Applies To:
BIG-IP AAM
- 12.1.3
BIG-IP APM
- 12.1.3
BIG-IP Analytics
- 12.1.3
BIG-IP Link Controller
- 12.1.3
BIG-IP LTM
- 12.1.3
BIG-IP PEM
- 12.1.3
BIG-IP AFM
- 12.1.3
BIG-IP DNS
- 12.1.3
BIG-IP ASM
- 12.1.3
BIG-IP Release Information
Version: 12.1.3.4
Build: 2.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable the mitigations to recover performance (see ID 707226-2 in the 12.1.3.3 fixes below, which adds the DB variables that control them). See K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
701359-2 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
615269-1 | CVE-2016-2183 | K13167034 | CVE-2016-2183: AFM SSH Proxy Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
680850-1 | 3-Major | K48342409 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
570570-5 | 3-Major | | Default crypto failure action is now 'go-offline-downlinks'.
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
711547 | 1-Blocking | | Update cipher support for Common Criteria compliance
708054-3 | 2-Critical | | Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-2 | 2-Critical | | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
703761-1 | 2-Critical | | Disable DSA keys for public-key and host-based authentication in Common Criteria mode
677937-1 | 2-Critical | K41517253 | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
673484-1 | 2-Critical | K85405312 | IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
664549-2 | 2-Critical | K55105132 | TMM restart while processing rewrite filter
599423-1 | 2-Critical | K24584925 | merged daemon cores and restarts
583111-1 | 2-Critical | | BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
701626-1 | 3-Major | | GUI resets custom Certificate Key Chain in child client SSL profile
693312-2 | 3-Major | | vCMPd may crash when processing bridged network traffic
688516-2 | 3-Major | | vCMPd may crash when processing bridged network traffic
686029-1 | 3-Major | K00026204 | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
664737-2 | 3-Major | | Do not reboot on ctrl-alt-del
655005-1 | 3-Major | K23355841 | "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
646890-1 | 3-Major | K12068427 | IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
635703-1 | 3-Major | K14508857 | Interface description may cause some interface level commands to be removed
614486-1 | 3-Major | | BGP community with lower bytes of zero is not allowed to be set in route-map
612721-4 | 3-Major | | FIPS: .exp keys cannot be imported when the local source directory contains .key file
609967-2 | 3-Major | K55424912 | qkview missing some HugePage memory data
586412-2 | 3-Major | | BGP peer-group member address-family configuration is not saved to the configuration
583108-1 | 3-Major | | ZebOS issue: 'no neighbor x.x.x.x activate' in address-family IPv6 is lost on reboot/restart.
581101-1 | 3-Major | | Non-admin user running list command cannot get object count
557155-8 | 3-Major | | BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
421797-3 | 3-Major | | ePVA continues to accelerate IP Forwarding virtual server traffic even in Standby
651413-2 | 4-Minor | | tmsh list ltm node does not return an error when node does not exist
598437-1 | 4-Minor | | SNMP process monitoring is incorrect for tmm and bigd
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
706631 | 2-Critical | | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-1 | 2-Critical | | TMM may crash under load when configuration changes occur while the HTTP/2 profile is in use
704666-2 | 2-Critical | | Memory corruption can occur when using certain certificates
701202-1 | 2-Critical | | SSL memory corruption
700862-2 | 2-Critical | K15130240 | tmm SIGFPE 'valid node'
700393-2 | 2-Critical | | Under certain circumstances a stale HTTP/2 stream can cause a tmm crash
685254-1 | 2-Critical | | RAM Cache exceeding watchdog timeout in header field search
678416-2 | 2-Critical | | Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
676028-2 | 2-Critical | K09689143 | SSL forward proxy bypass may fail to release memory used for ssl_hs instances
673951-4 | 2-Critical | K56466330 | Memory leak when using HTTP2 profile
670814-2 | 2-Critical | | Wrong SELinux label breaks NetHSM DNSSEC keys
665185-1 | 2-Critical | K20994524 | SSL handshake reference is not dropped if forward proxy certificate lookup failed
657463-2 | 2-Critical | | SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake.
648320-3 | 2-Critical | | Downloading via APM tunnels could experience performance degradation.
647757-2 | 2-Critical | K96395052 | RATE-SHAPER: Fred not properly initialized may halt traffic
636096-1 | 2-Critical | | Nitrox PX chips may temporarily fail
613088-3 | 2-Critical | | pkcs11d thread has session initialization problem.
452283-2 | 2-Critical | | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
705794-1 | 3-Major | | Under certain circumstances a stale HTTP/2 stream can cause a tmm crash
695901-2 | 3-Major | | TMM may crash when processing ProxySSL data
690042-3 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation
689449-3 | 3-Major | | Some flows may remain indefinitely in memory with SPDY/HTTP/2 and HTTP fallback-host configured
688009-5 | 3-Major | | Appliance Mode TMSH hardening
687205-3 | 3-Major | | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
686972-1 | 3-Major | | Changing APM log settings resets the SSL session cache.
686395 | 3-Major | | With DTLS version 1, when the client hello uses version 1.2, the handshake should proceed
683697-3 | 3-Major | K00647240 | SASP monitor may use the same UID for multiple HA device group members
677457 | 3-Major | | HTTP/2 Gateway appends semicolon when a request has one or more cookies
677400-3 | 3-Major | K82502883 | pimd daemon may exit on failover
673399-1 | 3-Major | | HTTP request dropped after a 401 exchange when a WebSocket profile is attached to the virtual server.
665652-2 | 3-Major | K41193475 | Multicast traffic not forwarded to members of VLAN group
664528-1 | 3-Major | | SSL record can be larger than maximum fragment size (16384 bytes)
663551-1 | 3-Major | K14942957 | SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
662911-2 | 3-Major | K93119070 | SASP monitor uses same UID for all vCMP guests in a chassis or appliance
654368-7 | 3-Major | | ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it and authentication is set to require
654086-3 | 3-Major | | Incorrect handling of HTTP/2 data frames larger than minimal frame size
653976-2 | 3-Major | K00610259 | SSL handshake fails if server certificate contains multiple CommonNames
651901-2 | 3-Major | | Removed unnecessary ASSERTs in MPTCP code
640369-2 | 3-Major | | TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when it is disabled on the VLAN
633333-3 | 3-Major | | During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
619844-2 | 3-Major | | Packet leak if reject command is used in FLOW_INIT rule
611691-5 | 3-Major | | Packet payload ignored when DSS option contains DATA_FIN
608991-7 | 3-Major | | BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
605480-4 | 3-Major | | BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
604880-4 | 3-Major | | tmm assert "valid pcb" in tcp.c
604549-7 | 3-Major | | MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
592731-1 | 3-Major | K34220124 | Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
653746-2 | 4-Minor | K83324551 | Unable to display detailed CPU graphs if the number of CPUs is too large
569814-2 | 4-Minor | K30240351 | iRule "nexthop IP_ADDR" rejected by validator
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
710424-3 | 2-Critical | | Possible SIGSEGV in GTMD when GTM persistence is enabled.
699135-2 | 2-Critical | | tmm cores with SIGSEGV in dns_rebuild_response when using the host command for a non-A/AAAA wide IP
691287-3 | 2-Critical | | tmm crashes on iRule with pool command after string command
682335-3 | 2-Critical | | TMM can establish multiple connections to the same gtmd
699339-1 | 3-Major | K24634702 | Geolocation upgrade files fail to replicate to secondary blades
696808-3 | 3-Major | K35353213 | Disabling a single pool member removes all GTM persistence records
687128-3 | 3-Major | | gtm::host iRule validation for IPv4 and IPv6 addresses
679149-2 | 3-Major | | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
663310-3 | 3-Major | K50871313 | named reports "file format mismatch" when upgrading to versions with BIND 9.9.x for text slave zone files★
619158-1 | 3-Major | | iRule DNS request with trailing dot times out with empty response
595293-4 | 3-Major | | Deleting GTM links could cause gtm_add to fail on new devices.
603758-1 | 4-Minor | | Big3D security hardening
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description
679221-1 | 1-Blocking | | APMD may generate core file or appear locked up after APM configuration changed
702278-3 | 2-Critical | | Potential XSS security exposure on APM logon page.
678715-1 | 2-Critical | | Large volume of query result updates to SessionDB fails and locks up ApmD
710211 | 3-Major | | Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
704580-3 | 3-Major | | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
702490-4 | 3-Major | | Windows Credential Reuse feature may not work
702487-1 | 3-Major | | AD/LDAP admins with spaces in names are not supported
700780-4 | 3-Major | | F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
699267-1 | 3-Major | | LDAP Query may fail to resolve nested groups
681415-1 | 3-Major | | Copying of profile with advanced customization or images might fail
675775-2 | 3-Major | | TMM crashes inside dynamic ACL building session db callback
672250-1 | 3-Major | | SessionDB update from ApmD with large volume fails
671149-3 | 3-Major | | Captive portal login page is not rendered until it is refreshed
669459-2 | 3-Major | | Effect of bad connection handle between APMD and memcachd
639283-4 | 3-Major | | Custom Dialer/Windows logon integration doesn't work against virtual server with untrusted SSL certificate
569542-1 | 3-Major | | After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★
667237-3 | 4-Minor | | Edge Client logs the routing and IP tables repeatedly
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description
673463-2 | 2-Critical | K68275280 | SDD v3 symmetric deduplication may start performing poorly after a failover event
685693 | 3-Major | | APM AppTunnels memory leak
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description
702738 | 3-Major | K32181540 | Tmm might crash activating new blob when changing firewall rules
528499-3 | 4-Minor | | AFM address lists are not sorted when creating a new rule.
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
704490 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown)
704483 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1)
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
707226-2 | 1-Blocking | | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
706086-1 | 2-Critical | | PAM RADIUS authentication subsystem hardening
704804-2 | 3-Major | | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-2 | 3-Major | | NAS-IP-Address is sent with the bytes reversed
703869-1 | 3-Major | | Waagent updated to 2.2.21
701249-2 | 3-Major | | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
699147 | 3-Major | | Hourly billed cloud images are now pre-licensed
687098 | 3-Major | | IPv6 RADIUS servers not supported for remote authentication
674288-2 | 3-Major | K62223225 | FQDN nodes - monitor attribute doesn't reliably show in GUI
649465-1 | 3-Major | | SELinux warning messages regarding nsm daemon
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
695117 | 2-Critical | K30081842 | bigd cores and sends corrupted MCP messages with many FQDN nodes
668883 | 2-Critical | | FQDN pool member status may become out-of-sync when enabled/disabled through GUI
707675 | 3-Major | | FQDN nodes or pool members flap when DNS response received
701609 | 3-Major | | Static member of pool with FQDN members may revert to user-disabled after being re-enabled
685344-2 | 3-Major | | Monitor 'min 1 of' not working as expected with FQDN nodes/members
673075-1 | 3-Major | | Reduced issues for monitors configured with FQDN
671228-1 | 3-Major | | Multiple FQDN ephemeral nodes may be created with autopopulate disabled
667560-3 | 3-Major | K69205908 | FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
573602-1 | 3-Major | | FQDN pool members not shown by tmsh show ltm monitor
573302-1 | 3-Major | | FQDN pool member remains in disabled state after removing monitor
571095-1 | 3-Major | | Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
467709-1 | 4-Minor | | FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN
699262-2 | 5-Cosmetic | | FQDN pool member status remains in 'checking' state after full config sync
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
700556-2 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data |
698080-1 | CVE-2018-5503 | K54562183 | TMM may consume excessive resources when processing with PEM |
691504-3 | CVE-2018-5503 | K54562183 | PEM content insertion in a compressed response may cause a crash. |
677193-2 | CVE-2017-6154 | K38243073 | ASM BD Daemon Crash. |
674189 | CVE-2016-0718 | K52320548 | iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0 |
673078-1 | CVE-2017-6150 | K62712037 | TMM may crash when processing FastL4 traffic |
670822-3 | CVE-2017-6148 | K55225440 | TMM may crash when processing SOCKS data |
668501-2 | CVE-2017-6151 | K07369970 | HTTP2 does not handle some URIs correctly |
630446-1 | CVE-2016-0718 | K52320548 | Expat vulnerability CVE-2016-0718 |
621233-1 | CVE-2018-5509 | K49440608 | FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm |
694274-2 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 |
688625-2 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
671638-4 | CVE-2018-5500 | K33211839 | TMM crash when load-balancing mptcp traffic |
662850-2 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
662663-6 | CVE-2018-5507 | K52521791 | Decryption failure Nitrox platforms in vCMP mode |
652848-2 | CVE-2018-5501 | K44200194 | TCP DNS profile may impact performance |
643375-1 | CVE-2018-5508 | K10329515 | TMM may crash when processing compressed data |
617273-7 | CVE-2016-5300 | K70938105 | Expat XML library vulnerability CVE-2016-5300 |
593139-9 | CVE-2014-9761 | K31211252 | glibc vulnerability CVE-2014-9761 |
572272-5 | CVE-2018-5506 | K65355492 | BIG-IP - Anonymous Certificate ID Enumeration |
673607-2 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 |
672667-4 | CVE-2017-7679 | K75429050 | CVE-2017-7679: Apache vulnerability |
605579-8 | CVE-2012-6702 | K65460334 | iControl-SOAP expat client library is subjected to entropy attack |
578983-4 | CVE-2015-8778 | K51079478 | glibc: Integer overflow in hcreate and hcreate_r |
684033-1 | CVE-2017-9798 | K70084351 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) |
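The vulnerability tables in these release notes are the artefact an operator actually audits against: "does the build I am running carry a fix for CVE X?" Several rows list more than one CVE in a single cell (for example 694274-2 and 704483 above), so a naive one-CVE-per-row grep under-reports coverage. The following is an added example, not part of F5's release notes or of any F5 tool: it parses rows in the pipe-delimited layout used on this page, splits multi-CVE cells, and reports which of a wanted set of CVEs are and are not covered. The sample rows are copied from the tables above (the 704483 row is written on one line here); all function names are the example's own.

```python
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

@dataclass(frozen=True)
class FixRow:
    fix_id: str        # F5 bug ID, e.g. "700556-2"
    cves: tuple        # one or more CVE IDs from the CVE cell
    articles: tuple    # K-numbered solution articles, may be empty
    description: str

# Constructed sample input: four rows taken from the Vulnerability Fixes
# tables on this page. 694274-2 and 704483 carry several CVEs in one cell.
SAMPLE_ROWS = """\
ID Number | CVE | Solution Article(s) | Description
700556-2 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data
694274-2 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7
704483 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1)
673607-2 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169
"""

def parse_rows(text):
    """Parse 'ID | CVE(s) | article(s) | description' rows; skip headers
    and any row whose CVE cell contains no CVE identifier."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "ID Number":
            continue
        fix_id, cve_cell, article_cell, desc = cells
        cves = tuple(CVE_RE.findall(cve_cell.upper()))
        if not cves:
            continue
        articles = tuple(a for a in article_cell.split() if re.fullmatch(r"K\d+", a))
        rows.append(FixRow(fix_id, cves, articles, desc))
    return rows

def index_by_cve(rows):
    """Map each CVE to every fix row that lists it (one CVE can appear in
    several rows, e.g. CVE-2017-3169 in both the RHSA roll-up and 673607-2)."""
    idx = {}
    for row in rows:
        for cve in row.cves:
            idx.setdefault(cve, []).append(row)
    return idx

def coverage(rows, wanted):
    """Return (covered, missing): covered maps CVE -> list of fix IDs,
    missing is the sorted list of wanted CVEs no row mentions."""
    idx = index_by_cve(rows)
    wanted = {w.strip().upper() for w in wanted}
    covered = {c: [r.fix_id for r in idx[c]] for c in wanted if c in idx}
    missing = sorted(wanted - covered.keys())
    return covered, missing

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    covered, missing = coverage(rows, ["CVE-2017-5753", "CVE-2017-5754", "CVE-2018-5504"])
    for cve, ids in sorted(covered.items()):
        print(f"{cve}: fixed by {', '.join(ids)}")
    for cve in missing:
        print(f"{cve}: no fix row in this table")
```

Run against the full set of tables for a release, this gives a per-CVE list of fix IDs and K articles to cite in a patch-management record; a CVE that lands in `missing` for every cumulative section of a release is the one to chase in the next version's notes.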
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
686389-3 | 3-Major | | APM does not honor per-farm HTML5 client disabling at the View Connection Server
685020-1 | 3-Major | | Enhancement to SessionDB provides timeout
653772-2 | 3-Major | | FastL4 fails to evict flows from the ePVA
639505-3 | 3-Major | | BGP may not send all configured aggregate routes
587107-3 | 3-Major | | Allow iQuery to negotiate up to TLS 1.2
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
667148-1 | 1-Blocking | K02500042 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition
689577-1 | 2-Critical | K45800333 | ospf6d may crash when processing specific LSAs
678833 | 2-Critical | | IPv6 prefix SPDAG causes packet drop
676203-1 | 2-Critical | | Inter-blade MPI connection fails, does not recover, and eventually all memory is consumed.
670405-4 | 2-Critical | K20486351 | glibc vulnerability CVE-2017-1000366
667405-2 | 2-Critical | K61251939 | Fragmented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
667404-2 | 2-Critical | K77576404 | Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
651362 | 2-Critical | | eventd crashes during boot
631700-1 | 2-Critical | K72453283 | sod may kill bcm56xxd under heavy load
617733-1 | 2-Critical | | Error message: subscriber id response; Subscription not found
580753-1 | 2-Critical | K82583534 | eventd might core on transition to secondary.
563661-2 | 2-Critical | | Datastor may crash
694696-3 | 3-Major | | On multi-blade VIPRION, creating a new traffic-group causes the device to go Offline
688011-5 | 3-Major | | Dig utility does not apply best practices
687658-2 | 3-Major | K03469520 | Monitor operations in transaction will cause it to stay unchecked
687353-3 | 3-Major | K35595105 | Qkview truncates tmstat snapshot files
682213-3 | 3-Major | K31623549 | TLS v1.2 support in IP reputation daemon
679480-1 | 3-Major | | User able to create node when an ephemeral node with the same IP already exists
674320-2 | 3-Major | K11357182 | Syncing a large number of folders can prevent the configuration getting saved on the peer systems
672815-2 | 3-Major | | Incorrect disaggregation on VIPRION B4200 blades
671082-1 | 3-Major | K85168072 | snmpd constantly restarting
669888-2 | 3-Major | | No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
669462-1 | 3-Major | | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
664894-1 | 3-Major | K11070206 | PEM sessions lost when new blade is inserted in chassis
664057-2 | 3-Major | | Upgrading GTM from pre-12.0.0 to post-12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
664017-3 | 3-Major | | OCSP may reject valid responses
652968-2 | 3-Major | K88825548 | IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
645723-2 | 3-Major | K74371937 | Dynamic routing update can delete admin ip route from the kernel
632366-1 | 3-Major | | Prevent a spurious Broadcom switch driver failure.
631316 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★
626990-1 | 3-Major | K64915164 | restjavad logs flooded with messages from ChildWrapper
624362-1 | 3-Major | | vCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
623803-2 | 3-Major | K12921801 | General DB error when selecting Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
610122-1 | 3-Major | | Hotfix installation fails: can't create /service/snmpd/run★
598724-1 | 3-Major | | Abandoned indefinite-lifetime SessionDB entries on STANDBY devices.
586887-2 | 3-Major | K25883308 | SCTP tmm crash with virtual server destination.
579760-3 | 3-Major | K55703840 | HSL::send may fail to resume after log server pool member goes down/up
471237-2 | 3-Major | K12155235 | BIG-IP VE instances do not work with an encrypted disk in AWS.
699281 | 4-Minor | | Version format of hypervisor bundle matches version format of ISO
669255-2 | 4-Minor | K20100613 | An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
660239-3 | 4-Minor | | When accessing the dashboard, invalid HTTP headers may be present
655085-2 | 4-Minor | | While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
613275-2 | 4-Minor | K62581339 | SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
601168-1 | 4-Minor | | Incorrect virtual server CPU utilization may be observed.
509980-1 | 4-Minor | | Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
692970-3 | 2-Critical | | Using UDP port 67 for purposes other than DHCP might cause TMM to crash
687603-1 | 2-Critical | | tmsh query for DNS records may cause tmm to crash
686228-3 | 2-Critical | | TMM may crash in some circumstances with VLAN failsafe
682682-3 | 2-Critical | | tmm asserts on a virtual server-to-virtual server connection
681175-1 | 2-Critical | K32153360 | TMM may crash during routing updates
676982-2 | 2-Critical | K21958352 | Active connection count increases over time, long after connections expire
674576-4 | 2-Critical | | Outage may occur with VIP-VIP configurations
665924-1 | 2-Critical | K24847056 | The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
665732-2 | 2-Critical | K45001711 | FastHTTP may crash when receiving a fragmented IP packet
664461-3 | 2-Critical | K16804728 | Replacing HTTP payload can cause tmm restart
658989-2 | 2-Critical | | Memory leak when connection terminates during iRule processing
639039-4 | 2-Critical | K33754014 | Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
614702-1 | 2-Critical | K24172560 | Race condition when using SSL Orchestrator can cause TMM to core
704073-3 | 3-Major | | Repeated "bad transition" OOPS logging may appear in /var/log/ltm and /var/log/tmm
699346-2 | 3-Major | | NetHSM capacity reduces when handling errors
698000-1 | 3-Major | K04473510 | Connections may stop passing traffic after a route update
689089-3 | 3-Major | | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
686307-1 | 3-Major | | Monitor escaping is not changed when upgrading from 11.6.x to 12.x and later
686305-2 | 3-Major | | TMM may crash while processing SSL forward proxy traffic
686065-1 | 3-Major | | RESOLV::lookup iRule command can trigger crash with slow resolver
685955 | 3-Major | | TMM hud_message_ctx leak
685110-3 | 3-Major | K05430133 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683683-1 | 3-Major | | ASN1::encode returns wrong binary data
682104-1 | 3-Major | | HTTP PSM leaks memory when looking up evasion descriptions
680755-1 | 3-Major | K27015502 | max-request enforcement no longer works outside of OneConnect
676457-3 | 3-Major | | TMM may consume excessive resources when processing compressed data
673621-2 | 3-Major | | Chain certificate is still sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
670816-2 | 3-Major | K44519487 | HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
669974-1 | 3-Major | K90395411 | Encoding binary data using ASN1::encode may truncate result
668522-1 | 3-Major | | bigd might try to read from a file descriptor that is not ready for read
668419-1 | 3-Major | K53322151 | ClientHello sent in multiple packets results in TCP connection close
666315 | 3-Major | | Global SNAT sets TTL to 255 instead of decrementing
666160-1 | 3-Major | K63132146 | L7 Policy reconfiguration causes a slow memory leak
665022-1 | 3-Major | | Rateshaper stalls when TSO packet length exceeds max ceiling.
664769-1 | 3-Major | K33637041 | TMM may restart when using SOCKS profile and an iRule
663821-3 | 3-Major | K41344010 | SNAT Stats may not include port FTP traffic
661881-2 | 3-Major | K00030614 | Memory and performance issues when using certain ASN.1 decoding formats in iRules
659648-2 | 3-Major | | LTM Policy rule name migration doesn't properly handle whitespace
657795-1 | 3-Major | K51498984 | Possible performance impact on some SSL connections
655432-7 | 3-Major | K85522235 | SSL renegotiation failed intermittently with AES-GCM cipher
651681-4 | 3-Major | K49562354 | Orphaned bigd instances may exist (within multi-process bigd)
651135-4 | 3-Major | K41685444 | LTM Policy error when rule names contain slash (/) character★
645220-2 | 3-Major | | bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
645197-3 | 3-Major | | Monitors receiving unique HTTP "success" response codes may stop monitoring after status change
640565-1 | 3-Major | K11564859 | Incorrect packet size sent to clone pool member
636149-3 | 3-Major | | Multiple monitor response codes to single monitor probe failure
628721-1 | 3-Major | | In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
627926-1 | 3-Major | K21211001 | Retrieving a server-side SSL session ID in iRules does not work
584865-1 | 3-Major | | Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
582487-2 | 3-Major | | 'merged.method' set to 'slow_merge' does not update system stats
574526-1 | 3-Major | K55542554 | HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
573366-4 | 3-Major | | parking command used in the nesting script of clientside and serverside command can cause tmm core
692095-3 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN Node/Pool Member
625892-2 | 4-Minor | | Nagle algorithm not fully enforced with TSO
530877-7 | 4-Minor | K13887095 | TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
692941-3 | 2-Critical | | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
678861-3 | 2-Critical | K00426059 | DNS:: namespace commands in procs cause upgrade failure when changing from Link Controller license to other★
580537-1 | 2-Critical | | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-4 | 2-Critical | K55736054 | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
700527-1 | 3-Major | | cmp-hash change can hang iRule DNS lookup
691498-1 | 3-Major | | Connection failure during iRule DNS lookup can crash TMM
690166-3 | 3-Major | | ZoneRunner creates a new stub zone when creating an SRV wide IP with more subdomains
671326-2 | 3-Major | K81052338 | DNS Cache debug logging might cause tmm to crash.
667469-1 | 3-Major | K35324588 | Higher than expected CPU usage when using DNS Cache
665347-2 | 3-Major | K17060443 | GTM listener object cannot be created via tmsh while in non-Common partition
636853-2 | 3-Major | | Under some conditions, a change in the order of GTM topology records does not take effect.
621374-1 | 3-Major | | "abbrev" argument in "whereis" iRule returns nothing
487144-2 | 3-Major | K52278479 | tmm intermittently reports that it cannot find FIPS key
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description
701327-1 | 2-Critical | | Failed configuration deletion may cause unwanted bd exit
699720-3 | 2-Critical | | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-3 | 2-Critical | K02515009 | Rare BD crash in a specific scenario
684312-2 | 2-Critical | K54140729 | During Apply Policy action, bd agent crashes, causing the machine to go Offline
681109-2 | 2-Critical | K46212485 | BD crash in a specific scenario
679603-2 | 2-Critical | K15460886 | bd core upon request, when profile has sensitive element configured.
678462-2 | 2-Critical | | After chassis failover: asmlogd CPU 100% on secondary
678228-1 | 2-Critical | K27568142 | Repeated Errors in ASM Sync
672301-2 | 2-Critical | | ASM crashes when using a logout object configuration in ASM policy
662281-2 | 2-Critical | | Inconsistencies in automatic sync ASM device group
637252-1 | 2-Critical | K73107660 | Rest worker becomes unreliable after processing a call that generated an error
633070-1 | 2-Critical | | Sync inconsistencies when using Autosync ASM group between chassis devices
631609-1 | 2-Critical | | ASM Centralized Management Infrastructure sync issues
631204-1 | 2-Critical | | GeoIP lookups incorrectly parse IP addresses
614441-4 | 2-Critical | K04950182 | False Positive for illegal method (GET)
611154-1 | 2-Critical | | BD crash
599221-1 | 2-Critical | | ASM policy cannot be created in non-default partition via the Import Policy task
576123-3 | 2-Critical | | ASM policies are created as inactive policies on the peer device
702946-2 | 3-Major | | Added option to reset staging period for signatures
701841-1 | 3-Major | | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
700564-2 | 3-Major | | JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
700330 | 3-Major | | AJAX blocking page isn't shown when a web page uses the jQuery framework.
700143-1 | 3-Major | | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
698919-1 | 3-Major | | Anti-virus false positive detection on long XML uploads
697303-3 | 3-Major | | BD crash
696265-3 | 3-Major | | BD crash
694922-4 | 3-Major | | ASM Auto-Sync device group does not sync
691477-1 | 3-Major | | ASM standby unit showing future date and high version count for ASM device group
685743-3 | 3-Major | | When changing internal parameter 'request_buffer_size', violations in large requests might not be reported
685207-2 | 3-Major | | DoS client-side challenge does not encode the Referer header.
683508-3 | 3-Major | | WebSockets: umu memory leak of binary frames when remote logger is configured
682612 | 3-Major | | Event Correlation is disabled on vCMP even though all the prerequisites are met.
679384-1 | 3-Major | K85153939 | The policy builder is not getting updates about the newly added signatures.
678293-1 | 3-Major | | Uncleaned policy history files cause /var disk exhaustion
676416-2 | 3-Major | | BD restart when switching FTP profiles
675232-3 | 3-Major | | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
674494-1 | 3-Major | K77993010 | BD memory leak on specific configuration and specific traffic
671675-1 | 3-Major | | Centralized Management Infrastructure: asm_config_server restart on device group change
668184-1 | 3-Major | | Huge values are shown in the AVR statistics for ASM violations
668181-2 | 3-Major | | Policy automatic learning mode changes to manual after failover
667922 | 3-Major | K44692860 | Alternative unicode encoding in JSON objects not being parsed correctly
666986-2 | 3-Major | K50320144 | Filter by Support ID is not working in Request Log
663535-1 | 3-Major | | Sending ASM cookies with "secure" attribute even without client-ssl profile
654925-1 | 3-Major | K25952033 | Memory Leak in ASM Sync Listener Process
654873-2 | 3-Major | | ASM Auto-Sync device group
619516-1 | 3-Major | | Inconsistencies in automatic sync ASM device group
605982-1 | 3-Major | Policy settings change during export/import | |
434821-1 | 3-Major | Remote logging of staged signatures and staged sets | |
694073-1 | 4-Minor | All signature update details are shown in 'View update history from previous BIG-IP versions' popup | |
655159-1 | 4-Minor | K84550544 | Wrong XML profile name Request Log details for XML violation |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
658343-2 | 3-Major | K33043439 | AVR tcp-analytics: per-host RTT average may show incorrect values |
648242 | 3-Major | | Administrator users unable to access all partitions via TMSH for AVR reports |
582029-4 | 3-Major | | AVR might report incorrect statistics when used together with other modules. |
682105 | 4-Minor | | Adding widget in Analytics Overview can cause measures list to empty out on Page change |
649161-1 | 4-Minor | K42340304 | AVR caching mechanism not working properly |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
693739-3 | 2-Critical | | VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled |
660711-1 | 2-Critical | K05265457 | MCPd might crash when a user tries to import an access policy |
649234-3 | 2-Critical | K64131101 | TMM crash from a possible memory corruption. |
639929-2 | 2-Critical | | Session variable replace with value containing these characters ' " & < > = may cause tmm crash |
632178-1 | 2-Critical | | LDAP Query agent creates only two session variables when required attributes list is empty |
703984-2 | 3-Major | | Machine cert agent does not follow best practices |
703429-1 | 3-Major | | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services |
700783-3 | 3-Major | | Machine certificate check does not check against all FQDN hostnames |
692307-1 | 3-Major | | User with 'operator' role may not be able to view some session variables |
689826-2 | 3-Major | | Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese) |
686282-1 | 3-Major | | APMD intermittently crashes when processing access policies |
684325-3 | 3-Major | | APMD Memory leak when applying a specific access profile |
683389-1 | 3-Major | | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file |
682500-1 | 3-Major | | VDI Profile and Storefront Portal Access resource do not work together |
680112-1 | 3-Major | K18131781 | SWG-Explicit rejects large POST bodies during policy evaluation |
678851-1 | 3-Major | | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() |
676690-3 | 3-Major | | Windows Edge Client sometimes crashes when user signs out from Windows |
675866-1 | 3-Major | | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO |
675399-3 | 3-Major | | Network Access does not work when empty variables are assigned for WINS and DNS |
674593-1 | 3-Major | | APM configuration snapshot takes a long time to create |
674410-3 | 3-Major | K59281892 | AD auth failures due to invalid Kerberos tickets |
673748-1 | 3-Major | K19534801 | ng_export, ng_import might leave security.configpassword in invalid state |
672868-1 | 3-Major | | Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly |
672040-3 | 3-Major | | Access Policy Causing Duplicate iRule Event Execution |
671597-1 | 3-Major | | Import, export, copy, and delete take too long on a policy with 1000 entries |
670910-2 | 3-Major | | Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined |
669510-2 | 3-Major | | When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled. |
669154-1 | 3-Major | | Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases. |
668623-5 | 3-Major | K85991425 | macOS Edge client fails to detect correct system language for regions other than USA |
668503-3 | 3-Major | | Edge Client fails to reconnect to virtual server after disabling Network Adapter |
668129-1 | 3-Major | | BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers. |
666689-1 | 3-Major | | Occasional "profile not found" errors following activate access policy |
666058-2 | 3-Major | K86091857 | XenApp 6.5 published icons are not displayed on APM Webtop |
665416-3 | 3-Major | | Old versions of APM configuration snapshots need to be reaped more aggressively if not used |
665330-1 | 3-Major | | MSIE 11 should avoid compatibility mode |
664507-3 | 3-Major | | When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration |
663127-1 | 3-Major | | Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration. |
655364-1 | 3-Major | | Portal access rewriting window.opener causes JS exception |
655146-2 | 3-Major | | APM Profile access stats are not updated correctly |
654508-2 | 3-Major | | SharePoint MS-OFBA browser window displays Javascript errors |
654046-1 | 3-Major | | BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs. |
653771-2 | 3-Major | | tmm crash after per-request policy error |
653324-3 | 3-Major | K87979026 | On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly |
651910-2 | 3-Major | | Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later |
649613-3 | 3-Major | | Multiple UDP/TCP packets packed into one DTLS Record |
632646-4 | 3-Major | | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. |
629921-4 | 3-Major | | [SWG] NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work. |
621682-1 | 3-Major | | Portal Access: problem with specific JavaScript code |
616104-2 | 3-Major | | VMware View connections to pool hit matching BIG-IP virtuals |
613373-2 | 3-Major | | Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page |
610582-2 | 3-Major | | Device Guard prevents Edge Client connections |
601420-3 | 3-Major | | Possible SAML authentication loop with IE and multi-domain SSO. |
596083-1 | 3-Major | | Error running custom APM Reports with "session creation time" on Viprion Platform |
590992-3 | 3-Major | | If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working |
578413-1 | 3-Major | | Missing reference to customization-group from connectivity profile if created via portal access wizard |
575444-1 | 3-Major | | Wininfo agent incorrectly reports OS version on Windows 10 in some cases |
563135-3 | 3-Major | | SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt |
466068-1 | 3-Major | | Allow setting of the AAA Radius server timeout value larger than 60 seconds |
447565-5 | 3-Major | | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
699455-3 | 4-Minor | | SAML export does not follow best practices |
691017-1 | 4-Minor | | Preventing ng_export hangs |
684414-1 | 4-Minor | | Retrieving too many groups is causing out of memory errors in TMUI and VPE |
673717-1 | 4-Minor | | VPE loading times can be very long |
671627-1 | 4-Minor | K06424790 | HTTP responses without body may contain chunked body with empty payload being processed by Portal Access. |
667304-1 | 4-Minor | K68108551 | Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled |
561892-2 | 4-Minor | | Kerberos cache is not cleared when Administrator password is changed in AAA AD Server |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
662844 | 2-Critical | K87735013 | TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x. |
643785-3 | 2-Critical | | diadb crashes if it cannot find pool name |
699431 | 3-Major | | Possible memory leak in MRF under low memory |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
456376-4 | 1-Blocking | K53153545 | BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32 |
671052-3 | 2-Critical | K50324413 | AFM NAT security RST the traffic with (FW NAT) dst_trans failed |
664708-2 | 2-Critical | | TMM memory leak when DoS profile is attached to VS |
644822-2 | 2-Critical | K19245372 | FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned |
564058-1 | 2-Critical | K91467162 | AutoDoS daemon aborts intermittently after it has been up for several days |
620543-1 | 3-Major | | Security Address Lists and Port Lists can't change Description field |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
696383-2 | 2-Critical | | PEM Diameter incomplete flow crashes when swept |
694717-3 | 2-Critical | | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. |
616008-3 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
696789-2 | 3-Major | | PEM Diameter incomplete flow crashes when TCL resumed |
695968-3 | 3-Major | | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. |
694319-3 | 3-Major | | CCA without a request type AVP cannot be tracked in PEM. |
694318-3 | 3-Major | | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. |
684333-3 | 3-Major | | PEM session created by Gx may get deleted across multiple HA switchovers with CLI command |
678820-2 | 3-Major | | Potential memory leak if PEM Diameter sessions are not created successfully. |
678714-3 | 3-Major | | After HA failover, subscriber data has stale session ID information |
660187-3 | 3-Major | | TMM core after intra-chassis failover for some instances of subscriber creation |
642068-1 | 3-Major | | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens |
638594-3 | 3-Major | | TMM crash when handling unknown Gx messages. |
627616-3 | 3-Major | | CCR-U missing upon VALIDITY TIMER expiry when quota is zero |
624231-5 | 3-Major | | No flow control when using content-insertion with compression |
680729-3 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
678822-3 | 4-Minor | | Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
663333-1 | 2-Critical | | TMM may core in PBA mode if LSN pool is under-provisioned or the utilization is high |
615432-1 | 2-Critical | | Multiple TFTP data transfers cannot be initiated in a single session |
663974-2 | 3-Major | | TMM crash when using LSN inbound connections |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
692123-2 | 3-Major | | GET parameter is grayed out if MobileSafe is not licensed |
667892-2 | 3-Major | | FPS: BLFN inheritance won't take effect until GUI refresh |
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
681710-4 | CVE-2017-6155 | K10930474 | Malformed HTTP/2 requests may cause TMM to crash |
673595-2 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 |
648786-5 | CVE-2017-6169 | K31404801 | TMM crashes when categorizing long URLs |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
673129 | 3-Major | | New feature: revoke license |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
682837 | 1-Blocking | | Compression watchdog period too brief. |
675921 | 1-Blocking | | Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running |
696468 | 2-Critical | | Active compression requests can become starved from too many queued requests. |
665656-1 | 2-Critical | | BWC with iSession may memory leak |
663366-3 | 2-Critical | | SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms. |
621386-1 | 2-Critical | K91988084 | restjavad spawns too many icrd_child instances |
679959-1 | 3-Major | | Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000 |
672988-2 | 3-Major | K03433341 | MCP memory leak when performing incremental ConfigSync |
669288-3 | 3-Major | K76152943 | Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist. |
668352-2 | 3-Major | | High Speed Logging imbalance in log distribution for multiple pool destination. |
668048-1 | 3-Major | K02551403 | TMM memory leak when manually enabling/disabling pool member used as HSL destination |
663063-2 | 3-Major | | Disabling pool member used in busy HSL TCP destination can result in service disruption. |
659057-1 | 3-Major | | BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD |
658636-2 | 3-Major | K51355172 | When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped. |
652691-1 | 3-Major | | Installation fails if only .iso.384.sig (new format signature file) is present★ |
652689-2 | 3-Major | K14243280 | Displaying 100G interfaces |
642952 | 3-Major | | platform_check doesn't run PCI check on i11800 |
640636-3 | 3-Major | | F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade |
638881-1 | 3-Major | | Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances |
628739-1 | 3-Major | | BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD |
628735-1 | 3-Major | | Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles |
604547-1 | 3-Major | | Unix daemon configuration may be lost or not be updated upon reboot |
674515 | 4-Minor | | New revoke license feature for VE only implemented |
663580-1 | 4-Minor | K31981624 | logrotate does not automatically run when /var/log reaches 90% usage |
644723-1 | 4-Minor | | cm56xxd logs link 'DOWN' message when an interface is admin DISABLED |
507206-1 | 4-Minor | | Multicast Out stats always zero for management interface. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
463097-3 | 3-Major | K09247330 | Clock advanced messages with large amount of data maintained in DNS Express zones |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
672504-1 | 2-Critical | K52325625 | Deleting zones from large databases can take excessive amounts of time. |
614788-1 | 2-Critical | | zxfrd crash due to lack of disk space |
655233-1 | 3-Major | K93338593 | DNS Express using wrong TTL for SOA RRSIG record in NoData response |
648766-1 | 3-Major | K57853542 | DNS Express responses missing SOA record in NoData responses if CNAMEs present |
645615-2 | 3-Major | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
433678-2 | 3-Major | K32401561 | A monitor removed from GTM link cannot be deleted: 'monitor is in use' |
646615-1 | 4-Minor | | Improved default storage size for DNS Express database |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
652796-1 | 1-Blocking | | When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled. |
652792-1 | 2-Critical | | When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled. |
678976-2 | 3-Major | K24756214 | Do not print all HTTP headers to avoid printing user credentials to /var/log/apm. |
677058-3 | 3-Major | | Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
679440-2 | 2-Critical | K14120433 | MCPD Cores with SIGABRT |
591828-4 | 3-Major | | For unmatched connection, TCP RST may not be sent for data packet |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
668252-2 | 2-Critical | K22784428 | TMM crash in PEM_DIAMETER component |
628311-3 | 2-Critical | K87863112 | Potential TMM crash due to duplicate installed PEM policies by the PCRF |
675928-2 | 3-Major | | Periodic content insertion could add too many inserts to multiple flows if http request is outstanding |
674686-2 | 3-Major | | Periodic content insertion of new flows fails if an outstanding flow is a long flow |
673683-2 | 3-Major | | Periodic content insertion fails if pem and classification profile are detached and reattached to the Listener |
673678-2 | 3-Major | | Periodic content insertion fails if http request/response get interleaved by second subscriber http request |
673472-2 | 3-Major | | After classification rule is updated, first periodic Insert content action fails for existing subscriber |
639486-4 | 3-Major | | TMM crash due to PEM usage reporting after a CMP state change. |
634015-3 | 3-Major | | Potential TMM crash due to a PEM policy content triggered buffer overflow |
572568-2 | 3-Major | | Gy CCR-i requests are not being re-sent after initial configured re-transmits |
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
684879-2 | CVE-2017-6164 | K02714910 | Malformed TLS1.2 records may result in TMM segmentation fault. |
662022-5 | CVE-2017-6138 | K34514540 | The URI normalization functionality within the TMM may mishandle some malformed URIs. |
653993-3 | CVE-2017-6132 | K12044607 | A specific sequence of packets to the HA listener may cause tmm to produce a core file |
653880 | CVE-2017-6214 | K81211720 | Kernel Vulnerability: CVE-2017-6214 |
652539 | CVE-2016-0634 CVE-2016-7543 CVE-2016-9401 | K73705133 | Multiple Bash Vulnerabilities |
652516 | CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 | K31603170 | Multiple Linux Kernel Vulnerabilities |
651221-2 | CVE-2017-6133 | K25033460 | Parsing certain URIs may cause the TMM to produce a core file. |
650286-2 | CVE-2017-6167 | K24465120 | REST asynchronous tasks permissions issues |
650059-1 | CVE-2017-6129 | K20087443 | TMM may crash when processing VPN traffic |
649907-2 | CVE-2017-3137 | K30164784 | BIND vulnerability CVE-2017-3137 |
649904-2 | CVE-2017-3136 | K23598445 | BIND vulnerability CVE-2017-3136 |
644904-5 | CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 | K55129614 | tcpdump 4.9 |
644693-3 | CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 | K15518610 | Fix for multiple CVE for openjdk-1.7.0 |
638556-2 | CVE-2016-10045 | K73926196 | PHP Vulnerability: CVE-2016-10045 |
634779-1 | CVE-2017-6147 | K43945001 | In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file |
625860-2 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on B4450 platform. |
624903-6 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms. |
600069-6 | CVE-2017-0301 | K54358225 | Portal Access: Requests handled incorrectly |
659791-2 | CVE-2017-6136 | K81137982 | TFO and TLP could produce a core file under specific circumstances |
655059-3 | CVE-2017-6134 | K37404773 | TMM Crash |
653224-1 | CVE-2016-8610 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337 | K59836191 | Multiple GnuTLS Vulnerabilities |
653217-2 | CVE-2016-2125 CVE-2016-2126 | K03644631 | Multiple Samba Vulnerabilities |
645480-3 | CVE-2017-6139 | K45432295 | Unexpected APM response |
645101-2 | CVE-2017-3731, CVE-2017-3732 | K44512851 | OpenSSL vulnerability CVE-2017-3732 |
642659-2 | CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540 | K34527393 | Multiple LibTIFF Vulnerabilities |
640768 | CVE-2016-10088 CVE-2016-9576 | K05513373 | Kernel vulnerability: CVE-2016-10088 |
639729-2 | CVE-2017-0304 | K39428424 | Request validation failure in AFM UI Policy Editor |
637666-2 | CVE-2016-10033 | K74977440 | PHP Vulnerability: CVE-2016-10033 |
635314-5 | CVE-2016-1248 | K22183127 | vim Vulnerability: CVE-2016-1248 |
622178-1 | CVE-2017-6158 | K19361245 | Improve flow handling when Autolasthop is disabled |
597176-1 | CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE | K01837042 | Multiple Wireshark (tshark) vulnerabilities |
583678-1 | CVE-2016-3115 | K93532943 | SSHD session.c vulnerability CVE-2016-3115 |
567233-1 | CVE-2015-5252, CVE-2015-5296, CVE-2015-5299 | K92616530 | Multiple samba vulnerabilities |
656912-4 | CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458 | K32262483 | Various NTP vulnerabilities |
615226-5 | CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300 | K13074505 | Libarchive vulnerabilities: CVE-2016-8687 and others |
590840-2 | CVE-2015-8325 | K20911042 | OpenSSH vulnerability CVE-2015-8325 |
655021-2 | CVE-2017-3138 | K23598445 | BIND vulnerability CVE-2017-3138 |
627203-1 | CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597 | K63427774 | Multiple Oracle Java SE vulnerabilities |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
654549-1 | 2-Critical | | PVA support for uncommon protocols DoS vector |
653729-2 | 2-Critical | | Support IP Uncommon Protocol |
653234 | 2-Critical | | Many objects must be reconfigured before use when loading a UCS from another device.★ |
652094-2 | 2-Critical | K49190243 | Improve traffic disaggregation for uncommon IP protocols |
643210-2 | 2-Critical | K45444280 | Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM |
643054-2 | 2-Critical | | ARP and NDP packets should be CoS marked by the switch on ingress |
663521-2 | 3-Major | | Intermittent dropping of multicast packets on certain BIG-IP platforms |
651772-3 | 3-Major | | IPv6 host traffic may use incorrect IPv6 and MAC address after route updates |
643143-2 | 3-Major | | ARP and NDP packets should be QoS/DSCP marked on egress |
632875-3 | 3-Major | | Non-Administrator TMSH users no longer allowed to run dig |
610710-2 | 3-Major | | Pass IP TOS bits from incoming connection to outgoing connection |
584545-2 | 3-Major | | Failure to stabilize internal HiGig link will not trigger failover event |
567177-1 | 4-Minor | | Log all attempts of key export in ltm log |
650074-1 | 5-Cosmetic | | Changed Format of RAM Cache REST Status output. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
642703-2 | 1-Blocking | | Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★ |
619097 | 1-Blocking | | iControl REST slow performance on GET request for virtual servers |
539093-1 | 1-Blocking | K26104530 | VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface. |
697878 | 2-Critical | | High crypto request completion time under some workload patterns |
666790-2 | 2-Critical | K06619044 | Use HSB HiGig MAC reset to recover both FCS errors and link instability |
665354-2 | 2-Critical | K31190471 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log |
658574-2 | 2-Critical | K61847644 | An accelerated flow transmits packets to a stale (incorrect) destination MAC address. |
655357-2 | 2-Critical | K06245820 | Corrupted L2 FDB entries on B4450 blades might result in dropped traffic |
653376-5 | 2-Critical | | bgpd may crash on receiving a BGP update with >= 32 extended communities |
649866-1 | 2-Critical | | fsck should not run during first boot on public clouds |
638997-2 | 2-Critical | | Reboot required after disk size modification in a running BIG-IP VE instance. |
625456-5 | 2-Critical | | Pending sector utility may write repaired sector incorrectly |
624826-2 | 2-Critical | | mgmt bridge takes HWADDR of guest vm's tap interface |
613415-2 | 2-Critical | | Memory leak in ospfd when distribute-list is used |
609335-1 | 2-Critical | | IPsec tmm devbuf memory leak. |
604011-1 | 2-Critical | | Sync fails when iRule or policy is in use★ |
595783 | 2-Critical | | Changing console baud rate for B2100, B2150 and B2250 blades does not work |
593137-1 | 2-Critical | | userDefined property for bot signatures is not shown in REST |
579210-3 | 2-Critical | K11418051 | VIPRION B4400N blades might fail to go Active under rare conditions. |
471860-10 | 2-Critical | K16209 | Disabling interface keeps DISABLED state even after enabling |
412817-3 | 2-Critical | | BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive. |
671920-1 | 3-Major | | Accessing SNMP over IPv6 on non-default route domains |
669818-2 | 3-Major | | Higher CPU usage for syslog-ng when a syslog server is down |
667278-3 | 3-Major | | DSC connections between BIG-IP units may fail to establish |
667138-1 | 3-Major | | LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★ |
664829-1 | 3-Major | | BIG-IP sometimes performs unnecessary reboot on first boot |
662331-1 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
661764-2 | 3-Major | K53762147 | It is possible to configure a number of CPUs that exceeds the licensed throughput |
660532-2 | 3-Major | K21050223 | Cannot specify the event parameter for redirects on the policy rule screen. |
655671-1 | 3-Major | | Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced |
655649-2 | 3-Major | K88627152 | BGP last update timer incorrectly resets to 0 |
654011-2 | 3-Major | K33210520 | Pool member's health monitors set to Member Specific does not display the active monitors |
652638-2 | 3-Major | | php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx() |
651155-1 | 3-Major | | HSB continually logs 'loopback ring 0 tx not active' |
650349 | 3-Major | K50168519 | Creation or reconfiguration of iApps will fail if logging is configured |
650002-1 | 3-Major | | tzdata bug fix and enhancement update |
649949-1 | 3-Major | | Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★ |
647988-3 | 3-Major | K15331432 | HSL Balanced distribution to Two-member pool may not be balanced correctly. |
647944-2 | 3-Major | | MCP may crash when making specific changes to a FIX profile attached to more than one virtual server |
645179-6 | 3-Major | K42751321 | Traffic group becomes active on more than one BIG-IP after a long uptime |
644404-1 | 3-Major | | Extracting SSD from system leads to Emergency LCD alert★ |
644184-4 | 3-Major | K36427438 | ZebOS daemons hang while AgentX SNMP daemon is waiting. |
643294 | 3-Major | | IGMP and PIM not in self-allow default list when upgrading from 10.2.x★ |
643121-1 | 3-Major | | Failed installation volumes cannot be deleted in the GUI. |
643013 | 3-Major | | DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3 |
642982-3 | 3-Major | K23241518 | tmrouted may continually restart after upgrade, adding or renaming an interface★ |
642314-2 | 3-Major | K24276198 | CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★ |
638825-2 | 3-Major | | SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD |
637561-1 | 3-Major | | Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice |
636744-1 | 3-Major | K16918340 | IKEv1 phase 2 SAs not deleted |
631866-2 | 3-Major | | Cannot access LTM policy rules in the web UI when the name contains certain characters |
631172-4 | 3-Major | | GUI user logged off when idle for 30 minutes, even when longer timeout is set |
624692-3 | 3-Major | | Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying |
623391-5 | 3-Major | | cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★ |
622619-5 | 3-Major | | BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD |
622133-1 | 3-Major | | VCMP guests may obtain incorrect MAC addresses |
621259-3 | 3-Major | | Config save takes long time if there is a large number of data groups |
619060 | 3-Major | | Reduction in boot time in BIG-IP Virtual Edition platforms |
617875-1 | 3-Major | | vCMP guest may fail to start due to not enough hugepages |
612752-1 | 3-Major | | UCS load or upgrade may fail under certain conditions.★ |
610442-2 | 3-Major | K75051412 | vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★ |
607961-1 | 3-Major | | Secondary blades restart when modifying a virtual server's route domain in a different partition. |
605792-1 | 3-Major | | Installing a new version changes the ownership of administrative users' files★ |
601709-2 | 3-Major | K02314881 | I2C error recovery for BIG-IP 4340N/4300 blades |
590938-3 | 3-Major | | The CMI rsync daemon may fail to start |
583475-1 | 3-Major | | The BIG-IP may core while recompiling LTM policies |
577474-3 | 3-Major | K35208043 | Users with auditor role are unable to use tmsh list sys crypto cert |
569100-1 | 3-Major | | Virtual server using NTLM profile results in benign Tcl error |
544906-2 | 3-Major | K07388310 | Issues when using remote authentication when users have different partition access on different devices |
507240-4 | 3-Major | K13811263 | ICMP traffic cannot be disaggregated based on IP addresses |
480983-4 | 3-Major | | tmrouted daemon may core due to daemon_heartbeat |
471029-2 | 3-Major | | If the configuration contains a filename with the $ character, then saving the UCS fails. |
656900-1 | 4-Minor | | Blade family migration may fail |
655314 | 4-Minor | | When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★ |
653225-1 | 4-Minor | coreutils security and bug fix update | |
645717 | 4-Minor | UCS load does not set directory owner | |
644975-4 | 4-Minor | /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost | |
644799-1 | 4-Minor | K42882011 | TMM may crash when the BIG-IP system processes CGNAT traffic. |
642723-3 | 4-Minor | Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect | |
634371-2 | 4-Minor | Cisco ethernet NIC driver | |
530927-8 | 4-Minor | Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed | |
530530-6 | 4-Minor | tmsh sys log filter is displays in UTC time | |
527720-1 | 4-Minor | Rare 'No LopCmd reply match found' error in getLopReg | |
448409-1 | 4-Minor | K15491 | 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle |
626596 | 5-Cosmetic | Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
670011-2 | 1-Blocking | | SSL forward proxy does not create the server certchain when ignoring server certificates |
621452-1 | 1-Blocking | K58146172 | Connections can stall with TCP::collect iRule |
659899-1 | 2-Critical | K10589537 | Rare, intermittent system instability observed in dynamic load-balancing modes |
657713-5 | 2-Critical | K05052273 | Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. |
655628-1 | 2-Critical | | TCP analytics does not release resources under specific sequence of packets |
655211-1 | 2-Critical | K25384206 | bigd crash (SIGSEGV) when running FQDN node monitors |
650317-3 | 2-Critical | | The TMM on the next-active panics with message: "Missing oneconnect HA context" |
649171-4 | 2-Critical | | tmm core in iRule with unreachable remote address |
648037-2 | 2-Critical | | LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash |
646643-2 | 2-Critical | K43005132 | HA standby virtual server with non-default lasthop settings may crash. |
646604-5 | 2-Critical | K21005334 | Client connection may hang when NTLM and OneConnect profiles used together |
645663 | 2-Critical | | Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus. |
644112-2 | 2-Critical | K56150996 | Permanent connections may be expired when endpoint becomes unreachable |
643631 | 2-Critical | K70938130 | Serverside connections on virtual servers using VDI may become zombies. |
635274-1 | 2-Critical | K21514205 | SSL::sessionid command may return invalid values |
634265-2 | 2-Critical | K34688632 | Using route pools whose members aren't directly connected may crash the TMM. |
632552-2 | 2-Critical | K08634156 | tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event |
629178-1 | 2-Critical | K42206046 | Incorrect initial size of connection flow-control window |
611704-5 | 2-Critical | | tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event |
605983-1 | 2-Critical | | tmrouted may crash when being restarted in debug mode |
604926-3 | 2-Critical | K50041125 | The TMM may become unresponsive when using SessionDB data larger than ~400K |
604223-2 | 2-Critical | | pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM" |
583700-3 | 2-Critical | | tmm core on out of memory |
583355-1 | 2-Critical | | The TMM may crash when changing profiles associated with plugins |
566071-5 | 2-Critical | | network-HSM may not be operational on secondary slots of a standby chassis. |
559030-1 | 2-Critical | K65244513 | TMM may core during ILX RPC activity if a connflow closes before the RPC returns |
687193-1 | 3-Major | | TMM may leak memory when processing SSL Forward Proxy traffic |
677119 | 3-Major | | HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE |
672008-1 | 3-Major | K22122208 | NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds |
671935-2 | 3-Major | K64461712 | Possible ephemeral port reuse. |
669025-1 | 3-Major | K11425420 | Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate |
668521-2 | 3-Major | | Bigd might stall while waiting for an external monitor process to exit |
666032-3 | 3-Major | K05145506 | Secure renegotiation is set while data is not available. |
663326-2 | 3-Major | | Thales HSM: "fipskey.nethsm --export" fails to make stub keys |
662881-2 | 3-Major | K10443875 | L7 mirrored packets from standby to active might cause tmm core when it goes active. |
662085-1 | 3-Major | | iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages |
658214-2 | 3-Major | K20228504 | TCP connections fail intermittently for mirrored fastl4 virtual server |
655793-1 | 3-Major | K04178391 | SSL persistence parsing issues due to SSL / TCP boundary mismatch |
654109-2 | 3-Major | K01102467 | Configuration loading may fail when iRules calling procs in other iRules are deleted |
653511-2 | 3-Major | K45770397 | Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve |
652535-1 | 3-Major | K54443700 | HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented. |
652445-2 | 3-Major | K87541959 | SAN with uppercase names result in case-sensitive match or will not match |
651651-3 | 3-Major | K54604320 | bigd can crash when a DNS response does not match the expected value |
650292-2 | 3-Major | | DNS transparent cache can return non-recursive results for recursive queries |
650152-1 | 3-Major | | Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms |
648954-5 | 3-Major | K01102467 | Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls |
647137 | 3-Major | | bigd/tmm con vCMP guests |
646443-1 | 3-Major | K54432535 | Ephemeral Node may be errantly created in bigd, causing crash |
645058-3 | 3-Major | | Modifying SSL profiles in GUI may fail when key is protected by passphrase |
645036-3 | 3-Major | K85772089 | Removing pool from virtual server does not update its status |
644873-2 | 3-Major | K97237310 | ssldump can fail to decrypt captures with certain TCP segmenting |
644851-2 | 3-Major | | Websockets closes connection on receiving a close frame from one of the peers |
644418-2 | 3-Major | | Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate |
643777-2 | 3-Major | K27629542 | LTM policies with more than one IP address in TCP address match may fail |
643582-2 | 3-Major | | Config load with large ssl profile configuration may cause tmm restart |
641491-2 | 3-Major | K37551222 | TMM core while running iRule LB::status pool poolname member ip port |
640376-3 | 3-Major | | STPD leaks memory on 2000/4000/i2000/i4000 series |
638715-3 | 3-Major | K77010072 | Multiple Diameter monitors to same server ip/port may race on PID file |
632001-1 | 3-Major | | For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys |
627574-1 | 3-Major | | After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft. |
626434-6 | 3-Major | | tmm may be killed by sod when a hardware accelerator does not work |
624805-1 | 3-Major | | ILX node.js process may be restarted if a single operation takes more than 15 seconds |
623940-3 | 3-Major | | SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello |
622017-8 | 3-Major | K54106058 | Performance graph data may become permanently lost after corruption. |
621736-6 | 3-Major | | statsd does not handle SIGCHLD properly in all cases |
620788-1 | 3-Major | K05232247 | FQDN pool created with existing FQDN node has RED status |
618161-1 | 3-Major | | SSL handshake fails when clientssl uses softcard-protected key-certs. |
618121 | 3-Major | | "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★ |
607246-10 | 3-Major | | Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires |
603609-2 | 3-Major | | Policy unable to match initial path segment when request-URI starts with "//" |
602040-3 | 3-Major | | Truncated support ID for HTTP protocol security logging profile |
600614-5 | 3-Major | | External crypto offload fails when SSL connection is renegotiated |
596433-3 | 3-Major | | Virtual with lasthop configured rejects request with no route to client. |
596242-1 | 3-Major | K17065223 | [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record |
595275-5 | 3-Major | | Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN |
593390-4 | 3-Major | | Profile lookup when selected via iRule ('SSL::profile') might cause memory issues. |
589006-5 | 3-Major | | SSL does not cancel pending sign request before the handshake times out or is canceled. |
587705-5 | 3-Major | K98547701 | Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools. |
578573-1 | 3-Major | | SSL Forward Proxy Forged Certificate Signature Algorithm |
563933-4 | 3-Major | | [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs |
536563-7 | 3-Major | | Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets. |
484542-1 | 3-Major | | QinQ tag-mode can be set on unsupported platforms |
668802-3 | 4-Minor | K83392557 | GTM link graphs fail to display in the GUI |
667318-3 | 4-Minor | | BIG-IP DNS/GTM link graphs fail to display in the GUI. |
584210-1 | 4-Minor | | TMM may core when running two simultaneous WebSocket collect commands |
578415-2 | 4-Minor | | Support for hardware accelerated bulk crypto SHA256 missing |
513288-7 | 4-Minor | | Management traffic from nodes being health monitored might cause health monitors to fail. |
462043-2 | 4-Minor | | DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
620903-1 | 2-Critical | | Decreased performance of ICMP attack mitigation. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
636541-3 | 1-Blocking | | DNS Rapid Response filters large datagrams |
667028-1 | 2-Critical | | DNS Express does not run on i11000 platforms with htsplit disabled. |
649564-2 | 2-Critical | | Crash related to GTM monitors with long RECV strings |
663073-1 | 3-Major | | GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list. |
659912-1 | 3-Major | | GSLB Pool Member Manage page display issues and error message |
655807-5 | 3-Major | K40341291 | With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score |
655445-2 | 3-Major | | Provide the ability to globally specify a DSCP value. |
654599-1 | 3-Major | K74132601 | The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed |
648286-2 | 3-Major | | GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button. |
644447-2 | 3-Major | | sync_zones script increasingly consumes memory when there is network connectivity failure |
626141-3 | 3-Major | | DNSX Performance Graphs are not displaying Requests/sec |
615222-1 | 3-Major | | GTM configuration fails to load when it has gslb pool with members containing more than one ":"★ |
605260-1 | 3-Major | | [GUI] Changes cannot be made to GTM listener in partition with default route domain <> 0 |
659969-1 | 4-Minor | | tmsh command for gtm-application disabled contexts does not work with none and replace-all-with |
644220-3 | 4-Minor | K37049259 | Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page |
604371-1 | 4-Minor | | Pagination controls missing for GSLB pool members |
582773-5 | 4-Minor | | DNS server for child zone can continue to resolve domain names after revoked from parent |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
653014-1 | 2-Critical | | Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name |
652200-1 | 2-Critical | K81349220 | Failure to update ASM enforcer about account change. |
638629-2 | 2-Critical | | Bot can be classified as human |
619110-1 | 2-Critical | | Slow to delete URLs, CPU spikes with Automatic Policy Builder |
672695-1 | 3-Major | | Internal perl process listening on all interfaces when ASM enabled |
665905 | 3-Major | K83305000 | Signature System corruption from specific ASU prevents ASU load after upgrade |
664930-2 | 3-Major | | Policy automatic learning mode changes to manual after failover |
655617-1 | 3-Major | K36442669 | Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge |
631444-2 | 3-Major | | Bot Name for ASM Search Engines is case sensitive |
606521-1 | 3-Major | | Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade |
605616-1 | 3-Major | | Creating 256 Fundamental Security policies will result in an out of memory error |
602975-1 | 3-Major | | Unable to update the HTTP URL's "Header-Based Content Profiles" values |
596685-1 | 3-Major | K76841626 | Request Log failure on request with XML format violation |
595900-4 | 3-Major | K11833633 | Cookie Signature overrides may be ignored after Signature Update |
563727-1 | 3-Major | | Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked' |
534247-1 | 3-Major | | Issue a Body in Get sub violation for GET request with content type header |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
604191-1 | 2-Critical | | AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★ |
629573-1 | 3-Major | | No drill-down filter for virtual-servers is mentioned on exported reports when using partition |
603875-2 | 3-Major | | The statistic ASM memory Utilization - bd swap size: stats are wrong |
601536-1 | 3-Major | | Analytics load error stops load of configuration★ |
639395-2 | 4-Minor | K91614278 | AVR does not display 'Max read latency' units. |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
647108-1 | 1-Blocking | | Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction |
679235-5 | 2-Critical | | Inspection Host NPAPI Plugin for Safari cannot be installed |
669341 | 2-Critical | | Category Lookup by Subject.CN will result in a reset |
666454-2 | 2-Critical | K05520115 | Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update |
663506-7 | 2-Critical | K30533350 | apmd crash during ldap cache initialization |
652004-2 | 2-Critical | K45320415 | Show /apm access-info all-properties causes memory leaks in tmm |
662639-2 | 3-Major | | Policy Sync fails when policy object includes FIPS key |
659371-2 | 3-Major | | apmd crashes executing iRule policy evaluate |
658852-5 | 3-Major | | Empty User-Agent in iSessions requests from APM client on Windows |
654513-6 | 3-Major | K11003951 | APM daemon crashes when the LDAP query agent returns empty in its search results. |
649929-1 | 3-Major | | saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it |
648053-1 | 3-Major | | Rewrite plugin may crash on some JavaScript files |
646928-1 | 3-Major | | Landing URI incorrect when changing URI |
645684-2 | 3-Major | | Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting. |
618957-1 | 3-Major | | Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates |
601919-2 | 3-Major | | Custom categories and custom url filter assignment must be specific to partition instead of global lookup |
583272-2 | 3-Major | | "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth |
580567-1 | 3-Major | | LDAP Query agent failed to resolve nested group membership |
551795-1 | 3-Major | | Portal Access: corrections to CORS support for XMLHttpRequest |
550547-2 | 3-Major | | URL including a "token" query results in a connection reset |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
664535-1 | 2-Critical | | Diameter failure: load balancing fails when all pool members use same IP Address |
640407-1 | 2-Critical | K41344483 | Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF |
568545-2 | 2-Critical | K17124802 | iRules commands that refer to a transport-config will fail validation |
559953-1 | 2-Critical | | tmm core on long DIAMETER::host value |
662364-2 | 3-Major | | MRF DIAMETER: IP ToS not passing through with DIAMETER |
644946-2 | 3-Major | K05053251 | Enabling mirroring on SIP or DIAMETER router profile affects per-client connection mode operation |
644565-1 | 3-Major | | MRF Message metadata lost when routing message to a connection on a different TMM |
634078-2 | 3-Major | | MRF: Routing using a virtual with SNAT set to none may select a source port of zero |
624155-2 | 3-Major | | MRF Per-Client mode connections unable to return responses if used by another client connection |
620929-4 | 3-Major | | New iRule command, MR::ignore_peer_port |
353229-2 | 3-Major | K54130510 | Buffer overflows in DIAMETER |
651640-3 | 4-Minor | | queue full dropped messages incorrectly counted as responses |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
670400-3 | 2-Critical | | SSH Proxy public key authentication can be circumvented in some cases |
655470 | 2-Critical | K79924625 | IP Intelligence logging publisher removal can cause tmm crash |
651001-1 | 2-Critical | | massive prints in tmm log: "could not find conf for profile crc" |
650081-1 | 3-Major | K53010710 | FP feature causes the blank page/delay on IE11 |
648617 | 3-Major | | JavaScript challenge repeating in loop when URL has path parameters |
644855-2 | 3-Major | | irules with commands which may suspend processing cannot be used with proactive bot defense |
630356-1 | 3-Major | | JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge |
628351-1 | 3-Major | | Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled |
618902-4 | 3-Major | | PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation |
618656-2 | 3-Major | | JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters |
519612-1 | 3-Major | | JavaScript challenge fails when coming within iframe with different domain than main page |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
658261-2 | 2-Critical | | TMM core after HA during GY reporting |
658148-2 | 2-Critical | K23150504 | TMM core after intra-chassis failover for some instances of subscriber creation |
657632-4 | 2-Critical | | Rarely, if a subscriber delete is performed following HA switchover, tmm may crash |
653285-1 | 2-Critical | | PEM rule deletion with HSL reporting may cause tmm coredump |
652973-2 | 2-Critical | | Coredump observed at system bootup time when many DHCP packets arrive |
650422-2 | 2-Critical | | TMM core after a switchover involving GY quota reporting |
659567-1 | 3-Major | K94685557 | iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions |
652052-3 | 3-Major | | PEM:sessions iRule made the order of parameters strict |
635257-2 | 3-Major | K41151808 | Inconsistencies in Gx usage record creation. |
623037-2 | 3-Major | | delete of pem session attribute does not work after an update |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
676808-2 | 2-Critical | | FPS: tmm may crash on response with large payload from server |
669364-1 | 2-Critical | | TMM core when server responds fast with server responses such as 404. |
669359 | 2-Critical | | WebSafe might cause connections to hang |
674931 | 3-Major | | FPS modified responses/injections might result in a corrupted response |
674909-3 | 3-Major | | Application CSS injection might break when connection is congested |
667872-1 | 3-Major | | Websafe's 'Apply cookies to base domain' feature doesn't work for non-standard ports |
658321-2 | 3-Major | | Websafe features might break in IE8 |
657502-2 | 3-Major | | JS error when leaving page opened for several minutes |
644694 | 3-Major | | FPS security update check ends up with an empty page when error occurs. |
618185-1 | 3-Major | | Mismatch in URL CRC32 calculation |
643602-2 | 4-Minor | | 'Select All' checkbox selects items on hidden pages |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
605123-1 | 2-Critical | | IAppLX objects fail to sync after establishing HA in auto-sync mode★ |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
606316-4 | 1-Blocking | | HTTPS request to F5 licensing server fails |
665778-1 | 2-Critical | K34503519 | Non-admin BIG-IP users can now view/re-deploy iApps through TMUI. |
599424-2 | 2-Critical | | iApps LX fails to sync★ |
632060-1 | 4-Minor | | restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★ |
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
693211-3 | CVE-2017-6168 | K21905460 | CVE-2017-6168 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
664063-1 | 2-Critical | K03203976 | Azure displays failure for deployment of BIG-IP from a Resource Manager template |
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
652151-1 | CVE-2017-6131 | K61757346 | Azure VE: Initialization improvement |
641256-1 | CVE-2016-9257 | K43523962 | APM access reports display error |
623885-4 | CVE-2016-9251 | K41107914 | Internal authentication improvements |
621371-2 | CVE-2016-9257 | K43523962 | Output Errors in APM Event Log |
648865-2 | CVE-2017-6074 | K82508682 | Linux kernel vulnerability: CVE-2017-6074 |
643187-2 | CVE-2017-3135 | K80533167 | BIND vulnerability CVE-2017-3135 |
641445-1 | CVE-2017-6145 | K22317030 | iControl improvements |
641360-2 | CVE-2017-0303 | K30201296 | SOCKS proxy protocol error |
636702-3 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
636699-5 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
631582 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
630475-5 | CVE-2017-6162 | K13421245 | TMM Crash |
628836-4 | CVE-2016-9245 | K22216037 | TMM crash during request normalization |
626360 | CVE-2017-6163 | K22541983 | TMM may crash when processing HTTP2 traffic |
624570-1 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
624526-3 | CVE-2017-6159 | K10002335 | TMM core in mptcp |
624457-5 | CVE-2016-5195 | K10558632 | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
623093-1 | CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320 | K38871451 | TIFF vulnerability CVE-2015-7554 |
620400-1 | CVE-2017-6141 | K21154730 | TMM crash during TLS processing |
610255-1 | CVE-2017-6161 | K62279530 | CMI improvement |
596340-8 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
580026-5 | CVE-2017-6165 | K74759095 | HSM logging error |
648879-2 | CVE-2016-6136 CVE-2016-9555 | K90803619 | Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555 |
641612-2 | CVE-2017-0302 | K87141725 | APM crash |
638137 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 | K51201255 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 |
635412 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
635252-1 | CVE-2016-9256 | K47284724 | CVE-2016-9256 |
631841-7 | CVE-2016-9311 | K55405388 | NTP vulnerability CVE-2016-9311 |
631688-7 | CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 | K55405388 K87922456 K63326092 K51444934 K80996302 | Multiple NTP vulnerabilities |
630150-1 | CVE-2016-9253 | K51351360 | Websockets processing error |
627916-1 | CVE-2017-6144 | K81601350 | Improve cURL Usage |
627907-1 | CVE-2017-6143 | K11464209 | Improve cURL usage |
627747-1 | CVE-2017-6142 | K20682450 | Improve cURL Usage |
625372-5 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
623119 | CVE-2016-4470 | K55672042 | Linux kernel vulnerability CVE-2016-4470 |
622496 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
622126-1 | CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 | K54308010 | PHP vulnerability CVE-2016-7124 |
621337-6 | CVE-2016-7469 | K97285349 | XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469 |
618261-6 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
615267-2 | CVE-2016-2183 | K13167034 | OpenSSL vulnerability CVE-2016-2183 |
613225-7 | CVE-2016-2180 CVE-2016-6306 CVE-2016-6302 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
606710-10 | CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 | K15479471 | Mozilla NSS vulnerability CVE-2016-2834 |
600232-9 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
600223-2 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
599858-7 | CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 | K68785753 | ImageMagick vulnerability CVE-2015-8898 |
635933-3 | CVE-2004-0790 | K23440942 K13361021 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
628832-4 | CVE-2016-6161 | K71581599 | libgd vulnerability CVE-2016-6161 |
622662-7 | CVE-2016-6306 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
609691-1 | CVE-2014-4617 | K21284031 | GnuPG vulnerability CVE-2014-4617 |
600205-9 | CVE-2016-2178 | K53084033 | OpenSSL Vulnerability: CVE-2016-2178 |
600198-2 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
599285-2 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
598002-10 | CVE-2016-2178 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
621937-1 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
621935-6 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
606771-2 | CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 | K35799130 | Multiple PHP vulnerabilities |
601268-5 | CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 | K43267483 | PHP vulnerability CVE-2016-5766 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
653453 | 2-Critical | | ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs. |
628972-2 | 2-Critical | | BMC version 2.51.7 for iSeries appliances |
624831-2 | 2-Critical | | BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps |
616918-1 | 2-Critical | | BMC version 2.50.3 for iSeries appliances |
633723-3 | 3-Major | | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot |
633391-1 | 3-Major | | GUI Error trying to modify IP Data-Group |
609614-3 | 3-Major | | Yafuflash 4.25 for iSeries appliances |
597797-4 | 3-Major | K78449695 | Allow users to disable enforcement of RFC 7057 |
581840-5 | 3-Major | K46576869 | Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ. |
564876-2 | 3-Major | | New DB variable log.lsn.comma changes CGNAT logs to CSV format |
609084-2 | 4-Minor | K03808942 | Max number of chunks not configurable above 1000 chunks |
597270-2 | 4-Minor | | tcpdump support missing for VXLAN-GPE NSH |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
655500 | 1-Blocking | | Rekey SSH sessions after one hour |
642058-1 | 1-Blocking | | CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances |
641390-5 | 1-Blocking | K00216423 | Backslash removal in LTM monitors after upgrade |
627433-1 | 1-Blocking | | HSB transmitter failure on i2x00 and i4x00 platforms |
602830-1 | 1-Blocking | | BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode |
648056-2 | 2-Critical | K16503454 | bcm56xxd core when configuring QinQ VLAN with vCMP provisioned. |
645805 | 2-Critical | | LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address |
641248 | 2-Critical | | IPsec-related tmm segfault |
641013-5 | 2-Critical | | GRE tunnel traffic pinned to one TMM |
638935-3 | 2-Critical | | Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
636918-2 | 2-Critical | | Fix for crash when multiple tunnels use the same traffic selector |
636290 | 2-Critical | | vCMP support for B4450 blade |
627898-2 | 2-Critical | | TMM leaks memory in the ECM subsystem |
625824-1 | 2-Critical | | iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory |
624263-4 | 2-Critical | | iControl REST API sets profile's non-default property value as "none"; properties missing in iControl REST API response |
618779-1 | 2-Critical | | Route updates during IPsec tunnel setup can cause tmm to restart |
616059-1 | 2-Critical | K19545861 | Modifying license.maxcores Not Allowed Error |
614296-1 | 2-Critical | | Dynamic routing process ripd may core |
613536-5 | 2-Critical | | tmm core while running the iRule STATS:: command |
610295-1 | 2-Critical | K32305923 | TMM may crash due to internal backplane inconsistency after reprovisioning |
583516-2 | 2-Critical | | tmm asserts "valid node" on Active after a timer fires. |
567457-2 | 2-Critical | | TMM may crash when changing the IKE peer config. |
652484-2 | 3-Major | | tmsh show net f5optics shows information for only 1 chassis slot in a cluster |
649617-2 | 3-Major | | qkview improvement for OVSDB management |
648544-5 | 3-Major | K75510491 | HSB transmitter failure may occur when global COS queues enabled |
646760 | 3-Major | | Common Criteria Mode Disrupts Administrative SSH Access |
644490-1 | 3-Major | | Finisar 100G LR4 values need to be revised in f5optics |
637559-1 | 3-Major | | Modifying iRule online could cause TMM to be killed by SIGABRT |
636535 | 3-Major | K24844444 | HSB lockup in vCMP guest doesn't generate core file |
635961-1 | 3-Major | | gzipped and truncated files may be saved in qkview |
635129 | 3-Major | | Chassis systems in HA configuration become Active/Active during upgrade★ |
635116-1 | 3-Major | K34100550 | Memory leak when using replicated remote high-speed logging. |
634115-1 | 3-Major | | Not all topology records may sync. |
633879-1 | 3-Major | K52833014 | Fix IKEv1 md5 phase1 hash algorithm so config takes effect |
633512-1 | 3-Major | | HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION. |
633413-1 | 3-Major | | IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI |
631627-4 | 3-Major | | Applying BWC over route domain sometimes results in tmm not becoming ready on system start |
630622-1 | 3-Major | | tmm crash possible if high-speed logging pool member is deleted and reused |
630610-5 | 3-Major | K43762031 | BFD session interface configuration may not be stored on unit state transition |
630546-1 | 3-Major | | Very large core files may cause corrupted qkviews |
629499-9 | 3-Major | | tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found" |
629085-1 | 3-Major | K55278069 | Any CSS content truncated at a quoted value leads to a segfault |
628202-4 | 3-Major | | Audit-forwarder can take up an excessive amount of memory during a high volume of logging |
628164-3 | 3-Major | K20766432 | OSPF with multiple processes may incorrectly redistribute routes |
628009-1 | 3-Major | | f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800 |
627961-3 | 3-Major | K15130343 | nic_failsafe reboot doesn't trigger if HSB fails to disable interface |
627914-1 | 3-Major | | Unbundled 40GbE optics reporting as Unsupported Optic |
627214-3 | 3-Major | | BGP ECMP recursive default route not redistributed to TMM |
626839 | 3-Major | | sys-icheck error for /var/lib/waagent in Azure. |
626721-5 | 3-Major | | "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart |
625703-2 | 3-Major | | SELinux: snmpd is denied access to tmstat files |
625085 | 3-Major | | lasthop rmmod causes kernel panic |
624361-1 | 3-Major | | Responses to some of the challenge JS are not zipped. |
623930-3 | 3-Major | | vCMP guests with vlangroups may loop packets internally |
623401-1 | 3-Major | | Intermittent OCSP request failures due to non-optimal default TCP profile setting |
623336-4 | 3-Major | | After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★ |
623055-1 | 3-Major | | Kernel panic during unic initialization |
622183-5 | 3-Major | | The alert daemon should remove old log files but it does not. |
621909-4 | 3-Major | K23562314 | Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members |
621273-1 | 3-Major | | DSR tunnels with transparent monitors may cause TMM crash. |
620659-3 | 3-Major | | The BIG-IP system may unnecessarily run provisioning on successive reboots |
620366-4 | 3-Major | | Alertd can not open UDP socket upon restart |
617628-1 | 3-Major | | SNMP reports incorrect value for sysBladeTempTemperature OID |
615934-1 | 3-Major | | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. |
615107-1 | 3-Major | | Cannot SSH from AOM/SCCP to host without password (host-based authentication). |
613765-3 | 3-Major | | Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors. |
612809-1 | 3-Major | | Bootup script fails to run on a vCMP guest due to a missing reference file. |
611658-3 | 3-Major | | "less" utility logs an error for remotely authenticated users using the tmsh shell |
611512-1 | 3-Major | | AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name. |
611487-3 | 3-Major | | vCMP: VLAN failsafe does not trigger on guest |
610417-1 | 3-Major | K54511423 | Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported. |
609119-7 | 3-Major | | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: |
608320-3 | 3-Major | | iControl REST API sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response |
604727-1 | 3-Major | | Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★ |
604237-3 | 3-Major | | Vlan allowed mismatch found error in VCMP guest |
604061-2 | 3-Major | | Link Aggregation Control Protocol May Lose Synchronization after TMM Crash |
602376-1 | 3-Major | | qkview excludes files |
598498-7 | 3-Major | | Cannot remove Self IP when an unrelated static ARP entry exists. |
598134-1 | 3-Major | | Stats query may generate an error when tmm on secondary is down |
596067-2 | 3-Major | | GUI on VIPRION hangs on secondary blade reboot |
590211-2 | 3-Major | | jitterentropy-rngd quietly fails to start |
583754-7 | 3-Major | | When TMM is down, executing 'show ltm persist persist-records' results in a blank error message. |
575027-1 | 3-Major | | Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues. |
562928-2 | 3-Major | | Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled |
559080-5 | 3-Major | | High Speed Logging to specific destinations stops from individual TMMs |
557471-3 | 3-Major | | LTM Policy statistics showing zeros in GUI |
543208-1 | 3-Major | | Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★ |
534520-1 | 3-Major | | qkview may exclude certain log files from /var/log |
424542-5 | 3-Major | | tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments |
418349-2 | 3-Major | | Update/overwrite of FIPS keys error |
643404-2 | 4-Minor | K30014507 | 'tmsh system software status' does not display properly in a specific cc-mode situation★ |
636520-3 | 4-Minor | K88813435 | Detail missing from power supply 'Bad' status log messages |
633181-1 | 4-Minor | | A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section |
632668-5 | 4-Minor | | When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds |
632069-3 | 4-Minor | | Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076 |
621957-2 | 4-Minor | | Timezone data on AOM not syncing with host |
617901-1 | 4-Minor | | GUI to handle file path manipulation to prevent GUI instability. |
609107-1 | 4-Minor | | mcpd does not properly validate missing 'sys folder' config in bigip_base.conf |
605420-5 | 4-Minor | | httpd security update - CVE-2016-5387 |
599191-2 | 4-Minor | | One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card |
589379-2 | 4-Minor | K20937139 | ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route. |
585097-1 | 4-Minor | | Traffic Group score formula does not result in unique values. |
541550-3 | 4-Minor | | Defining more than 10 remote-role groups can result in authentication failure |
541320-10 | 4-Minor | K50973424 | Sync of tunnels might cause restore of deleted tunnels. |
500452-8 | 4-Minor | K28520025 | PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware |
642015-2 | 5-Cosmetic | | SSD Manufacturer "unavailable" |
524277-2 | 5-Cosmetic | | Missing power supplies issue a warning message that should be just a notice message. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
651476 | 2-Critical | | bigd may core on non-primary bigd when FQDN in use |
648715-2 | 2-Critical | | BIG-IP i2x00 and i4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0 |
643396-2 | 2-Critical | K34553627 | Using FLOW_INIT iRule may lead to TMM memory leak or crash |
642400-2 | 2-Critical | | Path MTU discovery occasionally fails |
640352-2 | 2-Critical | K01000259 | Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet |
639744-1 | 2-Critical | K84228882 | Memory leak in STREAM::expression iRule |
637181-4 | 2-Critical | | VIP-on-VIP traffic may stall after routing updates |
632685 | 2-Critical | | bigd memory leak for FQDN nodes on non-primary bigd instance |
630306-1 | 2-Critical | | TMM crash in DNS processing on UDP virtual server with no available pool members |
629145-1 | 2-Critical | | External datagroups with no metadata can crash tmm |
628890-1 | 2-Critical | | Memory leak when modifying large datagroups |
627403-2 | 2-Critical | | HTTP2 can crash tmm when stats is updated on aborting of a new connection |
626311-2 | 2-Critical | K75419237 | Potential failure of DHCP relay functionality due to incorrect route lookup. |
625198-1 | 2-Critical | | TMM might crash when TCP DSACK is enabled |
622856-1 | 2-Critical | | BIG-IP may enter SYN cookie mode later than expected |
621870-2 | 2-Critical | | Outage may occur with VIP-VIP configurations |
619663-3 | 2-Critical | K49220140 | Terminating of HTTP2 connection may cause a TMM crash |
619528-4 | 2-Critical | | TMM may accumulate internal events resulting in TMM restart |
619071-3 | 2-Critical | | OneConnect with verified accept issues |
614509-1 | 2-Critical | | iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart |
609027-1 | 2-Critical | | TMM crashes when SSL forward proxy is enabled. |
608304-1 | 2-Critical | K55292305 | TMM crash on memory corruption |
603667-2 | 2-Critical | | TMM may leak or corrupt memory when configuration changes occur with plugins in use |
603082-3 | 2-Critical | | Ephemeral pool members are getting deleted/created over and over again. |
602136-5 | 2-Critical | | iRule drop command causes tmm segfault or still sends 3-way handshake to the server. |
601828-1 | 2-Critical | K13338433 | An untrusted certificate can cause tmm to crash. |
600982-5 | 2-Critical | | TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0" |
599720-2 | 2-Critical | | TMM may crash in bigtcp due to null pointer dereference |
597828-1 | 2-Critical | | SSL forward proxy crashes in some cases |
596450-1 | 2-Critical | | TMM may produce a core file after updating SSL session ticket key |
594642-3 | 2-Critical | | Stream filter may require large allocations by Tcl leading TMM to core on allocation failure. |
581746-1 | 2-Critical | K42175594 | MPTCP or SSL traffic handling may cause a BIG-IP outage |
557358-5 | 2-Critical | | TMM SIGSEGV and crash when memory allocation fails. |
423629-3 | 2-Critical | K08454006 | bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted |
651106 | 3-Major | | memory leak on non-primary bigd with changing node IPs |
649571-1 | 3-Major | | Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello |
648990 | 3-Major | | Serverside SSL renegotiation does not occur after block cipher data limit is exceeded |
641512-4 | 3-Major | K51064420 | DNSSEC key generations fail with lots of invalid SSL traffic |
632324-2 | 3-Major | | PVA stats does not show correct connection number |
629412-3 | 3-Major | | BIG-IP closes a connection when a maximum size window is attempted |
627246-1 | 3-Major | K09336400 | TMM memory leak when ASM policy configured on virtual server |
626386-1 | 3-Major | K28505256 | SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled |
626106-3 | 3-Major | | LTM Policy with illegal rule name loses its conditions and actions during upgrade★ |
625106-2 | 3-Major | | Policy Sync can fail over a lossy network |
624616-1 | 3-Major | | Safenet uninstall is unable to remove libgem.so |
620625-2 | 3-Major | K38094257 | Changes to the Connection.VlanKeyed DB key may not immediately apply |
620079-3 | 3-Major | | Removing route-domain may cause monitors to fail |
619849-4 | 3-Major | | In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled. |
618430-2 | 3-Major | | iRules LX data not included in qkview |
618428 | 3-Major | | iRules LX - Debug mode does not function in dedicated mode |
618254-4 | 3-Major | | Non-zero Route domain is not always used in HTTP explicit proxy |
617858-2 | 3-Major | | bigd core when using Tcl monitors |
616022-2 | 3-Major | K46530223 | The BIG-IP monitor process fails to process timeout conditions |
613326-1 | 3-Major | | SASP monitor improvements |
612694-5 | 3-Major | | TCP::close with no pool member results in zombie flows |
610429-5 | 3-Major | | X509::cert_fields iRule command may leak memory with subpubkey argument |
610302-1 | 3-Major | | Link throughput graphs might be incorrect. |
609244-4 | 3-Major | | tmsh show ltm persistence persist-records leaks memory |
608551-3 | 3-Major | | Half-closed congested SSL connections with unclean shutdown might stall. |
607152-1 | 3-Major | | Large Websocket frames corrupted |
604496-4 | 3-Major | | SQL (Oracle) monitor daemon might hang. |
603979-4 | 3-Major | | Data transfer from the BIG-IP system self IP might be slow |
603723-2 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
603550-1 | 3-Major | | Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats. |
600827-8 | 3-Major | | Stuck Nitrox crypto queue can erroneously be reported |
600593-1 | 3-Major | | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests |
600052-1 | 3-Major | | GUI displaying "Internal Server Error" page when there are many (~3k) certs/keys in the system |
599121-2 | 3-Major | K24036315 | Under heavy load, hardware crypto queues may become unavailable. |
592871-3 | 3-Major | | Cavium Nitrox PX/III stuck queue diagnostics missing. |
591666-3 | 3-Major | | TMM crash in DNS processing on TCP virtual with no available pool members |
589400-1 | 3-Major | | With Nagle disabled, TCP does not send all xfrags with size greater than MSS. |
586738-4 | 3-Major | | The tmm might crash with a segfault. |
584471-1 | 3-Major | | Priority order of clientssl profile selection of virtual server. |
584310-1 | 3-Major | | TCP::collect ignores the 'skip' parameter when used in serverside events |
584029-6 | 3-Major | | Fragmented packets may cause tmm to core under heavy load |
582769-1 | 3-Major | K99405272 | WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual |
579926-1 | 3-Major | | HTTP starts dropping traffic for a half-closed connection when in passthrough mode |
568543-4 | 3-Major | | Syncookie mode is activated on wildcard virtuals |
562267-3 | 3-Major | | FQDN nodes do not support monitor alias destinations. |
517756-6 | 3-Major | | Existing connections can choose incorrect route when crossing non-strict route-domains |
509858-5 | 3-Major | K36300805 | BIG-IP FastL4 profile vulnerability |
419741-3 | 3-Major | | Rare crash with vip-targeting-vip and stale connections on VIPRION platforms |
352957-4 | 3-Major | K03005026 | Route lookup after change in route table on established flow ignores pool members |
660170-1 | 4-Minor | K28505910 | tmm may crash at ~75% of VLAN failsafe timeout expiration |
631862-1 | 4-Minor | K32107573 | Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk |
618517-1 | 4-Minor | K61255401 | bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring |
611161-3 | 4-Minor | K28540353 | VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default. |
587966-1 | 4-Minor | K77283304 | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
583943-1 | 4-Minor | K27491104 | Forward proxy does not work when netHSM is configured on TMM interfaces |
574020-5 | 4-Minor | | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
621115-1 | 2-Critical | | IP/IPv6 TTL/hoplimit may not be preserved for host traffic |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
642039-2 | 2-Critical | | TMM core when persist is enabled for wideip with certain iRule commands triggered. |
584374-2 | 2-Critical | K67622400 | iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address. |
642330-2 | 3-Major | | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
640903-1 | 3-Major | | Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen |
632423-4 | 3-Major | | DNS::query can cause tmm crash if AXFR/IXFR types specified. |
629530-2 | 3-Major | K53675033 | Under certain conditions, monitors do not time out. |
628897-1 | 3-Major | | Add Hyperlink to gslb server and vs on the Pool Member List Page |
625671-4 | 3-Major | | The diagnostic tool dnsxdump may crash with non-standard DNS RR types. |
624876-1 | 3-Major | | Response Policy Zones can trigger even after entry removed from zone |
624193-2 | 3-Major | | Topology load balancing not working as expected |
623023-1 | 3-Major | | Unable to set DNS Topology Continent to Unknown via GUI |
621239-2 | 3-Major | | Certain DNS queries bypass DNS Cache RPZ filter. |
620215-5 | 3-Major | | TMM out of memory causes core in DNS cache |
619398-7 | 3-Major | | TMM out of memory causes core in DNS cache |
612769-1 | 3-Major | K33842313 | Hard to use search capabilities on the Pool Members Manage page. |
601180-2 | 3-Major | K73505027 | Link Controller base license does not allow DNS namespace iRule commands.★ |
567743-2 | 3-Major | K70663134 | Possible gtmd crash under certain conditions. |
557434-4 | 3-Major | | After setting a Last Resort Pool on a Wide IP, cannot reset back to None |
366695-1 | 5-Cosmetic | | Remove managers' create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology; these operations error incorrectly and return a database error when performed |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
646511-1 | 2-Critical | | BD crashes repeatedly after interrupted roll-forward upgrade★ |
636397-1 | 2-Critical | | bd cores when persistent storage is configured and under some memory conditions. |
634001-2 | 2-Critical | | ASM restarts after deleting a VS that has an ASM security policy assigned to it |
627117-1 | 2-Critical | | crash with wrong certificate in WSS |
625783-1 | 2-Critical | | Chassis sync fails intermittently due to sync file backlog |
618771-1 | 2-Critical | | Some Social Security Numbers are not being masked |
601378-2 | 2-Critical | | Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons |
584082-3 | 2-Critical | | BD daemon crashes unexpectedly |
540928-1 | 2-Critical | | Memory leak due to unnecessary logging profile configuration updates. |
640824-1 | 3-Major | K20770267 | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ |
635754-1 | 3-Major | K65531575 | Wildcard URL pattern match works incorrectly in Traffic Learning |
632344-2 | 3-Major | | POP DIRECTIONAL FORMATTING causes false positive |
632326-2 | 3-Major | K52814351 | relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation |
631737-1 | 3-Major | K61367823 | ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations |
630929-1 | 3-Major | K69767100 | Attack signature exception list upload times out and fails |
627360-1 | 3-Major | | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ |
625832-4 | 3-Major | | A false positive modified domain cookie violation |
622913-2 | 3-Major | | Audit Log filled with constant change messages |
621524-2 | 3-Major | | Processing Timeout When Viewing a Request with 300+ Violations |
620635-2 | 3-Major | | Request having upper case JSON login parameter is not detected as a failed login attempt |
611151-2 | 3-Major | | An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive |
608245 | 3-Major | | Reporting missing parameter details when attack signature is matched against parameter value |
581406-1 | 3-Major | | SQL Error on Peer Device After Receiving ASM Sync in a Device Group |
580168-4 | 3-Major | | Information missing from ASM event logs after a switchboot and switchboot back |
576591-6 | 3-Major | | Support for some future credit card number ranges |
572885-1 | 3-Major | | Policy automatic learning mode changes to manual after failover |
392121-3 | 3-Major | | TMSH Command to retrieve the memory consumption of the bd process |
642874-1 | 4-Minor | K15329152 | Ready to be Enforced filter for Policy Signatures returns too many signatures |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
634215-1 | 2-Critical | | False detection of attack after restarting dosl7d |
573764-1 | 2-Critical | | In some cases, only the primary blade retains its statistics after upgrade on a multi-bladed system |
642221-2 | 3-Major | | Incorrect entity is used when exporting TCP analytics from GUI |
641574 | 3-Major | K06503033 | AVR doesn't report on virtual and client IP in DNS statistics |
635561-1 | 3-Major | | Heavy URLs statistics are not shown after upgrade. |
631722 | 3-Major | | Some HTTP statistics not displayed after upgrade |
631131-3 | 3-Major | | Some stats in tmstat-adapter-based reports are incorrect |
605010-1 | 3-Major | | Thrift::TException error |
560114-6 | 3-Major | | Monpd is being affected by an I/O issue which makes some of its threads freeze |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
645339-2 | 1-Blocking | | TMM may crash when processing APM data |
637308-8 | 2-Critical | K41542530 | apmd may crash when HTTP Auth agent is used in an Access Policy |
632005-1 | 2-Critical | | BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes |
622244-2 | 2-Critical | | Edge client can fail to upgrade when always connected is selected |
617310-2 | 2-Critical | | Edge client can fail to upgrade when Always Connected is selected★ |
614322-1 | 2-Critical | K31063537 | TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway |
608424-2 | 2-Critical | | Dynamic ACL agent error log message contains garbage data |
608408-2 | 2-Critical | | TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library |
593078-1 | 2-Critical | | CATEGORY::filetype command may cause tmm to crash and restart |
643547-1 | 3-Major | K43036745 | APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP |
638799-1 | 3-Major | | Per-request policy branch expression evaluation fails |
638780-3 | 3-Major | | Handle 302 redirects for VMware Horizon View HTML5 client |
636044-1 | 3-Major | K68018520 | Large number of glob patterns affects custom category lookup performance |
634576 | 3-Major | K48181045 | TMM core in per-request policy |
634252 | 3-Major | K99114539 | TMM crash with per-request policy in SWG explicit |
632504-1 | 3-Major | K31277424 | APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list |
632499-1 | 3-Major | K70551821 | APM Policy Sync: Resources under webtop section are not sync'ed automatically |
632472-1 | 3-Major | | Frequently logged "Silent flag set - fail" messages |
632386-1 | 3-Major | | EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists |
630571-1 | 3-Major | K35254214 | Edge Client on Mac OSX Sierra stuck in a reconnect loop |
629801-2 | 3-Major | | Access policy is applied automatically on target device after policy sync, when there is also a FODG in the trust domain. |
629698-1 | 3-Major | | Edge client stuck on "Initializing" state |
629069-2 | 3-Major | | Portal Access may delete scripts from HTML page in some cases |
628687-2 | 3-Major | | Edge Client reconnection issues with captive portal |
628685-2 | 3-Major | K79361498 | Edge Client shows several security warnings after roaming to a network with Captive Portal |
627972-2 | 3-Major | K11327511 | Unable to save advanced customization when using Exchange iApp |
627059-1 | 3-Major | | In some rare cases TMM may crash while handling VMware View client connection |
626910-1 | 3-Major | | Policy with assigned SAML Resource is exported with error |
625474-1 | 3-Major | | POST request body is not saved in session variable by access when request is sent using edge client |
625159-1 | 3-Major | | Policy sync status not shown on standby device in HA case |
624966-2 | 3-Major | | Edge client starts new APM session when Captive portal session expires |
623562-3 | 3-Major | | Large POSTs rejected after policy already completed |
622790-1 | 3-Major | | EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP |
621976-4 | 3-Major | | OneDrive for Business thick client shows JavaScript errors when rendering APM logon page |
621974-4 | 3-Major | | Skype For Business thick client shows JavaScript errors when rendering APM logon page |
621447-1 | 3-Major | | In some rare cases, VDI may crash |
621210-2 | 3-Major | | Policy sync shows as aborted even if it is completed |
621126-2 | 3-Major | | Import of config with saml idp connector with reuse causes certificate not found error |
620829-2 | 3-Major | | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
620801-3 | 3-Major | | Access Policy is not able to check device posture for Android 7 devices |
620614-4 | 3-Major | | Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account |
619879-1 | 3-Major | | HTTP iRule commands could lead to WEBSSO plugin being invoked |
619811-2 | 3-Major | | Machine Cert OCSP check fails with multiple Issuer CA |
619486-3 | 3-Major | | Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self |
619473-2 | 3-Major | | Browser may hang at APM session logout |
618170-3 | 3-Major | | Some URL unwrapping functions can behave badly |
617063-1 | 3-Major | | After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel |
617002-1 | 3-Major | | SWG with Response Analytics agent in a Per-Request policy fails with some URLs |
616838-3 | 3-Major | | Citrix Remote desktop resource custom parameter name does not accept hyphen character |
615970-1 | 3-Major | | SSO logging level may cause failover |
615254-2 | 3-Major | | Network Access Launch Application item fails to launch in some cases |
612419-1 | 3-Major | | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) |
611968-3 | 3-Major | | JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow |
611669-4 | 3-Major | | Mac Edge Client customization is not applied on macOS 10.12 Sierra |
610180-2 | 3-Major | | Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin. |
597214-5 | 3-Major | | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
595819-1 | 3-Major | | Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2-enabled browser and HTTP/2 profile attached. |
595272-1 | 3-Major | | Edge client may show a window displaying plain text in some cases |
591246-1 | 3-Major | | Unable to launch View HTML5 connections in non-zero route domain virtual servers |
584582-1 | 3-Major | | JavaScript: 'baseURI' property may be handled incorrectly |
570217-2 | 3-Major | | BIG-IP APM now uses Airwatch v2 API to retrieve device posture information |
533956-3 | 3-Major | K30515450 | Portal Access: Space-like characters in EUC character sets may be handled incorrectly. |
503842-4 | 3-Major | | Microsoft WebService HTML component does not work after rewriting |
640521-1 | 4-Minor | | EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices |
636254-2 | 4-Minor | | Cannot reinitiate a sync on a target device when sync is completed |
618404-1 | 4-Minor | | Access Profile copying might end up in invalid way if series of names. |
606257-3 | 4-Minor | K56716107 | TCP FIN sent with Connection: Keep-Alive header for webtop page resources |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
630661-2 | 3-Major | K30241432 | WAM may leak memory when a WAM policy node has multiple variation header rules |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
644970-1 | 2-Critical | | Editing a virtual server config loses SSL encryption on iSession connections |
644489-1 | 3-Major | K14899014 | Unencrypted iSession connection established even though data-encrypt configured in profile |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
639236-1 | 2-Critical | K66947004 | Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute |
624023-3 | 2-Critical | | TMM cores in iRule when accessing a SIP header that has no value |
569316-1 | 2-Critical | | Core occurs on standby in MRF when routing to a route using a transport config |
649933-1 | 3-Major | | Fragmented RADIUS messages may be dropped |
629663-1 | 3-Major | K23210890 | CGNAT SIP ALG will drop SIP INVITE |
625542-1 | 3-Major | | SIP ALG with Translation fails for REGISTER refresh. |
625098-3 | 3-Major | | SCTP::local_port iRule not supported in MRF events |
601255-4 | 3-Major | | RTSP response to SETUP request has incorrect client_port attribute |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
632731-2 | 2-Critical | | Specific external logging configuration can cause TMM service restart |
628623-1 | 2-Critical | | tmm core with AFM provisioned |
639193-1 | 3-Major | K03453591 | BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail. |
631025-1 | 3-Major | | 500 internal error on inline rule editor for certain firewall policies |
626438-1 | 3-Major | | Frame is not showing in the browser and/or an error appears |
614563-3 | 3-Major | | AVR TPS calculation is inaccurate |
610129-3 | 3-Major | K43320840 | Config load failure when cluster management IP is not defined, but instead uses address-list. |
592113-5 | 3-Major | | tmm core on the standby unit with DoS vectors configured |
590805-4 | 3-Major | | Active Rules page displays a different time zone. |
583024-1 | 3-Major | | TMM restarts rarely during startup |
431840-3 | 3-Major | | Cannot add VLANs to whitelist if they contain a hyphen |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
627257-2 | 2-Critical | | Potential PEM crash during a Gx operation |
626851-2 | 2-Critical | K37665112 | Potential crash in a multi-blade chassis during CMP state changes. |
624744-1 | 2-Critical | | Potential crash in a multi-blade chassis during CMP state changes. |
624733-1 | 2-Critical | | Potential crash in a multi-blade chassis during CMP state changes. |
624228-1 | 2-Critical | | Memory leak when using insert action in PEM rule and flow gets aborted |
623922-5 | 2-Critical | K64388805 | TMM failure in PEM while processing Service-Provider Disaggregation |
641482-2 | 3-Major | | Subscriber remains in delete-pending state until a CCR-T ack with a success result code is received |
640510-3 | 3-Major | | BWC policy category attachment may fail during a PEM policy update for a subscriber. |
640457-2 | 3-Major | | Session creation failure after HA |
635233-3 | 3-Major | K80902149 | Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages |
630611-1 | 3-Major | K84324392 | PEM module crash when subscriber not found |
627798-3 | 3-Major | | Buffer length check for quota bucket objects |
627279-2 | 3-Major | | Potential crash in a multi-blade chassis during CMP state changes. |
623927-2 | 3-Major | K41337253 | Flow entry memory leaked after DHCP DORA process |
564281-3 | 3-Major | | TMM (debug) assert seen during failover with Gy |
628869-4 | 4-Minor | | Unconditional logs seen due to the presence of a PEM iRule. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
609788 | 2-Critical | | PCP may pick an endpoint outside the deterministic mapping |
642284 | 3-Major | | Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption. |
629871-2 | 3-Major | | FTP ALG deployment should not rewrite PASV response in 464XLAT cases |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
639750-1 | 2-Critical | | Username aliases are not supported |
636370 | 3-Major | | Application Layer Encryption AJAX support |
629627-1 | 3-Major | | FPS Log Publisher is not grouped nor filtered by partition |
629127-1 | 3-Major | | Parent profiles cannot be saved using FPS GUI |
628348-1 | 3-Major | | Cannot configure any Mobile Security list having 11 records or more via the GUI |
628337-1 | 3-Major | | Forcing a single injected tag configuration is restrictive |
625275-1 | 3-Major | | Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI |
624198-1 | 3-Major | | Unable to add multiple User-Defined alerts with the same search category |
623518-1 | 3-Major | | Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition |
594127-2 | 3-Major | | Pages using Angular may hang when Websafe is enabled |
635541 | 4-Minor | | "Application CSS Locations" is not inherited if changing parent profile |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
625172-1 | 2-Critical | | tmm crashes when classification is enabled and FTP traffic is flowing through the box |
631472-1 | 3-Major | | Resetting classification signatures to default may result in non-working configuration |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
606518-3 | 2-Critical | | iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username. |
642983-1 | 3-Major | K94534313 | Update to max message size limit sometimes does not take effect |
629845-2 | 3-Major | | Disallowing TLSv1 connections to HTTP causes iControl/REST issues |
626542-2 | 3-Major | | Unable to set maxMessageBodySize in iControl REST after upgrade★ |
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
618306-2 | CVE-2016-9247 | K33500120 | TMM vulnerability CVE-2016-9247 |
616864-1 | CVE-2016-2776 | K18829561 | BIND vulnerability CVE-2016-2776 |
613282-2 | CVE-2016-2086, CVE-2016-2216, CVE-2016-1669 | K15311661 | NodeJS vulnerability CVE-2016-2086 |
611469-3 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
597394-2 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
591328-7 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591325-8 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 |
591042-17 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
560109-7 | CVE-2017-6160 | K19430431 | Client capabilities failure |
618549-1 | CVE-2016-9249 | K71282001 | Fast Open can cause TMM crash CVE-2016-9249 |
618263-1 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
614147-1 | CVE-2017-6157 | K02692210 | SOCKS proxy defect resolution |
614097-1 | CVE-2017-6157 | K02692210 | HTTP Explicit proxy defect resolution |
607314-1 | CVE-2016-3500 CVE-2016-3508 | K25075696 | Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508 |
605039-3 | CVE-2016-2775 | K92991044 | lwresd and bind vulnerability CVE-2016-2775 |
601059-6 | CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 | K14614344 | libxml2 vulnerability CVE-2016-1840 |
599536-1 | CVE-2017-6156 | K05263202 | IPsec peer with wildcard selector brings up wrong phase2 SAs |
597023-1 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
595242-1 | CVE-2016-3705 | K54225343 | libxml2 vulnerabilities CVE-2016-3705 |
595231-1 | CVE-2016-3627 | K54225343 | libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705 |
594496-1 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
593447-1 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
592485 | CVE-2015-5157 CVE-2015-8767 | K17326 | Linux kernel vulnerability CVE-2015-5157 |
592001-1 | CVE-2016-4071 CVE-2016-4073 | K64412100 | CVE-2016-4073 PHP vulnerabilities |
591455-7 | CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 | K24613253 | NTP vulnerability CVE-2016-2516 |
591447-1 | CVE-2016-4070 | K42065024 | PHP vulnerability CVE-2016-4070 |
591358-1 | CVE-2016-3425 CVE-2016-0695 CVE-2016-3427 | K81223200 | Oracle Java SE vulnerability CVE-2016-3425 |
585424-1 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
580747-1 | CVE-2016-0739 | K57255643 | libssh vulnerability CVE-2016-0739 |
557190-3 | CVE-2017-6166 | K65615624 | 'packet_free: double free!' tmm core |
597010-1 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
596997-1 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
591767-8 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
591438-7 | CVE-2015-8865 | K54924436 | PHP vulnerability CVE-2015-8865 |
575629-3 | CVE-2015-8139 | K00329831 | NTP vulnerability: CVE-2015-8139 |
573343-1 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
615377-3 | 3-Major | | Unexpected rate limiting of unreachable and ICMP messages for some addresses. |
590122-2 | 3-Major | | Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate the TLS specification. |
581438-2 | 3-Major | | Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision. |
561348-7 | 3-Major | | krb5.conf file is not synchronized between blades and not backed up |
541549-2 | 3-Major | | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
530109-3 | 3-Major | | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
246726-1 | 3-Major | K8940 | System continues to process virtual server traffic after disabling virtual address |
599839-3 | 4-Minor | | Add new keywords to SIP::persist command to specify how Persistence table is updated |
591733-4 | 4-Minor | K83175883 | Save on Auto-Sync is missing from the configuration utility. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
625784 | 1-Blocking | | TMM crash on i4x00 and i2x00 platforms with large ASM configuration. |
617622 | 1-Blocking | | In TM Shell, saving the AAM configuration removes the value from a matching rule, causing system configuration loading failure |
621422 | 2-Critical | | i2000 and i4000 series appliances do not warn when an incorrect optic is in a port |
620056-1 | 2-Critical | | Assert on deletion of paired in-and-out IPsec traffic selectors |
617935 | 2-Critical | | IKEv2 VPN tunnels fail to establish |
617481-1 | 2-Critical | | TMM can crash when HTML minification is configured |
614865-5 | 2-Critical | | Overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors. |
610354-1 | 2-Critical | | TMM crash on invalid memory access to loopback interface stats object |
605476-3 | 2-Critical | | statsd can core when reading corrupt stats files. |
601527-4 | 2-Critical | | mcpd memory leak and core |
600894-1 | 2-Critical | | In certain situations, the MCPD process can leak memory |
598748 | 2-Critical | | IPsec AES-GCM IVs are now based on a monotonically increasing counter |
598697-1 | 2-Critical | | vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★ |
595712-1 | 2-Critical | | Not able to add remote user locally |
591495-2 | 2-Critical | | vCMP guests' sFlow agent can crash due to duplicate VLAN interface indices |
591104-1 | 2-Critical | | ospfd cores due to an incorrect debug statement. |
588686 | 2-Critical | | High-speed logging to remote logging node stops sending logs after all logging nodes go down |
587698-3 | 2-Critical | | bgpd crashes when ip extcommunity-list standard with route target (rt) and Site-of-origin (soo) parameters are configured |
585745-2 | 2-Critical | | sod core during upgrade from 10.x to 12.x. |
583936-5 | 2-Critical | | Removing ECMP route from BGP does not clear route from NSM |
557680-4 | 2-Critical | | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
355806-7 | 2-Critical | | Starting mcpd manually at the command line interferes with running mcpd |
622877-1 | 3-Major | | i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away |
622199 | 3-Major | | sys-icheck reports error with /var/lib/waagent |
622194 | 3-Major | | sys-icheck reports error with ssh_host_rsa_key |
621423 | 3-Major | | sys-icheck reports error with /config/ssh/ssh_host_dsa_key |
621242-1 | 3-Major | | Reserve enough space in the image for future upgrades. |
621225 | 3-Major | | LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0" |
620782 | 3-Major | | Azure cloud now supports hourly billing |
619410-1 | 3-Major | | TMM hardware accelerated compression not registering for all compression levels. |
617986-2 | 3-Major | | Memory leak in snmpd |
617229-1 | 3-Major | K54245014 | Local policy rule descriptions disappear when policy is re-saved |
616242-3 | 3-Major | K39944245 | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
614530-2 | 3-Major | | Dynamic ECMP routes missing from Linux host |
614180-1 | 3-Major | | ASM is not available in LTM policy when ASM is licensed as the main active module |
610441-3 | 3-Major | | When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received. |
610352-1 | 3-Major | | sys-icheck reports error with /etc/sysconfig/modules/unic.modules |
610350-1 | 3-Major | | sys-icheck reports error with /config/bigpipe/defaults.scf |
610273-3 | 3-Major | | Not possible to do targeted failover with HA Group configured |
605894-3 | 3-Major | | Remote authentication for BIG-IP users can fail |
603149-2 | 3-Major | | Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy |
602854-8 | 3-Major | | Missing ASM control option from LTM policy rule screen in the Configuration utility |
602502-2 | 3-Major | | Unable to view the SSL Cert list from the GUI |
601989-3 | 3-Major | K88516119 | Remote LDAP system authenticated username is case sensitive★ |
601893-2 | 3-Major | | TMM crash in bwc_ctb_instance_recharge because pkts_avg_size is zero. |
601502-4 | 3-Major | | Excessive OCSP traffic |
600558-5 | 3-Major | | Errors logged after deleting user in GUI |
599816-2 | 3-Major | | Packet redirections occur when using VLAN groups with members that have different cmp-hash settings. |
598443-1 | 3-Major | | Temporary files from TMSH not being cleaned up intermittently. |
598039-6 | 3-Major | | MCP memory may leak when performing a wildcard query |
597729-5 | 3-Major | | Errors logged after deleting user in GUI |
596104-1 | 3-Major | K84539934 | HA trunk unavailable for vCMP guest★ |
595773-4 | 3-Major | | Cancellation requests for chunked stats queries do not propagate to secondary blades |
594426-2 | 3-Major | | Audit forwarding RADIUS packets may be rejected by RADIUS server |
592870-2 | 3-Major | | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
592320-5 | 3-Major | | ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1 |
589083-2 | 3-Major | | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. |
586878-4 | 3-Major | | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ |
585833-3 | 3-Major | | Qkview will abort if /shared partition has less than 2GB free space |
585547-1 | 3-Major | K58243048 | NTP configuration items are no longer collected by qkview★ |
585485-3 | 3-Major | | Interoperability of "delete IPSEC-SA" between Azure, ASA, and the BIG-IP system |
584583-3 | 3-Major | | Timeout error when using the REST API to retrieve large amount of data |
583285-5 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
582084-1 | 3-Major | | BWC policy in device sync groups. |
580500-1 | 3-Major | | /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed. |
578551-5 | 3-Major | | bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot |
576305-7 | 3-Major | | Potential MCPd leak in IPSEC SPD stats query code |
575649-5 | 3-Major | | MCPd might leak memory in IPFIX destination stats query |
575591-6 | 3-Major | | Potential MCPd leak in IKE message stats query code |
575589-5 | 3-Major | | Potential MCPd leak in IKE event stats query code |
575587-7 | 3-Major | | Potential MCPd leak in BWC policy class stats query code |
575176-1 | 3-Major | | SYN cookie cache statistics on ePVA-enabled devices are incremented with UDP traffic |
575066-1 | 3-Major | | Management DHCP settings do not take effect |
570818-4 | 3-Major | | Address lease-pool in IKEv2 might interfere with IKEv2 negotiations. |
568672-1 | 3-Major | | Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI |
566507-4 | 3-Major | | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment |
553795-7 | 3-Major | | Differing certificate/key after successful config-sync |
547479-5 | 3-Major | | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted |
546145-1 | 3-Major | | Creating local user for previously remote user results in incomplete user definition. |
540872-1 | 3-Major | | Config sync fails after creating a partition. |
527206-5 | 3-Major | | Management interface may flap due to LOP sync error |
393270-1 | 3-Major | | Configuration utility may become non-responsive or fail to load. |
618421 | 4-Minor | | Some mass storage is left unused |
617124 | 4-Minor | | Cannot map hardware type (12) to HardwareType enumeration |
581835-1 | 4-Minor | | Command failing: tmsh show ltm virtual vs_name detail. |
567546-1 | 4-Minor | | Files with file names larger than 100 characters are omitted from qkview |
564771-1 | 4-Minor | | cron sends purge_mysql_logs.pl email error on LTM-only device |
564522-2 | 4-Minor | K40547220 | cron is configured with MAILTO=root but mailhost defaults to 'mail' |
559837-4 | 4-Minor | | Misleading error message in catalina.out when listing certificates. |
551349-5 | 4-Minor | K80203854 | Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★ |
460833-5 | 4-Minor | | MCPD sync errors and restart after multiple modifications to file object in chassis |
572133-5 | 5-Cosmetic | | tmsh save /sys ucs command sends status messages to stderr |
442231-4 | 5-Cosmetic | | Pendsect log entries have an unexpected severity |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618905-1 | 1-Blocking | | tmm core while installing SafeNet 6.2 client |
616215-4 | 2-Critical | | TMM can core when using LB::detach and TCP::notify commands in an iRule |
615388-1 | 2-Critical | | L7 policies using normalized HTTP URI or Referrer operands may corrupt memory |
612229-1 | 2-Critical | | TMM may crash if a disable action in an LTM Policy is not last |
609628-2 | 2-Critical | | CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session |
609199-6 | 2-Critical | | Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join |
608555-1 | 2-Critical | | Configuring asymmetric routing with a VE rate limited license will result in tmm crash |
607724-2 | 2-Critical | K25713491 | TMM may crash when in Fallback state. |
607524-2 | 2-Critical | | Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down. |
607360-5 | 2-Critical | | SafeNet 6.2 library missing after upgrade★ |
606573-3 | 2-Critical | | FTP traffic does not work through SNAT when configured without Virtual Server★ |
605865-4 | 2-Critical | | Debug TMM produces core on certain ICMP PMTUD packets |
604133-2 | 2-Critical | | Ramcache may leave the HTTP Cookie Cache in an inconsistent state |
603032-1 | 2-Critical | | clientssl profiles with sni-default enabled may leak X509 objects |
602326-1 | 2-Critical | | Intermittent pkcs11d core when installing SafeNet 6.2 software |
599135-2 | 2-Critical | | B2250 blades may suffer from high TMM CPU utilisation with tcpdump |
588959-2 | 2-Critical | K34453301 | TMM may crash or behave abnormally on a Standby BIG-IP unit |
588351-5 | 2-Critical | | IPv6 fragments are dropped when packet filtering is enabled. |
586449-1 | 2-Critical | | Incorrect error handling in HTTP cookie results in core when TMM runs out of memory |
584213-1 | 2-Critical | | Transparent HTTP profiles cannot have iRules configured |
575011-1 | 2-Critical | K21137299 | Memory leak. Nitrox3 Hang Detected. |
574880-3 | 2-Critical | | Excessive failures observed when connection rate limit is configured on a fastl4 virtual server. |
549329-3 | 2-Critical | K02020031 | L7 mirrored ACK from standby to active box can cause tmm core on active |
545810-3 | 2-Critical | K14304373 | TMM halts and restarts |
459671-4 | 2-Critical | | iRules source different procs from different partitions and execute the incorrect proc. |
617862-2 | 3-Major | | Fastl4 handshake timeout is absolute instead of relative |
617824-3 | 3-Major | | "SSL::disable/enable serverside" + oneconnect reuse is broken |
615143-1 | 3-Major | | VDI plugin-initiated connections may select inappropriate SNAT address |
613429-2 | 3-Major | | Unable to assign wildcard wide IPs to various BIG-IP DNS objects. |
613369-4 | 3-Major | | Half-Open TCP Connections Not Discoverable |
613079-4 | 3-Major | | Diameter monitor watchdog timeout fires after only 3 seconds |
613065-1 | 3-Major | | User can't generate netHSM key with SafeNet 6.2 client using GUI |
612040-4 | 3-Major | | Statistics added for all crypto queues |
611320-3 | 3-Major | | Mirrored connection on Active unit of HA pair may be unexpectedly torn down |
610609-3 | 3-Major | | Total connections in bigtop, SNMP are incorrect |
608024-3 | 3-Major | | Unnecessary DTLS retransmissions occur during handshake. |
607803-3 | 3-Major | K33954223 | DTLS client (serverssl profile) fails to complete resumed handshake. |
607304-5 | 3-Major | | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. |
606940-3 | 3-Major | | Clustered Multiprocessing (CMP) peer connection may not be removed |
606575-6 | 3-Major | | Request-oriented OneConnect load balancing ends when the server returns an error status code. |
606565-2 | 3-Major | K52231531 | TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection |
604977-2 | 3-Major | K08905542 | Wrong alert when DTLS cookie size is 32 |
603236-1 | 3-Major | | 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware |
602385-1 | 3-Major | | Add zlib compression |
602366-1 | 3-Major | | SafeNet 6.2 HA performance |
602358-5 | 3-Major | | BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version |
601496-4 | 3-Major | | iRules and OCSP Stapling |
601178-6 | 3-Major | | HTTP cookie persistence 'preferred' encryption |
598874-2 | 3-Major | | GTM Resolver sends FIN after SYN retransmission timeout |
597978-2 | 3-Major | | GARPs may be transmitted by active going offline |
597879-1 | 3-Major | | CDG Congestion Control can lead to instability |
597532-1 | 3-Major | | iRule: RADIUS avp command returns a signed integer |
597089-8 | 3-Major | | Connections are terminated after 5 seconds when using ePVA full acceleration |
593530-6 | 3-Major | | In rare cases, connections may fail to expire |
592784-2 | 3-Major | | Compression stalls, does not recover, and compression facilities cease. |
592497-1 | 3-Major | | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. |
591659-5 | 3-Major | K47203554 | Server shutdown is propagated to client after X-Cnection: close transformation. |
591476-7 | 3-Major | K53220379 | Stuck crypto queue can erroneously be reported |
591343-5 | 3-Major | K03842525 | SSL::sessionid output is not consistent with the sessionid field of ServerHello message. |
589223-1 | 3-Major | | TMM crash and core dump when processing SSL protocol alert. |
588115-1 | 3-Major | | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw |
588089-3 | 3-Major | | SSL resumed connections may fail during mirroring |
587016-3 | 3-Major | | SIP monitor in TLS mode marks pool member down after positive response. |
585813-3 | 3-Major | | SIP monitor with TLS mode fails to find cert and key files. |
585412-4 | 3-Major | | SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines |
583957-6 | 3-Major | | The TMM may hang handling pipelined HTTP requests with certain iRule commands. |
582465-1 | 3-Major | | Cannot generate key after SafeNet HSM is rebooted |
580303-5 | 3-Major | | When going from active to offline, tmm might send a GARP for a floating address. |
579843-1 | 3-Major | | tmrouted may not re-announce routes after a specific succession of failover states |
579371-4 | 3-Major | K70126130 | BIG-IP may generate ARPs after transition to standby |
578951-2 | 3-Major | | TCP Fast Open connection timeout during handshake does not decrement pre_established_connections |
572281-5 | 3-Major | | Variable values in the nested script of a foreach command get reset when there is a parking command in the script |
570057-2 | 3-Major | | Can't install more than 16 SafeNet HSMs in its HA group |
569288-6 | 3-Major | | Different LACP key may be used in different blades in a chassis system, causing trunking failures |
565799-4 | 3-Major | | CPU usage increases when using masquerade addresses |
551208-6 | 3-Major | | Nokia alarms are not deleted due to the outdated alert_nokia.conf. |
550161-4 | 3-Major | | Networking devices might block a packet that has a TTL value higher than 230. |
545796-5 | 3-Major | | [iRule] [Stats] iRule is not generating any stats for executed iRules. |
545450-5 | 3-Major | | Log activation/deactivation of TM.TCPMemoryPressure |
537553-8 | 3-Major | | tmm might crash after modifying virtual server SSL profiles in SNI configuration |
534457-4 | 3-Major | | Dynamically discovered routes might fail to remirror connections. |
530266-7 | 3-Major | | Rate limit configured on a node can be exceeded |
506543-5 | 3-Major | | Disabled ephemeral pool members continue to receive new connections |
483953-1 | 3-Major | | Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value. |
472571-7 | 3-Major | | Memory leak with multiple client SSL profiles. |
464801-3 | 3-Major | | Intermittent tmm core |
423392-6 | 3-Major | | tcl_platform is no longer in the static:: namespace |
371164-1 | 3-Major | | BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs. |
225634-1 | 3-Major | | The rate class feature does not honor the Burst Size setting. |
598860-4 | 4-Minor | | IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address |
587676-2 | 4-Minor | | SMB monitor fails due to internal configuration issue |
560471-1 | 4-Minor | | Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down |
544033-5 | 4-Minor | K30404012 | ICMP fragmentation request is ignored by BIG-IP |
222034-4 | 4-Minor | | HTTP::respond in LB_FAILED with large header/body might result in truncated response |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
510631-1 | 3-Major | | B4450 L4 No ePVA or L7 throughput lower than expected |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
603598-3 | 2-Critical | | big3d memory under extreme load conditions |
587656-2 | 2-Critical | | GTM auto discovery problem with EHF for ID574052 |
587617-1 | 2-Critical | | While adding GTM server, failure to configure new IP on existing server leads to gtmd core |
615338-2 | 3-Major | | The value returned by "matchregion" in an iRule is inconsistent in some cases. |
613576-1 | 3-Major | | QOS load balancing links display as gray |
613045-7 | 3-Major | | Interaction between GTM and 10.x LTM results in some virtual servers marked down |
607658-1 | 3-Major | | GUI becomes unresponsive when managing GSLB Pool |
589256-1 | 3-Major | | DNSSEC NSEC3 records with different type bitmap for same name. |
588289-1 | 3-Major | | GTM is re-ordering pools when adding pool including order designation |
584623-2 | 3-Major | | Response to -list iRules command gets truncated when dealing with MX type wide IP |
574052-4 | 3-Major | | GTM autoconf can cause high CPU usage for gtmd |
370131-4 | 3-Major | | Loading UCS with low GTM Autoconf Delay drops pool members from config |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
609499-1 | 2-Critical | | Compiled signature collections use more memory than prior versions |
603945-2 | 2-Critical | | BD config update should be considered as config addition in case of update failure |
588087-1 | 2-Critical | | Attack prevention isn't escalating under some conditions in session opening mitigation |
587629-2 | 2-Critical | | IP exceptions may have issues with route domain |
575133-1 | 2-Critical | | asm_config_server_rpc_handler_async.pl SIGSEGV and core |
622386-1 | 3-Major | | Internet Explorer gets blocked when Web Scraping and Proactive Bot Defense are both enabled |
616169 | 3-Major | | ASM Policy Export returns HTML error file |
613396-1 | 3-Major | | Invalid XML Policy Exported for Policies with Metachar Overrides on WebSocket URLs |
611385-1 | 3-Major | | "Learn Explicit Entities" may continue to work as if it is 'Add All Entities' |
609496-2 | 3-Major | | Improved diagnostics in BD config update (bd_agent) added |
608509-1 | 3-Major | | Policy learning is slow under high load |
604923-5 | 3-Major | | REST id for Signatures changes after update |
604612-1 | 3-Major | K20323120 | Modified ASM cookie violation happens after upgrade to 12.1.x★ |
602221-2 | 3-Major | | Wrong parsing of redirect Domain |
584642-1 | 3-Major | | Apply Policy Failure |
584103-2 | 3-Major | | FPS periodic updates (cron) write errors to log |
582683-2 | 3-Major | | xpath parser doesn't reset a namespace hash value between each and every scan |
582133-1 | 3-Major | | Policy builder doesn't enable staging after policy change on "*" entities (file types, URLs, etc.) |
581315-1 | 3-Major | | Selenium detection not blocked |
579917-1 | 3-Major | | User-defined signature set cannot be created/updated with Signature Type = "All" |
579495-1 | 3-Major | | Error when loading Upgrade UCS★ |
521204-2 | 3-Major | | Include default values in XML Policy Export |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
602654-2 | 2-Critical | | TMM crash when using AVR lookups |
602434-1 | 2-Critical | | TMM crash with compressed response |
601056 | 2-Critical | | TCP-Analytics error message not using rate-limit mechanism can halt TMM |
622735 | 3-Major | | TCP Analytics statistics do not list all virtual servers |
618944-1 | 3-Major | | AVR statistics are not saved during the upgrade process |
601035 | 3-Major | | TCP-Analytics can fail to collect all the activity |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618506 | 2-Critical | TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual. | |
618324-1 | 2-Critical | Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor | |
592868-3 | 2-Critical | Rewrite may crash processing HTML tag with HTML entity in attribute value | |
591117-3 | 2-Critical | APM ACL construction may cause TMM to core if TMM is out of memory | |
569563-3 | 2-Critical | Sockets resource leak after loading complex policy | |
619250-1 | 3-Major | Returning to main menu from "RSS Feed" breaks ribbon | |
617187-1 | 3-Major | APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate | |
614891-2 | 3-Major | Routing table doesn't get updated when EDGE client roams among wireless networks | |
613613-2 | 3-Major | Incorrect handling of form that contains a tag with id=action | |
611922-1 | 3-Major | Policy sync fails with policy that includes custom CA Bundle. | |
611240-3 | 3-Major | Import of config with securid might fail | |
610224-3 | 3-Major | APM client may fetch expired certificate when a valid and an expired certificate co-exist | |
608941-1 | 3-Major | AAA RADIUS system authentication fails on IPv6 network | |
604767-1 | 3-Major | Importing SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object. | |
601905-1 | 3-Major | POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server | |
600119-3 | 3-Major | DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions | |
598981-3 | 3-Major | K06913155 | APM ACL does not get enforced all the time under certain conditions |
598211-1 | 3-Major | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. | |
597431-2 | 3-Major | VPN establishment may fail when computer wakes up from sleep | |
596116-3 | 3-Major | LDAP Query does not resolve group membership when required attribute(s) are specified | |
595227-1 | 3-Major | SWG Custom Category: unable to have a URL in multiple custom categories | |
594288-1 | 3-Major | Access profile configured with SWG Transparent results in memory leak. | |
592414-4 | 3-Major | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed | |
591840-1 | 3-Major | encryption_key in access config is NULL in whitelist | |
591590-1 | 3-Major | APM policy sync results are not persisted on target devices | |
591268-1 | 3-Major | VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions | |
590820-3 | 3-Major | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. | |
588888-3 | 3-Major | K80124134 | Empty URI rewriting is not done as required by browser. |
586718-1 | 3-Major | Session variable substitutions are logged | |
586006-1 | 3-Major | Failed to retrieve CRLDP list from client certificate if DirName type is present | |
585562-3 | 3-Major | VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari | |
583113-1 | 3-Major | NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event | |
582752-3 | 3-Major | Macrocall might not be topologically connected to the rest of the policy.★ | |
582526-3 | 3-Major | Unable to display and edit huge policies (more than 4000 elements) | |
580893-2 | 3-Major | K08731969 | Support for Single FQDN usage with Citrix Storefront Integration mode |
573643-3 | 3-Major | flash.utils.Proxy functionality is not negotiated | |
572558-1 | 3-Major | Internet Explorer: incorrect handling of document.write() to closed document | |
569309-3 | 3-Major | Clientside HTML parser does not recognize HTML event attributes without value | |
562636-2 | 3-Major | K05489319 | Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases. |
525429-11 | 3-Major | DTLS renegotiation sequence number compatibility | |
455975-1 | 3-Major | Separate MIBs needed for tracking Access Sessions and Connectivity Sessions | |
389484-6 | 3-Major | OAM reporting Access Server down with JDK version 1.6.0_27 or later | |
386517-1 | 3-Major | Multidomain SSO requires a default pool be configured | |
238444-3 | 3-Major | K14219 | An L4 ACL has no effect when a layered virtual server is used. |
605627 | 4-Minor | SELinux denial seen for apmd when it is being shut down. | |
584373-2 | 4-Minor | AD/LDAP resource group mapping table controls are not accessible sometimes | |
573611-1 | 4-Minor | Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs | |
557411-1 | 4-Minor | Full Webtop resources appear overlapping in IE11 compatibility mode |
WAN Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
619757-1 | 2-Critical | iSession causes routing entry to be prematurely freed |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
613297-3 | 2-Critical | Default generic message routing profile settings may core | |
612135-3 | 2-Critical | Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic | |
603397-2 | 2-Critical | tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config | |
596631-2 | 2-Critical | SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later | |
609575-5 | 3-Major | BIG-IP drops ACKs containing no max-forwards header | |
609328-3 | 3-Major | K53447441 | SIP Parser incorrectly parses empty header |
607713-3 | 3-Major | SIP Parser fails on a header with multiple sequential separators inside a quoted string. | |
603019-3 | 3-Major | Inserted SIP VIA branch parameter not unique between INVITE and ACK | |
599521-5 | 3-Major | Persistence entries not added if message is routed via an iRule | |
598854-3 | 3-Major | sipdb tool incorrectly displays persistence records without a pool name | |
598700-6 | 3-Major | MRF SIP Bidirectional Persistence does not work with multiple virtual servers | |
597835-3 | 3-Major | K12228503 | Branch parameter in inserted VIA header not consistent as per spec |
583010-4 | 3-Major | Sending a SIP invite with 'tel' URI fails with a reset | |
578564-4 | 3-Major | ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response | |
573075-4 | 3-Major | ADAPT recursive loop when handling successive iRule events | |
566576-6 | 3-Major | ICAP/OneConnect reuses connection while previous response is in progress | |
401815-1 | 3-Major | BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic | |
585807-2 | 4-Minor | 'ICAP::method <method>' iRule is documented but is read-only | |
561500-4 | 4-Minor | ICAP Parsing improvement |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
612874-1 | 2-Critical | iRule with FLOW_INIT stage execution can cause TMM restart | |
609095-1 | 2-Critical | mcpd memory grows when updating firewall rules | |
622281-1 | 3-Major | Network DoS logging configuration change can cause TMM crash | |
621808-1 | 3-Major | Proactive Bot Defense failing in IE11 with Compatibility View enabled | |
614284-2 | 3-Major | Performance fix to not reset a data structure in the packet receive hotpath. | |
613459-1 | 3-Major | Non-common browsers blocked by Proactive Bot Defense | |
610857-1 | 3-Major | DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running Selenium WebDriver. | |
610830-1 | 3-Major | FingerPrint JavaScript runs slowly and causes a bad user browsing experience when accessing a webapp's first page. | |
608566-1 | 3-Major | The reference count of NW dos log profile in tmm log is incorrect | |
606875-1 | 3-Major | DoS Application - Block requests from suspicious browsers feature causes JavaScript latency for webapp first page | |
605427-1 | 3-Major | TMM may crash when adding and removing virtual servers with security log profiles | |
601924-1 | 3-Major | Selenium detection by port scanning doesn't work even if the ports are open | |
596502-1 | 3-Major | Unable to force Bot Defense action to Allow in iRule | |
594869-4 | 3-Major | AFM can log DoS attack against the internal mpi interface and not the actual interface | |
594075-2 | 3-Major | Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically | |
586070 | 3-Major | 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings | |
585823-1 | 3-Major | FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode) | |
501892-1 | 3-Major | Selenium is not detected by headless mechanism when using client version without server |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
609005-2 | 1-Blocking | Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67). | |
611467-3 | 2-Critical | TMM coredump at dhcpv4_server_set_flow_key(). | |
608009-1 | 2-Critical | Crash: TMM crashing when active system connections are deleted from the CLI | |
603825-2 | 2-Critical | Crash when a Gy update message is received by a debug TMM | |
593070-2 | 2-Critical | TMM may crash with multiple IP addresses per session | |
472860-5 | 2-Critical | RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented. | |
623491-2 | 3-Major | After receiving the first Gx response from the PCRF, the BWC action against a rule is lost. | |
622220-2 | 3-Major | Disruption during manipulation of PEM data with suspected flow irregularity | |
618657-4 | 3-Major | Bogus ICMP unreachable messages in PEM with ipother profile in use | |
617014-3 | 3-Major | tmm core using PEM | |
608742-2 | 3-Major | K48561135 | DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode. |
608591-1 | 3-Major | Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers | |
592070-5 | 3-Major | DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied | |
588456-3 | 3-Major | K60250444 | PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed). |
577863-5 | 3-Major | K56504204 | DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
606066-2 | 2-Critical | LSN_DELETE messages may be lost after HA failover | |
605525-1 | 2-Critical | Deterministic NAT combined with NAT64 may cause a TMM core | |
587106-1 | 2-Critical | Inbound connections are reset prematurely when zombie timeout is configured. | |
602171-1 | 3-Major | TMM may core when remote LSN operations time out |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
617648 | 2-Critical | Surfing with IE8 sometimes results in a script error | |
603234-3 | 2-Critical | Performance Improvements | |
597471 | 2-Critical | Some Alerts are sent with outdated username value | |
617688 | 3-Major | Encryption is not activated unless "real-time encryption" is selected | |
613671-2 | 3-Major | Error in the console when a nonexistent parameter is configured with Encryption and Obfuscation | |
610897-2 | 3-Major | FPS-generated request failure throws an "unspecified error" in old IE. | |
609098-1 | 3-Major | Improve details of AJAX failure | |
604885-1 | 3-Major | Redirect/Route action doesn't work if there is an alert logging iRule | |
601083-1 | 3-Major | FPS Globally Forbidden Words lists freeze in IE 11 | |
588058-3 | 3-Major | False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer | |
609114-1 | 4-Minor | Add the ability to control dropping of alerts by before-load-function | |
605125-2 | 4-Minor | Sometimes, password fields are read-only | |
592274-3 | 4-Minor | RAT-Detection alerts sent with incorrect duration details |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
588405-1 | 3-Major | BADOS - BIG-IP self-protection during (D)DoS attack | |
608826-1 | 4-Minor | Greylist (bad actors list) is not cleared when the attack ends | |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
624370-1 | 2-Critical | tmm crash during classification hitless upgrade if virtual server configuration is modified |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
621401 | 3-Major | When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under load | |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
615824-1 | 3-Major | REST API calls to invalid REST endpoint log level change |
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
613127-3 | CVE-2016-5696 | K46514822 | Linux TCP Stack vulnerability CVE-2016-5696 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
612564 | 1-Blocking | mysql does not start | |
618382-4 | 2-Critical | qkview may cause tmm to restart or may take 30 or more minutes to run | |
614766-1 | 3-Major | lsusb uses unknown ioctl and spams kernel logs | |
612952-1 | 3-Major | PSU FW revision not displayed correctly | |
611352 | 3-Major | K68092141 | Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms |
610307 | 3-Major | Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber | |
609325 | 3-Major | Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported | |
606807-1 | 3-Major | i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error | |
604459-1 | 3-Major | On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up | |
597309-2 | 3-Major | Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms | |
561444-1 | 3-Major | LCD might display incorrect output. | |
521270-1 | 3-Major | Hypervisor might replace vCMP guest SYN-Cookie secrets | |
434573-6 | 3-Major | K25051022 | Tmsh 'show sys hardware' displays Platform ID instead of platform name |
609677-1 | 4-Minor | Dossier warning 14 | |
607857-1 | 4-Minor | Some information displayed in "list net interface" will be stale for interfaces that change bundle state | |
607200-1 | 4-Minor | Switch interfaces may seem up after bcm56xxd goes down | |
602061 | 4-Minor | i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages | |
601309 | 4-Minor | Locator LED no longer persists across reboots | |
592716-1 | 4-Minor | BMC timezone value was not being synchronized by BIG-IP |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
597708-4 | 3-Major | Stats are unavailable and VCMP state and status is incorrect |
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
598294-1 | CVE-2016-7472 | K17119920 | BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472 |
601938-2 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
542097-4 | 2-Critical | Update to RHEL6 kernel | |
601927-1 | 4-Minor | K52180214 | Security hardening of control plane |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
602653-1 | 2-Critical | TMM may crash after updating bot-signatures | |
599769 | 2-Critical | TMM may crash when managing APM clients. | |
605682-2 | 3-Major | With forward proxy enabled, sometimes the client connection will not complete. | |
599054-2 | 3-Major | LTM policies may incorrectly use those of another virtual server |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
585120-1 | 2-Critical | Memory leak in bd under rare scenario |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
596674-2 | 2-Critical | High memory usage when using CS features with gzip HTML responses. | |
575170-2 | 2-Critical | Analytics reports may not identify virtual servers correctly | |
590074-1 | 3-Major | Wrong value for TCP connections closed measure |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
603997 | 2-Critical | Plugin should not inject nonce to CSP header with unsafe-inline | |
594910-1 | 3-Major | FPS flags no cookie when length check fails | |
590608-1 | 3-Major | Alert is not redirected to alert server when unseal fails | |
590578-4 | 3-Major | False positive "URL error" alerts on URLs with GET parameters | |
593355 | 4-Minor | FPS may erroneously flag missing cookie | |
589318-1 | 4-Minor | Clicking 'Customize All' checkbox does not work. |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
603605-1 | 2-Critical | Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active | |
608373-2 | 3-Major | Some iApp LX packages will not be saved during upgrade or UCS save/restore |
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
596488-1 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
579955-6 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
587077-1 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
579220-1 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
570697-1 | CVE-2015-8138 | K71245322 | NTP vulnerability CVE-2015-8138 |
580340-1 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
580313-1 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
579829-7 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
579085-6 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
578570-1 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
569355-1 | CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 | K50118123 | Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 |
565895-1 | CVE-2015-3217 | K17235 | Multiple PCRE Vulnerabilities |
570667-2 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
600811-2 | 3-Major | CATEGORY::lookup command change in behaviour★ |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
606509-4 | 2-Critical | Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★ | |
595605 | 2-Critical | Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★ | |
591119 | 2-Critical | OOM with session messaging may result in TMM crash | |
601076 | 3-Major | Fix watchdog event for accelerated compression request overflow | |
597303 | 3-Major | "tmsh create net trunk" may fail | |
595693 | 3-Major | Incorrect PVA indication on B4450 blade | |
591261 | 3-Major | BIG-IP VPR-B4450N shows "unknown" SNMP Object ID | |
590904-1 | 3-Major | New HA Pair created using serial cable failover only will remain Active/Active | |
589661 | 3-Major | PS2 power supply status incorrect after removal | |
588327 | 3-Major | Observe "err bcm56xxd"-like log messages in /var/log/ltm | |
587735 | 3-Major | False alarm on LCD indicating bad fan | |
587668 | 3-Major | LCD Checkmark button does not always bring up clearing prompt on VIPRION blades. | |
585332 | 3-Major | Virtual Edition network settings aren't pinned correctly on startup★ | |
584670 | 3-Major | Output of tmsh show sys crypto master-key | |
584661 | 3-Major | Last good master key | |
584655 | 3-Major | platform-migrate won't import password protected master-keys from a 10.2.4 UCS file | |
583177 | 3-Major | LCD text truncated by heartbeat icon on VIPRION | |
581945-2 | 3-Major | Device-group 'datasync-global-dg' becomes out-of-sync every hour | |
581811 | 3-Major | The blade alarm LED may not reflect the warning that non F5 optics is used. | |
579529 | 3-Major | Stats file descriptors kept open in spawned child processes | |
578064 | 3-Major | tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blades | |
578036-1 | 3-Major | Incorrect crontab can cause a large number of email alerts | |
573584 | 3-Major | CPLD update success logs at the same error level as an update failure | |
563592 | 3-Major | Content diagnostics and LCD | |
559655 | 3-Major | Post RMA, system does not display correct platform name regardless of license | |
555039-4 | 3-Major | K24458124 | VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration |
539360 | 3-Major | Firmware update that includes might take over 15 minutes. Do not turn off device. | |
526708 | 3-Major | system_check shows fan=good on removed PSU of 4000 platform | |
433357 | 3-Major | Management NIC speed reported as 'none' | |
400778 | 3-Major | Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete | |
400550 | 3-Major | LCD listener error during shutdown | |
587780 | 4-Minor | warning: HSBe2 XLMAC initial recovery failed after 11 retries. | |
478986 | 4-Minor | Powered down DC PSU is treated as not-present | |
418009 | 5-Cosmetic | Hardware data display inaccuracies |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
603700 | 2-Critical | tmm core on multiple SSL::disable calls | |
598052-1 | 2-Critical | SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails | |
591139 | 2-Critical | TMM QAT segfault after zlib/QAT compression conflation. | |
585654 | 2-Critical | Enhanced implementation of AES in Common Criteria mode | |
579953 | 2-Critical | Updated the list of Common Criteria ciphersuites | |
584926-1 | 3-Major | Accelerated compression segfault when devices are all in error state. | |
566342 | 3-Major | Cannot set 10T-FD or 10T-HD on management port |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
599803 | 1-Blocking | TMM accelerated compression incorrectly destroying in-flight contexts. | |
588879-2 | 2-Critical | apmd crash under rare conditions with LDAP |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
581824-2 | 3-Major | "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
588049-1 | 2-Critical | Improve detection of browser capabilities | |
585352-2 | 2-Critical | bruteForce record selfLink gets corrupted by change to brute force settings in GUI | |
585054-1 | 2-Critical | BIG-IP imports delay violations incorrectly, causing wrong policy enforcement | |
583686-2 | 3-Major | High ASCII meta-characters can be disallowed on UTF-8 policy via XML import | |
581991-1 | 3-Major | Logging filter for remote loggers doesn't work correctly with more than one logging profile | |
521370-1 | 3-Major | Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8 | |
518201-4 | 3-Major | ASM policy creation fails with after upgrading |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
587419-1 | 3-Major | TMM may restart when SAML SLO is performed after APM session is closed | |
585442-2 | 3-Major | Provisioning APM to "none" creates a core file |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
596809-1 | 3-Major | It is possible to create ssh rules with blank space for auth-info | |
593925-1 | 3-Major | ssh profile should not contain rules that begin and end with spaces (cannot be deleted) | |
593696-1 | 3-Major | Sync fails when deleting an ssh profile |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
584921-1 | 2-Critical | Inbound connections fail to keep port block alive |
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
600662-9 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
599168-7 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
598983-7 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
580596-1 | CVE-2013-0169 CVE-2016-6907 | K14190 K39508724 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
604211-1 | 2-Critical | K72931250 | License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★ |
600859-2 | 2-Critical | Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★ | |
599033-5 | 2-Critical | Traffic directed to incorrect instance after network partition is resolved | |
595394-3 | 2-Critical | Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★ | |
606110-2 | 3-Major | BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets. | |
596814-4 | 3-Major | HA Failover fails in certain valid AWS configurations | |
596603-2 | 3-Major | AWS: BIG-IP VE doesn't work with c4.8xlarge instance type. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
600357-2 | 3-Major | bd crash when asm policy is removed from virtual during specific configuration change |
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
569467-5 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
591806-8 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
591918-2 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
591908-2 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
591894-2 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
591881-1 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
583631-2 | 1-Blocking | ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers. | |
590993 | 3-Major | Unable to load configs from /usr/libexec/aws/. | |
576478 | 3-Major | Enable support for the Purpose-Built DDoS Hybrid Defender Platform | |
544477 | 3-Major | New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
591039 | 2-Critical | DHCP lease is saved on the Custom AMI used for auto-scaling VE | |
590779 | 2-Critical | REST API: log profile in JSON response does not include the partition but needs to | |
588140 | 2-Critical | Pool licensing fails in some KVM/OpenStack environments | |
587791-1 | 2-Critical | Set execute permission on /var/lib/waagent | |
565137 | 2-Critical | K12372003 | Pool licensing fails in some KVM/OpenStack environments. |
554713-2 | 2-Critical | Deployment failed: Failed submitting iControl REST transaction | |
592363 | 3-Major | Remove debug output during first boot of VE | |
592354 | 3-Major | Raw sockets are not enabled on Cloud platforms |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
592699-3 | 2-Critical | Performance of IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP | |
594302-1 | 3-Major | Connection hangs when processing large compressed responses from server | |
592854-1 | 3-Major | Protocol version set incorrectly on serverssl renegotiation | |
592682-1 | 3-Major | TCP: connections may stall or be dropped | |
531979-6 | 3-Major | SSL version in the record layer of ClientHello is not set to be the lowest supported version. |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
582629-1 | 2-Critical | User Sessions lookups are not cleared, session stats show marked as invalid |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
590601-2 | 3-Major | BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed | |
590428-1 | 3-Major | The "ACCESS::session create" iRule command does not work | |
590345-1 | 3-Major | ACCESS policy running iRule event agent intermittently hangs | |
585905-1 | 3-Major | Citrix Storefront integration mode with pass-through authentication fails | |
581834-5 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc. | |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
588399-1 | 3-Major | BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated | |
582374-1 | 3-Major | Multiple 'Loading state for virtual server' messages in admd.log | |
569121-1 | 3-Major | Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low | |
547053-1 | 4-Minor | Bad actor quarantining |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
590795-1 | 2-Critical | tmm crash when loading default signatures or updating classification signature★ |
Cumulative fix details for BIG-IP v12.1.3.4 that are included in this release
711547 : Update cipher support for Common Criteria compliance
Component: TMOS
Symptoms:
Default cipher selection may not be compliant with Common Criteria requirements. Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Conditions:
Common Criteria mode active
Impact:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Workaround:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Fix:
Improved Common Criteria compliance in default cipher strings.
710424-3 : Possible SIGSEGV in GTMD when GTM persistence is enabled.
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.
Conditions:
GTM persistence is enabled.
Impact:
GTMD may occasionally restart.
Workaround:
Disable GTM persistence.
Fix:
GTMD will no longer crash and restart when persistence is enabled.
710211 : Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
Component: Access Policy Manager
Symptoms:
Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. The system posts a message similar to the following:
Unable to execute transaction because of: 01071203:3: Caption (XYZ1) of the rule in macrocall (/Common/abc_macro) must be identical to the caption (XYZ2) of terminalout.
Conditions:
-- Using Access Policy.
-- Policy includes one or more macros.
-- There is a macrocall on one of the macros.
-- You attempt to add a new terminal to that macro.
Impact:
Cannot edit macro terminals.
Workaround:
None.
Fix:
Can now edit Terminals of Macro if one or more Macrocalls point to a given Macro.
708054-3 : Web Acceleration: TMM may crash on very large HTML files with conditional comments
Component: TMOS
Symptoms:
In some cases the Web Acceleration feature does not handle a large HTML file containing malformed conditional comments. TMM may crash while processing such a file if a Web Acceleration profile is attached to the virtual server.
Conditions:
- HTML file with conditional comments inside:
<!--[if condition...]> ... <![endif]-->
- The size of the "condition" in the pattern above is comparable to the RAM size of the BIG-IP system, i.e., ~8-10 GB.
Impact:
TMM crash interrupts all active sessions.
Workaround:
There is no workaround at this time.
Fix:
The Web Acceleration feature now handles long HTML conditional comments correctly.
707675 : FQDN nodes or pool members flap when DNS response received
Component: Local Traffic Manager
Symptoms:
When an LTM pool is configured with FQDN nodes or pool members, the LTM pool and associated virtual server(s) may transition from an UP to DOWN state and back over a period of a few seconds.
Such an event is accompanied by log messages similar to the following:
-- notice mcpd[#]: 01071682:5: SNMP_TRAP: Virtual /Common/vs_test has become unavailable
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from GREEN to RED.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
-- err mcpd[#]: 01020066:3: The requested Pool Member (/Common/Test_Pool /Common/test-dummy.com-12.34.56.78 443) already exists in partition Common.
-- notice bigd[##]: 01060144:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 session status enabled by monitor
-- notice bigd[##]: 01060145:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 monitor status up. [ /Common/mon_test_https: UP ] [ was checking for 0hr:0min:2sec ]
-- notice mcpd[#]: 01071681:5: SNMP_TRAP: Virtual /Common/vs_test has become available
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from RED to GREEN.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.
This symptom repeats each time a DNS query is performed to resolve the FQDN node/pool-member name to its IP addresses, based on the 'interval' value configured for the FQDN node.
This symptom occurs only when the 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.
Conditions:
-- LTM pool is configured with FQDN nodes or pool members.
-- The 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.
Impact:
LTM pool and virtual server are briefly and periodically marked DOWN. Traffic may be impacted.
Workaround:
Either of the following methods can be used to work around this issue:
-- Configure static IP addresses instead of FQDN nodes/pool-members.
-- Set the 'autopopulate' value to 'disabled' for the FQDN node/pool-member, if possible (that is, if only one IP address is required/expected to be returned for the FQDN name, which means that the 'autopopulate' feature of FQDN nodes/pool-members is not required).
Fix:
FQDN node/pool-member and corresponding pool and virtual server are no longer briefly marked DOWN when the DNS server is queried to resolve the FQDN name, with the 'autopopulate' feature enabled for the FQDN node/pool-member. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
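The flapping described above shows up in /var/log/ltm as a DOWN transition followed by an UP transition a few seconds later for the same virtual address, repeating on the FQDN node's resolution interval. The following detector is an added example, not part of the release note or of BIG-IP: it parses the 010719e8 status-change message quoted above and reports every DOWN/UP cycle that completed within a short window. The log lines it runs on are constructed to mirror that message; the hostname, pid, timestamps and the assumed log year are not from the page.

```python
"""Detect virtual-address DOWN/UP flapping in BIG-IP /var/log/ltm lines.

Added example, not from the release note. The sample lines below are
constructed to mirror mcpd message 010719e8 quoted in the note; the
hostname, pid and timestamps are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the mcpd "monitor status changed" message quoted in the release note.
STATUS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ notice mcpd\[\d+\]: "
    r"010719e8:5: Virtual Address (?P<obj>\S+) monitor status changed "
    r"from (?P<old>UP|DOWN) to (?P<new>UP|DOWN)\.$"
)


def parse_ts(text, year=2018):
    # syslog timestamps carry no year; an assumed one is enough for ordering
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_flaps(lines, max_down_seconds=10):
    """Return {virtual_address: [seconds_down, ...]} for every DOWN->UP cycle
    that completed within max_down_seconds. Long outages are not flaps and
    are ignored; a DOWN with no later UP is still pending and not reported."""
    went_down = {}
    flaps = defaultdict(list)
    for line in lines:
        m = STATUS_RE.match(line)
        if not m:
            continue
        ts, obj = parse_ts(m["ts"]), m["obj"]
        if m["new"] == "DOWN":
            went_down[obj] = ts
        elif obj in went_down:
            down_for = (ts - went_down.pop(obj)).total_seconds()
            if down_for <= max_down_seconds:
                flaps[obj].append(down_for)
    return dict(flaps)


# Constructed sample: one address flaps twice, another has a genuine outage.
SAMPLE_LOG = """\
Mar  1 10:00:00 bigip1 notice mcpd[4321]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
Mar  1 10:00:03 bigip1 notice mcpd[4321]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.
Mar  1 10:05:00 bigip1 notice mcpd[4321]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
Mar  1 10:05:02 bigip1 notice mcpd[4321]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.
Mar  1 10:06:00 bigip1 notice mcpd[4321]: 010719e8:5: Virtual Address /Common/10.0.0.5 monitor status changed from UP to DOWN.
Mar  1 10:30:00 bigip1 notice mcpd[4321]: 010719e8:5: Virtual Address /Common/10.0.0.5 monitor status changed from DOWN to UP.
""".splitlines()

if __name__ == "__main__":
    for obj, cycles in find_flaps(SAMPLE_LOG).items():
        print(f"{obj}: {len(cycles)} short DOWN/UP cycle(s), durations {cycles}")
```

Run it against a real /var/log/ltm by reading the file into `find_flaps`; a virtual address that appears with several short cycles spaced by the FQDN node's 'interval' is the signature of this issue, while a single long outage is not.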
707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Component: TMOS
Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; however, to exploit this vulnerability an attacker must already be able to run arbitrary code on the system. Good access controls and keeping the system up to date with security fixes mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
706631 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
Component: Local Traffic Manager
Symptoms:
According to RFC 2818, if the certificate sent by the TLS server has a valid Common Name but its Subject Alternative Name does not match the authenticate-name configured in the server-ssl profile, the connection should be terminated.
Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.
-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.
-- Common Criteria mode licensed and configured.
Impact:
A TLS connection succeeds which should fail.
Workaround:
There is no workaround at this time.
Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.
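The rule at issue is RFC 2818 section 3.1: when a certificate carries any dNSName Subject Alternative Name, the identity check MUST use the SAN and the Common Name is ignored; the CN is consulted only when no SAN is present. The block below is an added example, not BIG-IP code, that puts the lenient behaviour described in this entry next to the strict one. It assumes the caller has already extracted the CN and SAN dNSName strings from the certificate (for instance with the `cryptography` package); no certificate parsing is shown.

```python
"""RFC 2818 server-identity check: SAN takes precedence over CN.

Added example, not BIG-IP code. Models the lenient behaviour described in
the release note beside the expected strict behaviour. Certificate fields
are passed in as already-parsed strings (assumption: extracted elsewhere).
"""


def _dns_match(pattern, hostname):
    """Case-insensitive comparison; a single leftmost '*' label matches
    exactly one label and may not be the whole name (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def strict_match(expected, san_dns, common_name):
    """RFC 2818 section 3.1: if any dNSName SAN is present it MUST be used
    and the CN is ignored; the CN counts only when the SAN list is empty."""
    if san_dns:
        return any(_dns_match(name, expected) for name in san_dns)
    return common_name is not None and _dns_match(common_name, expected)


def lenient_match(expected, san_dns, common_name):
    """The behaviour this entry describes as wrong: accept the server if
    either the SAN or the CN matches, so a good CN masks a mismatched SAN."""
    if any(_dns_match(name, expected) for name in san_dns):
        return True
    return common_name is not None and _dns_match(common_name, expected)


if __name__ == "__main__":
    # Constructed certificate fields: CN matches, SAN does not.
    expected = "www.example.com"
    san, cn = ["api.example.com"], "www.example.com"
    print("strict :", strict_match(expected, san, cn))    # False, connection must fail
    print("lenient:", lenient_match(expected, san, cn))   # True, the pre-fix outcome
```

The first case in the usage is exactly the condition in this entry: a certificate whose CN equals the configured authenticate-name but whose SAN names a different host. A checker that consults the CN at all once a SAN is present lets that connection through.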
706305-2 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
Component: TMOS
Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.
Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.
Impact:
Inability for the unit to use BGP
Workaround:
Disabling extended-asn-cap, or not announcing multiple overlapping aggregate addresses, may work around this issue.
Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled
706086-1 : PAM RADIUS authentication subsystem hardening
Component: TMOS
Symptoms:
The RADIUS component of the PAM authentication subsystem does not follow current best practices.
Conditions:
RADIUS authentication enabled
Impact:
TMM may crash, leading to a failover event
Fix:
The RADIUS component of the PAM authentication subsystem now follows best practices.
705794-1 : Under certain circumstances a stale http2 stream can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
An HTTP/2 stream is overlooked when an HTTP/2 flow is cleaned up.
Conditions:
The only known condition is that closing_stream is not empty; the exact triggering conditions are unclear.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
HTTP2 flows are properly cleaned up to prevent a tmm crash.
705611-1 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
Component: Local Traffic Manager
Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.
Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.
Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.
704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
Component: TMOS
Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.
Conditions:
This applies to remote authentication for the control plane, not APM.
Impact:
Login may be impacted.
Workaround:
There is no workaround at this time.
704733-2 : NAS-IP-Address will be sent with the bytes backwards
Component: TMOS
Symptoms:
The NAS-IP-Address will have the address of the local device sent with the bytes backwards (78.56.30.172 where 172.30.56.78 would be expected).
Conditions:
This affects IPv4 addresses only.
Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.
Workaround:
There is no workaround at this time.
Fix:
This has been corrected.
704666-2 : memory corruption can occur when using certain certificates
Component: Local Traffic Manager
Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.
Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.
Impact:
TMM could crash.
Workaround:
Do not use certificates with extremely long common names.
Fix:
A length check has been added to avoid corruption when using extremely long common names.
704580-3 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
Component: Access Policy Manager
Symptoms:
Under certain conditions apmd service may restart when processing response from SAML IdP.
Conditions:
BIG-IP is configured as SAML SP. BIG-IP is processing SAML message from IdP
Impact:
Users are temporarily unable to authenticate against the BIG-IP system until the apmd service starts up.
Workaround:
There is no workaround at this time.
Fix:
apmd service will no longer restart when processing messages from IdP.
704490 : CVE-2017-5754 (Meltdown)
Solution Article: K91229003
704483 : CVE-2017-5753 (Spectre Variant 1)
Solution Article: K91229003
704073-3 : Repeated "bad transition" OOPS logging may appear in /var/log/ltm and /var/log/tmm
Component: Local Traffic Manager
Symptoms:
"bad transition" OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.
Conditions:
No definitive user-discernible conditions. Use of SSL functionality may cause this form of logging.
Impact:
Log pollution and potential for performance degradation.
Workaround:
The logging can be suppressed via 'tmsh modify sys db tmm.oops value silent'
Fix:
The "bad transition" OOPS logging has been demoted to debug builds only.
703984-2 : Machine cert agent does not follow best practices
Component: Access Policy Manager
Symptoms:
Machine cert agent does not follow best practices.
Conditions:
macOS APM client
Impact:
macOS machine cert agent does not follow best practices.
Workaround:
None.
Fix:
The macOS machine cert agent now follows best practices.
703869-1 : Waagent updated to 2.2.21
Component: TMOS
Symptoms:
Microsoft updates waagent through an open-source process, but those updates are not compatible with BIG-IP software, so waagent cannot be upgraded outside of BIG-IP releases. Without this update, Microsoft will not support older BIG-IP releases in its environment.
Conditions:
Using Microsoft Azure.
Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.
Workaround:
None.
Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.
703761-1 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode
Component: TMOS
Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.
Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.
Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.
Workaround:
There is no workaround at this time.
Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.
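Whether or not sshd refuses ssh-dss, an administrator validating CC mode will want to know which authorized_keys entries are DSA keys. The block below is an added example, not F5 code: an audit that parses lines in the sshd(8) AUTHORIZED_KEYS FILE FORMAT, including an options prefix with quoted commas, and reports DSA keys by both the declared type and the type string embedded at the start of the key blob (the embedded string is what sshd actually trusts). The file location on a BIG-IP system is not stated here and is left to the caller; the sample entries are constructed and contain no usable key material.

```python
"""Find DSA (ssh-dss) entries in an OpenSSH authorized_keys file.

Added example, not F5 code. Parsing follows the sshd(8) AUTHORIZED_KEYS
FILE FORMAT; where the file lives on a BIG-IP system is left to the caller.
Sample keys are constructed and are not real keys.
"""
import base64
import struct

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _strip_options(line):
    """Skip the optional options field; commas and spaces inside double
    quotes (e.g. command="...") do not end it."""
    in_quote = False
    for i, c in enumerate(line):
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            return line[i:].lstrip()
    return ""


def parse_authorized_key(line):
    """Return (declared_type, embedded_type, comment), or None for blank and
    comment lines. embedded_type is the length-prefixed string at the start
    of the base64 blob; a mismatch with declared_type is suspicious."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 2)
    if fields[0] not in KEY_TYPES:          # first field is options, not a key type
        fields = _strip_options(line).split(None, 2)
    if len(fields) < 2:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    declared, blob = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    raw = base64.b64decode(blob, validate=True)
    (type_len,) = struct.unpack_from("!I", raw, 0)
    embedded = raw[4:4 + type_len].decode("ascii")
    return declared, embedded, comment


def find_dsa_keys(text):
    """Return the comment (or declared type if no comment) of every entry
    that is DSA by either its declared or its embedded type."""
    hits = []
    for line in text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed and "ssh-dss" in parsed[:2]:
            hits.append(parsed[2] or parsed[0])
    return hits


def _fake_blob(key_type):
    # Constructed key material: correct type prefix, dummy body, NOT a usable key.
    body = struct.pack("!I", len(key_type)) + key_type.encode() + b"\x00\x00\x00\x01\x05"
    return base64.b64encode(body).decode()


SAMPLE_FILE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {_fake_blob('ssh-rsa')} ops@example",
    'command="/bin/false",from="10.0.0.0/8,192.168.0.0/16" '
    f"ssh-dss {_fake_blob('ssh-dss')} legacy@example",
    f"ssh-ed25519 {_fake_blob('ssh-ed25519')} ci@example",
])

if __name__ == "__main__":
    print("DSA entries:", find_dsa_keys(SAMPLE_FILE))
```

Run `find_dsa_keys` over each authorized_keys file on the system; in CC mode every entry it reports is one that should no longer be able to log in after this fix, and is a candidate for removal regardless.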
703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
Component: Access Policy Manager
Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.
Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.
Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.
Workaround:
None.
Fix:
System now provides valid data to Citrix Receiver for Android client.
702946-2 : Added option to reset staging period for signatures
Component: Application Security Manager
Symptoms:
When a staging period has started but no traffic has passed through the security policy, you might want to reset the staging period once traffic starts, but there is no option to do so.
Conditions:
Staging enabled for signatures in policy.
Impact:
The system may suggest enforcing a signature before any traffic has been able to influence that decision.
Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.
Note: Apply policy is required between actions.
Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.
702738 : Tmm might crash activating new blob when changing firewall rules
Solution Article: K32181540
Component: Advanced Firewall Manager
Symptoms:
TMM crashes with a core when changing firewall rules. TMM can enter a crash loop, crashing again after each restart.
Conditions:
Updating, removing or adding firewall rules.
Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.
Impact:
Data traffic processing stops.
Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).
Option B
Modify all the rules simultaneously.
For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }
4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.
Fix:
TMM no longer crashes when changing firewall rules.
702490-4 : Windows Credential Reuse feature may not work
Component: Access Policy Manager
Symptoms:
The Windows Credential Reuse feature may not work, forcing the user to enter credentials in the EdgeClient login window (as well as at the Windows logon screen) instead of getting Single Sign-On.
The following entries appear in logterminal.txt when the issue occurs:
<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted
Conditions:
A specific combination of versions of the F5 Credential Manager Service and EdgeClient is used on the Windows operating system, and the Reuse Credential option is enabled in the Connectivity Profile.
Impact:
The user has to type credentials in the EdgeClient login window instead of logging in without being prompted.
Workaround:
There is no workaround at this time.
Fix:
The issue causing feature not to work has been fixed.
702487-1 : AD/LDAP admins with spaces in names are not supported
Component: Access Policy Manager
Symptoms:
If an administrator is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE) and import/export/copy/delete operations fail, and the system posts an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.
Note: Names containing spaces are not supported on BIG-IP systems.
Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.
Impact:
VPE, import/export/copy/delete do not work.
Workaround:
There is no workaround other than to not use admin names containing spaces.
Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.
702278-3 : Potential XSS security exposure on APM logon page.
Component: Access Policy Manager
Symptoms:
Potential XSS security exposure on APM logon page.
Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.
Impact:
Potential XSS security exposure.
Workaround:
1. Using the APM Advanced Customization UI, remove the setOrigUriLink(); call in logon.inc from the following JS function:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }
    setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
    setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
    // ===> REMOVE THIS ONE setOrigUriLink();
----
Fix:
Potential security exposure has been removed from APM logon page.
701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
Component: Application Security Manager
Symptoms:
The file /ts/var/install/recovery_db/conf.tar.gz is saved unnecessarily during a UCS file save and consumes /var disk space.
Conditions:
UCS file is saved.
Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.
Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.gz.
Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.
701626-1 : GUI resets custom Certificate Key Chain in child client SSL profile
Component: TMOS
Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).
Conditions:
This happens in the following scenario:
1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.
Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.
Workaround:
To work around this issue in the GUI, select the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This sets inherit-certkeychain to false, preventing the issue from occurring.
You can also use tmsh to update the parent profile settings to avoid this issue.
Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.
701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled
Component: Local Traffic Manager
Symptoms:
Within an LTM pool containing both FQDN members and members configured with static IP addresses; a statically-configured member that had been disabled (session = user-disabled) and then re-enabled (session = user-enabled) may become disabled again after making other changes affecting the state of other FQDN members of the pool.
Conditions:
This may occur under the following conditions:
- An LTM pool containing a mix of FQDN and statically-configured members.
- A statically-configured pool member is disabled (session = user-disabled) and then re-enabled (session = user-enabled).
- Other changes occur which affect the availability of FQDN pool members.
For example, if a route to an FQDN pool member is deleted and recreated, a previously-disabled statically-configured member may revert to a disabled state.
Depending on circumstances, the issue may only occur once after BIG-IP, TMM, bigd, or a related daemon restarts.
Impact:
A pool member may be unexpectedly disabled after being re-enabled, and thus would not receive traffic.
Workaround:
It may be possible to work around this issue by disabling and re-enabling the statically-configured pool member again.
Fix:
Statically-configured pool members of a pool that also contains FQDN members remain enabled after being manually disabled then re-enabled. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
701359-2 : BIND vulnerability CVE-2017-3145
Solution Article: K08613310
701327-1 : failed configuration deletion may cause unwanted bd exit
Component: Application Security Manager
Symptoms:
Immediately after the deletion of a configuration fails, bd exits.
Conditions:
When deleting a configuration fails.
Impact:
Unwanted bd restart.
Workaround:
None.
Fix:
bd will exit upon a failed configuration only when configured to exit on failure.
701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
Component: TMOS
Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.
The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.
Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.
Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.
Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.
Workaround:
There is no workaround.
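Three entries in this release concern the same RADIUS attribute: NAS-IP-Address (attribute type 4 in RFC 2865) sent as 127.0.0.1 (701249-2 and 704804-2) and sent with its IPv4 bytes in reverse order (704733-2). The block below is an added example, not F5 code: it encodes the attribute correctly and in the reversed form the note describes, decodes a RADIUS attribute area, and applies the check that a server operator who gates logins on NAS-IP-Address would run. The addresses, including the page's 172.30.56.78, are used as constructed sample values.

```python
"""RFC 2865 NAS-IP-Address (attribute type 4) encoding and a server-side check.

Added example, not F5 code. Reproduces the two defects in the release
notes (loopback NAS-IP-Address, IPv4 bytes in reverse order) and the
check a RADIUS server operator could apply. Addresses are constructed.
"""
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RFC 2865 section 5.4: type(1) length(1)=6 value(4)


def encode_nas_ip(addr, reversed_bytes=False):
    """Return the attribute TLV. reversed_bytes=True emits the value in
    host order on a little-endian box, the bug described in 704733-2."""
    packed = ipaddress.IPv4Address(addr).packed      # network byte order
    if reversed_bytes:
        packed = packed[::-1]
    return struct.pack("!BB", NAS_IP_ADDRESS, 6) + packed


def decode_attributes(blob):
    """Split a RADIUS attribute area into (type, value) pairs, refusing
    lengths that would run past the buffer."""
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = struct.unpack_from("!BB", blob, i)
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def check_nas_ip(blob, expected_nas):
    """What a strict server does: require NAS-IP-Address, reject loopback,
    and require it to equal the NAS the request is expected from.
    Returns (ok, reason)."""
    values = [v for t, v in decode_attributes(blob) if t == NAS_IP_ADDRESS]
    if not values:
        return False, "NAS-IP-Address absent"
    if len(values[0]) != 4:
        return False, "NAS-IP-Address has wrong length"
    nas = ipaddress.IPv4Address(values[0])
    if nas.is_loopback:
        return False, f"loopback NAS-IP-Address {nas}"
    if nas != ipaddress.IPv4Address(expected_nas):
        return False, f"NAS-IP-Address {nas} != {expected_nas}"
    return True, str(nas)


if __name__ == "__main__":
    mgmt = "172.30.56.78"   # constructed management address of the NAS
    print(check_nas_ip(encode_nas_ip(mgmt), mgmt))
    print(check_nas_ip(encode_nas_ip(mgmt, reversed_bytes=True), mgmt))
    print(check_nas_ip(encode_nas_ip("127.0.0.1"), mgmt))
```

The second call shows why the reversed encoding fails the server-side check: 172.30.56.78 arrives as 78.56.30.172, exactly the mismatch quoted in 704733-2, and the third shows why a server that keys its policy on NAS-IP-Address rejects every request that carries 127.0.0.1.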
701202-1 : SSL memory corruption
Component: Local Traffic Manager
Symptoms:
In some instances random memory can be corrupted.
Conditions:
SSL is configured (either client-ssl or server-ssl) and the crypto operations are offloaded - Cavium Card, Intel Card, FIPS box, etc.
Impact:
Random memory can be overwritten yielding unpredictable results.
Workaround:
None
Fix:
The memory corruption issue has been fixed.
700862-2 : tmm SIGFPE 'valid node'
Solution Article: K15130240
Component: Local Traffic Manager
Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.
Conditions:
The host is unreachable.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when the host is unreachable.
700783-3 : Machine certificate check does not check against all FQDN hostnames
Component: Access Policy Manager
Symptoms:
A macOS machine can be on multiple networks simultaneously, so it might have multiple hostnames. The machine certificate check does not check against all FQDN hostnames, which causes failures in certain scenarios.
Conditions:
-- macOS configuration with multiple hostnames.
-- The 'match FQDN with subject alt name' option is specified for machine certificate check.
Impact:
Machine cert check might fail.
Workaround:
No workaround at this time.
Fix:
Previously, with a macOS system that had multiple hostnames, the machine certificate check could not check against all hostnames, causing failures in some scenarios. Now, the machine certificate check compares all hostnames on macOS devices.
700780-4 : F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
Component: Access Policy Manager
Symptoms:
The F5 DNS Relay Proxy service does not support DNS over TCP. If the client resolver decides to use TCP for a DNS query, that packet is not re-routed/proxied by the DNS Relay Proxy service, so the name may be resolved by an unintended DNS server (whichever one the operating system routes the query to).
Normally, when a client receives a DNS response with the TC flag set, it retries over TCP. Clearing the TC flag keeps the client resolver from using TCP at all, preventing DNS packet leakage.
Conditions:
-- DNS server responds with TC flag set in DNS response packet.
-- Only Windows clients are affected.
Impact:
DNS resolution may not work as designed, as the system might send a packet to an incorrect DNS server.
Workaround:
None.
Fix:
Now F5 DNS Relay Proxy service clears TC flag in all proxied packets, preventing client DNS resolvers from using TCP. An appropriate log entry is printed into the service's log.
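The TC flag is bit 9 of the 16-bit flags word in the RFC 1035 header, so clearing it is a two-byte rewrite at offset 2 of the response. The block below is an added example, not F5 code, showing that rewrite together with the log line the note mentions; the response packet it operates on is constructed with a minimal builder. One caveat the practitioner should keep in mind: a response with TC set is by definition incomplete, so a client that is prevented from retrying over TCP will use whatever partial answer fits in the UDP reply. That is the trade-off the note accepts in exchange for keeping every query on the proxied path.

```python
"""Clear the TC (truncated) bit in a DNS response header.

Added example, not F5 code: mirrors what the release note says the DNS
Relay Proxy now does, using the RFC 1035 header layout. Packets are
constructed by build_response below.
"""
import struct

# RFC 1035 section 4.1.1 flags word: QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z RCODE(3-0)
TC_BIT = 0x0200
HEADER_LEN = 12


def header_flags(packet):
    return struct.unpack_from("!H", packet, 2)[0]


def clear_tc(packet, log=print):
    """Return packet with TC cleared, logging the action as the note says the
    service does. Packets without TC are returned unchanged. The transaction
    ID, all other flags, counts and the body are preserved byte for byte."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a DNS header")
    flags = header_flags(packet)
    if not flags & TC_BIT:
        return packet
    txid = struct.unpack_from("!H", packet, 0)[0]
    log(f"dns-relay: clearing TC flag on response id=0x{txid:04x}")
    return packet[:2] + struct.pack("!H", (flags & ~TC_BIT) & 0xFFFF) + packet[4:]


def build_response(txid, qname, truncated, ancount=0):
    """Constructed minimal response: header plus the echoed question (A/IN),
    no resource records. ancount is set as the server would set it."""
    flags = 0x8180 | (TC_BIT if truncated else 0)       # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode()
                        for label in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


if __name__ == "__main__":
    pkt = build_response(0x1234, "example.com", truncated=True)
    out = clear_tc(pkt)
    print(f"flags before 0x{header_flags(pkt):04x} after 0x{header_flags(out):04x}")
```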
700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
Component: Application Security Manager
Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.
Note: To view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug', enable 'device discovery' on Chrome on the desktop, and view the console from there.
Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.
Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.
The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extension. However, Chrome on Android/iOS does not support 'chrome-extension'.
Workaround:
Disable Device ID in ASM policy.
Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.
700556-2 : TMM may crash when processing WebSockets data
Solution Article: K11718033
700527-1 : cmp-hash change can hang iRule DNS lookup
Component: Global Traffic Manager (DNS)
Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.
Conditions:
An iRule must be in the middle of a call to RESOLV::lookup when a vlan cmp-hash configuration is changed.
Impact:
The iRule call can hang repeatedly.
Workaround:
Restart the TMM. This will interrupt client traffic.
Fix:
The iRule connection is re-established when the pending query expires, so subsequent RESOLV::lookup calls no longer hang on that TMM.
700393-2 : Under certain circumstances a stale http2 stream can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
Tmm may crash due to a stale/stalled HTTP2 stream.
Conditions:
http2 profile in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.
700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.
Component: Application Security Manager
Symptoms:
Request is blocked by an ASM policy, but the ASM end user does not see the blocking page with a unique support id for the blocked request.
Conditions:
1. ASM policy Asynchronous JavaScript and XML (AJAX) blocking page enabled.
2. ASM policy is working in blocking mode.
3. ASM policy attached to a virtual server.
4. AJAX request has been sent and blocked.
Impact:
ASM end user has no visual indication that there has been a blocked AJAX request.
Workaround:
None.
Fix:
The system now handles AJAX requests sent via the jQuery framework.
700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
Component: Application Security Manager
Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.
Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.
Impact:
Only the latest 10,000 events are deleted.
Workaround:
No workaround for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.
Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.
699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
Component: Application Security Manager
Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.
Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.
Impact:
ASM crash; system goes offline.
Workaround:
Use either of the following workarounds:
-- Remove remote logger.
-- Have response logging for illegal requests only.
Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.
699455-3 : SAML export does not follow best practices
Component: Access Policy Manager
Symptoms:
Export of SAML data does not follow current best practices
Conditions:
SAML data exported by administrator
Impact:
Administrative request processing does not follow current best practices
Workaround:
None.
Fix:
Update SAML export to follow current best practices
699431 : Possible memory leak in MRF under low memory
Component: Service Provider
Symptoms:
MRF may leak a session db record when a memory allocation fails while a connection is being added to an internal table. In that case the table entry is not cleaned up when the connection closes.
Conditions:
A memory allocation fails while MRF is adding a connection to an internal table.
Impact:
The table entry remains until the system restarts.
Workaround:
There is no workaround at this time.
Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.
699346-2 : NetHSM capacity reduces when handling errors
Component: Local Traffic Manager
Symptoms:
Under certain conditions, NetHSM performance may be reduced while handling errors.
Conditions:
NetHSM enabled.
Impact:
Reduced performance, potentially leading to a failover event.
Fix:
Process errors more efficiently when using NetHSM.
699339-1 : Geolocation upgrade files fail to replicate to secondary blades
Solution Article: K24634702
Component: Global Traffic Manager (DNS)
Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.
Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.
Impact:
Geoip database is not updated to match primary blade.
Workaround:
Use either of the following workarounds:
-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.
-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.
To edit /etc/csyncd.conf:
Merge the following two terms:
monitor dir /shared/GeoIP {...}
monitor dir /shared/GeoIP/v2 {...}
into one term, as follows:
monitor dir /shared/GeoIP {
queue geoip
pull pri2sec
recurse yes
defer no
lnksync yes
md5 no
post "/usr/local/bin/geoip_reload_data"
}
Fix:
Geolocation upgrade files now correctly replicate to secondary blades.
699281 : Version format of hypervisor bundle matches Version format of ISO
Component: TMOS
Symptoms:
F5 recently added a fourth element to its versioning scheme. In the ISO file name, the fourth and fifth elements are separated by a dash instead of a dot. This change ensures that the names of hypervisor bundles also use a dash between the fourth and fifth elements.
Conditions:
Applies to hypervisor bundles (for example ova files for vmware).
Impact:
Version format in names of hypervisor bundles matches the version format of the ISO file.
Workaround:
Version format in names of hypervisor bundles matches version format of ISO file
Fix:
Version format in names of hypervisor bundles matches the version format of the ISO file (a dash is used between the fourth and fifth elements).
699267-1 : LDAP Query may fail to resolve nested groups
Component: Access Policy Manager
Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).
Conditions:
LDAP Query agent is configured in an Access Policy.
The 'Fetch groups to which the user or group belong' option is enabled.
Impact:
LDAP Query agent fails.
Unable to get user identity.
Unable to finalize Access Policy.
Fix:
After the fix, LDAP Query resolves all nested groups as expected, and the session.ldap.last.attr.memberOf attribute contains the user's groups.
699262-2 : FQDN pool member status remains in 'checking' state after full config sync
Component: Local Traffic Manager
Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.
Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:
tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }
Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.
Workaround:
Restart bigd on the affected peer after the config sync.
Fix:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) no longer shows FQDN pool members stuck in the 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
699147 : Hourly billed cloud images are now pre-licensed
Component: TMOS
Symptoms:
Hourly billed images in cloud environments require outbound internet access to the F5 public license server in order to retrieve a license. This causes some sites with strict network access policies to fail to license.
Conditions:
Using hourly billing.
Impact:
Hourly instances do not receive licenses and thus cannot pass traffic without outbound internet access.
Workaround:
Enable outbound internet access when the guest instance is created to allow it to license, then revoke it.
Fix:
Hourly billed cloud images are now pre-licensed and so do not require internet access to receive a license.
699135-2 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.
Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create an iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.
Impact:
tmm cores.
Workaround:
Do not use the host command for wideips of types other than A/AAAA.
698919-1 : Anti virus false positive detection on long XML uploads
Component: Application Security Manager
Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.
Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.
Impact:
Violation is detected where no violation has occurred (false positive violation).
Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.
Note: This workaround will affect the amount of logged data from ASM.
Fix:
Fixed a false positive virus-detected violation related to long XML uploads.
698080-1 : TMM may consume excessive resources when processing with PEM
Solution Article: K54562183
698000-1 : Connections may stop passing traffic after a route update
Solution Article: K04473510
Component: Local Traffic Manager
Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.
Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.
Impact:
Connections may fail after routing updates. New connections will not be affected.
Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.
Fix:
Routing updates no longer interrupt traffic to connections using a pool member to reach the nexthop.
697878 : High crypto request completion time under some workload patterns
Component: TMOS
Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into associated waiting queue. The crypto requests continue to complete, but are significantly delayed.
Conditions:
High crypto usage often in conjunction with high compression usage.
Impact:
Crypto requests can be delayed as long as 1.5 seconds.
Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
tmsh modify sys db crypto.hwacceleration value disable
Fix:
Improve accelerated crypto poll-timing calculation.
697303-3 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
Fix:
BD no longer crashes under these conditions.
696808-3 : Disabling a single pool member removes all GTM persistence records
Solution Article: K35353213
Component: Global Traffic Manager (DNS)
Symptoms:
Disabling a single pool member removes all GTM persistence records.
Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.
Impact:
All GTM persistence records are accidentally cleared.
Workaround:
Set drain-persistent-requests yes.
Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.
696789-2 : PEM Diameter incomplete flow crashes when TCL resumed
Component: Policy Enforcement Manager
Symptoms:
TMM may crash if a PEM Diameter flow is not fully created (for example, it is suspended by an iRule) and the iRule is resumed because of a timeout.
Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.
Impact:
The tmm will restart and all flows will reset.
Fix:
The PEM diameter flow is now created in such a way to prevent any crash by iRule resumed by timeout.
696468 : Active compression requests can become starved from too many queued requests.
Component: TMOS
Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal or higher than 512, and the cur_active remains at zero.
CPU utilization per tmm in this condition may be quite high.
Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.
Impact:
Compression on a per-tmm basis can stop servicing new requests.
Workaround:
Switch to software compression.
Fix:
Soften the restriction so that accumulated contexts with no traffic cannot prevent busy contexts from getting compression time.
696383-2 : PEM Diameter incomplete flow crashes when swept
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.
Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.
Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The PEM diameter flow is now created in such a way to prevent any crash by the sweeper.
696265-3 : BD crash
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
Fix:
Fixed a BD crash scenario.
695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in a potential OOM scenario.
Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM
Impact:
Potential loss of service.
Workaround:
There is no workaround at this time.
Fix:
Freed Diameter messages appropriately.
695901-2 : TMM may crash when processing ProxySSL data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing SSL/TLS data via ProxySSL.
Conditions:
ProxySSL enabled.
Impact:
TMM crash leading to a failover event.
Fix:
TMM processes SSL/TLS data via ProxySSL as expected.
695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes
Solution Article: K30081842
Component: Local Traffic Manager
Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.
Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.
FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.
Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:
... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...
Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.
Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.
Fix:
bigd no longer produces corrupted MCP messages, resulting in nodes and/or pool members remaining in a 'checking' state, with up to 2,000 nodes and/or pool members including FQDN nodes and/or pool members configured. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
694922-4 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device
Impact:
ASM configuration is not correctly synchronized between devices
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic
Fix:
Devices no longer spuriously enter an untrusted state
694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
Component: Policy Enforcement Manager
Symptoms:
TMM crashes
Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.
694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline
Component: TMOS
Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.
Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.
Impact:
Traffic to all other traffic-groups is disrupted for several seconds.
Workaround:
There is no workaround at this time.
Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.
694319-3 : CCA without a request type AVP cannot be tracked in PEM.
Component: Policy Enforcement Manager
Symptoms:
May cause diagnostic issues, because not all CCA messages can be tracked.
Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP
Impact:
May hamper effective diagnostics.
Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.
Fix:
Added a statistics counter to track CCAs that do not carry a request type AVP.
Name of the new counter: cca_unknown_type
694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
Component: Policy Enforcement Manager
Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.
Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.
Impact:
Subscriber sessions stuck in delete pending, resulting in a potential increase in memory consumption over a period of time.
Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.
Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.
694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7
Solution Article: K23565223
694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup
Component: Application Security Manager
Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.
Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).
Impact:
Low and incorrect visibility of signature update details.
Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.
Fix:
Signature updates are now shown correctly for all versions.
693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
Component: Access Policy Manager
Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.
Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.
Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.
Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.
Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.
693312-2 : vCMPd may crash when processing bridged network traffic
Component: TMOS
Symptoms:
Under certain conditions vCMPd may crash while processing bridged network traffic
Conditions:
vCMP active in 'host-only' or 'bridged' mode.
Impact:
vCMPd may crash, resulting in a failure of guest instances on the same host hardware slot.
Workaround:
Deploy guests in isolated mode.
Fix:
vCMPd does not crash when processing bridged network traffic.
693211-3 : CVE-2017-6168
Solution Article: K21905460
692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash
Component: Local Traffic Manager
Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.
Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.
Impact:
TMM restart causes traffic interruption or failover.
Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.
Fix:
TMM no longer crashes with DHCP flow validation.
692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
Component: Global Traffic Manager (DNS)
Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.
Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.
Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.
692307-1 : User with 'operator' role may not be able to view some session variables
Component: Access Policy Manager
Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.
Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.
Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.
Workaround:
Find this data via clicking on the session ID.
Fix:
User with 'operator' role can now view all expected session variables
692123-2 : GET parameter is grayed out if MobileSafe is not licensed
Component: Fraud Protection Services
Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.
Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.
Impact:
In FPS Parameter's list, the GET method is always grayed out.
Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.
Fix:
The GET method is not grayed out if MobileSafe is not licensed.
692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member
Solution Article: K65311501
Component: Local Traffic Manager
Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]
Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.
Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.
Workaround:
None.
Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.
691670-3 : Rare BD crash in a specific scenario
Solution Article: K02515009
Component: Application Security Manager
Symptoms:
BD crash or False reporting of signature ID 200023003.
Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).
Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.
A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.
691504-3 : PEM content insertion in a compressed response may cause a crash.
Solution Article: K54562183
691498-1 : Connection failure during iRule DNS lookup can crash TMM
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes in the DNS response cache periodic sweep.
Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.
Impact:
The TMM cores and automatically restarts. Traffic disrupted while tmm restarts.
Workaround:
No known workaround.
Fix:
The reference counting of the resolver connection was fixed.
691477-1 : ASM standby unit showing future date and high version count for ASM Device Group
Component: Application Security Manager
Symptoms:
Policy builder is changing configuration of standby unit.
Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).
Impact:
Unexpected changes are made to the policy on standby device (CID increment).
Workaround:
Restart pabnagd when switching the device from active to standby (also when a blade is changed from master to non-master):
killall -s SIGHUP pabnagd
Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.
691287-3 : tmm crashes on iRule with pool command after string command
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes when a pool command immediately follows a string command in an iRule, for example:
when DNS_REQUEST {
pool [string tolower "Test.com"]
}
Conditions:
Similar GTM iRule with pool command after string command.
when DNS_REQUEST {
pool [string tolower "Test.com"]
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use a pool command immediately after a string command in an iRule.
Fix:
tmm no longer crashes on iRule with pool command after string command.
691017-1 : Preventing ng_export hangs
Component: Access Policy Manager
Symptoms:
Sometimes ng_export gets stuck while reading tmsh output through the pipe because of buffer issues: export tries to read more data from tmsh while data is lost in the middle of the read operation.
Conditions:
-- ng_export receives tmsh replies through a buffer of constant size x.
-- During the read operation, tmsh returns a buffer of size x minus k, where k is a very small random number (less than 50).
Note: Because k is a very small random number, this issue is difficult to characterize.
Impact:
The export operation hangs.
Workaround:
None.
Fix:
ng_export now uses a non-blocking socket and loops to wait for data or terminate gracefully.
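The failure mode above (a reader that assumes each read fills its fixed-size buffer, and blocks forever when the producer hands back a slightly short chunk) is a general pipe-handling pitfall, so here is an added example of the robust pattern the fix describes. This is illustration code written for this page, not ng_export's or tmsh's own source; it stands in for tmsh with a constructed writer thread on an os.pipe(), and the reader's buffer size, the "short by k bytes" chunking and the idle timeout are assumed values.

```python
import os
import select
import threading


def write_in_short_chunks(fd, payload, chunk, close_when_done=True):
    """Constructed stand-in for the tmsh side of the pipe.

    Emits the payload in chunks that are a few bytes shorter than the
    reader's buffer, then (normally) closes its end so the reader sees EOF.
    close_when_done=False models a producer that goes silent without
    closing, which is what a naive blocking reader would hang on."""
    for i in range(0, len(payload), chunk):
        os.write(fd, payload[i:i + chunk])
    if close_when_done:
        os.close(fd)


def read_until_eof(fd, bufsize=4096, idle_timeout=1.0):
    """Accumulate everything written to fd until the writer closes its end.

    Never assumes a read returns bufsize bytes: short reads are simply
    appended and the loop continues. Returns (data, completed); completed is
    False when the writer went silent for idle_timeout seconds without
    closing the pipe, so the caller can terminate instead of blocking
    forever on a read that would never return (the ng_export hang)."""
    os.set_blocking(fd, False)          # never block inside os.read itself
    chunks = []
    while True:
        ready, _, _ = select.select([fd], [], [], idle_timeout)
        if not ready:                   # producer stalled: give up gracefully
            return b"".join(chunks), False
        try:
            buf = os.read(fd, bufsize)  # may return fewer than bufsize bytes
        except BlockingIOError:
            continue                    # spurious wakeup; wait again
        if not buf:                     # zero-length read is EOF
            return b"".join(chunks), True
        chunks.append(buf)


def run_export(payload_len=10000, bufsize=4096, short_by=7,
               writer_closes=True, idle_timeout=0.2):
    """Drive one reader/writer exchange over a real pipe.

    Returns (payload_intact, completed). With writer_closes=True the reader
    reassembles the short chunks and sees EOF; with writer_closes=False it
    still collects all data but reports completed=False after the idle
    timeout instead of hanging."""
    payload = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    r, w = os.pipe()
    t = threading.Thread(target=write_in_short_chunks,
                         args=(w, payload, bufsize - short_by, writer_closes))
    t.start()
    data, completed = read_until_eof(r, bufsize, idle_timeout)
    t.join()
    if not writer_closes:
        os.close(w)
    os.close(r)
    return data == payload, completed


if __name__ == "__main__":
    print("writer closes pipe:   ", run_export())
    print("writer stalls silently:", run_export(writer_closes=False))
```

The design point is that correctness comes from treating EOF (a zero-length read) and an idle timeout as the only two exit conditions; the amount returned by any single read is irrelevant, so a chunk of x minus k bytes is handled the same as a full one.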
690166-3 : ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains
Component: Global Traffic Manager (DNS)
Symptoms:
Creating an SRV wideip results in stub zone creation even when matching zones already exist.
Conditions:
Creating an SRV wideip with three more layers than the existing zone.
Impact:
Unnecessary stub zones created.
690042-3 : Potential Tcl leak during iRule suspend operation
Solution Article: K43412307
Component: Local Traffic Manager
Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.
Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.
Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer leaks memory.
689826-2 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
Component: Access Policy Manager
Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.
Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.
Impact:
Proxy settings are not applied on client side after VPN is established.
Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:
1. Set the custom variable name to the following value:
config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
Note: <network access resource name> is the name of the network access resource.
2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.
3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.
Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.
689577-1 : ospf6d may crash when processing specific LSAs
Solution Article: K45800333
Component: TMOS
Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.
Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.
Impact:
OSPFv3 routing will be interrupted while the daemon restarts and the protocol re-converges.
Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.
Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.
689449-3 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.
Conditions:
- VIP configured with spdy/http2 and http with fallback-host.
Impact:
TMM may eventually enter aggressive sweeper mode, where this memory will be released. In the process, it is possible that some legitimate connections will be killed.
Workaround:
No workaround at this time.
Fix:
BIG-IP no longer attempts to send a response with the fallback host configured in the HTTP profile when a connection is aborted by a client or due to an internal error. This prevents the internal flow from staying in memory after the connection has died.
689089-3 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
Component: Local Traffic Manager
Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.
Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:
"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"
Where "N" is the number of physical slots in the chassis (2, 4, or 8).
Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.
Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.
Fix:
The configuration file update logic has been changed to prevent file corruption during update.
688625-2 : PHP Vulnerability CVE-2017-11628
Solution Article: K75543432
688516-2 : vCMPd may crash when processing bridged network traffic
Component: TMOS
Symptoms:
Under certain conditions vCMPd may crash while processing bridged network traffic.
Conditions:
vCMP active in 'host-only' or 'bridged' mode.
Impact:
vCMPd may crash, resulting in a failure of guest instances on the same host hardware slot.
Workaround:
Deploy guests in isolated mode.
Fix:
vCMPd does not crash when processing bridged network traffic.
688011-5 : Dig utility does not apply best practices
Component: TMOS
Symptoms:
The dig utility does not apply current best practices when processing administrator requests from TMSH
Conditions:
Appliance mode
TMSH access
Impact:
Dig does not apply current best practices
Workaround:
None.
Fix:
Dig now applies current best practices
688009-5 : Appliance Mode TMSH hardening
Component: Local Traffic Manager
Symptoms:
TMSH does not follow current best practices when Appliance Mode is active
Conditions:
BIG-IP system is operating in Appliance mode
Authorized TMSH access
Impact:
TMSH does not follow current best practices
Fix:
TMSH updated to follow current best practices
687658-2 : Monitor operations in transaction will cause it to stay unchecked
Solution Article: K03469520
Component: TMOS
Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.
Conditions:
This only happens within transactions.
Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.
Impact:
Monitor state never returns to its correct value.
Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.
687603-1 : tmsh query for dns records may cause tmm to crash
Component: Local Traffic Manager
Symptoms:
tmm experiences segmentation fault.
Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.
Impact:
Core file / system outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer experiences a segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query when the dns cache contains malformed records.
687353-3 : Qkview truncates tmstat snapshot files
Solution Article: K35595105
Component: TMOS
Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.
Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).
Note: 5 MiB is qkview utility's default maximum file size value.
Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.
Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0
687205-3 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
Component: Local Traffic Manager
Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.
Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.
Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.
Workaround:
None.
687193-1 : TMM may leak memory when processing SSL Forward Proxy traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may leak memory when processing SSL Forward Proxy traffic.
Conditions:
SSL forward proxy enabled.
Impact:
Increasing memory consumption over time, potentially leading to a TMM crash and failover event.
Workaround:
None.
Fix:
TMM no longer leaks memory when processing SSL Forward Proxy traffic
687128-3 : gtm::host iRule validation for ipv4 and ipv6 addresses
Component: Global Traffic Manager (DNS)
Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.
Conditions:
An AAAA-type WideIP with an IPv4 gtm::host iRule, or an A-type WideIP with an IPv6 gtm::host iRule.
Impact:
Incorrect host information was being returned.
Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.
Fix:
Fixed an issue that allowed gtm::host iRule commands to trigger on the wrong WideIP types.
687098 : IPv6 RADIUS servers not supported for remote authentication
Component: TMOS
Symptoms:
Authenticating against an IPv6 RADIUS server is not supported, only an IPv4 server.
Conditions:
This applies to remote authentication to log on to the BIG-IP system for management purposes.
Impact:
Logon operation will time out, as if the server did not respond.
Workaround:
Use an IPv4 server. If you have an IPv6 management IP, then you will need to have the IPv4 server reachable over a dataplane VLAN.
Fix:
Support for IPv6 RADIUS servers has been added.
686972-1 : The change of APM log settings will reset the SSL session cache.
Component: Local Traffic Manager
Symptoms:
If you change the configuration of APM log settings, it might cause the SSL session cache to be reset. Also, subsequent resumption of SSL sessions may fail after such a change, causing full SSL handshakes to occur more frequently.
Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.
Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.
Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.
Fix:
The change of APM log settings now limits its effect to the APM module instead of affecting other modules' (SSL) data.
686395 : With DTLS version1, when client hello uses version1.2, handshake shall proceed
Component: Local Traffic Manager
Symptoms:
With DTLS version 1, when the client hello uses version 1.2, the handshake fails with the error "unsupported version".
Conditions:
DTLS version1 handshake:
Handshake version 1.0 (0xfeff)
Client hello version 1.2 (0xfefd)
Impact:
DTLS functionalities.
Workaround:
N/A
Fix:
In this case, the handshake now proceeds instead of failing with the "unsupported version" error.
686389-3 : APM does not honor per-farm HTML5 client disabling at the View Connection Server
Component: Access Policy Manager
Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.
With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag indicating whether the HTML5 client is enabled (the absence of the <html-access-disabled/> tag). APM does not honor this flag; it should show the HTML5 client option to the APM end user only if HTML5 access has been enabled for that resource.
Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.
Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.
Workaround:
There is no workaround at this time.
Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.
Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.
686307-1 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
Component: Local Traffic Manager
Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.
Note: Without LTM policies in the configuration, monitors upgrade without problem.
Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.
Impact:
Monitors may not work after upgrade.
Workaround:
No workaround at this time.
Fix:
This release addresses the underlying problem so the issue no longer occurs.
686305-2 : TMM may crash while processing SSL forward proxy traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing SSL forward proxy traffic
Conditions:
SSL forward proxy enabled
Impact:
TMM crash leading to a failover event
Workaround:
None.
Fix:
TMM now correctly processes SSL forward proxy traffic
686282-1 : APMD intermittently crashes when processing access policies
Component: Access Policy Manager
Symptoms:
APMD process may crash intermittently (rare) when processing access policies.
Conditions:
This rarely encountered issue occurs when any one of the following conditions exists:
-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.
Impact:
APM end users cannot pass access policy, cannot login.
Workaround:
None.
Fix:
APMD no longer intermittently crashes when processing access policies.
686228-3 : TMM may crash in some circumstances with VLAN failsafe
Component: Local Traffic Manager
Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms
Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.
Impact:
A TMM core file may be produced. Traffic disrupted while tmm restarts.
Workaround:
Relax the timer to the default VLAN failsafe timer setting.
Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.
686065-1 : RESOLV::lookup iRule command can trigger crash with slow resolver
Component: Local Traffic Manager
Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.
Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousands of connections triggering resolution of the same name.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove RESOLV::lookup from the workflow if it is not required.
Fix:
The scenario now works as expected and no longer results in a crash.
686029-1 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
Solution Article: K00026204
Component: TMOS
Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.
Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.
Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.
Workaround:
None.
Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.
685955 : TMM hud_message_ctx leak
Component: Local Traffic Manager
Symptoms:
There is a TMM memory issue caused by leaked hud_message_ctx objects, each holding a websockets_frame.
Conditions:
Running WebSocket traffic that needs to be processed by a plugin like ASM.
Impact:
Increasing TMM memory usage leading to eventual service outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The memory leak in TMM has been fixed.
685743-3 : When internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported
Component: Application Security Manager
Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.
Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.
Impact:
Requests might be blocked, and no reason is reported.
Workaround:
Reset internal 'request_buffer_size' to default.
Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.
685693 : APM AppTunnels memory leak
Component: Wan Optimization Manager
Symptoms:
Using APM AppTunnels causes a slow memory leak.
Conditions:
Use of APM AppTunnels.
Impact:
The slow memory leak exhausts tmm memory over time. Traffic disrupted when tmm restarts.
Workaround:
None.
Fix:
The memory leak has been corrected.
685344-2 : Monitor 'min 1 of' not working as expected with FQDN nodes/members
Component: Local Traffic Manager
Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.
Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.
Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.
Workaround:
To configure a pool with 'min 1 of {...}', specify static pool members; do not use FQDN to configure pool members.
Fix:
A pool with FQDN configured nodes/members and specified with a monitor of 'min 1 of {...}' remains available as long as a single pool member remains up.
This issue is resolved by the FQDNv2 feature re-implementation.
685254-1 : RAM Cache Exceeding Watchdog Timeout in Header Field Search
Component: Local Traffic Manager
Symptoms:
SOD halts TMM while RAM cache is processing a header.
Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.
Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.
Workaround:
No workaround at this time.
Fix:
SOD no longer halts TMM while RAM cache is processing a header.
685207-2 : DoS client side challenge does not encode the Referer header.
Component: Application Security Manager
Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.
Conditions:
1. Log in to the client IP address and send the ab request.
2. Once the DoS attack starts, send the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. The unencoded Referer header is visible.
Impact:
The XSS reflection occurs after triggering the DoS attack.
Workaround:
None.
Fix:
DoS client side challenge now encodes the Referer header.
685110-3 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
Solution Article: K05430133
Component: Local Traffic Manager
Symptoms:
1. FQDN Node/pools fails to populate with members.
2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:
err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.
Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.
Impact:
Unable to use FQDN nodes/pool members with a non-LTM license.
Workaround:
None.
Fix:
With a non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.
685020-1 : Enhancement to SessionDB provides timeout
Component: TMOS
Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.
Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.
Impact:
Calls made to SessionDB never return from the remote TMM.
Workaround:
None.
Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
Behavior Change:
A new sys db variable, Tmm.SessionDB.table_cmd_timeout_override (default false), enables the timeout for the iRule table command; its definition is given under Fix above.
684879-2 : Malformed TLS1.2 records may result in TMM segmentation fault.
Solution Article: K02714910
684414-1 : Retrieving too many groups is causing out of memory errors in TMUI and VPE
Component: Access Policy Manager
Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502 and VPE fails with HTTP 500.
Conditions:
LDAP/AD server with over 20,000 groups.
Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.
Workaround:
The only solution is to remove the /shared/tmp/gmcache folder and use manual group mapping.
Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.
684333-3 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.
Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.
Impact:
PEM session created using Gx may get deleted.
Workaround:
Initiate failover using alternate commands, such as the following:
tmm big start restart.
684325-3 : APMD Memory leak when applying a specific access profile
Component: Access Policy Manager
Symptoms:
When an access profile contains the CheckMachineCert agent, each update of the profile using 'Apply access policy' leaks 12096 bytes of memory.
Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.
Impact:
APMD process stops after repeated application of the script.
Workaround:
None.
Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.
684312-2 : During Apply Policy action, bd agent crashes, causing the machine to go Offline
Solution Article: K54140729
Component: Application Security Manager
Symptoms:
During Apply Policy action, bd agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------
This causes the bd and bd_agent processes to restart, and the machine goes Offline.
Conditions:
-- ASM provisioned.
-- Applying policy.
-- Loading of corrupted data is attempted during an Apply Policy action.
Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.
Workaround:
None.
Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.
684033-1 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
Solution Article: K70084351
683697-3 : SASP monitor may use the same UID for multiple HA device group members
Solution Article: K00647240
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.
The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.
Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.
It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).
Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.
Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration, https://support.f5.com/csp/article/K13030) allows recovery from this condition.
It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.
Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.
683683-1 : ASN1::encode returns wrong binary data
Component: Local Traffic Manager
Symptoms:
ASN1::encode returns incorrect data for certain integer values. For example, for integer 49280, ASN1::encode returns 02030000.
Conditions:
The problem occurs during an implicit UTF encoding/decoding step, and it is not obvious which data triggers the error.
The command implicitly converts the Tcl object type from byte array to string and later back to byte array, and because of the UTF decoding algorithm, certain bytes get changed.
Impact:
The returned binary is wrong.
Workaround:
Use binary scan for the value that is incorrectly encoded by the command.
Fix:
ASN1::encode ENCODE mode now avoids the implicit type conversion from byte array to string and back to byte array, which changed the original byte array during UTF-8 decoding.
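The corruption described in this entry, as an added example (not F5's code): a minimal DER INTEGER encoder next to a model of the byte-array-to-string-and-back round trip, showing how 49280 (DER content 00 C0 80, where C0 80 is also the overlong form Tcl uses internally for NUL) collapses to 02030000. The lenient decoder is my approximation of Tcl 8.x behaviour, not taken from the page.

```python
# Added example, not F5 code: DER INTEGER encoding plus a simulation of the
# implicit Tcl byte-array -> string -> byte-array round trip blamed above.
# The Tcl decoder modelled here is an approximation of Tcl 8.x behaviour
# (lenient UTF-8, with the overlong pair C0 80 accepted as NUL).


def der_encode_integer(value: int) -> bytes:
    """Minimal two's-complement DER encoding of an INTEGER (tag 0x02)."""
    # Allow one extra octet so the sign bit always has room, then trim.
    length = (value.bit_length() + 8) // 8
    content = value.to_bytes(length, "big", signed=True)
    # DER minimal-length rule: drop redundant leading 0x00 / 0xFF octets.
    while len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        content = content[1:]
    if len(content) >= 128:
        raise ValueError("long-form length not needed for this example")
    return b"\x02" + bytes([len(content)]) + content


def tcl_like_utf8_decode(data: bytes) -> list:
    """Approximate Tcl's lenient UTF-8 reader.

    A lead byte followed by enough continuation bytes becomes one character;
    anything else is taken as a single character with the byte's own value.
    The overlong pair C0 80 is accepted as NUL because that is how Tcl stores
    NUL internally; other overlong forms fall back to single-byte characters.
    """
    chars, i, n = [], 0, len(data)
    while i < n:
        b0 = data[i]

        def cont(k):
            return i + k < n and 0x80 <= data[i + k] <= 0xBF

        if 0xC0 <= b0 <= 0xDF and cont(1):
            cp = ((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp == 0 or cp >= 0x80:
                chars.append(cp)
                i += 2
                continue
        elif 0xE0 <= b0 <= 0xEF and cont(1) and cont(2):
            cp = ((b0 & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            if cp >= 0x800:
                chars.append(cp)
                i += 3
                continue
        chars.append(b0)
        i += 1
    return chars


def buggy_round_trip(data: bytes) -> bytes:
    """Byte array -> Tcl string -> byte array (each char truncated to 8 bits)."""
    return bytes(cp & 0xFF for cp in tcl_like_utf8_decode(data))


def asn1_encode_buggy(value: int) -> bytes:
    """What the pre-fix ASN1::encode effectively returned for an integer."""
    return buggy_round_trip(der_encode_integer(value))


def corrupting_values(lo: int, hi: int) -> list:
    """Integers in [lo, hi] whose DER encoding is damaged by the round trip."""
    return [v for v in range(lo, hi + 1)
            if asn1_encode_buggy(v) != der_encode_integer(v)]


if __name__ == "__main__":
    # 49280 (the page's example), a neighbour that survives, and one that
    # loses a byte because C2 A9 decodes to U+00A9.
    for v in (49280, 49152, 49833):
        print(v, der_encode_integer(v).hex(), asn1_encode_buggy(v).hex())
```

Running the scan shows that 49280 is the smallest positive integer affected: its DER content is the first to contain a lead byte in C0..DF followed by a continuation byte.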
683508-3 : WebSockets: umu memory leak of binary frames when remote logger is configured
Component: Application Security Manager
Symptoms:
ASM out of memory error messages in /var/log/asm.
Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.
Impact:
ASM out of memory, memory leak.
Workaround:
Remove ASM remote logging profile from a virtual server.
Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.
683389-1 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
Component: Access Policy Manager
Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.
Conditions:
Attempt to create local SharedObject.
Impact:
Affected Flash applications are not working when accessed through Portal Access.
Workaround:
None.
Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.
682837 : Compression watchdog period too brief.
Component: TMOS
Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.
Conditions:
Very high sustained system-wide compression request traffic.
Impact:
Accelerated compression throughput can drop significantly; some flows dropped.
Workaround:
Switch to software compression.
Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.
682682-3 : tmm asserts on a virtual server-to-virtual server connection
Component: Local Traffic Manager
Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.
Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.
Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.
Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.
682612 : Event Correlation is disabled on vCMP even though all the prerequisites are met.
Component: Application Security Manager
Symptoms:
In the GUI, the Security ›› Event Logs : Application : Event Correlation screen shows "Event Correlation is not supported on this platform.".
Conditions:
Multi bladed vCMP guest, running on a BIG-IP with SSD drives, having only one available Slot (other Slots appear offline/unavailable).
Impact:
A multi-bladed vCMP guest running on a BIG-IP with SSD drives and having only one available slot has Event Correlation disabled.
Workaround:
The following workaround does not survive ASM restart.
Thus, it has to be executed after every restart of ASM:
------------------------
# perl -MF5::ASMReady -MF5::Cfg -e 'while (! F5::ASMReady::is_asm_ready()) { print "Waiting for ASM to be ready.\n"; sleep 5; }; print "ASM is ready, patching Event Correlation cfg file\n"; F5::Cfg::cfg_set_config_item(qw{/etc/ts/correlation/correlation.cfg}, qw{General}, qw{Idle}, 0)'
# pkill -f correlation
------------------------
Event Correlation should start within ~15 seconds after the execution of this workaround:
------------------------
# ps -elf | grep correlation
0 S root ... /usr/share/ts/bin/correlation
------------------------
682500-1 : VDI Profile and Storefront Portal Access resource do not work together
Component: Access Policy Manager
Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.
Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.
Impact:
Citrix Storefront portal access resource cannot be used to launch applications.
Workaround:
None.
Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.
682335-3 : TMM can establish multiple connections to the same gtmd
Component: Global Traffic Manager (DNS)
Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.
Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed: if there is an existing connflow, the system does not start another connection.
682213-3 : TLS v1.2 support in IP reputation daemon
Solution Article: K31623549
Component: TMOS
Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.
Conditions:
This occurs when using IP reputation.
Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.
Workaround:
None.
Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatibility, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.
In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.
682105 : Adding widget in Analytics Overview can cause measures list to empty out on Page change
Component: Application Visibility and Reporting
Symptoms:
When adding a new widget on Analytics Overview page with multiple modules (e.g., vCMP, Security), it is possible to reach a state in which the list of available measures is empty.
Conditions:
-- All 'available measurements' are selected (moved left).
-- The page is changed.
Impact:
In some cases (like in vCMP when changing from Network to SynCookies), the list of available measurements will remain empty. Unable to select measures to display in new widget.
Workaround:
To reset the list of measures so that all measures are visible again, switch to another page and return to the previous one right away.
682104-1 : HTTP PSM leaks memory when looking up evasion descriptions
Component: Local Traffic Manager
Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.
Conditions:
When PSM looks up evasion descriptions.
Impact:
Memory leaked on each lookup might eventually exhaust TMM memory.
Workaround:
None.
Fix:
This fix stops the memory leak.
681710-4 : Malformed HTTP/2 requests may cause TMM to crash
Solution Article: K10930474
681415-1 : Copying of profile with advanced customization or images might fail
Component: Access Policy Manager
Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code'.
Conditions:
Access Profile has an advanced customization group or customization image assigned to any object connected to the profile.
Impact:
Unable to copy policy.
Workaround:
None.
Fix:
Copying of profile with advanced customization or images now succeeds as expected.
681175-1 : TMM may crash during routing updates
Solution Article: K32153360
Component: Local Traffic Manager
Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.
Conditions:
-- Dynamic routing.
-- ECMP routes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.
Fix:
TMM no longer crashes on routing updates when ECMP is in use.
681109-2 : BD crash in a specific scenario
Solution Article: K46212485
Component: Application Security Manager
Symptoms:
BD crash occurs.
Conditions:
A specific, non-default configuration with specific traffic.
The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false-positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.
For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
Content-Type :: *xml* :: form-data
This configuration is likely to result in a very long list of false-positive attack signatures. Because of the large message generated, the regex violation, which is also likely to occur on the same payload, cannot be added to the already-filled message, which causes the crash.
Impact:
Failover, traffic disturbance.
Workaround:
To prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.
A correctly configured header-based-content-profile property on URLs appears as follows:
In URL Properties, the Header-Based Content Profiles section of the wildcard URL applies the value and content signature by default. Here you can associate a Content-Type header with a <type-value> and a <parser-type>. By default, the correct definitions are as follows:
Content-Type :: *form* :: Form Data
Content-Type :: *json* :: JSON
Content-Type :: *xml* :: XML
Fix:
Added a check to prevent a crash in a specific scenario.
680850-1 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
Solution Article: K48342409
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.
Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug
Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.
Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.
Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.
Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.
Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.
This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.
With this fix, setting log.zxfrd.level debug no longer outputs this information.
Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.
Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.
680755-1 : max-request enforcement no longer works outside of OneConnect
Solution Article: K27015502
Component: Local Traffic Manager
Symptoms:
max-request enforcement does not work when OneConnect is not configured.
Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.
Impact:
max-request enforcement does not work.
Workaround:
Always use OneConnect.
Fix:
max-request enforcement now works when OneConnect is not configured.
680729-3 : DHCP Trace log incorrectly marked as an Error log.
Solution Article: K64307999
Component: Policy Enforcement Manager
Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.
Impact:
Possible clutter in the TMM logs.
Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical
Fix:
The following log line is now emitted only when DHCP debug logging is enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
680112-1 : SWG-Explicit rejects large POST bodies during policy evaluation
Solution Article: K18131781
Component: Access Policy Manager
Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 64 KB limit on POST bodies while the policy is being evaluated.
==> /var/log/apm <==
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048
Conditions:
This applies only during the policy evaluation. After the policy has been set to 'Allow', there is no limit.
Impact:
Unable to start an SWG-Explicit policy with a large POST body.
Workaround:
None.
Fix:
Modify the db variable 'tmm.access.maxrequestbodysize' with a value larger than the maximum post body size you would like to support. The maximum supported value is 25000000 (25 MB).
679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
Component: TMOS
Symptoms:
Unable to ping the self IP of vCMP guests configured on i5000, i7000, or i10000.
Conditions:
Running TMOS v12.1.3 and VCMP guests configured on i5000, i7000 or i10000.
Impact:
Unable to process client traffic.
Workaround:
No workaround at this time.
Fix:
This issue is fixed.
679603-2 : bd core upon request, when profile has sensitive element configured.
Solution Article: K15460886
Component: Application Security Manager
Symptoms:
bd crash, system goes offline.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- JSON profile configured with a sensitive element.
Impact:
System goes offline/fails over.
Workaround:
Remove sensitive elements from the json profile in the ASM policy.
Fix:
ASM now handles this condition so the crash no longer occurs.
679480-1 : User able to create node when an ephemeral with the same IP already exists
Component: TMOS
Symptoms:
If an FQDN ephemeral node exists for a given IP address, the user is still able to create a real node for the same IP address.
Conditions:
This can only be done by the GUI, not by tmsh or iControl REST.
Impact:
This should be prevented, but is allowed.
Workaround:
Avoid creating such a node.
Fix:
Validation now prevents this from happening.
679440-2 : MCPD Cores with SIGABRT
Solution Article: K14120433
Component: Advanced Firewall Manager
Symptoms:
MCPD cores with SIGABRT.
Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.
Impact:
MCPD core.
Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable
Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.
679384-1 : The policy builder is not getting updates about the newly added signatures.
Solution Article: K85153939
Component: Application Security Manager
Symptoms:
The policy builder is not getting updates about the newly added signatures.
Conditions:
When ASU is installed or user-defined signatures are added/updated.
Impact:
No learning suggestions for some of the newly added signatures.
Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
killall -s SIGHUP pabnagd
-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).
Fix:
After the fix, Policy Builder will be aware of all newly added signatures.
679235-5 : Inspection Host NPAPI Plugin for Safari cannot be installed
Component: Access Policy Manager
Symptoms:
The Inspection Host NPAPI Plugin for Safari on macOS High Sierra cannot be installed.
Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.
Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.
Workaround:
There is no workaround at this time.
Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.
679221-1 : APMD may generate core file or appears locked up after APM configuration changed
Component: Access Policy Manager
Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.
Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.
Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.
Workaround:
None.
Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.
679149-2 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash or LB::server returns unexpected result.
Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.
Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.
678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
Solution Article: K24756214
Component: Access Policy Manager
Symptoms:
VDI debug logs print user credentials to /var/log/apm.
Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.
Impact:
User credentials are written to /var/log/apm.
Workaround:
Set VDI debug level to Notice.
Fix:
The system no longer prints user credentials to VDI debug logs.
678861-3 : DNS:: namespace commands in procs cause upgrade failure when changing from a Link Controller license to another license★
Solution Article: K00426059
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade fails with a message similar to the following.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.
Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.
Impact:
Upgrade fails.
Workaround:
Remove DNS:: commands from procs before upgrade.
Or use AFM instead of iRules.
678851-1 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
Component: Access Policy Manager
Symptoms:
Java applets containing a call to getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.
An attempt to call the incorrectly patched method causes the following exception:
java.lang.VerifyError: (...) Illegal type in constant pool
Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().
Impact:
Affected Java applets cannot be started through Portal Access.
Workaround:
None.
Fix:
Rewritten applets that call java.applet.AppletStub interface methods no longer cause a java.lang.VerifyError exception during execution.
678833 : IPv6 prefix SPDAG causes packet drop
Component: TMOS
Symptoms:
If IPv6 prefix SPDAG is turned on, on systems running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3, it can cause packet drops.
Conditions:
-- IPv6 prefix DAG turned on.
-- A value other than 128 assigned to sys db tmm.pem.session.ipv6.prefix.len.
-- Running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3.
Impact:
Packet drops.
Workaround:
Turn off IPv6 prefix SPDAG.
678822-3 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed
Component: Policy Enforcement Manager
Symptoms:
If PEM subscribers are brought up with Diameter apps (Gx/Gy) configured and the PCRF is not reachable, either because there is no route or simply because no license is configured for those apps, the 'provision pending' session counter is incremented and never rolls back to zero, even after the subscribers are cleaned up.
Conditions:
If the route to PCRF/OCS is missing or not reachable.
Impact:
Non-zero stats for provision pending sessions.
Workaround:
Disable the Gx/Gy profile if not required or configure the route.
Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.
678820-2 : Potential memory leak if PEM Diameter sessions are not created successfully.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in reduction in available memory.
Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN.
3. Subscriber creation attempt.
Impact:
Loss of service.
Workaround:
There is no workaround at this time.
Fix:
Diameter context is freed in case of a failed Diameter session creation.
678715-1 : Large volume of query result update to SessionDB fails and locks down ApmD
Component: Access Policy Manager
Symptoms:
While writing large query results from AD server to sessionDB using memcache API, write operation fails with partial write.
Conditions:
Large AD query results (with 'All Attributes' required) from the AD server are written to SessionDB.
Impact:
The operation fails with a partial write. All worker threads performing authentication eventually lock up. The session watchdog thread eventually forces an abort to recover from the situation, and apmd restarts.
Workaround:
Query for specific attributes rather than using the 'All Attributes' option.
Fix:
The partial-write failure has been fixed by writing the remaining parts of the query results in several iterations until the entire result is written.
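The fix described above, writing in several iterations until the whole result is stored, as an added example that is not APM code. The store class below is a constructed stand-in for the sessionDB memcache API, not the real interface: its write call accepts at most max_chunk bytes per call and returns how many it stored, which is the partial-write behaviour this entry describes.

```python
from dataclasses import dataclass, field


class PartialWriteError(IOError):
    """Raised when the store stops accepting data instead of looping forever."""


@dataclass
class ChunkedSessionStore:
    # Constructed stand-in for the sessionDB memcache API (not the real interface):
    # write() stores at most max_chunk bytes per call and reports how many it took.
    max_chunk: int
    store: dict = field(default_factory=dict)
    write_calls: int = 0

    def write(self, key: str, offset: int, data: bytes) -> int:
        self.write_calls += 1
        accepted = data[: self.max_chunk]
        buf = self.store.setdefault(key, bytearray())
        buf[offset : offset + len(accepted)] = accepted
        return len(accepted)

    def read(self, key: str) -> bytes:
        return bytes(self.store.get(key, b""))


def write_once(store: ChunkedSessionStore, key: str, data: bytes) -> int:
    """Pre-fix behaviour: a single write call; a short write silently truncates the value."""
    return store.write(key, 0, data)


def write_all(store: ChunkedSessionStore, key: str, data: bytes, max_stalls: int = 3) -> int:
    """Post-fix behaviour: resume from the last accepted byte until the whole value is stored.

    Returns the number of bytes written. Gives up with PartialWriteError if the store accepts
    nothing several times in a row, rather than hanging the calling worker thread.
    """
    offset = 0
    stalls = 0
    while offset < len(data):
        n = store.write(key, offset, data[offset:])
        if n <= 0:
            stalls += 1
            if stalls >= max_stalls:
                raise PartialWriteError(f"no progress writing {key!r} at offset {offset}")
            continue
        stalls = 0
        offset += n
    return offset


# Constructed sample: an attribute blob of the kind a large AD query returns.
SAMPLE_KEY = "session:0123abcd:ad_attrs"
SAMPLE_VALUE = b"sAMAccountName=jdoe;memberOf=CN=vpn-users,OU=groups,DC=example,DC=test"
```

write_once with a 7-byte chunk limit leaves only the first 7 bytes in the store, which is the truncated value the pre-fix code would have read back; write_all makes ceil(len/7) calls and stores the whole value.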
678714-3 : After HA failover, subscriber data has stale session ID information
Component: Policy Enforcement Manager
Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session ID information.
Conditions:
-- HA failover.
-- PEM subscriber.
Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.
Workaround:
None.
Fix:
Subscriber local data is now populated with new, generated session ID information.
678462-2 : after chassis failover: asmlogd CPU 100% on secondary
Component: Application Security Manager
Symptoms:
After a failover in a chassis:
- asmlogd CPU 0% on primary slot (which was secondary before the failover).
- asmlogd CPU 100% on secondary (which was primary before the failover).
Without traffic running through the chassis.
Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.
Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.
Workaround:
There is no workaround at this time.
Fix:
The asmlogd process now better handles chassis failovers during which the chassis slots change roles (primary/secondary), so this issue no longer occurs.
678416-2 : Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
Component: Local Traffic Manager
Symptoms:
After the BIG-IP system experiences severe memory pressure, the 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table incorrectly show extremely high values.
Conditions:
The BIG-IP system experiences enough memory pressure that slabs are transferred between threads.
Impact:
The 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table do not reflect actual values. However, there is no functionality issue as a result. This is a cosmetic issue only.
Workaround:
None.
Fix:
The system now manages better under memory pressure so that the tmm/umem_usage_stat counters correctly reflect actual values.
678293-1 : Uncleaned policy history files cause /var disk exhaustion
Component: Application Security Manager
Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.
Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.
Two possible causes might explain how the history files were copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.
Impact:
/var disk usage is high.
Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:
----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { return unless -f $_; return unless $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------
Manually verify the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.
In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.
678228-1 : Repeated Errors in ASM Sync
Solution Article: K27568142
Component: Application Security Manager
Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.
Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM-enabled Device Group.
Impact:
Any future attempts at building a sync file will continue to fail.
Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.
Fix:
Remnants of failed sync files are now correctly cleaned up before building a new one.
677937-1 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
Solution Article: K41517253
Component: TMOS
Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.
Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).
Impact:
No connectivity between the client and the server.
Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)
Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.
677457 : HTTP/2 Gateway appends semicolon when a request has one or more cookies
Component: Local Traffic Manager
Symptoms:
With an HTTP/2 profile, a virtual server on a BIG-IP system receives requests and handles cookies by converting them into a cookie-string. The BIG-IP system concatenates the cookie pairs with a semicolon (%3B) and a space (%20) in the cookie-string. This delimiter pair is also appended after the last cookie pair.
Conditions:
HTTP/2 profile is configured on a virtual server and a request contains one or more cookies.
Impact:
The request forwarded to a backend server contains an extra semicolon at the end of the cookie-string.
Workaround:
Use an iRule to remove the extra delimiter if it negatively impacts backend server performance.
For example:
when HTTP_REQUEST {
    # The HTTP/2 gateway leaves a trailing "; " after the last cookie pair.
    # Strip it only when it is actually present, so the iRule is harmless on a fixed version.
    if { [HTTP::header exists "Cookie"] && [HTTP::header value "Cookie"] ends_with "; " } {
        set new_header [string range [HTTP::header value "Cookie"] 0 end-2]
        # This log line writes cookie values (session tokens) to /var/log/ltm; keep it only while troubleshooting.
        log local0.notice "$new_header"
        HTTP::header replace "Cookie" $new_header
    }
}
Fix:
A virtual server with an HTTP/2 profile no longer appends an extra delimiter to the cookie-string when it forwards the request to an HTTP/1.x backend server.
677400-3 : pimd daemon may exit on failover
Solution Article: K82502883
Component: Local Traffic Manager
Symptoms:
When multicast traffic is passing on a high availability (HA) pair, the pimd daemon on the unit that transitions to standby may exit and drop a core file.
Conditions:
-- Multicast routing configured.
-- PIM-Sparse Mode configured.
-- HA failover configuration.
Impact:
None. The system that goes active will reconverge, and multicast traffic will resume.
Workaround:
No workaround required.
Fix:
The pimd daemon no longer exits when an HA failover occurs.
677193-2 : ASM BD Daemon Crash.
Solution Article: K38243073
677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
Component: Local Traffic Manager
Symptoms:
When the parameters of an HTTP/2 connection are negotiated, either side may report its limits in a SETTINGS frame. One of those parameters, SETTINGS_MAX_HEADER_LIST_SIZE, states the maximum size of header list the sender is willing to accept. BIG-IP incorrectly interchanged this parameter with another one, SETTINGS_HEADER_TABLE_SIZE, which limited the value of the former to 32,768.
Conditions:
HTTP2 is configured and the opposite endpoint (a user agent using the HTTP/2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.
Impact:
BIG-IP does not accept the value and terminates the connection with a GOAWAY frame that gives PROTOCOL_ERROR as the reason.
Fix:
BIG-IP no longer generates an error for this case and allows the value of SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.
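To make the two settings concrete, the following added example (not BIG-IP code) builds and parses an HTTP/2 SETTINGS frame as laid out in RFC 7540 and applies the limits the way a conforming endpoint should: SETTINGS_HEADER_TABLE_SIZE (identifier 0x1) bounds the HPACK dynamic table, while SETTINGS_MAX_HEADER_LIST_SIZE (identifier 0x6) is advisory and may carry any 32-bit value. The apply_conflated function is a model of the defect described in this entry; the 32,768 cap and the frame contents are constructed for the example.

```python
import struct

FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_HEADER_TABLE_SIZE = 0x1      # bounds the peer's HPACK dynamic table
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6   # advisory: largest header list the peer will accept

SETTING_NAMES = {
    0x1: "SETTINGS_HEADER_TABLE_SIZE",
    0x2: "SETTINGS_ENABLE_PUSH",
    0x3: "SETTINGS_MAX_CONCURRENT_STREAMS",
    0x4: "SETTINGS_INITIAL_WINDOW_SIZE",
    0x5: "SETTINGS_MAX_FRAME_SIZE",
    0x6: "SETTINGS_MAX_HEADER_LIST_SIZE",
}


def build_settings_frame(settings, stream_id=0, flags=0):
    """Serialize {identifier: value} as a SETTINGS frame: 9-byte header + 6 bytes per setting."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings.items())
    header = (len(payload).to_bytes(3, "big")
              + bytes([FRAME_TYPE_SETTINGS, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_settings_frame(frame):
    """Return {identifier: value}; raise ValueError naming the RFC 7540 error for malformed frames."""
    if len(frame) < 9:
        raise ValueError("FRAME_SIZE_ERROR: truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != FRAME_TYPE_SETTINGS:
        raise ValueError("PROTOCOL_ERROR: not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("PROTOCOL_ERROR: SETTINGS must be sent on stream 0")
    if flags & FLAG_ACK and length != 0:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS ACK must carry no payload")
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6:
        raise ValueError("FRAME_SIZE_ERROR: payload must be a multiple of 6 bytes")
    settings = {}
    for off in range(0, length, 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        settings[ident] = value  # unknown identifiers are kept here; an endpoint must ignore them
    return settings


class PeerLimits:
    """Limits this endpoint derives from the peer's SETTINGS (correct handling)."""

    def __init__(self, local_table_cap=32768):
        self.local_table_cap = local_table_cap   # constructed cap on our own HPACK encoder table
        self.header_table_size = 4096            # RFC 7540 default
        self.max_header_list_size = None         # nothing advertised yet

    def apply(self, settings):
        for ident, value in settings.items():
            if ident == SETTINGS_HEADER_TABLE_SIZE:
                # The peer permits up to `value`; our encoder may use less, so cap it locally.
                self.header_table_size = min(value, self.local_table_cap)
            elif ident == SETTINGS_MAX_HEADER_LIST_SIZE:
                # Advisory limit on what the peer will accept; any 32-bit value is legal.
                self.max_header_list_size = value
        return self


def apply_conflated(settings, local_table_cap=32768):
    """Model of the defect in this entry: identifier 0x6 is treated like 0x1, so a
    MAX_HEADER_LIST_SIZE above the table cap is rejected instead of being recorded."""
    for ident, value in settings.items():
        if ident == SETTINGS_MAX_HEADER_LIST_SIZE and value > local_table_cap:
            return "GOAWAY PROTOCOL_ERROR"
    return "ACK"
```

A client advertising a 64 KB header list limit is accepted by PeerLimits but answered with GOAWAY by the conflated model, which is the connection teardown this entry describes.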
677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text
Component: Access Policy Manager
Symptoms:
A Logon Page agent with more than one password variable, or the Citrix logon prompt, logs the plaintext password when debug logging is turned on for the access policy.
Conditions:
This occurs when the following conditions are met:
- A Citrix Logon Prompt with two-factor auth, or a Logon Page agent with more than one password variable, is added to the Access Policy.
- Access Policy logging is set to debug.
Impact:
APM logs the plaintext password when debug logging is turned on for the access policy.
Workaround:
None.
Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.
676982-2 : Active connection count increases over time, long after connections expire
Solution Article: K21958352
Component: Local Traffic Manager
Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.
Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile functionality.
Impact:
- Service may be impacted after a period.
- TMM instances may restart.
Workaround:
None.
Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.
676808-2 : FPS: tmm may crash on response with large payload from server
Component: Fraud Protection Services
Symptoms:
A request to an unprotected FPS URL may cause a tmm crash if the response payload is large and the URL was configured via live update.
Conditions:
1. Page is not protected.
2. Large response payload (e.g., 50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
FPS now checks for the fast-response situation and acts accordingly.
676690-3 : Windows Edge Client sometimes crashes when user signs out from Windows
Component: Access Policy Manager
Symptoms:
In rare cases the Windows Edge Client may crash when the user signs out from Windows.
Conditions:
The user signs out from Windows or restarts Windows while the Edge Client is running and a VPN is established.
Impact:
No functional impact; the user sees an error message box that blocks the sign-out process. When the user closes the message box, the sign-out process continues.
Fix:
Previously, in some instances, the Edge Client on Windows would crash when the user signed out of Windows. This has been fixed.
676457-3 : TMM may consume excessive resource when processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may consume an unusually large amount of system resources while processing compressed data.
Conditions:
HTTP compression is enabled.
Impact:
Reduced system capacity, potentially leading to a failover event.
Fix:
TMM now avoids excessive resource consumption while processing compressed data.
676416-2 : BD restart when switching FTP profiles
Component: Application Security Manager
Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.
Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On the FTP virtual server, switch to an FTP profile with Protocol Security disabled.
Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.
Workaround:
There is no workaround at this time.
Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.
676203-1 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
Component: TMOS
Symptoms:
TMM memory usage suddenly increases rapidly.
Conditions:
The inter-blade mpi connection fails and does not recover.
Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.
Workaround:
None.
Fix:
Inter-blade mpi connection now continues as expected, without memory issues.
676028-2 : SSL forward proxy bypass may fail to release memory used for ssl_hs instances
Solution Article: K09689143
Component: Local Traffic Manager
Symptoms:
TMM leaks memory used for ssl_hs instances when using SSL forward proxy when bypass is enabled.
Conditions:
The leak can be triggered by iRules, where a duplicate forward proxy lookup is initiated and interferes with the initial asynchronous lookup.
Impact:
TMM will core after running out of memory, which impacts availability.
Workaround:
None.
Fix:
Resolved by preventing duplicate forward proxy lookup.
675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
Component: Policy Enforcement Manager
Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently if the requests on those flows are outstanding.
Conditions:
The HTTP request from the subscriber is outstanding when the new flow is triggered.
Impact:
The PEM insert content pem_acton is enabled on multiple flows until the first response is received.
Fix:
The insert content action on new flows is now throttled to the periodic interval when the transaction is outstanding.
675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
Component: TMOS
Symptoms:
When creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond return an error; however, they are still deployed with a Status of 'running'.
Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.
Impact:
5th guest and beyond result in an error.
Workaround:
None.
Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.
675866-1 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
Component: Access Policy Manager
Symptoms:
Kerberos rejects tickets that have 2 minutes left in their lifetime: such tickets are rejected by the KDC, which causes APM to disable SSO.
Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.
Impact:
Cannot access the Kerberos-protected resources.
Workaround:
None.
Fix:
Tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.
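The ticket-reuse rule stated in the fix, as an added example that is not APM code. The text gives two statements (never use a ticket with less than 5 minutes left; reuse an existing ticket only if it has more than half the configured lifetime or at least 1 hour left, otherwise acquire a new one); combining them into the single predicate in is_reusable is this example's reading. The clock, the service name and the fake KDC are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_REMAINING = timedelta(minutes=5)   # never present a ticket this close to expiry
LONG_ENOUGH = timedelta(hours=1)       # a ticket with this much left is always reused

# Constructed clock so that the example is deterministic.
CONSTRUCTED_NOW = datetime(2018, 1, 1, 12, 0, tzinfo=timezone.utc)


def minutes(n):
    return timedelta(minutes=n)


@dataclass(frozen=True)
class ServiceTicket:
    service: str          # SPN, constructed, e.g. "HTTP/app.example.test"
    issued_at: datetime
    expires_at: datetime

    def remaining(self, now):
        return self.expires_at - now


def is_reusable(ticket, now, configured_lifetime):
    """At least 5 minutes left, and either more than half of the configured lifetime
    or at least 1 hour left."""
    remaining = ticket.remaining(now)
    if remaining < MIN_REMAINING:
        return False
    return remaining > configured_lifetime / 2 or remaining >= LONG_ENOUGH


def choose_ticket(cache, service, now, configured_lifetime, acquire):
    """Pick the freshest reusable cached ticket for `service`, else call `acquire` for a new one.
    `acquire(service, now)` stands in for the TGS-REQ to the KDC. Returns (ticket, reused)."""
    usable = [t for t in cache
              if t.service == service and is_reusable(t, now, configured_lifetime)]
    if usable:
        return max(usable, key=lambda t: t.expires_at), True
    return acquire(service, now), False


def acquire_from_fake_kdc(service, now, lifetime=timedelta(hours=10)):
    """Constructed stand-in for the KDC: issues a fresh ticket with the full lifetime."""
    return ServiceTicket(service, now, now + lifetime)


def ticket_with_minutes_left(service, minutes_left, now=CONSTRUCTED_NOW,
                             lifetime=timedelta(hours=10)):
    """Build a constructed cached ticket that expires `minutes_left` minutes after `now`."""
    expires = now + timedelta(minutes=minutes_left)
    return ServiceTicket(service, expires - lifetime, expires)
```

With a 10-hour configured lifetime, tickets with 6 hours or 4 hours left are reused (the first passes the half-lifetime test, the second the 1-hour test), a ticket with 30 minutes left triggers a fresh TGS-REQ, and with a very short configured lifetime the 5-minute floor still applies even when more than half the lifetime remains.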
675775-2 : TMM crashes inside dynamic ACL building session db callback
Component: Access Policy Manager
Symptoms:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time may cause TMM restart in dynamic ACL building session db callback.
Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Guard against NULL pointer dereference for dynamic ACL build.
675399-3 : Network Access does not work when empty variables are assigned for WINS and DNS
Component: Access Policy Manager
Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.
Conditions:
If the admin configures empty values for WINS or DNS in the Variable Assign agent in the VPE.
Impact:
The system does not parse the XML tags correctly. Users may not be able to establish a VPN tunnel.
Workaround:
Do not leave the DNS or WINS values empty in the Variable Assign agent.
Fix:
APM now correctly handles the condition where an empty string is assigned for WINS and/or DNS in the Variable Assign policy agent.
675232-3 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
Component: Application Security Manager
Symptoms:
Errors encountered:
In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.
Impact:
The policy is created but the modify action cannot find the policy.
Workaround:
iApps are built to work with ASM Policy Templates.
A new ASM Policy Template can be created from the desired ASM Policy.
That can be done via the GUI and, starting from v13.0, via REST as well.
Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------
Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.
674931 : FPS modified responses/injections might result in a corrupted response
Component: Fraud Protection Services
Symptoms:
If a connection is congested and FPS tries to send additional egress (modifying the response, e.g. injections), the order of the response data can break when that send succeeds (i.e., congestion has just ended). Instead of sending the buffered data first (the part of the response that was buffered due to congestion), FPS sends the new data first and only then sends the buffered data.
Conditions:
- congested connection
- FPS sends modified response (e.g. injections)
- sending egress succeeded (congestion ended)
Impact:
The response is corrupted: the order of the data has erroneously changed.
Workaround:
N/A
Fix:
FPS will handle this case correctly, first sending buffered data then sending the new egress.
674909-3 : Application CSS injection might break when connection is congested
Component: Fraud Protection Services
Symptoms:
Large CSS files configured for phishing protection injection in FPS (not fictive websafe CSS files) may be truncated upon response to client.
Conditions:
Inject into Application CSS enabled in Anti-Fraud Profile » Advanced » Phishing Detection
Large CSS file such as bootstrap files configured for Application CSS Locations.
Network congestion engaging TMM flow control.
Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. May break application functionality.
Workaround:
1) Remove affected large files from Application CSS Locations.
or
2) Disable Inject into Application CSS entirely.
Fix:
FPS now handles the case where injecting into the application CSS was interrupted by congestion.
674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow
Component: Policy Enforcement Manager
Symptoms:
If an outstanding flow with a periodic insert content pem_action is very long, it prevents new flows matching the same rule from adding the insert content pem_action, even in a new periodic interval.
Conditions:
The outstanding flow with the insert content pem_action spans multiple periodic intervals.
Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.
Workaround:
Long flows and short flows need separate rules configured.
Fix:
New flows will add content insertion, if the new flow request falls in the new periodic interval.
674593-1 : APM configuration snapshot takes a long time to create
Component: Access Policy Manager
Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.
notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up
Conditions:
The issue happens if an access profile contains many resources; the resulting configuration snapshot then has even more configuration variables.
Impact:
TMM will run out of memory if the issue persists. Users will not be able to log in, due to a 'profile not found' error similar to the following:
err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found
Workaround:
None.
Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.
674576-4 : Outage may occur with VIP-VIP configurations
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.
Conditions:
VIP-VIP configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround at this time.
Fix:
TMM no longer produces a core with a 'no trailing data' assert.
674515 : New revoke license feature for VE only implemented
Component: TMOS
Symptoms:
Prior to this version, the license revoke feature was not implemented/available.
Conditions:
Without revoke implemented, the feature is simply not available.
Impact:
Licenses cannot be revoked and hence re-used.
Fix:
With this feature implemented, VE licenses can be revoked and then re-used on a different VE.
674494-1 : BD memory leak on specific configuration and specific traffic
Solution Article: K77993010
Component: Application Security Manager
Symptoms:
RSS memory of the bd grows.
Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.
Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.
Workaround:
None.
Fix:
The remote logger data is now freed when the system decides not to log remotely.
674410-3 : AD auth failures due to invalid Kerberos tickets
Solution Article: K59281892
Component: Access Policy Manager
Symptoms:
Users cannot log in.
Conditions:
- AAA AD server is configured on BIG-IP.
- AD Auth/Query agent is used in Access Policy.
- Cached Kerberos ticket is invalid, or the backend AD server is not reachable for some reason.
Impact:
AD Auth/Query fails. The APM end user cannot take the successful branch in the Access Policy.
Workaround:
None.
Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.
674320-2 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems
Solution Article: K11357182
Component: TMOS
Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:
notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59
Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)
Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).
Impact:
Configuration on peer systems in a device group does not get saved after a sync.
Workaround:
Manually save the configuration on peer systems after a sync.
Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.
674288-2 : FQDN nodes - monitor attribute doesn't reliably show in GUI
Solution Article: K62223225
Component: TMOS
Symptoms:
When creating more than one node with FQDN configured with monitors, monitors are not displayed in the GUI properly.
Conditions:
Create more than one node with FQDN configured.
Impact:
The previously created FQDN node does not display monitors in the GUI. However, the subsequently created FQDN node does display the correct monitors.
Workaround:
Use tmsh to view monitors for Nodes with FQDN configured.
Fix:
Node page now displays the correct monitors for nodes configured with FQDN.
674189 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
Solution Article: K52320548
673951-4 : Memory leak when using HTTP2 profile
Solution Article: K56466330
Component: Local Traffic Manager
Symptoms:
Memory continues to grow despite reduced volume of traffic. Large number of spdy_frame and xdata allocated.
Conditions:
Virtual server configured with HTTP2 profile.
Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.
Workaround:
None.
Fix:
Virtual server configured with HTTP2 profile no longer leaks memory.
673748-1 : ng_export, ng_import might leave security.configpassword in invalid state
Solution Article: K19534801
Component: Access Policy Manager
Symptoms:
If import/export of an Access Profile or Access Policy results in an error, security.configpassword may retain a temporary non-<null> state, which can cause problems when the configuration is saved or loaded using the sys save config or sys load config commands.
Conditions:
Import or export of Access Profile or Access Policy fails with an error.
Impact:
Passwords in .conf might get mangled.
Workaround:
Set the security.configpassword db variable using the following command:
modify sys db security.configpassword value "<null>"
673717-1 : VPE loading times can be very long
Component: Access Policy Manager
Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.
Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.
Impact:
Policies with thousands of entries can take tens of seconds or more to load.
Workaround:
None.
Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.
673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
Component: Policy Enforcement Manager
Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.
Conditions:
When a subscriber action list has Insert Content added and the PEM and classification profiles are detached and re-attached to the listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and listener.
Impact:
The periodic Insert Content action fails to insert the content.
Workaround:
Delete and recreate the subscriber for which the Insert Content action is no longer working.
Fix:
For the subscriber content insertion record lookup, the correct session ID storage associated with the subscriber is now used.
673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
Component: Policy Enforcement Manager
Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.
Conditions:
When a subscriber action list has Insert Content added and the request/response for that HTTP transaction is interleaved by another subscriber's request. This happens when more than one subscriber is using the same policy rule.
Impact:
The periodic Insert Content action fails to insert the content.
Workaround:
Delete and recreate the subscriber for which the Insert Content action is no longer working.
Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.
673621-2 : Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
Component: Local Traffic Manager
Symptoms:
Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
Conditions:
Set ca-file to 'none' in the clientssl profile.
Impact:
Chain is still sent.
Workaround:
None.
Fix:
Chain certificate is no longer sent to the client when both ca-file and chain certificate are removed from the clientssl profile.
673607-2 : Apache CVE-2017-3169
Solution Article: K83043359
673595-2 : Apache CVE-2017-3167
Solution Article: K34125394
673484-1 : IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
Solution Article: K85405312
Component: TMOS
Symptoms:
IPsec IKEv2 tunnels cannot be established when the remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child Security Association (SA) establishment. This parameter is commonly sent by ASA devices.
Conditions:
-- IPsec IKEv2 with ASA peer.
-- Remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child SA establishment.
Impact:
IKEv2 IPsec tunnels cannot be established with ASA peer.
Workaround:
Use IKEv1.
Fix:
During IPsec IKEv2 child SA establishment, the BIG-IP will ignore the NON_FIRST_FRAGMENTS_ALSO notification and will continue to establish the SA.
673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber
Component: Policy Enforcement Manager
Symptoms:
Immediately after the classification rule associated with a static subscriber is updated, if the action list has Insert Content, the first periodic Insert Content action fails for those subscribers. Subsequent Insert Content actions proceed as expected.
Conditions:
Update of the classification rule associated with the subscribers.
Impact:
The first periodic Insert Content action immediately following the update of the classification rule fails.
Workaround:
Running 'bigstart restart tmm' after updating the classification rule that has the Insert Content action fixes the issue.
Fix:
Update the record count associated with the subscriber during eval.
673463-2 : SDD v3 symmetric deduplication may start performing poorly after a failover event
Solution Article: K68275280
Component: Wan Optimization Manager
Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may start performing poorly for some file transfers.
Conditions:
This issue occurs when all of the following conditions are met:
1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) The far side BIG-IP HA configuration (from the perspective of the client performing the download) is failed over.
4) Clients attempt to download files that had previously been transferred through the BIG-IP units.
Impact:
Symmetric deduplication is severely impacted (virtually no hits) for files that had previously been transferred through the units. This causes the amount of data transmitted over the WAN to increase. Files that were not transferred previously through the units are not affected by this issue.
Workaround:
To eliminate the impacted symmetric deduplication condition, restart the receiving (i.e., the near) side.
Fix:
SDD v3 symmetric deduplication no longer performs poorly after a failover event.
673399-1 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
Component: Local Traffic Manager
Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. Subsequent GET request from client is dropped.
Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. Subsequent GET request from client is dropped.
Impact:
Connection is reset.
Workaround:
Disable Websockets profile on the virtual server.
Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.
673129 : New feature: revoke license
Component: TMOS
Symptoms:
A different license is required for each Virtual Edition (VE) instance.
Conditions:
Creating new instances of VE.
Impact:
Cannot reuse an existing VE license.
Workaround:
None.
Fix:
For Virtual Edition (VE) BIG-IP systems, licenses can now be reused by other VE instances by revoking an active license on one and installing it on another.
Behavior Change:
Revoke license is a new feature so that licenses can be reused for other virtual edition configurations.
To revoke a license using tmsh, run the following command:
tmsh revoke sys license registration-key <reg-key-number>
The system responds with the following confirmation prompt:
Revoking the license will return this BIG-IP to an unlicensed state. It will stop processing traffic. Are you sure? Y/N:
When you type y, the system revokes the license and returns a response similar to the following:
License successfully revoked
[root@bigip11:LICENSE INOPERATIVE:Standalone] config # Jul 17 12:04:28 bigip11 emerg mcpd[5144]: 01070608:0: License is not operational (expired or digital signature does not match contents).
673078-1 : TMM may crash when processing FastL4 traffic
Solution Article: K62712037
673075-1 : Reduced Issues for Monitors configured with FQDN
Component: Local Traffic Manager
Symptoms:
Monitors configured using FQDN might experience several edge cases in some deployment environments. For example, you might experience issues with FQDN-configured monitors when used in environments with volatile/unstable DNS servers, or when the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'. In such cases, the monitor may experience a delay in rotating to the next available DNS server. This is due to complex edge cases that exist within the initial FQDN monitor implementation, where anomalous behavior is aggravated by some network configurations.
Conditions:
Monitors are configured using FQDN, and one-or-more environment conditions exist such as: Unstable DNS servers (i.e., 'flapping' DNS), or the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'.
Impact:
The monitor will not be updated with information from the (new) DNS server when the previous DNS server becomes unavailable. Other monitor behavior will continue to function normally.
Workaround:
In some cases network configuration can be changed to avoid these edge cases, such as: Ensuring stable DNS servers with only periodic rollovers to backup DNS servers; ensure network ICMP packets are routable back to 'bigd'. Alternatively, monitors may be configured without using FQDN.
Fix:
Monitors configured using FQDN behave as expected in volatile environments, such as those with flapping DNS servers and where ICMP packets for unreachable DNS servers are non-routable back to 'bigd'.
672988-2 : MCP memory leak when performing incremental ConfigSync
Solution Article: K03433341
Component: TMOS
Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen using the tmctl utility to watch the umem_alloc_80 cache over time.
This leak occurs on the device that is sending the configuration.
Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.
Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.
Workaround:
None.
Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.
672868-1 : Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
Component: Access Policy Manager
Symptoms:
Portal Access server-side JavaScript parser may work incorrectly if JavaScript code includes non-whitespace control characters inside text constants.
Conditions:
JavaScript code with non-whitespace control characters (0x00..0x08, 0x0E..0x1B, 0x7F..0x9F) inside text constants.
Impact:
Web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now JavaScript code with non-whitespace control characters can be processed by Portal Access.
672815-2 : Incorrect disaggregation on VIPRION B4200 blades
Component: TMOS
Symptoms:
During startup of the bcm56xxd daemon, the LTM log shows BCM SDK errors containing the string 'SDK error Invalid parameter'. IP fragments fail to be reassembled. The reassembly time out triggers and the flow is killed.
Conditions:
-- Occurs after startup, for as long as the SDK errors occur.
-- Running on VIPRION B4200 blades.
Impact:
TCP connections and UDP datagrams which have fragmented packets are killed or dropped.
Workaround:
There is no workaround that will process fragments correctly.
Fix:
Incorrect disaggregation on VIPRION B4200 blades has been corrected.
672695-1 : Internal perl process listening on all interfaces when ASM enabled
Component: Application Security Manager
Symptoms:
ASM configuration processes are available on unprotected network interfaces.
Conditions:
ASM provisioned
Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance.
Workaround:
None
Fix:
The ASM-config Event Dispatcher now listens only on protected interfaces.
672667-4 : CVE-2017-7679: Apache vulnerability
Solution Article: K75429050
672504-1 : Deleting zones from large databases can take excessive amounts of time.
Solution Article: K52325625
Component: Global Traffic Manager (DNS)
Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.
Conditions:
With a significantly sized database, deletes might be very time-intensive.
Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests.
Workaround:
None.
Fix:
The deletion algorithm has been dramatically improved, removing the significant delay in deletions.
672301-2 : ASM crashes when using a logout object configuration in ASM policy
Component: Application Security Manager
Symptoms:
The bd daemon crashes and writes a core file in the /shared/core directory.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.
Impact:
System goes offline for a few seconds, failover occurs.
Workaround:
Remove logout object configuration from ASM policy.
Fix:
The system now handles this condition.
672250-1 : SessionDB update from ApmD with large volume fails
Component: Access Policy Manager
Symptoms:
While writing large amounts of data to sessionDB using memcache API, the write operation fails with partial write.
Conditions:
Writing large volumes of data to SessionDB via the memcache API.
Impact:
All worker threads performing authentication eventually become blocked. The session watchdog thread eventually forces an abort to recover from the situation, and ApmD restarts.
Workaround:
Control write to sessionDB with a smaller data size.
Fix:
The partial write failure has been fixed by writing the remaining part(s) of the query results in several iterations until the entire result is written.
672040-3 : Access Policy Causing Duplicate iRule Event Execution
Component: Access Policy Manager
Symptoms:
iRule event gets triggered twice in clientless mode when access policy is executed.
Conditions:
This only occurs when using iRule in clientless-mode.
Impact:
HTTP_REQUEST event is logged twice in /var/log/ltm.
See the example below:
when HTTP_REQUEST {
    HTTP::header insert {clientless-mode} 1
    # Initialise the counter on first use; reading an unset variable would otherwise fail the expr below.
    if { ![info exists myCount] } { set myCount 0 }
    set myCount [expr {$myCount + 1}]
    log local0. "Count is $myCount"
}
LTM logs:
-----------
Jul 3 12:29:35 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 1
Jul 3 12:29:36 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 2
When this iRule is used, you will see duplicate HTTP_REQUEST entries with an increased count in the logs. If this count is used in further calculations, it gives an incorrect result.
Fix:
HTTP_REQUEST iRule event is no longer executed multiple times when using APM clientless-mode.
672008-1 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
Solution Article: K22122208
Component: Local Traffic Manager
Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when clock rolls over to 1,000,000 microseconds exactly. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.
Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00
Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.
Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.
Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.
Fix:
The timestamp field is now formatted correctly for microseconds and seconds values. Seconds now correctly increment when microseconds equal 1,000,000.
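The following is an added example, not BIG-IP code: a collector-side check for the malformed timestamp described above, alongside a formatter that carries a reading of exactly 1,000,000 microseconds into the seconds field. The sample message lines and the `epoch_of` helper are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

MICROS_PER_SECOND = 1_000_000

# Strict shape of an RFC 5424 TIMESTAMP: date, 'T', time, an optional
# fraction of at most six digits, then 'Z' or a +HH:MM / -HH:MM offset.
# An embedded NUL or a seven-digit fraction cannot match this pattern.
RFC5424_TIMESTAMP = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})$"
)


def epoch_of(iso_timestamp: str) -> int:
    """Helper for the example: whole seconds since the epoch for an ISO 8601 string."""
    return int(datetime.fromisoformat(iso_timestamp).timestamp())


def format_rfc5424_timestamp(epoch_seconds: int, microseconds: int,
                             utc_offset_minutes: int) -> str:
    """Render a (seconds, microseconds) clock reading as an RFC 5424 timestamp.

    The carry step is the substance of the fix described above: a reading of
    exactly 1,000,000 microseconds rolls into the seconds field instead of
    being written into the six-character fraction.
    """
    if microseconds < 0:
        raise ValueError("microseconds must be non-negative")
    epoch_seconds += microseconds // MICROS_PER_SECOND
    microseconds %= MICROS_PER_SECOND
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    stamp = datetime.fromtimestamp(epoch_seconds, tz).replace(microsecond=microseconds)
    # isoformat() on a tz-aware value yields the +HH:MM offset RFC 5424 expects.
    return stamp.isoformat(timespec="microseconds")


def check_timestamp(field: str) -> tuple:
    """Return (ok, reason) for one TIMESTAMP field as a collector would see it."""
    if "\x00" in field:
        return False, "embedded NUL byte"
    if not RFC5424_TIMESTAMP.match(field):
        return False, "does not match RFC 5424 TIMESTAMP"
    return True, "ok"


def check_syslog_line(line: str) -> tuple:
    """Check the TIMESTAMP of one RFC 5424 message: <PRI>VERSION SP TIMESTAMP SP ..."""
    parts = line.split(" ", 2)
    if len(parts) < 3 or not parts[0].startswith("<"):
        return False, "not an RFC 5424 header"
    return check_timestamp(parts[1])


# Constructed sample messages; the second carries the NUL from the page's example.
SAMPLE_LINES = [
    "<134>1 2003-08-24T05:14:15.000000-07:00 bigip1 tmm - - - healthy message",
    "<134>1 2003-08-24T05:14:14.100000\x00-07:00 bigip1 tmm - - - malformed message",
]


def find_malformed(lines) -> list:
    """Return (line_number, reason) for every line whose timestamp fails the check."""
    bad = []
    for number, line in enumerate(lines, start=1):
        ok, reason = check_syslog_line(line)
        if not ok:
            bad.append((number, reason))
    return bad


if __name__ == "__main__":
    base = epoch_of("2003-08-24T05:14:14-07:00")
    print(format_rfc5424_timestamp(base, MICROS_PER_SECOND, -7 * 60))
    print(find_malformed(SAMPLE_LINES))
```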
671935-2 : Possible ephemeral port reuse.
Solution Article: K64461712
Component: Local Traffic Manager
Symptoms:
When selecting server-side source ports, the BIG-IP system favors ephemeral ports in the upper range.
Conditions:
Source ports, different from the client side, may be reselected. This is always the case when the virtual server's 'source-port change' option is enabled.
Impact:
If server connections are in the TIME_WAIT state and connection recycling is not configured, the server might reset the connection, reusing ports.
Workaround:
Disable the virtual server's 'source-port change' option to use the same source port as the connecting client.
Fix:
Now, even when the virtual server's 'source-port change' option is enabled, the system uses the same source port as the connecting client.
671920-1 : Accessing SNMP over IPv6 on non-default route domains
Component: TMOS
Symptoms:
The SNMP daemon cannot send traps to a non-default route domain destination. It can, however, respond to SNMP requests from a client that is reached through a non-default route domain path for IPv4. For IPv6 this does not work.
Conditions:
SNMP access over IPv6 on a client accessed through a non-default route domain does not work.
Impact:
Access to SNMP must be through default route domain for IPv6.
Fix:
With this bug fix you can access SNMP from an IPv6 client on a non-default route domain. There is no plan to allow traps to be delivered to destinations on a non-default route domain.
671675-1 : Centralized Management Infrastructure: asm_config_server restart on device group change
Component: Application Security Manager
Symptoms:
If a device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group, the ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group.
Conditions:
A device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group.
Impact:
The ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if the device returns to the original device group.
Workaround:
Wait 30 seconds between leaving an ASM enabled device group before joining a different one.
Fix:
Successive changes to ASM sync enabled device group are handled correctly.
671638-4 : TMM crash when load-balancing mptcp traffic
Solution Article: K33211839
671627-1 : HTTP responses without body may contain chunked body with empty payload being processed by Portal Access.
Solution Article: K06424790
Component: Access Policy Manager
Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.
Conditions:
HTTP response without body processed by Portal Access
Impact:
Most browsers ignore invalid 'Transfer-Encoding' header and/or body for responses which must not include body at all. And yet, some traffic validators may refuse to pass invalid responses.
Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.
Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.
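A small validator for the condition described above, as an added example that is not Portal Access or F5 code: it parses a raw HTTP/1.1 response, flags a Transfer-Encoding header or body bytes on a response that must not carry a body, and strips them the way the iRule workaround would. It goes slightly beyond the cases listed above by also treating responses to HEAD as bodiless, per RFC 7230; the sample responses are constructed.

```python
# Status codes whose responses never carry a message body (RFC 7230, section 3.3).
BODILESS_STATUS = {204, 304}


def response_has_no_body(status: int, method: str = "GET") -> bool:
    """True when a response with this status (or to this request method) must not carry a body."""
    return 100 <= status < 200 or status in BODILESS_STATUS or method.upper() == "HEAD"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, header pairs, body).

    Header lines are returned as (name, value) pairs in their original order so
    the response can be rebuilt without reordering anything.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def check_bodiless_response(raw: bytes, method: str = "GET") -> list:
    """List the violations for a response that must not carry a body; empty when clean."""
    status, headers, body = parse_response(raw)
    problems = []
    if not response_has_no_body(status, method):
        return problems
    if any(name.lower() == "transfer-encoding" for name, _ in headers):
        problems.append("Transfer-Encoding on bodiless response")
    if body:
        problems.append(f"{len(body)} body bytes on bodiless response")
    return problems


def strip_bodiless_artifacts(raw: bytes, method: str = "GET") -> bytes:
    """Remove Transfer-Encoding and any body from a bodiless response, as the iRule workaround does."""
    status, headers, _ = parse_response(raw)
    if not response_has_no_body(status, method):
        return raw
    status_line = raw.split(b"\r\n", 1)[0]
    kept = [status_line] + [
        f"{name}: {value}".encode("latin-1")
        for name, value in headers
        if name.lower() != "transfer-encoding"
    ]
    return b"\r\n".join(kept) + b"\r\n\r\n"


# Constructed sample: a 204 carrying the chunked header and an empty chunked
# body ("0\r\n\r\n") that the symptom above describes.
SAMPLE_204 = (
    b"HTTP/1.1 204 No Content\r\n"
    b"Server: portal\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print(check_bodiless_response(SAMPLE_204))
    print(strip_bodiless_artifacts(SAMPLE_204))
```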
671597-1 : Import, export, copy and delete is taking too long on 1000 entries policy
Component: Access Policy Manager
Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.
Conditions:
When an access policy has 1000+ entries.
Impact:
Import, export and copy are abandoned or fail due to out of memory condition.
Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.
Fix:
ng_export speed has been improved 5 times.
ng_import and ng_profile are working 50 times faster because of avoiding denormalisation and optimisation.
ng_export should still be used from the console.
671326-2 : DNS Cache debug logging might cause tmm to crash.
Solution Article: K81052338
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache debug logging might cause tmm to crash.
Conditions:
This occurs when the following conditions are met:
-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.
Fix:
DNS Cache debug logging no longer causes tmm to crash.
671228-1 : Multiple FQDN ephemeral nodes may be created with autopopulate disabled
Component: Local Traffic Manager
Symptoms:
Multiple FQDN ephemeral nodes may be created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records for the FQDN, and bigd is restarted.
Conditions:
This may occur when:
1. An FQDN node is configured with autopopulate disabled.
2. The DNS server returns multiple address records for the FQDN.
3. There is a pool configured to use the FQDN node.
4. bigd is restarted (such as when the system goes offline or tmm restarts).
Impact:
Multiple FQDN ephemeral nodes may be created unexpectedly.
Workaround:
Configure the FQDN node with autopopulate enabled.
Fix:
Multiple FQDN ephemeral nodes are no longer created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records, and bigd is restarted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
671149-3 : Captive portal login page is not rendered until it is refreshed
Component: Access Policy Manager
Symptoms:
Sometimes Edge Client shows an error page for captive portal-redirected URLs.
Conditions:
Some captive portal pages use cloud-based authentication and network management. Such captive portals rely on several HTTP redirects and/or HTML (auto-refresh). Sometimes Edge Client fails to download the page/content from the redirected URL. In such scenarios, a full browser re-attempts and successfully downloads and displays the page, but Edge Client does not re-attempt and shows an error page.
Impact:
For the locked client, an APM end user has no access to the internet until captive portal authentication is performed and the Network Access (VPN) tunnel is created.
Workaround:
None.
Fix:
Edge Client now has a retry mechanism to access and display captive portal login pages in case the first attempt fails.
671082-1 : snmpd constantly restarting
Solution Article: K85168072
Component: TMOS
Symptoms:
sod is restarting snmpd, which also produces a core.
SNMP clients are unable to walk the ifTable.
Conditions:
snmpd takes too long processing a request for the ifTable because a large number of VLANs or VLAN groups are configured.
Impact:
SNMP requests will not receive replies while snmpd is restarting.
SNMP clients are not able to walk the ifTable.
Workaround:
None.
Fix:
Significantly reduced the time it takes snmpd to process requests for the ifTable when the number of VLANs or VLAN groups is high.
671052-3 : AFM NAT security RST the traffic with (FW NAT) dst_trans failed
Solution Article: K50324413
Component: Advanced Firewall Manager
Symptoms:
In certain cases, destination translation fails with the following message: reset cause '(FW NAT) dst_trans failed'.
Conditions:
This issue may be seen with Source/Destination translation.
Impact:
Destination translation failure. In most of the cases, TMM restart resolves the issue. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The fix addresses a case where one of the fields was not initialized.
670910-2 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
Component: Access Policy Manager
Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.
Conditions:
This might occur when using the following definition:
<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
    xmlns:s="library://ns.adobe.com/flex/spark"
    width="100%" height="100%"
    minWidth="256" minHeight="64"
    creationComplete="initApp()">
    <s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
        <s:TextInput id="f_output" text="..." width="100%" />
        <fx:Script><![CDATA[
            import flash.external.ExternalInterface;
            private function initApp():void {
                f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
            }
        ]]></fx:Script>
    </s:VGroup>
</s:Application>
Impact:
Flash application malfunction.
Workaround:
None.
Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.
670822-3 : TMM may crash when processing SOCKS data
Solution Article: K55225440
670816-2 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
Solution Article: K44519487
Component: Local Traffic Manager
Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.
Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.
Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.
Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.
Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.
670814-2 : Wrong SE Linux label breaks nethsm DNSSEC keys
Component: Local Traffic Manager
Symptoms:
In /var/log/ltm:
(_Common_thales_key) create failed, retry attempt 1 [nfgk_new: Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied mv: cannot stat `/shared/tmp/_Common_thales_key': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_req': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_selfcert': No such file or directory str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=1024 embedsavefile="_Common_thales_key" plainname="_Common_thales_key" digest=sha256] rfs-sync: error from NFastApp_Connect `(null)': Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied No updates. Update done. Create key pair done. ].
or the output of the following command:
ausearch -m AVC,SELINUX_ERR -ts recent
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.574:24190): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffd059e2720 a2=6e a3=7ffd059e2470 items=0 ppid=3310 pid=3311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="generatekey" exe="/shared/nfast/tcl/bin/generatekey" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.574:24190): avc: denied { write } for pid=3311 comm="generatekey" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.600:24191): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd9dbc33a0 a2=6e a3=7ffd9dbc30f0 items=0 ppid=3313 pid=3316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rfs-sync" exe="/shared/nfast/bin/rfs-sync" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.600:24191): avc: denied { write } for pid=3316 comm="rfs-sync" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
Conditions:
Trying to use a Thales nethsm for DNSSEC.
Impact:
Cannot create DNSSEC keys protected by a Thales nethsm.
Workaround:
chcon -R --reference=/var/run/rd0.sock /shared/nfast/sockets/
NB: you should also apply the workaround for BZ671337. If this bug exists, that bug almost certainly exists as well.
Fix:
SELinux labels no longer prevent the creation of Thales-protected nethsm DNSSEC keys.
670405-4 : K20486351: glibc vulnerability CVE-2017-1000366:
Component: TMOS
Symptoms:
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory, but these issues are not directly exploitable; as such, they have not been given a CVE. This affects glibc 2.25 and earlier. (CVE-2017-1000366)
Conditions:
Specially crafted LD_LIBRARY_PATH values are used to manipulate the heap/stack.
Impact:
This vulnerability allows unauthorized disclosure of information, unauthorized modification, and disruption of service.
Workaround:
To mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users.
Fix:
Upgrade to a software version that contains the fix.
670400-3 : SSH Proxy public key authentication can be circumvented in some cases
Component: Advanced Firewall Manager
Symptoms:
SSH Proxy public key authentication might be circumvented in some cases, allowing a user without the appropriate private key into the back-end SSH server.
Conditions:
Public key authentication is being used to authenticate users.
Note: This issue affects only public key authentication, so if additional forms of authentication are being used, the additional security that they provide will not be impacted.
Impact:
Unauthorized access.
Workaround:
A suggested workaround is to configure the back-end SSH server to require 2-factor authentication, or 3-factor authentication. This can be done by adding both publickey+password and publickey+keyboard-interactive as Required Authentications in the configuration file for the back-end SSH server.
See the list below of supported client method orders. Also, keep in mind that the back-end server must support all 3 authentication methods (public-key, password, and keyboard-interactive), as an existing constraint of the current SSH proxy functionality.
One cosmetic item to note is that, when multi-factor authentication is used, regardless of the result of the validity check of the public-key, the SSH proxy will report a 'failed' authentication to the client. However, the returned 'failed' code is merely cosmetic: the actual result of the validity check is what is used to determine whether or not the authentication succeeded.
-------
Supported client method orders:
publickey,keyboard-interactive
publickey,password
publickey,keyboard-interactive,password
publickey,password,keyboard-interactive
Any other combination of authentication methods will fail.
Fix:
Implemented stricter error handling in authentication checking.
670011-2 : SSL forward proxy does not create the server certchain when ignoring server certificates
Component: Local Traffic Manager
Symptoms:
Forward proxy does not work correctly when the server certificates are ignored: SSL forward proxy does not create the server certchain when ignoring server certificates, which prevents the client side from trusting the server cert, so the SSL handshake hangs and fails after the timeout.
Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.
Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.
Workaround:
None.
Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.
669974-1 : Encoding binary data using ASN1::encode may truncate result
Solution Article: K90395411
Component: Local Traffic Manager
Symptoms:
When using ASN1::encode to encode one or more values, and where the encoding of any of these values results in a representation containing a NUL ('\x0') byte, the overall result that is presented to the iRule does not include the entire set of encoded values and is truncated at the first NUL byte.
Conditions:
-- Using ASN1::encode with binary values (e.g., INTEGER).
-- Encoded results contain a NUL ('\x0') byte.
Impact:
Encoding results in the wrong/truncated value.
Workaround:
It is possible to encode the problematic values using an alternative method.
Fix:
ASN1::encode now correctly encodes binary values.
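The truncation described above is the classic consequence of handing length-delimited binary data to code that treats it as a NUL-terminated string. The following Python is an added illustration, not F5's iRule code and not the ASN1::encode implementation: it DER-encodes a SEQUENCE OF INTEGER (the INTEGER encoding of 256 is 02 02 01 00, which ends in a NUL byte), models the defect with a C-string-style copy, and shows a length check that detects the damage.

```python
# Added example (not F5's code): DER INTEGER/SEQUENCE encoding and how a
# NUL-terminated copy truncates a result that legitimately contains 0x00.


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_encode_integer(value: int) -> bytes:
    """Encode a non-negative int as a DER INTEGER (tag 0x02).

    Content octets are minimal big-endian two's complement, so a leading
    0x00 is added only when the top bit of the first octet would be set.
    """
    if value < 0:
        raise ValueError("this example only encodes non-negative integers")
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(content)) + content


def der_encode_sequence(*elements: bytes) -> bytes:
    """Wrap already-encoded elements in a DER SEQUENCE (tag 0x30)."""
    content = b"".join(elements)
    return b"\x30" + der_length(len(content)) + content


def as_c_string(buf: bytes) -> bytes:
    """Model the defect: a NUL-terminated string copy stops at the first 0x00."""
    cut = buf.find(b"\x00")
    return buf if cut < 0 else buf[:cut]


def encode_values(values, nul_safe: bool = True) -> bytes:
    """Encode a list of ints as SEQUENCE OF INTEGER.

    nul_safe=False reproduces the truncating behaviour described on the page;
    nul_safe=True returns the complete, length-delimited encoding.
    """
    encoded = der_encode_sequence(*(der_encode_integer(v) for v in values))
    return encoded if nul_safe else as_c_string(encoded)


def is_complete(buf: bytes) -> bool:
    """Consumer-side check: does the outer DER length match the bytes present?

    A truncated result fails this check, which is a cheap way to catch the
    defect before the value is used.
    """
    if len(buf) < 2:
        return False
    declared = buf[1]
    if declared >= 0x80:  # long-form length
        n = declared & 0x7F
        if len(buf) < 2 + n:
            return False
        declared = int.from_bytes(buf[2:2 + n], "big")
        return len(buf) == 2 + n + declared
    return len(buf) == 2 + declared


if __name__ == "__main__":
    sample = [5, 256]  # 256 encodes as 02 02 01 00 and so contains a NUL
    full = encode_values(sample)
    cut = encode_values(sample, nul_safe=False)
    print("full     :", full.hex(), "complete:", is_complete(full))
    print("truncated:", cut.hex(), "complete:", is_complete(cut))
```

Any value whose minimal two's-complement encoding contains a zero octet (256, 65536, any multiple of 256, and every negative number ending in 0x00) triggers the truncation, so the length check rather than the value range is the reliable guard.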
669888-2 : No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
Component: TMOS
Symptoms:
The BIG-IP does not differentiate between IPv4 addresses (such as 1.2.3.4) and IPv6 addresses in the prefix ::ffff:0:0/96 (such as ::ffff:102:304, also written ::ffff:1.2.3.4). If you enter such an IPv6 address, the equivalent IPv4 address will be rendered and used.
Conditions:
Any attempt to use an IPv6 address in that subnet.
Impact:
The BIG-IP system will operate as if you entered the IPv4 address.
Workaround:
No workaround at this time.
Fix:
The differing addresses are now handled correctly. For most modules, this does not change functionality at all. AFM is one exception: IPv6 traffic in the ::ffff:0:0/96 subnet is treated differently from IPv4 traffic.
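The distinction this fix introduces matters most for address-matching logic such as firewall rules, where folding ::ffff:1.2.3.4 into 1.2.3.4 silently widens an IPv4 rule to IPv4-mapped IPv6 traffic. The Python below is an added example (not BIG-IP code) that parses both forms with the standard ipaddress module and contrasts the folding comparison with a strict one; the rule_matches helper and its fold_mapped flag are this example's own.

```python
# Added example (not F5's code): telling IPv4 addresses apart from
# IPv4-mapped IPv6 addresses in ::ffff:0:0/96.
import ipaddress
from typing import NamedTuple, Optional

MAPPED_PREFIX = ipaddress.IPv6Network("::ffff:0:0/96")


class AddrInfo(NamedTuple):
    version: int                 # 4 or 6, as the operator wrote it
    address: str                 # canonical string form of the parsed address
    embedded_v4: Optional[str]   # IPv4 carried inside a ::ffff:0:0/96 address


def classify(text: str) -> AddrInfo:
    """Parse an address literal without folding mapped IPv6 into IPv4."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 4:
        return AddrInfo(4, str(addr), None)
    mapped = addr.ipv4_mapped if addr in MAPPED_PREFIX else None
    return AddrInfo(6, str(addr), str(mapped) if mapped is not None else None)


def folding_equal(a: str, b: str) -> bool:
    """Symptom behaviour: fold ::ffff:0:0/96 into IPv4 before comparing,
    so 1.2.3.4 and ::ffff:1.2.3.4 are treated as the same address."""
    def fold(t: str):
        x = ipaddress.ip_address(t)
        return x.ipv4_mapped if x.version == 6 and x in MAPPED_PREFIX else x
    return fold(a) == fold(b)


def strict_equal(a: str, b: str) -> bool:
    """Fixed behaviour: families are kept apart; only same-family,
    same-value addresses compare equal."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def rule_matches(rule_cidr: str, packet_addr: str, fold_mapped: bool) -> bool:
    """Check a packet address against a rule prefix under either policy.

    fold_mapped=True mirrors the pre-fix behaviour (an IPv4 rule also catches
    mapped IPv6); fold_mapped=False mirrors the fixed AFM behaviour.
    """
    net = ipaddress.ip_network(rule_cidr, strict=False)
    pkt = ipaddress.ip_address(packet_addr)
    if fold_mapped and pkt.version == 6 and pkt in MAPPED_PREFIX:
        pkt = pkt.ipv4_mapped
    if pkt.version != net.version:
        return False
    return pkt in net


if __name__ == "__main__":
    for literal in ("1.2.3.4", "::ffff:102:304", "::ffff:1.2.3.4", "2001:db8::1"):
        print(literal, "->", classify(literal))
    print("folding :", folding_equal("1.2.3.4", "::ffff:102:304"))
    print("strict  :", strict_equal("1.2.3.4", "::ffff:102:304"))
```

When auditing AFM rules after upgrading, the check to run is whether any IPv4-only rule was relied on to also cover ::ffff:0:0/96 sources; under the fixed behaviour those need an explicit IPv6 entry.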
669818-2 : Higher CPU usage for syslog-ng when a syslog server is down
Component: TMOS
Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.
Conditions:
A remote log server is added but it is not available.
Impact:
Potentially higher than expected CPU usage.
Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.
669510-2 : When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
Component: Access Policy Manager
Symptoms:
- When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
Conditions:
- 'Allow local DNS servers' option is enabled in Network Access configuration.
- 'Prohibit routing table changes during Network Access connection' option is enabled in Network Access configuration.
- Network changes after VPN is established.
Impact:
- Network access tunnel is dropped due to routing table changes.
Workaround:
User needs to connect to VPN again.
669462-1 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
Component: TMOS
Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/
Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool
Impact:
Unable to use pool-members from /Common/ when outside of /Common/
Workaround:
No workaround at this time.
Fix:
Fixed an issue that prevented GTM pool members from /Common/ from being used in GTM pools outside of /Common/.
669459-2 : Effect of bad connection handle between APMD and memcachd
Component: Access Policy Manager
Symptoms:
When a connection handle (fd) between apmd and memcachd goes bad (someone else is using it, or memcachd has already closed it), all worker threads get locked out. A cleaner thread then restarts APMD with an assert.
Conditions:
This is difficult to reproduce. It happens if one or more connection handles between an apmd worker thread and memcachd are misused.
Impact:
APMD gets locked down and eventually restarts with a core.
Workaround:
None.
Fix:
Communication between APMD and TMM has been improved to be more tolerant of error conditions.
669364-1 : TMM core when server responds fast with server responses such as 404.
Component: Fraud Protection Services
Symptoms:
TMM core when server responds fast with server responses such as 404.
Conditions:
-- FPS receives a request with a WebSafe URL (usually a global URL declared by a signatures update).
-- The server response is fast (based on URL/headers).
-- FPS needs to take some action on the response.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles these conditions without a tmm crash.
669359 : WebSafe might cause connections to hang
Component: Fraud Protection Services
Symptoms:
In a loaded environment, FPS might free a connection context without cleaning up the state.
Conditions:
This occurs in a loaded environment (xoff events present).
Impact:
A connection might stall until abandoned by client.
Workaround:
None.
Fix:
When freeing a connection context, FPS now clears its internal egress state.
669341 : Category Lookup by Subject.CN will result in a reset
Component: Access Policy Manager
Symptoms:
Category Lookup Agent is unable to find the Subject.CN, so it initiates an SSL Handshake failure.
==> /var/log/apm <==
crit tmm[11181]: 01790602:2: [C] 10.20.100.1:11980 -> 10.11.10.101:443: (ERR_NOT_FOUND) Error processing URL Classification query from CatEngine
Conditions:
Category Lookup agent configured to use Subject.CN. May also apply if a Category Lookup agent is configured to use SNI, but the client does not send an SNI, resulting in the agent trying to use the Subject.CN.
Impact:
Cannot use Subject.CN as a data source for category lookup agent.
Workaround:
None.
Fix:
The category lookup agent is now able to find the Subject.CN.
669288-3 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
Solution Article: K76152943
Component: TMOS
Symptoms:
From tmsh, running util unix-ls /var/log fails with the following error:
exception: (Failed to canonicalize "/shared/f5optics/images") (util/RealpathHelper.cpp, line 49), continuing...
Data Input Error: /var/log is not an accessible directory for the current mode.
Conditions:
-- A BIG-IP system configured for Appliance mode.
-- Upgrading from a pre-v12.x to v12.x or later.
-- Using a platform that does not have a /shared/f5optics/images directory.
These include the following BIG-IP blades and appliances:
B4400, i4x00, i10x00, i2x00, i7x00, i5x00
Impact:
There is no shell access to the file system when the BIG-IP system is in Appliance mode. This is the intended purpose of Appliance mode. Therefore, unix-* commands are the only way to list directories, and perform other operations specific to the operating system.
Workaround:
To work around this issue, create the /shared/f5optics/images directory. To do so, do the following:
1. Boot the BIG-IP system into single-user mode.
2. Create the directory /shared/f5optics/images with the following command:
mkdir -m 777 -p /shared/f5optics/images
3. Reboot the BIG-IP system, and allow it to start up normally.
Fix:
The reported exception does not occur, and unix-* commands issued in Appliance mode run as expected.
669255-2 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
Solution Article: K20100613
Component: TMOS
Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:
- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.
Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:
- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade
Impact:
The BIG-IP system operates at a suboptimal performance level.
Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.
Fix:
Performance is no longer degraded on certain platforms when the configuration includes enabled sFlow receivers.
669154-1 : Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
Component: Access Policy Manager
Symptoms:
Adding new SAML IdP configuration object containing empty attribute values via tmsh may cause tmm to restart.
Conditions:
New SSO SAML configuration contains one or more attribute values containing a session variable, followed by another empty value "", for example:
multi-values { "%{session.ad.last.attr.name}" "" }
Note: This is not a valid configuration: empty values must not be provided in the list of SAML attributes.
Impact:
TMM may restart when new configuration is added. Traffic disrupted while tmm restarts.
Workaround:
Remove empty attribute values from configuration.
Fix:
SAML object validation has been improved so that empty SAML SSO object attribute values will no longer be accepted.
669025-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
Solution Article: K11425420
Component: Local Traffic Manager
Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.
Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. Such intermediate CAs are usually present in the BIG-IP system's ca-bundle. The BIG-IP system receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.
Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.
Impact:
Clients cannot access the web server due to SSL handshake failure.
Workaround:
There is no workaround at this time.
Fix:
This fix excludes trusted CA certificates from hash algorithm selection, which may prevent the forged certificate from using the SHA1 hash algorithm.
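The selection rule is easy to get wrong because it is a minimum over a set, and the fix changes which certificates are in the set. The Python below is an added example, not BIG-IP's forward-proxy code: it models a chain as subject/issuer/signature-hash records plus a flag for whether the certificate matches the local trust bundle, and contrasts the symptom rule (skip only the self-signed root) with the fixed rule (also skip trusted anchors). The hash ranking, the ChainCert type and the sha256 fallback for a chain with no eligible certificates are this example's assumptions.

```python
# Added example (not F5's code): choosing the signing hash for a forged
# forward-proxy certificate, before and after excluding trusted CA certs.
from dataclasses import dataclass
from typing import List, Optional

# Lower rank = weaker. Only the hashes this example needs.
HASH_RANK = {"md5": 0, "sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}
DEFAULT_FORGE_HASH = "sha256"  # assumed fallback; not a documented BIG-IP value


@dataclass(frozen=True)
class ChainCert:
    subject: str
    issuer: str
    sig_hash: str             # hash used in this certificate's own signature
    in_trusted_bundle: bool   # True if it matches a cert in the local CA bundle

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def weakest(certs: List[ChainCert]) -> Optional[str]:
    """Weakest signature hash among the given certificates, or None if empty."""
    if not certs:
        return None
    return min(certs, key=lambda c: HASH_RANK[c.sig_hash]).sig_hash


def forge_hash_old(chain: List[ChainCert]) -> str:
    """Symptom behaviour: weakest hash over the chain minus the self-signed root.
    A SHA1-signed intermediate drags the forged leaf down to SHA1."""
    return weakest([c for c in chain if not c.self_signed]) or DEFAULT_FORGE_HASH


def forge_hash_fixed(chain: List[ChainCert]) -> str:
    """Fixed behaviour: also skip certificates that are trusted anchors on the
    proxy itself. The client already trusts those, so their (possibly old)
    signature hash says nothing about what the client will accept for the leaf."""
    eligible = [c for c in chain if not c.self_signed and not c.in_trusted_bundle]
    return weakest(eligible) or DEFAULT_FORGE_HASH


def sample_chain() -> List[ChainCert]:
    """Constructed chain matching the symptom: SHA256 leaf, SHA1 intermediate
    that is present in the CA bundle, SHA1 self-signed root."""
    return [
        ChainCert("www.example.test", "Example Intermediate CA", "sha256", False),
        ChainCert("Example Intermediate CA", "Example Root CA", "sha1", True),
        ChainCert("Example Root CA", "Example Root CA", "sha1", True),
    ]


def untrusted_sha1_chain() -> List[ChainCert]:
    """Constructed chain where the SHA1 intermediate is NOT in the bundle:
    both rules still pick SHA1, because the server really does present it."""
    return [
        ChainCert("www.example.test", "Other Intermediate CA", "sha256", False),
        ChainCert("Other Intermediate CA", "Other Root CA", "sha1", False),
        ChainCert("Other Root CA", "Other Root CA", "sha256", True),
    ]


if __name__ == "__main__":
    print("symptom chain  old:", forge_hash_old(sample_chain()),
          "fixed:", forge_hash_fixed(sample_chain()))
    print("untrusted sha1 old:", forge_hash_old(untrusted_sha1_chain()),
          "fixed:", forge_hash_fixed(untrusted_sha1_chain()))
```

The second chain shows the limit of the fix: when a SHA1 intermediate is not a local trust anchor, the forged certificate still inherits SHA1, so the server-side chain, not only the proxy's bundle, decides whether clients will accept the result.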
668883 : FQDN pool member status may become out-of-sync when enabled/disabled through GUI
Component: Local Traffic Manager
Symptoms:
After toggling enable/disable on an FQDN pool member through the GUI, an FQDN pool member status may become 'out-of-sync', and the pool member might process connections opposite to its status. Specifically: 'disabled' might accept connections, and 'enabled' might not accept connections. In this state, the FQDN pool member appears to be exactly 'one-message-behind' for an enable/disable status change made in the GUI.
The FQDN pool member status for enabled/disabled is always correctly displayed in the GUI and in tmsh, and behavior is correctly restored after a system reboot. Other pool members are unaffected.
Conditions:
-- BIG-IP systems configured for high availability (HA).
-- At least three members within an FQDN pool.
-- Use the GUI to toggle enable/disable state on a FQDN pool member.
Impact:
The FQDN pool member does not correctly participate in receiving connections to the pool when in this error state. Other pool members remain unaffected.
Workaround:
Change FQDN pool to statically assign members.
Fix:
Toggling FQDN pool member between 'enable/disable' correctly changes that member's participation for accepting connections within its parent pool. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
668802-3 : GTM link graphs fail to display in the GUI
Solution Article: K83392557
Component: Local Traffic Manager
Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.
statsd reports an error in /var/log/ltm
err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found
Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.
Impact:
Unable to view BIG-IP DNS/GTM link graphs.
Workaround:
None.
Fix:
The GTM graphs are available as expected.
668623-5 : macOS Edge client fails to detect correct system language for regions other than USA
Solution Article: K85991425
Component: Access Policy Manager
Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.
Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).
Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.
Workaround:
Run one of the following commands in the Terminal and re-launch Edge client:
For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"
For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"
For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"
For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"
For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"
For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"
For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"
Fix:
Customization of the following items for Edge client now correctly reflects the region's language selection.
-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.
668522-1 : bigd might try to read from a file descriptor that is not ready for read
Component: Local Traffic Manager
Symptoms:
The bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.
Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).
Impact:
The bigd process might consume excessive CPU resources for various amounts of time.
Single monitor probes might fail. Depending upon the timing of these failures, it might be possible to see monitor flapping when multiple probes for a specific monitored object happen to fail.
Workaround:
None.
Fix:
An issue was resolved where the bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.
668521-2 : Bigd might stall while waiting for an external monitor process to exit
Component: Local Traffic Manager
Symptoms:
The bigd process restarts due to a heartbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.
Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)
High system load makes this more likely to occur.
Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.
Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.
Fix:
bigd no longer stalls while waiting for an external monitor process to exit.
668503-3 : Edge Client fails to reconnect to virtual server after disabling Network Adapter
Component: Access Policy Manager
Symptoms:
1. Connect to an APM Virtual Server.
2. Disable Network Adapter.
3. Enable the Network Adapter.
Edge Client fails to reconnect.
Conditions:
Network Adapter is disabled and re-enabled.
Impact:
Edge Client does not re-establish VPN when Network Adapter is re-enabled.
Workaround:
Disconnect and Connect Edge Client.
Fix:
Edge Client now successfully reconnects to virtual server after disabling and enabling Network Adapter.
668501-2 : HTTP2 does not handle some URIs correctly
Solution Article: K07369970
668419-1 : ClientHello sent in multiple packets results in TCP connection close
Solution Article: K53322151
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system receives ClientHello messages in multiple fragments, and the first fragment length is smaller than 8 bytes, SSL might process it as a non-SSL packet.
Conditions:
-- The system receives ClientHello messages in multiple fragments.
-- The first fragment length is smaller than 8 bytes.
Impact:
SSL might process the first fragment as a non-SSL packet, and discard it, and then tear down the TCP connection.
Workaround:
None.
Fix:
Now, if the system receives the ClientHello message in multiple fragments, and the first fragment is smaller than 8 bytes, the system waits for the whole SSL packet to arrive before processing it.
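The fix is a record-reassembly problem: a protocol sniffer must not judge a TCP segment in isolation when the bytes it needs may still be in flight. The Python below is an added example, not the BIG-IP TMM code: it builds a minimal constructed ClientHello record, then feeds it in fragments to a per-segment sniffer (the symptom) and to a buffering sniffer that waits for a complete TLS record before deciding and rejects early only when the header bytes already seen cannot be TLS. The 8-byte threshold comes from the page; the verdict strings and class names are this example's own.

```python
# Added example (not F5's code): TLS record reassembly for a ClientHello that
# arrives in several TCP segments, contrasting per-fragment sniffing with buffering.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
RECORD_HEADER_LEN = 5
MIN_SNIFF_LEN = 8   # per-fragment minimum described on the page


def looks_like_client_hello(data: bytes) -> bool:
    """Record type handshake, version 3.x, first handshake message ClientHello."""
    return (len(data) >= RECORD_HEADER_LEN + 1
            and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03
            and data[5] == CLIENT_HELLO)


class PerFragmentSniffer:
    """Symptom behaviour: every segment is judged on its own, so a first
    segment shorter than MIN_SNIFF_LEN can never be recognised as TLS."""

    def feed(self, fragment: bytes) -> str:
        if len(fragment) < MIN_SNIFF_LEN:
            return "non-tls"
        return "tls" if looks_like_client_hello(fragment) else "non-tls"


class BufferingSniffer:
    """Fixed behaviour: accumulate bytes until a full record is present before
    deciding; reject early only when the bytes seen so far cannot be TLS."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, fragment: bytes) -> str:
        self.buf += fragment
        if self.buf[:1] and self.buf[0] != TLS_HANDSHAKE:
            return "non-tls"
        if len(self.buf) >= 2 and self.buf[1] != 0x03:
            return "non-tls"
        if len(self.buf) < RECORD_HEADER_LEN:
            return "need-more"
        record_len = int.from_bytes(self.buf[3:5], "big")
        if len(self.buf) < RECORD_HEADER_LEN + record_len:
            return "need-more"
        return "tls" if looks_like_client_hello(self.buf) else "non-tls"


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record: one cipher suite,
    null compression, no extensions, fixed (non-random) random field."""
    body = (b"\x03\x03"            # client_version TLS 1.2
            + b"\x11" * 32         # random (constant here, constructed input)
            + b"\x00"              # session_id length 0
            + b"\x00\x02\xc0\x2f"  # cipher_suites: one suite
            + b"\x01\x00"          # compression_methods: null
            + b"\x00\x00")         # extensions length 0
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE, 0x03, 0x01])
            + len(handshake).to_bytes(2, "big") + handshake)


def run(sniffer, fragments) -> list:
    """Feed fragments in order and return the verdict after each one."""
    return [sniffer.feed(f) for f in fragments]


if __name__ == "__main__":
    rec = build_client_hello()
    pieces = [rec[:3], rec[3:]]   # first segment shorter than 8 bytes
    print("per-fragment:", run(PerFragmentSniffer(), pieces))
    print("buffering   :", run(BufferingSniffer(), pieces))
    print("plaintext   :", run(BufferingSniffer(), [b"GET / HTTP/1.1\r\n"]))
```

Buffering up to the record length has its own bound to enforce in production: a TLS record declares at most 2^14 + overhead bytes, so anything claiming more than that can be rejected immediately rather than buffered.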
668352-2 : High Speed Logging unbalance in log distribution for multiple pool destination.
Component: TMOS
Symptoms:
Remote High Speed Logging may distribute logs unevenly when configured to use multiple logging pools.
The imbalance may occur if the logging destination remained idle (no logs sent) for a while after initial configuration.
Conditions:
-- Remote High Speed Logging destination configured with multiple pools.
-- The logging destination idle after initial configuration for more than 5 seconds.
Impact:
-- Log distribution imbalance.
Workaround:
There is no workaround at this time.
Fix:
Logs are now distributed equally across destination pools.
668252-2 : TMM crash in PEM_DIAMETER component
Solution Article: K22784428
Component: Policy Enforcement Manager
Symptoms:
TMM crashes when the route to PCRF is lost.
Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).
Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.
Workaround:
Mitigation: Ensure that the network interface that routes diameter packets is not manually brought down.
No workaround for externally triggered failures.
Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.
668184-1 : Huge values are shown in the AVR statistics for ASM violations
Component: Application Security Manager
Symptoms:
Huge values are shown in the AVR statistics for ASM violations.
Conditions:
Out-of-memory condition in ASM. Some other extreme conditions might also cause this behavior.
Impact:
ASM violation numbers are incorrectly reported.
Workaround:
None.
Fix:
An issue with bd sending wrong numbers to AVR was fixed.
668181-2 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
668129-1 : BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
Component: Access Policy Manager
Symptoms:
Certain SAML implementations support configuration of multiple signing certificates for signing SAML messages. In these deployments, different signing certificates may be used when certificate rotation takes place. Until now, BIG-IP as SP supported only a single signing certificate from external IdPs.
When certificate rotation happens on the external IdP, the signature verification certificates on BIG-IP have to be updated.
Conditions:
External IdP advertises multiple signing certificates in SAML metadata.
Impact:
When the external IdP starts using a new signing certificate previously advertised in metadata, authentication on BIG-IP as SAML SP will fail until the administrator adjusts the configuration to specify the new signature validation certificate on the appropriate SAML IdP connector object.
Workaround:
Signing certificates on BIG-IP as SAML SP can be reconfigured manually.
Fix:
BIG-IP as SP now supports multiple signing certificates advertised by external identity providers.
668048-1 : TMM memory leak when manually enabling/disabling pool member used as HSL destination
Solution Article: K02551403
Component: TMOS
Symptoms:
High Speed Logging fails to free allocated cache memory, resulting in a memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.
Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed, OR
- High Speed Logging pool members removed.
Impact:
Increase in mds_btree_nodes memory utilization.
Workaround:
There is no workaround at this time.
Fix:
High Speed Logging frees allocated memory correctly.
667922 : Alternative unicode encoding in JSON objects not being parsed correctly
Solution Article: K44692860
Component: Application Security Manager
Symptoms:
JSON content might be blocked when Unicode escape encoding is used in one of the JSON nodes.
Conditions:
Configured ASM Policy with JSON profile.
Impact:
False positive blocked request.
Workaround:
Disable metachars checks in JSON profile.
Fix:
The JSON parser now handles unicode sequences correctly.
667892-2 : FPS: BLFN inheritance won't take effect until GUI refresh
Component: Fraud Protection Services
Symptoms:
1. Create an FPS profile with an "Additional function to be run before JavaScript load" (BLFN) configured.
2. Clone this profile.
3. In the cloned profile, choose another profile to inherit defaults from (one where there is no BLFN).
4. Save configuration.
Conditions:
- Current profile has a BLFN configured.
- New parent profile has no BLFN.
Impact:
The original BLFN is still configured on the profile (should have inherited the empty BLFN from parent profile).
Workaround:
1. Use tmsh.
2. Refresh before save.
Fix:
Correct BLFN inheritance logic in GUI.
667872-1 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
Component: Fraud Protection Services
Symptoms:
'Apply cookies to base domain' feature doesn't work for non standard ports.
Conditions:
'Apply cookies to base domain' is enabled and the connection is over a non-standard port (not 80, 443, etc.).
Impact:
Cookies won't be applied to base domain, thus WebSafe functionality will be broken and missing cookie alerts will be sent.
Workaround:
Use only standard ports.
Fix:
FPS now correctly parses the base domain, including the port (if present).
667560-3 : FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
Solution Article: K69205908
Component: Local Traffic Manager
Symptoms:
A pool member configured through an FQDN node and which has multiple associated monitors may become unknown (blue) after a monitor rule change to one of its associated monitors. The expected behavior is that the node should remain 'green' if monitoring is successful with the new rule, but the node may become unknown (blue) until bigd is restarted.
Conditions:
A pool member is configured through an FQDN node, and has multiple associated monitors, and a monitor rule change is made to one of the associated monitors.
Impact:
The pool member status correctly reflects whether monitoring is successful (green) or the pool member is unknown (blue), but the changed monitor rule may not take effect until bigd is restarted.
Workaround:
When making changes to a monitor rule associated with a pool member configured through FQDN, verify the node remains monitored (green or checking), or restart bigd. Alternatively, change monitor rules within the configuration file, and reload the configuration.
Fix:
Pool members configured through FQDN nodes and with multiple associated monitors continue to be monitored after a monitor rule change to one of the associated monitors. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
667469-1 : Higher than expected CPU usage when using DNS Cache
Solution Article: K35324588
Component: Global Traffic Manager (DNS)
Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.
Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.
Impact:
Higher than expected CPU usage.
Workaround:
No workaround at this time.
Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.
667405-2 : Fragmented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
Solution Article: K61251939
Component: TMOS
Symptoms:
When the BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets, memory leaks may occur in the TMM.
Conditions:
The BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets.
Impact:
Memory leak in the TMM.
Workaround:
None.
Fix:
No memory leak in the TMM.
667404-2 : Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
Solution Article: K77576404
Component: TMOS
Symptoms:
If fragmented IP packets match an IPsec policy and are then forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key belonging to another connflow, including internal MCP flows. When that happens, if IPsec tunnels those flows, internal MCP heartbeats later go missing and cause tmm restarts.
Conditions:
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.
Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.
Fix:
Now fragmented packets are handled correctly, and other flows cannot experience interference.
667318-3 : BIG-IP DNS/GTM link graphs fail to display in the GUI.
Component: Local Traffic Manager
Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.
statsd reports an error in /var/log/ltm similar to the following:
err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found
Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
Impact:
Unable to view BIG-IP DNS/GTM link graphs.
Workaround:
None.
Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.
667304-1 : Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
Solution Article: K68108551
Component: Access Policy Manager
Symptoms:
'Save Password' checkbox is shown even if the feature is not enabled.
Conditions:
-- APM end user tries to authenticate to APM/BIG-IP Server.
-- 'Save Password' is not enabled.
Impact:
APM end user receives the login page with 'Save Password' checkbox. Checking the box has no effect unless 'Save Password' is enabled.
Workaround:
None.
Fix:
'Save Password' checkbox is not shown unless the feature is enabled.
667278-3 : DSC connections between BIG-IP units may fail to establish
Component: TMOS
Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:
-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).
While the unit at the other end of the connection will log messages similar to the following example:
-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed
Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).
Impact:
Config-Sync and device discovery operations will fail between affected units.
Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).
Fix:
Config-Sync and device discovery operations no longer fail.
667237-3 : Edge Client logs the routing and IP tables repeatedly
Component: Access Policy Manager
Symptoms:
Edge Client logs the routing and IP tables repeatedly - in each reconnecting attempt.
Conditions:
Edge Client is in reconnecting state and gateway is reachable. However, APM server is not reachable/responding.
Impact:
It fills up the log file with information that is not useful.
Workaround:
There is no workaround at this time.
Fix:
When Edge Client is in the reconnecting state and the APM server is not reachable/responding, it no longer logs the routing/IP tables on each reconnection attempt.
667148-1 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition
Solution Article: K02500042
Component: TMOS
Symptoms:
GTM configuration fails to load.
Conditions:
GTM config referencing non-/Common partition objects from /Common.
Impact:
GTM configuration fails to load, which may keep a system from becoming active.
Workaround:
No workaround.
Fix:
Fixed an issue that prevented GTM configurations from loading when objects in non-Common partitions are present.
667138-1 : LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★
Component: TMOS
Symptoms:
After upgrade from 10.2.4 to 12.1.2, full config load fails.
Conditions:
The pre-upgrade version must be 10.2.4 and the pre-upgrade config must have user-defined partitions.
Impact:
After upgrade, if changes are made to the running config (in memory; not on disk), then the config files on disk from upgrade cannot be restored.
Workaround:
The 10.2.4 config is stored at /config/bigpipe/ during upgrade. A workaround is to load defaults, then merge the original config using bigpipe:
/usr/libexec/bigpipe merge /config/bigpipe/*.conf
Fix:
Full load after upgrade from 10.2.4 now succeeds.
667028-1 : DNS Express does not run on i11000 platforms with htsplit disabled.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.
Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.
Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.
Workaround:
Enable htsplit using the following command:
modify sys db scheduler.splitplanes.ltm value true
Fix:
tmm no longer cores under these conditions. However, you cannot use DNSX with htsplit disabled; htsplit must be enabled.
Note: DNSX works as expected with htsplit enabled, both before and after the fix.
666986-2 : Filter by Support ID is not working in Request Log
Solution Article: K50320144
Component: Application Security Manager
Symptoms:
In some cases the Support ID of a request might be shorter than 19 digits. In this case filter by Support ID does not work in Request Logs.
Conditions:
-- Support ID is shorter than 19 digits.
-- Trying to filter by Support ID.
Impact:
Filter by Support ID is not displayed in filter bar and does not affect the list.
Workaround:
You can try to filter by the last 4 digits of the Support ID. Although that does not replace the filter-by-Support-ID functionality, it might help.
Fix:
Filter by Support ID now works for any length except exactly 4 digits (in that case the search uses the last 4 digits; a 4-digit Support ID is not a realistic occurrence).
666790-2 : Use HSB HiGig MAC reset to recover both FCS errors and link instability
Solution Article: K06619044
Component: TMOS
Symptoms:
In addition to HiGig link instability, FCS errors can be seen on the internal switch and the HSB HiGig link. This is likely a PHY-related issue and can cause instability in communication links.
One symptom associated with this might be that a blade cannot become active and join the cluster.
Conditions:
FCS errors reported in tmm/hsbe2_internal_lbb_hgm. Traffic failure observed on some VIPs or self IPs.
Impact:
Link unstable, frame loss.
TMOS MPI and CDP packet loss and internal blade communication issues.
HSB lockup and accumulated FCS errors observed from stats and log.
Workaround:
A switch port reset might be used to recover from this failure. Note, however, that this procedure might itself cause HSB lockups.
Fix:
FCS errors and link instability no longer occur.
666689-1 : Occasional "profile not found" errors following activate access policy
Component: Access Policy Manager
Symptoms:
Immediately after a modified access policy is applied, it is possible for some profiles to disappear.
This is transient; within a minute or two the profiles are available again.
Conditions:
Clicking "apply access policy" in the GUI or using tmsh to increment snapshot IDs clears the list of profiles and policies and then rebuilds those lists. Authentication requests using profiles or policies not yet rebuilt return the "profile not found" error.
Impact:
Some authentication attempts fail while the lists get rebuilt.
Retrying the authentication a minute or two later succeeds.
Workaround:
Retry the authentication.
Fix:
Applying Access Policies in APM is improved to avoid a short dead time between when the old policies are removed and the new policies are activated.
666454-2 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
Solution Article: K05520115
Component: Access Policy Manager
Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.
Edge client's svpn.log shows an error entry similar to the following:
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.
Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on a Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in a full tunneling configuration.
3) Mac OS X version is v10.12.5.
Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.
Impact:
VPN connection will fail.
Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.
666315 : Global SNAT sets TTL to 255 instead of decrementing
Component: Local Traffic Manager
Symptoms:
Global SNAT sets the TTL to 255 instead of decrementing.
Conditions:
Global SNAT configured.
Impact:
Possible routing loop.
Workaround:
No workaround.
Fix:
TTL for global SNAT now gets decremented.
666160-1 : L7 Policy reconfiguration causes a slow memory leak
Solution Article: K63132146
Component: Local Traffic Manager
Symptoms:
When a virtual server with a L7 policy is reconfigured, a small amount of memory is leaked.
Conditions:
A virtual server with L7 policies has a configuration change.
Impact:
The memory leak will reduce the amount of resources for the TMM.
Workaround:
None.
Fix:
L7 Policies no longer leak memory when a virtual server using them is reconfigured.
666058-2 : XenApp 6.5 published icons are not displayed on APM Webtop
Solution Article: K86091857
Component: Access Policy Manager
Symptoms:
While publishing XenApp 6.5 resources through APM Webtop, some applications are not displaying the icons correctly.
VDI Error logs are seen as follows:
failed to handle '/f5vdi/citrix/icon/': Incorrect bitmap size"
Conditions:
-- XenApp 6.5 is used with their rollup hotfix 6 or 7.
-- Some of the third-party applications contain more icon bitmap information than expected.
Impact:
Icons are not displayed on the APM Webtop.
Workaround:
None.
Fix:
APM Webtop now displays Citrix XenApp icons correctly regardless of the size of the bitmap data.
666032-3 : Secure renegotiation is set while data is not available.
Solution Article: K05145506
Component: Local Traffic Manager
Symptoms:
Secure renegotiation is set while data is not available, which causes a crash on certain connections.
Conditions:
This occurs when handling SSL secure renegotiation in certain connections.
Impact:
Crashes happen to certain SSL connections.
Workaround:
None.
Fix:
Setting secure renegotiation while data is not available no longer causes a crash on certain connections.
665924-1 : The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
Solution Article: K24847056
Component: Local Traffic Manager
Symptoms:
A TMM crash is caused by a double-free of memory within the HTTP2 and SPDY filters. The crash can surface in other TMM sub-systems unrelated to HTTP2 or SPDY.
Conditions:
The HTTP2 or SPDY filter is used, together with many other TMM modules. This situation is difficult to trigger.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The HTTP2 and SPDY filters will no longer double-free memory in rare situations.
665905 : Signature System corruption from specific ASU prevents ASU load after upgrade
Solution Article: K83305000
Component: Application Security Manager
Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.
Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.
Impact:
Attempts to perform Signature Update fail.
Workaround:
The mistaken Signature System can be deleted using the following SQL:
----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------
Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.
665778-1 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
Solution Article: K34503519
Component: iApp Technology
Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'
Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.
Impact:
Cannot view/re-deploy iApps.
Workaround:
Use TMSH to view/re-deploy iApps.
There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.
Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.
-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.
-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.
Fix:
Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
665732-2 : FastHTTP may crash when receiving a fragmented IP packet
Solution Article: K45001711
Component: Local Traffic Manager
Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.
Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.
Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.
Fix:
Force packet reassembly before packet is forwarded to a FastHTTP virtual.
665656-1 : BWC with iSession may leak memory
Component: TMOS
Symptoms:
A memory leak may occur when BWC is configured with iSession.
Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.
Impact:
A memory leak.
Workaround:
None.
Fix:
The memory leak is prevented when BWC and iSession are configured together and a BWC policy is removed or reset.
665652-2 : Multicast traffic not forwarded to members of VLAN group
Solution Article: K41193475
Component: Local Traffic Manager
Symptoms:
Multicast traffic traversing the BIG-IP system through a VLAN that is a member of a VLAN group does not get forwarded to the other members of the VLAN group.
Conditions:
Multicast traffic ingress from a VLAN in a VLAN group.
Impact:
Traffic is not forwarded to the other members of the VLAN group.
Workaround:
None.
Fix:
Multicast traffic is now correctly forwarded to members of VLAN group.
665416-3 : Old versions of APM configuration snapshots need to be reaped more aggressively if not used
Component: Access Policy Manager
Symptoms:
Currently, it takes 24 hours for old, unused versions of APM config snapshots to time out and release their memory. If access profiles are complex and are updated frequently within 24 hours, memory is likely to be exhausted.
Conditions:
Access profiles are updated frequently within 24 hours, and each version of the configuration snapshot contains many variables.
Impact:
TMM may run out of memory and crash, causing service interruption.
Workaround:
None.
Fix:
Per-session access policy snapshots are now deleted after 60 minutes instead of 24 hours.
665354-2 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
Solution Article: K31190471
Component: TMOS
Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.
Those two messages together indicate this known issue.
Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.
Impact:
The unit intermittently reboots.
Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.
If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.
Important: A device Return Materials Authorization (RMA) will not prevent this issue.
Fix:
There is a BIG-IP system software update that disables the 10 Gb FPGA MAC receiver until a valid link is detected. This eliminates the issue and prevents the ultra-jumbo packet from being sent to the FPGA datapath.
665347-2 : GTM listener object cannot be created via tmsh while in non-Common partition
Solution Article: K17060443
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use tmsh to create a GTM listener in a non-Common partition.
Conditions:
-- In a non-Common partition.
-- Create a listener using a command similar to the following:
(/Common/newpart)(tmos)# create gtm listener new address 10.2.2.2
Impact:
The listener will not be created. The system outputs an error similar to the following:
01020036:3: The requested profile (/Common/newpart/udp_gtm_dns) was not found.
Workaround:
None.
Fix:
GTM Listener parser now correctly handles validation and selections of profiles for GTM listeners.
665330-1 : MSIE 11 should avoid compatibility mode
Component: Access Policy Manager
Symptoms:
MSIE 11 in compatibility mode causes JavaScript errors because the MSIE 7-9 rendering modes have poor JavaScript support.
Conditions:
APM Client and MSIE 11 forced into compatibility mode.
Impact:
Certain pages on client UI are not being rendered or being rendered with errors.
Workaround:
Do not force MSIE 11 into compatibility mode with APM.
Use browsers with good JavaScript support.
Fix:
We've added a meta tag that sets MSIE to native mode. Although a domain group policy can still override it, for most use cases this is enough.
665185-1 : SSL handshake reference is not dropped if forward proxy certificate lookup failed
Solution Article: K20994524
Component: Local Traffic Manager
Symptoms:
In rare cases, when forward-proxy certificate-lookup fails, the SSL handshake reference is not dropped, which can consume memory that is no longer needed.
Conditions:
Forward-proxy certificate-lookup fails; specifically, input string size is larger than maximum allowed.
Impact:
tmm memory use grows.
Workaround:
None.
Fix:
The system now drops the SSL handshake reference when forward-proxy certificate-lookup fails. This is the correct behavior.
665022-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.
Component: Local Traffic Manager
Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.
Conditions:
Packet length exceeds rateshaper's configured max ceiling.
Impact:
The flow stalls.
Workaround:
Increase the configured rateshaper's max ceiling value to be larger than the largest packet length.
Fix:
Rateshaper no longer stalls when TSO packet length exceeds max ceiling.
664930-2 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
664894-1 : PEM sessions lost when new blade is inserted in chassis
Solution Article: K11070206
Component: TMOS
Symptoms:
Inserting a blade into a chassis whose high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes iRule table command entries as well as entries stored in the SessionDB by modules.
Conditions:
HA in use 'between clusters'.
Impact:
Data loss of some SessionDB entries.
Workaround:
In order to cleanly add a blade, change the setting from 'between clusters' to 'within cluster', then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA setting to 'between clusters'.
Fix:
PEM sessions are now retained when a new blade is inserted into a chassis using 'between clusters'.
664829-1 : BIG-IP sometimes performs unnecessary reboot on first boot
Component: TMOS
Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of the disk has changed, re-size the partition table, and trigger a reboot. This is likely to occur only on VE guests.
Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.
Note: A specific software version in a specific cloud environment either always exhibits this, or never does.
Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.
Workaround:
None.
Fix:
An additional, unnecessary reboot of a BIG-IP Virtual Edition during its first boot-up should no longer occur.
664769-1 : TMM may restart when using SOCKS profile and an iRule
Solution Article: K33637041
Component: Local Traffic Manager
Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.
Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.
Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.
Fix:
TMM no longer crashes when a SOCKS profile is used and a server-side iRule parks.
664737-2 : Do not reboot on ctrl-alt-del
Component: TMOS
Symptoms:
BIG-IP reboots when ctrl-alt-del is pressed.
Conditions:
VE with ctrl-alt-del pressed in the video console.
Impact:
BIG-IP reboots.
Fix:
BIG-IP no longer reboots on ctrl-alt-del.
664708-2 : TMM memory leak when DoS profile is attached to VS
Component: Advanced Firewall Manager
Symptoms:
TMM memory leaks when a DoS profile is attached to a virtual server.
Conditions:
1. A DoS profile is attached to the virtual server.
2. Traffic from a search engine is coming to this virtual server.
3. A DNS resolver is configured.
Impact:
TMM memory use increases over time.
Workaround:
There is no workaround at this time.
Fix:
Memory is now freed periodically.
664549-2 : TMM restart while processing rewrite filter
Solution Article: K55105132
Component: TMOS
Symptoms:
TMM restart and failover occurs while processing rewrite filter.
Conditions:
-- Virtual server with rewrite-uri-translation profile.
-- Serverside attempts to get data from clientside when connection flow does not exist.
Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM restart and failover no longer occurs while processing rewrite filter.
664535-1 : Diameter failure: load balancing fails when all pool members use same IP Address
Component: Service Provider
Symptoms:
Case 1: Run 2 servers with the same IP but different ports. Send 10 requests from 1 client.
Result: All 10 requests from the client are delivered to 1 server. The result is the same when use-local-connection is disabled.
Case 2: Run 2 servers with the same IP but different ports, but this time use the MR::message route iRule command to route messages between hosts. Send 10 requests from 1 client.
Result: All 10 requests from the client are delivered to 1 server.
Conditions:
Load balancing scenario with a single client and two pool members. The servers use the same IP, different ports.
Impact:
All the requests from the same client are delivered to 1 server only.
Workaround:
Use a different IP address for each pool member, or use different client IP addresses for the requests.
Fix:
Load balancing scenario with single client and two pool members now completes successfully even when all pool members use same IP Address.
664528-1 : SSL record can be larger than maximum fragment size (16384 bytes)
Component: Local Traffic Manager
Symptoms:
An SSL record containing handshake data can exceed the maximum fragment size of 16384 bytes because handshake data is not fragmented.
Conditions:
This usually happens when a large certificate or certificate chain is configured for server or client authentication.
Impact:
SSL handshake will fail with client or server that properly checks the record size.
Workaround:
Use a certificate that is smaller in size.
Fix:
Handshake data is now properly fragmented.
664507-3 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
Component: Access Policy Manager
Symptoms:
IdP-connector automation removes the certificate reference when an update to the metadata file is detected and the metadata file contains multiple signing certificates.
Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.
Impact:
The certificate reference derived from the remotely published metadata is removed from the local configuration (saml-idp-connector object). As a result, assertions generated by the external IdP are not accepted until the proper certificate is configured on the saml-idp-connector object again.
Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.
Fix:
When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.
664461-3 : Replacing HTTP payload can cause tmm restart
Solution Article: K16804728
Component: Local Traffic Manager
Symptoms:
Under certain conditions, using the [ HTTP::payload replace ... ] iRule can result in the tmm restarting.
Conditions:
Occurs when the server response is non-chunked and does not contain a Content-Length header, and an iRule adds a Content-Length header and performs an HTTP::payload replace command where the new length is shorter than the original body length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The HTTP::payload replace command no longer causes tmm restarts under certain conditions.
664063-1 : Azure displays failure for deployment of BIG-IP from a Resource Manager template
Solution Article: K03203976
Component: TMOS
Symptoms:
When deploying BIG-IP images through Azure Resource Manager or Marketplace Solution templates, the Azure portal will never display success. A timeout will eventually occur and the deployment will appear to have failed.
Conditions:
Deployment from an Azure Resource Manager or Solution template, including the BIG-IP WAF Solution from the Azure Security Center.
Impact:
A successful deployment will appear to have failed when monitoring the status in the Azure portal.
Workaround:
None.
Fix:
Deployments of BIG-IP from Azure Resource Manager or Marketplace Solution templates, or the BIG-IP WAF Solution from the Azure Security Center, now show the correct deployment status.
664057-2 : Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
Component: TMOS
Symptoms:
Upgrades from pre-12.0.0 to 12.0.0 or beyond would delete WideIPs without pools attached even if they had an iRule attached.
Conditions:
Pre-12.0.0 configuration with a WideIP that has no pools but has an iRule.
Impact:
Some or all of a post-upgrade "GSLB-typed" wideip would be lost during the upgrade process.
Workaround:
Manually add missing WideIPs after upgrade.
Fix:
Fixed issue that could delete certain types of GTM WideIPs after an upgrade from a pre-12.0.0 version to a post 12.0.0 version.
664017-3 : OCSP may reject valid responses
Component: TMOS
Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:
OCSP response: got EOF
Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.
Impact:
Valid OCSP responses may be rejected.
Workaround:
None.
Fix:
These responses are now accepted.
663974-2 : TMM crash when using LSN inbound connections
Component: Carrier-Grade NAT
Symptoms:
TMM might crash when using an LSN pool with inbound connections.
Conditions:
LSN inbound connections configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when using an LSN pool with inbound connections.
663821-3 : SNAT Stats may not include port FTP traffic
Solution Article: K41344010
Component: Local Traffic Manager
Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).
Conditions:
-- SNAT is configured.
-- FTP connections traverse the SNAT.
Impact:
Stats are not incremented in tmsh or the GUI.
Workaround:
None.
Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.
663580-1 : logrotate does not automatically run when /var/log reaches 90% usage
Solution Article: K31981624
Component: TMOS
Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.
Conditions:
/var/log has less than 10% free space.
Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.
Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a description of the expected behavior.
Workaround:
None.
Fix:
The alertd daemon now correctly recognizes the log message from diskmonitor to initiate logrotate.
663551-1 : SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
Solution Article: K14942957
Component: Local Traffic Manager
Symptoms:
If an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE event, the expected result is that the SERVERSSL_DATA event will be raised when the serverside receives the SSL data. Then, the decrypted SSL data can be examined and manipulated.
*****************************
when SERVERSSL_HANDSHAKE {
SSL::collect
}
when SERVERSSL_DATA {
log local0. "ServerSSL Data"
log local0. [SSL::payload]
SSL::release
}
*****************************
The issue is that SERVERSSL_DATA is not raised, even though the serverside receives the SSL data, when the iRule calls [SSL::collect] in SERVERSSL_HANDSHAKE:
****************************
when SERVERSSL_HANDSHAKE {
SSL::collect
}
****************************
Conditions:
Calling the [SSL::collect] in the SERVERSSL_HANDSHAKE event.
****************************
when SERVERSSL_HANDSHAKE {
SSL::collect
}
****************************
Impact:
SERVERSSL_DATA event is not raised.
Workaround:
Add the [SSL::release] command in the SERVERSSL_HANDSHAKE event.
**********************************
when SERVERSSL_HANDSHAKE {
SSL::collect
SSL::release
}
**********************************
Fix:
SERVERSSL_DATA event is now raised when an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE.
663535-1 : Sending ASM cookies with "secure" attribute even without client-ssl profile
Component: Application Security Manager
Symptoms:
ASM cookies are set with the "secure" attribute only when the BIG-IP virtual server has a client-ssl profile.
Conditions:
ASM is enabled on a virtual server that has no client-ssl profile.
Impact:
When the client-facing network is encrypted but the ASM virtual server receives cleartext traffic, cookies cannot be set with the "secure" attribute.
Workaround:
There is no workaround at this time.
Fix:
Added an internal parameter, "assume_https", that forces the "secure" attribute to always be set, even when traffic to the BIG-IP is in the clear.
663521-2 : Intermittent dropping of multicast packets on certain BIG-IP platforms
Component: TMOS
Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.
Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.
Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.
Impact:
Dropped multicast packets, possibly impacting multicast protocols.
Workaround:
None.
Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.
663506-7 : apmd crash during ldap cache initialization
Solution Article: K30533350
Component: Access Policy Manager
Symptoms:
apmd crashes.
Conditions:
- LDAP module is in use in an access policy,
- APM end-users are logging in, while administrator modifies AAA LDAP Server or LDAP Agent,
- Cache update takes a while (too many groups in domain and/or slow network).
Impact:
BIG-IP cannot process user logon requests until apmd is restarted and the LDAP cache is updated.
Workaround:
The best practice is to update the policy/AAA LDAP Server when the BIG-IP is not under load, then perform one logon manually. apmd updates its caches on the first APM end-user logon. Once the caches are updated, all further logons should be much faster and should not cause any problems.
Fix:
APMD now handles the generation of LDAP Query / AD Query nested group cache correctly during high authentication load.
663366-3 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
Component: TMOS
Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.
Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.
Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.
663333-1 : TMM may core in PBA mode if the LSN pool is under-provisioned or the utilization is high
Component: Carrier-Grade NAT
Symptoms:
TMM may core while trying to allocate a new block.
Conditions:
If the LSN pool is under-provisioned or the utilization is high, TMM may need to send MPI messages to other TMMs to search for other blocks. TMM may core if these operations time out.
Impact:
Traffic disrupted while tmm restarts.
663326-2 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys
Component: Local Traffic Manager
Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.
Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.
Impact:
Even though the key has been stored in the HSM, the BIG-IP is still unable to use it because the stub key that must be configured on the BIG-IP system is missing.
Workaround:
This can be worked around by directly using the Thales command, for example:
[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha1] >
Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.
663310-3 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
Solution Article: K50871313
Component: Global Traffic Manager (DNS)
Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.
Conditions:
-- Upgrade from a BIG-IP version shipping a pre-9.9.x version of BIND to a BIG-IP version shipping BIND 9.9.x or later.
-- Slave zone files are in text format.
-- The masterfile-format option is not set to text.
Impact:
Zones cannot be loaded.
Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;
Fix:
BIND 9.9.x changes the default storage format of slave zone files from "text" to "raw".
On upgrade, the configuration is now parsed for slave zones that do not specify masterfile-format, and those zones are set to "text".
663127-1 : Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
Component: Access Policy Manager
Symptoms:
The symptom appears as an error in /var/log/apm similar to the following:
Internal error processing sso config /Common/idp_obj_name
sso_tmconf_string_parse_list
When this error message is logged, subsequent authentication attempts using this BIG-IP IdP object fail.
Conditions:
SAML Identity Provider configuration is invalid: attribute contains empty value(s), for example:
apm sso saml /Common/idp_obj {
attributes {
{
multi-values { "" user@f5.com }
name User.Email
}
}
}
Impact:
Authentication will fail for users using affected SAML IdP object.
Workaround:
Manually edit the bigip.conf configuration file and remove the empty value(s) from the SAML attribute, e.g.:
apm sso saml /Common/idp_obj {
attributes {
{
multi-values { user@f5.com }
name User.Email
}
}
}
Fix:
Empty values in SAML attributes will no longer be accepted by validation logic.
663073-1 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
Component: Global Traffic Manager (DNS)
Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.
If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.
Impact:
Available pool members might be lost from the combo box until the page is reloaded.
Note: The pool members are not gone from the system; they are still present, just not displayed.
Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.
Fix:
Changed the behavior of the combo box when a member is selected by clicking on it in the dropdown list. Adding a selected pool member as described above will cause the combo box to correctly remove that pool member from the combo box.
663063-2 : Disabling a pool member used in a busy HSL TCP destination can result in service disruption.
Component: TMOS
Symptoms:
Manually disabling an otherwise available pool member from a pool used as HSL TCP destination can result in tmm crash and service disruption.
This is more likely to occur when HSL destination is using 'balanced' distribution.
Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.
Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.
Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.
Fix:
TMM crash no longer occurs when HSL TCP pool member with pending connection is manually disabled.
662911-2 : SASP monitor uses same UID for all vCMP guests in a chassis or appliance
Solution Article: K93119070
Component: Local Traffic Manager
Symptoms:
The SASP GWM monitor generates the LB UID from the chassis serial number of the platform on which BIG-IP is running. All vCMP guests running on the platform attempt to use the same UID.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only one vCMP guest running on each BIG-IP appliance or VIPRION chassis is able to successfully use the SASP monitor.
- The SASP monitor running on the first vCMP guest can successfully connect to the SASP GWM.
- Subsequent SASP monitor instances running on other vCMP guests will fail to connect to the SASP GWM.
Conditions:
This occurs when multiple vCMP guests are running on a single BIG-IP appliance or VIPRION chassis, each using a SASP monitor connecting to the same SASP GWM to monitor pool member availability.
Impact:
The SASP monitor is unable to monitor pool member availability on more than one vCMP guest running on a single BIG-IP appliance or VIPRION chassis.
Workaround:
None.
Fix:
The SASP monitor can be used to monitor pool member availability on multiple vCMP guests running on a single BIG-IP appliance or VIPRION chassis.
662881-2 : L7 mirrored packets from standby to active might cause tmm core when it goes active.
Solution Article: K10443875
Component: Local Traffic Manager
Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.
Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A spurious ACK no longer causes an outage; instead, the packet is dropped.
662850-2 : Expat XML library vulnerability CVE-2015-2716
Solution Article: K50459349
662844 : TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
Solution Article: K87735013
Component: Service Provider
Symptoms:
Mirroring for Diameter MRF was not implemented in v12.x.x. However, there is an option that allows the user to enable it. When enabled, tmm crashes.
Conditions:
-- Connection mirroring is enabled for Diameter MRF virtual server's router profile.
-- Using v12.x.x.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Note: Mirroring for Diameter MRF was implemented in v13.0.0. The presence of the option to enable the unimplemented functionality is erroneous.
Workaround:
Do not enable Diameter MRF router profile's connection mirroring setting for v12.x.x.
Fix:
Diameter MRF mirroring for Diameter MR has been implemented beginning with v13.0.0. Enabling this option in v12.x.x results in a tmm crash.
662663-6 : Decryption failure Nitrox platforms in vCMP mode
Solution Article: K52521791
662639-2 : Policy Sync fails when the policy object includes a FIPS key
Component: Access Policy Manager
Symptoms:
Policy sync fails with a vague error:
err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...
Conditions:
-- Sync-only device group configuration.
-- FIPS cards in use.
-- On one device:
+ Create FIPS key and certificate:
1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create.
2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'.
+ Create a rewrite profile:
1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile.
2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively).
+ Create an access profile.
+ Create a virtual server and attach the access profile and rewrite profile to it.
(Note: You must also include other dependent settings, such as a connectivity profile.)
-- Start a policy sync from the device.
Impact:
Feature failure for specific configurations.
Workaround:
None.
Fix:
Now APM policy sync succeeds even when policy includes FIPS key.
662364-2 : MRF DIAMETER: IP ToS not passing through with DIAMETER
Component: Service Provider
Symptoms:
The IP-layer ToS value is not passed through by MRF Diameter.
Conditions:
-- The IP ToS value is received on the clientside connection.
-- ip-tos-to-client is set to pass-through.
Impact:
The ToS from the client does not reach the server.
Workaround:
Use an iRule to preserve the ToS from the client and set it on the serverside connection.
Fix:
The ToS value that arrives on the clientside connection now passes through with Diameter MRF.
662331-1 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.
Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.
662281-2 : Inconsistencies in Automatic sync ASM Device Group
Component: Application Security Manager
Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.
This can cause any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices
Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.
Impact:
Any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices
Workaround:
Disable automatic sync on the device group, and periodically push changes manually.
Fix:
Calls are now correctly propagated across Automatic Sync Device Groups.
662085-1 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
Component: Local Traffic Manager
Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.
Conditions:
Installing large Node.js packages using the TMUI.
Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.
Workaround:
None.
Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.
Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.
662022-5 : The URI normalization functionality within the TMM may mishandle some malformed URIs.
Solution Article: K34514540
661881-2 : Memory and performance issues when using certain ASN.1 decoding formats in iRules
Solution Article: K00030614
Component: Local Traffic Manager
Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.
Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.
Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.
Workaround:
None.
Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.
Fix:
Prevented memory leak when using calls to ASN1::decode with "a" or "B" characters in the format string.
661764-2 : It is possible to configure a number of CPUs that exceeds the licensed throughput
Solution Article: K53762147
Component: TMOS
Symptoms:
The system does not prevent you from selecting a number of CPUs that exceeds the license's throughput limit.
Conditions:
Configure a number of CPUs that exceeds the licensed throughput, for example, configuring 4 CPUs on a 2Mbps license on a VE system.
Impact:
Depending on the operations performed, it is possible for tmm to core.
Workaround:
None, other than configuring only the available number of CPUs.
Fix:
The system now detects when a configuration invalid for the license is in use and fails gracefully, presenting an error message explaining the failure.
660711-1 : MCPd might crash when a user tries to import an access policy
Solution Article: K05265457
Component: Access Policy Manager
Symptoms:
MCPd restarts while importing an access policy; other daemons might also restart because of the MCPd restart.
Conditions:
This occurs when an access policy uses the same agent more than once.
Importing that access policy causes MCPd to crash.
This can happen when you do not use the GUI/VPE to manage the access policy but instead directly modify the config file in the exported access policy.
Impact:
MCPd and some other daemons restart. GUI unresponsive for a while.
Workaround:
Only use the GUI/VPE to manage access policies.
You should not modify the config file for an exported access policy.
Fix:
MCP now applies appropriate validation to avoid importing invalid access policies.
660532-2 : Cannot specify the event parameter for redirects on the policy rule screen.
Solution Article: K21050223
Component: TMOS
Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.
System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.
Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.
Impact:
Cannot specify the event parameter.
Workaround:
None.
Fix:
This release adds an option for choosing the event for a redirect action.
660239-3 : When accessing the dashboard, invalid HTTP headers may be present
Component: TMOS
Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.
Conditions:
Access the dashboard via Statistics :: Dashboard.
Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.
You may see errors such as the following in the httpd error logs:
Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf
Workaround:
There is no workaround at this time.
Fix:
Eliminated invalid header data.
660187-3 : TMM core after intra-chassis failover for some instances of subscriber creation
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.
Conditions:
-- The chassis is loaded with many blades.
-- The high availability (HA) configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.
Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The AVPs are now validated before the attributes are copied.
660170-1 : tmm may crash at ~75% of VLAN failsafe timeout expiration
Solution Article: K28505910
Component: Local Traffic Manager
Symptoms:
When VLAN failsafe is configured and the VLAN failsafe timeout is 3/4 expired, tmm generates ICMP traffic to provoke a network response. When this occurs, the system might crash.
Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.
Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).
Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)
Workaround:
1. To allow the VLAN failsafe timer to be reset by any frame, run the following command with VLAN failsafe enabled:
tmsh modify sys db failover.vlanfailsafe.resettimeronanyframe value enable
This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.
2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.
Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.
Fix:
Generating ICMP traffic from TMM to provoke a network response on an expiring VLAN failsafe timer no longer exposes the system to a potential crash, whether in an invalid configuration or on a completely quiet network, given the following configuration:
- VLAN failsafe is configured.
- 3/4 of the configured VLAN failsafe timeout has elapsed (e.g., 67.5 seconds of 90 seconds).
659969-1 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
Component: Global Traffic Manager (DNS)
Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.
Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.
Impact:
Command does not complete successfully. This is an internal validation issue.
Workaround:
None.
659912-1 : GSLB Pool Member Manage page display issues and error message
Component: Global Traffic Manager (DNS)
Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.
Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.
Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.
Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.
Impact:
Degraded usability.
Workaround:
Use TMSH to add a static-target and to edit pool members.
Fix:
Fixed issue with the edit button and issue that prevented adding as a static-target a GSLB pool member that was not part of the GTM config. Now, if static target is enabled, you can type the name of the target without the target being configured on the system.
659899-1 : Rare, intermittent system instability observed in dynamic load-balancing modes
Solution Article: K10589537
Component: Local Traffic Manager
Symptoms:
The dynamic pool member load-balancing modes require precise measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed during dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.
Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.
Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.
659791-2 : TFO and TLP could produce a core file under specific circumstances
Solution Article: K81137982
659648-2 : LTM Policy rule name migration doesn't properly handle whitespace
Component: Local Traffic Manager
Symptoms:
LTM Policy validation does not allow rule names to begin or end with whitespace characters. When migrating configuration to the next version, the migration process attempts to trim off any leading and trailing whitespace. However, this process does not handle leading and trailing whitespace when such characters occur within a double quoted string.
Conditions:
LTM policy with a rule name that contains leading and/or trailing whitespace characters. These will typically occur within a double-quoted string. Here is an example that one might find in bigip.conf:
ltm policy example1 {
rules {
" leading and trailing spaces " {
...
}
...
}
Impact:
Policy rules are migrated incorrectly, then fail validation because of the remaining leading and/or trailing whitespace characters.
Workaround:
Prior to migration, LTM Policy rule names can be changed to remove leading and trailing whitespace. After a failed migration, bigip.conf can be manually edited to remove the offending characters, and the configuration can then be loaded manually.
Fix:
LTM Policy migration properly handles whitespace in rule names in a quoted string.
659567-1 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
Solution Article: K94685557
Component: Policy Enforcement Manager
Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.
Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.
Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.
Workaround:
None.
Fix:
iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions. The commands now consider route domains.
659371-2 : apmd crashes executing iRule policy evaluate
Component: Access Policy Manager
Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.
Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.
Impact:
apmd crashes and restarts, preventing end users from logging in.
Workaround:
None.
Fix:
Now APMD has a more robust initialization process to ensure that it does not execute access policies from iRule commands before it is ready.
659057-1 : BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
Component: TMOS
Symptoms:
The LCD on BIG-IP iSeries appliances must detect whether the system is in IPv4 or IPv6 context before retrieving the gateway from the Host via REST. If two gateways are configured (IPv4 and IPv6) only whichever is first in the list is returned via REST and will be set on the Host.
Conditions:
If two gateways are configured (IPv4 and IPv6).
Impact:
Incorrect gateway retrieval can create bad configurations that impact traffic, resulting in failed ping attempts, destination unreachable errors, request timeouts, etc.
Workaround:
No workaround at this time.
Fix:
LCD code now retrieves the correct gateway when switching between IPv4 and IPv6 context.
658989-2 : Memory leak when connection terminates in iRule process
Component: Local Traffic Manager
Symptoms:
Memory leak eventually leading to alloc failure and TMM crash.
Conditions:
Connection is aborted/terminated when iRule processing is suspended for the current connection.
Impact:
Memory leak and eventual TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Avoid suspend/park commands in iRule processing.
Fix:
Memory no longer leaks when connection is aborted/terminated when iRule processing is suspended.
658852-5 : Empty User-Agent in iSessions requests from APM client on Windows
Component: Access Policy Manager
Symptoms:
'User-Agent' might be empty in some '/isession' requests from the APM client on Microsoft Windows. An empty User-Agent header is not RFC compliant and causes some firewalls to block the connection. This might result in failure to establish a VPN tunnel.
Conditions:
'/isession' requests from APM client on Windows.
Impact:
Failure to establish a VPN tunnel.
Workaround:
None.
Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.
658636-2 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
Solution Article: K51355172
Component: TMOS
Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct.
Conditions:
Creating LTM or DNS monitors through batch/transaction mode when the strings contain newline characters, for example, using the following commands to batch-create:
create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon
The system creates the following monitor:
gtm monitor http one_test_mon {
defaults-from http
destination *:*
interval 30
probe-timeout 5
recv 200
send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"
Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.
Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.
Fix:
When creating LTM or DNS monitors through batch/transaction mode newlines are now properly escaped.
658574-2 : An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
Solution Article: K61847644
Component: TMOS
Symptoms:
An accelerated flow can send to a stale destination MAC address after the ARP packet with the updated MAC address is received.
Warning: disabling auto-lasthop is not sufficient to make the BIG-IP system use the updated destination MAC address.
Conditions:
A flow is accelerated with a destination MAC address that changes while the flow is accelerated.
Impact:
The BIG-IP system sends packets to a stale (incorrect) destination MAC address. In this case, the new MAC address is not updated for the accelerated flow and the flow will continue to send traffic using the original MAC address.
Workaround:
Disable HW acceleration. Prevent the downstream destination MAC address from changing. For example, if the downstream unit is a BIG-IP active/standby configuration, then use MAC masquerading to prevent the MAC address from changing.
658343-2 : AVR tcp-analytics: per-host RTT average may show incorrect values
Solution Article: K33043439
Component: Application Visibility and Reporting
Symptoms:
When viewing Statistics :: Analytics :: TCP :: RTT and then selecting View By: "Remote Host IP Address" in the table below the graph, the values presented in the RTT Avg (ms) column may be incorrect (they could even be larger than the RTT Max column).
As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.
Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.
Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.
Workaround:
None.
Fix:
The rtt_count, rtt_max, rtt_avg, and rtt_sum metrics after day and week aggregation are now correct in the day, week, and month reports. The rtt_sum is now aggregated with the correct value (it can exceed the maximum integer), as expected.
658321-2 : Websafe features might break in IE8
Component: Fraud Protection Services
Symptoms:
IE8 transforms all custom HTTP header names to lowercase. If a header name is configured with upper-case characters, the WebSafe feature might break.
Conditions:
-- A custom HTTP header is configured with upper-case characters.
-- The client is IE8.
Impact:
The FPS plugin will not find the header, because it receives the name in lower case while the header is configured with upper-case characters.
As a result, WebSafe functionality that involves the custom HTTP header (e.g., the AJAX username header) is broken.
Workaround:
Set custom HTTP header name to lower case only.
Fix:
FPS now performs case-insensitive matches for custom HTTP headers.
658261-2 : TMM core after HA during GY reporting
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, tmm crashes in some cases of GY reporting.
Conditions:
-- Failover is triggered,
-- The daglib hash redistributes the subscriber data to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.
Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.
Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.
Workaround:
None.
658214-2 : TCP connections fail intermittently for mirrored FastL4 virtual server
Solution Article: K20228504
Component: Local Traffic Manager
Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.
Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.
Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.
Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.
Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.
Fix:
In this release, mirrored FastL4 virtual servers now forward the SYN on the server-side after receiving the context-ack from the peer, as expected.
658148-2 : TMM core after intra-chassis failover for some instances of subscriber creation
Solution Article: K23150504
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.
Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.
Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.
657795-1 : Possible performance impact on some SSL connections
Solution Article: K51498984
Component: Local Traffic Manager
Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.
Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.
-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.
Impact:
Performance may be impacted on those SSL connections.
Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.
Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.
657713-5 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
Solution Article: K05052273
Component: Local Traffic Manager
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:
notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- The gateway pool is configured with Action On Service Down = Reject.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- A connection is rejected by the gateway pool.
Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.
Workaround:
Set service-down-action to none or reselect.
Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.
657632-4 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash
Component: Policy Enforcement Manager
Symptoms:
If a subscriber delete is performed following an HA switchover, tmm may coredump. This scenario is rare: a subscriber may have been freed during the switchover, and a subsequent forced delete command quickly follows.
Conditions:
-- A subscriber delete command followed by an HA switchover.
-- During the switchover, the subscriber was freed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now removes the subscriber index from the table if present in these cases.
657502-2 : JS error when leaving page opened for several minutes
Component: Fraud Protection Services
Symptoms:
Google Chrome delays JS execution when the tab is not active.
Therefore, the anti-debug module acts as if someone is trying to debug the JS code.
Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.
Impact:
Errors appear in the console, and the JS logic executes incorrectly.
Workaround:
Identify hidden tab and pause anti-debug functionality.
Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.
657463-2 : SSL sends HUDEVT_SENT to TCP in wrong state, which causes HTTP to disconnect the handshake.
Component: Local Traffic Manager
Symptoms:
SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake.
Conditions:
SSL sends HUDEVT_SENT to TCP in wrong state.
Impact:
HTTP then disconnects the handshake.
Fix:
SSL is no longer allowed to send the HUDEVT_SENT event in the wrong state.
656912-4 : Various NTP vulnerabilities
Solution Article: K32262483
656900-1 : Blade family migration may fail
Component: TMOS
Symptoms:
Migrating the configuration from a B2100 blade to a newer variant, as documented in the "Migrating the Configuration on B2000 Series Blades" page in the "VIPRION Systems: Blade Migration" manual, may show output indicating a failure.
Conditions:
All such blade upgrades.
Impact:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.
Workaround:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.
655807-5 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
Solution Article: K40341291
Component: Global Traffic Manager (DNS)
Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.
Conditions:
QoS load balance.
Impact:
Load balance decision is mostly impacted by packet rate.
Workaround:
None.
Fix:
Corrected a calculation error for QoS score involving packet rate.
655793-1 : SSL persistence parsing issues due to SSL / TCP boundary mismatch
Solution Article: K04178391
Component: Local Traffic Manager
Symptoms:
When the SSL client or server system is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.
Any SSL record spanning multiple TCP segments (in this case, ServerHello, Certificate, and ServerHelloDone) triggers the issue, with an SSID error as the RST cause.
This can also result from a message size exceeding the maximum configured size (default is 32K).
Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).
Impact:
When the parsing fails, the SSL client or server hangs and times out. In other words, SSL traffic is affected.
The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.
Workaround:
Disable SSL persistence.
Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.
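The following is an added illustration of the parsing model described above, not BIG-IP code: a streaming parser that reassembles SSL records and handshake messages from TCP segment payloads of any size, extracts the session ID from the ServerHello, rejects messages above a configured maximum (32K stands in for the default in the text), and switches to a pass-through state once ServerHelloDone has been seen. The sample flight and the segment sizes are constructed; the class and function names are hypothetical.

```python
import struct

TLS_HANDSHAKE = 22
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_SERVER_HELLO_DONE = 14
MAX_MESSAGE = 32 * 1024   # stands in for the "maximum configured size (default 32K)"


class SslPersistParser:
    """Streaming parser for the server handshake flight (hypothetical, added here).

    Records are reassembled in rec_buf and handshake messages in hs_buf, so SSL
    boundaries never have to line up with TCP segment boundaries. After
    ServerHelloDone the parser moves to PASSTHROUGH and stops inspecting bytes.
    """

    def __init__(self, max_message=MAX_MESSAGE):
        self.max_message = max_message
        self.rec_buf = b""          # bytes not yet forming a complete record
        self.hs_buf = b""           # handshake bytes reassembled across records
        self.session_id = None
        self.state = "PARSING"      # PARSING | PASSTHROUGH | ERROR
        self.error = None

    def feed(self, segment):
        """Consume one TCP segment payload; returns the parser state."""
        if self.state != "PARSING":
            return self.state       # pass-through: nothing left to parse
        self.rec_buf += segment
        while self.state == "PARSING":
            if len(self.rec_buf) < 5:
                break               # partial record header: wait for more data
            ctype, _version, length = struct.unpack("!BHH", self.rec_buf[:5])
            if length > self.max_message:
                return self._fail("record length %d exceeds maximum" % length)
            if len(self.rec_buf) < 5 + length:
                break               # record body continues in a later segment
            body, self.rec_buf = self.rec_buf[5:5 + length], self.rec_buf[5 + length:]
            if ctype == TLS_HANDSHAKE:
                self.hs_buf += body
                self._parse_handshake()
            # alerts, ChangeCipherSpec and application data are not needed here
        return self.state

    def _parse_handshake(self):
        while self.state == "PARSING" and len(self.hs_buf) >= 4:
            htype = self.hs_buf[0]
            hlen = int.from_bytes(self.hs_buf[1:4], "big")
            if hlen > self.max_message:
                self._fail("handshake message length %d exceeds maximum" % hlen)
                return
            if len(self.hs_buf) < 4 + hlen:
                return              # message continues in a later record
            msg, self.hs_buf = self.hs_buf[4:4 + hlen], self.hs_buf[4 + hlen:]
            if htype == HS_SERVER_HELLO and len(msg) >= 35:
                sid_len = msg[34]   # after version(2) + random(32)
                self.session_id = msg[35:35 + sid_len]
            elif htype == HS_SERVER_HELLO_DONE:
                self.state = "PASSTHROUGH"

    def _fail(self, reason):
        self.state, self.error = "ERROR", reason   # the RST-with-SSID-error case
        return self.state


# --- constructed sample traffic (not captured from a real system) ----------

def hs_msg(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def tls_record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def build_server_flight(session_id, cert_len=3000, split_cert_at=None):
    """ServerHello, Certificate, ServerHelloDone as one byte stream.

    With split_cert_at set, the Certificate message is carried in two records,
    so a single handshake message itself spans a record boundary.
    """
    sh_body = (b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)])
               + session_id + b"\x00\x2f\x00")
    cert = hs_msg(HS_CERTIFICATE, b"\xaa" * cert_len)
    stream = tls_record(TLS_HANDSHAKE, hs_msg(HS_SERVER_HELLO, sh_body))
    if split_cert_at is None:
        stream += tls_record(TLS_HANDSHAKE, cert)
    else:
        stream += tls_record(TLS_HANDSHAKE, cert[:split_cert_at])
        stream += tls_record(TLS_HANDSHAKE, cert[split_cert_at:])
    return stream + tls_record(TLS_HANDSHAKE, hs_msg(HS_SERVER_HELLO_DONE, b""))


def parse_in_segments(stream, segment_size):
    """Deliver the stream in segment-sized chunks and return the parser."""
    parser = SslPersistParser()
    for i in range(0, len(stream), segment_size):
        parser.feed(stream[i:i + segment_size])
    return parser


if __name__ == "__main__":
    sid = bytes(range(32))
    flight = build_server_flight(sid)
    for size in (1, 7, 1200, len(flight)):   # 1200 approximates the lowered MTU case
        p = parse_in_segments(flight, size)
        print(size, p.state, p.session_id == sid)
```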
655671-1 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
Component: TMOS
Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.
Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.
Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.
Workaround:
None. Typically, the issue resolves itself.
Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.
655649-2 : BGP last update timer incorrectly resets to 0
Solution Article: K88627152
Component: TMOS
Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.
Output from 'sh ip route':
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
[20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
[20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
[20/0] via 10.10.1.6, eno33554952, 00:00:00
Conditions:
Once ZebOS has learned a route from a BGP peer, the route shows up under 'sh ip route' and the BGP last update timer incorrectly resets.
Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.
Workaround:
None.
Fix:
BIG-IP no longer resets the last update time of routes learned via BGP, and BGP routes redistributed into other protocols no longer flap.
655628-1 : TCP analytics does not release resources under specific sequence of packets
Component: Local Traffic Manager
Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.
Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.
Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.
Workaround:
Turn off collecting TCP analytics data for the virtual server.
Fix:
TCP analytics now releases resources properly.
655617-1 : Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
Solution Article: K36442669
Component: Application Security Manager
Symptoms:
When running Safari or Firefox in incognito mode on iOS devices, the browser gets a TCP RST and cannot pass the client-side challenge. The system posts the following error in the tmm log: failed parsing header 3.
Conditions:
1. Web scraping is configured.
2. Persistent client identification is enabled.
3. Using Safari or Firefox on iOS devices.
Impact:
Browser cannot access the site.
Workaround:
Turn off persistent client identification.
Fix:
Safari, Firefox in incognito mode on iOS device can now pass persistent client identification challenge.
655500 : Rekey SSH sessions after one hour
Component: TMOS
Symptoms:
Common Criteria requires that SSH sessions be rekeyed at least every hour.
Conditions:
SSH connections to or from the BIG-IP system.
Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time.
Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'
Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.
Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.
655470 : IP Intelligence logging publisher removal can cause tmm crash
Solution Article: K79924625
Component: Advanced Firewall Manager
Symptoms:
TMM restarts immediately after the global ip-intelligence logging publisher is removed.
Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }
Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.
Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.
Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.
Fix:
Error handling now checks for NULL publisher and prevents the TMM restart.
655445-2 : Provide the ability to globally specify a DSCP value.
Component: Global Traffic Manager (DNS)
Symptoms:
The DSCP value is not configurable for some types of traffic, which can lead to dropped traffic during adverse network conditions.
Conditions:
Under adverse network conditions, monitor traffic can be dropped by the network.
Impact:
BIG-IP DNS incorrectly reports resources as unavailable because monitor traffic is dropped by the network due to congestion with unrelated traffic.
Workaround:
None.
Fix:
Setting the new db variable tm.egressdscp to a value other than the default value of 0 results in the system setting the DSCP value for outgoing traffic to the configured value.
655432-7 : SSL renegotiation failed intermittently with AES-GCM cipher
Solution Article: K85522235
Component: Local Traffic Manager
Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.
Conditions:
This failure is more likely to occur during mutual authentication.
Impact:
Some servers authenticate clients using renegotiation. This issue prevents their clients from properly connecting to the servers.
Workaround:
Disable AES-GCM cipher.
Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.
655364-1 : Portal access rewriting window.opener causes JS exception
Component: Access Policy Manager
Symptoms:
Portal access engine rewriting window.opener causes JavaScript exception error.
Conditions:
When rewriting window.opener.
Impact:
JavaScript exception error generated.
Workaround:
None.
Fix:
The rewriting window.opener operation now completes with Message 'null', which is correct behavior. No JavaScript exception error is generated.
655357-2 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
Solution Article: K06245820
Component: TMOS
Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.
This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.
Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.
Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.
Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.
To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.
Fix:
A db variable switchboard.l2.mitigation was introduced to configure this feature.
-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets will be hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.
-- A value of "monitor" does not forward packets but will count packets which were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports packet counts. Differences in packet counts are logged to /var/log/ltm.
-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.
655314 : When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★
Component: TMOS
Symptoms:
The platform-migrate option to the UCS load command is supposed to reject UCS archives generated on BIG-IP software v10.x. It does this; however, the hostname of the BIG-IP system changes to the one in the UCS.
Conditions:
You are trying to do a platform-migrate load to 12.1.2 or 13.0.0 of a UCS originating on a system running v10.x.
Impact:
The hostname is changed, but no other configuration is modified.
Workaround:
Set the hostname back to its old value.
Fix:
The hostname is now left unmodified.
655233-1 : DNS Express using wrong TTL for SOA RRSIG record in NoData response
Solution Article: K93338593
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.
Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.
Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.
Workaround:
There is no workaround.
Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.
655211-1 : bigd crash (SIGSEGV) when running FQDN node monitors
Solution Article: K25384206
Component: Local Traffic Manager
Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.
Conditions:
bigd is configured for FQDN node monitors.
Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.
Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.
Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.
655159-1 : Wrong XML profile name Request Log details for XML violation
Solution Article: K84550544
Component: Application Security Manager
Symptoms:
After system upgrade, Request Log details for XML violation show XML profile name as 'N/A'.
Conditions:
System upgrade.
Request Log details for XML violation.
Impact:
System upgrade does not synchronize properly between the policy and already existing XML profiles. The system functions properly on existing XML profiles, but the violation report's reference to the XML profile is wrong.
Workaround:
No workaround for already existing violation records.
For new violation reports, run apply policy.
Fix:
The system now uses the correct XML profile name in the Request Log details for XML violation.
655146-2 : APM Profile access stats are not updated correctly
Component: Access Policy Manager
Symptoms:
The active and established session counts in the output of the 'tmsh show apm profile access' command are not updated as sessions are established and terminated. At the same time, the following errors show up in the APM log:
err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)
Conditions:
-- A session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.
Impact:
APM profile access stats are not accurate.
Workaround:
None.
Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.
655085-2 : While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
Component: TMOS
Symptoms:
Message of the form
"notice sod[nnnn]: 010c006e:5: All devices in traffic group traffic-group-1(1 of 2) should have a HA group."
is logged on peer devices when a Viprion chassis is being rebooted.
Conditions:
Multiple Viprion chassis are configured in a sync-failover device group, using HA Group scores.
Impact:
Log message indicates a configuration error that does not exist.
Workaround:
If these messages occur during a peer reboot, they should be ignored.
Fix:
A Viprion chassis no longer reports HA Group configuration errors during a peer reboot.
655059-3 : TMM Crash
Solution Article: K37404773
655021-2 : BIND vulnerability CVE-2017-3138
Solution Article: K23598445
655005-1 : "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
Solution Article: K23355841
Component: TMOS
Symptoms:
The "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync.
Conditions:
Changing the "Inherit traffic group from current partition / path" setting and syncing to a peer unit using incremental sync.
Impact:
Peers in a Device Group will get out of sync.
Workaround:
Use a full sync instead.
Fix:
The "Inherit traffic group from current partition / path" virtual-address setting is now synchronized during an incremental sync.
654925-1 : Memory Leak in ASM Sync Listener Process
Solution Article: K25952033
Component: Application Security Manager
Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).
Conditions:
-- asm-sync is enabled on an auto-sync Device Group.
-- Errors occur during attempts to sync, either due to full disk or in response to one or more of the following uses in GUI or REST API:
+ Creating/importing/deleting policies.
+ Accepting many suggestions at once.
+ Adjusting Policy Building Settings.
Impact:
RAM is increasingly consumed, leading to swap usage until the device reaches a panic state.
Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl
Fix:
Hard limits for memory size are now enforced for ASM processes. The sync listener process now shuts down and restarts after an hour of failed repeated attempts to synchronize the device group state.
654873-2 : ASM Auto-Sync Device Group
Component: Application Security Manager
Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.
Conditions:
A mix of the following uses in GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.
Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.
Workaround:
Use manual sync groups for ASM sync.
Fix:
Communication for auto-sync groups repaired.
654599-1 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
Solution Article: K74132601
Component: Global Traffic Manager (DNS)
Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.
Conditions:
The config contains a large number (in the thousands) of GSLB virtual servers or wide IPs, resulting in the action not being completed.
Impact:
The "Finished" button on that page does not save the changes made on that page.
Workaround:
Use TMSH.
Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.
654549-1 : PVA support for uncommon protocols DoS vector
Component: TMOS
Symptoms:
A new HSB bitstream for VIPRION B4450 blades is needed to support IP uncommon protocols for DoS Vector.
Conditions:
Using the B4450 blade.
Impact:
No support for IP uncommon protocols for DoS Vector.
Workaround:
None.
Fix:
HSB v3.2.13.0 bitstream for VIPRION B4450 blades now provides support for IP uncommon protocols for DoS Vector.
Behavior Change:
This bitstream now supports IP uncommon protocols for DoS Vector. Any number of protocols with values between 0 and 255 can be enabled simultaneously.
654513-6 : APM daemon crashes when the LDAP query agent returns empty in its search results.
Solution Article: K11003951
Component: Access Policy Manager
Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.
Impact:
The APM daemon crashes, and RBA and WebSSO need to be restarted. This is a very rarely encountered issue.
Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.
Note: Adding the extra LDAP Auth agent to the policy preserves the existing functionality and features; the policy then fails in the LDAP Auth agent instead of crashing in the LDAP Query agent.
Fix:
The APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.
654508-2 : SharePoint MS-OFBA browser window displays Javascript errors
Component: Access Policy Manager
Symptoms:
SharePoint MS-OFBA browser window displays Javascript errors while doing authentication.
Conditions:
-- SharePoint Access through LTM and APM.
-- MS-OFBA iRule is used.
Impact:
JavaScript errors are shown on the MS-OFBA browser window.
Workaround:
None.
Fix:
Now the SharePoint MS-OFBA browser window no longer displays Javascript errors while doing authentication from Microsoft applications.
654368-7 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
Component: Local Traffic Manager
Symptoms:
No error is reported when the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by a trusted CA, if the CRL issuer has the same subject name as one of the certificates in the trusted CA bundle.
Conditions:
This occurs when associating CRLs with virtual servers.
Impact:
Error is not reported for invalid CRL.
Workaround:
The openssl command can be used to check whether the CRL is signed by a trusted CA.
Fix:
Error is reported in TMM logs if the CRL is not signed by trusted CA.
654109-2 : Configuration loading may fail when iRules calling procs in other iRules are deleted
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Loading of the configuration fails with a message indicating that a previously deleted iRule cannot be found:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
Conditions:
- iRule A is calling another iRule B using proc calls
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).
Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.
654086-3 : Incorrect handling of HTTP2 data frames larger than minimal frame size
Component: Local Traffic Manager
Symptoms:
HTTP2 frame size can vary between 16 KB (inclusive) and 16 MB (exclusive).
When a client sends a data frame spanning more than one TCP segment, the BIG-IP system incorrectly decrements the frame size twice from the receive window.
If proxy flow control is disabled, this only creates an additional window update frame. If the proxy is in flow control, this causes a flow control error.
Conditions:
-- HTTP2 profile is configured on a virtual server.
-- Client sends a data frame larger than 16384 bytes, violating RFC. Note: The receiving maximum frame size of the BIG-IP is permanently set at 16384 bytes.
Impact:
HTTP2 resets the stream with FLOW_CONTROL_ERROR.
Workaround:
There is no workaround at this time.
Fix:
When a client sends HTTP2 a data frame exceeding a negotiated maximum frame size, the BIG-IP system correctly resets the stream.
654046-1 : BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
Component: Access Policy Manager
Symptoms:
When an external Service Provider (SP) canonicalizes authentication requests using inclusive namespaces, a BIG-IP system used as SAML IdP may fail to process such requests. The user's SSO fails with the following errors in /var/log/tmm:
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Digest from SAML message is invalid
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Error(12) Signature verification failed for SAML Authentication
Conditions:
- BIG-IP is used as SAML IdP.
- User performs SP-initiated SAML SSO.
- External SAML SP sends signed authentication request, in which canonicalization was done with use of inclusive namespaces.
Impact:
Users are unable to perform SAML SSO with certain external service providers.
Workaround:
None.
Fix:
BIG-IP APM acting as SAML IdP now successfully processes authentication requests canonicalized with inclusive namespaces.
654011-2 : Pool member's health monitors set to Member Specific does not display the active monitors
Solution Article: K33210520
Component: TMOS
Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.
Conditions:
Have a pool member with Health Monitors set to Member Specific.
Impact:
The specified active monitors will be saved but won't be displayed as active.
Workaround:
Use tmsh to view a pool member's active monitors.
Fix:
Pool member's Health Monitors set to Member Specific now display active monitors.
653993-3 : A specific sequence of packets to the HA listener may cause tmm to produce a core file
Solution Article: K12044607
653976-2 : SSL handshake fails if server certificate contains multiple CommonNames
Solution Article: K00610259
Component: Local Traffic Manager
Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.
Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).
Impact:
A connection with the external server cannot be established. In the case of forward proxy, bypass or intercept will fail.
Workaround:
In the case of forward proxy bypass, configure IP address bypass instead of hostname bypass, since the IP address bypass check happens before the SSL handshake.
The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.
Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.
653880 : Kernel Vulnerability: CVE-2017-6214
Solution Article: K81211720
653772-2 : fastL4 fails to evict flows from the ePVA
Component: TMOS
Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.
Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.
Impact:
ePVA can continuously send a packet. This might eventually result in a network outage.
Workaround:
Disable HW acceleration.
Fix:
There are now no unknown accelerated flows.
Behavior Change:
The default behavior is to ignore unknown HW accelerated flows (connections). This change will proactively evict unknown HW accelerated flows from the HW (ePVA).
653771-2 : tmm crash after per-request policy error
Component: Access Policy Manager
Symptoms:
A TMM core is seen when a Reject ending in a per-request policy encounters an error.
Conditions:
The conditions that trigger this are unknown at this time; it was seen once on a per-request policy error.
Impact:
Traffic is disrupted while tmm restarts.
Fix:
TMM no longer cores when a Reject ending encounters an error in a per-request policy.
653746-2 : Unable to display detailed CPU graphs if the number of CPU is too large
Solution Article: K83324551
Component: Local Traffic Manager
Symptoms:
The detailed CPU graph cannot be displayed. Go to Statistics :: Performance and click 'View Detail Graph' under System CPU usage. The graph does not display, and the system posts the message: Error trying to access the database.
Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.
Impact:
Administrator is unable to view the detail CPU graphs.
Workaround:
None.
Fix:
The GUI can now display detailed CPU graphs for 1024 cores with the default of 4 lines per graph.
653729-2 : Support IP Uncommon Protocol
Component: Advanced Firewall Manager
Symptoms:
A BIG-IP system can have CPU usage be non-uniformly distributed across the datapath (tmm) threads, such that the overall CPU usage is low, but individual datapath threads may show high usage of a subset of the CPUs on the system. This can be observed by viewing the per-CPU usage, and can manifest as spuriously dropped packets/flows.
Conditions:
A BIG-IP system receives packets that have uncommon IP protocols – those not parsed by the BIG-IP system.
Impact:
The packets are eventually dropped but may drive a subset of the CPUs in the system to very high usage. As CPU usage increases, potentially reaching 100%, the BIG-IP system starts dropping packets and might eventually fail.
Workaround:
None.
Fix:
The system now supports packets that have uncommon IP protocols.
Behavior Change:
This change adds the capability of specifying various IP protocols as 'uncommon' protocols. The system can then use this list of uncommon protocols to mitigate an attack from uncommon protocols.
To do so, perform the following procedure:
1. Set the sys db tunable dos.uncommon.replace.illegal to true (it is false by default).
2. Set the 8 sys db tunables dos.uncommon.protocols[0-7] to specify which protocols should be considered uncommon (by default all protocols except ICMPv4/TCP/UDP/ICMPv6/SCTP, i.e. protocol numbers 1/6/17/58/132, are uncommon).
- dos.uncommon.protocols0 represents bits 31:0 of a 256-bit vector
- dos.uncommon.protocols1 represents bits 63:32 of a 256-bit vector
- dos.uncommon.protocols2 represents bits 95:64 of a 256-bit vector
- dos.uncommon.protocols3 represents bits 127:96 of a 256-bit vector
- dos.uncommon.protocols4 represents bits 159:128 of a 256-bit vector
- dos.uncommon.protocols5 represents bits 191:160 of a 256-bit vector
- dos.uncommon.protocols6 represents bits 223:192 of a 256-bit vector
- dos.uncommon.protocols7 represents bits 255:224 of a 256-bit vector
Setting the specific bit to '1' means that the specified protocol is considered 'uncommon', and setting the specific bit to '0' means that the specified protocol is not considered 'uncommon'.
Then the DoS vector IP Unknown Protocol can be used to mitigate an attack from the above-specified 'Uncommon Protocols'.
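Worked example, added here and not part of the F5 release note: it builds the eight dos.uncommon.protocols[0-7] words from a set of IP protocol numbers (and decodes them back for verification) using the bit layout listed above. It assumes each tunable holds an unsigned 32-bit word; the tmsh value formatting (hexadecimal) is an assumption to confirm on the device.

```python
# Added example (not F5 code): compute the dos.uncommon.protocols[0-7]
# words for a given set of 'uncommon' IP protocol numbers.
# Assumption: each tunable holds an unsigned 32-bit word, protocols0
# covering bits 31:0 of the 256-bit vector, protocols1 bits 63:32, and so
# on, with bit N set meaning IP protocol number N is treated as 'uncommon'.

from typing import Iterable, List, Set

WORDS = 8            # dos.uncommon.protocols0 .. dos.uncommon.protocols7
BITS_PER_WORD = 32   # each tunable covers 32 consecutive protocol numbers

# Protocols left "common" by default per the release note:
# ICMPv4 (1), TCP (6), UDP (17), ICMPv6 (58), SCTP (132).
DEFAULT_COMMON: Set[int] = {1, 6, 17, 58, 132}


def encode_uncommon(protocols: Iterable[int]) -> List[int]:
    """Return the 8 tunable words with a bit set for every uncommon protocol."""
    words = [0] * WORDS
    for proto in protocols:
        if not 0 <= proto <= 255:
            raise ValueError(f"IP protocol number out of range: {proto}")
        words[proto // BITS_PER_WORD] |= 1 << (proto % BITS_PER_WORD)
    return words


def decode_uncommon(words: List[int]) -> Set[int]:
    """Inverse of encode_uncommon: recover the protocol numbers marked uncommon."""
    if len(words) != WORDS:
        raise ValueError(f"expected {WORDS} words, got {len(words)}")
    marked: Set[int] = set()
    for index, word in enumerate(words):
        if not 0 <= word <= 0xFFFFFFFF:
            raise ValueError(f"word {index} is not an unsigned 32-bit value")
        for bit in range(BITS_PER_WORD):
            if (word >> bit) & 1:
                marked.add(index * BITS_PER_WORD + bit)
    return marked


def default_uncommon() -> Set[int]:
    """Every protocol number except the five common ones (the documented default)."""
    return set(range(256)) - DEFAULT_COMMON


def tmsh_commands(protocols: Iterable[int]) -> List[str]:
    """Render the 'tmsh modify sys db' lines for the computed words.

    Hexadecimal value formatting is an assumption; confirm the accepted
    format on the device before applying.
    """
    lines = ["tmsh modify sys db dos.uncommon.replace.illegal value true"]
    for index, word in enumerate(encode_uncommon(protocols)):
        lines.append(
            f"tmsh modify sys db dos.uncommon.protocols{index} value 0x{word:08x}"
        )
    return lines


if __name__ == "__main__":
    # Worked case: keep the default set but additionally treat GRE (47) and
    # ESP (50) as common, i.e. remove them from the uncommon vector.
    custom = default_uncommon() - {47, 50}
    for line in tmsh_commands(custom):
        print(line)
    # Round trip must be lossless.
    assert decode_uncommon(encode_uncommon(custom)) == custom
```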
653511-2 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
Solution Article: K45770397
Component: Local Traffic Manager
Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.
Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".
Impact:
Service interruption due to intermittent connection failures.
Workaround:
None.
Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.
653453 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
Component: TMOS
Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by an L2 defect in the Broadcom Trident2+ switch that the B4450 blade uses.
Conditions:
The switch learned a corrupted L2 FDB entry on the internal HiGig trunk.
Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.
Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.
Fix:
Resolved an issue on the Broadcom Trident2+ switch that B4450 blades use, in which ARP replies reached the front panel port but failed to reach TMMs.
Behavior Change:
A new BigDB variable is added to control in which mode the l2xmsg module in Broadcom SDK should run.
bcm56xxd.l2xmsg.mode: poll/fifo (default)
The BIG-IP system used to always run the l2xmsg module in poll mode. Now, the BIG-IP system runs the l2xmsg module in fifo mode by default.
653376-5 : bgpd may crash on receiving a BGP update with >= 32 extended communities
Component: TMOS
Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities.
Conditions:
A configured BGP peer sends a route update including an attribute containing 32 or more extended communities.
Impact:
bgpd may crash, causing the BGP peering to reset.
Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.
Fix:
bgpd no longer crashes on receiving a BGP update with >= 32 extended communities.
653324-3 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
Solution Article: K87979026
Component: Access Policy Manager
Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.
Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.
Impact:
This is a display issue only. There is no functional impact to the system.
Workaround:
Use a custom logo image with the pixel dimensions of 100x121 pixels.
Fix:
On macOS Sierra (10.12), Edge client now shows the customized icon of size 48x48 pixels that is now scaled correctly.
653285-1 : PEM rule deletion with HSL reporting may cause tmm coredump
Component: Policy Enforcement Manager
Symptoms:
tmm crashes with a coredump when a PEM policy rule with HSL reporting configured is deleted while passing active traffic.
Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.
Impact:
tmm coredump causes traffic disruption and restart of tmm.
Workaround:
None.
Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.
653234 : Many objects must be reconfigured before use when loading a UCS from another device.★
Component: TMOS
Symptoms:
Many objects are ignored by the platform-migrate option, and must be reconfigured before use when loading a UCS from another device.
Conditions:
UCS is being loaded from another device, using the platform-migrate option.
Impact:
Risk of configuration load failures.
Workaround:
None, other than reconfiguring for the destination device.
Fix:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.
Behavior Change:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.
653225-1 : coreutils security and bug fix update
Component: TMOS
Symptoms:
A race condition was found in the way su handled the management of child processes.
Impact:
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)
Workaround:
Install the latest hotfix.
Fix:
Fixed in coreutils-8.4-46.el6.
653224-1 : Multiple GnuTLS Vulnerabilities
Solution Article: K59836191
653217-2 : Multiple Samba Vulnerabilities
Solution Article: K03644631
653014-1 : Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name
Component: Application Security Manager
Symptoms:
An issue was introduced when dealing with custom Blocking pages containing an HTTP Header that has an underscore in the name.
Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.
Impact:
Set Active fails.
Workaround:
Use hyphens instead of underscores in the header name.
Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.
652973-2 : Coredump observed at system bootup time when many DHCP packets arrive
Component: Policy Enforcement Manager
Symptoms:
During system bootup, a system coredump is observed when many DHCP packets arrive before the system is fully ready, and many flow entry creation failures are observed.
Conditions:
-- BIG-IP DHCP proxy is in forwarding mode.
-- DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address.
-- DHCP packets arrive during system bootup and before system is fully ready (i.e., some VLANs, interfaces and routes are not fully up).
Impact:
System crash and coredump.
Workaround:
Make sure system has come up completely before sending DHCP packets to the system.
Fix:
Coredump no longer occurs under these conditions.
652968-2 : IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
Solution Article: K88825548
Component: TMOS
Symptoms:
During negotiations that use CREATE_CHILD_SA, IKEv2 fails to send a KE in the payload when PFS (perfect forward secrecy) is used in the config.
Rekey in IKEv2 does not negotiate new keys; the PFS value in phase1-perfect-forward-secrecy is used in the first exchange, then this first key is re-used in later rekey negotiation. Vendor interop problems exist when PFS is required by the other peer.
Conditions:
Define phase1-perfect-forward-secrecy with value other than none. After IPsec SAs expire or are manually deleted, the CREATE_CHILD_SA phase to negotiate new keys has no KEi payload from the BIG-IP Initiator and so no new encryption key.
Impact:
PFS settings apply only to first negotiation and not to subsequent SA rekeys. PFS is therefore absent. When the BIG-IP enters CREATE_CHILD_SA with a third party IPsec peer, negotiation will fail if the peer requires PFS. Under the same conditions, BIG-IP to BIG-IP tunnels will not fail.
Workaround:
To resolve vendor interop problems, disable PFS in the IPsec policy of both peers.
Fix:
When phase1-perfect-forward-secrecy is configured with a value other than none, the BIG-IP will now perform PFS negotiation correctly. Now rekey with CREATE_CHILD_SA generates a new key using the same DH Group as the first exchange that creates the first SA.
Note: In the ipsec-policy configuration object, the ike-phase2-perfect-forward-secrecy option is relevant only to IKEv1 and has no influence on IKEv2 PFS rekeying.
652848-2 : TCP DNS profile may impact performance
Solution Article: K44200194
652796-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
Component: Access Policy Manager
Symptoms:
ECA may be constantly restarting on BIG-IP appliance that has over 24 CPU cores.
Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.
Impact:
ECA NTLM functionality will not be accessible to the users.
Workaround:
If ECA functionality is not required, disable the process by running 'bigstart stop eca'.
If ECA functionality is needed:
1. Stop eca by running 'bigstart stop eca'.
2. Modify file '/etc/bigstart/scripts/eca' as follows:
a) Replace line:
cpu_count=$(get_number_cpu)
with line:
tmm_count=$(get_tmm_count)
b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}
with line:
exec /usr/sbin/${service} -n ${tmm_count}
3. Save the file, and restart the process by running 'bigstart start eca'.
Fix:
ECA no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.
652792-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
Component: Access Policy Manager
Symptoms:
urldb may be constantly restarting on a BIG-IP appliance that has over 24 CPU cores.
Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.
Impact:
URLDB functionality will not be accessible to the users.
Workaround:
If URLDB functionality is not required, disable the process by running 'bigstart stop urldb'.
If urldb functionality is needed:
1. Stop urldb by running 'bigstart stop urldb'.
2. Modify file '/etc/bigstart/scripts/urldb' as follows:
a) Replace line:
cpu_count=$(get_number_cpu)
with line:
tmm_count=$(get_tmm_count)
b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}
with line:
exec /usr/sbin/${service} -n ${tmm_count}
3. Save the file, and restart the process by running 'bigstart start urldb'.
Fix:
urldb no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.
652691-1 : Installation fails if only .iso.384.sig (new format signature file) is present★
Component: TMOS
Symptoms:
Tab completion will only complete the names of ISO images that have an old-style signature file ("BIG-IP-version-build.iso.sig"), not the new style ("BIG-IP-version-build.iso.384.sig"). Installation then fails even if you type out the full name.
Conditions:
This only happens when signature checking is enabled for ISO images. You can determine this by looking at the value of the DB variable "liveinstall.checksig".
Impact:
Tab completion will not show the ISO image, and even if you type out the full name, the installation will fail. An error message will appear in "show sys software status" and /var/log/liveinstall.log.
Workaround:
Put both types of signature file (.iso.sig and .iso.384.sig) on the device.
Fix:
Tab completion and installation will now work if the old signature file format (.iso.sig) is missing, and only the new signature format (.iso.384.sig) is present.
652689-2 : Displaying 100G interfaces
Solution Article: K14243280
Component: TMOS
Symptoms:
The interfaces' Active Media Type and Media Speed rows display 'none'.
Conditions:
Having a server with 100G interfaces.
Impact:
Cannot use GUI to determine interfaces' Active Media Type and Media Speed.
Workaround:
Use tmsh to see the affected interface.
Fix:
100G interfaces now display correctly.
652638-2 : php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
Component: TMOS
Symptoms:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
Impact:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
Fix:
Install the latest hotfix/image.
652539 : Multiple Bash Vulnerabilities
Solution Article: K73705133
652535-1 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
Solution Article: K54443700
Component: Local Traffic Manager
Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.
Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.
Impact:
HTTP/2 stream is reset.
Workaround:
None.
Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.
652516 : Multiple Linux Kernel Vulnerabilities
Solution Article: K31603170
652484-2 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster
Component: TMOS
Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.
Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.
Impact:
The f5optics version is not displayed for all of the blades.
Fix:
f5optics version information for all blades within a chassis is displayed when the user issues tmsh show net f5optics from the primary blade.
652445-2 : SAN with uppercase names result in case-sensitive match or will not match
Solution Article: K87541959
Component: Local Traffic Manager
Symptoms:
SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.
Conditions:
Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.
Impact:
SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.
Workaround:
Use lowercase characters for SAN domain names in SSL certificates.
Fix:
SNI match is now case-insensitive.
652200-1 : Failure to update ASM enforcer about account change.
Solution Article: K81349220
Component: Application Security Manager
Symptoms:
There is an error updating BD with the following information:
Errors:
------------
bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled
ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------
Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.
Impact:
Traffic is blocked due to an Unknown HTTP selector.
Workaround:
Use one of the following workarounds:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.
Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).
652151-1 : Azure VE: Initialization improvement
Solution Article: K61757346
652094-2 : Improve traffic disaggregation for uncommon IP protocols
Solution Article: K49190243
Component: TMOS
Symptoms:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default.
Conditions:
Traffic of uncommon IP protocols on VLAN configured with default DAG.
Impact:
Traffic for uncommon IP protocols not distributed evenly among available processing units.
Workaround:
None.
Fix:
The system now correctly distributes traffic for uncommon IP protocols based on src IP and dest IP.
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.
ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)
Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.
Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.
Behavior Change:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.
ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)
Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.
Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.
652052-3 : PEM:sessions iRule made the order of parameters strict
Component: Policy Enforcement Manager
Symptoms:
In the versions before 12.0, the order of parameters for "PEM::SESSIONS" rule was flexible. It was made strict because of the new validation infrastructure in 12.0. This breaks some existing iRules.
The system will report a validation error such as:
01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]
Conditions:
Some parameters, for example, subscriber-id come before the parameter user-name.
Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.
Workaround:
Change the order of the parameters.
652004-2 : Show /apm access-info all-properties causes memory leaks in tmm
Solution Article: K45320415
Component: Access Policy Manager
Symptoms:
When tmsh is used to view session information, memory leaks on each request that pulls session information from tmm. This is a small leak but can be a significant issue when all sessions are examined, or when sessions are examined multiple times in a short time interval.
Conditions:
When using show /apm access-info all-properties.
Impact:
Memory leaks in the tmm daemons. This affects all modules that use tmm.
Workaround:
The only workaround is to avoid using this mcp interface into tmm (that is, not to run the command), or to restart the tmms periodically after using it multiple times.
Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.
651910-2 : Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later
Component: Access Policy Manager
Symptoms:
You cannot change the 'Enable Access System Logs' and 'Enable URL Request Logs' properties via the GUI.
Conditions:
After upgrade from 12.x to 13.0.0 (where these new fields were added) or later.
Impact:
You cannot change 'Enable Access System Logs' and 'Enable URL Request Logs'.
Workaround:
Manually add the properties via tmsh. To do so, follow these steps (substituting your affected log setting for abc in the following example):
modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}
Fix:
Now it is possible to use the GUI to successfully use and configure log-setting objects that were created with tmsh.
651901-2 : Removed unnecessary ASSERTs in MPTCP code
Component: Local Traffic Manager
Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.
Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.
Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
Replaced many ASSERTs with other mitigations that allow TMM to continue running.
651772-3 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host (a host daemon, monitors, or the command line) may use a MAC and IPv6 source address belonging to a different VLAN.
Conditions:
- Multiple VLANs with IPv6 addresses configured.
- Multiple routes to the same destination (identical routes, more-specific routes, default routes, etc.) that cover the traffic destination.
- Route changes that shift traffic to the destination from one VLAN and gateway to another. This is typically observed with dynamic routing updates.
Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.
Workaround:
Continuous traffic to the IPv6 link-local next hops avoids this issue.
This can be achieved by a script or an external monitor that pings the next-hop link-local address on the specific VLAN.
Fix:
IPv6 host traffic no longer uses an incorrect IPv6 and MAC address after route updates.
Behavior Change:
Introduction of the sys db variable ipv6.host.router_probe_interval, which controls the sysctl net.ipv6.conf.default.router_probe_interval value. The default is 5 seconds.
651681-4 : Orphaned bigd instances may exist (within multi-process bigd)
Solution Article: K49562354
Component: Local Traffic Manager
Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may exist, such as an orphaned 'bigd.1' alongside the active 'bigd.1'.
Conditions:
-- The db variable Bigd.NumProcs is set to 2 or higher.
-- System monitors with long timeouts (~183 seconds or longer) might also be relevant.
When 'bigd' manages monitor configurations that result in no monitoring activity for a long time (for example, due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as "hung" and start another 'bigd' instance without explicitly terminating the suspended one.
Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.
Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.
Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.
Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.
Fix:
Multi-process 'bigd' no longer produces orphaned (suspended) process instances.
651651-3 : bigd can crash when a DNS response does not match the expected value
Solution Article: K54604320
Component: Local Traffic Manager
Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.
Conditions:
Monitoring DNS server(s), or using FQDN.
Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.
Workaround:
No workaround at this time.
Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.
651640-3 : queue full dropped messages incorrectly counted as responses
Component: Service Provider
Symptoms:
A negative number of active response messages is reported in the sipsession profile stats.
Conditions:
If a request message is dropped because the SIP filter's ingress message queue is full, the wrong statistic is incremented.
Impact:
Counting the dropped request messages as response messages makes the calculation of accepted response messages incorrect, producing a negative value.
Fix:
The correct stats fields are now incremented.
651476 : bigd may core on non-primary bigd when FQDN in use
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.
Conditions:
FQDN is in use.
Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.
Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.
Fix:
Known causes of the bug have been fixed.
651413-2 : tmsh list ltm node does not return an error when node does not exist
Component: TMOS
Symptoms:
TMSH does not post an error message when asked to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using a regular expression.
Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.
Impact:
The command produces no output and no error message, so there is no indication of why there is no output or of what the error condition might be.
Workaround:
None.
Fix:
TMSH now posts the appropriate node-not-found error message when tmsh list ltm node is run for LTM nodes that do not exist.
651362 : eventd crashes during boot
Component: TMOS
Symptoms:
eventd may crash during boot due to heap corruption.
Conditions:
This happens during subscription and unsubscription of events.
Impact:
eventd crashes.
Workaround:
None.
Fix:
Race condition has been resolved, so eventd no longer crashes.
651221-2 : Parsing certain URIs may cause the TMM to produce a core file.
Solution Article: K25033460
651155-1 : HSB continually logs 'loopback ring 0 tx not active'
Component: TMOS
Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.
Conditions:
Unknown.
Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.
Workaround:
None.
651135-4 : LTM Policy error when rule names contain slash (/) character★
Solution Article: K41685444
Component: Local Traffic Manager
Symptoms:
Beginning with v12.0.0, there is additional validation of LTM Policy rule names that allows only certain characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.
However, because the slash character is the delimiter of the BIG-IP virtual path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name cause validation problems: the rule appears to the system to have additional path segments.
Conditions:
LTM Policy rule contains the slash (/) character.
Impact:
Configuration will not load, or the configuration loads but the admin GUI does not show the policy rule.
Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to remove the illegal character or to substitute a valid character.
For example, the following policy won't load because the rule name contains a slash (/) character:
ltm policy mypolicy {
...
rules {
/testperson/a {
...
}
But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
ltm policy mypolicy {
...
rules {
_testperson_a {
...
}
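The following shell script, added here as an illustration and not part of the F5 release or its roll-forward code, applies the same slash-to-underscore translation to every rule name inside the rules { } blocks of ltm policy objects in a bigip.conf stream, while leaving other slash-containing values (pool paths, URI values, the policy name itself) untouched. It tracks brace depth so that only the block-opening lines directly under rules { } are treated as rule names. The policy, pool and URI values in the sample are constructed for this example.

```shell
#!/bin/sh
# Added example (not an F5 tool): rewrite LTM policy rule names that contain
# "/" in a bigip.conf stream, replacing "/" with "_" as the roll-forward fix
# does, while leaving every other value (pool paths, URI values) untouched.

# Constructed sample bigip.conf fragment; policy, pool and URI values are
# made up for this example.
sample_conf() {
    cat <<'EOF'
ltm policy /Common/mypolicy {
    controls { forwarding }
    requires { http }
    rules {
        /testperson/a {
            actions {
                0 {
                    forward
                    select
                    pool /Common/app_pool
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    starts-with
                    values { /testperson/a }
                }
            }
            ordinal 1
        }
        plain_rule {
            actions {
                0 {
                    forward
                    reset
                }
            }
            ordinal 2
        }
    }
    strategy /Common/first-match
}
EOF
}

# Reads bigip.conf text on stdin, writes the corrected text on stdout.
fix_policy_rule_names() {
    awk '
    function braces(s,    o, c) {       # net change in brace depth for one line
        o = gsub(/[{]/, "{", s); c = gsub(/[}]/, "}", s); return o - c
    }
    {
        line = $0
        if (!in_policy && line ~ /^ltm policy /) { in_policy = 1; pdepth = 0 }
        if (in_policy) {
            # "rules {" directly under the policy opens the block we care about
            if (!in_rules && pdepth == 1 && line ~ /^[[:space:]]*rules [{][[:space:]]*$/) {
                in_rules = 1; rdepth = 0
            } else if (in_rules && rdepth == 1 && line ~ /^[[:space:]]*[^[:space:]]+ [{][[:space:]]*$/) {
                # a block opened at depth 1 inside "rules" is a rule; rename it
                match(line, /[^[:space:]]+ [{]/)
                name = substr(line, RSTART, RLENGTH - 2)
                gsub(/\//, "_", name)
                line = substr(line, 1, RSTART - 1) name " {"
            }
            d = braces(line)
            pdepth += d
            if (in_rules) { rdepth += d; if (rdepth <= 0) in_rules = 0 }
            if (pdepth <= 0) in_policy = 0
        }
        print line
    }'
}
```

Usage: sample_conf | fix_policy_rule_names shows the translation on the sample; on a system, run fix_policy_rule_names < /config/bigip.conf > /tmp/bigip.conf.fixed, diff the two files, and only then replace the original and reload the configuration. Quoted rule names containing spaces are left alone by the pattern and must still be handled by hand.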
Fix:
For upgraded configurations, the roll-forward process will automatically translate slash (/) to underscore (_) in LTM Policy rule names. When creating new rules, validation will not succeed if a rule name contains an illegal character, such as a slash, so the issue will be prevented.
651106 : memory leak on non-primary bigd with changing node IPs
Component: Local Traffic Manager
Symptoms:
On BIG-IP systems with multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes consume an unusually high amount of memory, and bigd may core when the FQDN node IP addresses change frequently.
Conditions:
FQDN nodes are configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or as multiple bigd instances on a single blade. As configuration changes to FQDN nodes cause IP addresses to change, memory consumption of the non-primary bigd processes may be unusually high.
Impact:
bigd memory leak; possible bigd crash.
Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.
651001-1 : massive prints in tmm log: "could not find conf for profile crc"
Component: Advanced Firewall Manager
Symptoms:
Massive numbers of the message "could not find conf for profile crc" appear in the tmm log while traffic is passing.
Conditions:
1. A DoS profile is attached to the virtual server, and the DoS profile does not have DoS Application enabled.
2. An ASM policy is attached to the same virtual server with Web Scraping, Session Hijacking, Session Awareness with device ID (DID) collection, or Brute Force with device ID collection enabled.
Impact:
The massive number of log messages can cause tmm to abort. Traffic is disrupted while tmm restarts.
Workaround:
Enable DoS Application in the DoS profile (even if it is configured to do nothing).
Fix:
The log messages have been removed.
650422-2 : TMM core after a switchover involving GY quota reporting
Component: Policy Enforcement Manager
Symptoms:
TMM produces a core dump in the code path for asynchronous subscriber lookup.
Conditions:
This core happens in an intra-chassis HA configuration when Gy is configured and an HA switchover is forced.
Impact:
An initial core dump (or HA switchover) triggers multiple core dumps. Traffic is disrupted while tmm restarts.
650349 : Creation or reconfiguration of iApps will fail if logging is configured
Solution Article: K50168519
Component: TMOS
Symptoms:
If logging destination of any type is configured (ArcSight, IPFIX, remote high speed logging, etc.), creation or reconfiguration of iApps will fail. The following error will be reported in /var/log/webui.log and displayed in the GUI: The connection to mcpd has been lost, try again.
Conditions:
Logging is configured: filter, destination, and publisher.
Impact:
Cannot create new iApps or reconfigure existing ones.
Workaround:
Remove logging configuration.
Fix:
Can now create or reconfigure iApps if logging is configured.
650317-3 : The TMM on the next-active panics with message: "Missing oneconnect HA context"
Component: Local Traffic Manager
Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.
Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.
Impact:
Connections on the active are not mirrored while the next-active restarts.
Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.
Fix:
Mirrored connections which fail to find an HA context on the next-active are not established on the next-active.
650292-2 : DNS transparent cache can return non-recursive results for recursive queries
Component: Local Traffic Manager
Symptoms:
If a non-recursive query is cached by the DNS transparent cache, subsequent recursive queries receive the non-recursive answer.
Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.
Impact:
Non-recursive responses to recursive requests.
Workaround:
An iRule can be attached to the listener to disable the cache when the RD (recursion desired) bit is not set in the DNS request.
Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.
650286-2 : REST asynchronous tasks permissions issues
Solution Article: K24465120
650152-1 : Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
Component: Local Traffic Manager
Symptoms:
On Nitrox PX platforms, vCMP guests cannot accelerate AES-GCM traffic, which might cause high CPU usage.
Conditions:
vCMP guests deployed on Nitrox PX-based platforms, with an SSL cipher configured to use AES-GCM.
The following blades support the Nitrox PX and vCMP combination: VIPRION B4200, B4300, B2100, and B2150 blades.
Impact:
High CPU usage.
Workaround:
No workaround.
Fix:
Added AES-GCM hardware acceleration support for Nitrox PX-based vCMP.
650081-1 : FP feature causes the blank page/delay on IE11
Solution Article: K53010710
Component: Advanced Firewall Manager
Symptoms:
When Proactive Bot Defense (PBD) and Fingerprinting (FP) are both enabled, there is very high client-side latency, especially on Microsoft Internet Explorer (IE).
On IE, the challenge sometimes remains on a blank page and never moves on to the site served by the back-end server.
Conditions:
ASM DoS protection with fingerprinting is in use, and clients access the site with Microsoft Internet Explorer v11 (IE11).
Impact:
Delay or blank page when clients access the page using IE11.
Workaround:
None
Fix:
Improved the client-side run-time of the JavaScript challenge and prevented it from getting stuck on Internet Explorer.
650074-1 : Changed Format of RAM Cache REST Status output.
Component: Local Traffic Manager
Symptoms:
The REST API returned cache contents in display form, not in tagged-field form.
Conditions:
Using REST API.
Impact:
Callers that want to post-process the data must parse display-formatted text.
Workaround:
The text can be displayed as is; to present the data in another format, the caller must parse it.
Fix:
Now RAM Cache REST Status output is returned in field format, and must be parsed by a JSON parser and formatted for display. If you were using the previous format, you must now parse the JSON and re-format the data for display.
Behavior Change:
REST API calls for RAM Cache stats now return data as formatted JSON.
650059-1 : TMM may crash when processing VPN traffic
Solution Article: K20087443
650002-1 : tzdata bug fix and enhancement update
Component: TMOS
Symptoms:
There have been changes to timezone data that impact tzdata packages:
* Mongolia no longer observes Daylight Saving Time (DST).
* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.
Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.
Impact:
Timezone data provided in tzdata will not match the area's actual time. Clocks in the Magallanes Region differ from America/Santiago (the zone it was previously part of).
Workaround:
None.
Fix:
To accommodate the Magallanes Region change, the new America/Punta_Arenas zone was created; Mongolia's zones no longer observe DST. Changes were also made to support other timezone changes.
* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.
Note: Users of tzdata are advised to upgrade to tzdata-2017b-1.el6.
649949-1 : Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
Component: TMOS
Symptoms:
Following the instructions at https://support.f5.com/csp/article/K13117 occasionally fails on iSeries platforms, with the system unable to find the installation media.
When this happens, the following command fails:
image2disk --instslot=HD1.1 --setdefault --nosaveconfig
Conditions:
This can occur on iSeries platforms while performing a clean installation.
Impact:
The /dev/cdrom symlink points to the virtual CD-ROM drive on iSeries platforms instead of the physical USB DVD-ROM drive, which prevents image2disk from automatically finding the installation media.
Workaround:
After the failure, while in MOS, determine the USB CD-ROM device name, mount it, and tell image2disk explicitly where it is:
bash (try 'info') / > dmesg | grep "sr0\|sr1"
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray <-- cdrom name
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1
bash (try 'info') / > mount -r -t iso9660 /dev/srX /cdserver
bash (try 'info') / > image2disk --instslot=HD1.1 --nosaveconfig /cdserver
In the mount command, replace "/dev/srX" with whichever device is the physical drive.
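As an added example (not part of the F5 procedure), the shell functions below identify the physical USB DVD-ROM from MOS in two ways: by the sysfs path of each sr device, which for USB-attached drives passes through a usbN bus node, and, as a fallback, by the dmesg capability line, which in the sample above names a DVD-capable unit only for the physical drive (a heuristic taken from that sample, not a documented rule). The dmesg excerpt is constructed to mirror the one above, and readlink -f and /sys/block are assumed to be available in MOS. Running the script with --run prints the mount and image2disk commands for the chosen device rather than executing them, so the operator can review them first.

```shell
#!/bin/sh
# Added example, not part of the F5 procedure: pick the physical USB DVD-ROM
# from MOS, then print (not run) the mount and image2disk commands for it.

# Constructed dmesg excerpt mirroring the sample in the workaround above.
sample_dmesg() {
    cat <<'EOF'
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1
EOF
}

# $1 = resolved sysfs path of a block device (readlink -f /sys/block/srX).
# USB-attached devices sit under a usbN bus node in that path.
is_usb_block_dev() {
    case "$1" in
        */usb[0-9]*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads dmesg text on stdin and prints the sr devices whose capability line
# mentions DVD media. Heuristic: in the sample, only the physical drive
# reports a DVD-capable unit; the virtual drive reports just "scsi-1 drive".
dvd_capable_sr() {
    awk '/^sr[0-9]+: .*dvd/ { sub(/:$/, "", $1); print $1 }'
}

# Prints the sr devices attached over USB on the running system; prints
# nothing when none exist or /sys is unavailable. Assumes readlink -f.
usb_sr_devices() {
    for dev in /sys/block/sr*; do
        [ -e "$dev" ] || continue
        if is_usb_block_dev "$(readlink -f "$dev")"; then
            basename "$dev"
        fi
    done
}

# $1 = device name such as sr0. Prints the two MOS commands for review.
install_commands() {
    printf 'mount -r -t iso9660 /dev/%s /cdserver\n' "$1"
    printf 'image2disk --instslot=HD1.1 --nosaveconfig /cdserver\n'
}

main() {
    dev=$(usb_sr_devices | head -n 1)
    [ -n "$dev" ] || dev=$(dmesg 2>/dev/null | dvd_capable_sr | head -n 1)
    if [ -z "$dev" ]; then
        echo "no USB or DVD-capable sr device found; inspect dmesg manually" >&2
        return 1
    fi
    install_commands "$dev"
}

# Only act when explicitly asked, so sourcing the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The sysfs check is preferred because it does not depend on how the drive describes itself; the dmesg heuristic only decides ties when /sys is missing, and its output should still be confirmed against the device list before mounting.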
649933-1 : Fragmented RADIUS messages may be dropped
Component: Service Provider
Symptoms:
Large RADIUS messages may be dropped when processed by iRules.
Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.
Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:
Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""
Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.
649929-1 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
Component: Access Policy Manager
Symptoms:
A saml_sp_connector cannot be deleted within a transaction, even when all related objects are specified.
Conditions:
Deleting a saml_sp_connector in a transaction along with its associated objects.
Impact:
Cannot delete saml_sp_connector and associated objects.
Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector
Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.
649907-2 : BIND vulnerability CVE-2017-3137
Solution Article: K30164784
649904-2 : BIND vulnerability CVE-2017-3136
Solution Article: K23598445
649866-1 : fsck should not run during first boot on public clouds
Component: TMOS
Symptoms:
Although it is not needed, a filesystem check runs during the first boot. This increases boot time, especially for images created more than 180 days before the first boot, because twice a year a more comprehensive fsck operation runs at boot.
Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).
Impact:
Potentially unacceptably long boot times.
Workaround:
None.
Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.
649617-2 : qkview improvement for OVSDB management
Component: TMOS
Symptoms:
The user can configure ovsdb-server on the BIG-IP system to communicate with an OVSDB-capable controller.
To connect to the controller over an SSL connection, the user configures a certificate and a certificate key (private key) in the tmsh object sys management-ovsdb. If the user later runs qkview to collect system information, the configured certificate key is collected into the qkview.
Conditions:
The following conditions need to be met:
- BIG-IP has the SDN Services license.
- The tmsh object sys management-ovsdb is set to enabled (it is disabled by default).
- The sys management-ovsdb cert-key-file property is set to a certificate key (it is none by default).
Impact:
When the user runs qkview, the certificate key configured in sys management-ovsdb cert-key-file is collected into the qkview, so the private key is included in the diagnostic bundle.
Workaround:
If OVSDB management is currently enabled on the BIG-IP system, reset sys management-ovsdb cert-file and sys management-ovsdb cert-key-file to none before running qkview.
In general, if OVSDB management has ever been enabled, a user with bash shell access can check whether the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before running qkview.
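Added example, not F5 tooling: the shell functions below check the live system for the OVSDB key file named above and scan an extracted qkview directory for PEM private key blocks, so a key that was collected into the bundle is found before the bundle leaves the system. The sample directory tree and the dummy key body are constructed for the example; the intended use is to extract a real qkview (a tar archive) with tar and point find_private_keys at the resulting directory.

```shell
#!/bin/sh
# Added example (not F5 tooling): catch private key material before a qkview
# leaves the system. Two checks:
#   1. ovsdb_key_present - does the live box still hold the OVSDB key file
#                          that affected releases collect into qkview?
#   2. find_private_keys - scan an extracted qkview directory for PEM private
#                          key blocks, whatever path they were collected from.

# Path named in the workaround above.
OVS_KEY_FILE=/var/run/openvswitch/BIG-IP_ovs_cert_key

# Returns 0 (and prints the remediation) if the OVSDB key file exists.
ovsdb_key_present() {
    if [ -f "$OVS_KEY_FILE" ]; then
        echo "$OVS_KEY_FILE exists: set sys management-ovsdb cert-key-file to none, or delete the file, before running qkview" >&2
        return 0
    fi
    return 1
}

# $1 = directory of an extracted qkview. Prints the path, relative to $1, of
# every regular file containing a PEM private key block.
find_private_keys() {
    dir=$1
    find "$dir" -type f 2>/dev/null | while read -r f; do
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf '%s\n' "${f#"$dir"/}"
        fi
    done
}

# Builds a throwaway directory shaped like an extracted qkview and prints its
# path. The key body is a constructed placeholder, not a real key.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/var/run/openvswitch" "$d/config/ssl/ssl.crt" "$d/var/log"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA' \
        '-----END PRIVATE KEY-----' > "$d/var/run/openvswitch/BIG-IP_ovs_cert_key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBszCCAV2gAwIBAgIJAL' \
        '-----END CERTIFICATE-----' > "$d/config/ssl/ssl.crt/default.crt"
    printf '%s\n' 'Jan  1 00:00:00 bigip info: constructed log line' > "$d/var/log/ltm"
    printf '%s\n' "$d"
}
```

On the BIG-IP itself, run ovsdb_key_present before generating the qkview; on the host where the qkview was extracted, run find_private_keys <dir>. Any file it lists should be removed from the bundle, or the qkview regenerated after cert-key-file has been reset, before the bundle is uploaded anywhere.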
Fix:
The certificate key configured in sys management-ovsdb is no longer collected by qkview.
649613-3 : Multiple UDP/TCP packets packed into one DTLS Record
Component: Access Policy Manager
Symptoms:
The system converts server-provided packets into PPP buffers, which are packed into DTLS records. There is currently a limit of about 14 KB per DTLS record, so the system can pack multiple PPP records into one DTLS record.
However, a larger DTLS record can be IP-fragmented on the server side. In a lossy environment, losing one IP fragment loses the whole DTLS record, resulting in poor performance.
Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.
Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.
Workaround:
None.
Fix:
DTLS performance has been improved in lossy or high-latency networks by optimizing the number of encoded PPP records inside each DTLS record.
649571-1 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not act when the server fails to renegotiate.
Conditions:
The BIG-IP system acts as a TLS client, the TLS server ignores the renegotiation request, and finite TLS session data or time limits are configured in the Server SSL profile on the BIG-IP system.
An example of such a TLS server is Apache/2.4.10 on Fedora Linux.
Impact:
Limits such as the data limit ("Renegotiate Size" in Server SSL) or the time limit ("Renegotiate Period" in Server SSL) are not enforced, even with a finite "Handshake Timeout".
Workaround:
None.
Fix:
The BIG-IP system acting as a TLS client (Server SSL profile) now shuts down the connection if the TLS server does not continue with TLS renegotiation within "Handshake Timeout" seconds after the BIG-IP system sent the ClientHello that initiated the renegotiation.
649564-2 : Crash related to GTM monitors with long RECV strings
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.
Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.
Impact:
Core dump. Traffic might be disrupted while gtmd restarts.
Workaround:
None.
Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.
649465-1 : SELinux warning messages regarding nsm daemon
Component: TMOS
Symptoms:
SELinux warning messages regarding the nsm daemon are logged when BFD is enabled and VLANs are deleted.
Conditions:
-- BFD enabled for any route-domain.
-- Deleting VLANs.
Impact:
None. The warning messages reference actions that are extraneous for the nsm daemon.
Workaround:
None.
Fix:
nsm no longer triggers SELinux warning messages when BFD is enabled and VLANs are deleted.
649234-3 : TMM crash from a possible memory corruption.
Solution Article: K64131101
Component: Access Policy Manager
Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.
Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.
649171-4 : tmm core in iRule with unreachable remote address
Component: Local Traffic Manager
Symptoms:
Calling TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with an unreachable remote_addr causes tmm to core.
Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Create a faux (dummy) route for the destination address so that it is reachable from the BIG-IP routing table.
649161-1 : AVR caching mechanism not working properly
Solution Article: K42340304
Component: Application Visibility and Reporting
Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.
Conditions:
Using AVR caching mechanism (turned-on by default).
Impact:
Reports will be incorrect.
Workaround:
The following tmsh command should resolve the problem:
tmsh modify sys db avr.requestcache value disable
* NOTE: this might make AVR perform somewhat slower.
Fix:
The system no longer stores the dimension-based queries in the AVR cache.
648990 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
Component: Local Traffic Manager
Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:
info tmm[17859]: 01260034:6: Block cipher data limit exceeded.
Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.
Impact:
Server SSL renegotiation does not occur, and the log message is displayed.
648954-5 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Configuration validation fails spuriously, potentially as a result of a ConfigSync or of modifying an iRule, with an error similar to the following:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
The error references an iRule that previously existed but has been deleted (or is being deleted as a result of the ConfigSync).
Conditions:
-- An iRule uses procedures defined in a different iRule.
-- The iRule is attached to a virtual server.
Impact:
iRule procs are still referenced after deletion, and configuration validation fails spuriously.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
648879-2 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
Solution Article: K90803619
648865-2 : Linux kernel vulnerability: CVE-2017-6074
Solution Article: K82508682
648786-5 : TMM crashes when categorizing long URLs
Solution Article: K31404801
648766-1 : DNS Express responses missing SOA record in NoData responses if CNAMEs present
Solution Article: K57853542
Component: Global Traffic Manager (DNS)
Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express does not include the expected SOA record in this scenario.
Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.
Impact:
A valid DNS response with a partial chase but missing the SOA record may not be considered authoritative because the record is missing.
Workaround:
None.
Fix:
The SOA record is now included as appropriate.
648715-2 : BIG-IP i2x00 and i4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
Component: Local Traffic Manager
Symptoms:
LACP, STP, and LLDP PDUs sent from i2x00 or i4x00 platforms have a VLAN tag added when they should not.
Conditions:
Enable any of the three protocols (LLDP, STP, or LACP); the PDUs sent by the BIG-IP incorrectly carry a VLAN tag with tag ID 0.
Impact:
Some third-party devices may reject the packet, which adversely affects operation of the affected protocol.
Workaround:
None.
Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.
648617 : JavaScript challenge repeating in loop when URL has path parameters
Component: Advanced Firewall Manager
Symptoms:
The JavaScript challenge repeats in a loop on URLs that have path parameters (URLs containing the ';' character). The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
For the other challenges, the challenge succeeds, but POST requests are not reconstructed correctly and are sent to the back-end server as a multipart message.
Conditions:
URLs contain the ';' character, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.
Impact:
Requests with the ';' character are blocked, and the browser repeats the challenge in a loop.
Workaround:
None
Fix:
The JavaScript challenge no longer gets stuck in a loop on URLs which have path parameters.
648544-5 : HSB transmitter failure may occur when global COS queues enabled
Solution Article: K75510491
Component: TMOS
Symptoms:
An HSB transmitter failure may occur if global COS queues are enabled. The failure is logged in the TMM log files.
Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2 instead of ring 0. If HSB ring 2 is heavily utilized, the loopback packets can be dropped, and the watchdog may then trigger an HSB transmitter failure.
Impact:
If this issue occurs, the BIG-IP system is rebooted.
Workaround:
Do not use global COS queues.
Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.
648320-3 : Downloading via APM tunnels could experience performance downgrade.
Component: Local Traffic Manager
Symptoms:
Multiple DTLS records can be packed into one UDP packet. When the packet is too large, it is fragmented at the IP layer, which causes a high number of packet drops and therefore degraded performance.
Conditions:
Downloading through APM tunnels.
Impact:
A high packet-drop rate and inferior performance.
Workaround:
None.
Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.
648286-2 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
Component: Global Traffic Manager (DNS)
Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.
Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.
Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). You must manually select each entry to add to the member list.
Loss of functionality from earlier releases.
Workaround:
Manually select each entry to add to the member list.
Fix:
Restored behavior that selects the next available entry in list after pressing the Add button on GSLB Pool's Member manage page.
648242 : Administrator users unable to access all partition via TMSH for AVR reports
Component: Application Visibility and Reporting
Symptoms:
Querying AVR reports via TMSH can fail if the query contains partition-based entities, even as an administrator user (who should have permissions to all partitions).
Conditions:
Using TMSH to query partition-based stats as an administrator user.
Impact:
AVR reports via TMSH fail when using partition-based entities.
Workaround:
None.
Fix:
Administrator users can now query all available partitions.
648056-2 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
Solution Article: K16503454
Component: TMOS
Symptoms:
bcm56xxd constantly crashes, and the device goes offline.
Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.
Impact:
Device goes off-line.
Workaround:
None.
Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.
648053-1 : Rewrite plugin may crash on some JavaScript files
Component: Access Policy Manager
Symptoms:
Rewrite plugin may crash parsing JavaScript files in US ASCII encoding.
Conditions:
JavaScript file in US ASCII encoding (not in UTF-8).
Impact:
Rewrite plugin may crash parsing this file. No response is sent to client.
Workaround:
Use an iRule to change or add the 'charset' parameter of the 'Content-type' response header so that it specifies 'UTF-8'.
Fix:
Now Portal Access rewrite correctly handles JavaScript data if the web page uses US ASCII encoding.
648037-2 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.
Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure a monitor for the pool.
Fix:
Fixed a tmm crash related to LB::reselect.
647988-3 : HSL Balanced distribution to Two-member pool may not be balanced correctly.
Solution Article: K15331432
Component: TMOS
Symptoms:
When configuring a two-member pool as the HSL destination and using "balanced" distribution, logs from the iRule HSL::send command may all end up on a single pool member.
Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-plane logging, for example (but not limited to) the iRule HSL::send command.
Impact:
Log messages may not be distributed correctly, resulting in more load on a single pool member.
Workaround:
None.
Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.
647944-2 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
Component: TMOS
Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.
Conditions:
A FIX profile is in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:
- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.
Impact:
Traffic disrupted while mcpd restarts.
Fix:
Prevented MCP from crashing when the FIX profile is edited.
647757-2 : RATE-SHAPER:Fred not properly initialized may halt traffic
Solution Article: K96395052
Component: Local Traffic Manager
Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.
Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.
Impact:
Traffic is halted.
Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value 9999 instead of the default 0.
-- Use RED as drop policy instead of fred.
647137 : bigd/tmm con vCMP guests
Component: Local Traffic Manager
Symptoms:
bigd/tmm con vCMP guests.
Conditions:
Set up vCMP guest on VIPRION B2100, B4200, or B4300 blades.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
This release corrects this issue so the crash no longer occurs.
647108-1 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
Component: Access Policy Manager
Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1
Conditions:
When deleting the saml-idp-connector first and then the associated SAML server.
Impact:
Cannot delete saml-idp-connector and associated server in that specific order.
Workaround:
Delete saml server first and then delete the saml connector.
Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.
646928-1 : Landing URI incorrect when changing URI
Component: Access Policy Manager
Symptoms:
User accesses resource1, and an access policy starts. Before the policy completes, the user changes to resource2. There is a warning page that the session already exists, and the user clicks to create a new session. After the policy completes, the user is directed to the landing URI of the resource1.
Conditions:
Attempting to change the landing URI in the middle of an access policy.
Impact:
End-user is inconveniently directed to the first resource instead of the second.
Fix:
Now the "To open a new session, please click here." link on the APM logout page reflects the last used landing URI rather than the first used landing URI.
646890-1 : IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
Solution Article: K12068427
Component: TMOS
Symptoms:
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.
Conditions:
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take effect without a racoon restart.
Impact:
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.
Workaround:
Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.
Fix:
Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.
646760 : Common Criteria Mode Disrupts Administrative SSH Access
Component: TMOS
Symptoms:
If Common Criteria mode is enabled the administrative SSH interface on BIG-IP may become unavailable.
Conditions:
CC-mode enabled.
Impact:
SSH interface not available, sshd may fail to start.
Workaround:
There is no workaround at this time.
Fix:
The SSH configuration is now correct when in CC mode.
646643-2 : HA standby virtual server with non-default lasthop settings may crash.
Solution Article: K43005132
Component: Local Traffic Manager
Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.
Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).
-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).
Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.
646615-1 : Improved default storage size for DNS Express database
Component: Global Traffic Manager (DNS)
Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.
Conditions:
DNS Express with configured zones.
Impact:
Possibly reduced database size.
Workaround:
N/A as this is an improvement.
Fix:
A tweak has been made to the DNS Express database to improve the initial database size.
646604-5 : Client connection may hang when NTLM and OneConnect profiles used together
Solution Article: K21005334
Component: Local Traffic Manager
Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.
Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.
Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.
646511-1 : BD crashes repeatedly after interrupted roll-forward upgrade★
Component: Application Security Manager
Symptoms:
After a roll-forward upgrade from version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.
Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.
Impact:
BD crashes repeatedly on subsequent attempts to start ASM.
Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:
tmsh modify sys db ucs.asm.traffic_data.save value disable
Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.
646443-1 : Ephemeral Node may be errantly created in bigd, causing crash
Solution Article: K54432535
Component: Local Traffic Manager
Symptoms:
When FQDN Ephemeral Nodes are used at the same time as static Node objects, and there is a change in those objects, either via DNS resolver changes or manual changes to static nodes, there is a chance that one may be misidentified as the other during an update, causing a crash in bigd.
Conditions:
FQDN Nodes and Static Nodes being used. Change in node settings or creation/deletion of nodes.
Impact:
Bigd crashes, causing interruption in monitoring.
Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.
Fix:
Fixed the case where misidentification could occur; bigd no longer crashes.
645805 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address
Component: TMOS
Symptoms:
LACP PDUs generated by the 'lacpd' on the i4x00 & i2x00 platforms contain the wrong Ethernet source MAC address.
Conditions:
LACP configured on a trunk interface on i4x00 or i2x00 platforms.
Impact:
Some Cisco and Juniper switches discard these PDUs. They send PDUs as if the BIG-IP system were not transmitting, with an all-zeros System ID in the 'Partner' section. This renders LACP inoperable, and simply does nothing if the far end is configured for 'Passive'.
Fix:
Ensure the correct source MAC address is inserted into the PDU.
645723-2 : Dynamic routing update can delete admin ip route from the kernel
Solution Article: K74371937
Component: TMOS
Symptoms:
Routes obtained from dynamic routing (BGP, etc.) can replace the existing management route for the admin IP address, making the BIG-IP system lose its management route. Static routes created via TMSH can also replace the management route.
Conditions:
Using TMSH to create a "net route" that matches the management network, or dynamic routing accepting a route that matches the management network.
Impact:
Loss of the management network route, and potential loss of access to the BIG-IP system via the management network.
Workaround:
Don't accept route updates for the management network. Don't create static routes for the management network.
Fix:
Management network admin IP address is now protected from being overwritten.
645717 : UCS load does not set directory owner
Component: TMOS
Symptoms:
When loading a UCS file, the directory /etc/ssh becomes owned by the first user in the UCS that has an .authorized_keys file.
Conditions:
A UCS is loaded that contains users with .authorized_keys files.
Impact:
Ownership of /etc/ssh is set to a non-root user after UCS load. This does not interfere with normal system operation or SSH authentication, but it does not follow secure coding practices.
Workaround:
Ownership of /etc/ssh can be restored with the command: chown root /etc/ssh
Fix:
UCS load now explicitly sets ownership of the /etc/ssh directory to root.
645684-2 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
Component: Access Policy Manager
Symptoms:
Flash ActionScript3 application components are loaded into an incorrect ApplicationDomain, and in some rare cases this may cause errors in the application.
Conditions:
This can occur when viewing Flash video while connected to APM.
Impact:
Flash applications might fail to render through Portal Access.
Workaround:
None
Fix:
Flash files accessed through Portal Access now load components into the correct ApplicationDomain. This improves compatibility with Flash apps.
645663 : Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
Component: Local Traffic Manager
Symptoms:
Accelerated crypto and compression traffic may fail; stuck queue reports appear in logs.
Conditions:
Guests provisioned with more than 12 vcpus, and crypto or compression traffic passed through hardware acceleration.
Impact:
Can cause the hardware accelerator to fail and require host reboot.
Workaround:
Limit guest provisioning to 12 vcpus.
Fix:
Allow guests provisioned with more than 12 vcpus to operate without stalling hardware accelerators.
645615-2 : zxfrd may fail and restart after multiple failovers between blades in a chassis.
Solution Article: K70543226
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.
Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.
Impact:
zxfrd will create a core file and restart, picking up where it left off.
Workaround:
None.
Fix:
The cause of the failure is now addressed.
645480-3 : Unexpected APM response
Solution Article: K45432295
645339-2 : TMM may crash when processing APM data
Component: Access Policy Manager
Symptoms:
Under certain conditions, TMM may crash while processing APM data.
Conditions:
APM enabled
Impact:
TMM crash leading to a failover event
Fix:
TMM processes APM data as expected
645220-2 : bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
Component: Local Traffic Manager
Symptoms:
When mcpd debug logging is enabled, mcp messages sent to or received from the bigd daemon are logged with a username of "(user %-P)" or "(user %-S)" instead of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".
Conditions:
mcpd debug messages with the "(user %-P)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and multiple instances of bigd are running.
mcpd debug messages with the "(user %-S)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and a single instance of bigd is running.
Impact:
Confusion about which daemon is referenced in mcpd debug logs with username "(user %-S)" or "(user %-P)".
Fix:
mcpd debug messages sent to or received from the bigd daemon are correctly logged with a username of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".
645197-3 : Monitors receiving unique HTTP "success" response codes may stop monitoring after status change
Component: Local Traffic Manager
Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) will accumulate in the monitor history; upon monitor status change (such as to "fail"), this history is sent (from 'bigd' to 'mcpd') to indicate that monitor's new-status, plus historical context. This history may grow too large if no monitor status is detected for an extended time (such as days or weeks) when unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from "success" to "fail"), notification from 'bigd' to 'mcpd' will fail due to this too-large history, resulting in the monitor remaining in its previous state (i.e., "success"). 'bigd' properly records the monitor status and continues to monitor; but 'mcpd' was not notified of that status change (due to message-send failure from the history being too large).
This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating "success"), as 'bigd' will elide/merge the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (for example, by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history will continue to grow for that monitor until a status-change is detected.
Conditions:
Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp; and success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from "success" to "fail").
Impact:
The monitor will remain in the "success" state, as the status-change will be "lost" ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.
Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes; thus, receiving the same return-code will elide/merge with previously accumulated values in the monitor history.
Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.
645179-6 : Traffic group becomes active on more than one BIG-IP after a long uptime
Solution Article: K42751321
Component: TMOS
Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- One or more traffic groups are configured.
-- The BIG-IP systems have a long uptime.
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fix:
Traffic groups no longer become active on more than one BIG-IP system in a device group after a long uptime interval.
645101-2 : OpenSSL vulnerability CVE-2017-3732
Solution Article: K44512851
645058-3 : Modifying SSL profiles in GUI may fail when key is protected by passphrase
Component: Local Traffic Manager
Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:
01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.
This can occur even when the passphrase already in the SSL profile is correct.
Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.
Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:
tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }
Impact:
User cannot update client SSL profile via the GUI.
Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.
Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.
645036-3 : Removing pool from virtual server does not update its status
Solution Article: K85772089
Component: Local Traffic Manager
Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.
Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.
Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.
Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.
Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.
Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.
644975-4 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
Component: TMOS
Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.
Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.
Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.
Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.
2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.
3) Save the file and exit the text editor to install the root user's new crontab configuration.
4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.
5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.
6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.
7) If the previous command shows that MAILTO=root still appears in some files, also modify those files so that MAILTO=root becomes MAILTO="".
Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.
644970-1 : Editing a virtual server config loses SSL encryption on iSession connections
Component: Wan Optimization Manager
Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.
Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.
Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.
Workaround:
Modify the virtual server's configured server-side iSession profile. For example, toggle the iSession profile from A to B and then back to A.
Fix:
Editing a virtual server configuration no longer deletes an iSession dynamically configured default server-ssl profile.
644946-2 : Enabling mirroring on SIP or DIAMETER router profile affects per-client connection mode operation
Solution Article: K05053251
Component: Service Provider
Symptoms:
When the mirror flag is enabled in the siprouter and diameterrouter profiles, an outgoing per-client connection is usable by any client connection from the same IP address.
Conditions:
This occurs when the mirror flag is enabled in the siprouter and diameterrouter profiles.
Impact:
In the siprouter and diameterrouter profiles, enabling mirroring incorrectly enables the internal ignore_peer_port flag, which causes the router not to consider the remote port of the client-side connection when determining which outgoing per-client connection can be used for forwarding messages.
Workaround:
None.
Fix:
The ignore_peer_port flag is no longer affected by the setting of the mirror flag, which is correct functionality.
644904-5 : tcpdump 4.9
Solution Article: K55129614
644873-2 : ssldump can fail to decrypt captures with certain TCP segmenting
Solution Article: K97237310
Component: Local Traffic Manager
Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.
The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data
Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.
Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.
Workaround:
None.
Fix:
ssldump now successfully decrypts such captures and no longer crashes.
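The failure mode above is a record parser that treats each TCP segment as a self-contained unit. The added example below (not F5's code, and not ssldump's) builds a constructed TLS byte stream, splits it so that a 5-byte record header straddles two segments, and contrasts a per-segment parser (which reports a short record and then a bogus content type, much like the output quoted above) with a stream-reassembling parser that buffers until a full record is available.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
HEADER_LEN = 5  # content type (1) + version (2) + length (2)


def build_record(content_type, payload, version=0x0303):
    """Build one TLS record: 5-byte header followed by the payload."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


# Constructed sample stream: a handshake record followed by an
# application_data record (payloads are placeholders, not real TLS data).
R1_PAYLOAD = b"constructed-hs"
R2_PAYLOAD = b"constructed-app-data"
STREAM = build_record(22, R1_PAYLOAD) + build_record(23, R2_PAYLOAD)

# Split the stream two bytes into the second record header, so that the
# header of the application_data record spans two TCP segments.
SPLIT = HEADER_LEN + len(R1_PAYLOAD) + 2
SEGMENTS = [STREAM[:SPLIT], STREAM[SPLIT:]]


def parse_records_naive(segments):
    """Parse every TCP segment in isolation.

    This is the defective behaviour: a header split across segments yields a
    'short record' at the end of one segment and, in the next segment, the
    leftover header bytes are misread as a new record with a nonsensical
    content type. Returns a list of (kind, version_or_type, payload)."""
    results = []
    for seg in segments:
        off = 0
        while off < len(seg):
            if len(seg) - off < HEADER_LEN:
                results.append(("short_record", None, None))
                break
            ctype, ver, length = struct.unpack_from("!BHH", seg, off)
            if ctype not in TLS_CONTENT_TYPES:
                results.append(("unknown_content_type", ctype, None))
                break
            body = seg[off + HEADER_LEN:off + HEADER_LEN + length]
            if len(body) < length:
                results.append(("short_record", ctype, None))
                break
            results.append((TLS_CONTENT_TYPES[ctype], ver, body))
            off += HEADER_LEN + length
    return results


def parse_records_stream(segments):
    """Reassemble the TCP byte stream and parse records across segment edges.

    Bytes are appended to a buffer and a record is emitted only once both its
    header and full body are present; anything shorter waits for more data.
    Returns (records, leftover_bytes)."""
    buf = b""
    results = []
    for seg in segments:
        buf += seg
        while len(buf) >= HEADER_LEN:
            ctype, ver, length = struct.unpack_from("!BHH", buf, 0)
            if ctype not in TLS_CONTENT_TYPES:
                raise ValueError("unknown TLS content type %d" % ctype)
            if len(buf) < HEADER_LEN + length:
                break  # body not yet complete; wait for the next segment
            results.append((TLS_CONTENT_TYPES[ctype], ver,
                            buf[HEADER_LEN:HEADER_LEN + length]))
            buf = buf[HEADER_LEN + length:]
    return results, buf


if __name__ == "__main__":
    for kind, info, _ in parse_records_naive(SEGMENTS):
        print("naive :", kind, info)
    records, leftover = parse_records_stream(SEGMENTS)
    for kind, ver, body in records:
        print("stream:", kind, hex(ver), body)
    print("leftover bytes:", len(leftover))
```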
644855-2 : iRules with commands that may suspend processing cannot be used with proactive bot defense
Component: Advanced Firewall Manager
Symptoms:
A request is dropped.
Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule that suspends processing (for example, one that includes a command such as "after") is assigned to the virtual.
For more information on which Tcl commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962
Impact:
All requests that trigger both proactive bot defense and the iRule are dropped.
Workaround:
N/A
Fix:
iRules that suspend execution no longer cause requests to be dropped when proactive bot defense is assigned.
644851-2 : WebSocket connection closes on receiving a Close frame from one of the peers
Component: Local Traffic Manager
Symptoms:
A WebSocket connection should be closed only once an endpoint has both sent and received a Close control frame. BIG-IP closes the connection on receiving a Close frame from one peer and does not wait for the Close frame from the other endpoint. As a result, data sent in the other direction is dropped.
Conditions:
Websocket and HTTP profile are attached to the virtual.
Impact:
One endpoint sends a WebSocket Close control frame. The other endpoint continues sending data, which BIG-IP drops.
Fix:
A half-close of the connection is now triggered instead of closing the connection entirely.
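To make the difference concrete, the added example below (a constructed model, not BIG-IP code) relays frames between a client and a server endpoint. With half_close=False it reproduces the defect described above (the first Close frame tears down both directions, so the other peer's in-flight frames are dropped); with half_close=True each direction closes independently and the connection is torn down only after both endpoints have sent a Close, as RFC 6455 requires.

```python
# WebSocket opcodes (RFC 6455 section 5.2).
TEXT, BINARY, CLOSE = 0x1, 0x2, 0x8


class WebSocketRelay:
    """Minimal model of a proxy between a 'client' and a 'server' endpoint.

    Tracks which endpoints have sent a Close frame. on_frame() returns
    "forward" or "drop" for each frame and records the decision in self.log.
    """

    def __init__(self, half_close=True):
        self.half_close = half_close
        self.close_sent_by = set()      # endpoints that have sent a Close frame
        self.connection_closed = False  # both directions torn down
        self.log = []

    def on_frame(self, sender, opcode, payload=b""):
        peer = "server" if sender == "client" else "client"
        if self.connection_closed or sender in self.close_sent_by:
            # Nothing is forwarded once the connection is fully closed, and an
            # endpoint must not send further frames after its own Close frame.
            self.log.append(("drop", sender, opcode))
            return "drop"
        self.log.append(("forward", sender, peer, opcode))
        if opcode == CLOSE:
            self.close_sent_by.add(sender)
            both_closed = self.close_sent_by == {"client", "server"}
            # Defective behaviour: the first Close ends the whole connection.
            # Half-close: only when both sides have sent Close is it finished.
            if not self.half_close or both_closed:
                self.connection_closed = True
        return "forward"


def run_scenario(half_close):
    """Client initiates the close while the server is still flushing data.

    Returns (per-frame decisions, whether the connection ended fully closed)."""
    relay = WebSocketRelay(half_close=half_close)
    decisions = [
        relay.on_frame("client", CLOSE, b"\x03\xe8"),   # status 1000, normal closure
        relay.on_frame("server", BINARY, b"tail-1"),     # server data still in flight
        relay.on_frame("server", TEXT, b"tail-2"),
        relay.on_frame("server", CLOSE, b"\x03\xe8"),   # server completes the handshake
        relay.on_frame("client", TEXT, b"late"),         # nothing may follow a Close
    ]
    return decisions, relay.connection_closed


if __name__ == "__main__":
    for mode in (False, True):
        decisions, closed = run_scenario(half_close=mode)
        print("half_close=%s -> %s, fully closed=%s" % (mode, decisions, closed))
```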
644822-2 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
Solution Article: K19245372
Component: Advanced Firewall Manager
Symptoms:
If AFM is provisioned, a FastL4 virtual server with the loose-init option enabled drops all RST packets that do not relate to any existing flows.
This behavior does not match the BIG-IP behavior when AFM is not provisioned.
Conditions:
-- AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.
Impact:
RST packets that do not relate to any existing flows are dropped, although they should not be dropped when the loose-init option is enabled.
Workaround:
No workaround.
Fix:
FastL4 virtual servers with the loose-init option enabled now forward any RST packets.
644799-1 : TMM may crash when the BIG-IP system processes CGNAT traffic.
Solution Article: K42882011
Component: TMOS
Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.
Conditions:
A TMM connflow related to CGNAT traffic is expired.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.
644723-1 : bcm56xxd logs link 'DOWN' message when an interface is admin DISABLED
Component: TMOS
Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:
Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN
Conditions:
This is logged when disabling an interface.
Impact:
The log message says the interface is DOWN; it should say DISABLED.
644694 : FPS security update check ends up with an empty page when error occurs.
Component: Fraud Protection Services
Symptoms:
While checking for security updates in FPS, GUI may display an empty page caused by internal errors, such as network errors or temporary downtime.
Conditions:
-- Provision and license FPS.
-- Check for security updates.
Impact:
Empty page is presented, with no indication of what error occurred.
Workaround:
Use TMSH or REST API to perform an update check.
Fix:
Now, when an error occurs, the error is displayed.
644693-3 : Fixes for multiple CVEs in openjdk-1.7.0
Solution Article: K15518610
644565-1 : MRF Message metadata lost when routing message to a connection on a different TMM
Component: Service Provider
Symptoms:
The system might choose to create a new outgoing connection when there is an available existing connection that could be used.
Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.
Impact:
Messages should still be delivered correctly, as the metadata is lost only after routing. There might be an impact if routing is retried and the ignore-peer-port setting has been lost; this might cause a new connection to be created even though an available existing connection exists.
Workaround:
None.
Fix:
The system now ensures that the ignore-peer-port flag is preserved when forwarding a message to a connection on another TMM.
644490-1 : Finisar 100G LR4 values need to be revised in f5optics
Component: TMOS
Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.
Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.
Impact:
Occasional packet loss at the 100G physical layer.
Workaround:
Use 100G SR4 optics modules on the link if possible.
Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.
For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).
644489-1 : Unencrypted iSession connection established even though data-encrypt configured in profile
Solution Article: K14899014
Component: Wan Optimization Manager
Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.
Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
1) An error occurs during dynamic server-ssl profile replacement.
2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.
In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.
Impact:
An unencrypted iSession connection may be established, which is inconsistent with configuring data-encrypt as enabled in the server-side iSession profile.
Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.
Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
2) An error occurs during dynamic server-ssl profile replacement.
644447-2 : sync_zones script increasingly consumes memory when there is network connectivity failure
Component: Global Traffic Manager (DNS)
Symptoms:
sync_zones memory usage exponentially increases during network disruption
Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.
Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.
Workaround:
None.
Fix:
sync_zones script now exits successfully at network failure.
644418-2 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
Component: Local Traffic Manager
Symptoms:
SSL Forward Proxy signs a forged certificate using the weakest hash algorithm found among the certificates in the server certificate chain, including the self-signed root certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.
Conditions:
This may occur when SSL Forward Proxy is in use.
Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.
Workaround:
None.
Fix:
In this release, the system excludes self-signed certificates from hash algorithm selection (which is correct behavior). This prevents a self-signed root from forcing the forged certificate to use the SHA1 hash algorithm.
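The selection logic described in this item, as an added example written for this page (it is not F5's implementation). The chain is modelled as a list of dicts carrying each certificate's subject, issuer and signature hash; real code would take those from the parsed X.509 signatureAlgorithm. The strength ordering in HASH_RANK, the sample chain, and the ValueError for a chain with no CA-signed certificate are assumptions of the model.

```python
"""Added example (not F5 code): a model of how SSL Forward Proxy picks the hash
algorithm for the certificate it forges.  The chain is a list of dicts with the
issuer/subject names and the hash used in each certificate's signature; real
code would read those from the parsed X.509 signatureAlgorithm.  The strength
ordering and the sample chain below are constructed for illustration."""

# Weakest to strongest; min() over this rank yields the "weakest" algorithm.
HASH_RANK = {"md5": 0, "sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}


def is_self_signed(cert):
    """A self-signed certificate names itself as issuer (the trust-anchor root)."""
    return cert["subject"] == cert["issuer"]


def forged_cert_hash(chain, exclude_self_signed=True):
    """Return the hash the forged certificate should be signed with: the weakest
    one present in the server's chain.  exclude_self_signed=False reproduces the
    pre-fix behaviour, where a root's SHA-1 self-signature dragged the result
    down to SHA-1 even though every certificate that clients actually validate
    was signed with SHA-256."""
    considered = [c["sig_hash"].lower() for c in chain
                  if not (exclude_self_signed and is_self_signed(c))]
    if not considered:
        # Only a self-signed certificate was presented: nothing in the chain is
        # signed by a CA, so there is no "weakest CA signature" to inherit.
        # (Assumption of this model; the product's fallback is not documented here.)
        raise ValueError("chain contains no CA-signed certificate")
    return min(considered, key=lambda h: HASH_RANK[h])


# Constructed chain: leaf and intermediate are SHA-256 signed; the self-signed
# root (as many still are) carries a SHA-1 self-signature.
SAMPLE_CHAIN = [
    {"subject": "CN=www.example.com", "issuer": "CN=Example Intermediate CA", "sig_hash": "sha256"},
    {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA", "sig_hash": "sha256"},
    {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA", "sig_hash": "sha1"},
]

if __name__ == "__main__":
    print("pre-fix :", forged_cert_hash(SAMPLE_CHAIN, exclude_self_signed=False))   # sha1
    print("post-fix:", forged_cert_hash(SAMPLE_CHAIN))                              # sha256
```

The point of the exclusion is that a root's self-signature is never verified by a client (the root is trusted by identity, not by its signature), so its hash says nothing about what the client will accept; only the CA-issued signatures on the leaf and intermediates do.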
644404-1 : Extracting SSD from system leads to Emergency LCD alert★
Component: TMOS
Symptoms:
When an SSD in a dual-SSD system configuration is extracted, an emergency alert may be issued on the LCD. This does not match the actual severity (Warning) as reported in the LTM log.
Conditions:
Dual SSDs in any BIG-IP system where one has been selected for removal.
Impact:
LCD reports an Emergency-level alert, which does not match the actual Warning severity reported in the LTM log.
Workaround:
Clear the Emergency alert from the LCD.
Fix:
The classification for SSD removal has been changed to 'Warning' to match the LTM log level.
644220-3 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
Solution Article: K37049259
Component: Global Traffic Manager (DNS)
Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.
Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.
Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.
Workaround:
None.
Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.
644184-4 : ZebOS daemons hang while AgentX SNMP daemon is waiting.
Solution Article: K36427438
Component: TMOS
Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.
Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.
Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.
Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.
Fix:
ZebOS daemons no longer hang while AgentX is waiting.
644112-2 : Permanent connections may be expired when endpoint becomes unreachable
Solution Article: K56150996
Component: Local Traffic Manager
Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.
Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.
Impact:
Tunnel, or other affected connection, will not pass traffic.
Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.
Fix:
Routing updates can no longer lead to expired permanent connections.
643785-3 : diadb crashes if it cannot find pool name
Component: Service Provider
Symptoms:
diadb utility crashes if it cannot find pool name.
Conditions:
-- diadb utility is running.
-- Pool name is not available in the Diameter persistence record.
Impact:
diadb utility crashes.
Workaround:
None.
Fix:
diadb will not crash even if it cannot find the pool name in the Diameter persistence record.
643777-2 : LTM policies with more than one IP address in TCP address match may fail
Solution Article: K27629542
Component: Local Traffic Manager
Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.
Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.
Impact:
The action configured with the match may not be taken.
Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.
Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.
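The first workaround above (a subnet instead of a list of single addresses) is only safe if the subnet matches exactly the addresses you meant and nothing more. The following added example (written for this page, not F5 code, standard library only) collapses a host list into the smallest exact set of CIDR blocks and checks that the result does not widen the match; the sample addresses are constructed.

```python
"""Added example (not F5 code): turn a list of single IP addresses into the
smallest set of subnets that matches exactly those addresses, and verify that
the subnet form does not widen the match.  Uses only the standard library."""
import ipaddress


def collapse_to_subnets(addresses):
    """Return CIDR strings covering exactly the given addresses.
    IPv4 and IPv6 are collapsed separately; collapse_addresses() refuses to mix them."""
    by_version = {}
    for a in addresses:
        net = ipaddress.ip_network(a, strict=False)   # accepts "10.0.0.1" or "10.0.0.0/24"
        by_version.setdefault(net.version, []).append(net)
    out = []
    for version in sorted(by_version):
        out.extend(str(n) for n in ipaddress.collapse_addresses(by_version[version]))
    return out


def covers_exactly(host_addresses, subnets):
    """True only if every host address is inside some subnet AND the subnets hold
    no address that was not in the original list (no accidental over-match).
    Intended for lists of single hosts, as in the policy rule above."""
    wanted = {ipaddress.ip_address(a) for a in host_addresses}
    nets = [ipaddress.ip_network(s) for s in subnets]
    if not all(any(ip in n for n in nets if n.version == ip.version) for ip in wanted):
        return False
    return sum(n.num_addresses for n in nets) == len(wanted)


def address_matches(client_ip, condition_values):
    """Evaluate an address condition the way a policy would: True if client_ip
    falls inside any listed IP or subnet of the same address family."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(v, strict=False) for v in condition_values]
    return any(ip in n for n in nets if n.version == ip.version)


# Constructed sample list: four contiguous addresses plus a fifth that is not.
SAMPLE_IPS = ["192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]

if __name__ == "__main__":
    subnets = collapse_to_subnets(SAMPLE_IPS)
    print(subnets, covers_exactly(SAMPLE_IPS, subnets))   # ['192.0.2.0/30', '192.0.2.4/32'] True
```

Run covers_exactly against the candidate subnets before committing the rule: a rounded-up block such as 192.0.2.0/29 covers the same five hosts but also admits .5 through .7, which is exactly the kind of silent over-match an address-based policy must not introduce.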
643631 : Serverside connections on virtual servers using VDI may become zombies.
Solution Article: K70938130
Component: Local Traffic Manager
Symptoms:
Listing connections with "tmsh show sys connection all-properties" (please be cautious executing this command as it could have performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.
Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.
Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.
Workaround:
None.
Fix:
Expired serverside connections are properly torn down.
643602-2 : 'Select All' checkbox selects items on hidden pages
Component: Fraud Protection Services
Symptoms:
In the FPS GUI, clicking 'Select All' when the list contains more than 10 items selects all items rather than only the items on the current page, which is what is expected.
Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:
On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.
Impact:
Unexpected behavior: items are deleted from pages that are not visible.
Workaround:
Check one or more items individually for deletion.
Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.
643582-2 : Config load with large ssl profile configuration may cause tmm restart
Component: Local Traffic Manager
Symptoms:
When doing a config load with a large number of SSL profiles, tmm may become busy enough that its TCP connection to mcpd goes down, which causes tmm to restart.
Conditions:
Doing a full config load with large number of ssl profiles.
Impact:
Possible tmm restart.
Workaround:
Doing incremental sync of changes can avoid this issue.
Fix:
A full configuration reload with a large number of SSL profiles no longer causes tmm to restart.
643547-1 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
Solution Article: K43036745
Component: Access Policy Manager
Symptoms:
Requests to /my.policy are not getting HTTP responses.
Log file '/var/log/apm' contains large number of error messages about failed XML data creation:
err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP APM system is configured with a large number of access policy agents.
-- You are performing an operation that requires the apmd process to start.
-- For example, your BIG-IP APM system is reloaded, you install a new image, or you manually restart the apmd process.
Impact:
APMD will not be able to process any requests.
Workaround:
For some configurations and platforms, you can use the following steps to recover:
- Remove all unused access policies (if applicable).
- Restart apmd.
Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.
643404-2 : 'tmsh system software status' does not display properly in a specific cc-mode situation★
Solution Article: K30014507
Component: TMOS
Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.
Conditions:
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).
Impact:
It is difficult to ascertain why the software change cannot be made.
Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.
To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.
Fix:
The 'tmsh show system software status' now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso).
Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.
643396-2 : Using FLOW_INIT iRule may lead to TMM memory leak or crash
Solution Article: K34553627
Component: Local Traffic Manager
Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.
Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.
Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a memory leak in the FLOW_INIT iRule event.
643375-1 : TMM may crash when processing compressed data
Solution Article: K10329515
643294 : IGMP and PIM not in self-allow default list when upgrading from 10.2.x★
Component: TMOS
Symptoms:
IGMP or PIM not in self-allow by default after upgrade.
Conditions:
Upgrade from 10.2.x.
Impact:
Advanced routing with multicast or PIM does not work when configured after upgrade with the default self-allow list.
Workaround:
Manually add PIM or IGMP to self-allow default.
643210-2 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
Solution Article: K45444280
Component: Local Traffic Manager
Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.
Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.
Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.
Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.
Fix:
The BIG-IP no longer deletes keys from the SafeNet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.
Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.
Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.
Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.
643187-2 : BIND vulnerability CVE-2017-3135
Solution Article: K80533167
643143-2 : ARP and NDP packets should be QoS/DSCP marked on egress
Component: Local Traffic Manager
Symptoms:
There is currently no way to prioritize ARP/NDP traffic on BIG-IP or configure QoS on TMM-originated ARP/NDP packets.
Conditions:
ARP and/or NDP is in use.
Impact:
When the BIG-IP system's CPU is saturated, there is a possibility that ARP and NDP packets might be dropped.
Workaround:
N/A
Fix:
You can now configure QoS on TMM-originated ARP/NDP packets.
To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority
To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority
Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.
These variables are set with the following commands:
tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]
Behavior Change:
You can now configure QoS on TMM-originated ARP/NDP packets.
To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority
To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority
Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.
These variables are set with the following commands:
tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]
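To make concrete where the value set with arp.vlanpriority / ipv6.nbr.vlanpriority ends up on the wire, here is an added example (written for this page, not F5 code): it builds an ARP request, wraps it in an 802.1Q-tagged Ethernet frame with a chosen priority, and reads the priority back as a switch or peer would. MAC and IP addresses are constructed; the -1 setting of the db variables (taken here to mean "not set") is not modelled.

```python
"""Added example (not F5 code): where the 802.1p priority that arp.vlanpriority /
ipv6.nbr.vlanpriority set actually lives on the wire.  Builds an ARP request,
wraps it in an 802.1Q-tagged Ethernet frame with a chosen PCP value, and reads
the priority back the way a receiver (or a switch) would.  All addresses are
constructed; the -1 'unset' value of the db variables is not modelled."""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp_request(sender_mac, sender_ip, target_ip):
    """28-byte ARP request for IPv4 over Ethernet (who-has target_ip)."""
    return struct.pack("!HHBBH6s4s6s4s",
                       1, 0x0800, 6, 4, 1,                       # htype, ptype, hlen, plen, op=request
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)


def tag_frame(dst_mac, src_mac, ethertype, payload, vlan_id, priority):
    """Ethernet frame with an 802.1Q tag.  The TCI is PCP(3) | DEI(1) | VID(12);
    'priority' is the PCP, i.e. the 802.1p class, 0 (best effort) to 7."""
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be 0..7")
    if not 0 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 0..4094")
    tci = (priority << 13) | vlan_id                  # DEI left clear
    header = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
    return header + payload


def read_priority(frame):
    """Return (pcp, vlan_id, inner_ethertype) for a tagged frame, or None if the
    frame carries no 802.1Q tag (then there is no priority field at all)."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETHERTYPE_VLAN:
        return None
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci >> 13, tci & 0x0FFF, inner


def reply_priority(request_frame):
    """Model of 'replies preserve the QoS value received in the request':
    reuse the request's PCP; None when the request was untagged."""
    info = read_priority(request_frame)
    return info[0] if info else None


if __name__ == "__main__":
    arp = build_arp_request("00:01:02:03:04:05", "10.0.0.1", "10.0.0.2")
    frame = tag_frame(BROADCAST, "00:01:02:03:04:05", ETHERTYPE_ARP, arp, vlan_id=100, priority=7)
    print(read_priority(frame))   # (7, 100, 2054)
```

The practical caveat this makes visible: the 802.1p bits exist only inside an 802.1Q tag, so the vlanpriority keys can only take effect on tagged VLAN interfaces; on an untagged interface there is no field to carry the value, and only the internal arp.priority / ipv6.nbr.priority setting applies.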
643121-1 : Failed installation volumes cannot be deleted in the GUI.
Component: TMOS
Symptoms:
Failed installation volumes aren't displayed under Disk Management and, therefore, cannot be deleted.
Conditions:
Have a failed installation volume.
Impact:
Cannot use the GUI to delete
Workaround:
Use tmsh to delete failed installation volumes using a command similar to the following:
tmsh delete /sys software volume <HDx.y>.
For example, to delete software volume HD1.0, use the following command:
tmsh delete /sys software volume HD1.0.
Fix:
Failed installation volumes can now be deleted in the GUI.
643054-2 : ARP and NDP packets should be CoS marked by the switch on ingress
Component: Local Traffic Manager
Symptoms:
When ARP and NDP requests are dropped, ARP caches can time out, and peer nodes may fail to resolve the BIG-IP system's self-IP addresses or virtual servers.
Conditions:
TMM0 is saturated and dropping packets.
Impact:
ARP requests can be dropped, and peer devices, such as routers and monitored devices, can fail to resolve the BIG-IP system's address.
Workaround:
None.
Fix:
You can now use db variables to control internal traffic priority for ingress ARP/NDP packets in the switch.
-- arp.priority : high/normal (default)
-- ipv6.nbr.priority : high/normal (default)
The 'normal' value is the default.
-- Setting arp.priority to high raises ARP packet priority.
-- Setting ipv6.nbr.priority to high raises NDP packet priority.
Behavior Change:
You can now use db variables to raise the internal traffic priority for ingress ARP/NDP packets in switch.
arp.priority : high/normal(default)
ipv6.nbr.priority : high/normal(default)
Setting arp.priority to high raises ARP packet priority.
Setting ipv6.nbr.priority to high raises NDP packet priority.
643013 : DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
Component: TMOS
Symptoms:
DAGv2 is a new DAG type and is designed to run on new platforms, including i5600, i5800, i7600, i7800, i10600, i10800 platforms. DAGv2 was not ready when these platforms were first released. DAGv2 is enabled on these platforms in v12.1.3.
Conditions:
i5600, i5800, i7600, i7800, i10600, i10800 platforms.
Impact:
No functional impact. This is simply an announcement of a change in the DAG version.
Workaround:
None.
Fix:
DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3.
642983-1 : Update to max message size limit doesn't work sometimes
Solution Article: K94534313
Component: Device Management
Symptoms:
There is a cap on the size of all REST request/response messages. By default it is 32 MB, and you can raise it using the /mgmt/shared/server/messaging/settings/8100 REST endpoint. However, the REST framework may not apply this change.
When this occurs, you see a 502 Bad Gateway error from Apache and an error message like "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in the restjavad log (/var/log/restjavad.0.log).
Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.
Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.
Workaround:
None.
Fix:
Messaging settings are now applied on requests/responses rather than on the RestServer, because forwarded outgoing requests/responses do not have a server instance attached to the request.
642982-3 : tmrouted may continually restart after upgrade, adding or renaming an interface★
Solution Article: K23241518
Component: TMOS
Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.
Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.
Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.
Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.
Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.
642952 : platform_check doesn't run PCI check on i11800
Component: TMOS
Symptoms:
When "platform_check misc" is run, it will return
Miscellaneous Tests
PCI: NOT RUN
Test not available on this platform
Conditions:
This always happens.
Impact:
No platform check for PCI is executed.
Workaround:
There is no workaround.
Fix:
The PCI platform check now runs on the i11800.
642874-1 : Ready to be Enforced filter for Policy Signatures returns too many signatures
Solution Article: K15329152
Component: Application Security Manager
Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.
Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.
Impact:
Incorrect results are shown as a result of the filter.
Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.
Fix:
The "Ready to be Enforced" filter works correctly.
642723-3 : Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
Component: TMOS
Symptoms:
In version 11.4.0, when pendsect was introduced, the Western Digital WD1600YS-01SHB1 hard drive was not supported. This drive was used in very early shipments of the 1600/3600 products.
If you are running 11.4.0 and have a WD1600YS-01SHB1, you might see the following errors in /var/log/ltm:
-- notice pendsect[1662]: skipping drive -- Model: WDC WD1600YS-01SHB1
-- notice pendsect[1662]: No known drives detected for pending sector check. Exiting
Conditions:
-- Running 11.4.0.
-- Using WD1600YS-01SHB1 hard drives.
Impact:
The only impact is a pendsect notice in /var/log/ltm. The hard drive operates as expected.
Workaround:
There is no mitigation or workaround for this issue.
Fix:
The WD1600YS-01SHB1 hard drive was added to the supported list of hard drives in versions 11.5.x, 11.6.x, and 12.1.3.
642703-2 : Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
Component: TMOS
Symptoms:
Installation from external media (PXE or USB) fails with error:
error: status 768 returned by command: /sbin/lvcreate -L -4719088K -n dat.share vg-db-cpmirror
info: >++++ result:
info: Negative size is invalid
info: Run `lvcreate --help' for more information.
info: >----
error: MultiVolume_add cpmirror.dat.share failed.
Conditions:
-- i5000, i7000, i10000, i11000, and i12000 platforms.
-- Installation from external media (PXE or USB).
-- Running software v12.1.2 or v13.0.0.
Impact:
System is non-functional. It will not work at all, until an 'installation from external media' is performed. There is no software on the system because the operation failed during the early stages of a formatting installation.
Workaround:
Use an earlier version for the formatting installation, such as 12.1.1, and then upgrade to the target version.
Fix:
The error no longer occurs; the formatting installation succeeds.
642659-2 : Multiple LibTIFF Vulnerabilities
Solution Article: K34527393
642400-2 : Path MTU discovery occasionally fails
Component: Local Traffic Manager
Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.
Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.
Impact:
The connection may stall as large TCP segments are continually retransmitted.
Workaround:
Configure the MSS in the TCP profile to match the lowest MSS on the path. Alternatively, disable Path MTU discovery with the tm.pathmtudiscovery database key.
Fix:
Path MTU discovery functions correctly with the TCP profile.
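What a TCP endpoint must do with an ICMP "fragmentation needed" message before acting on it, as an added example written for this page (not F5 code): verify the checksum, confirm the quoted inner header belongs to the connection, sanity-check the advertised next-hop MTU, and only then lower the MSS. The message is constructed in code; addresses and ports are arbitrary sample values.

```python
"""Added example (not F5 code): parse an ICMPv4 'fragmentation needed' message
(type 3, code 4) the way a TCP endpoint doing Path MTU discovery must: verify
the checksum, check that the quoted inner header belongs to *this* connection,
sanity-check the advertised next-hop MTU, and derive the new MSS.  The message
below is constructed in code; addresses and ports are arbitrary sample values."""
import ipaddress
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20          # MSS derivation assumes option-free headers
ICMP_UNREACH = 3
ICMP_FRAG_NEEDED = 4
MIN_IPV4_MTU = 68         # RFC 791 lower bound for any link


def inet_checksum(data):
    """Ones'-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu, inner_src, inner_dst, sport, dport):
    """Construct the ICMP message a router sends when a DF packet exceeds the
    next hop's MTU: 8-byte ICMP header (MTU in bytes 6-7, RFC 1191) followed by
    the offending packet's IPv4 header and the first 8 bytes of its TCP header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s",
                           0x45, 0, 1500, 0x1234, 0x4000,      # IHL 5, total length 1500, DF set
                           64, 6, 0,                           # TTL, protocol TCP, checksum not filled
                           ipaddress.IPv4Address(inner_src).packed,
                           ipaddress.IPv4Address(inner_dst).packed)
    inner_tcp8 = struct.pack("!HHI", sport, dport, 0x1000)     # ports + sequence number
    body = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + inner_ip + inner_tcp8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def pmtu_update(icmp, conn, current_mtu):
    """Return the MSS to switch to, or None if the message must be ignored.
    conn = (src, dst, sport, dport) of this connection's *outbound* packets,
    which is what the quoted inner header must match."""
    if len(icmp) < 8 + IPV4_HDR_LEN + 8 or inet_checksum(icmp) != 0:
        return None                                     # truncated or corrupt
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    ihl = (icmp[8] & 0x0F) * 4
    if ihl < IPV4_HDR_LEN or len(icmp) < 8 + ihl + 8:
        return None
    proto = icmp[8 + 9]
    src = str(ipaddress.IPv4Address(icmp[8 + 12:8 + 16]))
    dst = str(ipaddress.IPv4Address(icmp[8 + 16:8 + 20]))
    sport, dport = struct.unpack("!HH", icmp[8 + ihl:8 + ihl + 4])
    if proto != 6 or (src, dst, sport, dport) != conn:
        return None          # not our flow: ICMP is unauthenticated, so never act on a stranger's
    if mtu < MIN_IPV4_MTU or mtu >= current_mtu:
        return None          # 0 means 'unknown' (RFC 1191); never *raise* the MSS from ICMP
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


# Constructed sample: virtual server 10.1.1.10:443 talking to client 198.51.100.7:51000
CONN = ("10.1.1.10", "198.51.100.7", 443, 51000)
SAMPLE_MSG = build_frag_needed(1400, *CONN)

if __name__ == "__main__":
    print(pmtu_update(SAMPLE_MSG, CONN, 1500))   # 1360
```

The flow check is the security-relevant part: ICMP carries no authentication, so a message whose quoted header does not match an existing connection has to be dropped, otherwise an off-path sender could force every connection on the box down to a tiny MSS. The "ignore when the MTU is not smaller" check is what keeps the stall in this item from being traded for an oscillating MSS.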
642330-2 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: Global Traffic Manager (DNS)
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.
642314-2 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
Solution Article: K24276198
Component: TMOS
Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.
Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.
Impact:
gtm config load failure after upgrade.
Workaround:
Remove trailing dots or set "Domain Validation" to "none".
Fix:
Upgrading from 11.x to 12.x or 13.x with a GTM pool whose canonical-name ends in a dot now removes the trailing FQDN dot, so the configuration loads.
642284 : Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
Component: Carrier-Grade NAT
Symptoms:
Memory corruption caused by closing a PCP connection while requests are being processed.
Conditions:
This can occur when a PCP client sends multiple requests and closes before receiving the replies. When the client OS receives a reply it will send an ICMP destination unreachable message which causes the BIG-IP to close the PCP connection. If the PCP connection is closed while a request is being processed, memory corruption may occur when the request completes.
Impact:
When memory corruption occurs, TMM may crash or assert. Traffic disrupted while tmm restarts.
Fix:
Closing the PCP connection will not cause memory corruption.
642221-2 : Incorrect entity is used when exporting TCP analytics from GUI
Component: Application Visibility and Reporting
Symptoms:
When exporting statistics from the TCP Analytics page, the resulting data is for the default "view by" entity rather than the one that is actually selected.
Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.
Impact:
Incorrect data is being exported.
Workaround:
Use tmsh.
Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.
642068-1 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
Component: Policy Enforcement Manager
Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.
Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.
Impact:
PEM sessions remain in the marked-for-delete state.
Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.
Note: The value must be greater than 0 (zero).
Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.
642058-1 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
Component: TMOS
Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.
The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic
The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic
The interface will report in tmsh as down:
tmsh show net interface 5.0
--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
In Out In Out
--------------------------------------------------------
5.0 down 0 0 0 0 0 0 none
Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.
Impact:
The CBL-0138-01 will not work.
Workaround:
None.
Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.
642039-2 : TMM core when persist is enabled for wideip with certain iRule commands triggered.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV.
Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable persist on wideip.
Note: Although this is not an ideal workaround, it provides a way that to use those iRule commands without causing a tmm core.
Fix:
TMM no longer cores when persist is enabled for wideip with certain iRule commands triggered.
642015-2 : SSD Manufacturer "unavailable"
Component: TMOS
Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable".
Conditions:
BIG-IP system with SSD installed.
Impact:
No functional impact, cosmetic only.
Workaround:
No workaround but the issue is only cosmetic and does not indicate an issue with the system.
Fix:
SSD Manufacturer now displays "Samsung" as expected.
641612-2 : APM crash
Solution Article: K87141725
641574 : AVR doesn't report on virtual and client IP in DNS statistics
Solution Article: K06503033
Component: Application Visibility and Reporting
Symptoms:
On the analytics DNS page, the virtual and client IP stats will be shown as "Aggregated".
Conditions:
This can be seen in DNS analytics, when view-by virtual or client-ip is selected.
Impact:
DNS statistics show incomplete results.
Workaround:
None.
Fix:
AVR now provides the complete report results on virtual and client IP in DNS statistics.
641512-4 : DNSSEC key generations fail with lots of invalid SSL traffic
Solution Article: K51064420
Component: Local Traffic Manager
Symptoms:
DNSSEC keys can roll over periodically. The rollover fails, leaving no key to sign DNSSEC responses (no RRSIG records), when the BIG-IP is handling a lot of SSL traffic with invalid certificates.
The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.
Conditions:
DNSSEC keys are configured with periodic rollover, and the certificate path has queued an error (situations include, but are not limited to, a lot of SSL traffic with invalid certificates).
Impact:
New DNSSEC key generations are not accepted by the TMM, so when the prior generation expires there is no valid certificate to sign DNSSEC queries.
Workaround:
Restart the TMM after the new key generation is created.
Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.
641491-2 : TMM core while running iRule LB::status pool poolname member ip port
Solution Article: K37551222
Component: Local Traffic Manager
Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:
-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.
Example iRule syntax:
gtm rule pool_member_selection {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.0.0.10 80
    }
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the format 'ip:port' or the virtual server name instead of 'ip port'. Following are two examples:
1.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}
2.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}
Fix:
An iRule response to a DNS request no longer triggers TMM to produce a core file and restart.
641482-2 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received
Component: Policy Enforcement Manager
Symptoms:
The BIG-IP subscriber session remains in the delete pending (stale) state if the acknowledgement received from Gx or Gy for the CCR-T request carries a Result-Code marked as failure.
Conditions:
The stale session occurs during subscriber termination when any CCR-T request for Gx or Gy receives an acknowledgement with a non-SUCCESS Result-Code AVP.
Impact:
The subscriber session in BIG-IP stays in the delete pending (stale) state.
Workaround:
A tmm restart cleans up all the stale sessions.
Fix:
The session is now cleaned up when a CCR-T acknowledgement is received, irrespective of the Result-Code AVP.
641445-1 : iControl improvements
Solution Article: K22317030
641390-5 : Backslash removal in LTM monitors after upgrade
Solution Article: K00216423
Component: TMOS
Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.
Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.
Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.
For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.
ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\"    <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}
Impact:
The monitor fails to load.
Workaround:
Manually correct the string to match what it was before the upgrade; the configuration will then load.
Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.
641360-2 : SOCKS proxy protocol error
Solution Article: K30201296
641256-1 : APM access reports display error
Solution Article: K43523962
641248 : IPsec-related tmm segfault
Component: TMOS
Symptoms:
The tmm cores and all connections are reset.
Conditions:
Race condition during IPsec tunnel tear down.
Impact:
The tmm restarts and all connections reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The IPsec-related tmm segfault has been corrected.
641013-5 : GRE tunnel traffic pinned to one TMM
Component: TMOS
Symptoms:
GRE tunnel traffic can all be sent to one TMM if the BIG-IP system does not proxy the GRE tunnel and uses a forwarding virtual server to handle the GRE tunnel traffic.
Conditions:
A forwarding virtual server is used to handle GRE tunnel traffic.
Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.
Workaround:
None.
Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.
640903-1 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
Component: Global Traffic Manager (DNS)
Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.
Conditions:
The preference setting "Records per screen" is set to a high value; 50 or more starts causing the page to load very slowly.
Impact:
Extremely long page load time.
Workaround:
Prior to the fix, the workaround is to set the preference setting "Records per screen" to a low value. The default value of 10 is fine.
Fix:
The page can now load hundreds of records on a single screen in under 3 seconds.
640824-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
Solution Article: K20770267
Component: Application Security Manager
Symptoms:
Upon first start after the upgrade, the following error messages appear in the asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted
info perl[21860]: 01310053:6: ASM starting
-------------------------
Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.
Impact:
Upgrade fails.
Workaround:
Upgrade by saving a UCS, performing a clean install, and then loading the UCS.
In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error and lets the UCS load fine.
There are two options to disable the upgrade of the Request Log when upgrading by means of a UCS:
-------------------
1) Do not load a Request Log when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never
2) Do not save a Request Log when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------
Fix:
Roll-forward upgrade including traffic data now works correctly.
640768 : Kernel vulnerability: CVE-2016-10088
Solution Article: K05513373
640636-3 : F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
Component: TMOS
Symptoms:
Inserting a 40G optic into a 100G port, or a 100G optic into a 40G port, shows the optic as "Unsuported Optic". That is not correct: it may be a supported optic that is simply inserted in the wrong port.
Conditions:
B4450 Blades with 100G or 40G optics inserted in a port that does not support that speed optic.
Impact:
The user may be confused about why the optic is not working; the error message is misleading when the optic is inserted in the wrong port.
Workaround:
If the optic shows up in "tmsh list net interface" as "Unsuported Optic", remove the optic and verify that the optic speed matches the port.
Fix:
The "tmsh list net interface" will now show:
module-description "F5 Qualified Optic in invalid port"
And the LCD warning message will show:
Optic OPT-XXXX not valid in Interface <InterfaceNumber>.
640565-1 : Incorrect packet size sent to clone pool member
Solution Article: K11564859
Component: Local Traffic Manager
Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.
Conditions:
Clone pool is configured on a virtual server.
Impact:
Clone pool members may get traffic exceeding the link MTU.
Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
640521-1 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
Component: Access Policy Manager
Symptoms:
When connecting to a public network that has a Captive Portal built with the jQuery library for mobile devices, EdgeClient does not render the login page for that Captive Portal.
Conditions:
Using a public network with a Captive Portal that uses the jQuery library for mobile devices.
Impact:
EdgeClient cannot establish a VPN connection.
Workaround:
Use a browser to authenticate to the Captive Portal. For a locked client, there is no suitable workaround.
Fix:
Edge Client can now successfully interact with a greater number of wifi captive portals.
640510-3 : BWC policy category attachment may fail during a PEM policy update for a subscriber.
Component: Policy Enforcement Manager
Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.
Conditions:
The PEM policies applied to a subscriber are modified such that the BWC policy stays the same while the BWC category changes.
Impact:
Use cases dependent on BWC can be impacted.
Fix:
Code changes were added so that BWC policy and category changes through PEM are handled correctly.
640457-2 : Session Creation failure after HA
Component: Policy Enforcement Manager
Symptoms:
Under some HA scenarios, a subscriber session is lost. If the deleted session is added again (with the same subscriber-id), the addition attempt fails.
Conditions:
Intra-chassis HA is configured. One of the blades goes down and comes back up very rapidly, and some subscriber sessions are lost.
An attempt to add a lost subscriber again fails.
Impact:
A set of subscribers lost during HA is never added back.
Workaround:
No workaround.
640407-1 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
Solution Article: K41344483
Component: Service Provider
Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.
Conditions:
Using an iRule command that gets or sets state in an MRF protocol filter or MR proxy during the CLIENT_CLOSED iRule event may core, because CLIENT_CLOSED is raised after all state for the current connection has been freed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use iRule commands that get or set state during the CLIENT_CLOSED iRule event.
640376-3 : STPD leaks memory on 2000/4000/i2000/i4000 series
Component: Local Traffic Manager
Symptoms:
The STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs grows in physical memory usage indefinitely, for as long as its role in the tree results in sending BPDU packets. Memory grows faster with each additional interface that is sending BPDUs.
Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. The memory growth can be seen by tracking the process with the Linux top command, for example:
top -b -n 1 | grep stpd
The 5th and 6th columns, 'VIRT' and 'RES', slowly increase over time, indicating the memory leak.
Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.
Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured so that the affected platforms do not generate BPDUs. This can be done by choosing a root such that the affected platforms' interfaces are in blocking mode or, if possible, in passthrough mode.
Fix:
The BPDU process source code was fixed to release the memory allocated for each BPDU packet created and sent.
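The Conditions section above suggests watching the VIRT and RES columns of 'top -b -n 1 | grep stpd' over time. The following Python snippet is an added example (not F5 code) that turns that manual check into a small leak detector: it parses default-format top lines, converts the memory columns to KiB (including top's m/g/t suffixes), and reports whether the resident set of a named process only ever grew across a series of snapshots. The snapshot lines are constructed for the example and do not come from a real system.

```python
import re
from typing import Dict, List, Tuple

# Constructed 'top -b -n 1 | grep stpd' snapshots, imagined a few minutes apart.
# The RES column (6th field) creeps upward on every sample, which is the
# signature described in the release note.
SAMPLE_SNAPSHOTS: List[str] = [
    " 6120 root      20   0  128860  45000   4120 S  0.0  0.6   0:01.10 stpd",
    " 6120 root      20   0  129020  45120   4120 S  0.0  0.6   0:01.14 stpd",
    " 6120 root      20   0  129180  45240   4120 S  0.0  0.6   0:01.19 stpd",
    " 6120 root      20   0  129340  45360   4120 S  0.0  0.6   0:01.23 stpd",
]

# top prints memory in KiB by default and switches to m/g/t suffixes for large values.
_SUFFIX_KIB = {"": 1, "k": 1, "m": 1024, "g": 1024 ** 2, "t": 1024 ** 3}


def size_to_kib(field: str) -> int:
    """Convert a top memory field such as '45000', '1.5g' or '128m' to KiB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmgt]?)", field.lower())
    if not m:
        raise ValueError(f"unrecognised size field: {field!r}")
    return int(float(m.group(1)) * _SUFFIX_KIB[m.group(2)])


def parse_top_line(line: str) -> Dict[str, object]:
    """Parse one default-layout top line (PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND)."""
    f = line.split()
    if len(f) < 12:
        raise ValueError("unexpected top line format")
    return {
        "pid": int(f[0]),
        "virt_kib": size_to_kib(f[4]),  # 5th column: VIRT
        "res_kib": size_to_kib(f[5]),   # 6th column: RES
        "command": f[11],
    }


def resident_growth(snapshots: List[str], command: str = "stpd") -> Tuple[bool, int]:
    """Return (monotonic, total_growth_kib) for the RES column of `command`.

    monotonic is True when RES never decreased between consecutive samples and
    finished higher than it started. Over a long enough window that pattern
    points at a leak rather than ordinary allocator churn, which goes up and down.
    """
    res = [r["res_kib"] for r in map(parse_top_line, snapshots) if r["command"] == command]
    if len(res) < 2:
        return False, 0
    monotonic = all(b >= a for a, b in zip(res, res[1:])) and res[-1] > res[0]
    return monotonic, res[-1] - res[0]


if __name__ == "__main__":
    leaking, grown = resident_growth(SAMPLE_SNAPSHOTS)
    print(f"stpd RES monotonic growth: {leaking}, grew by {grown} KiB")
```

Feed it real snapshots collected at intervals (one 'top -b -n 1 | grep stpd' line per sample) and alert when the result is monotonic over a window of hours; a single pair of samples is not enough to tell a leak from normal variance.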
640369-2 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.
Conditions:
- Auto-lasthop is disabled on the ingress vlan.
- An ICMPv6 echo request arrives for a self-IP on the ingress vlan.
- The route to the client IP address is via a different vlan.
TMM may respond directly using the auto-lasthop feature rather than via the route lookup.
Impact:
Traffic may not follow the expected path.
Fix:
TMM now correctly honours the configured auto-lasthop option for ICMPv6 traffic.
640352-2 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
Solution Article: K01000259
Component: Local Traffic Manager
Symptoms:
Connflow entries are leaked when the BIG-IP DHCP proxy is configured in forwarding mode, the DHCP relay agent between the DHCP client and the BIG-IP system sets the giaddr field to itself, and the created connflows are aged out in a particular order.
Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) A DHCP relay agent sits between the DHCP client and the BIG-IP system and sets the giaddr field in the DHCP renewal packet to itself (this has been observed on Cisco devices), so that the DHCP servers send the DHCP renewal packet to the relay agent.
3) The connflow created to giaddr (the relay agent) ages out before the connflows created to the DHCP clients.
Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.
Workaround:
None.
Fix:
The reference count for giaddr connflows is now decremented when the client-side connflow is removed, preventing the memory leak.
639929-2 : Session variable replace with value containing these characters ' " & < > = may cause tmm crash
Component: Access Policy Manager
Symptoms:
TMM crashes when a session variable is replaced with a value containing any of these characters: ' " & < > =
Conditions:
A session variable is replaced with a value containing any of these characters: ' " & < > =
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid session variable values containing ' " & < > = if possible. Otherwise, there is no workaround.
Fix:
The session variable overwrite operation with a value containing special characters now works correctly.
639750-1 : username aliases are not supported
Component: Fraud Protection Services
Symptoms:
It is common practice to use aliases for usernames. For example, an app might allow users to log in with their ID, cell number, or nickname.
WebSafe does not support username aliases.
Conditions:
This is encountered when your application uses username aliases.
Impact:
You are unable to use username aliases in your applications.
Workaround:
None.
Fix:
A new ANTIFRAUD iRule command is provided for setting the username (replacing a username alias with the "real" username).
639744-1 : Memory leak in STREAM::expression iRule
Solution Article: K84228882
Component: Local Traffic Manager
Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.
Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.
Impact:
This causes a memory leak in tmm.
Workaround:
None.
Fix:
This release fixes a memory leak in STREAM::expression iRule.
639729-2 : Request validation failure in AFM UI Policy Editor
Solution Article: K39428424
639505-3 : BGP may not send all configured aggregate routes
Component: TMOS
Symptoms:
As a result of a known issue, BGP may not send all configured Aggregate routes if one is a supernet of another.
Conditions:
- BGP established sessions.
- BGP configuration contains several aggregate routes, one or more being a supernet of others.
Impact:
The smaller prefix aggregate (least specific), may not be sent to the BGP peer.
Fix:
BGP now sends all configured aggregates.
Behavior Change:
BGP now sends all configured aggregates, even if one is a supernet of another.
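On a release without this fix, the aggregates at risk of being withheld are exactly those that are supernets of other configured aggregates. The following Python snippet is an added example (not F5 code, and not tied to the BIG-IP routing configuration format) that takes a list of aggregate prefixes and reports which ones cover other aggregates in the same list, so an operator can check a configuration before relying on the less-specific routes being advertised. The prefix list is constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed list of aggregate-address prefixes. 10.0.0.0/8 covers both
# 10.1.x aggregates, and 10.1.0.0/16 covers 10.1.2.0/24; the others stand alone.
SAMPLE_AGGREGATES: List[str] = [
    "10.0.0.0/8",
    "10.1.0.0/16",
    "10.1.2.0/24",
    "192.168.0.0/16",
    "2001:db8::/32",
]


def find_supernet_aggregates(prefixes: List[str]) -> Dict[str, List[str]]:
    """Map each aggregate that is a supernet of other aggregates to the ones it covers.

    Keys are the less-specific prefixes (the ones the release note says may not
    be sent); values list the more-specific aggregates that sit inside them.
    Address families are compared separately, and strict=True rejects prefixes
    with host bits set so a typo does not silently become a different route.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    at_risk: Dict[str, List[str]] = {}
    for outer in nets:
        covered = sorted(
            str(inner)
            for inner in nets
            if inner != outer and inner.version == outer.version and inner.subnet_of(outer)
        )
        if covered:
            at_risk[str(outer)] = covered
    return at_risk


if __name__ == "__main__":
    for supernet, covered in find_supernet_aggregates(SAMPLE_AGGREGATES).items():
        print(f"{supernet} is a supernet of: {', '.join(covered)}")
```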
639486-4 : TMM crash due to PEM usage reporting after a CMP state change.
Component: Policy Enforcement Manager
Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.
Conditions:
A CMP state change due to a card reboot, disable, enable, insert, or remove occurs while, or right before, a PEM usage reporting action.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The error condition is now handled gracefully instead of asserting.
639395-2 : AVR does not display 'Max read latency' units.
Solution Article: K91614278
Component: Application Visibility and Reporting
Symptoms:
AVR does not display units for 'Max Read Latency'.
Conditions:
AVR, ASM, DoS, or AFM are provisioned.
Impact:
No units are displayed.
Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.
Fix:
Added units (microsecond) to AVR report.
639283-4 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
Component: Access Policy Manager
Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
Conditions:
* Virtual Server has untrusted certificate
* Using Custom Dialer or Windows logon integration features on client machine for establishing secure VPN
Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.
Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.
Workaround:
- Install trusted certificate to Virtual Server or whitelist untrusted certificate on the client machine.
or
- Use Edge Client to establish secure VPN connection.
Fix:
The Custom Dialer/Windows Logon Integration feature now shows a certificate warning when the certificate is untrusted by the client. This allows the logon to proceed if the user accepts the certificate.
639236-1 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
Solution Article: K66947004
Component: Service Provider
Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain a Contact header with an expires value of 0 that is not the last attribute.
Conditions:
The Contact header has an expires value of 0 that is not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1
Impact:
The REGISTER is rejected with a '400 Bad request' error message.
Workaround:
None.
Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.
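The failure mode above, a parser that only recognises expires=0 when it is the last Contact parameter, is easy to reproduce in any hand-written header parser. The following Python snippet is an added example (not the BIG-IP SIP MRF parser) of parameter handling that is position-independent: it splits Contact header parameters only after the closing angle bracket, so semicolons inside the URI are not mistaken for header parameters, and it treats expires=0 as a valid de-registration regardless of where it appears. The sample headers are constructed for the example; the second one has the shape given in the Conditions section.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed REGISTER Contact headers (not real traffic).
SAMPLE_CONTACTS: List[str] = [
    "Contact: <sip:+414000400@10.0.0.42:5060>;q=0.1;expires=0",   # expires last
    "Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1",   # expires not last
    "Contact: <sip:+414000400@10.0.0.42:5060;transport=udp>;expires=3600",
    "Contact: *",                                                 # wildcard, no params
]

_CONTACT_RE = re.compile(r"^Contact\s*:\s*(.*)$", re.IGNORECASE)


def parse_contact(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Contact header into its address part and its header parameters.

    Parameters are taken from the text after the closing '>' so that ';' inside
    the URI (for example ;transport=udp) is kept with the address. A parameter
    without '=' is stored with value None.
    """
    m = _CONTACT_RE.match(header.strip())
    if not m:
        raise ValueError("not a Contact header")
    body = m.group(1).strip()
    if body == "*":
        return "*", {}
    if ">" in body:
        end = body.index(">")
        addr, rest = body[: end + 1], body[end + 1:]
    else:
        # bare addr-spec: everything up to the first ';' is the address
        addr, sep, tail = body.partition(";")
        rest = sep + tail
    params: Dict[str, Optional[str]] = {}
    for raw in rest.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        params[name.lower()] = value if sep else None
    return addr, params


def contact_expires(header: str) -> Optional[int]:
    """Return the expires value in seconds, or None when the parameter is absent.

    0 is a legitimate value (a de-registration) and must be distinguished from
    'absent'; checking `if expires:` instead of `if expires is not None:` is
    the classic way to lose that distinction.
    """
    _, params = parse_contact(header)
    value = params.get("expires")
    if value is None:
        return None
    if not value.isdigit():
        raise ValueError(f"expires must be a non-negative integer, got {value!r}")
    return int(value)


def is_deregistration(header: str) -> bool:
    """True when the Contact asks to remove the binding (expires=0), wherever the parameter sits."""
    expires = contact_expires(header)
    return expires is not None and expires == 0


if __name__ == "__main__":
    for h in SAMPLE_CONTACTS:
        print(f"{h!r}: expires={contact_expires(h)}, deregistration={is_deregistration(h)}")
```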
639193-1 : BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.
Solution Article: K03453591
Component: Advanced Firewall Manager
Symptoms:
In high availability (HA) environment where BIG-IP devices are configured for Manual Sync, deleting parent policy causes sync to fail.
Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.
Impact:
Manual sync operation fails.
Workaround:
Use one of the following workarounds:
A. Enable automatic sync for HA configurations.
B. Run the following commands and then perform a sync:
tmsh save sys config partitions all
tmsh load sys config partitions all
Fix:
In HA environments containing BIG-IP devices configured for Manual Sync, deleting parent policy no longer causes sync to fail.
639039-4 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
Solution Article: K33754014
Component: Local Traffic Manager
Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.
Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.
Impact:
Dynamic routing information is lost and must be relearned.
Workaround:
When using dynamic routing, only change the host name during a maintenance window.
638997-2 : Reboot required after disk size modification in a running BIG-IP VE instance.
Component: TMOS
Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.
- A reboot is required after any such modification of the disk size for the changes to take effect. In previous versions the reboot happened automatically, but on an affected BIG-IP VE the reboot does not happen automatically.
- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.
Conditions:
Modifying disk size in a running BIG-IP VE instance.
Impact:
Changes in the disk size do not take effect until the BIG-IP system is rebooted.
Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.
Fix:
Reboot required after disk size modification in a BIG-IP VE instance.
638935-3 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: TMOS
Symptoms:
When you upgrade from an affected version, the config is saved before moving to the new version, which drops the enclosing quotes and causes a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each affected string in bigip.conf to include enclosing quotes so that the config loads the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable and username fields. The output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.
If you have an escaped quote in your configuration and are moving to a release that contains this fix, you cannot reload the configuration, or the license (which also reloads the configuration). Doing so causes the config load to fail.
638881-1 : Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
Component: TMOS
Symptoms:
When the fan tray is removed, the fan status in the tmctl tables and in 'tmsh show sys hardware' is not updated correctly to reflect the current status of the fan tray (i.e., not-present).
Conditions:
When the fan tray is physically removed.
Impact:
It is important to be aware of the fan status, since a malfunctioning fan tray can result in thermal shutdown when temperature thresholds are reached. Incorrect or incomplete status would delay corrective action if a problem arises.
Workaround:
No workaround at this time.
638825-2 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
Component: TMOS
Symptoms:
The value returned for the sysInterfaceMediaActiveSpeed OID is 80 for an interface of type 100000SR4-FD instead of 100000.
Conditions:
This always occurs for this type of interface.
Impact:
The user sees the wrong value for this interface in an SNMP get. The value is correct in tmsh 'show net interface'.
Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.
638799-1 : Per-request policy branch expression evaluation fails
Component: Access Policy Manager
Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:
info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)
Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.
The evaluation does not trigger for some requests when, in the same connection, the virtual server receives a request for an internal Access whitelisted URL and then a request for backend resource URIs.
Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for a whitelisted URL, the system disables all iRule events except the following:
#define ACCESS_ALLOWED_IRULE_EVENTS ( \
((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))
Workaround:
None.
Fix:
Per-request policy branch expression evaluation now completes successfully for non-Access (non-APM) iRule events that are attached to the virtual server.
638780-3 : Handle 302 redirects for VMware Horizon View HTML5 client
Component: Access Policy Manager
Symptoms:
Starting from v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions, and supports a 302 redirect from the old URI for backward compatibility.
Conditions:
APM webtop with a VMware View resource assigned.
The HTML5 client installed on the backend is version 4.4 or later.
Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.
Workaround:
For versions 11.6.x and 12.x:
===============================
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}
when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}
======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}
when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}
Fix:
302 redirects for the VMware View HTML5 client are now handled properly.
638715-3 : Multiple Diameter monitors to same server ip/port may race on PID file
Solution Article: K77010072
Component: Local Traffic Manager
Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.
Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.
Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.
Workaround:
A possible workaround is to configure different monitor intervals for the two pools (such as 28 seconds and 31 seconds), so that a simultaneous probe collision fails one monitor only once; on retry it succeeds (three monitor failures are required for a virtual server to be marked down).
Fix:
The fix includes the monitor-template name in the generation of the PID file, which ensures multiple Diameter monitor instances probing the same server (IP/port) do not interfere with each other.
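The fix described above is a general pattern: a lock or PID file whose name is derived only from the shared resource (here the server IP/port) lets two independent instances collide, and the remedy is to fold the instance identity (the monitor template name) into the file name and to create the file atomically. The following Python snippet is an added example (not the BIG-IP Diameter monitor code) that models both schemes: the collision-prone IP/port-only name and the template-qualified name, with creation done via O_CREAT|O_EXCL so that two processes can never both believe they own the file. The template names, server address and PIDs are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional


def pid_file_path(state_dir: str, ip: str, port: int, template: Optional[str] = None) -> str:
    """Return the PID file name for one monitor instance.

    With template=None the name depends only on ip:port, which is the scheme
    that lets two monitors probing the same server collide. Passing the
    template name makes the key unique per (template, ip, port). The key is
    hashed so characters in template names (such as '/') cannot form a path
    that escapes state_dir.
    """
    key = f"{template or ''}|{ip}|{port}".encode()
    digest = hashlib.sha256(key).hexdigest()[:32]
    return os.path.join(state_dir, f"diameter_monitor_{digest}.pid")


def acquire_pid_file(path: str, pid: int) -> bool:
    """Create the PID file atomically; return False if another instance already holds it."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{pid}\n")
    return True


def release_pid_file(path: str) -> None:
    """Remove the PID file when the probe finishes; tolerate it already being gone."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass


def simulate(state_dir: str) -> Dict[str, bool]:
    """Two monitor templates probe the same constructed Diameter peer under both naming schemes."""
    ip, port = "10.0.0.5", 3868  # constructed server; 3868 is the Diameter default port
    legacy = pid_file_path(state_dir, ip, port)  # same name for both templates
    results = {
        "legacy_a": acquire_pid_file(legacy, 1001),
        "legacy_b": acquire_pid_file(legacy, 1002),  # loses the race: this probe would fail
    }
    release_pid_file(legacy)

    fixed_a = pid_file_path(state_dir, ip, port, "/Common/diameter_pool_a")
    fixed_b = pid_file_path(state_dir, ip, port, "/Common/diameter_pool_b")
    results.update({
        "fixed_a": acquire_pid_file(fixed_a, 1001),
        "fixed_b": acquire_pid_file(fixed_b, 1002),        # distinct file, no interference
        "fixed_a_again": acquire_pid_file(fixed_a, 1003),  # same template twice is still refused
    })
    release_pid_file(fixed_a)
    release_pid_file(fixed_b)
    return results


def run_demo() -> Dict[str, bool]:
    """Run the simulation inside a throwaway directory so it leaves nothing behind."""
    with tempfile.TemporaryDirectory() as state_dir:
        return simulate(state_dir)


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'acquired' if ok else 'refused'}")
```

Stale files from a crashed instance would still block a restart under either scheme; a production implementation additionally checks whether the recorded PID is alive before treating an existing file as held.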
638629-2 : Bot can be classified as human
Component: Application Security Manager
Symptoms:
A bot is classified as human in a rare case.
Conditions:
Web scraping is turned on. The CSHUI is tried on the user.
Impact:
Bot traffic gets classified as human by ASM.
Workaround:
None.
Fix:
Fixed the CSHUI algorithm to have better bot detection.
638594-3 : TMM crash when handling unknown Gx messages.
Component: Policy Enforcement Manager
Symptoms:
TMM crash resulting in potential loss of service.
Conditions:
PCRF sends unsupported Gx messages to PEM.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Added support for identifying unknown message types and handling them gracefully.
638556-2 : PHP Vulnerability: CVE-2016-10045
Solution Article: K73926196
638137 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
Solution Article: K51201255
637666-2 : PHP Vulnerability: CVE-2016-10033
Solution Article: K74977440
637561-1 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
Component: TMOS
Symptoms:
The wildcard wideip does not function as a wildcard wideip, but as a regular wideip.
Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only
Impact:
Wildcard wideips do not answer wildcard-matching requests correctly.
Workaround:
Reload the mcpd database using the following commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd
Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.
637559-1 : Modifying iRule online could cause TMM to be killed by SIGABRT
Component: TMOS
Symptoms:
If an iRule is used by several virtual servers and you edit the iRule online, TMM could eventually be killed by SOD (the watchdog).
Conditions:
This can occur under the following conditions:
1. The iRule is used by a large number of virtual servers.
2. You edit the iRule and save changes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If an iRule is used by several virtual servers and you edit the iRule online, TMM is no longer eventually killed by SOD (the watchdog).
637308-8 : apmd may crash when HTTP Auth agent is used in an Access Policy
Solution Article: K41542530
Component: Access Policy Manager
Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.
Conditions:
This might occur under heavy load, when the AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.
The probability of occurrence is greater if session variables are specified in the AAA HTTP Server configuration.
Impact:
The apmd daemon crashes. APM cannot process requests until apmd starts up again.
Workaround:
Use basic auth, or do not use HTTP Auth.
Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.
637252-1 : Rest worker becomes unreliable after processing a call that generated an error
Solution Article: K73107660
Component: Application Security Manager
Symptoms:
Unreliable behavior from ASM REST API.
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.
Conditions:
A REST worker can enter this state if it processes specific calls that ended in error, such as creating a new active Policy.
Note: Policies are meant to be created inactive and then activated through the apply-policy task.
Impact:
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.
Workaround:
1) Do not create 'active' policies. Create them with 'active': false, and then use the apply-policy task to set them active.
2) To recover a device that has reached this state, restart restjavad using the following command:
bigstart restart restjavad
Fix:
REST workers maintain correct state and behavior after calls with errors.
637181-4 : VIP-on-VIP traffic may stall after routing updates
Component: Local Traffic Manager
Symptoms:
After a routing update, traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.
Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.
Impact:
Existing connections to the outer VIP may stall.
Workaround:
None.
Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.
636918-2 : Fix for crash when multiple tunnels use the same traffic selector
Component: TMOS
Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.
Conditions:
Same traffic selector used with more than one tunnel.
Impact:
Possible tmm restart when the problem occurs. Traffic disrupted while tmm restarts.
Workaround:
Use different traffic selectors for different tunnels.
Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.
636853-2 : Under some conditions, a change in the order of GTM topology records does not take effect.
Component: Global Traffic Manager (DNS)
Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.
Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.
Impact:
In certain configurations, the topology load balancing decision may not be made correctly.
Workaround:
Reload the GTM configuration or add/delete a topology record.
Fix:
Changes in the order of topology records now take effect immediately.
636744-1 : IKEv1 phase 2 SAs not deleted
Solution Article: K16918340
Component: TMOS
Symptoms:
The BIG-IP system will not start phase 1 or phase 2 ISAKMP negotiation after an Active -> Standby -> Active failover within a short period of time.
Conditions:
The HA Active BIG-IP system goes Standby and then becomes Active again within the phase 2 lifetime.
Impact:
IPsec tunnels are not initiated by the BIG-IP system. Network connectivity is broken between the private networks.
Workaround:
Option 1: Switch to IKEv2 and 12.x, which skips the problem altogether. This combination will mirror the SAs and so deleting existing SAs upon failover is not required.
Option 2: Edit /config/failover/active and add the following two lines at the end:
logger -p local0.notice "Employ ID636744 workaround. Purge IPsec phase2 SAs."
tmsh delete net ipsec ipsec-sa
636702-3 : BIND vulnerability CVE-2016-9444
Solution Article: K40181790
636699-5 : BIND vulnerability CVE-2016-9131
Solution Article: K86272821
636541-3 : DNS Rapid Response filters large datagrams
Component: Global Traffic Manager (DNS)
Symptoms:
Assigning a profile with DNS rapid response enabled to a virtual server on a P8 chassis might result in problems with blades and the cluster.
Depending on the timing of operations (config is loaded and tmm restarts), blades might never join the cluster properly and you will see errors similar to the following looping in /var/log/tmm:
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445394
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445416
Conditions:
-- Assigning a profile with DNS rapid response enabled to a virtual server.
-- P8 chassis.
-- Large datagrams being passed.
Impact:
DNS Rapid Response filters large datagrams. Blades might never join the cluster.
Workaround:
There is no workaround at this time.
Fix:
The system now passes through any datagrams too big for DNS rapid response.
636535 : HSB lockup in vCMP guest doesn't generate core file
Solution Article: K24844444
Component: TMOS
Symptoms:
If an HSB lockup occurs in a vCMP guest, the system does not generate a core file.
Conditions:
An HSB lockup, which occurs rarely.
Impact:
Limited ability to diagnose failures due to HSB lockups.
Workaround:
None.
Fix:
Whenever an HSB lockup occurs in a vCMP guest, the system generates a core file.
636520-3 : Detail missing from power supply 'Bad' status log messages
Solution Article: K88813435
Component: TMOS
Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included indicating which characteristic of the power supply's state is responsible for the 'Bad' overall status.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad
Conditions:
This occurs when the system posts an internal hardware sensor alert.
Impact:
At the default logging level, you cannot diagnose the cause of the 'Bad' power supply status to determine whether the probable cause is a power supply hardware fault or an external power source issue.
Workaround:
If power supply errors continue to be logged:
1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }
2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.
3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }
4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.
Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.
636397-1 : bd cores when persistent storage is configured and under some memory conditions.
Component: Application Security Manager
Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:
BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.
Conditions:
Persistent storage is configured, and memory usage is high.
Impact:
bd crashes. Traffic resets and/or failover.
Workaround:
None.
Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.
636370 : Application Layer Encryption AJAX support
Component: Fraud Protection Services
Symptoms:
WebSafe does not support parameter encryption in Single Page Applications (using AJAX).
Conditions:
The application uses AJAX to send parameters to the web server.
Impact:
Encryption does not work for Single Page Applications.
Workaround:
N/A
Fix:
AJAX encryption support (full payload encryption) has been added.
For 12.1.2-hf, enabling this feature requires:
tmsh modify sys db antifraud.internalconfig.string1 value <AJAX-HEADER-NAME>
The presence of the AJAX-HEADER-NAME header enables AJAX support for the current request, and its value may contain the username used in the current request (if configured and present).
Note that activating AJAX support in releases later than 12.1.2-hf is done differently (configured in the profile, not in the db).
636290 : vCMP support for B4450 blade
Component: TMOS
Symptoms:
vCMP is not supported on the B4450 blade.
Conditions:
This occurs on the B4450 blade on specific BIG-IP software versions. For more information on supported vCMP versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088
Impact:
You are unable to configure vCMP on the B4450 blade.
Fix:
vCMP is supported on the B4450 blade in this version.
636254-2 : Cannot reinitiate a sync on a target device when sync is completed
Component: Access Policy Manager
Symptoms:
After a policy sync is successful, re-initiating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"
Conditions:
This occurs rarely when performing a sync after a successful sync.
Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.
Fix:
APM Policy Sync no longer hangs in rare cases with the message: "PolicySyncMgr: Sync already in progress for policy xxx"
636149-3 : Multiple monitor response codes to single monitor probe failure
Component: Local Traffic Manager
Symptoms:
A monitor probe failure (such as for an HTTP monitor) is logged to '/var/log/ltm' when the probed resource is unavailable. In some cases, for a probe resulting in an 'Unable to connect' error, multiple log entries are made, with the *last* entry being the error that triggered the logging. The other monitor entries made during this event are not relevant; they are "stale" and stem from previous monitor probe behavior that was already logged.
This is due to an error where the 'Could not connect' event appends to a previous error message, rather than overwriting a possibly-present previous error message.
Conditions:
A monitor probe is attempted (such as over HTTP) and results in an "Unable to connect" failure, and that specific monitor previously reported an error (which is now appended).
Impact:
No system behavior is affected, but multiple log entries are made. The *final* log entry of "Could not connect" or "Unable to connect" is relevant, while the possible multiple log entries immediately above it are "stale" and not relevant (they are due to a previous issue that was already successfully logged).
Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last line of the '/var/log/ltm' log entry, and ignore any log entries associated with that specific monitor that appear immediately above the 'Could not connect' line.
Fix:
The code now clears previous monitor-log errors when reporting a 'Could not connect' error, rather than appending to a previous error that might be present.
636096-1 : Nitrox PX chips may temporarily fail
Component: Local Traffic Manager
Symptoms:
Under certain conditions, Nitrox PX chips may fail temporarily.
Conditions:
-- Using the following hardware:
+ BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 11xxx appliances.
+ VIPRION B42xx/B43xx, B21xx blades.
Impact:
TMM failure leading to a failover event. Normal operation of the Nitrox PX chip will resume after TMM restarts.
Workaround:
To restart tmm, run the following command:
bigstart restart tmm
Fix:
Nitrox PX chips reset as expected.
636044-1 : Large number of glob patterns affects custom category lookup performance
Solution Article: K68018520
Component: Access Policy Manager
Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.
Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.
Impact:
Slow response times to HTTP requests.
Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.
Fix:
Glob pattern matching has been extended to be context sensitive. If the pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If the match can be satisfied with prefix matching, the pattern will be processed with a prefix comparison rather than as a glob. Also, multiple glob patterns are combined together to create a more optimal match pattern. If custom categories patterns use the context sensitive feature, custom category lookup will be optimized.
635961-1 : gzipped and truncated files may be saved in qkview
Component: TMOS
Symptoms:
When looking at the files in the qkview, some files might be both gzipped and truncated, when only one or the other is expected.
Conditions:
This occurs for certain files that are large enough to require truncation and gzipping.
Impact:
Minimal impact, as the extra file can be ignored. This is primarily an issue of wasting image space.
Workaround:
Ignore the extra copy of the file.
Fix:
Files are no longer both gzipped and truncated.
635933-3 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
Solution Article: K23440942 K13361021
635754-1 : Wildcard URL pattern match works incorrectly in Traffic Learning
Solution Article: K65531575
Component: Application Security Manager
Symptoms:
In a policy with URL learning mode set to ALWAYS, wildcard URL matching for "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" prevents you from adding other wildcard destinations using Policy Builder.
Conditions:
Policy Builder is enabled. Policy Builder creates the wildcard URLs "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you then manually create another wildcard URL "/polo/images/*", the pattern match is incorrect and you are not able to accept the learning suggestion.
Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.
Workaround:
To get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).
Also make sure that the wildcard order is correct. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.
"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using the "Up" button.
Fix:
Wildcard URL pattern match now works as expected in Traffic Learning.
635703-1 : Interface description may cause some interface level commands to be removed
Solution Article: K14508857
Component: TMOS
Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.
Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.
Impact:
Interface level commands after the description will not appear in the imish running config and will not be loaded/functional.
Workaround:
To prevent this issue, do not use interface-level descriptions.
If the issue has already occurred, and the configuration is not loading, you can manually correct it using the following procedure:
1. Stop tmrouted using the following command: bigstart stop tmrouted
2. Edit the ZebOS.conf from the corresponding route-domain file manually and remove the interface-level 'description' and 'no shutdown' commands.
3. Restart tmrouted using the following command: bigstart restart tmrouted.
Note: Performing the workaround procedure will temporarily disrupt dynamic routing, so care and adequate planning must be taken into consideration.
Fix:
Routing protocol interface commands are no longer lost with the addition of interface descriptions.
635561-1 : Heavy URLs statistics are not shown after upgrade.
Component: Application Visibility and Reporting
Symptoms:
Heavy URLs statistics are not shown after upgrade.
Conditions:
Upgrading to a newer version.
Impact:
Missing statistics.
Workaround:
No workaround
Fix:
Upgrade and verify all heavy URLs statistics are shown.
635541 : "Application CSS Locations" is not inherited if changing parent profile
Component: Fraud Protection Services
Symptoms:
"Application CSS Locations" is not inherited when changing the parent profile, which can cause the following error while saving: Application CSS Locations cannot be empty.
Conditions:
This occurs in the GUI when FPS is provisioned and the system is configured with a phishing detection license.
Impact:
Cannot use FPS GUI to configure Application CSS Locations.
Workaround:
Use tmsh or the REST API to configure Application CSS Locations.
Fix:
"Application CSS Locations" is now inherited when the parent profile is changed. No errors are shown while saving.
635412 : Invalid mss with fast flow forwarding and software syn cookies
Solution Article: K82851041
635314-5 : vim Vulnerability: CVE-2016-1248
Solution Article: K22183127
635274-1 : SSL::sessionid command may return invalid values
Solution Article: K21514205
Component: Local Traffic Manager
Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.
Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.
Impact:
The iRule might not work as expected.
High CPU usage.
Workaround:
Do not use the SSL::sessionid iRule command.
Fix:
The SSL::sessionid iRule command returns the session ID as expected.
635257-2 : Inconsistencies in Gx usage record creation.
Solution Article: K41151808
Component: Policy Enforcement Manager
Symptoms:
Duplicate usage records may be created or expected usage records may be missing.
Conditions:
A subscriber session is associated with the following policies:
1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.
2. At least 2 PEM policies containing one or more rules with the same monitoring key (MK) across policies will result in failure to create expected usage records.
Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.
Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.
To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.
Fix:
Checks to create usage records are now done using the same keys that are used to create them, so there are no duplicate usage records created or expected usage records missing.
635252-1 : CVE-2016-9256
Solution Article: K47284724
635233-3 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
Solution Article: K80902149
Component: Policy Enforcement Manager
Symptoms:
CCR-u or CCR-t sent in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164, etc., even if the AVPs are marked mandatory.
Conditions:
This occurs when the BIG-IP system sends a CCR-u or CCR-t when the specified policy received from PCRF does not exist.
Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164.
Workaround:
None.
Fix:
Added the custom AVPs in the case of CCR-u and CCR-t, if those attributes are enabled for reporting in the protocol profile.
635129 : Chassis systems in HA configuration become Active/Active during upgrade★
Component: TMOS
Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.
The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.
Conditions:
This problem occurs on VIPRION chassis systems, either running natively or as a vCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2) to any other version. The problem occurs on any upgrade, whether to a version on the list of affected versions or to a later version.
Impact:
When multiple devices become Active simultaneously, traffic is disrupted.
Workaround:
There is no workaround other than to remain in the Active/Active state until all chassis have finished upgrading. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.
Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.
635116-1 : Memory leak when using replicated remote high-speed logging.
Solution Article: K34100550
Component: TMOS
Symptoms:
When a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool, TMM may leak memory.
Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one pool member, and one of them becomes unavailable.
Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.
Workaround:
Do not use replication in the HSL destination configuration.
Fix:
TMM no longer leaks memory when using a replicated HSL setup.
634779-1 : In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file
Solution Article: K43945001
634576 : TMM core in per-request policy
Solution Article: K48181045
Component: Access Policy Manager
Symptoms:
TMM might core when a per-request policy encounters a reject ending and the server-side flow is not available.
Conditions:
APM or SWG per-request policy with reject ending.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when a per-request policy encounters a reject ending.
634371-2 : Cisco ethernet NIC driver
Component: TMOS
Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67.
Conditions:
N/A
Impact:
Cisco recommends using the updated version 2.3.0.12.
Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.
634265-2 : Using route pools whose members aren't directly connected may crash the TMM.
Solution Article: K34688632
Component: Local Traffic Manager
Symptoms:
The TMM crashes when trying to resolve routes using route pools whose members are not directly connected.
Conditions:
A configuration has route pools whose members aren't directly connected. Additionally, this is an issue only in configurations where the TMM doesn't proxy traffic but sources it. An example is an sFlow configuration.
Impact:
Traffic disrupted while tmm restarts. The TMM crashes whenever a connection tries to resolve such a route.
Workaround:
Create route pools with directly connected members.
Fix:
Using route pools whose members aren't directly connected no longer crashes the TMM.
634252 : TMM crash with per-request policy in SWG explicit
Solution Article: K99114539
Component: Access Policy Manager
Symptoms:
TMM crash is seen intermittently when evaluating per-request access policies for SWG-explicit use cases.
Conditions:
Although the exact conditions required for this issue are unknown, evaluating per-request access policies for SWG-explicit use cases might be related.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM crash is no longer seen when evaluating per-request access policies for SWG-explicit use cases.
634215-1 : False detection of attack after restarting dosl7d
Component: Application Visibility and Reporting
Symptoms:
False detection of an attack.
Conditions:
Restarting dosl7d during traffic.
Impact:
False attack is reported.
Workaround:
No workaround
Fix:
Restart dosl7d during moderate traffic and verify no false attack is reported.
634115-1 : Not all topology records may sync.
Component: TMOS
Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.
Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.
Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.
Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.
This can be performed from tmsh or bash.
tmsh:
---------
(/Common)(tmos)# run cm config-sync force-full-load-push to-group gtm
Force a full load sync? (y/n)y
bash:
---------
tmsh run cm config-sync force-full-load-push to-group gtm
Note: From bash, this command executes and returns with no feedback. To determine the outcome, check /var/log/gtm for 'success'.
Fix:
Some GTM topology records could silently fail to be synchronized to other devices in the sync group. This is now resolved; all topology objects are synchronized to all expected devices.
634078-2 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero
Component: Service Provider
Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.
Conditions:
This occurs when a message routing SIP profile is in use.
Impact:
Source port is set to 0.
Workaround:
None.
Fix:
Source port is now set to the source port of the client when SNAT is set to none. This is correct behavior.
634015-3 : Potential TMM crash due to a PEM policy content triggered buffer overflow
Component: Policy Enforcement Manager
Symptoms:
A PEM policy fails to be added to a subscriber session, and TMM crashes.
Conditions:
PEM is configured with a large number of policy rules that exceeds the maximum supported PEM resources.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Buffer allocation checks have been added that result in an error log message in case of a buffer overflow.
634001-2 : ASM restarts after deleting a VS that has an ASM security policy assigned to it
Component: Application Security Manager
Symptoms:
ASM restarts with the following errors:
'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
Conditions:
ASM is provisioned.
A virtual server that has an ASM security policy assigned to it is deleted.
Impact:
ASM restarts.
Workaround:
None.
Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.
633879-1 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect
Solution Article: K52833014
Component: TMOS
Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.
Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.
Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.
Workaround:
You may be able to select md5, save, and then restart; this sets up the daemon from a config file instead of via incremental config parsing. So while md5 does not work right after being changed in the UI, it may work after a restart.
Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.
633723-3 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
Component: Local Traffic Manager
Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.
Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.
Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.
See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.
Workaround:
None.
Fix:
The system now automatically runs nitrox data collection when 'request queue stuck' errors occur.
Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.
If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.
633512-1 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
Component: TMOS
Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).
Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.
Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.
Workaround:
Do not configure Auto-Failback on VIPRION.
Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.
633413-1 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
Component: TMOS
Symptoms:
IPv6 addresses cannot be deleted, and ports cannot be added to addresses in a data group using the GUI. The system posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).
Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.
Impact:
The error references an unrelated IPv4 address.
Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.
Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.
633391-1 : GUI Error trying to modify IP Data-Group
Component: TMOS
Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.
Conditions:
Try to modify the value field in the Address Records row (string or integer), and click Update.
Impact:
There is an "Error parsing IP address" message at the top of the page. You cannot modify internal data groups using the GUI. You can delete and re-create the entry, but cannot modify it.
Workaround:
Use tmsh to modify the record field of the data groups.
Fix:
You can now modify the IPv6&IPv4 value within an existing data group.
Behavior Change:
Users are now able to modify and update data groups.
633333-3 : During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
Component: Local Traffic Manager
Symptoms:
During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and an MPTCP connection is established.
Impact:
The serverside connection is reset before all data has been sent, causing the tail end of the data stream to not be proxied.
Workaround:
None.
Fix:
Fixed sequence of events on connection closure.
633181-1 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
Component: TMOS
Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.
Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR
Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well tolerated but may be incompatible with some CAs.
Workaround:
Use openssl from the bash command line to generate CSRs.
Solution article K14534 contains the appropriate procedure.
633070-1 : Sync Inconsistencies when using Autosync ASM Group between Chassis devices
Component: Application Security Manager
Symptoms:
When at least two bladed devices are in two autosync device groups together, where one device group is the failover device group and the other has ASM sync enabled, devices may go out of sync and may end up with an incorrect ASM configuration.
Conditions:
At least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it.
An ASM policy is created.
Impact:
Devices may go out of sync and may end up with an incorrect ASM configuration.
Workaround:
Enable ASM sync on the failover device group, or use manual sync for the ASM device group.
Fix:
Bladed devices (chassis) now handle ASM autosync device groups correctly.
632875-3 : Non-Administrator TMSH users no longer allowed to run dig
Component: Global Traffic Manager (DNS)
Symptoms:
TMSH users without the Administrator role are allowed to run dig, which may allow access to files in the local filesystem.
Conditions:
Execute dig via TMSH
Impact:
File access restrictions for TMSH users without the Administrator role are not properly enforced when executing the dig command.
Fix:
TMSH users who do not have the Administrator role can no longer run the dig utility through TMSH.
Behavior Change:
The dig command can no longer be run through TMSH by non-admin users.
632731-2 : specific external logging configuration can cause TMM service restart
Component: Advanced Firewall Manager
Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.
Conditions:
The problem is seen when all the following conditions match:
1. External Logging server configured for ACL rule match.
2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).
3. The forwarded logging destination connection causes a crash in TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use one of the following workarounds:
-- Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the Forwarding Virtual.
Fix:
Connections originated from the BIG-IP to the remote logging server are no longer subjected to ACL checks, so no logs are generated for the log server connection and the error condition does not occur.
632685 : bigd memory leak for FQDN nodes on non-primary bigd instance
Component: Local Traffic Manager
Symptoms:
On BIG-IP systems with multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes consume an unusually high amount of memory, and bigd cores may be produced.
Conditions:
FQDN nodes are configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or as multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes, memory consumption of bigd on the non-primary blades or instances may be unusually high.
Impact:
bigd memory leak; possible bigd crash.
Workaround:
None.
632668-5 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
Component: TMOS
Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.
Conditions:
System is using statically configured BFD sessions. System is forced offline.
Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.
Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.
632646-4 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
Component: Access Policy Manager
Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.
Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.
Impact:
OAM login with an invalid ObSSOCookie results in an error page. The expected behavior is that the user is redirected to the login page if login with the ObSSOCookie fails.
Workaround:
None.
Fix:
On authentication with an ObSSOCookie, the getStatus() API call is now used to check the ObSSOCookie status, and the user is redirected to the IdP if the status is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix, users are redirected to the IdP when logging in with a cookie that was manually deleted from the OAM server.
632552-2 : tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
Solution Article: K08634156
Component: Local Traffic Manager
Symptoms:
tmm crashes.
Conditions:
When CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event which is fired before either event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Move the script in the _CLOSED events to other events.
Fix:
tmm no longer crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event.
632504-1 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
Solution Article: K31277424
Component: Access Policy Manager
Symptoms:
Non-LSO resources such as webtop, even when they are assigned via a normal resource assign agent, are listed under dynamic resources as opposed to static ones.
Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".
Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.
Workaround:
If it is a static resource, do not select it as dynamic resource.
Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.
632499-1 : APM Policy Sync: Resources under webtop section are not sync'ed automatically
Solution Article: K70551821
Component: Access Policy Manager
Symptoms:
Resources placed under a webtop section, such as webtop links and portal access resources, must be included as dynamic resources or else sync fails.
Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-created portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.
Impact:
Sync will fail and some configured resources will not be available on the other devices.
Workaround:
Include those resources as dynamic resources in the Policy Sync advanced settings.
Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.
632472-1 : Frequently logged "Silent flag set - fail" messages
Component: Access Policy Manager
Symptoms:
APM logs excessive messages similar to the following:
2016-12-07,21:46:10:864, 1740,884,APPCTRL, 2, \UBindSecurityMgr.h, 119, UBindSecurityMgrImpl::GetWindow, Silent flag set - fail
Conditions:
This can occur when connecting to APM via the Edge Client.
Impact:
Excessive messages are logged. These messages can be ignored.
632423-4 : DNS::query can cause tmm crash if AXFR/IXFR types specified.
Component: Global Traffic Manager (DNS)
Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.
Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.
Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.
Workaround:
Do not explicitly use AXFR or IXFR query types.
If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:
if { not [DNS::question type] ends_with "XFR" } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}
Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.
632386-1 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
Component: Access Policy Manager
Symptoms:
When an iClient control connection between Edge Client and BIG-IP exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface is down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.
Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection, without explicitly closing the current connection. This can happen when the client interface goes down or the client changes the network it is on.
Impact:
Edge Client cannot establish an iClient control connection and hence a tunnel to the BIG-IP.
Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the system attempts to accept the new connection request.
632366-1 : Prevent a spurious Broadcom switch driver failure.
Component: TMOS
Symptoms:
When a high volume of traffic is sent to a BIG-IP system, the Broadcom network switch driver might fail. The failure occurs because the switch driver is preempted (by tmm) from completing a long chip reprogramming routine and touching a watchdog. Sod, which monitors the watchdog, concludes that the switch driver has become nonfunctional and kills it.
Conditions:
A very high volume of traffic is sent to a BIG-IP system under certain circumstances.
Impact:
Potential eventual system outage if the Broadcom switch driver fails.
Workaround:
None.
Fix:
A spurious Broadcom switch driver failure no longer occurs.
632344-2 : POP DIRECTIONAL FORMATTING causes false positive
Component: Application Security Manager
Symptoms:
ASM reports false positive violation for the XML request.
Conditions:
This occurs when "%E2%80%AC" (POP DIRECTIONAL FORMATTING) is used as input in the XML request.
Impact:
When one of the following 3-byte UTF-8 characters arrives at the XML parser, the payload is considered malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING (202c).
Workaround:
None.
Fix:
This release now supports the following 3-byte UTF-8 characters within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING (202c).
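The three code points above are ordinary characters under the XML 1.0 specification, which is why a parser that rejects them produces a false positive. The following check is an added example, not BIG-IP or F5 code: it percent-decodes a value the way a WAF normalizes it, tests each code point against the XML 1.0 Char production (section 2.2 of the specification), confirms the 3-byte UTF-8 length, and parses a constructed request body with the standard library XML parser.

```python
"""Check whether the bidi control characters from this release note are legal
XML characters, so that rejecting them as malformed XML is a false positive.

Added example, not BIG-IP or F5 code. The Char production is taken from the
XML 1.0 specification (section 2.2, Characters); the sample request value is
constructed here.
"""
import urllib.parse
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Code points named in the release note; all are Unicode Bidi_Control characters.
BIDI_CONTROLS = {
    0x202A: "LEFT-TO-RIGHT EMBEDDING",
    0x202B: "RIGHT-TO-LEFT EMBEDDING",
    0x202C: "POP DIRECTIONAL FORMATTING",
}


def is_xml_char(cp: int) -> bool:
    """XML 1.0 'Char' production: code points a well-formed document may contain."""
    return (
        cp in (0x9, 0xA, 0xD)
        or 0x20 <= cp <= 0xD7FF
        or 0xE000 <= cp <= 0xFFFD
        or 0x10000 <= cp <= 0x10FFFF
    )


def utf8_length(cp: int) -> int:
    """Number of bytes the code point occupies in UTF-8 (3 for U+0800..U+FFFF)."""
    return len(chr(cp).encode("utf-8"))


def decode_form_value(raw: str) -> str:
    """Percent-decode a parameter value as UTF-8, the way a WAF normalizes it
    before handing the text to the XML parser. Invalid UTF-8 raises."""
    return urllib.parse.unquote(raw, encoding="utf-8", errors="strict")


def classify_xml(payload: str) -> Tuple[bool, List[int]]:
    """Return (well_formed, illegal_code_points) for an already-decoded payload.

    A spec-following check reports malformed XML only when the structure is bad
    or a character lies outside the Char production. U+202A..U+202C pass both.
    """
    illegal = [ord(c) for c in payload if not is_xml_char(ord(c))]
    try:
        ET.fromstring(payload)
        parses = True
    except ET.ParseError:
        parses = False
    return parses and not illegal, illegal


# Constructed sample: the percent-encoded POP DIRECTIONAL FORMATTING from the
# release note embedded in an otherwise ordinary XML request body.
CONSTRUCTED_REQUEST = "<order><note>total%E2%80%AC</note></order>"

if __name__ == "__main__":
    decoded = decode_form_value(CONSTRUCTED_REQUEST)
    for cp, name in BIDI_CONTROLS.items():
        print(f"U+{cp:04X} {name}: xml_char={is_xml_char(cp)} utf8_bytes={utf8_length(cp)}")
    print("well-formed:", classify_xml(decoded))
```

Running the block reports all three code points as legal XML characters of three UTF-8 bytes each, and the constructed body parses cleanly; a real control character such as U+0001 is rejected both by the Char production and by the parser, which is the distinction a correct "malformed XML" check has to draw.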
632326-2 : relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
Solution Article: K52814351
Component: Application Security Manager
Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.
Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.
Impact:
False positive Malformed XML violations may still be reported.
Workaround:
N/A
Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1
bigstart restart asm
632324-2 : PVA stats does not show correct connection number
Component: Local Traffic Manager
Symptoms:
Run the command tmsh show sys pva-traffic global.
The current connection count displayed may not be correct.
Conditions:
This occurs when there is PVA traffic.
Impact:
Wrong statistics for the current number of PVA connections.
Fix:
Fixed incorrect statistics for PVA traffic.
632178-1 : LDAP Query agent creates only two session variables when required attributes list is empty
Component: Access Policy Manager
Symptoms:
When the required attributes list is empty, the LDAP Query agent produces only two session variables.
In previous releases, the default behavior was to retrieve all of the user's attributes and populate them as session variables.
Conditions:
LDAP Query agent configured in an Access Policy.
Required attributes list is empty (no attributes are configured).
Impact:
The LDAP Query agent fails if a branch rule expects the user's attributes.
Any other agent in the policy that relies on the user's LDAP attributes will also fail.
Workaround:
As a workaround, you can explicitly configure the required attributes to be retrieved by the LDAP Query agent.
Fix:
The default behavior is back; when the required attributes list is empty, the LDAP Query Agent will retrieve all user's attributes and populate them as session variables.
632069-3 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
Component: TMOS
Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.
Conditions:
VE platform
Authenticated user with advanced shell access
Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.
Fix:
Updated the sudo package to improve security.
632060-1 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★
Component: iApp Technology
Symptoms:
When upgrading to the 12.1.1, 12.1.2, or 13.0 releases, executing a command similar to the following:
curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks
causes the following error:
"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",
Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0
Impact:
If your device has an iApps LX application, then that application will not synchronize to the standby device. If a failover occurs, the iApps LX application will seem to disappear, and traffic will not pass through the application.
Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.
Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iAppLX.
1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage
Fix:
Upgrade to 13.1 or 13.0.x hot fix
632005-1 : BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as a SAML Service Provider (SP), IdP connector creation can be automated using a list of URIs containing IdP metadata.
Symptom for this issue:
When remotely published metadata changes, BIG-IP cannot modify the previously created idp-connector object(s) to reflect the changes.
When the issue happens, an error similar to the following is logged in /var/log/saml_automation.log:
"apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."
Conditions:
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.
Impact:
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata.
The impact depends on how the metadata changed.
It can range from none to user authentication failure (e.g., when the IdP signing certificate is changed).
Workaround:
When error is encountered:
- Manually remove affected idp-connector configuration object
- Restart samlidpd service : "bigstart restart samlidpd"
As a result, SAML connector automation re-creates the idp-connector objects with the current up-to-date metadata files.
Fix:
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.
632001-1 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
Component: Local Traffic Manager
Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.
This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.
Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/local folder.
Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.
Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.
Fix:
fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local.
Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.
631866-2 : Cannot access LTM policy rules in the web UI when the name contains certain characters
Component: TMOS
Symptoms:
Accessing LTM policy rules in the web UI when the name contains percent (%) or slash (/) displays an empty page.
Conditions:
The LTM policy rule name being accessed contains the characters percent (%) or slash (/).
Impact:
The policy rule properties page displays an empty page.
Workaround:
Update the LTM policy rule using tmsh.
Fix:
LTM policy rules can be accessed as expected in the web UI regardless of their names.
631862-1 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
Solution Article: K32107573
Component: Local Traffic Manager
Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.
Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).
Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.
Workaround:
Use the following iRule for broken URLs:
when HTTP_RESPONSE {
    if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
        HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
    }
}
A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.
Fix:
When OWS serves a Transfer-Encoding: chunked response with a zero-size chunk, BIG-IP properly handles the response and sends the END_STREAM flag, finalizing the response.
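The protocol rule behind this issue is that a chunked body consisting only of the zero-size last-chunk is still a complete (empty) body, and the HTTP/2 side must end the stream for it. The following decoder is an added example, not BIG-IP or F5 code: it consumes HTTP/1.1 chunked framing, reports whether the terminating chunk and its closing CRLF have been seen, and derives the DATA frame that must carry END_STREAM; the sample origin responses are constructed for it.

```python
"""Decode an HTTP/1.1 chunked body and decide when an HTTP/2 stream must end.

Added example, not BIG-IP or F5 code. It models the proxy-side rule behind
this issue: once the origin's zero-size last-chunk (and its terminating CRLF)
has been consumed, the translated HTTP/2 stream must carry END_STREAM even
when that last-chunk was the only chunk, i.e. the body is empty. The sample
origin responses are constructed for this example.
"""
from typing import List, Tuple


def decode_chunked(data: bytes) -> Tuple[bytes, bool, bytes]:
    """Return (body, complete, leftover).

    complete is True only after the last-chunk ("0" size) and the empty line
    that closes the (possibly empty) trailer section have been consumed.
    If the input stops mid-chunk, complete is False and leftover holds the
    unconsumed bytes so the caller can retry once more data arrives.
    """
    body = bytearray()
    pos = 0
    while True:
        chunk_start = pos
        eol = data.find(b"\r\n", pos)
        if eol == -1:                      # chunk-size line not complete yet
            return bytes(body), False, data[chunk_start:]
        size_field = data[pos:eol].split(b";", 1)[0].strip()   # drop chunk-ext
        size = int(size_field, 16)        # ValueError on a garbage size line
        pos = eol + 2
        if size == 0:
            # last-chunk: the trailer section ends with a bare CRLF; searching
            # from eol also covers the no-trailer case ("0\r\n\r\n").
            end = data.find(b"\r\n\r\n", eol)
            if end == -1:
                return bytes(body), False, data[chunk_start:]
            return bytes(body), True, data[end + 4:]
        if len(data) < pos + size + 2:     # chunk data not fully received
            return bytes(body), False, data[chunk_start:]
        body += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2


def h2_data_frames(chunked_body: bytes) -> List[Tuple[bytes, bool]]:
    """Translate a complete chunked body into (payload, end_stream) DATA frames.

    The last frame always carries END_STREAM. With an empty body that is a
    zero-length DATA frame; omitting it leaves the stream open, which is the
    misbehaviour described in the release note.
    """
    body, complete, _ = decode_chunked(chunked_body)
    if not complete:
        return []                          # keep waiting for the origin
    return [(body, True)]


# Constructed origin responses (bodies only, after the header block).
EMPTY_CHUNKED_BODY = b"0\r\n\r\n"                        # the problem case
EMPTY_WITH_TRAILER = b"0\r\nX-Checksum: abc\r\n\r\n"
NORMAL_CHUNKED_BODY = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"

if __name__ == "__main__":
    for sample in (EMPTY_CHUNKED_BODY, EMPTY_WITH_TRAILER, NORMAL_CHUNKED_BODY):
        print(sample, "->", decode_chunked(sample), h2_data_frames(sample))
```

The decoder only reports completion after the closing CRLF of the last-chunk, so a truncated `0\r\n` is correctly treated as "more data needed", while the full `0\r\n\r\n` yields an empty body with a zero-length END_STREAM frame; the client-visible symptom in the note (a redirect that never completes) is what happens when that frame is never sent.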
631841-7 : NTP vulnerability CVE-2016-9311
Solution Article: K55405388
631737-1 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
Solution Article: K61367823
Component: Application Security Manager
Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.
Conditions:
This occurs when there are HTTP Compliance sub-violations, such as "Header name with no header value", that do not correlate to any attack_type. The affected sub-violations are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.
Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request, either in the local log or in the remote logger. If no other violation was found, the ArcSight remote logger message reports attack_type="N/A".
Workaround:
None.
Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.
631722 : Some HTTP statistics not displayed after upgrade
Component: Application Visibility and Reporting
Symptoms:
Some statistics disappear after upgrade due to a bug in the HTTP statistics backup.
Conditions:
Upgrading to a newer version.
Impact:
Not all statistics are shown.
Workaround:
None.
Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.
631700-1 : sod may kill bcm56xxd under heavy load
Solution Article: K72453283
Component: TMOS
Symptoms:
Under heavy load, bcm56xxd may not get enough CPU cycles to finish some of its operations and activate the watchdog process. In that case, sod will suspect that bcm56xxd has halted and terminate the process.
Conditions:
When the system is very busy, tmm has a higher execution priority, and bcm56xxd does not get enough CPU cycles.
Impact:
The switch will not operate during the restart, and traffic might be interrupted.
Workaround:
Reduce the traffic to make the system less busy.
Fix:
The system now has bcm56xxd activate the watchdog so that sod does not terminate the bcm56xxd process.
631688-7 : Multiple NTP vulnerabilities
Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302
631627-4 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start
Component: TMOS
Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on a vCMP guest. You will experience connection failures when Bandwidth Controller (BWC) and Web Accelerator are enabled.
Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.
Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.
Impact:
The system does not come up fully. TMM does not reach a ready state and will not pass traffic.
Workaround:
Remove BWC from route domain and then reapply the BWC back.
Fix:
With BWC enabled and associated with a route domain, Web Accelerator enabled, and the system rebooted, the system and TMM now come up fully and pass traffic.
631609-1 : ASM Centralized Management Infrastructure Sync issues
Component: Application Security Manager
Symptoms:
Devices in multiple automatic sync device groups may extraneously request a full sync after initial device sync creation, or after a full sync event.
Conditions:
Devices are in an autosync failover group and an autosync sync-only group with ASM sync enabled.
Impact:
A device may extraneously request additional full syncs after receiving a full sync from its peer or after adding an ASM policy.
Workaround:
No workaround.
Fix:
Extraneous full sync requests are no longer sent.
631582 : Administrative interface enhancement
Solution Article: K55792317
631472-1 : Resetting classification signatures to default may result in non-working configuration
Component: Traffic Classification Engine
Symptoms:
Configuration will not load when running "tmsh load ltm classification signature default" or clicking Reset to Defaults button on Traffic Intelligence :: Applications : Signature Update page.
Conditions:
1. You upgrade classification signatures to an IM package, and reference one of the newly added applications / categories in your configuration (e.g., PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.
Impact:
Configuration will not load.
Workaround:
Remove application that came with the new IM from the configuration.
Fix:
The release solves the problem of potentially non-working configurations after classification signatures were reset to default.
631444-2 : Bot Name for ASM Search Engines is case sensitive
Component: Application Security Manager
Symptoms:
A CS challenge is returned for a request from a known search engine when the bot name is sent with different case than configured.
Conditions:
ASM profile is configured on the VS; DoS profile is not configured on the VS.
Impact:
Known search engines will get CS challenge.
Workaround:
Have DoS profile on the VS, in which the only feature turned on is Bot Signature, in report only, where only search engine category is turned on.
Fix:
ASM Search Engines bot name matching is now case insensitive.
631316 : Unable to load config with client-SSL profile error★
Solution Article: K62532020
Component: TMOS
Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'
Conditions:
This occurs when both of the following conditions are met:
-- The system is loading config.
-- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:
cert-key-chain {
    cert /Common/default.crt <==== default cert
    chain /Common/chainCA.crt <==== non-empty
    key /Common/default.key <==== default key
    rsa {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
    }
}
Impact:
Configuration cannot be loaded.
Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.
Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:
cert-key-chain {
    cert /Common/kc.crt <==== changed to non-default
    chain /Common/chainCA.crt
    key /Common/kc.key <==== changed to non-default
    rsa {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
    }
}
4. Save your changes, and then run the following command:
tmsh load sys conf
631204-1 : GeoIP lookups incorrectly parse IP addresses
Component: Application Security Manager
Symptoms:
Under certain circumstances, GeoIP lookups may not correctly parse IP addresses.
Conditions:
GeoIP lookups enabled
Impact:
Unintended responses to GeoIP lookups
Workaround:
N/A
Fix:
Improved parsing of IP addresses in GeoIP lookups.
631172-4 : GUI user logged off when idle for 30 minutes, even when longer timeout is set
Component: TMOS
Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.
Conditions:
User logged in to the GUI and idle for 20-30 minutes.
Impact:
User is logged out of the GUI.
Workaround:
None.
Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.
631131-3 : Some tmstat-adapter-based report stats are incorrect
Component: Application Visibility and Reporting
Symptoms:
Stats are collected incorrectly for tmstat tables that use a partial key, which leads to wrong values in reports.
Conditions:
A tmstat-adapter uses a partial key from a tmstat table.
Impact:
Wrong stats values for some reports.
Fix:
tmstat-adapters now use the correct tmstat-framework API, which simulates a 'group-by' function on the query and thus provides the correct result set.
631025-1 : 500 internal error on inline rule editor for certain firewall policies
Component: Advanced Firewall Manager
Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.
Conditions:
-- This occurs when editing certain firewall policies in the GUI.
-- The issue is specific to policies with rules that meet the following criteria:
a) At least two addresses with the same first three octets.
b) The addresses carry a non-default route domain (the %1 suffix in the following example):
141.146.155.40%1 { }
141.146.155.41%1 { }
Impact:
Unable to view or edit the policy in the GUI; the page returns an error.
Workaround:
You can view these rules in the GUI by disabling the inline rule editor.
Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.
630929-1 : Attack signature exception list upload times-out and fails
Solution Article: K69767100
Component: Application Security Manager
Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------
Conditions:
ASM provisioned.
An attack signature exception list is uploaded.
Impact:
Attack signature exception list upload times-out and fails.
Workaround:
N/A
Fix:
Improved the attack signature exception list upload process so that it takes much less time.
630661-2 : WAM may leak memory when a WAM policy node has multiple variation header rules
Solution Article: K30241432
Component: WebAccelerator
Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.
Conditions:
A WAM policy node uses multiple variation header rules.
Impact:
Potential per-request memory leakage driven by client traffic.
Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.
Fix:
WAM no longer leaks memory when evaluating policy nodes that use two or more header variation rules.
630622-1 : tmm crash possible if high-speed logging pool member is deleted and reused
Component: TMOS
Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.
Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.
630611-1 : PEM module crash when subscriber not found
Solution Article: K84324392
Component: Policy Enforcement Manager
Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber causes a crash.
Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.
Impact:
PEM/TMM SIGSEGV.
Workaround:
None.
Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.
630610-5 : BFD session interface configuration may not be stored on unit state transition
Solution Article: K43762031
Component: TMOS
Symptoms:
'bfd session' statements are missing from the ZebOS 'running-config'.
Conditions:
The unit's state transitions from online to offline.
Impact:
The BFD configuration disappears from the ZebOS running config and no BFD sessions are established.
Workaround:
Re-add the statements manually.
Fix:
BFD session interface configuration is now stored on unit state transition.
630571-1 : Edge Client on Mac OSX Sierra stuck in a reconnect loop
Solution Article: K35254214
Component: Access Policy Manager
Symptoms:
Upon waking the laptop, the Edge Client is stuck in a reconnect loop.
Conditions:
Full-tunnel profile with no Local LAN Access; opening the device lid triggers a reconnect to the VPN service. This occurs only with Mac OS X 10.12.1.
Impact:
Cannot connect to the VPN, and the Edge Client gets stuck in a reconnect loop.
Workaround:
Enable 'Allow local subnet access'.
Fix:
The Edge Client on Mac OS X 10.12.1 now resumes the VPN connection.
630546-1 : Very large core files may cause corrupted qkviews
Component: TMOS
Symptoms:
If a core file on a slave blade in a chassis is too large for qkview to include, the qkview file for that blade can be corrupted.
Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.
Impact:
iHealth will not parse the qkview.
Workaround:
Copy the core files on the slave blade from /var/core to a backup location and delete the originals before creating the qkview.
Fix:
qkview now completes as expected when core files greater than 2.4 GB exist in /var/core.
630475-5 : TMM Crash
Solution Article: K13421245
630446-1 : Expat vulnerability CVE-2016-0718
Solution Article: K52320548
630356-1 : JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
Component: Advanced Firewall Manager
Symptoms:
When the JavaScript challenge is sent in response to a POST request within an iframe, the follow-up request from Microsoft Internet Explorer or Edge is a GET. The request is reconstructed incorrectly, and the back-end server does not receive the request payload.
This is relevant to all types of JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, and CAPTCHA Challenge.
Conditions:
A JavaScript challenge is used on a POST request when one of the following features is enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.
Impact:
POST requests will be sent as GET and the request payload will not reach the back-end server.
Workaround:
None.
Fix:
JavaScript challenges to POST requests from an iframe in Microsoft Internet Explorer/Edge are now sent correctly to the back-end server.
630306-1 : TMM crash in DNS processing on UDP virtual server with no available pool members
Component: Local Traffic Manager
Symptoms:
TMM crash when processing requests to a DNS virtual server.
Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
To mitigate, ensure at least one pool member is available whenever the DNS virtual is processing traffic, or avoid iRule commands that can suspend processing.
Also ensure datagram LB mode is enabled on UDP DNS virtuals.
Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.
630150-1 : Websockets processing error
Solution Article: K51351360
629921-4 : [SWG] NTLM 407-based front-end auth with passthrough 401-based NTLM back-end auth does not work.
Component: Access Policy Manager
Symptoms:
With SWG configured for client-side NTLM auth, when the client performs NTLM auth to the back end, the ECA plugin traps the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, sinks the request, and returns a 407 to the client to perform proxy authentication.
Conditions:
-- SWG is set up for authentication with NTLM credentials.
-- The client accesses a proxied resource that also requires NTLM auth.
Impact:
Access to the back-end server is restricted.
Workaround:
None.
Fix:
When using SWG in explicit proxy mode with NTLM authentication via the Proxy-Authenticate header, BIG-IP now allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication via the WWW-Authenticate header.
629871-2 : FTP ALG deployment should not rewrite the PASV response in 464XLAT cases
Component: Carrier-Grade NAT
Symptoms:
When NAT64 is deployed as part of a 464XLAT solution, the FTP ALG may rewrite the PASV response.
Conditions:
FTP ALG deployment in a 464XLAT solution.
Impact:
The PASV response is rewritten in 464XLAT cases.
Workaround:
None.
Fix:
NAT64 deployed as part of a 464XLAT solution no longer rewrites the PASV response.
629845-2 : Disallowing TLSv1 connections to HTTP causes iControl/REST issues
Component: Device Management
Symptoms:
When HTTP disallows TLSv1 connections, UCS operations via iControl REST fail with the following in the logs:
[SEVERE][86][08 Nov 2016 16:47:20 UTC][com.f5.rest.icontrol.IControlRunnable] (iControl execution) AxisFault[; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]:
[WARNING][87][08 Nov 2016 16:47:20 UTC][8100/tm/shared/sys/backup/52d67805-3aab-4260-8770-a690154c698e/worker UcsBackupTaskWorker] Failed to restore from backup: backup_test.ucs
Conditions:
This occurs when TLSv1 is explicitly disallowed in the HTTP profile.
Impact:
iControl REST clients are unable to connect.
Workaround:
None.
Fix:
Explicitly disallowing TLSv1 in the HTTP profile no longer causes iControl/REST issues.
629801-2 : Access policy is applied automatically on the target device after policy sync when there is also a failover device group in the trust domain.
Component: Access Policy Manager
Symptoms:
After an access policy is synced, the other device should prompt you to apply the policy change, but instead applies it automatically.
Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.
A key component that triggers this symptom is that the failover device group is listed first in the configuration. When this occurs, the policy will be applied automatically, which shouldn't occur.
Impact:
Policy changes are automatically applied, when they should only be synced with a prompt to apply after the sync.
Workaround:
None.
Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.
629698-1 : Edge client stuck on "Initializing" state
Component: Access Policy Manager
Symptoms:
When the Edge Client switches to a network with captive portal authentication, it takes a long time to re-establish the VPN connection: the Edge Client freezes in the "Initializing" state for around 1 minute.
Conditions:
This can occur on the Edge Client with Captive Portal configured.
Impact:
Edge client is stuck on "Initializing" for an excessive amount of time.
629663-1 : CGNAT SIP ALG will drop SIP INVITE
Solution Article: K23210890
Component: Service Provider
Symptoms:
SIP INVITE message is dropped.
Conditions:
Subscriber registers and then attempts to call out.
Impact:
Subscriber not able to make calls.
Workaround:
None.
Fix:
The system now uses the expiration value from the SIP message (either the expires parameter or the Expires header) to update the timeout of the registration record.
629627-1 : FPS Log Publisher is not grouped nor filtered by partition
Component: Fraud Protection Services
Symptoms:
If there are several log publishers assigned to different partitions, it is not clear which log publisher is assigned to which partition.
All log publishers are displayed regardless of the partition selected.
Conditions:
FPS is provisioned.
Two or more partitions exist.
Two or more log publishers are assigned to different partitions.
Impact:
All log publishers are displayed regardless of partition.
Workaround:
None.
Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.
629573-1 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition
Component: Application Visibility and Reporting
Symptoms:
The selected filters do not appear in exported reports for virtual servers created under a partition other than Common.
Conditions:
When virtual servers and ASM policies are under a partition other than Common, exported reports do not display the selected drill-down filters.
Impact:
Exported reports are displayed without the filters.
Workaround:
None.
Fix:
Exported reports now take partitions into account, so the drill-down filters appear as expected.
629530-2 : Under certain conditions, monitors do not time out.
Solution Article: K53675033
Component: Global Traffic Manager (DNS)
Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".
Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.
Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.
Workaround:
Disable the affected resources, and then enable them again.
Fix:
The resource status is now correct under all monitor timeout conditions.
629499-9 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
Component: TMOS
Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found
This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.
Conditions:
The exact trigger is not known; it is a timing issue that occurs during system initialization of a multi-blade chassis.
Impact:
Certain tmsh sys perf commands fail to work and give an error.
Workaround:
Restart statsd on all blades once the chassis is up, for example by running 'bigstart restart statsd' on each blade.
Fix:
statsd has been updated to re-parse its config file before rebuilding its configuration, so that it does not lose the unsupported tables from its list.
629412-3 : BIG-IP closes the connection when a client attempts to set the maximum window size
Component: Local Traffic Manager
Symptoms:
HTTP/2 provides flow control, which limits the amount of data in flight. The standard sets the initial window size to 65,535 bytes, and a client can raise it with WINDOW_UPDATE increments up to a maximum window of 2^31-1 bytes. BIG-IP used a 64 KB (65,536-byte) initial value inherited from SPDY, so the window overflowed when the client incremented it to the maximum.
Conditions:
An HTTP/2 profile is configured on a virtual server, and the client sends a WINDOW_UPDATE frame that increments the window to its maximum.
Impact:
BIG-IP treats the window-size overflow as a protocol violation and shuts the connection down without serving any request.
Workaround:
None.
Fix:
With the correct initial window size (for both the connection and each stream), BIG-IP correctly processes a request to increment the window to its maximum.
629178-1 : Incorrect initial size of connection flow-control window
Solution Article: K42206046
Component: Local Traffic Manager
Symptoms:
When a client establishes an HTTP/2 connection, both endpoints can update their connection flow-control windows, but the initial size of the connection window must be 65,535 bytes. BIG-IP erroneously set it immediately to the configured value instead. The resulting discrepancy in window-size calculation can cause the client's requests to be cancelled.
Conditions:
A virtual server has an HTTP/2 profile with a custom receive-window value above 79 KB.
Impact:
BIG-IP updates the other endpoint with a WINDOW_UPDATE frame for the connection once consumed data reaches a certain threshold. This does not happen when receive-window is set above 79 KB, so a client with a large request (e.g., a POST with a large body) resets the stream with an HTTP/2 RST_STREAM frame, cancelling the request.
Workaround:
Configure the receive-window attribute in the HTTP/2 profile to 79 KB or less.
Fix:
BIG-IP now behaves according to the RFC and sends WINDOW_UPDATE frames, preventing the remote endpoint's connection flow-control window from being exhausted.
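The two window-accounting mistakes above (629412-3: seeding the window with 65,536 instead of 65,535; 629178-1: seeding the connection window with the configured receive-window instead of 65,535) are small enough to model directly. The following Python script is an added illustration, not BIG-IP code. The RFC 7540 constants are real; the 0.8 WINDOW_UPDATE trigger fraction in simulate_upload() is an assumption chosen so the model reproduces the 79 KB boundary reported above, since the page does not state BIG-IP's actual threshold.

```python
"""HTTP/2 connection flow-control window accounting, modelled on RFC 7540 section 6.9.

Added illustration for 629412-3 and 629178-1; this is not BIG-IP code.
"""

INITIAL_WINDOW = 65_535        # RFC 7540 6.9.2: initial window for the connection and every stream
MAX_WINDOW = (1 << 31) - 1     # 2^31-1; a window above this is a FLOW_CONTROL_ERROR (6.9.1)
SPDY_WINDOW = 64 * 1024        # 65,536: the value BIG-IP carried over from SPDY (629412-3)


class FlowControlError(Exception):
    """Raised where a receiver would send GOAWAY/RST_STREAM with FLOW_CONTROL_ERROR."""


class ConnectionWindow:
    """Receiver-side view of the peer's connection send window."""

    def __init__(self, initial=INITIAL_WINDOW):
        self.size = initial

    def window_update(self, increment):
        """Apply a peer's WINDOW_UPDATE; the result must stay at or below 2^31-1."""
        if not 1 <= increment <= MAX_WINDOW:
            raise FlowControlError("invalid increment %d" % increment)
        if self.size + increment > MAX_WINDOW:
            raise FlowControlError("window %d + %d exceeds 2^31-1" % (self.size, increment))
        self.size += increment
        return self.size


def client_max_increment():
    """Largest increment a standards-following client sends: from the RFC initial value to the maximum."""
    return MAX_WINDOW - INITIAL_WINDOW


def accepts_max_increment(server_initial):
    """True if a server that seeded its window with server_initial survives the client's maximum increment."""
    try:
        ConnectionWindow(server_initial).window_update(client_max_increment())
        return True
    except FlowControlError:
        return False


def simulate_upload(receiver_initial, body_bytes, frame=16_384, update_fraction=0.8):
    """Client sends a request body in DATA frames of at most `frame` bytes (629178-1).

    The client's view of the connection window starts at the RFC value, 65,535.
    The receiver's view starts at receiver_initial (65,535 when correct, the
    configured receive-window in the defective build) and the receiver sends a
    WINDOW_UPDATE once update_fraction of that view has been consumed (the 0.8
    trigger is an assumption for this model). Returns True if the upload
    completes, False if the client's window reaches 0 before any WINDOW_UPDATE
    arrives, which is where the client resets the stream.
    """
    client_view = INITIAL_WINDOW
    consumed = 0
    sent = 0
    while sent < body_bytes:
        n = min(frame, body_bytes - sent, client_view)
        if n == 0:
            return False                      # stalled: no credit left and no WINDOW_UPDATE
        sent += n
        client_view -= n
        consumed += n
        if consumed >= update_fraction * receiver_initial:
            client_view += consumed           # WINDOW_UPDATE(increment=consumed) reaches the client
            consumed = 0
    return True


if __name__ == "__main__":
    print("RFC initial accepts max increment:", accepts_max_increment(INITIAL_WINDOW))
    print("SPDY initial accepts max increment:", accepts_max_increment(SPDY_WINDOW))
    for kb in (64, 79, 80):
        print("receive-window %d KB, 1 MB POST completes:" % kb, simulate_upload(kb * 1024, 1_000_000))
```

Note that a request smaller than 65,535 bytes completes regardless of the receiver's seed value, which is why the report above only mentions large requests.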
629145-1 : External datagroups with no metadata can crash tmm
Component: Local Traffic Manager
Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.
Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to large datagroups.
629127-1 : Parent profiles cannot be saved using FPS GUI
Component: Fraud Protection Services
Symptoms:
Any parent profile (a profile that other profiles inherit from) cannot be saved in the FPS GUI.
Conditions:
Provision FPS
License FPS.
1 or more child profiles.
Impact:
User configurations may not be saved.
Workaround:
Use tmsh or REST.
629085-1 : Any CSS content truncated at a quoted value leads to a segfault
Solution Article: K55278069
Component: TMOS
Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.
Example:
...
.c1 {background-image: url('some
Conditions:
CSS ends without closing quote in value.
Example:
...
.c1 {background-image: url('some
Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.
Workaround:
Use a particular iRule.
Fix:
CSS content truncated at a quoted value no longer leads to a segfault.
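The crash above is the classic failure of a tokenizer that scans for a closing quote without first checking for end of input. The following Python url() rewriter is an added illustration of the safe behaviour, not the BIG-IP rewrite engine; prefix_rewriter and the two sample stylesheets are constructed for the example, and the truncated one is the input quoted in the report.

```python
def rewrite_css_urls(css, rewrite):
    """Rewrite every url(...) value in a stylesheet with rewrite(url) -> new url.

    Added illustration of the 629085-1 edge case; not BIG-IP code. A value whose
    closing quote or ')' is missing (input truncated) is copied through
    untouched instead of being scanned past the end of the buffer.
    """
    out = []
    i = 0
    while True:
        j = css.find("url(", i)
        if j < 0:
            out.append(css[i:])               # no more url() tokens: copy the tail
            break
        j += len("url(")
        out.append(css[i:j])
        k = j
        while k < len(css) and css[k] in " \t\r\n":
            k += 1                            # skip whitespace after '('
        quote = css[k] if k < len(css) and css[k] in "'\"" else ""
        start = k + len(quote)
        end = css.find(quote, start) if quote else css.find(")", start)
        if end < 0:
            out.append(css[j:])               # truncated inside the value: emit as-is and stop
            break
        out.append(css[j:start] + rewrite(css[start:end]) + css[end:end + 1])
        i = end + 1
    return "".join(out)


# Constructed inputs: the truncated stylesheet from the report and a complete one.
TRUNCATED_CSS = ".c1 {background-image: url('some"
COMPLETE_CSS = ".c1 {background-image: url('img/a.png')}\n.c2 {background: url(b.png) no-repeat}"


def prefix_rewriter(url):
    """Example rewrite: prepend a portal path, as a reverse proxy would (assumed prefix)."""
    return "/portal/" + url


if __name__ == "__main__":
    print(rewrite_css_urls(COMPLETE_CSS, prefix_rewriter))
    print(rewrite_css_urls(TRUNCATED_CSS, prefix_rewriter))
```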
629069-2 : Portal Access may delete scripts from HTML page in some cases
Component: Access Policy Manager
Symptoms:
If JavaScript uses Range.createContextualFragment() call to insert new scripts into HTML document, in some cases Portal Access may delete one of the scripts in the page.
Conditions:
JavaScript that uses a Range.createContextualFragment() call and then adds new scripts with subsequent insertBefore()/insertAfter() calls.
Impact:
Web application may not work correctly.
Workaround:
None.
Fix:
Web apps delivered via APM Portal Access can now use Range.createContextualFragment(), insertBefore(), and insertAfter() properly.
628972-2 : BMC version 2.51.7 for iSeries appliances
Component: TMOS
Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.51.7.
Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Upgrading firmware.
Impact:
This is a firmware upgrade.
Workaround:
None.
Fix:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
Behavior Change:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
628897-1 : Add Hyperlink to gslb server and vs on the Pool Member List Page
Component: Global Traffic Manager (DNS)
Symptoms:
Hyperlinks to the GSLB Server and Virtual-server are missing from the GSLB Pool Member list page.
Conditions:
This can be seen in the DNS :: GSLB : Pools : Pick a pool : Members tab
Impact:
You are unable to quickly get to the server and virtual server from this page.
Workaround:
Manually navigate to associated server and Virtual Server.
Fix:
Hyperlinks to the associated server and virtual server now appear on the Pool Member list page.
628890-1 : Memory leak when modifying large datagroups
Component: Local Traffic Manager
Symptoms:
When modifying large external datagroups, a significant memory leak may occur.
Conditions:
This can occur when a large datagroup is in use and is modified.
Impact:
Memory is leaked, and the amount of memory leaked can be significant.
Workaround:
None.
Fix:
Fixed a memory leak related to modifying large datagroups.
628869-4 : Unconditional logs seen due to the presence of a PEM iRule.
Component: Policy Enforcement Manager
Symptoms:
TMM log files will fill up.
Conditions:
Execution of an iRule with the following iRule command:
PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.
Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.
Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.
Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.
628836-4 : TMM crash during request normalization
Solution Article: K22216037
628832-4 : libgd vulnerability CVE-2016-6161
Solution Article: K71581599
628739-1 : BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
Component: TMOS
Symptoms:
Configuring the management IP outside the management subnet succeeds without error.
Conditions:
On the LCD, navigate to the 'Setup' tab, and select 'Management'.
1. Set the default Gateway for the network.
2. Now set an IP address outside the Gateway subnet.
3. Notice no errors and commit is successful.
Impact:
The management IP address and the gateway of the management route (/Common/default) are not in a connected network.
Workaround:
Do not configure a management IP address and gateway that are not in the same subnet.
Fix:
LCD no longer allows invalid configuration of mgmt IP (with gateway IP outside mgmt subnet).
628735-1 : Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
Component: TMOS
Symptoms:
The Hardware SYN Cookie Protection field is not displayed in the GUI configuration screen for TCP/FastL4/FastHTTP profiles, despite hardware support for the feature existing on the platform.
Conditions:
Configuring TCP/FastL4/FastHTTP profiles in the BIG-IP GUI.
This occurs on vCMP guests, on the 10350N, i5600, i5800, i7600, i7800, i10600, i10800 platforms, and on VIPRION systems using the B4450 or B4450N blades.
Impact:
The Hardware SYN Cookie Protection field is not displayed.
Workaround:
Use tmsh to set the Hardware SYN Cookie Protection field.
Fix:
The system no longer uses a static list of platforms that have an HSB as a basis for displaying the Hardware SYN Cookie Protection option in the GUI, so the field is shown as expected.
628721-1 : In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
Component: Local Traffic Manager
Symptoms:
If a TCP connection is initiated by the DNS cache resolver but fails to be fully created, it may be leaked until the next restart of tmm.
Conditions:
This is only known to occur when other internal issues are affecting the tmm's functionality. If there are ongoing log messages in the tmm logs of the form: "hud_msg_queue is full," and a DNS cache resolver is attempting new outbound TCP connections, then it is possible to leak these connections.
Impact:
If enough connections are leaked, the tmm will not be able to create new connections even if the conditions causing the "hud_msg_queue" log messages resolve.
Workaround:
Restarting tmm will clear the leaked connections.
Fix:
The connections are now properly cleaned up if they are unsuccessfully created.
628687-2 : Edge Client reconnection issues with captive portal
Component: Access Policy Manager
Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.
Conditions:
Connect to APM through a captive portal.
Impact:
EdgeClient stuck at "Reconnecting".
Workaround:
None.
Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.
628685-2 : Edge Client shows several security warnings after roaming to a network with Captive Portal
Solution Article: K79361498
Component: Access Policy Manager
Symptoms:
The network is blocked by a captive portal that uses HTTPS. The periodic session check reports that the SSL certificate is not trusted because access to APM is redirected to the captive portal.
Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.
Impact:
Numerous security warnings.
Workaround:
None.
Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.
628623-1 : tmm core with AFM provisioned
Component: Advanced Firewall Manager
Symptoms:
tmm cores on the secondary blade while passing traffic.
Conditions:
This can occur intermittently with AFM provisioned while passing traffic, even if AFM is not in use.
Impact:
Traffic disrupted while tmm restarts.
628351-1 : Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
Component: Advanced Firewall Manager
Symptoms:
When Proactive Bot Defense is enabled, requests to URLs with Path Parameters (URLs containing a semicolon ;) may get stuck on a redirect loop. This typically applies to URLs which do not respond with HTML content or to URLs with low traffic.
Conditions:
-- Proactive Bot Defense is enabled.
-- URLs use Path Parameters (containing the semicolon ; character).
Impact:
Clients cannot access the web server, getting caught in an infinite redirect loop.
Workaround:
None.
Fix:
Requests to URLs with ";" no longer get stuck in a redirect loop when Proactive Bot Defense is enabled.
628348-1 : Cannot configure any Mobile Security list having 11 records or more via the GUI
Component: Fraud Protection Services
Symptoms:
Any item added to a list with more than 10 records in the Mobile Security section is ignored.
Conditions:
FPS is provisioned.
MobileSafe is licensed.
11 records are added to a list.
Impact:
User configuration may not be saved.
Workaround:
Use tmsh or REST.
Fix:
GUI allows adding items to lists with more than 10 records.
628337-1 : Forcing a single injected tag configuration is restrictive
Component: Fraud Protection Services
Symptoms:
Injected tag configuration for a profile is controlled globally by the db variable antifraud.injecttags, which forces all protected pages to carry a common set of HTML tags. If your web application has pages that do not work with the injected tags, the application works improperly.
Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.
Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.
Workaround:
Configure the injected tags so that they can be applied to all URLs protected by a profile. If the HTML structure of some URL makes that impossible, the HTML must be modified.
Fix:
Injected tags configuration has been moved to the URL level.
628311-3 : Potential TMM crash due to duplicate installed PEM policies by the PCRF
Solution Article: K87863112
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.
Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.
Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.
628202-4 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging
Component: TMOS
Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.
Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".
Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.
Workaround:
Setting config.auditing to "enable" or "disable" slows or stops the excessive memory usage.
Fix:
Prevented audit_forwarder from using more memory than it needs.
628164-3 : OSPF with multiple processes may incorrectly redistribute routes
Solution Article: K20766432
Component: TMOS
Symptoms:
When OSPF is configured with multiple processes that each redistribute a different route type, a process may create LSAs for routes of a type other than the one configured for redistribution into that process.
Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.
Impact:
Incorrect routing information in the network when OSPF converges.
Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.
Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.
OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.
628009-1 : f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
Component: TMOS
Symptoms:
The f5optics functionality is not initialized on Herculon iSeries variants.
Conditions:
This occurs on the following Herculon iSeries platforms: HRC-i2800, HRC-i5800, HRC-i10800.
Impact:
None. No f5optics optics module database is presently provided for Herculon platforms. Herculon uses no optics modules that require tuning (e.g., 100G).
Workaround:
None.
Fix:
With the fix, if an optics module database is provided via an f5optics install, f5optics becomes operational on Herculon. An f5optics database will be provided if optics modules requiring tuning are ever used with Herculon.
627972-2 : Unable to save advanced customization when using Exchange iApp
Solution Article: K11327511
Component: Access Policy Manager
Symptoms:
When a policy has been created by the Microsoft Exchange iApp template, saving Advanced Customization (usually of the logon page) might fail with an error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.
Conditions:
Usually an HA pair with an Exchange iApp-created profile; in general, any advanced customization whose template name does not equal customization_group_name:filename is affected.
Impact:
Unable to edit the advanced customization; functionality is unaffected.
Workaround:
Edit bigip.conf. For example, in the customization group:
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
templates {
logon.inc {
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
}
}
}
change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to customization_group_name:filename, i.e.:
name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc
Fix:
Can now save advanced customization when using Microsoft Exchange iApp.
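Two workarounds on this page start with the same step, finding a particular stanza in bigip.conf by hand: the client SSL profile that pairs the default cert and key with a non-empty chain (the configuration load failure near the top of this section) and the customization-group template whose name is not customization_group_name:filename (627972-2). The following Python script is an added example that scans the file for both. It is not F5 code; SAMPLE_CONF is constructed (the client SSL entries use the named-entry layout, and the walker also handles the flatter layout shown in the annotated snippet above), and the parser assumes the layout tmsh writes, one 'key value' or 'name {' per line with '}' alone on its line.

```python
"""Scan a bigip.conf for the two hand-edit workarounds described on this page.

Added example, not F5 code. The sample configuration below is constructed.
"""

SAMPLE_CONF = """\
ltm profile client-ssl /Common/bad_clientssl {
    cert-key-chain {
        default {
            cert /Common/default.crt
            chain /Common/chainCA.crt
            key /Common/default.key
        }
    }
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/ok_clientssl {
    cert-key-chain {
        default {
            cert /Common/kc.crt
            chain /Common/chainCA.crt
            key /Common/kc.key
        }
    }
}
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
"""


def parse_stanzas(text):
    """Parse tmsh-style braces into nested dicts keyed by the stanza header.

    Assumes one 'key value' or 'name {' per line and '}' alone on its line,
    which is how tmsh writes bigip.conf.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return root


def _blocks(block):
    """Yield a block and every block nested in it (cert-key-chain entries and their rsa/ecdsa sub-blocks)."""
    yield block
    for value in block.values():
        if isinstance(value, dict):
            yield from _blocks(value)


def default_cert_with_chain(conf):
    """Client SSL profiles that pair /Common/default.crt and default.key with a non-empty chain."""
    hits = []
    for name, body in conf.items():
        if not name.startswith("ltm profile client-ssl "):
            continue
        for entry in _blocks(body.get("cert-key-chain", {})):
            if (entry.get("cert") == "/Common/default.crt"
                    and entry.get("key") == "/Common/default.key"
                    and entry.get("chain") not in (None, "none")):
                hits.append(name.split()[-1])
                break
    return hits


def mismatched_template_names(conf):
    """apm customization-group templates whose name is not <group>:<filename>.

    Returns (group, filename, current name, expected name) tuples.
    """
    bad = []
    for name, body in conf.items():
        if not name.startswith("apm policy customization-group "):
            continue
        group = name.split()[-1]
        for filename, tmpl in body.get("templates", {}).items():
            expected = "%s:%s" % (group, filename)
            if isinstance(tmpl, dict) and tmpl.get("name") != expected:
                bad.append((group, filename, tmpl.get("name"), expected))
    return bad


if __name__ == "__main__":
    conf = parse_stanzas(SAMPLE_CONF)
    print("default cert/key with chain:", default_cert_with_chain(conf))
    print("template name mismatches:", mismatched_template_names(conf))
```

To run it against a real system, read /config/bigip.conf (and each /config/partitions/<name>/bigip.conf) instead of SAMPLE_CONF; the expected name in each mismatch tuple is the value to put on the template's name line before running tmsh load sys config.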
627961-3 : nic_failsafe reboot doesn't trigger if HSB fails to disable interface
Solution Article: K15130343
Component: TMOS
Symptoms:
The HSB driver attempts a nic_failsafe in the case of failing to disable the interface.
Conditions:
The driver disables nic_failsafe before triggering it, in hsb_ifdown_go_dead.
Impact:
TMM may restart continuously resulting in interfaces bouncing constantly.
Workaround:
Reboot the device.
Fix:
This release fixes issues where nic_failsafe reboot did not happen on HSB failures.
627926-1 : Retrieving a server-side SSL session ID in iRules does not work
Solution Article: K21211001
Component: Local Traffic Manager
Symptoms:
Retrieving the server-side SSL session ID using iRule does not work.
Conditions:
Retrieve server-side SSL Session ID using an iRule.
Impact:
iRules that try to log or capture an SSL session ID will not work properly.
Workaround:
None.
Fix:
The server-side SSL session ID can now be retrieved with an iRule.
627916-1 : Improve cURL Usage
Solution Article: K81601350
627914-1 : Unbundled 40GbE optics reporting as Unsupported Optic
Component: TMOS
Symptoms:
When a 40G interface is configured "bundle disabled", the optic module in use on the interface is declared an "Unsupported optic" module even though the module is F5 branded.
Conditions:
Using unbundled 40GbE optics.
Impact:
This is a cosmetic problem. The interface is able to function as intended.
Workaround:
No workaround; the problem is cosmetic.
Fix:
An otherwise supported optics module is no longer declared unsupported when bundling is configured disabled on the interface.
627907-1 : Improve cURL usage
Solution Article: K11464209
627898-2 : TMM leaks memory in the ECM subsystem
Component: TMOS
Symptoms:
TMM leaks memory in the ECM subsystem.
Conditions:
This issue occurs when the user has imported one or more SSL certificates onto the system and named them in such a way that the "ca-bundle.crt" string appears in their names. For example, "my-ca-bundle.crt". With this configuration in place, TMM leaks memory each time the configuration is modified.
Impact:
TMM will run out of free memory. This will initially impact traffic and could eventually lead to TMM crashing. Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue by renaming your SSL certificates so that their names don't contain the "ca-bundle.crt" string.
Fix:
TMM no longer leaks memory in the ECM subsystem.
627798-3 : Buffer length check for quota bucket objects
Component: Policy Enforcement Manager
Symptoms:
For quota bucket (Rating Groups) objects, BIG-IP allocates a large buffer locally and does not expect it to be overrun, because the objects are expected to be smaller.
Conditions:
Any quota bucket object being inserted into the PEM database.
Impact:
For quota bucket objects which are in PEM database, the buffer is usually large enough, so there should not be any impact. But if the quota bucket ever gets larger, then potential corruption of the quota bucket information could occur. This could trigger a tmm core. Traffic disrupted while tmm restarts.
Workaround:
Use quota buckets with fewer rules.
627747-1 : Improve cURL Usage
Solution Article: K20682450
627616-3 : CCR-U missing upon VALIDITY TIMER expiry when quota is zero
Component: Policy Enforcement Manager
Symptoms:
CCR-U is not sent upon VALIDITY TIMER expiry.
Conditions:
The PCRF does not grant any GSU (no quota) but only specifies the VALIDITY timer.
Impact:
OCS does not get the CCR-U message and misses the information about quota.
Workaround:
The workaround is to set the following timers to non-zero values using sys db. For example:
sys db tmm.pem.session.quota.bucket.denied.timeout { value "1" }
sys db tmm.pem.session.quota.bucket.depleted.timeout { value "2" }
sys db tmm.pem.session.quota.bucket.idle.timeout { value "3" }
Fix:
CCR-U is now sent upon VALIDITY TIMER expiry.
627574-1 : After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
Component: Local Traffic Manager
Symptoms:
If a BIG-IP system has Local Traffic Policies defined in a non-Common partition, and the system is upgraded to version 12.1.0, 12.1.1, or 12.1.2, attempting to create a new draft of the policy by selecting "Create Draft" will fail and give an error message similar to:
err mcpd[8140]: 01070734:3: Configuration error: Can't associate policy rule (/Partition1/Drafts/policy_name policy_name_policy_rule) folder does not exist
Conditions:
A system is upgraded to version v12.1.x with Local Traffic Policies in a non-default partition.
Impact:
You cannot modify existing Local Traffic Policies.
Workaround:
Manually create a 'Drafts' folder in the appropriate partition, e.g.:
tmsh create sys folder /Partition1/Drafts
Alternately, create a new (different) policy in the specified partition, and then delete it. Doing this has a side-effect of creating the Drafts folder.
627433-1 : HSB transmitter failure on i2x00 and i4x00 platforms
Component: TMOS
Symptoms:
On the BIG-IP i2x00 and i4x00 platforms, tmm enters an infinite 'restart' loop after a 'bigstart restart' or 'bigstart restart tmm' command if traffic is actively flowing through the TMM. This is the result of an HSB transmitter failure.
Conditions:
Traffic actively flowing through the tmm and you issue 'bigstart restart' or 'bigstart restart tmm'.
Another instance occurs when syncing the datasync-global-dg device-group for an HA configuration on iSeries platforms.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure all traffic is stopped before issuing the 'bigstart restart' or 'bigstart restart tmm' commands.
Setting HSB::failures_before_reset in /config/tmm_init.tcl to a high value, such as 1000 (the default is 50), may resolve the issue, depending on the conditions under which it occurred.
Fix:
TMM restart loop no longer occurs following 'bigstart restart' on i2x00 and i4x00 platforms.
627403-2 : HTTP2 can crash tmm when stats are updated on abort of a new connection
Component: Local Traffic Manager
Symptoms:
HTTP2 allocates a block of memory for collecting stats on a connection. If the connection is aborted for any reason, tmm may try to update stats before that memory is allocated.
Conditions:
HTTP2 profile is configured and assigned to a virtual.
Impact:
Traffic disrupted while tmm restarts.
Fix:
HTTP2 no longer accesses stats before the memory is allocated, preventing the TMM crash for this reason.
627360-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
Component: Application Security Manager
Symptoms:
These errors appear in the ASM log upon first start after upgrade:
-------------------------
2016-11-02T08:33:09-06:00 localhost notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
Nov 2 08:35:34 c5af5ltm1b info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
Nov 2 08:36:03 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script launched
Nov 2 08:36:17 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script finished
Nov 2 08:36:23 c5af5ltm1b info asm_start[19802]: ASM config loaded
Nov 2 08:37:40 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined
Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead
Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted
Nov 2 08:38:33 c5af5ltm1b info perl[21860]: 01310053:6: ASM starting
-------------------------
Conditions:
ASM provisioned
Local request logging enabled
Upgrade of a maintenance release, HF or EHF
Impact:
Upgrade fails
Workaround:
Upgrade by means of saving a UCS, performing a clean install, and then loading the UCS.
In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error so the UCS loads fine.
There are two options to disable the upgrade of the Request Log when upgrading by means of a UCS:
-------------------
1) do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never
2) do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------
627279-2 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
tmm on a blade may crash during a CMP and PEM change.
Conditions:
Multi-blade chassis undergoing a CMP state change. Additionally requires PEM policy changes resulting in usage record updates.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an HA pair and have the active chassis fail over during a CMP state change. Allow the new standby chassis to complete its CMP state change activity.
Fix:
Handle sessionDB failures gracefully.
627257-2 : Potential PEM crash during a Gx operation
Component: Policy Enforcement Manager
Symptoms:
Tmm may core during a Gx operation.
Conditions:
Requires a PEM virtual with Gx, Sd or Gy enabled. This occurs when tmm starts.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Perform proper validation checks as part of API processing.
627246-1 : TMM memory leak when ASM policy configured on virtual server
Solution Article: K09336400
Component: Local Traffic Manager
Symptoms:
TMM memory leak in hud_oob when ASM policy configured on virtual server.
Conditions:
-- ASM policy is configured on a virtual server.
-- URL access via the virtual server.
Impact:
System leaks 64 bytes of memory. TMM might run out of memory and eventually crash.
Workaround:
None. But disabling ASM policy configuration on the virtual server can alleviate the problem.
Fix:
A memory leak in hud_oob when ASM policy configured on virtual server has been fixed.
627214-3 : BGP ECMP recursive default route not redistributed to TMM
Component: TMOS
Symptoms:
ECMP recursive routes are not properly redistributed to TMM, resulting in an incorrect routing table.
Conditions:
Dynamic routing configured with multiple equal cost paths reachable through a recursive nexthop.
Impact:
Packets are not routed to all ECMP nexthops.
Workaround:
None.
Fix:
ECMP routes with a recursive nexthop are now used correctly by TMM.
627203-1 : Multiple Oracle Java SE vulnerabilities
Solution Article: K63427774
627117-1 : Crash with wrong certificate in WSS
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
Web services security is turned on.
A bad, wrong, or missing certificate is attached.
Impact:
Traffic drop until the BD is back (or failover).
Workaround:
The workaround would be to fix the attached certificate.
Fix:
Fixed an issue with wrong certificates.
627059-1 : In some rare cases TMM may crash while handling VMware View client connection
Component: Access Policy Manager
Symptoms:
TMM crashes.
Conditions:
VMware View client uses PCoIP to connect to backend via APM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a rare TMM crash during handling of a VMware View client PCoIP connection.
626990-1 : restjavad logs flooded with messages from ChildWrapper
Solution Article: K64915164
Component: TMOS
Symptoms:
Running iControl REST under heavy load might result in restjavad logs being filled with multiple, repeating messages similar to the following:
[WARNING][76559][13 Dec 2016 07:08:00 UTC][ChildWrapper] Exception found in child runner thread: null
Conditions:
-- Put iControl REST under a heavy load.
-- View restjavad logs.
Impact:
Logs fill with messages and rotate out. Logs full of these error messages might cause other messages to be missed.
Workaround:
None.
Fix:
iControl REST properly handles the exception described.
626910-1 : Policy with assigned SAML Resource is exported with error
Component: Access Policy Manager
Symptoms:
If an Access Profile's Access Policy has a SAML resource assigned, export fails with an error.
Conditions:
1. Access profile/access policy
2. SAML resource is assigned
Impact:
Unable to export the policy.
Fix:
Work order is restored
626851-2 : Potential crash in a multi-blade chassis during CMP state changes.
Solution Article: K37665112
Component: Policy Enforcement Manager
Symptoms:
CMP state change can result in a blade crash.
Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.
Impact:
Blade crash resulting in potential loss of service.
Workaround:
Deploy PEM in an HA pair with a chassis failover configured to occur if at most one blade on the active chassis fails.
Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.
626839 : sys-icheck error for /var/lib/waagent in Azure.
Component: TMOS
Symptoms:
On a BIG-IP deployed in the Azure cloud, sys-icheck reports a readlink error for the /var/lib/waagent directory as follows:
ERROR: ....L.... /var/lib/waagent
Conditions:
BIG-IP deployed in Azure cloud.
Impact:
sys-icheck reports "rpm --verify" errors for /var/lib/waagent. This doesn't have any functional impact on the product but looks like factory RPM settings were modified externally and incorrectly.
Workaround:
No workaround exists for this issue.
Fix:
The sys-icheck error for /var/lib/waagent in Azure has been fixed.
626721-5 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
Component: TMOS
Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain error messages similar to:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342
Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.
Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).
Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.
Fix:
Prevented the command "tmsh reset-stats auth login-failure <username>" from restarting mcpd instances on secondary blades when <username> is an unknown user. The bad command is intercepted at the primary blade and is dealt with there.
626596 : Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.
Component: TMOS
Symptoms:
Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections' instead of 'Assisted Connections'.
Conditions:
-- Running vCMP.
-- System provides hardware acceleration.
-- Statistics :: Analytics :: Hardware Acceleration menu.
Impact:
Spelling of 'Assited' instead of the expected 'Assisted'.
Workaround:
N/A
Fix:
Changed spelling of 'Assited' to 'Assisted'.
626542-2 : Unable to set maxMessageBodySize in iControl REST after upgrade★
Component: Device Management
Symptoms:
After upgrading and attempting to set maxMessageBodySize via iControl REST, you get an error indicating the command is not implemented:
{"code":400,"message":"onPut Not implemented","originalRequestBody":"{\"maxMessageBodySize\": \"111111111\"}","referer":"127.0.0.1","restOperationId":216941,"kind":":resterrorresponse"}
Conditions:
This occurs when upgrading from v11.6.1 to v12.1.0, v12.1.1, or v12.1.2, and applying the UCS from the 11.6.1 release. The error is generated because new defaults were added but they are not set on UCS restore.
Impact:
Command fails, unable to set maxMessageBodySize.
Workaround:
If you encounter this after an upgrade and UCS restore, you can run the following commands from the BIG-IP command line:
1. curl -X DELETE http://localhost:8100/shared/storage?key=shared/server/messaging/settings/8100.
2. bigstart restart restjavad.
Fix:
You can now set maxMessageBodySize via iControl REST after upgrading.
626438-1 : Frame is not showing in the browser and/ or an error appears
Component: Advanced Firewall Manager
Symptoms:
The frame goes blank when an ASM policy is enabled. This triggers the following JS error in the client's console:
Uncaught TypeError: Cannot read property '3' of undefined
Conditions:
ASM policy enabled. Device ID is enabled through one of the supporting features.
Impact:
Site not operating correctly.
Workaround:
N/A
Fix:
Fixed the device ID JavaScript issue that prevented a frame from being displayed.
626434-6 : tmm may be killed by sod when a hardware accelerator does not work
Component: Local Traffic Manager
Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod), when the Cavium hardware accelerator does not come back after the reset from the driver.
Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Power cycling the system might correct the error.
Fix:
The system now prints out an error message in the log file, improving the way tmm handles the failure.
626386-1 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
Solution Article: K28505256
Component: Local Traffic Manager
Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.
Conditions:
When SSL persistence is enabled and a large-sized client certificate is sent by the SSL client to the BIG-IP device.
Impact:
Client connection hangs during the handshake. No impact to any other module.
Workaround:
Disable SSL persistence.
Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.
626360 : TMM may crash when processing HTTP2 traffic
Solution Article: K22541983
626311-2 : Potential failure of DHCP relay functionality due to incorrect route lookup.
Solution Article: K75419237
Component: Local Traffic Manager
Symptoms:
DHCP requests from client to server may not make it through.
Conditions:
-- BIG-IP system configured as a DHCP relay.
-- Input variable (flow_key) incorrectly initialized.
Impact:
Clients might not get an IP address from the DHCP server.
Workaround:
None.
Fix:
Input variable (flow_key) is initialized properly to prevent a potential route-lookup failure.
626141-3 : DNSX Performance Graphs are not displaying Requests/sec
Component: Global Traffic Manager (DNS)
Symptoms:
The DNSX Performance graphs have an X and Y axis of Requests/second, but the data actually shows total requests.
Conditions:
Always.
Impact:
The data displayed in the graph is not correct.
626106-3 : LTM Policy with illegal rule name loses its conditions and actions during upgrade★
Component: Local Traffic Manager
Symptoms:
BIG-IP version 12.0.0 introduced stricter checking of the characters allowed in policy and rule names, and it also introduced an auto-migration feature to convert any disallowed characters to an underscore (_). Allowed characters in policy and rule names are:
A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.
When a pre-v12.0 policy contains an illegal character, each illegal character in the rule name is converted to a legal one. But the conditions and actions, which are joined to the rule by name, were not similarly adjusted. After migration, the LTM Policy rule has no conditions or actions referring to its new name.
Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later
Impact:
Policy rule name is changed, illegal characters converted to benign underscore (_). The upgraded configuration will load successfully, but the Rule's associated conditions and actions are not changed, and still point to the policy by its former name, effectively becoming orphaned. Inspecting rule using UI or tmsh shows conditions and actions missing.
Workaround:
The bigip.conf file can be manually edited to fix illegal characters and configuration reloaded.
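As an added illustration that is not part of the release note, the following Python emulates the v12.0 name sanitization on a constructed in-memory policy model, shows how renaming rules without updating the references held by conditions and actions orphans them, and provides a pre-upgrade check for names the upgrade would rewrite. The policy structure, field names and sample names are assumptions, not the BIG-IP configuration format.

```python
import re

# Characters BIG-IP v12.0 and later allow in LTM policy and rule names, as listed
# in the release note (spaces are allowed between them). Anything else is replaced.
DISALLOWED_CHARS = re.compile(r"[^A-Za-z0-9./:%\- ]")


def sanitize_name(name):
    """Apply the v12.0 auto-migration rule: every disallowed character becomes '_'."""
    return DISALLOWED_CHARS.sub("_", name)


# Constructed model of a pre-v12.0 policy (assumed structure, not bigip.conf syntax):
# rules carry a name; conditions and actions reference their rule by that name.
SAMPLE_POLICY = {
    "name": "/Partition1/redirect (legacy)",
    "rules": [
        {"name": "match[1]"},
        {"name": "default"},
    ],
    "conditions": [
        {"rule": "match[1]", "http-uri": "/old"},
    ],
    "actions": [
        {"rule": "match[1]", "redirect": "/new"},
        {"rule": "default", "forward": "pool_a"},
    ],
}


def migrate_policy(policy, fix_references):
    """Return a migrated copy of the policy.

    fix_references=False reproduces the upgrade defect described in the note:
    rule names are sanitized but conditions/actions keep pointing at the old
    names. fix_references=True applies the same rename map to the references.
    """
    rename = {r["name"]: sanitize_name(r["name"]) for r in policy["rules"]}
    migrated = {
        "name": sanitize_name(policy["name"]),
        "rules": [{"name": rename[r["name"]]} for r in policy["rules"]],
        "conditions": [],
        "actions": [],
    }
    for section in ("conditions", "actions"):
        for item in policy[section]:
            copy = dict(item)
            if fix_references:
                copy["rule"] = rename[item["rule"]]
            migrated[section].append(copy)
    return migrated


def orphaned_items(policy):
    """List (section, rule reference) pairs whose rule no longer exists in the policy."""
    rule_names = {r["name"] for r in policy["rules"]}
    return [
        (section, item["rule"])
        for section in ("conditions", "actions")
        for item in policy[section]
        if item["rule"] not in rule_names
    ]


def needs_migration(policy):
    """Pre-upgrade check: names that the v12.0 upgrade would rewrite."""
    names = [policy["name"]] + [r["name"] for r in policy["rules"]]
    return [n for n in names if sanitize_name(n) != n]


if __name__ == "__main__":
    print("names to fix before upgrading:", needs_migration(SAMPLE_POLICY))
    print("orphans after buggy upgrade:", orphaned_items(migrate_policy(SAMPLE_POLICY, False)))
    print("orphans after consistent upgrade:", orphaned_items(migrate_policy(SAMPLE_POLICY, True)))
```

Running needs_migration against a model of each policy before the upgrade lets you fix the illegal characters in bigip.conf first, so that the auto-migration has nothing to rename.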
625892-2 : Nagle Algorithm Not Fully Enforced with TSO
Component: Local Traffic Manager
Symptoms:
Sub-MSS packets are more numerous than Nagle's algorithm would imply.
Conditions:
TCP Segmentation Offload is enabled.
Impact:
Sub-MSS packets increase overhead and client power consumption.
Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
Fix:
Deliver integer multiples of the MSS to the TSO hardware when Nagle's algorithm applies.
625860-2 : Improved handling of crypto hardware decrypt failures on B4450 platform.
Solution Article: K55102452
625832-4 : A false positive modified domain cookie violation
Component: Application Security Manager
Symptoms:
An unexpected modified domain cookie violation on a system that has more than 127 policies configured.
Conditions:
This occurs when more than 127 policies are configured. The violation modified domain cookie is turned on and there are enforced cookies.
Impact:
A false positive violation.
Workaround:
Remove the modified domain cookie violation from blocking.
Fix:
Fixed a false positive modified domain cookie violation.
625824-1 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
Component: TMOS
Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, causing swap usage to increase continuously and possibly exhausting swap space.
Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem.
Impact:
iControlPortal.cgi memory usage increases.
Workaround:
Restart httpd to reload the iControl daemon.
Fix:
Fixed a memory leak associated with iControl.
625784 : TMM crash on i4x00 and i2x00 platforms with large ASM configuration.
Component: TMOS
Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM continuously crashes on boot-up or restart.
Conditions:
-- Large ASM configurations (50 virtual servers, 50 ASM policies).
-- Using i4x00 and i2x00 platforms.
Impact:
TMM continuously crashes and restarts; system is unusable.
Workaround:
None.
Fix:
TMM no longer crashes on i4x00 and i2x00 platforms with large ASM configurations.
625783-1 : Chassis sync fails intermittently due to sync file backlog
Component: Application Security Manager
Symptoms:
Chassis sync may fail intermittently if policies are changed and applied in a short interval.
Conditions:
Policies are changed and applied in a short interval on a chassis platform.
Impact:
Disk partition /var may fill up and synchronized changes may not appear on secondary blades.
Fix:
ASM configuration sync on chassis platform now works more reliably.
625703-2 : SELinux: snmpd is denied access to tmstat files
Component: TMOS
Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk will fail to access the created MIB data.
Conditions:
Custom created MIBs.
Impact:
Access to that MIB is denied.
Workaround:
None.
Fix:
When a custom SNMP MIB is created by using Tcl scripts or other methods, snmpwalk no longer fails to access the created MIB data.
625671-4 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
Component: Global Traffic Manager (DNS)
Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.
Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.
Impact:
dnsxdump provides incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.
Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver will allow dnsxdump to work again after the next zone transfer.
Fix:
dnsxdump handles non-standard resource record types.
625542-1 : SIP ALG with Translation fails for REGISTER refresh.
Component: Service Provider
Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.
Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.
Impact:
The egressed SIP REGISTER message will not have translation applied, i.e., the CONTACT and VIA headers will not be translated.
Workaround:
None.
Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.
625474-1 : POST request body is not saved in session variable by access when request is sent using edge client
Component: Access Policy Manager
Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.
Conditions:
- Configure BIG-IP as a SAML Service Provider. To simplify reproduction, change the Access Policy execution timeout to a few seconds.
- Use Edge Client to connect to BIG-IP.
- The SAML Agent redirects the user to the IdP for authentication.
- Wait a few seconds for the access policy to time out on BIG-IP.
- Enter credentials and complete authentication on the IdP.
- The user is redirected back to BIG-IP as SP. At this moment APM creates a new session and evaluates the access policy again.
Impact:
SAML Agent will now fail with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request
Workaround:
Removing the ‘Origin’ header from the request with iRule does fix the issue, and the POST body becomes available to access hudfilter.
Fix:
Check for receipt of HUDEVT_REQUEST_DONE before falling through from EV_ACCESS_TCL_COMPLETION to EV_ACCESS_REQUEST_DONE in client wait for request body to ensure proper storage of POST request body in sessiondb.
625456-5 : Pending sector utility may write repaired sector incorrectly
Component: TMOS
Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.
When a pending sector is repaired, a message similar to the following is logged:
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)
For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements
Conditions:
This may occur on BIG-IP appliances or VIPRION blades that contain hard disks using 4096-byte physical sectors.
Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades
Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.
The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:
# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device
# smartctl -i /dev/sda | grep "Sector Size"
Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical
Not Affected:
Sector Size: 512 bytes logical/physical
Impact:
Potential corruption of unknown files on BIG-IP volumes.
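An added example, not from the release note, that automates the smartctl check above: it parses the two "Sector Size" output shapes quoted in the note and flags disks with 4096-byte physical sectors. The sample outputs are constructed, and the `run` parameter is an injection point so the logic can be exercised offline.

```python
import re
import subprocess

# The two output shapes quoted in the release note for "smartctl -i <device>".
SPLIT_SIZES = re.compile(r"Sector Sizes:\s*(\d+) bytes logical,\s*(\d+) bytes physical")
SAME_SIZE = re.compile(r"Sector Size:\s*(\d+) bytes logical/physical")

# Constructed sample outputs (not captures from a real device) for offline use.
SAMPLE_SCAN = "/dev/sda -d scsi # /dev/sda, SCSI device\n"
SAMPLE_AFFECTED = "Vendor: X\nSector Sizes:     512 bytes logical, 4096 bytes physical\n"
SAMPLE_OK = "Vendor: X\nSector Size:      512 bytes logical/physical\n"


def physical_sector_size(smartctl_info):
    """Return (logical, physical) sector sizes parsed from 'smartctl -i' output, or None."""
    m = SPLIT_SIZES.search(smartctl_info)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = SAME_SIZE.search(smartctl_info)
    if m:
        size = int(m.group(1))
        return size, size
    return None  # unknown disk/driver output: do not silently assume "not affected"


def is_affected(smartctl_info):
    """True when the disk reports 4096-byte physical sectors (the pendsect condition)."""
    sizes = physical_sector_size(smartctl_info)
    return sizes is not None and sizes[1] == 4096


def scan_devices(scan_output):
    """Parse 'smartctl --scan' lines such as '/dev/sda -d scsi # /dev/sda, SCSI device'."""
    devices = []
    for line in scan_output.splitlines():
        line = line.split("#", 1)[0].strip()  # drop the trailing comment
        if line:
            devices.append(line.split()[0])
    return devices


def check_host(run=subprocess.check_output):
    """Run smartctl on every scanned device and return {device: affected?}.

    On a live BIG-IP this needs root; pass a fake `run` to test offline.
    """
    scan = run(["smartctl", "--scan"], text=True)
    return {dev: is_affected(run(["smartctl", "-i", dev], text=True))
            for dev in scan_devices(scan)}


if __name__ == "__main__":
    for dev, affected in check_host().items():
        print(dev, "AFFECTED (4096-byte physical sectors)" if affected else "not affected")
```

A disk reported as affected is one where a pendsect repair may have written to the wrong location, so file integrity on that volume should be verified rather than assumed.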
625372-5 : OpenSSL vulnerability CVE-2016-2179
Solution Article: K23512141
625275-1 : Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
Component: Fraud Protection Services
Symptoms:
When trying to add URL parameters containing square brackets "[]" in FPS GUI >> URL, the parameter name becomes "0". When trying to modify such parameters, they are not saved.
Conditions:
Provision FPS
Create URL
Impact:
FPS GUI
Workaround:
Via tmsh, for example:
tmsh modify security anti-fraud profile criteria urls modify { /xml.php { parameters add { "mouse\[2]" } } }
Fix:
It is now possible to add parameters containing square brackets in FPS GUI.
625198-1 : TMM might crash when TCP DSACK is enabled
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
All of the below are required to see this behavior:
- DSACK is enabled.
- MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
- cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.
- An iRule exists that changes any of the conditions above besides DSACK.
- Various client packet combinations interact in certain ways with the iRule logic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change any of the conditions above.
Fix:
TCP maintains state appropriately to avoid crash.
625172-1 : tmm crashes when classification is enabled and FTP traffic is flowing through the box
Component: Traffic Classification Engine
Symptoms:
tmm crashes.
Conditions:
1. classification profile attached to the virtual server
2. ftp traffic flows through the system
3. complex configuration with iRules and multiple modules enabled
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the classification profile from the virtual server.
Fix:
Incorrect memory management in one of classification matching mechanisms led to a crash.
625159-1 : Policy sync status not shown on standby device in HA case
Component: Access Policy Manager
Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.
Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device
Impact:
It does not affect sync functionality and user still can see the sync status on an active device.
Workaround:
Check sync status on an active device in the group.
Fix:
User will be able to see the sync statuses on a standby device, including itself as well as the list of devices in the whole sync-only group where sync is performed.
625106-2 : Policy Sync can fail over a lossy network
Component: Local Traffic Manager
Symptoms:
Policy Sync fails.
Conditions:
BIG-IPs are connected over a lossy link.
Impact:
HA redundancy fails.
Workaround:
tmsh modify sys db TM.TCPProgressive.AutoBufferTuning value disabled
Fix:
Change configuration as described.
625098-3 : SCTP::local_port iRule not supported in MRF events
Component: Service Provider
Symptoms:
SCTP::local_port iRule not supported in MRF events
Conditions:
MRF events are used, such as MR_INGRESS, MR_EGRESS, and MR_FAILED.
Impact:
SCTP::local_port won't work under MR events.
Fix:
After the fix, SCTP::local_port iRule will be supported in MRF events.
625085 : lasthop rmmod causes kernel panic
Component: TMOS
Symptoms:
If someone attempts to unload the lasthop kernel module, it will cause a kernel panic.
Conditions:
Attempting to unload the lasthop kernel module.
Impact:
The system reboots.
Workaround:
Avoid running the following command:
# rmmod lasthop
Fix:
The lasthop kernel module should never be unloaded. The system now prevents the lasthop kernel module from being unloaded, so no kernel panic occurs.
624966-2 : Edge client starts new APM session when Captive portal session expire
Component: Access Policy Manager
Symptoms:
When a Captive portal session expires during Network Access, Edge Client shows the Captive portal authentication page. If the user doesn't authenticate for some amount of time (30-60 sec), Edge Client tries to disconnect the current session. When the user then successfully authenticates, Edge Client starts a new APM session instead of waiting until the user authenticates on the Captive page.
Conditions:
This can occur when Captive portal is configured and the session expires.
Impact:
The Edge Client starts a new session when it should re-use the existing session.
624903-6 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
Solution Article: K55102452
624876-1 : Response Policy Zones can trigger even after entry removed from zone
Component: Global Traffic Manager (DNS)
Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.
Conditions:
-- An RPZ zone contains an entry, for example badzone.example.com.
-- That entry is subsequently removed.
Impact:
The badzone.example.com entries will continue to be blocked by RPZ, even though the item has been removed.
Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin and restart the system using the following command: bigstart restart zxfrd.
This recreates the databases without the remnants of the deleted entries.
Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.
624831-2 : BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
Component: TMOS
Symptoms:
tmm crashes while using Bandwidth Control (BWC) dynamic policies.
Conditions:
max-user-rate is set at 2gbps or higher.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
Use a maximum of 1gbps for dynamic BWC policy max-user-rate.
Fix:
tmm no longer crashes while using Bandwidth Control (BWC) dynamic policies with max-user-rate set at 2gbps or higher.
Behavior Change:
no
624826-2 : mgmt bridge takes HWADDR of guest vm's tap interface
Component: TMOS
Symptoms:
The MGMT interface becomes unreachable and stops responding to traffic. While the guest is in the provisioned state, the MAC address assigned to mgmt is correct (taken from the base MAC). When the guest enters the deployed state, the MAC address on the host mgmt interface changes and becomes identical to the mgmt_vm_tap MAC.
Conditions:
The platform shipped with a "low" F5 base_mac.
A Linux bridge by default takes as its MAC the lowest MAC of its constituent interfaces. This did not cause a problem before because F5 Networks systems' base MACs have historically been "low", e.g., with legacy_baseMacs in {00:01:D7, 00:0A:49, 00:23:E9}.
When a guest tap interface is added to the mgmt bridge, the bridge takes its Linux default action, which is to adopt the lowest MAC address of its constituent interfaces. When the comparison min(eth0's mac, guestTap's mac) returns guestTap's mac, the mgmt bridge incorrectly assumes the guest tap interface's MAC.
Impact:
Connectivity to the vCMP host platform is lost when the guest is deployed.
Workaround:
Use ifconfig to ensure that the MAC address of the mgmt bridge never changes from that of eth0. For example, the following command sets the MAC of the bridge to the value given as <Mac of Eth0>:
ifconfig <bridgeName= mgmt> hw ether <Mac of Eth0>
Note: This assumes that eth0 will always be contained in the mgmt bridge.
Fix:
The system now uses ifconfig to assign the mac of interface eth0 to bridge mgmt.
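The bridge MAC selection described under Conditions, as an added example that is not F5 code: it models the Linux default of adopting the lowest port MAC, flags when a guest tap MAC would displace eth0's MAC, and gives a health check comparing the observed bridge MAC to eth0. All MAC values and function names are constructed for the example.

```python
"""Model of the Linux bridge default MAC selection from 624826-2.
Added example, not BIG-IP/F5 code; all MAC values below are constructed."""

# OUIs the release note lists as historically "low" F5 base MACs
LEGACY_F5_OUIS = {"00:01:d7", "00:0a:49", "00:23:e9"}


def mac_to_int(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' into an integer so MACs order numerically."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(parts), 16)


def bridge_default_mac(port_macs):
    """Linux default behaviour: a bridge adopts the lowest MAC among its ports."""
    if not port_macs:
        raise ValueError("bridge has no ports")
    return min(port_macs, key=mac_to_int)


def mgmt_bridge_mac_displaced(eth0_mac, tap_macs):
    """Return (displaced, chosen_mac). displaced is True when
    min(eth0, guest taps) is not eth0, i.e. the mgmt bridge would
    take a guest tap's MAC and management connectivity would be lost."""
    chosen = bridge_default_mac([eth0_mac, *tap_macs])
    return mac_to_int(chosen) != mac_to_int(eth0_mac), chosen


def has_legacy_low_oui(mac):
    """True if the MAC's OUI is one of the historically low F5 OUIs."""
    return mac.lower()[:8] in LEGACY_F5_OUIS


def audit_mgmt_bridge(observed_bridge_mac, eth0_mac):
    """Health check: the mgmt bridge MAC should always equal eth0's MAC.
    Case-insensitive, so values pasted from ifconfig/ip output compare cleanly."""
    return mac_to_int(observed_bridge_mac) == mac_to_int(eth0_mac)


# Constructed values: a legacy low base MAC stays lowest; an arbitrary higher
# base MAC loses to a guest tap MAC (the tap MACs are arbitrary locally
# administered addresses, not real F5 or hypervisor assignments).
LEGACY_ETH0 = "00:01:d7:12:34:56"
NEWER_ETH0 = "f4:15:63:aa:bb:cc"
GUEST_TAPS = ["fe:54:00:11:22:33", "02:aa:bb:cc:dd:ee"]

if __name__ == "__main__":
    for eth0 in (LEGACY_ETH0, NEWER_ETH0):
        displaced, chosen = mgmt_bridge_mac_displaced(eth0, GUEST_TAPS)
        print(f"eth0={eth0} legacy_oui={has_legacy_low_oui(eth0)} "
              f"bridge_mac={chosen} displaced={displaced}")
```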
624805-1 : ILX node.js process may be restarted if a single operation takes more than 15 seconds
Component: Local Traffic Manager
Symptoms:
There is an ILX node.js process restart that occurs, conditional on the code and operations of the node.js process. The restart occurs when one specific operation (code path in your node.js app) takes longer than 15 seconds to complete.
Conditions:
-- Running ILX with a node.js RPC or streaming setup.
-- A single operation takes more than 15 seconds.
Impact:
The connflow is dropped, and traffic processing for the flows handled by that process stops until it restarts fully.
Workaround:
To work around this issue, add timing instrumentation to your node.js app, either to make sure operations complete within the timeframe, or to determine where operations exceed the 15 second limit and rework the code so that they complete within 15 seconds.
Fix:
There is no longer a time restriction on a single operation.
624744-1 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash resulting in flows being impacted.
Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.
Impact:
Traffic disrupted while tmm restarts.
Fix:
NULL check has been added prior to calling a callback for asynchronous handling.
624733-1 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash resulting in flows being impacted.
Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.
Impact:
Traffic disrupted while tmm restarts.
Fix:
NULL check has been added to facilitate a graceful failure during asynchronous handling.
624692-3 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
Component: TMOS
Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.
Conditions:
Certificate with multi-byte encoded strings.
Impact:
Unable to view certificate list page or view certificate information via iControl/REST.
624616-1 : Safenet uninstall is unable to remove libgem.so
Component: Local Traffic Manager
Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:
rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.
Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.
Impact:
Uninstall is unable to complete.
Workaround:
None.
Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.
624570-1 : BIND vulnerability CVE-2016-8864
Solution Article: K35322517
624526-3 : TMM core in mptcp
Solution Article: K10002335
624457-5 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
Solution Article: K10558632
624370-1 : tmm crash during classification hitless upgrade if virtual server configuration is modified
Component: Traffic Classification Engine
Symptoms:
tmm crash
Conditions:
1. classification hitless upgrade is triggered
2. pending (not saved) changes on any of the virtual servers
Impact:
Traffic disrupted while tmm restarts.
Fix:
A change of virtual server configuration triggered a new library to be loaded during the upgrade, which the hitless upgrade mechanism did not expect, leading to a tmm crash. This is fixed in versions starting with 12.1.2.
624362-1 : VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
Component: TMOS
Symptoms:
/shared disk usage growth and the diskmonitor can alarm when percent of disk usage reaches the configured threshold.
Conditions:
vCMP guest; over time, /shared/tmp/guestagentd.out grows and is not rotated.
Impact:
/shared filesystem can fill and cause alerting and inability to copy files such as .iso to /shared.
Workaround:
1. Periodically delete the non-critical file /shared/tmp/guestagentd.out.
OR
2. Run bigstart stop guestagentd (this disables the vCMP health feature on the host).
Fix:
The guestagentd logs no longer fill the tmp file.
624361-1 : Responses to some of the challenge JS are not zipped.
Component: TMOS
Symptoms:
Performance is affected on the JS challenge.
Conditions:
The following is turned on in the application dos configuration :
CS challenge, or PBD challenge when Suspicious browsers are disabled or the Device-ID challenge.
Impact:
1. These responses consume more CPU and more Bandwidth than needed.
2. Client-side latency is degraded.
3. More disk space is utilized than needed
Workaround:
None.
Fix:
Some of the JS challenge responses now have better performance.
624263-4 : iControl REST API sets profile's non-default property value as "none"; properties missing in iControl REST API response
Component: TMOS
Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.
624231-5 : No flow control when using content-insertion with compression
Component: Policy Enforcement Manager
Symptoms:
Packets can get queued in PEM and cause performance impact.
It could cause memory corruption in some cases.
Conditions:
This issue can happen when there are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.
Impact:
Performance impact to flows and possible system crash.
Workaround:
Enable hardware offload and use the PEM throttle feature for content insertion.
624228-1 : Memory leak when using insert action in pem rule and flow gets aborted
Component: Policy Enforcement Manager
Symptoms:
Memory keeps increasing in PEM after several hours of live service.
Conditions:
Insert action in pem rule and response spawning multiple segments. Connection gets aborted midway.
Impact:
Connections can get reset once memory usage increases beyond the threshold.
Fix:
xfrags are now freed when flows are aborted.
624198-1 : Unable to add multiple User-Defined alerts with the same search category
Component: Fraud Protection Services
Symptoms:
Adding 2 or more User-Defined alerts causes a DB exception error.
Conditions:
Provision FPS
Malware Detection license
Add multiple User-Defined alerts with the same "Search In" category.
Impact:
Can impact detection of certain malware.
Workaround:
Add a single record at a time.
Use tmsh or REST.
Fix:
GUI allows adding multiple User-Defined alerts of the same search category.
624193-2 : Topology load balancing not working as expected
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.
Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.
Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.
Workaround:
Topology records and pools can be configured to avoid the conditions that cause the issue.
Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.
624155-2 : MRF Per-Client mode connections unable to return responses if used by another client connection
Component: Service Provider
Symptoms:
When an outgoing connection is created in per-client mode, that connection is exclusively for use by the client whose message was routed to the destination. All messages (response or requests) received by the server are automatically forwarded to the client. The messages received from the server are forwarded to the original connection from the client (even if it has been closed).
Conditions:
The connection from the client closes and the client connects again.
Impact:
Messages from the new client connection will be routed using the previously created outgoing connection, but messages received from the server will be forwarded to the original client connection, which is closed. These messages will fail to be delivered.
Workaround:
None.
Fix:
When messages arrive from a new client connection, the outgoing connection is updated to forward messages received from the server to the new connection.
624023-3 : TMM cores in iRule when accessing a SIP header that has no value
Component: Service Provider
Symptoms:
When an iRule is used to access a SIP header attribute with no value, TMM cores.
Conditions:
Use an iRule to access the value of a SIP message header attribute that has no value, e.g.:
"Supported: " IEOL
"Session-Expires:" IEOL
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
Fix:
Fix includes adjusting the buffer offset properly to handle the empty header attributes while parsing the SIP message.
623940-3 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
Component: Local Traffic Manager
Symptoms:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.
The ltm error log messages look like:
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
Conditions:
The client offers EC cipher suites but does not include the ec_point_formats extension in its ClientHello.
Impact:
SSL Handshake fails.
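A triage check for the ClientHello condition in this entry, as an added example that is not BIG-IP code: it builds constructed ClientHello records, parses the cipher suites and extensions, and reports when EC suites are offered without the ec_point_formats extension (type 11), which a client is permitted to omit. The ECDHE suite table is a subset, and the function names are mine.

```python
"""Detect the ClientHello shape from 623940-3: EC cipher suites offered
without the ec_point_formats extension. Added example, not BIG-IP code;
the ClientHello records below are constructed test input."""
import struct

SUPPORTED_GROUPS = 0x000A   # extension type 10 (named curves)
EC_POINT_FORMATS = 0x000B   # extension type 11

# Subset of ECDHE cipher suites by IANA code point (enough for this check)
EC_SUITES = {
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(suites, extensions):
    """Build a TLS 1.2 ClientHello record. extensions is a list of
    (extension_type, extension_data) pairs; random is zeroed for determinism."""
    body = b"\x03\x03" + bytes(32)              # client_version TLS 1.2, 32-byte random
    body += b"\x00"                             # empty session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                         # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer


def parse_client_hello(record):
    """Return (cipher_suites, {ext_type: ext_data}) from a ClientHello record,
    validating the record and handshake framing as it goes."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                # skip client_version and random
    pos += 1 + body[pos]                        # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # skip compression_methods
    exts = {}
    if pos + 2 <= len(body):                    # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[ext_type] = body[pos:pos + ext_len]
            pos += ext_len
    return suites, exts


def check_ec_point_formats(record):
    """Report whether the hello matches the failing condition: EC suites
    present and ec_point_formats absent. Useful when triaging 'no shared
    ciphers' log entries against the client side of a capture."""
    suites, exts = parse_client_hello(record)
    ec_offered = [EC_SUITES[s] for s in suites if s in EC_SUITES]
    return {
        "ec_suites_offered": ec_offered,
        "has_ec_point_formats": EC_POINT_FORMATS in exts,
        "has_supported_groups": SUPPORTED_GROUPS in exts,
        "affected": bool(ec_offered) and EC_POINT_FORMATS not in exts,
    }


# Constructed ClientHellos: secp256r1/secp384r1 in supported_groups; only the
# second carries ec_point_formats (one format: uncompressed = 0).
GROUPS = (SUPPORTED_GROUPS, b"\x00\x04\x00\x17\x00\x18")
HELLO_NO_POINT_FORMATS = build_client_hello([0xC02F, 0xC030, 0x002F], [GROUPS])
HELLO_WITH_POINT_FORMATS = build_client_hello(
    [0xC02F, 0xC030, 0x002F], [GROUPS, (EC_POINT_FORMATS, b"\x01\x00")])
HELLO_RSA_ONLY = build_client_hello([0x002F, 0x0035], [])

if __name__ == "__main__":
    for name in ("HELLO_NO_POINT_FORMATS", "HELLO_WITH_POINT_FORMATS", "HELLO_RSA_ONLY"):
        print(name, check_ec_point_formats(globals()[name]))
```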
623930-3 : vCMP guests with vlangroups may loop packets internally
Component: TMOS
Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.
Conditions:
vCMP guest, vlangroups.
Impact:
High CPU utilization and potentially undelivered packets.
Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.
Fix:
Packets are no longer looped between vlangroup children on vCMP guests.
623927-2 : Flow entry memory leaked after DHCP DORA process
Solution Article: K41337253
Component: Policy Enforcement Manager
Symptoms:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is not freed.
Conditions:
Run the DHCP DORA process through BIG-IP (in relay mode or forwarding mode) and wait for the client connection flow entry to age out.
Impact:
The system leaks flow entry memory. Over a long period of time, system memory will eventually run out.
Workaround:
None.
Fix:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is now freed, so no memory leak occurs.
623922-5 : TMM failure in PEM while processing Service-Provider Disaggregation
Solution Article: K64388805
Component: Policy Enforcement Manager
Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.
Conditions:
System crashes when traffic flows and rules get executed on the flow.
Impact:
System crashes.
Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.
Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.
623885-4 : Internal authentication improvements
Solution Article: K41107914
623803-2 : General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
Solution Article: K12921801
Component: TMOS
Symptoms:
When SCTP profile is selected, the system posts a general DB error due to 'read access denied type Virtual Address profile SCTP'.
Conditions:
-- Log in to the GUI as a non-Admin user.
-- Select the SCTP profile from the GUI.
Impact:
Cannot get the SCTP profile.
Workaround:
Log in as an Admin user.
Fix:
A non-Admin user is now able to log in to the GUI, select the SCTP profile, and retrieve SCTP profile information correctly.
623562-3 : Large POSTs rejected after policy already completed
Component: Access Policy Manager
Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. Client will see a reset, and these error messages will appear on the BIG-IP:
/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big
/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960
Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.
Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.
Workaround:
Move the resource from '/' to another URL.
Fix:
The logic of '/' in this area was changed to be consistent with other URLs.
623518-1 : Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
Component: Fraud Protection Services
Symptoms:
If a profile is assigned to a user-defined partition, it is not possible to add users to User Enforcement list.
Also, if a user-defined partition is selected, the GUI will not display a message if there are available signature/engine updates.
Conditions:
Provision and license FPS.
Create user-defined partition.
Impact:
You are unable to manage the profile in the user-defined partition.
Workaround:
Use tmsh to add users.
Fix:
Users can be added to User Enforcement list and a message will be displayed if a new update is available.
623491-2 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
Component: Policy Enforcement Manager
Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.
Conditions:
A flow is associated with a PEM rule that has at least a BWC action along with a Gx reporting action.
Impact:
The traffic flow is not capped by the correct BWC action, instead it is capped by the maximum configured bandwidth in the BWC policy.
Fix:
The BWC policy is restored correctly after a policy update.
623401-1 : Intermittent OCSP request failures due to non-optimal default TCP profile setting
Component: TMOS
Symptoms:
The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.
Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.
Impact:
The BIG-IP as an SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added to the Server Hello message in the TLS handshakes to the SSL client.
Workaround:
The fix introduces an optimized TCP configuration for the connection between BIG-IP and the OCSP responder, which makes the connection reliable. The virtual server can therefore now always correctly staple the certificate status in the Server Hello message to the SSL client.
623391-5 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
Component: TMOS
Symptoms:
cpcfg fails with errors similar to:
Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.
Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.
Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size.
Workaround:
Run the below to fix /etc/mtab on target (HD1.3 is used in this example; substitute the correct target volume) before cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3
Fix:
cpcfg could incorrectly calculate the amount of free space required, refusing to do the copy unless the / filesystem on the target volume had sufficient space to do the copy (not taking into account /config, /usr, /var, and other filesystems). This has been resolved and this free space calculation is done correctly.
623336-4 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
Component: TMOS
Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.
Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)
Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.
This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.
Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:
1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
touch /service/mcpd/forceload && reboot
3. After reboot, verify that the two files match (they should have the same checksum):
md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.
623119 : Linux kernel vulnerability CVE-2016-4470
Solution Article: K55672042
623093-1 : TIFF vulnerability CVE-2015-7554
Solution Article: K38871451
623055-1 : Kernel panic during unic initialization
Component: TMOS
Symptoms:
During system initialization, the kernel panics during unic initialization.
Conditions:
This can occur on BIG-IP Virtual Edition if an error (e.g., on memory allocation or I/O) occurs during unic initialization.
Impact:
The kernel panics, system will not boot.
Fix:
Initialize resources to fail gracefully on error.
623037-2 : delete of pem session attribute does not work after an update
Component: Policy Enforcement Manager
Symptoms:
It is not possible to delete the session attribute through rules.
Conditions:
Rules with session attribute update and delete.
Impact:
Unable to delete the session attribute.
623023-1 : Unable to set DNS Topology Continent to Unknown via GUI
Component: Global Traffic Manager (DNS)
Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".
Conditions:
Attempting to configure a DNS Topology Record via the GUI.
Impact:
Unable to set the Continent field to 'Unknown' via GUI.
Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`
Fix:
The dropdown menu now has an option to select an "Unknown" Continent.
622913-2 : Audit Log filled with constant change messages
Component: Application Security Manager
Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:
Error 502 Bad Gateway when clicking "Application Security" logs
Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.
Impact:
Disk space usage and errors viewing the Application Security logs.
Workaround:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)
2) Enable ASM sync on a device group.
Fix:
Updates to the audit log are throttled at max 1/minute.
622877-1 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
Component: TMOS
Symptoms:
Messages like the following in /var/log/ltm:
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared
Conditions:
i2000 or i4000 series appliances with DDM enabled and a reboot or restart of the pfmand daemon.
Impact:
No functional impact, these are not valid DDM alarms or warnings.
Workaround:
Ignore DDM errors that clear right away after powerup or pfmand restart.
Fix:
During DDM initialization clear any alarms or warnings cached in the hardware registers.
622856-1 : BIG-IP may enter SYN cookie mode later than expected
Component: Local Traffic Manager
Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.
Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.
Impact:
BIG-IP does not enter SYN cookie mode at the expected time.
Workaround:
Disable verified accept on all VIP TCP profiles.
Fix:
BIG-IP correctly enters SYN cookie mode when the traffic pattern dictates that it should.
622790-1 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
Component: Access Policy Manager
Symptoms:
Edge Client takes a lot of time to disconnect when machine is moved to network with no connectivity to BIG-IP
Conditions:
* VPN is established
* Machine is moved to different network (with no BIG-IP) connectivity
* EdgeClient stays in "Disconnecting..." state for few minutes
Impact:
Users have to wait until the Disconnect procedure is complete.
Fix:
Edge Client now uses a 5000msec timeout to complete the logout HTTP request. This is enough under normal conditions.
622735 : TCP Analytics statistics does not list all virtual servers
Component: Application Visibility and Reporting
Symptoms:
In "Statistics :: Analytics : TCP", displaying the stats by virtual server will only allow the option of "Aggregated".
Conditions:
This occurs on virtual servers with the TCP Analytics profile attached.
Impact:
GUI does not list all virtual servers that have the TCP Analytics profile attached.
Fix:
Fixed an issue with displaying TCP Analytics statistics for virtual servers.
622662-7 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
622619-5 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
Component: TMOS
Symptoms:
MCPd cpu utilization is high and renders it unresponsive.
Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.
Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.
Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.
622496 : Linux kernel vulnerability CVE-2016-5829
Solution Article: K28056114
622386-1 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
Component: Application Security Manager
Symptoms:
Internet Explorer browsers will get into an endless loop of requests, never reaching the back-end server, when accessing a Virtual Server which is enabled with both the Web Scraping feature, and the Proactive Bot Defense, if the mode of Proactive Bot Defense is set to During Attacks.
Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.
Impact:
Internet Explorer browser users are getting blocked from accessing the back-end server.
Workaround:
Two options for workaround:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.
Fix:
Internet Explorer users are no longer blocked when accessing a Virtual Server which has both Web Scraping enabled, and Proactive Bot Defense set to During Attacks.
622281-1 : Network DoS logging configuration change can cause TMM crash
Component: Advanced Firewall Manager
Symptoms:
Whenever a DoS Network logging profile is assigned to or removed from a Virtual Server, a TMM crash can occur.
Conditions:
The problem happens only with runtime config change.
Any logging profile configuration that was already configured and is loaded on TMM startup does not have this problem. Because this problem is a one-time event on config change, the TMM restart picks up the config change and works without any problem after the one-time crash and TMM restart.
Impact:
Traffic disrupted while tmm restarts.
Fix:
An invalid memory reference after free caused the crash; this has been fixed.
622244-2 : Edge client can fail to upgrade when always connected is selected
Component: Access Policy Manager
Symptoms:
An attempt to upgrade an Edge client may fail if the Always Connected mode is enabled.
Conditions:
Always Connected is selected in BIG-IP when upgrading the client.
Impact:
The upgrade fails.
Workaround:
Disable the Always Connected mode.
Fix:
Upgrade functions as intended regardless of connection mode.
622220-2 : Disruption during manipulation of PEM data with suspected flow irregularity
Component: Policy Enforcement Manager
Symptoms:
tmm crashes.
Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.
622199 : sys-icheck reports error with /var/lib/waagent
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.
On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch
On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent
M - Mode differs (includes permissions and file type)
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with waagent that was causing sys-icheck to fail.
622194 : sys-icheck reports error with ssh_host_rsa_key
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub
ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub
Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with ssh_host_rsa_key and ssh_host_rsa_key.pub that was causing sys-icheck to generate an error.
622183-5 : The alert daemon should remove old log files but it does not.
Component: TMOS
Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.
Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.
Impact:
The log filesystem may become completely full, and new log messages cannot be saved.
Fix:
The alert daemon will now remove old log files as intended.
622178-1 : Improve flow handling when Autolasthop is disabled
Solution Article: K19361245
622133-1 : vCMP guests may obtain incorrect MAC addresses
Component: TMOS
Symptoms:
vCMP guests may be re-configured to use MAC addresses derived from an all-zero MAC address (00:00:00:00:00:00).
The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:
-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag
-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag
Conditions:
For this to manifest, the vCMP host's vcmpd process must have previously crashed or been killed.
In this scenario vcmpd, on restart, uses a default zero-based MAC address for the guests.
The guests do not use the new zero-based MAC until services are restarted on the guest, at which point the new MAC address takes effect.
Impact:
This can cause network issues and conflicts if it occurs on multiple guests in the same VLAN, because those guests will use the same MAC addresses.
Workaround:
Restart the guest from the hypervisor.
Fix:
vCMP no longer uses zero-based MACs on vcmpd crash/kill.
622126-1 : PHP vulnerability CVE-2016-7124
Solution Article: K54308010
622017-8 : Performance graph data may become permanently lost after corruption.
Solution Article: K54106058
Component: Local Traffic Manager
Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to backup the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.
However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.
Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.
Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.
Workaround:
Old performance graph data can be extracted from the var/rrd directory of a QKView taken prior to the beginning of the problem.
Fix:
Corrupt performance graph RRD data is now backed up to the /shared/rrd.backup directory during startup even if the directory already exists.
621976-4 : OneDrive for Business thick client shows JavaScript errors when rendering APM logon page
Component: Access Policy Manager
Symptoms:
OneDrive for Business thick client shows JavaScript errors when rendering the APM logon page.
Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.
Impact:
User experience is impacted; however, clicking through the JavaScript errors eventually leads to successful authentication and a working OneDrive for Business app.
Workaround:
Click through the JavaScript error dialogs.
Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.
621974-4 : Skype For Business thick client shows JavaScript errors when rendering APM logon page
Component: Access Policy Manager
Symptoms:
Skype For Business thick client shows JavaScript errors when rendering the APM logon page.
Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.
Impact:
User experience is impacted; however, clicking through the JavaScript errors eventually leads to successful authentication and a working Skype For Business app.
Workaround:
Click through the JavaScript error dialogs.
Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.
621957-2 : Timezone data on AOM not syncing with host
Component: TMOS
Symptoms:
Updating the timezone on the host does not sync to the AOM, because certain tzdata files are placed in the wrong directories.
Conditions:
A system using tzdata version v2016i-1 may encounter this problem. If the following files exist:
/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab
then the system has this problem.
Impact:
Time on the AOM is incorrect.
Workaround:
If the following files exist:
/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab
move them to:
/usr/share/zoneinfo/F5zone.tab
/usr/share/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/F5zone.tab
Fix:
Timezone data on AOM now syncs correctly with host again
621937-1 : OpenSSL vulnerability CVE-2016-6304
Solution Article: K54211024
621935-6 : OpenSSL vulnerability CVE-2016-6304
Solution Article: K54211024
621909-4 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
Solution Article: K23562314
Component: TMOS
Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.
Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.
Impact:
Uneven traffic distribution.
Workaround:
None.
Fix:
This release fixes uneven egress trunk distribution on the BIG-IP 5000 or 10000 platforms when there is an odd number of ports.
621870-2 : Outage may occur with VIP-VIP configurations
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.
Conditions:
VIP-VIP configuration
Impact:
System outage
Workaround:
None.
621808-1 : Proactive Bot Defense failing in IE11 with Compatibility View enabled
Component: Advanced Firewall Manager
Symptoms:
Internet Explorer 11 browsers that have "Compatibility View" enabled (under the Compatibility View Settings menu in IE) fail the JavaScript challenge when Proactive Bot Defense is enabled and the "Block requests from suspicious browsers" checkbox is checked.
The challenged request is blocked with a TCP RST, and the browser shows "This page can’t be displayed".
Conditions:
1. The DoS profile attached to the virtual server has Proactive Bot Defense enabled and the "Block requests from suspicious browsers" checkbox checked.
2. Internet Explorer 11 browsers in which the site's domain has been added to "Compatibility View Settings" in the browser's menu.
Impact:
Legitimate browsers get blocked when accessing the site.
Workaround:
None
Fix:
Internet Explorer 11 browsers with "Compatibility View" enabled on the site no longer get blocked when Proactive Bot Defense is enabled on the DoS profile.
621736-6 : statsd does not handle SIGCHLD properly in all cases
Component: Local Traffic Manager
Symptoms:
- Performance graphs are not updating or do not exist.
- proc_pid_stat shows statsd CPU time not increasing.
- top also shows that statsd is not consuming any processor time.
In fact, statsd is stuck on a wait inside a signal handler.
Conditions:
If statsd receives a SIGCHLD signal it will get stuck and not process anything.
The following sequence can trigger the issue:
- rm -rf /shared/rrd.backup
- sed -i "s/^#CRC.*$/#CRC $RANDOM/" /var/rrd/throughput.info
- kill -HUP $(pgrep -f /usr/bin/statsd)
Impact:
No performance graphs are collected / generated
Workaround:
Restart statsd:
- bigstart restart statsd
621682-1 : Portal Access: problem with specific JavaScript code
Component: Access Policy Manager
Symptoms:
Portal Access does not rewrite JavaScript code in which a try...catch statement is immediately followed by a regular expression literal.
Conditions:
JavaScript code like follows:
try {} catch (e) {} /aaa/.test(b)
Impact:
Web application may not work correctly.
Fix:
A try/catch statement followed by a regular expression literal in JavaScript code is now handled correctly by Portal Access.
621524-2 : Processing Timeout When Viewing a Request with 300+ Violations
Component: Application Security Manager
Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.
Conditions:
Attempting to view a request that triggered hundreds or thousands of violations
Impact:
A timeout is encountered.
Workaround:
Increase the "max_execution_time" timeout in /usr/local/lib/php.ini from 30 to 240 seconds.
Fix:
Processing high violation requests is now more efficient.
621452-1 : Connections can stall with TCP::collect iRule
Solution Article: K58146172
Component: Local Traffic Manager
Symptoms:
Connection does not complete.
Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.
-- The initial sequence number (ISN) in the SYN, plus the length of the data in the first packet, plus 1, is greater than or equal to 2^31.
Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.
Impact:
Connection fails.
Workaround:
There is no workaround at this time.
Fix:
The system now properly sets the state variables associated with TCP::collect.
621447-1 : In some rare cases, VDI may crash
Component: Access Policy Manager
Symptoms:
VDI process crashes and connections to VDI resources are aborted.
Conditions:
VDI receives unexpected session variable result which is meant for some other VDI thread.
Impact:
Existing VDI connections are aborted and the user needs to login again.
Fix:
VDI now handles the error condition gracefully and does not crash.
621423 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:
ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /config/ssh/ that was causing sys-icheck to report errors.
621422 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
Component: TMOS
Symptoms:
A 1G optic is inserted in a port that only supports 10G optics, or a 10G optic is inserted in a port that only supports 1G optics.
The invalid optic may show a link light, and no warning appears on the LCD.
Conditions:
i2000 or i4000 platforms ports do not auto-negotiate between 1G and 10G optics. Ports are assigned to one or the other speed.
Impact:
User may not understand why optic is not working correctly
Workaround:
Move the optic to the correct port.
621401 : When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load
Component: Device Management
Symptoms:
When BIG-IQ is monitoring more than one BIG-IP in an HA cluster, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.
Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.
Impact:
AVR reporting will stop functioning.
Workaround:
bigstart restart restjavad
621386-1 : restjavad spawns too many icrd_child instances
Solution Article: K91988084
Component: TMOS
Symptoms:
icrd_child process keeps crashing and can lead to an out-of-memory condition.
Conditions:
This occurs due to a race condition while restarting the icrd daemon.
Impact:
icrd might crash.
Workaround:
None.
Fix:
Fixed race condition that caused the system to run out of memory by spawning too many icrd_child processes.
621374-1 : "abbrev" argument in "whereis" iRule returns nothing
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule [whereis <ip|ldns> abbrev] does not return a value.
Conditions:
iRule relying on whereis abbrev is used.
Impact:
The whereis iRule command will not return the expected value.
621371-2 : Output Errors in APM Event Log
Solution Article: K43523962
621337-6 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
Solution Article: K97285349
621273-1 : DSR tunnels with transparent monitors may cause TMM crash.
Component: TMOS
Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.
Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM does not crash.
621259-3 : Config save takes long time if there is a large number of data groups
Component: TMOS
Symptoms:
Config save takes a long time to complete
Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration
Impact:
When the save takes longer than 90 seconds, the SOAP iControl call times out.
This makes it impossible to manage the device via EM.
621242-1 : Reserve enough space in the image for future upgrades.
Component: TMOS
Symptoms:
Increased the reserved free space in the VM image from 15% to 30% to accommodate upgrades to future versions. Each successive version tends to be larger and to require more disk space to install. The increased reserved space allows upgrading to at least the next 2 versions.
Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).
Impact:
Extends the disk image to reserve more disk space for upgrades.
Workaround:
N/A
Fix:
Increased the reserved free space on VE images.
621239-2 : Certain DNS queries bypass DNS Cache RPZ filter.
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.
Conditions:
A DNS Cache configured with RPZ.
Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.
Fix:
The DO-bit is now ignored with respect to RPZ filtering.
621233-1 : FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm
Solution Article: K49440608
621225 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
Component: TMOS
Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.
Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.
Impact:
They are false alarms in the log. The associated interfaces do not have said PCI devices.
Fix:
Removed the possibility of getting false alarm messages in the LTM log for front panel interfaces 1.0-6.0 that claim, "PCI Device not found for Interface X.0".
621210-2 : Policy sync shows as aborted even if it is completed
Component: Access Policy Manager
Symptoms:
After syncing a policy in a sync-only device group, the policy appears to be synced to the target successfully, however, the remote HA pair devices show status as canceled/aborted.
Conditions:
It is not known exactly what triggers this condition. It was observed in a 4-device trust group consisting of 2 sync/failover groups and a single sync-only device group for all 4 devices. After the sync the status reported as cancelled/aborted.
Impact:
Sync status is displayed incorrectly, even after the sync was successful.
Workaround:
None.
Fix:
Policy sync now shows as completed when it is completed.
621126-2 : Import of config with saml idp connector with reuse causes certificate not found error
Component: Access Policy Manager
Symptoms:
Exporting, and then importing with reuse, a configuration that includes a SAML IdP connector fails with an "Object not found" or "Certificate not found" error:
Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.
Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.
Impact:
Importing fails.
Workaround:
On the source box: disconnect the IdP configuration, then export the config.
On the destination box: recreate the IdP configuration, import, then reconnect it.
Fix:
Importing with reuse is fixed.
621115-1 : IP/IPv6 TTL/hoplimit may not be preserved for host traffic
Component: Performance
Symptoms:
Traffic to and from the Linux host has TTL set to 255 or hop limit set to 64. This may impact any protocols that scrutinize the TTL such as IGMP or BGP.
Conditions:
IP/IPv6 TTL/hoplimit for host traffic.
Impact:
IGMP packets will not be passed from TMM to the Linux host and remote routers may reject IGMP packets from the BIG-IP.
BGP neighbors may reject packets from the BIG-IP.
Workaround:
Adjust TTL verification restrictions on peer devices.
Fix:
The IP/IPv6 TTL/hoplimit of host traffic is no longer modified when it traverses TMM.
620929-4 : New iRule command, MR::ignore_peer_port
Component: Service Provider
Symptoms:
For incoming connections where the client used an ephemeral source port, subsequent connections from the same client may arrive on a different ephemeral port. Without a way to identify the current connection as equivalent to other connections from the same IP, it is not discoverable as an equivalent connection.
Conditions:
Incoming connections where the client used an ephemeral source port, with subsequent connections from the same client arriving on a different ephemeral port.
Impact:
The current connection cannot be identified as equivalent to other connections from the same IP, so it is not discoverable as an equivalent connection.
Workaround:
Without this change, a new connection would need to be created to the client.
Fix:
The new iRule command MR::ignore_peer_port allows the script author to mark the current connection as equivalent to other connections whose IP address and route domain ID match.
620903-1 : Decreased performance of ICMP attack mitigation.
Component: Performance
Symptoms:
Decreased performance of ICMP attack mitigation.
Conditions:
A BIG-IP is under attack, for example an ICMP flood attack.
Impact:
Decreased performance of ICMP attack mitigation.
Workaround:
NA
Fix:
Increased performance of ICMP attack mitigation.
620829-2 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with a literal object definition whose field names are reserved keywords, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
None.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
620801-3 : Access Policy is not able to check device posture for Android 7 devices
Component: Access Policy Manager
Symptoms:
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve device MAC address and hence APM is not able to check for device compliance against configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item.
If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.
Conditions:
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status
- User accesses APM from an Android 7 device using F5 Edge Client app.
Impact:
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.
Workaround:
This workaround only applies to IBM Maas360:
Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:
session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}
And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:
session.client.platform = expr {[mcget session.client.platform_tmp]}
Fix:
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.
620788-1 : FQDN pool created with existing FQDN node has RED status
Solution Article: K05232247
Component: Local Traffic Manager
Symptoms:
After creating an FQDN pool using an existing FQDN node, the pool has RED status.
Conditions:
-- Existing FQDN node.
-- Pool created with an existing FQDN node as a member.
Impact:
Traffic will not pass in this pool.
Workaround:
As a workaround, follow these steps:
1. Delete the existing FQDN node.
2. Create a new one.
3. Create a pool that includes the new FQDN node.
Fix:
When creating an FQDN pool with an existing FQDN node, the pool status now reflects the actual monitor status.
620782 : Azure cloud now supports hourly billing
Component: TMOS
Symptoms:
Prior to 12.1.2 hourly billing was not supported in Azure cloud.
Conditions:
Any version prior to 12.1.2 in Azure Cloud
Impact:
Hourly billing not possible
Fix:
With 12.1.2 hourly billing is now supported in Azure.
620659-3 : The BIG-IP system may unnecessarily run provisioning on successive reboots
Component: TMOS
Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'
During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'
Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).
Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.
The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
<13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB
The /var/log/tmm logfile on the vCMP guest will contain:
<13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
<13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
<13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **
Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.
Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.
620635-2 : Request having upper case JSON login parameter is not detected as a failed login attempt
Component: Application Security Manager
Symptoms:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.
Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ JSON login parameter with an upper-case character
Impact:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.
Workaround:
N/A
Fix:
JSON login parameters are now always treated as case sensitive, regardless of the ASM policy's case-sensitivity setting.
620625-2 : Changes to the Connection.VlanKeyed DB key may not immediately apply
Solution Article: K38094257
Component: Local Traffic Manager
Symptoms:
Changes to the Connection.VlanKeyed DB key may not immediately apply to all TMMs
Conditions:
The Connection.VlanKeyed DB key is changed
Impact:
Asymmetrically routed connections may fail with Connection.VlanKeyed disabled
Workaround:
Restarting TMM will resolve the issue, though this will interrupt traffic so should be performed during a maintenance window. To do so, run one of the following tmsh commands:
-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm
Fix:
Asymmetrically routed connections no longer fail with Connection.VlanKeyed disabled.
620614-4 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
Component: Access Policy Manager
Symptoms:
iOS Citrix Receiver fails to add a new store account: tapping Save after providing the credentials displays "Loading" and then returns to the previous Save option.
/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.
Either the above error appears, or the following error, which deletes the session ID abruptly:
Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).
Conditions:
APM is configured with Citrix replacement mode. Wrong passcode values are entered for RSA SecurID authentication three times in a row, which triggers the next-token prompt, and the right passcode is entered on the fourth attempt. APM session rotation is enabled.
Impact:
iOS Citrix receiver could not add the account after providing wrong token values for two factor auth
Workaround:
Kill the iOS Citrix receiver application and click on the receiver again to add the account.
Fix:
The right session ID is now used when decrypting the password.
620543-1 : Security Address Lists and Port Lists can't change Description field
Component: Advanced Firewall Manager
Symptoms:
'Description' does not get saved when a user creates an Address List or Port List.
Conditions:
Create an Address List/Port List with a description, and click 'Finished'. The Address/Port List is created, but the description is not saved.
Impact:
Users will not be able to save description when Address List/Port List gets created via GUI.
Workaround:
Use tmsh to create Address/Port List.
Fix:
'Description' is now saved when a user creates an Address List or Port List.
620400-1 : TMM crash during TLS processing
Solution Article: K21154730
620366-4 : Alertd can not open UDP socket upon restart
Component: TMOS
Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener
Conditions:
alertd has spawned a long-running process (e.g. ntpd) which does not close inherited file descriptors.
Impact:
alertd fails to restart
Fix:
Mark alertd file descriptors for automatic closure in child processes.
620215-5 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The fix was to properly handle the failure allocating memory.
620079-3 : Removing route-domain may cause monitors to fail
Component: Local Traffic Manager
Symptoms:
Removing route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.
Conditions:
Route-domain is removed and icmp/gateway-icmp monitor is used.
Impact:
The monitor marks nodes down, resulting in a partial service outage.
Workaround:
Restart bigd (bigstart restart bigd).
620056-1 : Assert on deletion of paired in-and-out IPsec traffic selectors
Component: TMOS
Symptoms:
When two traffic selectors, one in and one out, mirror each other by reversing source and destination addresses, deleting one of them can misfire an assert, restarting tmm.
Conditions:
Defining two clearly related traffic selectors, one for in and one for out, can confuse a later check of their names.
Impact:
When a traffic selector is deleted, from such a pair, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.
Workaround:
Using one traffic selector with direction=both would avoid the problem, before this change appears in a release.
Fix:
The confusion over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors -- identical except for reversed source and destination -- will work correctly for IKEv1 configs. For IKEv2 it is still best to use single TS instances with direction=both.
619879-1 : HTTP iRule commands could lead to WEBSSO plugin being invoked
Component: Access Policy Manager
Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor
With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))
Conditions:
HTTP::disable followed by HTTP::enable, for example:
when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other stuff
    HTTP::enable
}
Impact:
The client receives an HTTP 503 reset.
Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.
Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.
619849-4 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGABRT (killed by sod)
Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profile, while handling traffic.
This issue occurs extremely rarely.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified-accept.
Fix:
The loop is fixed.
619844-2 : Packet leak if reject command is used in FLOW_INIT rule
Component: Local Traffic Manager
Symptoms:
TMM memory usage (packets) increases steadily over time.
Conditions:
'reject' command is used in a FLOW_INIT rule
Impact:
Packet leak over time will consume TMM memory.
Workaround:
Do not use reject command in FLOW_INIT iRule
619811-2 : Machine Cert OCSP check fails with multiple Issuer CA
Component: Access Policy Manager
Symptoms:
If there are multiple CAs in the CA bundle and the issuing CA is not first in it, the OCSP responder returns an "unauthorized" response.
Conditions:
This can only happen when the issuing CA is not first in the CA file.
Impact:
The OCSP check in Machine Cert will fail and the user will not be able to follow the successful branch in the Access Policy. This might result in an authentication failure even though the machine cert is valid.
Workaround:
Use iRule Event and variable Assign agent in between Machine Cert and OCSP Auth agent.
Follow these steps:
iRule:
1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"
Variable Assign:
3) Read this issuer cert from the session db and assign it back to the same session variable:
session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }
Fix:
Issuer cert is now looked up and set properly from the CA bundle. So there is no longer any failure response from OCSP responder.
619757-1 : iSession causes routing entry to be prematurely freed
Component: Wan Optimization Manager
Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.
Conditions:
iSession-enabled virtual.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No reasonable workaround short of not using iSession functionality.
Fix:
iSession no longer causes routing entries to be prematurely freed.
619663-3 : Terminating of HTTP2 connection may cause a TMM crash
Solution Article: K49220140
Component: Local Traffic Manager
Symptoms:
TMM crashes when an HTTP2 connection is being terminated on the client and server sides concurrently.
Conditions:
-- HTTP2 profile is configured and assigned to a virtual server.
-- A client SSL profile is also used on the same virtual server.
-- Client interrupting a connection and server terminating a connection at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A fix stops HTTP2 from further processing when a connection is terminating, preventing the TMM crash for this reason.
619528-4 : TMM may accumulate internal events resulting in TMM restart
Component: Local Traffic Manager
Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.
Conditions:
HTTP virtual with long-lived connections.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.
Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.
619516-1 : Inconsistencies in Automatic sync ASM Device Group
Component: Application Security Manager
Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.
Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.
Impact:
This can cause any of the following depending on the change:
-- Superfluous full sync operations.
-- Updating the wrong element on the remote devices.
-- Missing changes on the remote devices.
Workaround:
Disable automatic sync on the device group, and periodically push changes manually.
Fix:
Calls are correctly propagated across Automatic sync Device Groups with ASM enabled.
619486-3 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
Component: Access Policy Manager
Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access could fail if the application modifies the window.self built-in object. As a result, the application stops working and may log an undefined variable/reference exception in the Developer Tools console.
To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.
Conditions:
This can occur if a web application has JavaScript that modifies the value of window.self.
Impact:
Affected web-applications will not work when accessed through Portal Access.
Workaround:
None
Fix:
Scripts on pages accessed through Portal Access are no longer failing when web application code modifies window.self.
619473-2 : Browser may hang at APM session logout
Component: Access Policy Manager
Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.
Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.
Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.
Fix:
The browser no longer hangs at logout from an APM session with RDP client and/or VMware View client.
619410-1 : TMM hardware accelerated compression not registering for all compression levels.
Component: TMOS
Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.
Conditions:
-- Compression requests for DEFLATE/gzip/zlib levels other than level 1.
-- BIG-IP devices using Coleto Creek SSL hardware acceleration.
Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.
Workaround:
None.
Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip/zlib compression levels, not just level 1.
619398-7 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The fix was to properly handle the failure allocating memory.
619250-1 : Returning to main menu from "RSS Feed" breaks ribbon
Component: Access Policy Manager
Symptoms:
When you go to the "RSS Feed" configuration page for Document, Picture Library, List etc., go back to the SharePoint Dashboard using the link at the top pointing to "RSS FEED for ...", and then click any option on the ribbon, you get "500 Internal Server Error" and the ribbon stops working. When you use the built-in browser "go back" button instead, everything works.
Conditions:
"500 Internal Server Error" occurred. Ribbon stops working.
Impact:
Ribbon stops working.
Workaround:
Use built-in browser "go back" button instead.
Fix:
After returning to the main menu from "RSS FEED for ...", the ribbon continues to work. No more "500 Internal Server Error".
619158-1 : iRule DNS request with trailing dot times out with empty response
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.
Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.
Impact:
The request does not properly resolve to an IP address.
Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.
Fix:
Domain names with trailing dots are properly resolved from iRules. The trailing dot is stripped when the request is saved to later match with the response.
619110-1 : Slow to delete URLs, CPU spikes with Automatic Policy Builder
Component: Application Security Manager
Symptoms:
Deleting a URL causes an incorrect event to be generated and logged for every other URL in the Policy.
When a policy has many URLs configured, deleting a URL takes a long time and consumes heavy CPU time.
Conditions:
Many URLs are configured in the Policy.
This can be due to Policy Builder being set to "Always" learn new HTTP URLs.
If Policy Builder is also configured to collapse common URLs to wildcards, then it deletes the collapsed URLs, and these calls can be resource intensive.
Impact:
1) GUI is slow to delete URLs
2) Misleading (incorrect) logs are present in the audit log for each other URL in the system after a URL delete.
3) CPU can spike to 100%
Workaround:
A) Change "Learn New HTTP URLs" mode to "Selective" from "Always"
B) Disable collapse URLs.
Fix:
URL delete no longer incorrectly generates an event for every other URL in the system.
619097 : iControl REST slow performance on GET request for virtual servers
Component: TMOS
Symptoms:
Performing a GET request on a BIG-IP with a large number of virtual servers may result in slow performance and timeout errors.
Conditions:
When a significant number of virtual servers reference persistence profiles.
Impact:
Unable to perform large GET query on virtual servers.
Workaround:
None.
Fix:
Improved iControl REST performance when performing a GET request on a BIG-IP with a large number of persistence profiles on virtual servers.
619071-3 : OneConnect with verified accept issues
Component: Local Traffic Manager
Symptoms:
System may experience an outage.
Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed
Impact:
System outage.
Workaround:
Disable verified accept when used with OneConnect on a VIP.
Fix:
Verified accept, OneConnect and hardware syncookies work correctly together.
619060 : Reduction in boot time in BIG-IP Virtual Edition platforms
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) version has experienced increased boot time.
Conditions:
The increased boot time occurs each time a VE is booted.
Impact:
Long boot time, longer than previous releases.
Workaround:
None.
Fix:
Reduction in boot time in BIG-IP Virtual Edition platforms.
618957-1 : Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
Component: Access Policy Manager
Symptoms:
BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such a metadata file contains two certificates (one with 'signing' and one with 'encryption' use), BIG-IP imports the certificate positioned second in the metadata twice.
Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'
Impact:
There is no impact if in metadata signing and encryption certificates are the same. If certificates are different - SAML SSO may not function properly due to incorrect certificate imported in configuration.
Workaround:
Import certificates manually, and assign them to the SAML SP connector created from metadata.
Fix:
Issue is now fixed: both certificates are imported correctly.
618944-1 : AVR statistics are not saved during the upgrade process
Component: Application Visibility and Reporting
Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.
Conditions:
AVR statistics were collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.
Impact:
Old AVR statistics will be lost
Workaround:
1. Before the upgrade, edit the following file:
./usr/libdata/configsync/avr_save_pre
2. Replace the following line (the test expression is missing the -o before the asm check):
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "
with
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "
Fix:
AVR upgrade script fixed.
618905-1 : tmm core while installing Safenet 6.2 client
Component: Local Traffic Manager
Symptoms:
tmm core while installing Safenet 6.2 client.
Conditions:
Safenet 6.2 client installation
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm core related to Safenet 6.2 client installation.
618902-4 : PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation
Component: Advanced Firewall Manager
Symptoms:
Each time the Packet Classification Compiler Daemon (PCCD) process recompiles rules due to configuration changes, it loses approximately 20 bytes or more (depends on the rule complexity) due to small memory leak.
Conditions:
This occurs when making changes to the firewall configuration when AFM is configured.
Impact:
This can potentially lead to an out-of-memory situation if the system runs for a long time without reboot and PCCD continuously recompiles due to frequent configuration changes.
Workaround:
None.
Fix:
The PCCD memory leak was identified and fixed.
618779-1 : Route updates during IPsec tunnel setup can cause tmm to restart
Component: TMOS
Symptoms:
During the setup of IPsec tunnel flows, tmm depends on a valid route being available towards the remote peer to correctly create the IPsec inbound tunnel flows. The absence of the route at this stage causes tmm to crash and restart. This is more likely to happen if the route towards the endpoint is dynamic.
Conditions:
IPsec tunnels are being set up with a given remote peer and the route towards that peer is not reliably present (as in the case of dynamic route updates).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that there is always a valid route towards each of the remote peers.
Fix:
The tmm process no longer restarts if there is no valid route towards the remote peer during IPsec tunnel setup.
618771-1 : Some Social Security Numbers are not being masked
Component: Application Security Manager
Symptoms:
ASM does not block or mask some SSN numbers.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contain social security numbers in specific ranges.
Impact:
The traffic passes to the end client neither masked nor blocked.
Workaround:
None.
Fix:
The system now correctly masks and/or blocks all relevant social security numbers.
618657-4 : Bogus ICMP unreachable messages in PEM with ipother profile in use
Component: Policy Enforcement Manager
Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.
Conditions:
A VS with ipother profile configured together with the PEM profile. In the field defect the additional piece needed was the missing classification, but this is due to code ordering, so in non-fixed versions this can also happen with the classification profile present.
Impact:
Unnecessary ICMP traffic
Fix:
Fixed an issue related to unnecessary ICMP traffic in the PEM filter.
618656-2 : JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
Component: Advanced Firewall Manager
Symptoms:
The JavaScript challenge is repeating in a loop on Firefox on URLs which are longer than 1033 characters. The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.
Conditions:
URLs are longer than 1033 characters, AND:
Users are using the Firefox browser, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.
Impact:
Requests to URLs longer than 1033 will be blocked on Firefox, and the browser will repeat the challenge in a loop.
Workaround:
None
Fix:
The JavaScript challenge no longer gets stuck in a loop on Firefox, on URLs which are longer than 1033 characters.
618549-1 : Fast Open can cause TMM crash CVE-2016-9249
Solution Article: K71282001
618517-1 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
Solution Article: K61255401
Component: Local Traffic Manager
Symptoms:
- In v11.6.1, bigd reports pool members were marked down that are not actually down, and logs messages similar to the following in the ltm log file:
warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.
- Because of changes in the v12.1.x software, although the problem is still present, it has negligible impact.
Conditions:
-- Monitoring is in use.
-- bigd debug logging is enabled.
-- The bigd debug log file (/var/log/bigdlog) is full.
Impact:
- On v11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.
- In v12.1.x, some of the underlying logging code changed, and there is no real impact.
Workaround:
Prevent the log file from getting full. To do so, rotate the log file using the following command:
logrotate -f bigdlog
Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.
618506 : TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
Component: Access Policy Manager
Symptoms:
TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
Conditions:
APM is provisioned and access profile is attached to the virtual.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Correctly handle session DB data in APM to prevent memory segmentation fault.
618430-2 : iRules LX data not included in qkview
Component: Local Traffic Manager
Symptoms:
Qkview does not contain any of the iRuleLX information.
Conditions:
N/A
Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.
Fix:
The following ILX information was added to the qkview:
TMSH commands:
list ilx workspace all-properties
list ilx plugin all-properties
list ilx global-settings (13.0.0+)
list ltm profile ilx all-properties (13.0.0+)
show ilx plugin all
show ltm profile ilx all (13.0.0+)
The files in the following folders:
/var/ilx - master copies of workspaces
/var/sdm - running files of the plugins
/var/log/ilx - ILX specific logs
618428 : iRules LX - Debug mode does not function in dedicated mode
Component: Local Traffic Manager
Symptoms:
If the debug option is enabled in dedicated mode, some of the nodejs processes can sometimes be allocated an "in-use" port, which prevents them from starting successfully.
By design every process is guaranteed a debug port in the configured range as long as there are enough ports available in the system. In-use ports are skipped, so consecutive port allocation is not guaranteed.
Conditions:
Some of the ports in the range are busy.
Impact:
Some of the nodejs processes fail to start which prevents normal iRuleLX operation.
Workaround:
Consult netstat output and set debug-port-range-low to a higher value (e.g. 10000+) to minimise the chance of a port conflict.
618421 : Some mass storage is left un-used
Component: TMOS
Symptoms:
It is intended that all mass storage capacity be available for use by application data, site-local configuration, or software. In some conditions, about 10% of the mass storage capacity is not made available for application data.
Conditions:
This occurs on the BIG-IP i-Series platforms.
Impact:
Applications that use a lot of storage may not function optimally.
Fix:
The storage is optimally reallocated.
618404-1 : Access Profile copying might end up invalid for certain series of names.
Component: Access Policy Manager
Symptoms:
After copying an access policy, you receive an error when trying to open the copy: "Unable to load accessPolicy '/Common/my_policy_access_1_1' from source."
Conditions:
When items with names ending with _#_#_1 and _#_#_2, _# reduction is working.
Impact:
Unable to copy policy properly.
Workaround:
Export policy, import with reuse.
Fix:
Copying is fixed for these conditions.
618382-4 : qkview may cause tmm to restart or may take 30 or more minutes to run
Component: TMOS
Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.
Conditions:
This can occur on the following versions:
- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1
This can occur when the BIG-IP is heavily loaded and while running the qkview command.
Impact:
Qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.
Workaround:
Do not run the qkview command if the device is heavily loaded.
Fix:
Removed offending "show sys connection" command from qkview utility.
618324-1 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
Component: Access Policy Manager
Symptoms:
When upgrading from OPSWAT SDK V3 to V4, opening an Access Policy in VPE when one of the OPSWAT checkers (e.g. the Anti-Virus checker) contains an Undefined (i.e. previously defined but now out of support) ID displays it as "Any." The correct display should be "Unsupported" or "Invalid" product.
Conditions:
Incorrect information is displayed.
Impact:
Incorrect information is displayed.
Workaround:
N/A
Fix:
Correct (*** Invalid ***) information is displayed.
618306-2 : TMM vulnerability CVE-2016-9247
Solution Article: K33500120
618263-1 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
618261-6 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
618254-4 : Non-zero Route domain is not always used in HTTP explicit proxy
Component: Local Traffic Manager
Symptoms:
You may experience connectivity failure in certain situations where sideband communications are required as part of the transaction.
Conditions:
BIG-IP has http-explicit configuration, where a sideband connection is required, say in the case of getting an OCSP response or a DNS resolver response when those services are associated with a different route domain.
Impact:
End-to-end connectivity failure.
Workaround:
Change configuration so that all services required are on the default route domain, 0.
618185-1 : Mismatch in URL CRC32 calculation
Component: Fraud Protection Services
Symptoms:
In some cases URL CRC32 calculated by JS does not match referrer CRC32 calculated by Plugin.
Conditions:
Each of the following conditions causes this problem:
1. CRC32 calculated for URL with path parameters while strip_path_parameters BigDB variable value is 'true'.
2. CRC32 calculated for URL with a fragment (hashmark '#') in query string.
Impact:
A component validation alert is triggered as a result of mismatch between URL CRC32 calculated by JS and referrer CRC32 calculated by Plugin.
Workaround:
No workaround.
Fix:
strip_path_parameters BigDB variable value is passed to JS and JS URL normalization before CRC32 calculation is now similar to the one Plugin does.
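The following is an added illustration of how the mismatch above arises and why identical normalization on both sides removes it; it is not F5 or FPS code, and the normalization rules (drop the fragment, optionally strip ';param' path parameters) are an assumption standing in for the plugin's own.

```python
"""Added illustration of the URL CRC32 mismatch (not F5/FPS code).
The normalization below (drop fragment; optionally strip ';param' path
parameters) is an assumption standing in for the plugin's own rules."""
import zlib
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str, strip_path_parameters: bool) -> str:
    """Canonical form both sides must agree on before hashing."""
    parts = urlsplit(url)
    path = parts.path
    if strip_path_parameters:  # mirrors the strip_path_parameters BigDB variable
        path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # The fragment is never sent on the wire, so the plugin never sees it:
    # it has to be dropped on the JS side as well.
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


def url_crc32(url: str) -> int:
    return zlib.crc32(url.encode("utf-8")) & 0xFFFFFFFF


def js_crc32_before_fix(page_url: str) -> int:
    """Pre-fix behaviour: the page's JS hashed the URL exactly as the browser saw it."""
    return url_crc32(page_url)


def js_crc32_after_fix(page_url: str, strip_path_parameters: bool) -> int:
    """Post-fix behaviour: JS normalizes the same way the plugin does."""
    return url_crc32(normalize_url(page_url, strip_path_parameters))


def plugin_crc32(referer: str, strip_path_parameters: bool) -> int:
    """Plugin side: hashes the normalized Referer of the following request."""
    return url_crc32(normalize_url(referer, strip_path_parameters))


def referer_for(page_url: str) -> str:
    """Constructed helper: browsers omit the fragment from the Referer header."""
    return page_url.split("#", 1)[0]


def component_validation_alert(js_crc: int, plugin_crc: int) -> bool:
    """True when the mismatch described in the Impact section would fire."""
    return js_crc != plugin_crc


if __name__ == "__main__":
    # Constructed sample URL exercising both conditions: path parameters and a fragment.
    page = "https://bank.example/app;v=2/login;jsessionid=abc?x=1#top"
    ref = referer_for(page)
    print("before fix, alert:", component_validation_alert(js_crc32_before_fix(page), plugin_crc32(ref, True)))
    print("after fix, alert: ", component_validation_alert(js_crc32_after_fix(page, True), plugin_crc32(ref, True)))
```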
618170-3 : Some URL unwrapping functions can behave badly
Component: Access Policy Manager
Symptoms:
Some URL unwrapping functions can behave incorrectly with different web application malfunctions as a result.
Conditions:
JavaScript with "location.pathname" like fields at the right side of an expression.
Impact:
Different web application malfunctions. One example is SharePoint 2010 using IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.
Fix:
Fixed.
618161-1 : SSL handshake fails when clientssl uses softcard-protected key-certs.
Component: Local Traffic Manager
Symptoms:
SSL handshake fails when clientssl uses softcard-protected key-certs.
Conditions:
Softcard-protection is enabled and token protection is disabled.
Impact:
SSL handshake fails
Workaround:
None known.
Fix:
SSL handshake no longer fails when clientssl uses softcard-protected key-certs.
618121 : "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
Component: Local Traffic Manager
Symptoms:
"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x
Conditions:
When the RTSP_RESPONSE event and "persist add" iRule are used and upgrade to v12.x.x.
Impact:
"persist add" iRule validation failed. The iRule will not be loaded.
Workaround:
A possible workaround is to bypass validation by building the persist command at RULE_INIT time and evaluating it in the event:
when RULE_INIT {
    set static::persist_cmd { persist add uie $SessionID $static::persist_timeout }
}
when RTSP_RESPONSE {
    set SessionID [RTSP::header value "Session"]
    if { $SessionID != "" } {
        # persist add uie $SessionID $static::persist_timeout
        eval $static::persist_cmd
    }
}
617986-2 : Memory leak in snmpd
Component: TMOS
Symptoms:
Memory usage in snmpd increases until the OOM killer kills snmpd.
Conditions:
BIG-IP configured with virtual servers that have the same destination IP address
Impact:
SNMP is disrupted while snmpd restarts.
Workaround:
No workaround
Fix:
Fixed memory leaks.
617935 : IKEv2 VPN tunnels fail to establish
Component: TMOS
Symptoms:
IKEv2 VPN tunnels fail to establish.
Conditions:
This occurs with IKEv2 on a specific 12.1.2 HF1 engineering hotfix.
Impact:
IPsec IKEv2 VPN tunnels fail to establish.
Workaround:
Use IPsec IKEv1.
Fix:
IKEv2 VPN tunnels now establish as expected.
617901-1 : GUI to handle file path manipulation to prevent GUI instability.
Component: TMOS
Symptoms:
Request file path may be incorrectly processed
Conditions:
Authenticated administrative user makes a GUI request
Impact:
The GUI becomes unstable because it cannot process the request.
Fix:
Redirect the user to a No Access page.
617875-1 : vCMP guest may fail to start due to not enough hugepages
Component: TMOS
Symptoms:
In rare cases, when there are many vCMP guests, the last one may fail to start because the system has apparently leaked a few 2M hugepages. The shortfall so far has been very small, 5 - 20 hugepages missing, but occasionally this is enough that the last guest can not start.
Conditions:
It is not yet known what triggers this.
Impact:
vCMP guest fails to start.
Workaround:
Once in this state, only restarting the host system seems to clear the condition. Restarting the vCMP guests does not appear to help.
Fix:
Addressed by changes to the pagemap code.
617862-2 : Fastl4 handshake timeout is absolute instead of relative
Component: Local Traffic Manager
Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.
Conditions:
A TCP connection in three-way handshake.
Impact:
Connections are expired prematurely if they are still in three-way handshake.
Workaround:
Disable handshake timeout.
Impact of workaround: Your TCP handshake will not prematurely time out, and connections remain open until the Idle Timeout expires.
Fix:
The handshake timeout now expires based on idleness of the connection, taking into consideration any SYN retransmissions, etc., that might occur.
617858-2 : bigd core when using Tcl monitors
Component: Local Traffic Manager
Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.
Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).
Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.
Workaround:
None.
Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.
617824-3 : "SSL::disable/enable serverside" + oneconnect reuse is broken
Component: Local Traffic Manager
Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.
Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. Apply the iRule and OneConnect profile to the VS.
Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.
Workaround:
You can work around the problem by disabling oneConnect.
617733-1 : Error message: subscriber id response; Subscription not found
Component: TMOS
Symptoms:
BIG-IP restarts the icr_eventd process and generates a core file. You might see the following messages in the LTM log file:
-- err icr_eventd[4589]: 01a10003:3: Receive MCP msg failed: could not get subscriber id response, status: 0x1020046
-- err mcpd[4206]: 01070069:3: Subscription not found in mcpd for subscriber Id %icr_eventd.
Conditions:
Might be related to restarting a BIG-IP Virtual Edition installation.
Impact:
The icr_eventd process restarts, and the system produces a core file.
Workaround:
None.
617688 : Encryption is not activated unless "real-time encryption" is selected
Component: Fraud Protection Services
Symptoms:
Encryption is not activated as expected
Conditions:
Encryption enabled
Real-time encryption disabled
Impact:
Encryption error alert received in alert server
Workaround:
Enable "real-time encryption"
Fix:
Encryption on submit is now better supported.
617648 : Surfing with IE8 sometimes results with script error
Component: Fraud Protection Services
Symptoms:
Slow devices running Internet Explorer 8 can suffer performance issues on websafe protected sites.
Conditions:
Slow device running Internet Explorer 8.
Large number of configured or updated malware signatures.
Impact:
Clientside slowness.
In extreme cases, a popup asking the user whether to stop the script.
Workaround:
Reduce the number of malware signatures
Fix:
Compressed signatures.
617628-1 : SNMP reports incorrect value for sysBladeTempTemperature OID
Component: TMOS
Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.
# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
# tmsh show sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...
The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.
Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.
Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.
config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
1 1 0 19 49 Blade air outlet temperature 1
1 2 0 14 41 Blade air inlet temperature 1
1 3 0 21 57 Blade air outlet temperature 2
1 4 0 16 41 Blade air inlet temperature 2
1 5 0 25 60 Mezzanine air outlet temperatur
1 6 0 27 72 Mezzanine HSB temperature 1
1 7 0 17 63 Blade PECI-Bridge local tempera
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
1 9 0 25 68 Mezzanine BCM56846 proximity te
1 10 0 22 69 Mezzanine BCM5718 proximity tem
1 11 0 19 57 Mezzanine Nitrox3 proximity tem
1 12 0 16 46 Mezzanine SHT21 Temperature
617622 : In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
Component: TMOS
Symptoms:
In TMSH, when saving the AAM configuration, TMSH removes the value from the matching rule. This corrupts bigip.conf and causes the system configuration load to fail, with the following error in /var/log/ltm:
01070734:3: Configuration error: Policy "/Common/Drafts/<policy>", node "test_node", matching rule "path:Path": Must have a value.
Unexpected Error: Validating configuration process failed.
Conditions:
-- Use TM Shell to load the configuration.
-- An AAM configuration is loaded on the BIG-IP system and then saved.
Impact:
TMSH fails to load system configuration file.
Before the configuration save, the policy looks like this:
matching {
    path {
        values {
            / { }
        }
    }
}
After the save it is converted to:
matching {
    path { }
}
Workaround:
None.
Fix:
TMSH now saves AAM configuration without removing values from matching rules. Saving/loading system configuration succeeds.
617481-1 : TMM can crash when HTML minification is configured
Component: TMOS
Symptoms:
When AAM is provisioned and is used to cache dynamic pages, it can be configured to use HTML minification to improve performance and optimize memory utilization. In some cases, HTML minification may incorrectly process the HTML code and cause TMM to crash.
Conditions:
1) AAM is provisioned, and
2) an AAM policy is configured, and
3) the policy has HTML minification enabled, and
4) the policy is applied to a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disabling minification prevents TMM from crashing for this reason.
617310-2 : Edge client can fail to upgrade when Always Connected is selected★
Component: Access Policy Manager
Symptoms:
An attempt to upgrade from an earlier Edge client version to the current version fails when Always Connected is enabled.
Conditions:
Always Connected is selected in BIG-IP when upgrading the client.
Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.
Workaround:
Turn off Always Connected before upgrading.
Fix:
Edge client now succeeds during upgrade when Always Connected is selected.
617273-7 : Expat XML library vulnerability CVE-2016-5300
Solution Article: K70938105
617229-1 : Local policy rule descriptions disappear when policy is re-saved
Solution Article: K54245014
Component: TMOS
Symptoms:
Local policy rule descriptions disappear when policy is re-saved.
Conditions:
A rule with description exists, and the policy it's under is saved.
Impact:
An existing rule description disappears when the policy it's under is saved.
Workaround:
Use TMSH to modify the policy's properties.
Fix:
Local policy rule descriptions now remain visible when policy is re-saved.
617187-1 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
Component: Access Policy Manager
Symptoms:
If the APM server uses an untrusted SSL certificate, or it is accessed by IP address from CustomDialer, access is refused and there is no prompt to confirm the security warning.
Conditions:
APM has invalid certificate
User uses CustomDialer to access VPN
Impact:
VPN connection can't be established
Workaround:
Use a valid SSL certificate on APM, or add the particular invalid certificate to the trusted store on Windows.
Fix:
CustomDialer now warns the user about an invalid certificate and allows the user to proceed with it.
617124 : Cannot map hardware type (12) to HardwareType enumeration
Component: TMOS
Symptoms:
iControl-SOAP throws an error whenever a method call to SystemInfo::get_hardware_information() is made.
Conditions:
This is reproducible under all conditions.
Impact:
iControl-SOAP crashes when this call is made.
Workaround:
Do not call SystemInfo::get_hardware_information().
Fix:
Calling this method no longer leads to a crash.
617063-1 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
Component: Access Policy Manager
Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.
Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.
Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.
Fix:
If a captive portal is detected during reconnect, VPN resources are now closed before the captive portal authentication page is shown.
617014-3 : tmm core using PEM
Component: Policy Enforcement Manager
Symptoms:
tmm cores when using PEM with cloning of monitored traffic.
Conditions:
Using PEM with iRules and cloning traffic
Impact:
Traffic disrupted while tmm restarts.
Fix:
The problem with PEM and cloning traffic via iRule has been corrected.
617002-1 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Component: Access Policy Manager
Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.
Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.
Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.
Fix:
Response analytics is now handled correctly for these URLs, and resets are no longer sent to the client.
616918-1 : BMC version 2.50.3 for iSeries appliances
Component: TMOS
Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.50.3.
Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- PXE boot.
Impact:
This is a firmware upgrade.
Workaround:
None.
Fix:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
Behavior Change:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
616864-1 : BIND vulnerability CVE-2016-2776
Solution Article: K18829561
616838-3 : Citrix Remote desktop resource custom parameter name does not accept hyphen character
Component: Access Policy Manager
Symptoms:
Adding a custom parameter to a Citrix resource gives a parser error such as the following:
01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"
Conditions:
A Citrix resource has a custom parameter whose name contains a hyphen character.
Impact:
Custom parameter names cannot contain a hyphen character.
Workaround:
None.
Fix:
Custom parameter names containing a hyphen character are now accepted.
616242-3 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
Solution Article: K39944245
Component: TMOS
Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:
01070711:3: basic_string::compare
If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.
Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.
Impact:
Configuration fails to load on upgrade with an extremely unhelpful error message, and no indication of which file was being processed at the time (or that this relates to a filestore file).
Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
616215-4 : TMM can core when using LB::detach and TCP::notify commands in an iRule
Component: Local Traffic Manager
Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.
Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.
Fix:
TMM no longer cores in this instance.
616169 : ASM Policy Export returns HTML error file
Component: Application Security Manager
Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.
Conditions:
It is not known what triggers this condition.
Impact:
Unable to export ASM Policies.
Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.
Fix:
Permissions are now explicitly set on exported ASM Policies so that the GUI PHP process can successfully download them.
616104-2 : VMware View connections to pool hit matching BIG-IP virtuals
Component: Access Policy Manager
Symptoms:
When a VMware View resource is configured to use a pool as a destination, for all the connections to this pool, except the very first one, a matching virtual lookup is performed.
This doesn't align with the typical BIG-IP behavior on pool connections that should go directly to the chosen pool member and not hit matching virtual servers.
Conditions:
If a VMware View resource is configured to connect to a pool and there is a virtual server matching some or all the IP/port values of pool members, connections to those members will go through the matching virtual server, except for the very first one.
Impact:
If a matching virtual is not intended to pass the traffic through (e.g., a 'reject-all' virtual), those connections routed to this virtual server will fail.
Workaround:
None.
Fix:
All connections to VMware View pool members now go directly to the pool member without hitting matching BIG-IP virtual servers.
616059-1 : Modifying license.maxcores Not Allowed Error
Solution Article: K19545861
Component: TMOS
Symptoms:
Your sync-failover device group status says 'Sync Failed' and reports the following error in Device Management :: Overview: Sync error on <device name>: Load failed from /Common/BIG-IP1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.
Conditions:
-- Non-homogeneous Virtual Edition (VE) configured with different licenses in a device group, or with hardware-based BIG-IP systems.
-- License variable perf_VE_cores is different among licenses.
Impact:
The device group fails to sync.
Workaround:
If you are using VEs in a device group, ensure that their licenses are the same.
Fix:
The license variable perf_VE_cores no longer syncs, so there is no error message.
616022-2 : The BIG-IP monitor process fails to process timeout conditions
Solution Article: K46530223
Component: Local Traffic Manager
Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.
Conditions:
It is not known exactly what triggers this condition. It was encountered on an HTTPS monitor.
Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.
Workaround:
No known workaround.
Fix:
The monitor process no longer inadvertently skips processing monitor timeouts and correctly marks monitored objects down.
616008-3 : TMM core may be seen when using an HSL format script for HSL reporting in PEM
Solution Article: K23164003
Component: Policy Enforcement Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.
Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.
615970-1 : SSO logging level may cause failover
Component: Access Policy Manager
Symptoms:
SSO logging level may cause failover.
Conditions:
SSO logging level set to "Debug".
Impact:
TMM may crash. Core file may be generated.
Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".
Fix:
The SSO logging level of "Debug" no longer causes failover.
615934-1 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
615824-1 : REST API calls to invalid REST endpoint log level change
Component: iApp Technology
Symptoms:
In Big-IP 12.x versions before 12.1.2 invalid requests to a REST endpoint were being recorded in the FINE level logs, making it difficult to audit when an invalid request to a REST endpoint was coming in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users attempting to audit the log.
Conditions:
Any request made to an invalid REST endpoint will trigger a log message at the FINE level indicating that a request came in to an invalid REST endpoint.
Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.
Workaround:
Users can increase the log level of the REST Framework to FINE by making the following change to the file '/etc/restjavad.log.conf':
Before:
.level=FINE
After:
.level=INFO
Fix:
This message is included in the INFO log level on BIG-IP v12.1.2.
615432-1 : Multiple TFTP data transfers cannot be initiated in a single session
Component: Carrier-Grade NAT
Symptoms:
Multiple TFTP data transfers cannot be initiated in a single session.
Conditions:
Virtual server with TFTP profile is configured to handle TFTP traffic.
Impact:
Multiple TFTP data transfers cannot be initiated in a single session.
Workaround:
There is no workaround at this time.
Fix:
Multiple TFTP data transfers can now be initiated in a single session.
615388-1 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
Component: Local Traffic Manager
Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.
Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.
Fix:
Use of URI or Referrer normalization in L7 policies no longer results in memory corruption.
615377-3 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.
/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.
Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.
Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.
Workaround:
None known.
Fix:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.
Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.
Behavior Change:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.
Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.
615338-2 : The value returned by "matchregion" in an iRule is inconsistent in some cases.
Component: Global Traffic Manager (DNS)
Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.
Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.
Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.
Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".
Fix:
"Matchregion" returns the correct value under all conditions.
615269-1 : CVE-2016-2183: AFM SSH Proxy Vulnerability
Solution Article: K13167034
615267-2 : OpenSSL vulnerability CVE-2016-2183
Solution Article: K13167034
615254-2 : Network Access Launch Application item fails to launch in some cases
Component: Access Policy Manager
Symptoms:
If the access policy has multiple network access resources with application launch configured, applications launch only from the first network access resource.
Conditions:
Multiple Network access resources are configured with application launch.
Impact:
Applications launch only from the first network access resource. Applications do not launch for the other network access resources.
Workaround:
Launch applications manually after VPN is established.
Fix:
Applications from all network resources are now detected and launched correctly.
615226-5 : Libarchive vulnerabilities: CVE-2016-8687 and others
Solution Article: K13074505
615222-1 : GTM configuration fails to load when it has gslb pool with members containing more than one ":"★
Component: Global Traffic Manager (DNS)
Symptoms:
GTM Virtual Servers or GTM Servers containing a colon ":" in their name would throw errors when attempting to use them as a GTM Pool Member through TMSH. If created through TMUI, and a configuration was saved and loaded, the same error would be thrown.
Example error:
01070226:3: Pool Member 20002 references a nonexistent Virtual Server.
Conditions:
1. Create virtual server of format <IP>:<PORT>.
2. Attempt to add this virtual server as a GTM Pool Member
Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.
Workaround:
None.
Fix:
Fixed an issue in the parsing of GTM pool member names that prevented GTM virtual servers or GTM servers with a colon ":" in the name from being used as a GTM pool member.
615143-1 : VDI plugin-initiated connections may select inappropriate SNAT address
Component: Local Traffic Manager
Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.
Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.
Impact:
Return traffic from the destination may not be able to return to the BIG-IP system, breaking the VDI functionality.
Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.
Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.
615107-1 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).
Component: TMOS
Symptoms:
Issuing commands from the AOM/SCCP menu to the host does not work, or a password is required when using SSH from AOM/SCCP to the host.
Conditions:
Presence of /etc/ssh directory on host.
Impact:
AOM/SCCP unable to connect to host without password.
Workaround:
None.
Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).
614891-2 : Routing table doesn't get updated when EDGE client roams among wireless networks
Component: Access Policy Manager
Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.
Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.
Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.
614865-5 : Overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.
Component: TMOS
Symptoms:
The overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.
Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()
Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.
Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.
Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.
- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.
Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly and no longer produces errors.
614788-1 : zxfrd crash due to lack of disk space
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible that the zone transfer daemon (zxfrd) can crash if the /var disk partition fills up and zxfrd needs to increase the size of its database.
Conditions:
DNS Express configured
Full /var partition
Changes to the zone database require more space to be allocated for zxfrd.
Impact:
zxfrd may crash and restart. This process may repeat depending on the need for space on restart.
Workaround:
Free up space in the /var partition.
Fix:
zxfrd now correctly handles the out of space condition.
614766-1 : lsusb uses unknown ioctl and spams kernel logs
Component: TMOS
Symptoms:
The RHEL6 version of lsusb and the associated libusb1 libraries use an ioctl that is not properly supported by the kernel in the 32-bit syscall path.
Conditions:
RHEL6 version of lsusb and associated libusb1 libraries.
Impact:
Spamming of kernel logs.
Workaround:
None.
Fix:
kernel.el6.5: fix missing ia32 compat mapping for USBDEVFS_GET_CAPABILITIES.
614702-1 : Race condition when using SSL Orchestrator can cause TMM to core
Solution Article: K24172560
Component: Local Traffic Manager
Symptoms:
A race condition you encounter when you use the F5 Herculon SSL Orchestrator system can cause the Traffic Management Microkernel (TMM) to restart.
Conditions:
Running the F5 Herculon SSL Orchestrator system with large numbers of connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes the race condition so that TMM does not restart.
614563-3 : AVR TPS calculation is inaccurate
Component: Advanced Firewall Manager
Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.
Conditions:
DoS profile attached to the virtual server.
Impact:
An attack can be wrongly detected.
Workaround:
None.
Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.
614530-2 : Dynamic ECMP routes missing from Linux host
Component: TMOS
Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.
Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.
Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.
Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.
Fix:
ECMP routes are correctly added to the Linux host.
614509-1 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
Component: Local Traffic Manager
Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.
Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.
Fix:
'all' keyword with 'class match' now returns the correct results and TMM does not restart.
614486-1 : BGP community lower bytes of zero is not allowed to be set in route-map
Component: TMOS
Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.
Conditions:
Set the BGP community value to a value of the form ASN:0.
Impact:
If you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This can also affect upgrades from older versions to a version that does not support community values of the form ASN:0.
Workaround:
None
Fix:
BGP community can be set to values of the form ASN:0.
614441-4 : False Positive for illegal method (GET)
Solution Article: K04950182
Component: Application Security Manager
Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----
Conditions:
This was seen after upgrade and/or failover.
Impact:
-- False positives.
-- BD has the incorrect security configuration.
Workaround:
Run the following command: restart asm.
614322-1 : TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
Solution Article: K31063537
Component: Access Policy Manager
Symptoms:
TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway.
Conditions:
RDP client uses RDG-RPC protocol to connect via APM's RD Gateway implementation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Fixed TMM crash, which occurred during RDG-RPC protocol handling.
614296-1 : Dynamic routing process ripd may core
Component: TMOS
Symptoms:
As a result of a known issue, the dynamic routing protocol daemon ripd, used for the RIP protocol, may produce a core file when it is configured to use an interface that has multiple self IP addresses on different subnets on the same VLAN.
Conditions:
- Use the RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN
- Add one of the subnets with the network command within the "router RIP" stanza.
Impact:
ripd will core and the configuration will not be allowed.
Workaround:
Configure one subnet/self IP address per VLAN.
Fix:
ripd no longer cores when configured with multiple subnets on the same VLAN.
614284-2 : Performance fix to not reset a data structure in the packet receive hotpath.
Component: Advanced Firewall Manager
Symptoms:
No symptoms. This is a performance fix.
Conditions:
This will happen always in the packet receive hotpath.
Impact:
No impact. Without this fix, BIG-IP could have a 0.5% (hard to measure) performance impact.
Workaround:
No workaround.
Fix:
Made an optimization to the packet receive hotpath.
614180-1 : ASM is not available in LTM policy when ASM is licensed as the main active module
Component: TMOS
Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module
Conditions:
ASM is licensed as the main active module
Impact:
ASM is not available in LTM policy rule creation
Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.
Fix:
Fixed license data parsing so that the main module is also included in the license map used to determine whether a module is licensed or not.
614147-1 : SOCKS proxy defect resolution
Solution Article: K02692210
614097-1 : HTTP Explicit proxy defect resolution
Solution Article: K02692210
613765-3 : Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
Component: TMOS
Symptoms:
Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
Conditions:
When a virtual server with a destination address of 0.0.0.0:0 is in the list, sorting the list is slow because of extra name resolution performed.
Impact:
Degraded user experience waiting for the extra logic and misleading error in logs.
Workaround:
None.
Fix:
Creating 0.0.0.0:0 Virtual Server in TMUI no longer results in slow-loading virtual server page and name resolution errors.
613671-2 : Error in the console when a nonexistent parameter is configured with Encryption and Obfuscation
Component: Fraud Protection Services
Symptoms:
Incorrect handling of a nonexistent parameter configured with Encryption and Obfuscation.
Conditions:
A nonexistent parameter is configured with Encryption and Obfuscation.
Impact:
Error in the console.
Fix:
Nonexistent parameters are now ignored.
613613-2 : Incorrect handling of form that contains a tag with id=action
Component: Access Policy Manager
Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.
Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.
Impact:
The web application cannot work as expected.
Workaround:
This issue has no workaround at this time.
Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.
613576-1 : QOS load balancing links display as gray
Component: Global Traffic Manager (DNS)
Symptoms:
All links in all data centers appear gray. After this fix, links appear green and load balancing to the first available link in each pool is restored.
Conditions:
This bug only affects devices licensed after 9/1/2016 whose license contains the "gtm_lc: disabled" field.
Impact:
Any GTM/LC device licensed after 9/1/2016 that uses links in its configuration reports those links as gray.
Workaround:
Remove all links from the configuration, or install this hotfix.
613536-5 : tmm core while running the iRule STATS:: command
Component: TMOS
Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.
Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED
613459-1 : Non-common browsers blocked by Proactive Bot Defense
Component: Advanced Firewall Manager
Symptoms:
In rare cases, some non-common browsers may be blocked by the Proactive Bot Defense feature. The browser remains on a blank page because the request is never forwarded to the back-end server.
Conditions:
Proactive Bot Defense is enabled on the DoS profile.
Impact:
In rare cases, some non-common browsers may get blocked.
Workaround:
None
Fix:
Non-common browsers no longer get blocked when Proactive Bot Defense is enabled.
613429-2 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
Component: Local Traffic Manager
Symptoms:
Assigning a wide IP with wildcard characters in its name to a BIG-IP DNS distributed application may not work properly when done via tmsh, and such configurations created via the GUI result in configuration files that fail to load.
Conditions:
A wide IP with a wildcard character in its name.
Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.
Workaround:
None.
Fix:
Fixed an issue that prevented wide IPs with a wildcard character in their name from being assigned to BIG-IP DNS distributed apps.
613415-2 : Memory leak in ospfd when distribute-list is used
Component: TMOS
Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to the daemon being terminated by the oom-killer.
Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.
Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.
Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.
Fix:
ospfd no longer leaks memory when a distribute-list is configured.
613396-1 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
Component: Application Security Manager
Symptoms:
Exported Policy in XML format cannot be imported.
Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.
Impact:
Exported XML policies cannot be imported back into the system without manual manipulation
Workaround:
If such a policy has already been exported only manual manipulation would allow it to be imported again.
Fix:
Policy export now correctly creates valid XML Policies for configurations with metachar overrides configured on Websocket URLs.
613373-2 : Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page
Component: Access Policy Manager
Symptoms:
When accessing the SAML Authentication Context UI page with application editor user role, the following error will be displayed:
Read Access Denied: user (username) type (SAML authentication context classes list)
Conditions:
User attempting to view the page belongs to application editor group/role
Impact:
SAML Authentication Context UI page will not display existing objects
Workaround:
Access the page as a user with the Administrator role; the SAML Authentication Context UI page still shows existing objects for that role.
Fix:
With the fix, no errors will be shown to users with Application Editor role when accessing SAML Authentication Context UI page
613369-4 : Half-Open TCP Connections Not Discoverable
Component: Local Traffic Manager
Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.
Conditions:
A TCP connection in half-open state.
Impact:
Half-open TCP connections are not discoverable
Fix:
Properly acknowledge half-open TCP connections.
613326-1 : SASP monitor improvements
Component: Local Traffic Manager
Symptoms:
A SASP monitor created in versions earlier than 13.0.0 might exhibit problems in certain situations, such as:
-- Attempting to connect multiple times with GWM pairs.
-- Dropping and reconnecting frequently with GWM pairs.
-- Problematic behavior with mixed Push/Pull workgroups on the same GWM.
-- Overly-chatty use of the SASP protocol when establishing/reestablishing connections.
-- Marking pool members down during GWM switch-over.
-- Inability to handle many hundreds of workgroups/workloads.
Conditions:
Using versions of the SASP monitor created in versions earlier than 13.0.0.
Impact:
Might cause flapping pool members or unstable pools.
Workaround:
None.
Fix:
A significantly improved SASP monitor has been developed in version 13.0.0. It properly handles the SASP protocol, GWM pairs, and connection semantics. In addition, it has the ability to briefly delay node down on GWM switchover, resulting in no interrupted traffic in most cases, and has vastly improved scalability.
When run in push mode (now the default), it is more efficient with the SASP protocol, only asking for changes from GWM, and pinging GWM infrequently if no traffic has been received.
The improved monitor uses Pool name rather than Monitor name as the Workload name. This allows a single Monitor definition to be shared among many Pools, where previously a single unique Monitor was required for each SASP Pool.
613297-3 : Default generic message routing profile settings may core
Component: Service Provider
Symptoms:
If a virtual is created using the default generic message profile, the first packet received will produce an infinite number of messages and overflow the internal buffers.
Conditions:
The default generic message profile has the internal parser enabled but a zero byte message separator pattern. This causes the parser when receiving traffic to create an infinite number of empty packets and overflow the system.
Impact:
The infinite number of messages causes an internal panic that produces a core. Traffic disrupted while tmm restarts.
Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.
Fix:
In this release, the system automatically disables the internal parser if no separator is provided, so if a virtual is created using the default generic message profile, the first packet received no longer produces an infinite number of messages and overflows the internal buffers.
613282-2 : NodeJS vulnerability CVE-2016-2086
Solution Article: K15311661
613275-2 : SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
Solution Article: K62581339
Component: TMOS
Symptoms:
The values returned during an SNMP get/MIB walk are incorrect for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
The values should match what 'tmsh list net interface media-max' and 'tmsh list net interface media-active' display, respectively; the tmsh values are correct.
Conditions:
-- Performing an SNMP get or MIB walk.
-- Viewing values for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
Impact:
The system reports inaccurate information for these objects.
Workaround:
To get the correct results, use the following commands:
tmsh list net interface media-max
tmsh list net interface media-active
Fix:
SNMP get/MIB walk now return correct information for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
613225-7 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
613127-3 : Linux TCP Stack vulnerability CVE-2016-5696
Solution Article: K46514822
613088-3 : pkcs11d thread has session initialization problem.
Component: Local Traffic Manager
Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.
Conditions:
This occurs when SafeNet is configured with VIPRION chassis
Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.
Workaround:
None.
Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.
613079-4 : Diameter monitor watchdog timeout fires after only 3 seconds
Component: Local Traffic Manager
Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.
Conditions:
A Diameter monitor must be configured.
Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.
Workaround:
None.
Fix:
Removed the 3-second Diameter monitor watchdog timeout so that interval and timeout can be used like other external monitors.
613065-1 : User can't generate netHSM key with Safenet 6.2 client using GUI
Component: Local Traffic Manager
Symptoms:
With the SafeNet 6.2 client, creating a key from the GUI may hang and time out; the GUI eventually quits with an error message.
Conditions:
The SafeNet 6.2 client is installed and a netHSM key is created from the GUI.
Impact:
netHSM key creation fails and the GUI hangs.
Workaround:
Use the corresponding tmsh command to create the key.
Fix:
The netHSM key wait time has been increased, and a netHSM key can now be created from the GUI.
613045-7 : Interaction between GTM and 10.x LTM results in some virtual servers marked down
Component: Global Traffic Manager (DNS)
Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.
Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.
Impact:
On the GTM side, that LTM virtual server will never get marked up.
Workaround:
None.
Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.
612952-1 : PSU FW revision not displayed correctly
Component: TMOS
Symptoms:
When EUD displays the PSU FW revision, it is truncated from 16 bytes to 14 bytes.
Conditions:
This occurs when using a Murata REV02 M1845 PSU with AOM FW less than 2.7.14
Impact:
Incomplete PSU FW rev.
Workaround:
Infer the last 2 characters of the PSU FW rev from the 14 that are displayed and the HW revision of the PSU.
612874-1 : iRule with FLOW_INIT stage execution can cause TMM restart
Component: Advanced Firewall Manager
Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.
Conditions:
iRule that has FLOW_INIT stage action in it.
The FLOW_INIT stage iRule could be executed either because it was attached to a Virtual Server or configured on an AFM ACL Rule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use an iRule with a FLOW_INIT action. iRules in other events do not cause this problem.
Fix:
Memory allocation and release during iRule FLOW_INIT execution was handled incorrectly in a specific scenario; this has been corrected.
612809-1 : Bootup script fails to run on a vCMP guest due to a missing reference file.
Component: TMOS
Symptoms:
Script /etc/sysconfig/sysinit/10virtual-platform.sysinit fails to run, and sod spams the log.
Conditions:
Startup of a vCMP guest.
Impact:
vCMP guests show dbg_echo-related errors in /var/log/boot.log.
Workaround:
Disable the sys db variable "failover.usetty01" and restart sod.
If you cannot restart sod at the moment, apply a log filter with no publisher that matches message-id 012a0003:
sys log-config filter no-serial-failover-logs {
    message-id 012a0003
}
Fix:
This release adds a separate sysinit file for vCMP instead of using sysinit-virtual-platform.
612769-1 : Hard to use search capabilities on the Pool Members Manage page.
Solution Article: K33842313
Component: Global Traffic Manager (DNS)
Symptoms:
With hundreds of potential pool members the GUI does not make it easy to search for them. The search list only supports searches that match the beginning of the pool member's name.
Conditions:
This difficulty exists when there are more than a few potential pool members.
Impact:
Frustrating BIG-IP system administrator experience.
Workaround:
A workaround is to perform the needed virtual server/member addition to the pool via TMOS/CLI using a command similar to the following:
$ tmsh modify gtm pool <record> <pool> members add { <member> }
Tip: You can take advantage of auto-completing the member's name by pressing the <tab> key, which saves typing the entire name.
Fix:
The system now provides better search capabilities on the Pool Members Manage page.
612752-1 : UCS load or upgrade may fail under certain conditions.★
Component: TMOS
Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.
Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.
Impact:
UCS load or upgrade will fail.
Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.
Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.
These settings may be safely reinstated after the upgrade is complete.
612721-4 : FIPS: .exp keys cannot be imported when the local source directory contains .key file
Component: TMOS
Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.
Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).
Impact:
Unable to import the FIPS key
Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.
612694-5 : TCP::close with no pool member results in zombie flows
Component: Local Traffic Manager
Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.
Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).
Impact:
Connection does not tear itself down.
Workaround:
Only invoke TCP::close while the pool still has active members. When the pool has no members, skip TCP::close and rely on the failed pool selection to RST the connection rather than performing a clean TCP close.
Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.
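The workaround above, as an added iRule illustration that is not F5's own code and is not part of this release note: TCP::close is invoked only in the branch where the pool still has active members; when the pool has no members the iRule sends its message with TCP::respond, skips TCP::close and lets the failed pool selection reset the flow. The pool name example_pool, the response strings and the 192.0.2.0/24 client range are assumptions made for the example.

```tcl
# Added example (not F5's code). Pool name, messages and the client
# network are assumed values for illustration only.
when CLIENT_ACCEPTED {
    if { [active_members example_pool] == 0 } {
        # No pool member is available. Tell the client, but do NOT call
        # TCP::close here: with no pool member the close leaves a zombie
        # flow (ID 612694). The failed pool selection resets the flow.
        TCP::respond "503 no backend available\r\n"
        log local0. "example_pool has no active members; skipping TCP::close"
        return
    }

    # At least one pool member is up, so a clean TCP::close is safe in
    # this branch, e.g. to reject clients from a disallowed network
    # after sending a short reason string.
    if { [IP::addr [IP::client_addr] equals 192.0.2.0/24] } {
        TCP::respond "421 connections from your network are not accepted\r\n"
        TCP::close
    }
}
```

The guard is the whole point: the same TCP::respond followed by TCP::close is harmless while a member exists and produces the zombie flow reported by 'tmsh show sys conn all-properties' only when the pool is empty, so the close is gated on active_members rather than removed altogether.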
612564 : mysql does not start
Component: TMOS
Symptoms:
ASM storage initialization does not happen.
Conditions:
BIG-IP iSeries platforms; this occurs after new software install.
Impact:
Application is non-functional.
Workaround:
Remove the sentinel file /appdata/mprov/local/HD1.4/mysqldb/.moved.to.asmdbvol and reboot.
612419-1 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
Component: Access Policy Manager
Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.
Conditions:
Network access; full webtop, multiple Network Access resources.
Impact:
Memory usage increases over time.
Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.
Fix:
Fixed a memory leak related to network access.
612229-1 : TMM may crash if an LTM policy disable action for 'LTM Policy' is not last
Component: Local Traffic Manager
Symptoms:
TMM may crash while processing an LTM policy.
Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- A policy action of disable 'LTM Policy' is not the last one in the list of actions.
Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.
Workaround:
Ensure any LTM policy disable action is the last in the list of actions.
Fix:
TMM no longer crashes if an LTM policy disable action for 'LTM Policy' is not last in the rule's list of actions.
612135-3 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
Component: Service Provider
Symptoms:
A virtual server configured with a generic message profile but without a message routing profile causes tmm to core when the virtual receives a packet.
Conditions:
Configuring a virtual server with generic message profile without message routing profile.
Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.
Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.
Fix:
Validation has been improved to fail unless both a generic message profile and a message routing profile are used.
612040-4 : Statistics added for all crypto queues
Component: Local Traffic Manager
Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.
Conditions:
Crypto requests issued but not actively queued in the crypto hardware.
Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.
Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.
611968-3 : JavaScript active content on an HTML page with a large number of links (>1000) can run very slowly in IE8
Component: Access Policy Manager
Symptoms:
JavaScript active content on an HTML page with a large number of links (>1000) can run very slowly when the page is browsed with IE8.
Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers presence.
Impact:
Web application performance slowdown.
Workaround:
None
Fix:
Fixed.
611922-1 : Policy sync fails with policy that includes custom CA Bundle.
Component: Access Policy Manager
Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.
Conditions:
- Add a custom certificate bundle
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.
Impact:
Policy sync fails.
Workaround:
1. Use a built-in certificate bundle on the source device and sync the policy.
2. Import the custom certificate bundle to all devices.
3. Replace the built-in certificate bundle with the custom one in the policy.
Fix:
Policy sync now succeeds when the policy includes a custom certificate bundle.
611704-5 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
Component: Local Traffic Manager
Symptoms:
A tmm crash was discovered during internal testing.
Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT
611691-5 : Packet payload ignored when DSS option contains DATA_FIN
Component: Local Traffic Manager
Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.
Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.
Impact:
The last packet of data is not received.
Workaround:
Disable MPTCP.
Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.
611669-4 : Mac Edge Client customization is not applied on macOS 10.12 Sierra
Component: Access Policy Manager
Symptoms:
Mac Edge Client's Icon, application name, company name, amongst other things can be customized on BIG-IP before deploying on end user's machine. But on Mac Edge Client on macOS 10.12 Sierra this customization is not applied.
Conditions:
macOS Sierra 10.12, Edge client, customization
Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. There is no functional impact; the user simply sees the default, uncustomized application.
Workaround:
Run the command for your language in Terminal, then relaunch the Edge Client:
For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"
For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"
For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"
For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"
For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"
For Chinese (Traditional):
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"
For Chinese (Simplified):
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"
Fix:
Edge client honors customization on macOS Sierra 10.12 now.
611658-3 : "less" utility logs an error for remotely authenticated users using the tmsh shell
Component: TMOS
Symptoms:
When 'less' is run, it logs the error: Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"
Conditions:
An admin user is configured with the tmsh shell.
Impact:
The admin user cannot use the less command from the shell.
Workaround:
Configure the admin user to use the bash shell.
611512-1 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
Component: TMOS
Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.
Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
- Pool name in BIG-IP is same as the autoscaling group name in AWS attached with it.
Impact:
- Pool member autoscaling doesn't occur correctly without user intervention.
Workaround:
When configuring pool member auto-scaling in AWS, you must choose a different name for the pool compared to the autoscaling group name attached with it.
Fix:
Choose different names for the pool in BIG-IP and the autoscaling group in AWS so that pool member autoscaling in BIG-IP is configured correctly.
611487-3 : vCMP: VLAN failsafe does not trigger on guest
Component: TMOS
Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.
Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, and one or more vCMP guests enabled that use that VLAN.
Impact:
Since the heartbeat messages going over IPv6 link-local addresses continue to be successfully passed from host to guest, VLAN failsafe does not trigger if a downstream router or switch goes down that's connected to the VLAN.
Workaround:
If you are able to, disabling IPv6 on the host will allow VLAN failsafe to work as expected.
611469-3 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
Solution Article: K95444512
611467-3 : TMM coredump at dhcpv4_server_set_flow_key().
Component: Policy Enforcement Manager
Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().
Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A client that uses broadcast for DHCP renewal indicates that it did not receive an ACK from the DHCP server when it used unicast to talk to the server directly. The most likely reason is that the server's routing table is not configured to send DHCP ACK packets back to the client.
You can work around this problem by configuring the DHCP server's routing table so that it knows how to send the DHCP ACK to the client.
611385-1 : "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
Component: Application Security Manager
Symptoms:
Under some scenarios, setting "Learn Explicit Entities" to 'Never' has no effect; it continues to work as if it is 'Add All Entities'
Conditions:
Steps to Reproduce:
1) Create a default policy, set "Learn New HTTP URLs" to "Add All Entities".
2) Create a non-pure wildcard URL "/in*".
3) Send the following request:
GET /index.html HTTP/1.1\r\n
Host: <Host URL>\r\n
\r\n
4) There will be no suggestion to add /index.html URL since learning mode on "/in*" wildcard is "Never" by default.
5) Set "Learn Explicit Entities" to "Add All Entities" on "/in*" wildcard.
6) Send the same traffic again; there will be suggestion to add /index.html URL (which is still correct).
7) Delete all suggestions.
8) Set "Learn Explicit Entities" to "Never" on "/in*" wildcard.
9) Send the same traffic again.
Impact:
There is suggestion to add /index.html URL when there should be no such suggestion since the wildcard is in 'Never' mode now.
Workaround:
Go to "Learning and Blocking Settings", set "Learn New HTTP URLs" to "Never" and click "Save", then set it back to "Add All Entities" and click "Save" again.
Fix:
"Learn Explicit Entities" to 'Never' now works as expected.
611352 : Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
Solution Article: K68092141
Component: TMOS
Symptoms:
In /var/log/sel you see these errors:
0082 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: corerrsts: replay_num_rollover_status
0083 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: rperrsts: correctable_error_received
Conditions:
This can be seen on BIG-IP iSeries platforms.
Impact:
This error message is benign and can be safely ignored.
Workaround:
N/A
Fix:
Benign message "replay num rollover error condition correctable errors" counter is no longer seen.
611320-3 : Mirrored connection on Active unit of HA pair may be unexpectedly torn down
Component: Local Traffic Manager
Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.
Conditions:
The mirrored connection on the Standby unit times out due to a state mismatch with the connection on the Active unit.
Impact:
Traffic loss.
Workaround:
Disable mirroring.
Fix:
The system no longer mirrors connflow expiration from Standby to Active. This is correct behavior.
611240-3 : Import of config with securid might fail
Component: Access Policy Manager
Symptoms:
Import of the profile used for securid auth might fail if the profile has already been used for auth purposes at the moment of export.
Conditions:
This occurs when the following conditions are met:
-- Profile configured for SecurID authentication with a SecurID server attached.
-- Profile has been used for authentication at least once.
-- Full import (no reuse), or reuse import when a SecurID server of the same name is not present.
Impact:
Unable to import certain configurations.
Workaround:
1. In VPE, open securid auth item and set server to none before export.
2. Export profile.
3. Import profile.
4. Re-create the aaa securid server.
5. In VPE, open the securid auth item and set server to one from step #4.
Or
1. Export profile.
2. Create an aaa SecurID server under the same name.
3. Import profile with reuse.
It is also possible to remove the securid entry from the SecurID server configuration files in .conf.tar.gz, which also works.
Fix:
It is now possible to export and then import a profile that uses SecurID in any state.
611161-3 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
Solution Article: K28540353
Component: Local Traffic Manager
Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs, and the generated arp requests are not being answered, VLAN failsafe resorts to ICMP.
Impact:
There are very rare situations in which failsafe triggers but it should have not.
Workaround:
None.
Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.
611154-1 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
An iRule (or other non-ASM module) adds or deletes server response headers, especially the Set-Cookie header.
Impact:
Failover, traffic disrupted while TMM restarts.
Workaround:
No workaround at this time.
Fix:
Added checking for bad dictionary on the response side.
611151-2 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
Component: Application Security Manager
Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.
Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile with a sensitive parameter that contains an upper-case character
Impact:
no data masking for a JSON sensitive parameter
Workaround:
N/A
Fix:
We've made sure that JSON parameters are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.
610897-2 : FPS-generated request failure throws "unspecified error" in old IE.
Component: Fraud Protection Services
Symptoms:
If an FPS-generated request is sent and fails in an old version of IE, the browser throws an "unspecified error".
Conditions:
An FPS-generated request is sent and fails in an old version of IE.
Impact:
The browser shows an error message in the bottom-left corner.
Workaround:
N/A
Fix:
N/A
610857-1 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
Component: Advanced Firewall Manager
Symptoms:
When a Selenium WebDriver client is detected driving a Chrome or Firefox browser, it is not blocked because the PBD (Suspicious Browsers) mechanism assigns it a low score.
Conditions:
This occurs when ASM is provisioned with Proactive Bot Defense enabled.
Impact:
A bot running a Selenium Chrome or Firefox WebDriver is not mitigated by the DoSL7 PBD mechanism.
Workaround:
N/A
Fix:
Adjusted scoring for selenium detection to trigger CAPTCHA upon an attempt to access a website without TSPD101 cookie (usually occurs upon accessing a website's first page)
610830-1 : Fingerprint JavaScript runs slowly and degrades the browsing experience when accessing a web application's first page.
Component: Advanced Firewall Manager
Symptoms:
When an end user accesses a website's first page, there is noticeable latency before the page content arrives.
Conditions:
This occurs when ASM is provisioned and the virtual server has either a DoS application profile with Device ID mitigation configured, or an ASM policy with web scraping and fingerprint detection enabled.
Impact:
Poor user experience when accessing the website's first page.
Workaround:
tmsh modify sys db dosl7.fp_fonts_enabled disabled
Fix:
The JavaScript bottleneck is font collection; to improve performance, the number of fonts probed was reduced from 300 to 50. To eliminate font collection entirely, a new sys db variable has been added (tmsh list sys db dosl7.fp_fonts_enable). Note that disabling font collection reduces the entropy of the fingerprint.
610710-2 : Pass IP TOS bits from incoming connection to outgoing connection
Component: Service Provider
Symptoms:
ToS is set to 0 when going through a SIP profile.
Conditions:
This occurs when a SIP profile is in use and ToS is set.
Impact:
The TOS bits of outgoing packets are set from the profile and are not affected by the TOS bits of the incoming packet.
Workaround:
None.
Fix:
The profile can now be configured so that outgoing packets preserve the TOS bits of the incoming packet.
Behavior Change:
This change alters existing behavior only if the transport protocol profile (TCP, UDP or SCTP) has the ip-tos-to-client attribute set to pass-through. If configured as pass-through, the TOS bits of the incoming packet containing a message are used on the outgoing packets containing that message. Without this change, the TOS bits of the outgoing packet were undefined in this configuration.
610609-3 : Total connections in bigtop, SNMP are incorrect
Component: Local Traffic Manager
Symptoms:
When looking at total connections for the active BIG-IP system using bigtop or SNMP, the connection count is reported too high. For example, a single connection through the BIG-IP system is reported as 2 connections. Meanwhile, the standby device with mirroring configured shows the correct number of connections.
Conditions:
This occurs on PVA-enabled hardware platforms.
Impact:
The total connection count statistic is incorrect.
610582-2 : Device Guard prevents Edge Client connections
Component: Access Policy Manager
Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.
Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.
Impact:
Clients are unable to establish a VPN connection.
Workaround:
As a workaround, have the affected Edge Client users disable Device Guard. Note that Device Guard is a code-integrity control, so disabling it weakens the endpoint; treat this as a temporary measure until a release containing the fix is installed.
Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.
Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.
610442-2 : vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
Solution Article: K75051412
Component: TMOS
Symptoms:
On a vCMP guest, if a user attempts to install using the block-device-image argument (e.g., install sys software block-device-image <some.iso>) and the .iso file has incorrect file permissions (e.g., after chmod 600 <some.iso>), the lind process on the guest enters a restart loop and the system posts the following error:
lind[23565]: 013c0004:3: Fatal error: vcmp_media_insert failed
Conditions:
-- vCMP guest.
-- Run a command similar to the following:
install sys software block-device-image <some.iso>.
-- <some.iso> has bad permissions, e.g., -r--------.
Impact:
On the guest, lind restarts continuously, logging its restart to /var/log/ltm each time and posting the vcmp_media_insert failed error message.
Workaround:
Use either of the following workarounds:
-- Avoid installing block-device-images known to have bad permissions.
-- From the host, attempt to repair the file with bad permissions, copy the repaired file to /shared/images/, and try the install again. To do so, follow this procedure, running these commands from the host:
1. To repair the file, run the following command:
chmod 644 <some.iso>
2. To copy the file, run the following command:
scp <some.iso> mysystem:/shared/images/
3. To install the guest, run the following commands:
bigstart restart lind
tmsh install sys software block-device-image <some.iso>
Fix:
Instead of throwing a runtime error, lind will log an error to /var/log/ltm and return.
610441-3 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
Component: TMOS
Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
Conditions:
This occurs when adding a new member to an existing pool using iControl REST.
Impact:
Unable to tell if the request has succeeded or failed via iControl REST.
Workaround:
Add the following to partitionInfo in icrd.conf.
{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}
610429-5 : X509::cert_fields iRule command may leak memory with subpubkey argument
Component: Local Traffic Manager
Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.
Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.
Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            # 'subpubkey' is followed by another argument ('hash'): this ordering leaks memory
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}
Impact:
Memory will leak, eventually impacting the operation of tmm.
Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields.
610417-1 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
Solution Article: K54511423
Component: TMOS
Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol instead of negotiating the highest secure protocol available, which is TLSv1.2.
If the peer device is configured to use only TLSv1.1 or TLSv1.2, device trust cannot be established.
Conditions:
This exists when configuring devices in a device cluster.
Impact:
Unable to configure stronger ciphers for device trust.
If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.
Workaround:
None.
Fix:
The advertised client cipher list is reduced to the ciphers approved by the Common Criteria compliance standard.
The initial OpenSSL call now uses the method that negotiates the highest available TLS protocol version (1.2).
610354-1 : TMM crash on invalid memory access to loopback interface stats object
Component: TMOS
Symptoms:
TMM can crash with a segmentation fault when it drops packets on its internal loopback interface. TMM must update the interface statistics associated with the loopback interface when dropping packets on that interface, but the stats object for the loopback interface has not yet been allocated, which results in the segmentation fault.
Conditions:
TMM drops packets on its internal loopback interfaces.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
610352-1 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:
ERROR: S.5...... /etc/sysconfig/modules/unic.modules
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /etc/sysconfig/modules/unic.modules that was causing sys-icheck to report errors.
610350-1 : sys-icheck reports error with /config/bigpipe/defaults.scf
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:
ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /config/bigpipe/defaults.scf that was causing sys-icheck to report errors.
610307 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
Component: TMOS
Symptoms:
This error message may be generated once or twice at shutdown:
01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.
Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.
Impact:
None. This can be ignored.
Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.
Fix:
This error message could have been generated once or twice at shutdown:
01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.
It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.
610302-1 : Link throughput graphs might be incorrect.
Component: Local Traffic Manager
Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.
Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.
For example, there are two links defined and named "mylink" and "mylink2".
Impact:
The graphs for all links whose names contain the prefix might show the throughput for the link whose name matches the prefix.
For example, the throughput graphs for both "mylink" and "mylink2" might show the throughput data for "mylink".
Because of this issue, the historical link throughput data, which is used to generate the throughput graphs, is gathered and stored incorrectly.
Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.
Fix:
Link throughput graphs now collect and show the throughput for the proper link when one link name is a prefix of one or more other links. Note that historical information gathered before the fix will not be corrected.
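An added example (not BIG-IP code) of the lookup defect described above, written in Python with constructed throughput series: a prefix match returns the wrong link's data for "mylink2", while an exact-name match does not. prefix_collisions() is a configuration check for the workaround, reporting every pair of configured link names where one is a prefix of another.

```python
"""Exact-name versus prefix lookup when retrieving per-link throughput series.

Added example, not BIG-IP code. The series are constructed; the prefix lookup
reproduces the symptom in 610302-1 (a query for "mylink2" returning the data
recorded for "mylink"), and prefix_collisions() finds configurations that the
workaround says to avoid.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Series = List[int]

# Constructed throughput samples (bits per second) keyed by link name.
LINK_SERIES: Dict[str, Series] = {
    "mylink": [100, 120, 90],
    "mylink2": [250, 300, 275],
    "backup": [10, 12, 11],
}


def series_by_prefix(link_name: str, store: Dict[str, Series]) -> Optional[Series]:
    """Defective lookup: the first stored link whose name is a prefix of the
    requested name wins, so "mylink2" resolves to the data stored for "mylink"."""
    for stored_name, series in store.items():
        if link_name.startswith(stored_name):
            return series
    return None


def series_exact(link_name: str, store: Dict[str, Series]) -> Optional[Series]:
    """Corrected lookup: only an exact name match returns data."""
    return store.get(link_name)


def prefix_collisions(link_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs (shorter, longer) where one link name is a proper prefix of another.
    Run this against the configured link names on systems without the fix."""
    names = sorted(set(link_names))
    return [
        (short, long)
        for short in names
        for long in names
        if short != long and long.startswith(short)
    ]


if __name__ == "__main__":
    print("prefix lookup for mylink2:", series_by_prefix("mylink2", LINK_SERIES))
    print("exact lookup for mylink2: ", series_exact("mylink2", LINK_SERIES))
    print("colliding names:", prefix_collisions(LINK_SERIES))
```

Any non-empty result from prefix_collisions() on a pre-fix system means the affected graphs cannot be trusted; as noted above, data gathered before the fix is not corrected retroactively.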
610295-1 : TMM may crash due to internal backplane inconsistency after reprovisioning
Solution Article: K32305923
Component: TMOS
Symptoms:
In some scenarios on BIG-IP Virtual Edition (VE) platforms, TMM may crash due to backplane inconsistency shortly after a provisioning change.
Conditions:
- BIG-IP VE with performance-limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.
Impact:
TMM may core with panic and post the following message in /var/log/tmm log: 'Unexpected backplane address'. Traffic disrupted while tmm restarts.
Workaround:
Reboot after provisioning if new license add-on keys raise the performance limits of the BIG-IP system.
Fix:
TMM no longer crashes after provisioning when new license add-on keys raise the performance limits of the BIG-IP system.
610273-3 : Not possible to do targeted failover with HA Group configured
Component: TMOS
Symptoms:
With a traffic group configured to use HA Group, it is not possible to disable the HA Group to perform a targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."
Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.
Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.
Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.
610255-1 : CMI improvement
Solution Article: K62279530
610224-3 : APM client may fetch expired certificate when a valid and an expired certificate co-exist
Component: Access Policy Manager
Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.
Conditions:
A valid and an expired certificate co-exist in the certificate store.
Impact:
Machine Certificate check fails.
Workaround:
Remove the expired certificate from the store.
Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.
610180-2 : Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is used as a SAML SP and SLO is not properly configured on the associated saml-idp-connector objects, an IdP-initiated SAML SLO may result in a memory leak in the SSO plugin.
Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO
Impact:
The SSO plugin leaks memory.
Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.
Fix:
The SSO plugin no longer leaks memory, even when SLO is misconfigured.
610129-3 : Config load failure when cluster management IP is not defined, but instead uses address-list.
Solution Article: K43320840
Component: Advanced Firewall Manager
Symptoms:
In a cluster setup with multiple blades, if the configuration does not assign management IP addresses to individual blades but instead assigns a cluster management IP address list to the cluster of blades, the configuration load fails. The system posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.
Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.
Impact:
After reboot, configuration load failure on secondary blades.
Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.
Fix:
Config load failure no longer occurs when cluster management IP is not defined, but instead uses address-list.
610122-1 : Hotfix installation fails: can't create /service/snmpd/run★
Component: TMOS
Symptoms:
Hotfix installation fails with RPM transaction errors.
The system posts several errors similar to the following in /var/log/liveinstall.log: info: RPM: can't create /service/snmpd/run at usr/share/perl5/vendor_perl/daemon.pm line 99.
Conditions:
12.x hotfix installation from 11.6.0 on top of a 12.x base image that was previously booted.
Impact:
It is not possible to perform a hotfix installation to a 12.x volume from 11.6.0 after the 12.x volume has been booted.
Workaround:
- Install the hotfix directly to a new volume that has not been booted before, using a command similar to the following:
tmsh install sys software hotfix 12.1.0-hf1 create-volume volume HD1.4
609967-2 : qkview missing some HugePage memory data
Solution Article: K55424912
Component: TMOS
Symptoms:
Some HugePage status data is missing from qkview, if the contents of /proc/meminfo does not list a units column for the Huge Page data.
Conditions:
/proc/meminfo file does not list units for HugePage data.
Impact:
HugePage data is missing from qkview diagnostics file.
Workaround:
Provide the /proc/meminfo file separately.
Fix:
HugePage status data is now collected as expected.
609788 : PCP may pick an endpoint outside the deterministic mapping
Component: Carrier-Grade NAT
Symptoms:
When PCP is picking an endpoint for a LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.
Conditions:
PCP is configured and enabled with an lsn-pool in deterministic mode.
Impact:
Deterministic mapping restriction may be violated causing reverse mapping of public IP address to private IP address to not identify the correct subscriber.
Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.
Fix:
PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.
609691-1 : GnuPG vulnerability CVE-2014-4617
Solution Article: K21284031
609677-1 : Dossier warning 14
Component: TMOS
Symptoms:
After each boot, the /var/log/ltm log file contains messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.
Conditions:
This occurs upon reboot after licensing and management port configuration is complete on i5000/i7000/i10000-Series platforms.
Impact:
There is no functional impact. This is a benign message that can be safely ignored.
Workaround:
None.
Fix:
The /var/log/ltm log file no longer contains benign messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.
609628-2 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
Component: Local Traffic Manager
Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.
Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.
Impact:
iRule commands inside CLIENTSSL_SERVERHELLO_SEND are executed only for full handshakes, not for abbreviated handshakes. Therefore, any logic that must run for every SSL connection should not be placed in the CLIENTSSL_SERVERHELLO_SEND event, because it is not reliably raised for all handshake types.
Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.
609614-3 : Yafuflash 4.25 for iSeries appliances
Component: TMOS
Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to Yafuflash 4.25.
Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Yafuflash.
Impact:
This is a firmware upgrade.
Workaround:
None.
Fix:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
Behavior Change:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
609575-5 : BIG-IP drops ACKs containing no max-forwards header
Component: Service Provider
Symptoms:
When a SIP profile is in use and receives an ACK that is missing the Max-Forwards header, the BIG-IP system treats the packet as unforwardable and does not forward the ACK. This can manifest as a specific client being unable to make a call.
Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.
Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".
609499-1 : Compiled signature collections use more memory than prior versions
Component: Application Security Manager
Symptoms:
Compiled signature collections use more memory than prior versions.
Conditions:
Different signature sets are used for different policies.
Impact:
BD memory usage for compiled signature collections is increased.
Fix:
Compiled signature collections memory usage was consolidated and reduced.
609496-2 : Improved diagnostics in BD config update (bd_agent) added
Component: Application Security Manager
Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.
Conditions:
Further troubleshooting of BD config update transmission is needed.
Impact:
No diagnostics are available.
Workaround:
None.
Fix:
Improved diagnostics in BD config update (bd_agent) were added.
609335-1 : IPsec tmm devbuf memory leak.
Component: TMOS
Symptoms:
A small memory leak was discovered during internal testing of IPsec tunnels. Over time tmm might run out of memory and crash.
Conditions:
It is not known exactly what triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
609328-3 : SIP parser incorrectly parses an empty header
Solution Article: K53447441
Component: Service Provider
Symptoms:
If a SIP message contains an empty header, the following header line is taken as the value of the empty header.
Conditions:
A SIP header without any value incorrectly causes the next header to be used as its value.
Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).
Workaround:
None.
Fix:
Parser has been corrected to terminate an empty header when a line ending is seen.
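The Python parser below is an added example (not the BIG-IP SIP parser; the messages are constructed) covering this issue and 609575-5 above. It shows the empty-header defect beside a corrected parser that ends a header at its line ending, and a Max-Forwards check that follows RFC 3261: a request without Max-Forwards passes the forwarding check and the forwarded copy is given the value 70, whereas treating the missing header as 0 (the pre-fix behaviour in 609575-5) refuses to forward it.

```python
"""Minimal SIP header parsing with two edge cases from these release notes.

Added example; not BIG-IP's SIP parser, and the messages are constructed.
  609328-3: an empty header ("Subject:") must end at its CRLF instead of
            swallowing the next header line as its value.
  609575-5: an ACK with no Max-Forwards. RFC 3261 16.3 passes a request with
            no Max-Forwards and 16.6 inserts 70 when forwarding it; treating
            the missing header as 0 drops the message.
"""
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"
DEFAULT_MAX_FORWARDS = 70  # RFC 3261 recommended initial value
Headers = Dict[str, List[str]]


def _header_block(msg: str) -> Tuple[str, str]:
    """Split a SIP message into its start line and the raw header block (body dropped)."""
    start_line, _, rest = msg.partition(CRLF)
    return start_line, rest.split(CRLF + CRLF, 1)[0]


def parse_headers_buggy(msg: str) -> Headers:
    """Reproduces 609328-3: after the colon, all whitespace including CRLF is
    skipped before the value is read, so an empty header runs into the next line."""
    _, head = _header_block(msg)
    headers: Headers = {}
    pos = 0
    while pos < len(head):
        colon = head.find(":", pos)
        if colon < 0:
            break
        name = head[pos:colon].strip().lower()
        value_start = colon + 1
        while value_start < len(head) and head[value_start] in " \t\r\n":  # the defect
            value_start += 1
        value_end = head.find(CRLF, value_start)
        if value_end < 0:
            value_end = len(head)
        headers.setdefault(name, []).append(head[value_start:value_end])
        pos = value_end + len(CRLF)
    return headers


def parse_headers(msg: str) -> Tuple[str, Headers]:
    """Corrected parser: one header per line, folded continuation lines (leading
    SP/HTAB, RFC 3261 7.3.1) are unfolded, and an empty value is the empty string."""
    start_line, head = _header_block(msg)
    lines: List[str] = []
    for raw in head.split(CRLF):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    headers: Headers = {}
    for line in lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start_line, headers


def next_hop_max_forwards(headers: Headers, missing_means_zero: bool = False) -> Optional[int]:
    """Max-Forwards value for the forwarded copy, or None if the message must not be
    forwarded. missing_means_zero=True models the pre-fix behaviour in 609575-5."""
    values = headers.get("max-forwards")
    if not values:
        return None if missing_means_zero else DEFAULT_MAX_FORWARDS
    try:
        hops = int(values[0])
    except ValueError:
        return None
    return hops - 1 if hops > 0 else None


def _msg(*lines: str) -> str:
    return CRLF.join(lines) + CRLF + CRLF  # the empty line ends the header block


# Constructed ACK from a client that omits Max-Forwards and sends an empty Subject.
ACK_NO_MAX_FORWARDS = _msg(
    "ACK sip:bob@example.test SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From: Alice <sip:alice@example.test>;tag=1928301774",
    "To: Bob <sip:bob@example.test>;tag=a6c85cf",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 ACK",
    "Subject:",
    "Content-Length: 0",
)

# Constructed INVITE that has already used all of its hops.
INVITE_NO_HOPS_LEFT = _msg(
    "INVITE sip:bob@example.test SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK74bf9",
    "Max-Forwards: 0",
    "From: Alice <sip:alice@example.test>;tag=9fxced76sl",
    "To: Bob <sip:bob@example.test>",
    "Call-ID: 3848276298220188511@192.0.2.10",
    "CSeq: 1 INVITE",
)

if __name__ == "__main__":
    print("buggy subject:", parse_headers_buggy(ACK_NO_MAX_FORWARDS).get("subject"))
    _, hdrs = parse_headers(ACK_NO_MAX_FORWARDS)
    print("fixed:", hdrs["subject"], hdrs["content-length"], next_hop_max_forwards(hdrs))
```

With the defective parser the Content-Length line disappears into the Subject value, which is exactly the case in the Impact above where a needed header is "not seen"; with the corrected parser the ACK without Max-Forwards is forwardable and the forwarded copy carries 70, while the INVITE with Max-Forwards: 0 is correctly refused.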
609325 : F5 SFP modules that do not support DDM do not write a log message saying that DDM is not supported
Component: TMOS
Symptoms:
QSFP modules that do not support DDM (Digital Diagnostic Monitoring) write a message to /var/log/ltm indicating that DDM is not supported; however, certain F5-branded SFP modules that do not support DDM write no such message.
Conditions:
Upon inserting the unsupported DDM SFP modules.
Impact:
DDM is not reporting information for the following optics:
1Gb-10Gb SFP modules without DDM support:
OPT-0004
OPT-0007
OPT-0011
OPT-0015
OPT-0051
OPT-0033
Workaround:
None.
Fix:
All DDM SFP 1Gb-10GB modules now log in /var/log/ltm that DDM is not supported with that optical transceiver.
609244-4 : tmsh show ltm persistence persist-records leaks memory
Component: Local Traffic Manager
Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.
Conditions:
This occurs when running tmsh show ltm persistence persist-records.
Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.
Workaround:
None.
Fix:
tmsh show ltm persistence persist-records no longer leaks memory.
609199-6 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
Component: Local Traffic Manager
Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.
Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP.
Fix:
Remove unestablished joining subflows when freeing the MPTCP connection structure.
609119-7 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
Component: TMOS
Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:
-- err mcpd[19114]: 01070711:3:
For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.
Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.
Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.
Workaround:
None. The problem corrects automatically when the system rewrites the log.
Fix:
The logging system no longer prints a blank message when a file object configuration change fails validation.
609114-1 : Add the ability to control dropping of alerts by before-load-function
Component: Fraud Protection Services
Symptoms:
Too many alerts can prevent you from enabling FPS. If it is enabled anyway, a large number of 'missing component' alerts are generated.
Conditions:
This can occur when enabling FPS would trigger a high number of alerts.
Impact:
FPS is disabled, or alerts are not categorized.
Fix:
Added a before-load-function capability to drop alerts on the client.
609107-1 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
Component: TMOS
Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.
Conditions:
A folder is removed from a previously valid configuration file.
Impact:
Inconsistent configuration between devices in the same device group: the devices show as in sync when they are not, and the configuration fails to load after mcpd has been restarted.
Workaround:
Do not remove folders from the configuration file.
Fix:
mcpd now properly validates missing 'sys folder' config in bigip_base.conf, so the config performs as expected.
609098-1 : Improve details of ajax failure
Component: Fraud Protection Services
Symptoms:
When an AJAX request fails, insufficient information is provided to debug the failure.
Conditions:
AJAX failure
Impact:
Difficult to diagnose the failure.
Workaround:
Not relevant
Fix:
Added information about the AJAX failure to the alert.
609095-1 : mcpd memory grows when updating firewall rules
Component: Advanced Firewall Manager
Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.
Conditions:
This can occur when making changes to firewall policies.
Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.
609084-2 : Max number of chunks not configurable above 1000 chunks
Solution Article: K03808942
Component: Application Security Manager
Symptoms:
Requests with more than 1000 chunks are blocked, and the system posts the following message in the ASM event log:
Unparsable request content Chunks number exceeds request chunks limit: 1000.
Conditions:
This occurs when the request exceeds 1000 chunks.
Impact:
Requests that are valid from the server side are being rejected.
Workaround:
None.
Fix:
This release adds an internal parameter, "request_max_chunks_number", to allow configuring a maximum number of chunks greater than 1000. The default value is 1000.
Behavior Change:
This release adds an internal parameter, "request_max_chunks_number", to allow configuring a maximum number of chunks greater than 1000. The default value is 1000.
609027-1 : TMM crashes when SSL forward proxy is enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes when SSL forward proxy is enabled.
Conditions:
This can occur when SSL forward proxy is enabled and a server-side handshake completes while no client-side SSL handshake is in progress.
Impact:
Traffic disrupted while tmm restarts.
Fix:
SSL forward proxy now ignores a server-side handshake completion when no client-side SSL handshake is in progress, so the intermittent TMM crash no longer occurs.
609005-2 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
Component: Policy Enforcement Manager
Symptoms:
If two client-side DHCP packets arrive with the giaddr field set, one from source port 67 and another from source port 68 (which does not conform to the RFC: a DHCP packet with giaddr set comes from a relay agent and must use source port 67), tmm crashes while logging the error message.
Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have giaddr fields set
3) One packet uses 67 as source port, the other uses 68
Impact:
Traffic disrupted while tmm restarts.
Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.
608991-7 : BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
Component: Local Traffic Manager
Symptoms:
If a SYN with MP_JOIN is received on a new subflow during an MPTCP connection and the connection closes before the three-way handshake is complete, the BIG-IP will continue trying to complete the three-way handshake.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a SYN with MP_JOIN is received on another flow during an MPTCP connection.
Impact:
The BIG-IP retransmits the SYN/ACK to the joining flow after the connection is closed.
Workaround:
There is no workaround.
Fix:
Free joining connections when an MPTCP connection is closed.
608941-1 : AAA RADIUS system authentication fails on IPv6 network
Component: Access Policy Manager
Symptoms:
APM supports RADIUS authentication to IPv6 servers for APM clients if the IPv6 servers are in a pool, but using RADIUS for system authentication directly against a RADIUS server fails with an invalid IP address. The signature in the log file is as follows:
err apmd[13481]: 01490108:3: /Common/profilename: RADIUS module: authentication with 'aa' failed: Invalid Server IP(0)/Port(0) (1)
Conditions:
RADIUS authentication configured for system authentication direct to a RADIUS server, and the RADIUS server is an IPv6 server.
Impact:
RADIUS is unable to connect directly to the IPv6 RADIUS server, clients unable to log into the system.
608826-1 : Greylist (bad actors list) is not cleaned when attack ends
Component: Anomaly Detection Services
Symptoms:
When an attack ends, the greylist (detected bad actors) remains until the timeout expires.
Conditions:
Bad actors have been detected, and the attack ends.
Impact:
If a new attack starts before the greylist expires, greylist members are mitigated even if they are not related to the current attack.
Workaround:
If necessary, the greylist can be cleared manually using the ipidr utility.
Fix:
The greylist is now cleared when the attack ends.
608742-2 : DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
Solution Article: K48561135
Component: Policy Enforcement Manager
Symptoms:
When the BIG-IP system is configured in Forwarding mode, the BIG-IP system drops the renewal ACK message from the server in response to unicast renewal message from DHCP clients.
Conditions:
-- BIG-IP system configured in forwarding mode.
-- DHCP clients sending unicast renewal message to DHCP server.
Impact:
Unicast DHCP renewal requests are not responded to with ACKs. DHCP clients will send broadcast renewal messages and will receive ACK from servers.
Workaround:
None.
Fix:
After a DHCP client fails to receive an ACK for its unicast renewal message, it sends a broadcast renewal message; the DHCP server's ACK to that message is forwarded by the BIG-IP system and received by the client.
608591-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
Component: Policy Enforcement Manager
Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).
Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.
Impact:
Might impact the way policies are provided from the PCRF.
Workaround:
None
Fix:
Subscriber ID type is now marked as NAI for DHCP discovered subscribers.
608566-1 : The reference count of NW dos log profile in tmm log is incorrect
Component: Advanced Firewall Manager
Symptoms:
In certain circumstances, when virtual servers are configured with security log profiles, the log message in the tmm log shows an incorrect reference count for the log profiles.
Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.
Impact:
This may lead to issues such as a TMM crash if the reference count is not calculated correctly.
Fix:
The log message now shows the correct reference count.
608555-1 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash
Component: Local Traffic Manager
Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.
Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.
Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.
Workaround:
Do not use asymmetric routing with a rate limited license.
Fix:
The VE rate shaper now works correctly when asymmetric routing is configured, and tmm no longer crashes.
608551-3 : Half-closed congested SSL connections with unclean shutdown might stall.
Component: Local Traffic Manager
Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.
Conditions:
If SSL egress is congested and the client sends a FIN with no Close Notify, the connection might stall because SSL does not request more egress data from HTTP.
Impact:
Possible stalled flow.
Workaround:
Use an SSL client that sends a clean shutdown.
Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.
608509-1 : Policy learning is slow under high load
Component: Application Security Manager
Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.
Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.
Impact:
Learning suggestions appear with considerable delay, and policy learning slows down.
Workaround:
No workaround
Fix:
Fixed an issue with slow policy learning on heavily loaded systems.
608424-2 : Dynamic ACL agent error log message contains garbage data
Component: Access Policy Manager
Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.
Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.
Impact:
The system logs garbage data.
Workaround:
Make sure the ACL entry is correct.
Fix:
Dynamic ACL error log messages no longer contain garbage data when Dynamic ACL detects incorrect syntax of an ACL entry.
608408-2 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
Component: Access Policy Manager
Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.
Conditions:
All of the following:
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.
Impact:
TMM may restart.
Workaround:
None.
Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.
608373-2 : Some iApp LX packages will not be saved during upgrade or UCS save/restore
Component: iApp Technology
Symptoms:
iApp LX packages that include dependencies on system utilities (like /bin/sh, /bin/bash, python etc.) cannot be imported to iApp LX RPM database.
Conditions:
iApp LX packages that depend on system utilities.
Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.
Workaround:
None.
Fix:
The iApp LX UCS save process now turns off automatic dependency generation by rpmbuild, so iApp LX packages can be imported during UCS restore or upgrade.
608320-3 : iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response
Component: TMOS
Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API with persistence profiles.
-- A string, enum, or vector of enum/string property is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string properties that are explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with the value "none". The exception is secured attributes, which are always excluded from the iControl REST API response.
608304-1 : TMM crash on memory corruption
Solution Article: K55292305
Component: Local Traffic Manager
Symptoms:
In rare cases tmm might crash on memory corruption.
Conditions:
It is not known what sequence of events triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes on memory corruption in rare cases.
608245 : Reporting missing parameter details when attack signature is matched against parameter value
Component: Application Security Manager
Symptoms:
A parameter is shown without parameter details, or with garbled parameter details, in the local logging GUI.
Conditions:
An attack signature was detected in a parameter value.
Impact:
Incorrect reporting.
Workaround:
N/A
608024-3 : Unnecessary DTLS retransmissions occur during handshake.
Component: Local Traffic Manager
Symptoms:
Unnecessary DTLS retransmissions occur during handshake.
Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.
Impact:
Possible DTLS handshake failure on VE platform.
Workaround:
None.
Fix:
This release fixes a possible failed DTLS handshake on VE platforms.
608009-1 : Crash: Tmm crashing when active system connections are deleted from cli
Component: Policy Enforcement Manager
Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to the DHCP relay agent's IP address by the relay agent, tmm may crash when active system connections are deleted from the CLI or via aging.
Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in unicast DHCP renewal packet is set to IP address of relay agent (Typically, it is set to 0 by the DHCP client)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This is not a typical network setup. Usually DHCP relay agent will not modify DHCP renewal packet to insert its own address as giaddr.
607961-1 : Secondary blades restart when modifying a virtual server's route domain in a different partition.
Component: TMOS
Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).
Conditions:
- Only happens on chassis.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.
Impact:
Traffic disrupted while secondary blades restart.
Workaround:
None.
Fix:
Secondary blades no longer restart when modifying a virtual server's route domain in a different partition.
607857-1 : Some information displayed in "list net interface" will be stale for interfaces that change bundle state
Component: TMOS
Symptoms:
Changing the bundling on an interface does not clear the following fields in the previously configured interface:
module-description, serial, vendor, vendor-oui, vendor-partnum, vendor-revision.
That information will be correct for the active interface, it is just not cleared for the previously configured interface.
Module description is not correctly reported on unbundled interfaces.
Conditions:
Bundling change on an interface
Impact:
"list net interface" on previously configured interfaces will show stale information. May be confusing.
Module description is missing from "list net interface" on unbundled interfaces.
Workaround:
Stale data will clear on a reboot. This is purely a display issue, it does not affect the functionality of the currently configured interfaces.
607803-3 : DTLS client (serverssl profile) fails to complete resumed handshake.
Solution Article: K33954223
Component: Local Traffic Manager
Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.
Conditions:
This occurs when the BIG-IP system acts as a DTLS client.
Impact:
Possible failed resumed handshake.
Workaround:
Disable session reuse.
Fix:
This release fixes a possible failed resumed DTLS handshake.
607724-2 : TMM may crash when in Fallback state.
Solution Article: K25713491
Component: Local Traffic Manager
Symptoms:
When HTTP is in Fallback mode, the HTTP filter might prematurely send an Abort event to the TCP filter (causing teardown) while an abort triggered by the upper filter/proxy is already in progress.
TMM may crash when this happens.
Conditions:
It is not known exactly what conditions trigger this, but it has been known to occur when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a rarely occurring tmm crash that might be related to issuing HTTP::respond in the LB_FAILED event in an iRule.
607713-3 : SIP Parser fails header with multiple sequential separators inside quoted string.
Component: Service Provider
Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.
Conditions:
If a SIP header contains multiple attribute separators ',' or ';' in an attribute.
Impact:
The SIP parser flags the message as an error. If the separators occur inside a quoted string within the attribute, the message should be allowed, but it still fails. Valid SIP messages fail to parse.
Workaround:
None.
Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.
607658-1 : GUI becomes unresponsive when managing GSLB Pool
Component: Global Traffic Manager (DNS)
Symptoms:
The GUI locks up and becomes unresponsive. Most major web browsers complain about slow JavaScript and prompt you to kill the script.
Conditions:
Managing an A type GSLB pool when hundreds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.
Impact:
Page takes a significantly long time to load.
Workaround:
Manage pools through tmsh, or wait for it to load.
607524-2 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
Component: Local Traffic Manager
Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from client is not freed and memory is leaked.
Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.
Impact:
Packet memory is leaked.
Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.
Fix:
Free the original packet memory when last DHCP server is down.
607360-5 : Safenet 6.2 library missing after upgrade★
Component: Local Traffic Manager
Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.
Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.
Impact:
Safenet 6.2 is not functional.
Workaround:
Reinstall Safenet 6.2, or run the following command on all blades of the BIG-IP system after the installation:
ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so
Fix:
Add symbolic link to libgem at time of pkcs11d daemon start/restart.
607314-1 : Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
Solution Article: K25075696
607304-5 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Component: Local Traffic Manager
Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Conditions:
This can occur under normal operation, while running the geo_update command.
Impact:
Traffic disrupted while tmm restarts.
607246-10 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
Component: Local Traffic Manager
Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile.
Conditions:
Encrypted cookie persistence with fallback, where the fallback persistence has a reasonably short timer such that a request containing a valid cookie is handled after the fallback entry has expired.
Impact:
Persistence fails after fallback expired.
Workaround:
Change cookie-encryption to preferred which allows persistence on either encrypted or decrypted cookie.
607200-1 : Switch interfaces may seem up after bcm56xxd goes down
Component: TMOS
Symptoms:
'tmsh show net interface' may show that switch ports are still up after bcm56xxd is brought down. This is because bcm56xxd does not notify mcpd that bcm56xxd will go down.
Conditions:
If the switch ports are up and bcm56xxd is brought down, 'tmsh show net interface' will show that the switch ports are still up.
Impact:
The switch ports may seem up, but traffic can't be sent/received.
Workaround:
None.
Fix:
bcm56xxd now notifies mcpd that all ports have become uninitialized before it goes down.
607152-1 : Large Websocket frames corrupted
Component: Local Traffic Manager
Symptoms:
If large Websocket frames are being sent by the end-point and this transfer is interleaved with frames being sent by the other endpoint, corrupted frames could be sent by BIG-IP.
Conditions:
Websocket profile is attached to the virtual. Large Websocket frames are sent by the end-point. This transfer is interleaved with frames being sent in the other direction.
Impact:
Connection reset because of corrupted frames being received by the end-point.
606940-3 : Clustered Multiprocessing (CMP) peer connection may not be removed
Component: Local Traffic Manager
Symptoms:
- High memory usage due to connflow allocations
- conn_remove_cf_not_found stat is non-zero
Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.
Impact:
Low memory may lead to allocation failures, which may lead to a tmm core.
Fix:
Fix validation performed on parsed CMP flow keys that allows unknown CMP connections to be removed.
606875-1 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
Component: Advanced Firewall Manager
Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.
Impact:
Bad user experience when accessing the website's first page.
Workaround:
N/A
Fix:
The JavaScript has been optimized to reduce the time needed to load the website's first page.
606807-1 : i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
Component: TMOS
Symptoms:
If the LCD is not communicating with the BIG-IP system when the chassis manager daemon starts, LCD errors are occasionally displayed using the sensor number rather than the name "LCD".
Conditions:
chmand restarts while the LCD is unable to communicate.
Impact:
Cosmetic.
Fix:
LCD error will show name "LCD" rather than sensor number in communication error.
606771-2 : Multiple PHP vulnerabilities
Solution Article: K35799130
606710-10 : Mozilla NSS vulnerability CVE-2016-2834
Solution Article: K15479471
606575-6 : Request-oriented OneConnect load balancing ends when the server returns an error status code.
Component: Local Traffic Manager
Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.
Conditions:
OneConnect is enabled and the server responds with an HTTP error status code.
Impact:
The client remains connected to the server, and no further load-balancing decisions are made.
Workaround:
It may be possible to detect the HTTP status code in the response and manually detach the client-side.
To do so, use an iRule similar to the following:
when HTTP_RESPONSE {
    # Successful responses need no action.
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }
        unset auth_header
    }
    # Any other status: detach the client-side so the next request is load balanced again.
    catch { ONECONNECT::detach enable }
}
Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).
Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.
606573-3 : FTP traffic does not work through SNAT when configured without Virtual Server★
Component: Local Traffic Manager
Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.
Conditions:
The BIG-IP system configured to allow FTP traffic through, and SNAT is configured without a virtual server.
Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.
Workaround:
None.
Fix:
FTP traffic now works through SNAT when SNAT is configured without a virtual server.
606565-2 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
Solution Article: K52231531
Component: Local Traffic Manager
Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous-open 4-way handshake.
Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4-way handshake (simultaneous open) occurs, as described in RFC 793.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
The crash can be avoided, while still mitigating TCP 4-way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.
606521-1 : Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
Component: Application Security Manager
Symptoms:
Policy with UTF-8 encoding has disallowed high ASCII meta-characters even after upgrade, which results in suggestions for allowing meta-characters that cannot be accepted.
Conditions:
System with a policy with encoding set to UTF-8 (uppercase).
Upgrading from v11.6.x/v12.x to v12.1.2 or 13.0.0.
Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.
Workaround:
None.
Fix:
The upgrade process now fixes policies that had their encoding stored in uppercase as well.
606518-3 : iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.
Component: Device Management
Symptoms:
You cannot use a username containing an 'at' (@) character, or specify an email address as the username, when requesting an authentication token using iControl REST while a 3rd-party authentication provider is in use.
Conditions:
Set up the BIG-IP system to use 3rd-party RADIUS or LDAP authentication, and configure a username containing an 'at' (@) character, or specify an email address as the username.
Impact:
Cannot authenticate and get authentication token using iControl REST.
Workaround:
Do not use usernames with special characters, such as 'at' (@), period (.), and so on.
Fix:
Updated the logic to allow any special characters in the username and password when a 3rd-party authentication system is used on the BIG-IP system.
606509-4 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★
Component: TMOS
Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.
Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0.
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).
Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).
Fix:
This release restores the process nice value of the vCMP guest control-plane, so the vCMP guest no longer experiences potentially frequent failovers.
606316-4 : HTTPS request to F5 licensing server fails
Component: iApp Technology
Symptoms:
Licensing BIG-IP systems through REST API fails.
Conditions:
Licensing BIG-IP systems using the REST API.
Impact:
Cannot use REST API to license BIG-IP systems.
Workaround:
Use TMUI or TMSH to license BIG-IP systems.
Fix:
Licensing BIG-IP systems through REST API now completes successfully.
606257-3 : TCP FIN sent with Connection: Keep-Alive header for webtop page resources
Solution Article: K56716107
Component: Access Policy Manager
Symptoms:
When using customized webtops (for example, using custom images for the webtop links), sometimes a TCP FIN flag will be sent with a packet with an HTTP "Connection: Keep-Alive" header. Not all clients recover from this.
Conditions:
Use a customized webtop link.
Impact:
The webtop links page does not render correctly.
Fix:
Webtop page resources no longer send FIN flags with Keep-Alive headers.
606110-2 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
Component: TMOS
Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading to a version later than 12.1.0, the default module for dataplane interfaces is UNIC modules instead of socket-based networking.
Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.
Impact:
The raw socket-based tmm driver is replaced by a UNIC driver. The socket-based driver eliminates kernel driver dependencies and provides better portability during kernel/driver upgrades.
Workaround:
None.
Fix:
BIG-IP VE socket-based networking driver retained after upgrade on AWS or Azure.
606066-2 : LSN_DELETE messages may be lost after HA failover
Component: Carrier-Grade NAT
Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.
Conditions:
CGNAT configured as an HA pair, with session logging enabled.
Impact:
An LSN_DELETE message may be missing from the logs.
Fix:
After the fix, the LSN_DELETE message will not be lost.
605983-1 : tmrouted may crash when being restarted in debug mode
Component: Local Traffic Manager
Symptoms:
tmrouted may restart again after being manually restarted with a debug level of 2 or higher.
Conditions:
tmrouted is manually restarted with a debug level of 2 or higher.
Multi route-domain setup with independent routing processes enabled on several route-domains.
Impact:
tmrouted may restart additional times, which delays the return to service after manually restarting tmrouted.
Any restart of tmrouted already causes loss of dynamic routing sessions.
Workaround:
Do not use a debug level of 2 or higher for tmrouted. This should be done only under recommendation from F5 Support.
Fix:
tmrouted no longer crashes when being restarted in debug mode.
605982-1 : Policy settings change during export/import
Component: Application Security Manager
Symptoms:
After exporting a security policy with specific learning and blocking settings from one device and importing it to another device, the security policy on the target device does not have the expected learning and blocking settings and is mismatched with the source device.
Conditions:
On device A: Security :: Application Security : Policy Building : Learning and Blocking Settings
• Select 'Enable' and 'Learn' under HTTP protocol compliance failed for all the sub-violations.
• Save and export the policy in XML format.
• Import to device B.
Impact:
The loaded policy on device B does not have all the options checked for HTTP protocol compliance failed for all the sub-violations as expected.
When exporting the policy from device B, the name of the exported file does not change to match device B's name, but still remains as device A's name.
Workaround:
For exporting a policy that has Policy Builder enabled, use either of the methods below:
1) Use XML export/import:
+ On export:
- Stop the policy builder.
- Export the policy to XML.
- Start the policy builder.
+ On import:
- Import the XML policy.
- Start the policy builder on the newly imported policy.
2) Use binary export/import.
Fix:
This release fixes the XML policy export/import processes so that no differences are created in the 'HTTP protocol compliance' learning settings.
605894-3 : Remote authentication for BIG-IP users can fail
Component: TMOS
Symptoms:
While trying to log into the command line of the BIG-IP system as a remotely authenticated user, login intermittently fails. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server", even though the LDAP server is up and accessible from the BIG-IP system.
Conditions:
Remote authentication configured, users configured to use remote authentication, ssl-check-peer is enabled and one or more of these properties are different than "none": ssl-ca-cert-file, ssl-client-cert, ssl-client-key.
Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.
Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert and ssl-client-key to "none" can work around this issue.
605865-4 : Debug TMM produces core on certain ICMP PMTUD packets
Component: Local Traffic Manager
Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.
Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.
Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.
Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.
Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.
605792-1 : Installing a new version changes the ownership of administrative users' files★
Component: TMOS
Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.
Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.
Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.
Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.
Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer prevented from using stored public keys in authorized_keys.
605682-2 : With forward proxy enabled, sometimes the client connection will not complete.
Component: Local Traffic Manager
Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.
Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.
Impact:
Degraded service due to connections not completing.
Workaround:
None.
Fix:
The stalling caused by a missing forged certificate no longer happens.
605627 : Selinux denial seen for apmd when it is being shutdown.
Component: Access Policy Manager
Symptoms:
When the apmd process is stopped, you observe an SELinux-related log message indicating that apmd does not have getattr permission on a shared memory component owned by tmm.
Conditions:
When apmd is stopped or restarted.
Impact:
No impact to apmd functionality. apmd stops and starts normally.
605616-1 : Creating 256 Fundamental Security policies will result in an out of memory error
Component: Application Security Manager
Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.
Conditions:
Create 256 fundamental security policies.
Impact:
Out of memory error.
Workaround:
None.
Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.
605579-8 : iControl-SOAP expat client library is subjected to entropy attack
Solution Article: K65460334
605525-1 : Deterministic NAT combined with NAT64 may cause a TMM core
Component: Carrier-Grade NAT
Symptoms:
TMM crashes when a virtual is configured with nat64 enabled, and a deterministic NAT lsn-pool, and there is traffic.
Conditions:
lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Deterministic NAT is not supported with nat64, and should not be configured.
605480-4 : BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
Component: Local Traffic Manager
Symptoms:
After completing an active close of an MPTCP connection, the BIG-IP sends MP_FASTCLOSE.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and MPTCP performs an active close of a connection.
Impact:
The BIG-IP retransmits MP_FASTCLOSE after the connection closing is complete until the maximum number of retransmissions is reached.
Fix:
Fixed sequence of events on connection closure.
605476-3 : statsd can core when reading corrupt stats files.
Component: TMOS
Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.
Conditions:
This issue occurs when the following condition is met:
The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.
Under these conditions, the istatsd process continually consumes memory until it produces a core file and restarts.
Impact:
iStatsd process will restart due to resource exhaustion.
Workaround:
To work around this issue, remove the iStats files and restart the istatsd and related processes. To do so, perform the following procedure:
Impact of workaround: This workaround resets all statistics in the iStats files.
1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged
3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete
4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged
Fix:
Added a fix that prevents istatsd from continually reading a corrupted segment file that contains duplicate FIDs.
605427-1 : TMM may crash when adding and removing virtual servers with security log profiles
Component: Advanced Firewall Manager
Symptoms:
In certain circumstances, when virtual servers are configured with security log profiles, TMM may crash.
Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.
Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.
Traffic disrupted while tmm restarts.
Fix:
TMM no longer crashes during repeated creation, modification, and deletion of many virtual servers with security log profiles attached.
605420-5 : httpd security update - CVE-2016-5387
Component: TMOS
Symptoms:
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests.
Conditions:
None.
Impact:
A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
Workaround:
None.
Fix:
Install the latest build, which includes httpd-2.2.15-54.el6_8 or later.
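The mechanism behind this entry, as an added illustration that is not part of the release note and not BIG-IP or httpd code: a CGI gateway maps every request header to an HTTP_* environment variable (RFC 3875), so a client-supplied Proxy header lands in HTTP_PROXY, which many HTTP client libraries consult. The hardened mapping drops that header at the gateway, which is the standard mitigation alongside the httpd update; the sample headers and host names are constructed.

```python
"""Gateway-side handling of the 'Proxy' request header (CVE-2016-5387).

Illustrative model written for this note; not BIG-IP or httpd code.
"""
from typing import Dict, Iterable, Optional, Tuple

Header = Tuple[str, str]

# Request headers whose HTTP_* name collides with an environment variable that
# HTTP client libraries read for proxy configuration. 'Proxy' -> HTTP_PROXY is
# the one that matters here; a set keeps the policy easy to extend.
BLOCKED_HEADERS = frozenset({"proxy"})


def header_to_cgi_name(name: str) -> str:
    """RFC 3875 section 4.1.18: 'HTTP_' + upper-cased name with '-' replaced by '_'."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def cgi_environ_unsafe(headers: Iterable[Header]) -> Dict[str, str]:
    """Pre-fix behaviour: every request header is exported without filtering."""
    return {header_to_cgi_name(k): v for k, v in headers}


def cgi_environ_hardened(headers: Iterable[Header]) -> Dict[str, str]:
    """Fixed behaviour: blocked headers never reach the CGI environment."""
    env: Dict[str, str] = {}
    for k, v in headers:
        if k.strip().lower() in BLOCKED_HEADERS:
            continue
        env[header_to_cgi_name(k)] = v
    return env


def proxy_used_by_cgi_client(env: Dict[str, str]) -> Optional[str]:
    """What an HTTP client library inside the CGI script would adopt as its proxy."""
    return env.get("HTTP_PROXY")


def request_carries_proxy_header(headers: Iterable[Header]) -> bool:
    """Detection helper for log or WAF review: a 'Proxy' request header has no
    legitimate use in a browser request, so its presence is worth alerting on."""
    return any(k.strip().lower() == "proxy" for k, _ in headers)


# Constructed sample request headers (not a real capture).
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "curl/7.29.0"),
    ("Proxy", "untrusted-host.invalid:8080"),
]

if __name__ == "__main__":
    print("unsafe  :", proxy_used_by_cgi_client(cgi_environ_unsafe(SAMPLE_HEADERS)))
    print("hardened:", proxy_used_by_cgi_client(cgi_environ_hardened(SAMPLE_HEADERS)))
```

The detection helper is the piece worth keeping after patching: a request that carries a Proxy header is unusual enough to log even on a fixed system.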
605260-1 : [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
Component: Global Traffic Manager (DNS)
Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. The GUI returns an 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed while a partition with a default route domain other than 0 is selected.
Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.
Impact:
You will be unable to make changes to the listener.
Workaround:
Use tmsh, or use the LTM GUI (Local Traffic :: Virtual Servers).
605125-2 : Sometimes, password fields are read-only
Component: Fraud Protection Services
Symptoms:
Sometimes, password fields are read-only, so the user cannot type a password.
Conditions:
WebSafe protection enabled on a site
Impact:
The user cannot type a password on the site.
Workaround:
N/A
Fix:
N/A
605123-1 : IAppLX objects fail to sync after establishing HA in auto-sync mode★
Component: Device Management
Symptoms:
iAppLX objects are part of the REST Framework, which implements gossip-based replication. This replication might not work when the restFrameworkVersion recorded on the device-group device is out of sync with the actual restFrameworkVersion.
Conditions:
DeviceInfoWorker detects and updates the framework version after a REST RPM upgrade, but the device-group device is not updated correctly.
Impact:
REST framework objects (including iAppLX instances, templates, and packages) fail to sync to the HA peer.
Workaround:
Mitigation: run DeviceRefreshWorker, which is responsible for patching the localhost resource in all device groups with the correct framework version on update. Workaround: patch the restFrameworkVersion manually on the device-group device.
Fix:
Run the DeviceRefreshWorker; it patches the localhost resource in all device groups with the correct framework version on update.
605039-3 : lwresd and bind vulnerability CVE-2016-2775
Solution Article: K92991044
605010-1 : Thrift::TException error
Component: Application Visibility and Reporting
Symptoms:
Trying to send a scheduled report might fail in some cases with the error "Thrift::TException=HASH(0x9a65410)".
Conditions:
This occurs when sending scheduled reports.
Impact:
Sending a scheduled report fails.
Workaround:
Modify the script to use the explicit address instead of the 'localhost' value. To do so, run the following commands:
mount -o remount,rw /usr
sed -i 's/localhost/127\.0\.0\.1/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
mount -o remount,ro /usr
Fix:
The script now uses the explicit address 127.0.0.1 instead of 'localhost'.
604977-2 : Wrong alert when DTLS cookie size is 32
Solution Article: K08905542
Component: Local Traffic Manager
Symptoms:
When a ServerSSL profile using DTLS receives a cookie with a length of 32 bytes, the system reports a fatal alert.
Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.
Impact:
DTLS with a 32-byte cookie fails.
Workaround:
None.
Fix:
DTLS now accepts cookies with a length of 32 bytes.
604926-3 : The TMM may become unresponsive when using SessionDB data larger than ~400K
Solution Article: K50041125
Component: Local Traffic Manager
Symptoms:
There is a hard limit on message sizes sent on the backplane on chassis platforms. Messages larger than the limit (~400K) are refused at a lower layer but buffered for resending at a higher layer. The messages are never sent, which causes backplane communication to lock up.
Conditions:
-- The BIG-IP system is a chassis with more than one blade.
-- Client traffic triggers the creation of SessionDB data larger than ~400K.
Impact:
The TMM becomes unresponsive to client traffic. If left running under load, the TMM might run out of memory from buffering SessionDB data and crash.
Workaround:
The workaround is to avoid sending large SessionDB data. TMM can be restarted if it does become unresponsive.
Fix:
There is no longer a hard limit for sending SessionDB data on the backplane.
604923-5 : REST id for Signatures change after update
Component: Application Security Manager
Symptoms:
The REST ids of existing signatures are unexpectedly modified after updating a User-Defined Signature, or after downloading an Attack Signature Update that modifies existing signatures.
Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.
Impact:
The REST id of the modified signatures is changed which may confuse REST clients.
Workaround:
Running the following script repairs an affected device:
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'
Fix:
Updated Signatures now retain the correct REST id.
604885-1 : Redirect/Route action doesn't work if there is an alert logging iRule
Component: Fraud Protection Services
Symptoms:
When "Trigger iRule Events" is enabled in the FPS profile and FPS rules with Route/Redirect actions are configured, the actions are not performed.
Conditions:
"Trigger iRule Events" is enabled in FPS profile and the virtual server has at least one iRule with ANTIFRAUD_ALERT or ANTIFRAUD_LOGIN events.
Impact:
Configured FPS rules with Route/Redirect actions will not be performed.
Workaround:
Disable "Trigger iRule Events" in the FPS profile.
Fix:
"Trigger iRule Events" no longer breaks FPS rules with configured Route/Redirect actions.
604880-4 : tmm assert "valid pcb" in tcp.c
Component: Local Traffic Manager
Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
604767-1 : Importing SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.
Component: Access Policy Manager
Symptoms:
When importing a SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.
Conditions:
BIG-IP is used as SAML SP.
Impact:
The resulting misconfiguration causes SAML WebSSO to fail.
Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.
604727-1 : Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★
Component: TMOS
Symptoms:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. After upgrade from 10.2.4 to 12.1.x, you are unable to use the GUI. The system posts the following message: The configuration has not yet loaded. CLI login works, and /var/log/ltm shows that the following message was recorded during the device bootup phase:
emerg load_config_files: "/usr/libexec/bigpipe base daol" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip_sys.conf Line 113): 012e0010:3: The requested value ({ i192_168_0_20_1) is invalid (<trapsess list> ` none) [add ` delete]) for 'trapsess' in 'snmpd'.
Conditions:
Upgrade from 10.2.4 to 12.1.x fails when an SNMP trap exists in the 10.2.4 configuration. The root cause is that the host parameter in the trap is enclosed in quotation marks.
Impact:
The upgrade completes, but the configuration does not load when the system restarts.
Workaround:
After the configuration fails to load in this case, you can remove the SNMP trap destination configuration by editing the /config/bigpipe/bigip_sys.conf file, and performing a manual configuration conversion and reload to recover.
Alternatively, to prevent the configuration load failure from occurring, you can remove the SNMP trap destination configuration before you upgrade to BIG-IP 12.1.x. Both procedures require that you re-create the SNMP trap destination configuration once the upgrade to BIG-IP 12.1.x and/or configuration load are complete.
Fix:
Upgrade from 10.2.4 now completes successfully when the 10.2.4 configuration includes SNMP traps whose host parameter is enclosed in quotation marks.
604612-1 : Modified ASM cookie violation happens after upgrade to 12.1.x★
Solution Article: K20323120
Component: Application Security Manager
Symptoms:
A false-positive modified ASM cookie violation, and possibly other false-positive cookie-related violations.
Conditions:
System upgraded to 12.1.x. Existing end users are connected with their browsers to the site.
Impact:
False positive violations. A blocking page will be shown in case the modified ASM cookie is set to blocking (which is the default for this violation in case the policy is in blocking state).
Workaround:
There are three options:
A. Set the modified ASM cookie violation to transparent for some time after the upgrade.
B. Use the erase cookie blocking page as the default blocking page for some time after the upgrade.
C. Use an iRule similar to the following:
when ASM_REQUEST_DONE {
    if {[ASM::violation names] contains "VIOLATION_MOD_ASM_COOKIE"} {
        log local0. "remove TS01d2cce8 cookie"
        HTTP::respond 302 Location "http://sub.some_domain.com/index.html?[ASM::support_id]" "Set-Cookie" "TS01d2cce8=deleteOldTSCookie;expires=Thu, 01 Jan 1970 00:00:01 GMT"
    }
}
Fix:
Modified ASM cookie violation no longer happens after upgrade to this version.
604549-7 : MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
Component: Local Traffic Manager
Symptoms:
If a DATA_FIN is received with a DATA_ACK that acknowledges data, the BIG-IP does not process the DATA_ACK and does not shut down the connection properly, because it believes there is still outstanding data to be acknowledged.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a DATA_FIN that DATA_ACKs data is received on an MPTCP connection.
Impact:
The connection is not closed properly and eventually times out.
Fix:
Fixed DATA_FIN handling.
604547-1 : Unix daemon configuration may be lost or not updated upon reboot
Component: TMOS
Symptoms:
The confpp script is invoked to pass TMOS configuration information to other non-TMOS daemons running on a BIG-IP system. When a BIG-IP system is rebooted, if TMOS configuration elements are parsed or configuration changes or other events occur early in the boot process, the corresponding changes may not be propagated to the confpp.dat file and processed by the confpp script. As a result, configuration information may not be propagated as expected to non-TMOS daemons.
A common symptom of this issue is that syslog-ng configuration is not updated to reflect the selection of the primary blade in a VIPRION chassis.
Conditions:
This issue may occur when booting an affected version of BIG-IP, such as:
- Rebooting blades in a VIPRION chassis.
- Rebooting a BIG-IP appliance or Virtual Edition instance.
Impact:
Expected configuration settings may not be applied to non-TMOS daemons upon a reboot.
For example, syslog-ng configuration may not be updated to include expected logging on the primary blade in a VIPRION chassis.
Workaround:
On a running BIG-IP system that shows symptoms of this issue, changing a db variable will trigger the confpp script to run and update the relevant non-TMOS daemons with appropriate settings from the current configuration. To implement this workaround, use the Traffic Management Shell (tmsh) to update a db variable.
For example:
tmsh modify sys db log.clusterd.level value "Informational"
This issue can be avoided by forcing the MCP configuration to be reloaded from configuration files instead of from the MCP binary database (mcpdb.bin).
For details, see:
K13030: Forcing the mcpd process to reload the BIG-IP configuration.
Fix:
Configuration data/changes that occur early in the BIG-IP boot process are propagated successfully to non-TMOS daemons by the confpp script.
604496-4 : SQL (Oracle) monitor daemon might hang.
Component: Local Traffic Manager
Symptoms:
The SQL (Oracle) monitor daemon might hang under a high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that hung connections are being aborted and that the address is in use and it is unable to connect.
Conditions:
A high number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.
Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.
Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce the monitoring frequency (lengthen the monitor interval).
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.
Fix:
This release fixes the address-in-use issue and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon, so that the system handles hung connections without aborting.
604459-1 : On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
Component: TMOS
Symptoms:
The following message appears on the console shortly after the system boots:
emerg logger: Re-starting bcm56xxd.
Conditions:
This occurs as a result of a possible race condition on i5x00, i7x00, and i10x00 platforms.
Impact:
No functional impact; the bcm56xxd daemon restarts successfully.
Workaround:
None.
604371-1 : Pagination controls missing for GSLB pool members
Component: Global Traffic Manager (DNS)
Symptoms:
The pagination controls for GSLB pool members do not appear when there are more items in the list than can be displayed (Records Per Screen).
Conditions:
Customer is running 12.1.0 - 12.1.2
Impact:
Unable to view the status of, or modify, GSLB pool members beyond those displayed on the screen.
Workaround:
Increase the number of Records Per Screen (System / Preferences / Records Per Screen) to a number larger than the number of items in your pool.
604237-3 : Vlan allowed mismatch found error in VCMP guest
Component: TMOS
Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "
Conditions:
When the vlan-allowed list contains a VLAN whose name matches the suffix of another VLAN's name in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."
Impact:
Unable to use VLAN.
Workaround:
Rename the VLANs so that no VLAN name is a suffix of any other VLAN name.
604223-2 : pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
Component: Local Traffic Manager
Symptoms:
The signal handler calls 'exit' on 'SIGTERM', which may produce a core in some abnormal situations.
Conditions:
When stopping pkcs11d with a command such as 'bigstart restart pkcs11d' or 'kill pkcs11d'.
Impact:
pkcs11d cores.
Workaround:
pkcs11d automatically comes up again after the core.
Fix:
The system now waits for all threads to finish before the pkcs11d program exits, so the core no longer occurs.
604211-1 : License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★
Solution Article: K72931250
Component: TMOS
Symptoms:
On Azure, after upgrading to any version other than 12.0.0 HF1-EHF14 or 12.1.0-HF1-EHF22, the system boots up as Not Licensed and Inoperative.
Although certain cloud-specific 12.x EHFs, such as BIG-IP Virtual Edition 12.1.0 HF1 EHF1, are intended for AWS only, BIG-IP does not prevent you from accidentally downloading and installing them in Azure environments. If you upgrade an Azure instance from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to 12.1.0 HF1 EHF1, 12.0.0-hf4, or 12.1.1, the Azure license becomes nonoperational and is invalidated.
Conditions:
Upgrading a BYOL instance on Azure to 12.1.0 HF1 EHF1 or 12.1.1. The Azure-specific versions are as follows:
- 12.0.0-HF1-EHF14.
- 12.1.0-HF1-EHF22.
Impact:
License becomes unusable. Re-licensing the instance yields an invalid license.
Workaround:
The workaround for this issue is to boot back into the previous boot volume, and then upgrade to 12.1.0-HF1-EHF22 in Azure.
To change default boot volume, choose one of the following methods:
1. tmsh reboot volume volume-name.
2. switchboot utility (interactive mode by default).
3. Admin UI.
For more information about the switchboot utility, see SOL5658: Overview of the switchboot utility, available here: https://support.f5.com/csp/#/article/K5658
Fix:
This release fixes the issue in which the Azure license became nonoperational after upgrading to BIG-IP Virtual Edition 12.1.0 HF1 EHF1 from 12.0.0 HF1 EHF14.
Note: Do not use BIG-IP 12.1.0 HF1 EHF1 in the Azure environments.
604191-1 : AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★
Component: Application Visibility and Reporting
Symptoms:
Loading the configuration after upgrade might fail due to mishandling of scheduled-reports, with an error similar to the following:
err mcpd[5492]: 01071afc:3: Report scheduling requires specifying valid measures for entity asm_repev_ip.
Conditions:
-- AVR provisioned.
-- A scheduled report is defined on a version earlier than v12.1.0, and the system is upgraded to v12.1.0.
Impact:
Loading the configuration after upgrade might fail.
Workaround:
None.
Fix:
Loading the configuration after upgrade of scheduled-reports is now properly handled.
604133-2 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state
Component: Local Traffic Manager
Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.
Conditions:
Ramcache + another filter or iRule inspecting/modifying cookies in a Ramcache response.
Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.
Fix:
Ramcache clears the HTTP cookie cache in its responses.
604061-2 : Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
Component: TMOS
Symptoms:
Traffic does not pass through a trunk interface and /var/log/ltm contains messages such as:
lacpd[6636]: 01160011:6: Link 2.2 Actor Out of Sync
lacpd[6636]: 01160012:6: Link 2.2 Partner Out of Sync
Conditions:
1) BIG-IP 2000/4000 or similar platform where "qprop tmos.lacpd_depends_on_tmm == true"
2) Passive LACP trunk
3) tmm has crashed after box has come up
4) tmm startup delayed by dumping large core file
5) tmm startup delayed by large config or busy control plane
Impact:
Trunks created by LACP do not pass traffic.
Workaround:
Restart lacpd after tmm has come up again: "bigstart restart lacpd"
Alternatively, modify /etc/bigstart/scripts/tmm.finish so that it restarts lacpd when tmm goes down.
Replace this line:
for d in admd asm avrd dosl7d; do
with these lines:
for d in lacpd admd asm avrd dosl7d; do
if [ `$BIGSTART singlestatus $d` = "run" ]; then
$BIGSTART restart $d &
fi
done
604011-1 : Sync fails when iRule or policy is in use★
Component: TMOS
Symptoms:
After upgrading and attempting to sync to devices in a sync group, sync fails with the following error:
Load failed from 119.big.ip 01070621:3: Rule priorities for virtual server (vs1) must be unique.
Load failed from /Common/big152 01070712:3: Caught configuration exception (0), Values (/Common/vs1) specified for virtual server policy (/Common/vs1 /Common/asm_auto_l7_policy__vs1): foreign key index (vs_FK) do not point at an item that exists in the database.
Conditions:
- A virtual address exists in the traffic-group-local-only group, meaning that it is not synced
- A CPM policy or iRule is applied to that virtual server
- Conduct a sync
This was seen on an upgrade from 12.0.0 to 12.1.0 HF1 or beyond, but could be triggered on an upgrade from any version from 11.4.0 and beyond to 12.1.0 HF1.
Impact:
Config sync fails.
Workaround:
Disassociate the iRule or policy from the virtual server, then attempt to sync.
603997 : Plugin should not inject nonce to CSP header with unsafe-inline
Component: Fraud Protection Services
Symptoms:
When the FPS Plugin injects CSP header values so that it can run, unnecessary injections may invalidate the application's own 'allow inline script' policy: browsers apply the more restrictive directive, and a nonce source in a directive causes 'unsafe-inline' in that same directive to be ignored.
Conditions:
The server response contains a header from the 'Content-Security-Policy' header family.
Impact:
The application's inline scripts refuse to run because the FPS Plugin injects a nonce. This breaks the user's application.
Workaround:
None.
Fix:
CSP 'unsafe-inline' and 'nonce' injection have been made mutually exclusive: the plugin no longer injects a nonce into a directive that already allows 'unsafe-inline'.
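One way to implement the mutual-exclusion rule this fix describes, as an added example that is not the FPS Plugin's code and not from the release note: parse the CSP header, find the directive that governs scripts (script-src, or default-src as its fallback), and skip nonce injection whenever that directive already carries 'unsafe-inline', since under CSP Level 2 a nonce or hash source makes browsers ignore 'unsafe-inline'. The header values below are constructed.

```python
"""Nonce injection that respects an application's 'unsafe-inline' policy.

Illustrative model written for this note; not the FPS Plugin's implementation.
"""
from typing import Dict, List, Optional

# Both members of the 'Content-Security-Policy' header family.
CSP_HEADER_FAMILY = ("content-security-policy", "content-security-policy-report-only")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives: Dict[str, List[str]]) -> str:
    return "; ".join(" ".join([name] + sources) for name, sources in directives.items())


def governing_script_directive(directives: Dict[str, List[str]]) -> Optional[str]:
    """script-src governs scripts; without it default-src does; with neither, scripts are unrestricted."""
    if "script-src" in directives:
        return "script-src"
    if "default-src" in directives:
        return "default-src"
    return None


def allows_unsafe_inline(sources: List[str]) -> bool:
    # keyword sources are case-insensitive
    return any(s.lower() == "'unsafe-inline'" for s in sources)


def inject_script_nonce(value: str, nonce: str) -> str:
    """Return the header value with a 'nonce-...' source added, or unchanged
    when adding it would break the application's inline scripts."""
    directives = parse_csp(value)
    name = governing_script_directive(directives)
    if name is None:
        return value  # scripts are unrestricted; nothing to relax
    sources = directives[name]
    if allows_unsafe_inline(sources):
        return value  # the fix: a nonce would make browsers ignore 'unsafe-inline'
    nonce_source = f"'nonce-{nonce}'"
    if nonce_source in sources:
        return value
    # Never widen default-src (it also governs images, fonts, frames, ...);
    # always express the nonce in an explicit script-src that inherits the
    # sources of whichever directive governed scripts before.
    directives["script-src"] = sources + [nonce_source]
    return serialize_csp(directives)


def inject_into_headers(headers: Dict[str, str], nonce: str) -> Dict[str, str]:
    """Apply the rule to every CSP-family header of a response."""
    out = dict(headers)
    for header_name, value in headers.items():
        if header_name.lower() in CSP_HEADER_FAMILY:
            out[header_name] = inject_script_nonce(value, nonce)
    return out
```

Review-only headers get the same treatment so that reports reflect what the enforcing header would do; a nonce already present in the header is left alone rather than duplicated.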
603979-4 : Data transfer from the BIG-IP system self IP might be slow
Component: Local Traffic Manager
Symptoms:
When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC-compliant and valid; however, some routers drop such packets. This might result in retransmissions and low throughput.
Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.
Impact:
Data transfer from the BIG-IP system's self IP might be slow.
Workaround:
Run the following command: ethtool -K tmm tso off.
Note: This has a different effect from setting db key tm.tcpsegmentationoffload to 'disable' (which is not a workaround for the issue).
Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/csp/#/article/K14397. For example,
alert tmmready "Tmm ready" {
exec command="/sbin/ethtool -K tmm tso off"
}
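To confirm from a packet capture that the condition in this entry is actually what a router on the path is dropping, the check below parses the flags/fragment-offset word of an IPv4 header and reports fragments that carry both DF and MF. This is an added example written for this note, not BIG-IP code; the header builder produces constructed test packets (TEST-NET-1 addresses) so the check can be exercised offline.

```python
"""Detecting IPv4 fragments that carry both DF and MF.

Illustrative code written for this note; not BIG-IP's TCP/IP stack.
"""
import struct
from typing import Dict, Iterable

IP_DF = 0b010  # Don't Fragment: bit 14 of the flags/offset word
IP_MF = 0b001  # More Fragments: bit 13


def ipv4_fragment_info(packet: bytes) -> Dict[str, object]:
    """Return the DF/MF flags and the byte offset of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    (flags_and_offset,) = struct.unpack("!H", packet[6:8])
    flags = flags_and_offset >> 13
    return {
        "df": bool(flags & IP_DF),
        "mf": bool(flags & IP_MF),
        "offset": (flags_and_offset & 0x1FFF) * 8,  # offset is in 8-byte units
    }


def df_and_mf_both_set(packet: bytes) -> bool:
    info = ipv4_fragment_info(packet)
    return bool(info["df"] and info["mf"])


def count_df_mf_fragments(packets: Iterable[bytes]) -> int:
    """How many packets in a capture show the combination some routers drop."""
    return sum(1 for p in packets if df_and_mf_both_set(p))


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over 16-bit words; 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(df: bool, mf: bool, offset: int = 0,
                      payload_len: int = 0, ident: int = 0x1234) -> bytes:
    """Constructed 20-byte header for testing (addresses from 192.0.2.0/24)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags = (IP_DF if df else 0) | (IP_MF if mf else 0)
    flags_and_offset = (flags << 13) | (offset // 8)
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_and_offset, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    sample = [build_ipv4_header(True, True, offset=1480), build_ipv4_header(False, True)]
    print("DF+MF fragments:", count_df_mf_fragments(sample))
```

Feed it the IPv4 headers from a tcpdump capture taken on the BIG-IP and again beyond the suspect router; a non-zero count on the near side and zero on the far side points at the router, not the BIG-IP, as the place the fragments disappear.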
Fix:
Data transfer from the BIG-IP system self IP has been improved.
603945-2 : BD config update should be considered as config addition in case of update failure
Component: Application Security Manager
Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.
Conditions:
The condition that leads to this scenario is not clear and is still under investigation.
Impact:
The update fails and the entity is not added.
Workaround:
Delete the faulty entity, re-add it, and then run the following command: restart asm.
This fixes the issue in the cases in which it is a single entity.
Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.
603875-2 : The statistic ASM memory Utilization - bd swap size: stats are wrong
Component: Application Visibility and Reporting
Symptoms:
AVR reports incorrect bd swap size statistics.
Conditions:
-- ASM provisioned.
-- Viewing swap size statistics.
Impact:
Wrong value is displayed.
Workaround:
1. Edit /etc/avr/tmstat_tables.xml
2. Change the following line:
From:
<value publishName="swap_size" columnName="swap_size" behavior="total" type="diff"/>
To:
<value publishName="swap_size" columnName="swap_size" behavior="average" type="status"/>
3. Run the following command: restart avrd.
Fix:
The statistic ASM memory Utilization - bd swap size: stats are now correct.
603825-2 : Crash when a Gy update message is received by a debug TMM
Component: Policy Enforcement Manager
Symptoms:
Debug TMM will crash when a Gy update message is received.
Conditions:
- A debug TMM is running.
- The BIG-IP receives a Gy update message.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use non-debug TMM.
Fix:
Added checks to detect Gy update messages and handle them accordingly in the debug TMM, which prevents the crash.
603758-1 : Big3D security hardening
Component: Global Traffic Manager (DNS)
Symptoms:
The Big3D utility, used in GTM, does not follow current secure coding best practices.
Conditions:
GTM active
Impact:
Big3D usage does not follow current secure coding best practices.
Workaround:
None.
Fix:
Big3D now follows current secure coding best practices.
603723-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
None.
Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.
603700 : tmm core on multiple SSL::disable calls
Component: Local Traffic Manager
Symptoms:
tmm can crash if SSL::disable is called repeatedly in an iRule event.
Conditions:
Invoking SSL::disable multiple times in the same iRule event
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a crash related to multiple calls of SSL::disable.
603667-2 : TMM may leak or corrupt memory when configuration changes occur with plugins in use
Component: Local Traffic Manager
Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.
Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.
Impact:
The memory leak generally occurs infrequently and at a rate at which TMM operations are not affected. However, when memory corruption occurs, traffic may be interrupted while TMM restarts.
Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).
Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.
603609-2 : Policy unable to match initial path segment when request-URI starts with "//"
Component: Local Traffic Manager
Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".
Conditions:
The policy fails to match a request whose request-URI starts with "//" when the HTTP URI path condition is configured to match a value anywhere in the path or in the initial path segment.
Impact:
The policy does not match in this case.
Workaround:
The policy could be modified to scan the full URI instead of just the path element; however, care should be taken to correctly handle potential matches with absolute URIs or in the query string.
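To make the failure mode concrete, the following added example (a model written for this note, not BIG-IP's policy engine) shows how an initial-segment check that takes the text between the first two slashes sees an empty segment for a request-URI beginning with "//", and a normalising variant that treats repeated slashes as one separator. The request-URIs are constructed; the mechanism inside BIG-IP is an assumption here.

```python
"""Initial-path-segment matching on request-URIs that start with "//".

Illustrative model written for this note; not BIG-IP code.
"""


def path_of(request_uri: str) -> str:
    """Path part of an origin-form request target, without query or fragment."""
    return request_uri.split("?", 1)[0].split("#", 1)[0]


def initial_segment_naive(request_uri: str) -> str:
    """Text between the first and second '/': empty when the URI starts with '//'."""
    parts = path_of(request_uri).split("/")
    return parts[1] if len(parts) > 1 else ""


def initial_segment_normalised(request_uri: str) -> str:
    """First non-empty segment, so '/admin', '//admin' and '///admin' agree."""
    for segment in path_of(request_uri).split("/"):
        if segment:
            return segment
    return ""


def initial_segment_matches(request_uri: str, value: str, normalise: bool = True) -> bool:
    """Policy condition 'initial path segment equals value', with or without normalisation."""
    pick = initial_segment_normalised if normalise else initial_segment_naive
    return pick(request_uri) == value


if __name__ == "__main__":
    for uri in ("/admin/users?x=1", "//admin/users"):
        print(uri, "naive:", repr(initial_segment_naive(uri)),
              "normalised:", repr(initial_segment_normalised(uri)))
```

Whichever normalisation the policy applies has to agree with what the origin server does with repeated slashes; if the backend routes "//admin" differently from "/admin", the safer policy is to reject such request-URIs outright rather than guess.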
603605-1 : Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
Component: iApp Technology
Symptoms:
After installation, the applications from the RPM on the active device are replicated to the standby. If the standby does not have DHD installed, the installation page is never shown.
Conditions:
HA setup for DoS Hybrid Defender, with DHD only installed on Active.
Impact:
HA cannot be supported for DHD application on 12.1.0 and 12.1.1.
Workaround:
None.
Fix:
DoS Hybrid Defender can now be installed on the standby device in an HA pair when it is already installed on the active device.
603598-3 : big3d memory under extreme load conditions
Component: Global Traffic Manager (DNS)
Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.
This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.
Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.
When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.
For this to happen, the Active queue must be full as well as the Pending queue.
One possible condition that might cause this is if multiple Monitors time out. This results in Monitors having long life times, which keeps the Active queue full.
Thus the Pending queue might become full and the memory leak can occur.
In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue.
Since the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest itself there. In later versions, the leak is still possible, but is less likely to occur.
Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.
Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chance that the Pending queue becomes full.
There is no mechanism to resize the queues.
Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.
603550-1 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
Component: Local Traffic Manager
Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.
As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.
-- Virtual stats 'Current SYN Cache' does not decrease.
Conditions:
This issue occurs when a virtual server uses FastL4 as a filter (for example, it has both a FastL4 profile and a Layer 7 profile such as HTTP) and a SYN flood is sent to that virtual server.
Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.
Workaround:
None.
Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.
603397-2 : tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config
Component: Service Provider
Symptoms:
tmm will core if the transport config specified in a MR::message route iRule command does not exist.
Conditions:
The transport-config specified in an MR::message route iRule command does not exist.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the correct name for the transport-config object.
Fix:
Fixed a tmm core when the transport-config named in MR::message route does not exist.
603236-1 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
Component: Local Traffic Manager
Symptoms:
Creating 1024 and 4096 size keys fail when the SafeNet client version installed on BIG-IP is 6.2 and SafeNet appliance firmware is 6.10.9.
Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.
Impact:
Cannot create 1024 or 4096 size RSA keys.
Workaround:
None.
Fix:
Removed the configuration line 'RSAKeyGenMechRemap = 1', which conflicted with the 6.10.9 firmware.
603234-3 : Performance Improvements
Component: Fraud Protection Services
Symptoms:
Certain detection algorithms can slow down the client application.
Conditions:
FPS enabled, full AJAX encryption enabled
Impact:
Client side AJAX detection can be slow.
Fix:
The performance of some detection algorithms has been improved.
603149-2 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
Component: TMOS
Symptoms:
Setting the maximum amount of data transmitted (in kilobytes) to a very large limit results in a smaller effective limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside an ipsec-policy can be as large as 2^32-1 kilobytes, but large values are processed incorrectly, as if the value were smaller.
Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.
Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.
Workaround:
Before the fix, decrease lifetime-kilobytes until the SAs remain stable.
Fix:
Every value up to 4294967295 (2^32-1) kilobytes now works correctly, without being treated as a smaller value. If ike-phase2-lifetime-kilobytes becomes a 64-bit value in the future, this will also work, and a 64-bit kilobyte value will be used in the ISAKMP negotiation.
603082-3 : Ephemeral pool members are getting deleted/created over and over again.
Component: Local Traffic Manager
Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.
Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.
Impact:
Traffic disrupted while mcpd restarts.
603032-1 : clientssl profiles with sni-default enabled may leak X509 objects
Component: Local Traffic Manager
Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.
Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.
Impact:
The amount of leakage depends on the number of virtuals with sni-default-enabled clientssl profiles and on the frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.
Workaround:
No workaround short of not using sni-default.
Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.
603019-3 : Inserted SIP VIA branch parameter not unique between INVITE and ACK
Component: Service Provider
Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.
Conditions:
If the CSeq number of two SIP messages is the same, the inserted Via header contains the same branch parameter in both.
Impact:
SIP proxy servers which perform strict message validations may reject the call.
Fix:
Included a hash of the branch parameter of the received top-most Via header in the branch parameter of the inserted Via header. Thus, if the received top-most Via conforms to the specification and carries a different branch parameter between INVITE and ACK, the inserted Via will also have a different branch parameter.
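As an added illustration of the fix described above (example code, not F5's implementation; the hashing scheme, the proxy identifier and the sample messages are constructed assumptions), the following shows why a branch derived only from the CSeq number collides between an INVITE and its ACK, and how mixing in a hash of the received top-most Via branch, as RFC 3261 section 16.6 suggests for proxies, makes the inserted branch unique. The "z9hG4bK" prefix is the RFC 3261 magic cookie that every branch parameter must start with.

```python
import hashlib

# Constructed sample messages (not captured traffic). The INVITE and its ACK
# share CSeq number 1, which is exactly the condition that produced duplicate
# inserted branches before the fix.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
ACK = (
    "ACK sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK9f8ab2c1\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 ACK\r\n"
    "Content-Length: 0\r\n\r\n"
)


def headers(msg):
    """Return (name, value) header tuples of a SIP message, in wire order, names lower-cased."""
    head = msg.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def top_via_branch(msg):
    """Branch parameter of the top-most Via header, or '' if there is none."""
    for name, value in headers(msg):
        if name in ("via", "v"):
            for param in value.split(";")[1:]:
                key, _, val = param.partition("=")
                if key.strip().lower() == "branch":
                    return val.strip()
            return ""
    return ""


def cseq_number(msg):
    """Numeric part of the CSeq header."""
    for name, value in headers(msg):
        if name == "cseq":
            return int(value.split()[0])
    raise ValueError("no CSeq header")


def inserted_branch_legacy(msg, proxy_id="bigip1"):
    """Pre-fix behaviour as described in the release note: the branch depends on the
    CSeq number only, so INVITE and ACK with the same CSeq get the same branch."""
    digest = hashlib.sha1(f"{proxy_id}:{cseq_number(msg)}".encode()).hexdigest()
    return "z9hG4bK" + digest[:16]


def inserted_branch_fixed(msg, proxy_id="bigip1"):
    """Fixed behaviour: a hash of the received top-most Via branch is mixed in, so
    messages whose incoming branches differ get different inserted branches."""
    received = hashlib.sha1(top_via_branch(msg).encode()).hexdigest()
    digest = hashlib.sha1(f"{proxy_id}:{cseq_number(msg)}:{received}".encode()).hexdigest()
    return "z9hG4bK" + digest[:16]


def insert_via(msg, branch, host="198.51.100.5", port=5060):
    """Prepend the proxy's own Via header carrying the computed branch."""
    request_line, rest = msg.split("\r\n", 1)
    return f"{request_line}\r\nVia: SIP/2.0/UDP {host}:{port};branch={branch}\r\n{rest}"
```

A strict downstream proxy treats two messages whose top Via branch is identical as the same transaction; with the legacy scheme the ACK would be matched to the INVITE transaction and could be rejected, which is the call failure the release note describes.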
602975-1 : Unable to update the HTTP URL's "Header-Based Content Profiles" values
Component: Application Security Manager
Symptoms:
When HTML5 Cross-Domain Request Enforcement is enabled on a URL, Header-Based Content Profiles cannot be updated.
Conditions:
HTML5 Cross-Domain Request Enforcement is enabled on a URL.
Impact:
Header-Based Content Profiles cannot be updated on the URL.
Workaround:
Use the following procedure:
1. Disable HTML5 Cross-Domain Request Enforcement on the URL.
2. Update the Header-Based Content Profiles.
3. Re-enable HTML5 Cross-Domain Request Enforcement.
Fix:
Updating Header-Based Content Profiles for a URL with HTML5 Cross-Domain Request Enforcement is now successful.
602854-8 : Missing ASM control option from LTM policy rule screen in the Configuration utility
Component: TMOS
Symptoms:
In the Configuration utility, when creating or editing a LTM policy, the ASM control option may be missing from the rule screen.
Conditions:
Whether the ASM control option is present or missing purely depends on the license installed on the system.
The system incorrectly reports certain licensed modules to the Configuration utility, which fails to parse them and ultimately to display the ASM control option. If you wish to determine whether you are affected by this issue, SSH to the advanced shell of the BIG-IP system and run this command:
# grep -E '^active module : [^|]*\|[^|]*$' /config/bigip.license
If any output is returned, then you are affected by this issue.
Impact:
ASM cannot be enabled in LTM policies using the Configuration utility.
Workaround:
Use the TMSH utility to enable ASM in LTM policies.
Fix:
ASM can now be enabled in LTM policies using the Configuration utility regardless of the license installed on the system.
602830-1 : BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
Component: TMOS
Symptoms:
The LCD display does not indicate diagnostic mode when you stop the BIG-IP daemons (bigstart stop) and run the platform_check diagnostic command.
Conditions:
The system is in platform_check diagnostic mode.
Impact:
There is no visible indication on the LCD display that the system is in diagnostic mode.
Fix:
A diagnostic message is now displayed on the LCD when the system is in diagnostic mode.
602654-2 : TMM crash when using AVR lookups
Component: Application Visibility and Reporting
Symptoms:
When trying to find/insert data into AVR lookups TMM/AVR core might occur.
Conditions:
AVR lookups in use.
Impact:
tmm crashes. The crash occurs when two processes simultaneously try to access the same cell in the lookup. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when using AVR lookups.
602653-1 : TMM may crash after updating bot-signatures
Component: Local Traffic Manager
Symptoms:
TMM may crash after DOSL7 bot signatures config has changed.
Conditions:
This is likely to happen after DOSL7 bot signatures config has changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Adding or removing some signatures may avoid the crash.
Fix:
Fixed a memory corruption when updating bot signatures.
602502-2 : Unable to view the SSL Cert list from the GUI
Component: TMOS
Symptoms:
When you try to see information about any SSL certificates in the GUI, it displays an error: An error has occurred while trying to process your request.
Conditions:
The GUI cannot display any SSL certificate if at least one certificate has a double extension (for example, test.crt.crt) in its name.
Impact:
Unable to view any SSL certificate from the GUI.
Workaround:
Delete such certificate through TMSH and reimport without .crt extension in the certificate name.
delete sys file ssl-cert test.crt.crt
Fix:
Certificates can now be viewed, deleted, and exported from the GUI.
602434-1 : Tmm crash with compressed response
Component: Application Visibility and Reporting
Symptoms:
AVR decompresses all traffic in order to classify it.
Too many simultaneous decompression requests can cause tmm to core.
Conditions:
Sending a heavy load of compressed traffic to a virtual server with a DoS profile.
Impact:
Traffic disrupted while tmm restarts.
Fix:
AVR now issues no more than 10 decompression requests simultaneously.
602385-1 : Add zLib compression
Component: Local Traffic Manager
Symptoms:
The current driver supports only the compress-GZIP and compress-DEFLATE methods.
Conditions:
APM Network Access tunnel has an option for compression. Compression is implemented in GZIP hudfilter which uses COMPRESS_ZLIB compression method. Currently only 'zlib' compression provider (software based) is implementing this method. None of the hardware providers (such as Coleto Creek) support it; they support COMPRESS_DEFLATE and COMPRESS_GZIP. GZIP hudfilter could use all 3 methods, but only ZLIB is compatible with current and older versions of the client. To preserve backward compatibility it must use ZLIB.
Impact:
Current compression hardware (such as Coleto Creek) needs to support the ZLIB method; otherwise, compression in the APM Network Access tunnel does not scale.
Workaround:
None.
Fix:
zLib compression is now supported.
602376-1 : qkview excludes files
Component: TMOS
Symptoms:
When running the qkview command to generate a diagnostic file, some files are omitted from the qkview.
Conditions:
This occurs when running qkview while the qkview configuration settings for the admin user include the --exclude flag. For example, if the setting has --exclude core, none of the core files are included in the qkview even when it is run without the --exclude parameter.
Impact:
Debugging of issues impaired if the missing files were needed to resolve the problem.
Workaround:
None.
Fix:
Corrected errors and made sure all files are included or excluded as designed.
602366-1 : Safenet 6.2 HA performance
Component: Local Traffic Manager
Symptoms:
With a SafeNet 6.2 HA setup, you see only the performance of one HSM.
Conditions:
Safenet 6.2 client is installed and Safenet HA is used.
Impact:
Only one HSM is used for the HA setup.
Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>
Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable
Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test
Fix:
Installation script is updated for Safenet 6.2 HA.
602358-5 : BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version
Component: Local Traffic Manager
Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.
Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.
The problem occurs if the SSL/TLS server requires the ClientHello (both in the Record layer and Handshake Protocol) in the new ClientHello to be exactly the same as the SSL/TLS version of the first ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.
Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.
Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.
Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.
Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:
1. The default is disable, which means that the 2nd ClientHello SSL/TLS version will be set to the negotiated version in the 1st round ServerHello.
2. If it is set to enable, both ClientHello versions will be exactly the same.
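To make the two version fields concrete, the following added example (not F5 code; the record layout is standard TLS, while the way the db variable is modelled, with both fields set the same way, and the two server policies are assumptions for illustration) builds a minimal ClientHello, extracts its record-layer and handshake-protocol versions, and shows which second ClientHello a lenient server and a strict server each accept.

```python
import struct

TLS1_0, TLS1_2 = 0x0301, 0x0303


def build_client_hello(record_version, handshake_version):
    """Build a minimal but well-formed ClientHello record (one cipher suite, no
    extensions). Constructed for the example; not a captured handshake."""
    body = struct.pack(">H", handshake_version)          # client_version (Handshake Protocol)
    body += bytes(32)                                    # random (zeros for the example)
    body += b"\x00"                                      # session_id: empty
    body += b"\x00\x02" + b"\x00\x2f"                    # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                  # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # ContentType handshake(22), record-layer version, record length
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def client_hello_versions(record):
    """Return (record_layer_version, handshake_version) of one ClientHello record."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, length = struct.unpack(">HH", record[1:5])
    if len(record) != 5 + length or record[5] != 0x01:
        raise ValueError("not a single ClientHello record")
    return record_version, struct.unpack(">H", record[9:11])[0]


def second_client_hello(first_hello, negotiated_version, renegotiate_with_initial):
    """Model of ssl.RenegotiateWithInitialClientHello (assumption: both version fields
    are set the same way). Disabled: use the version negotiated in the first
    ServerHello. Enabled: repeat the first ClientHello's versions exactly."""
    if renegotiate_with_initial:
        rec, hs = client_hello_versions(first_hello)
    else:
        rec = hs = negotiated_version
    return build_client_hello(rec, hs)


def server_accepts_renegotiation(first_hello, second_hello, negotiated_version, strict):
    """Lenient server: the new handshake version must equal the negotiated version.
    Strict server (the kind this issue is about): both version fields of the new
    ClientHello must equal those of the first ClientHello."""
    rec1, hs1 = client_hello_versions(first_hello)
    rec2, hs2 = client_hello_versions(second_hello)
    if strict:
        return rec1 == rec2 and hs1 == hs2
    return hs2 == negotiated_version
```

With a first ClientHello of record version TLS 1.0 and handshake version TLS 1.2 (a common combination), the default setting produces a second ClientHello of TLS 1.2 in both fields, which the lenient server accepts and the strict server rejects; enabling the variable repeats the original pair and satisfies both.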
602326-1 : Intermittent pkcs11d core when installing Safenet 6.2 software
Component: Local Traffic Manager
Symptoms:
Sometimes you may see pkcs11d core when stopping/restarting pkcs11d service.
Conditions:
bigstart issues "stop" to pkcs11d while pkcs11d receives message.
Impact:
pkcs11d may core intermittently.
Workaround:
pkcs11d may automatically restart without intervention.
Fix:
Fixed the pkcs11d signal handler so that it no longer makes system calls inside the signal handler.
602221-2 : Wrong parsing of redirect Domain
Component: Application Security Manager
Symptoms:
ASM learns wrong domain names.
Conditions:
There is no '/' after the domain name in the redirect domain (the Location header).
Impact:
A wrong learning suggestion can lead to a wrong policy.
Workaround:
N/A
Fix:
Fixed an issue with parsing the URL in the Location header.
602171-1 : TMM may core when remote LSN operations time out
Component: Carrier-Grade NAT
Symptoms:
TMM configured with LSN may core under high utilization, when local endpoint resources are exhausted and a request for remote resources times out.
Conditions:
An LSN remote operation times out. LSN can request resources from a remote TMM when local resources are exhausted; when such a request times out, affected versions can core.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM LSN remote operations no longer cause a core.
602136-5 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
Component: Local Traffic Manager
Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.
Conditions:
Client-side iRule that drops a connection.
Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server. Traffic disrupted while tmm restarts.
Workaround:
None.
602061 : i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
Component: TMOS
Symptoms:
When firmware is updated on an i5000, i7000, or i10000 series appliance, messages appear on the console indicating that the update is in progress. The messages are inconsistent: some give an expected time the update will take and some do not.
Conditions:
Firmware update following the installation of a new iso with new firmware that must be programmed.
Impact:
cosmetic
Workaround:
None
602040-3 : Truncated support ID for HTTP protocol security logging profile
Component: Local Traffic Manager
Symptoms:
The HTTP Protocol Security logging profile publishes an incomplete support ID to local storage.
Conditions:
Configuration: LTM with Protocol Security Module provisioned, LTM virtual server with HTTP Protocol Security and local-storage logging profile attached. The log-db entries created by the HTTP Protocol Security logging profile have a truncated support ID.
Impact:
The support ID presented to the user does not match the one in the logs because the log entry is truncated (missing a few digits)
Workaround:
There is no workaround.
601989-3 : Remote LDAP system authenticated username is case sensitive★
Solution Article: K88516119
Component: TMOS
Symptoms:
Unable to login via ssh, with cause being reported as 'user account has expired'. Wrong role being assigned for remote-user.
Conditions:
The character case of the username returned from LDAP must match the login username and the configured account name. This can be exposed on an upgrade from 11.6.0 to 12.1.0 or 12.1.1.
Impact:
Unable to login via ssh with remote-user or remote-user being assigned incorrect role when multiple accounts exists with the same name and mixed case.
Workaround:
Avoid configuring the same account username with different case. The authenticated user account in TMOS used to login should exactly match the user account name returned from LDAP.
Fix:
When logging in to BIG-IP via ssh, the case of the logged-in user name is preserved when authenticating against an LDAP source, and matched in a case-sensitive manner to the appropriate locally defined user role.
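The following added example (illustrative Python, not BIG-IP's authentication code; the role table and account names are constructed) shows the security consequence of the two matching behaviours described above: with case-folded matching, whichever configured account happens to be compared first wins, so an LDAP user named 'admin' can inherit the role configured for 'Admin'. It also includes the audit check the workaround implies, listing configured account names that differ only in case.

```python
# Constructed example role mapping (not from a real system), keyed by the account
# name as configured locally. The first two entries differ only in case, which
# is the situation the workaround says to avoid.
ROLE_BY_ACCOUNT = {
    "Admin": "administrator",
    "admin": "guest",
    "ops-oncall": "operator",
}

DEFAULT_ROLE = "no-access"


def resolve_role_case_insensitive(ldap_username, role_map=ROLE_BY_ACCOUNT):
    """Pre-fix style lookup: folds case, so the first configured account that
    matches wins, regardless of which account LDAP actually returned."""
    wanted = ldap_username.casefold()
    for account, role in role_map.items():
        if account.casefold() == wanted:
            return role
    return DEFAULT_ROLE


def resolve_role_exact(ldap_username, role_map=ROLE_BY_ACCOUNT):
    """Fixed behaviour: the name returned by LDAP must match the configured
    account exactly, so 'admin' can never inherit the role of 'Admin'."""
    return role_map.get(ldap_username, DEFAULT_ROLE)


def find_case_collisions(role_map=ROLE_BY_ACCOUNT):
    """Audit helper: groups of configured account names that differ only in case.
    Any non-empty result is a configuration the workaround says to avoid."""
    groups = {}
    for account in role_map:
        groups.setdefault(account.casefold(), []).append(account)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}
```

Exact matching is the safe direction: a name that differs in case from every configured account falls through to the default role rather than to a privileged one, which is the trade-off behind the fix and the reason mixed-case duplicates should be removed before upgrading.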
601938-2 : MCPD stores certain data incorrectly
Solution Article: K52180214
601927-1 : Security hardening of control plane
Solution Article: K52180214
Component: TMOS
Symptoms:
File permissions changes needed as found by internal testing
Conditions:
N/A
Impact:
N/A
Fix:
Apply latest security practices to control plane files.
601924-1 : Selenium detection by ports scanning doesn't work even if the ports are opened
Component: Advanced Firewall Manager
Symptoms:
When a Selenium server package is running on an endpoint and traffic is sent from it, the proactive bot defense mechanism does not see the Selenium server's open ports.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.
Impact:
Low impact: Selenium detection by port scan has a low score and does not by itself mitigate a client unless the client has other suspicious properties (for example, Tor Browser).
Workaround:
N/A
Fix:
Port scanning has been fixed; a wider range of ports is now scanned.
601919-2 : Custom categories and custom url filter assignment must be specific to partition instead of global lookup
Component: Access Policy Manager
Symptoms:
Custom categories lookup and matching is not partition specific.
Conditions:
Create an SWG explicit virtual server, access policy, per-request policy, custom category with a glob URL, and URL filter in a custom partition (say, partition1), and create a similar set in partition2 (make sure the glob URL matches custom categories in both partitions). Set the browser's explicit proxy to the proxy:port of the partition1 virtual server and access a URL that should match the custom category.
Impact:
Partition specific custom category match is not available if user specific whitelist needs to be applied.
Workaround:
None
Fix:
Code has been added to check custom categories only in the partition that the connflow belongs to and in the Common partition.
601905-1 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
Component: Access Policy Manager
Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.
Conditions:
Most likely, the POST request contains large post data.
Impact:
The POST request will fail.
Workaround:
The following iRule will workaround the issue:
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Collect up to $max_collect bytes of POST data before the request is forwarded
        set max_collect 1000000
        if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length $max_collect
        }
        # Only collect if there is a body to collect
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
601893-2 : TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.
Component: TMOS
Symptoms:
Tmm cores. There might be messages similar to the following notice in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rarely occurring issue.
Conditions:
This extremely rare issue occurs when the following conditions are met:
Dynamic BWC use with dynamic change in rate for each instance.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use dynamic modification of rates for dynamic policies.
Fix:
You can now successfully use dynamic modification of rates for dynamic policies.
601828-1 : An untrusted certificate can cause tmm to crash.
Solution Article: K13338433
Component: Local Traffic Manager
Symptoms:
If the certificate sent by an SSL server to the server-side BIG-IP profile is untrusted, tmm might crash.
Conditions:
-- Server-side SSL profile is attached to a virtual server.
-- The SSL server sends an untrusted certificate to the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system will now log the certificate name 'unknown' if an SSL server sends an untrusted certificate, and tmm does not restart.
601709-2 : I2C error recovery for BIG-IP 4340N/4300 blades
Solution Article: K02314881
Component: TMOS
Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.
Conditions:
This rarely happens.
Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.
Workaround:
bigstart restart bcm56xxd
Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.
601536-1 : Analytics load error stops load of configuration★
Component: Application Visibility and Reporting
Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.
Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.
Impact:
Configuration fails to load, will not pass traffic.
Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.
Fix:
An analytics configuration that was valid in a previous release now loads successfully in the current release.
601527-4 : mcpd memory leak and core
Component: TMOS
Symptoms:
Mcpd can leak memory during config update or config sync.
Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http
Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.
Fix:
Fixed a memory leak in mcpd.
601502-4 : Excessive OCSP traffic
Component: TMOS
Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.
Conditions:
Virtual server configured with an OCSP profile
Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.
Workaround:
None.
Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.
601496-4 : iRules and OCSP Stapling
Component: Local Traffic Manager
Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.
You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.
Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stapling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.
Impact:
TMM memory used increases gradually, eventually the aggressive mode sweeper is activated.
Workaround:
None.
Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.
601420-3 : Possible SAML authentication loop with IE and multi-domain SSO.
Component: Access Policy Manager
Symptoms:
When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may encounter authentication loop and never complete the access policy.
Conditions:
APM is configured with SAML authentication and multi-domain SSO.
Impact:
Using Internet Explorer, the client may be unable to connect to its desired destination.
Workaround:
Chrome and Firefox do not seem to be affected.
Fix:
Use cookie for session for multi-domain if TOKEN lookup fails. Previously, the cookie was ignored for multi-domain response URI. However, with the introduction of TOKEN based session lookup, this causes a failure if the client retries the request (since the TOKEN was consumed in the request prior to the retry).
601378-2 : Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
Component: Application Security Manager
Symptoms:
These errors can be observed in '/var/log/asm':
-------------------------
The caller:[F5::ASMConfig::Entity::Charset::get_policy_encoding_type] did not pass in a value for 'encoding_name' to retrieve the 'encoding_type' for -- aborting.
ASM subsystem error (asm_config_server.pl,): ASM Config server died unexpectedly
ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads.
ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: asm_config_server.pl, Failure: Insufficient number of threads.
-------------------------
Conditions:
ASM provisioned.
Create security policy with "Auto accept" language.
Impact:
ASM daemons restart, numerous errors in asm log.
Workaround:
None.
Fix:
Creating an ASM security policy with "Auto accept" language no longer leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
601309 : Locator LED no longer persists across reboots
Component: TMOS
Symptoms:
The Locator LED (blinking F5 logo ball) state could be retained across reboots if the TMSH config was saved. The intended behavior is to default to disabled on reboot.
Conditions:
Setting the Locator to "enabled" via either the LCD or TMSH, then saving the TMSH config.
Impact:
Affects i5600, i5800, i7600, i7800, i10600, and i10800 appliances: the Locator LED unexpectedly stays enabled after a reboot.
Workaround:
Disable the Locator LED and save the TMSH config
Fix:
Fixed Locator LED state persisting through reboots
601268-5 : PHP vulnerability CVE-2016-5766
Solution Article: K43267483
601255-4 : RTSP response to SETUP request has incorrect client_port attribute
Component: Service Provider
Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)
Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection
Impact:
Unicast media may be forwarded to an incorrect UDP port (0).
Fix:
Initialize 'client_port' attribute to value received from server when re-writing response to client.
601180-2 : Link Controller base license does not allow DNS namespace iRule commands.★
Solution Article: K73505027
Component: Global Traffic Manager (DNS)
Symptoms:
The Link Controller base license improperly prevents DNS namespace iRule commands.
Conditions:
A Link Controller license without an add-on that allows Layer 7 iRule commands.
Impact:
An administrator cannot add DNS namespace commands to an iRule. Cannot upgrade from a pre-11.5 configuration, where the commands were working, to 11.5.4 through 12.1.2.
Workaround:
To enable upgrade, remove DNS namespace commands from the configuration prior to upgrade.
Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.
601178-6 : HTTP cookie persistence 'preferred' encryption
Component: Local Traffic Manager
Symptoms:
When encryption is set to 'preferred' in the HTTP cookie persistence profile and the client presents a plaintext, route-domain-formatted cookie, the BIG-IP ignores the cookie and load balances the connection again.
Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.
Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.
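As an added example (not F5 code) of the two plaintext cookie formats this issue distinguishes, the following decodes and encodes both the classic IPv4 persistence cookie ("<little-endian IP as decimal>.<byte-swapped port>.0000") and the route-domain format ("rd<id>o<32 hex chars of a 16-byte address>o<port>", with IPv4 written as an IPv4-mapped address). The layouts follow F5's published description of the cookie encoding; treating the route-domain port as plain decimal, and the sample values, are assumptions for the example. A decoder like this is also what a pentester uses to recover pool-member addresses from an unencrypted cookie, which is why encrypting the cookie is recommended.

```python
import ipaddress
import re

_RD_COOKIE = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d+)$")
_CLASSIC_COOKIE = re.compile(r"^(\d+)\.(\d+)\.0000$")
_V4_MAPPED_PREFIX = b"\x00" * 10 + b"\xff\xff"


def _swap16(value):
    """Swap the two bytes of a 16-bit integer (the classic port encoding)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def encode_classic(ip, port):
    """Classic (route domain 0) IPv4 cookie: little-endian IP as a decimal integer,
    byte-swapped port as a decimal integer, then the literal '0000'."""
    ip_le = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    return f"{ip_le}.{_swap16(port)}.0000"


def encode_route_domain(ip, port, rd):
    """Route-domain cookie. IPv4 members are written as IPv4-mapped IPv6 addresses.
    Assumption for the example: the port is written as plain decimal."""
    addr = ipaddress.ip_address(ip)
    packed = _V4_MAPPED_PREFIX + addr.packed if addr.version == 4 else addr.packed
    return f"rd{rd}o{packed.hex()}o{port}"


def decode_persist_cookie(value):
    """Return (ip, port, route_domain) for either plaintext format.
    Raises ValueError for anything else, such as an encrypted cookie value."""
    m = _RD_COOKIE.match(value)
    if m:
        rd, packed, port = int(m.group(1)), bytes.fromhex(m.group(2)), int(m.group(3))
        if port > 0xFFFF:
            raise ValueError("route-domain cookie port out of range")
        if packed[:12] == _V4_MAPPED_PREFIX:
            ip = str(ipaddress.IPv4Address(packed[12:]))
        else:
            ip = str(ipaddress.IPv6Address(packed))
        return ip, port, rd
    m = _CLASSIC_COOKIE.match(value)
    if m:
        ip_le, port_swapped = int(m.group(1)), int(m.group(2))
        if ip_le > 0xFFFFFFFF or port_swapped > 0xFFFF:
            raise ValueError("classic cookie field out of range")
        ip = str(ipaddress.IPv4Address(ip_le.to_bytes(4, "little")))
        return ip, _swap16(port_swapped), 0
    raise ValueError("not a plaintext BIG-IP persistence cookie")
```

The second format is the "route domain formatted cookie" the release note refers to; a profile in 'preferred' mode is expected to accept both plaintext forms as well as encrypted values, and this issue is that it rejected the route-domain form.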
601168-1 : Incorrect virtual server CPU utilization may be observed.
Component: TMOS
Symptoms:
The virtual_server_cpu_stat table counters are always at zero.
Conditions:
ASM license is in effect.
Impact:
Wrong CPU utilization per virtual server.
Workaround:
No workaround.
Fix:
An issue in computing CPU averages for virtual server has been resolved.
601083-1 : FPS Globally Forbidden Words lists freeze in IE 11
Component: Fraud Protection Services
Symptoms:
When attempting to move more than 1 item in Globally Forbidden Words in Internet Explorer 11 browser, the lists freeze.
Conditions:
FPS Provisioned
Add 2 or more words in "Search for malicious words in the HTML or JavaScript code".
Impact:
FPS GUI freezes
Workaround:
Add 1 item each time and save.
Use tmsh.
Fix:
Internet Explorer 11 will not freeze if moving more than one item at a time.
601076 : Fix watchdog event for accelerated compression request overflow
Component: TMOS
Symptoms:
Accelerated compression requests that exceed 128 in-flight requests can cause a watchdog event.
Conditions:
Very rapid queuing of concurrent accelerated compression requests.
Impact:
TMM generates an HA failover driven by the accelerated compression watchdog timer.
Workaround:
Disable accelerated compression by disabling hardware accelerated compression with:
% tmsh modify sys db compression.strategy value softwareonly
Fix:
Apply a constraint on accelerated compression request DMA ring so no more than 128 in-flight requests are queued at any one time.
601059-6 : libxml2 vulnerability CVE-2016-1840
Solution Article: K14614344
601056 : TCP-Analytics, error message not using rate-limit mechanism can halt TMM
Component: Application Visibility and Reporting
Symptoms:
An error message is logged when TCP-Analytics fails to save new data. Unlike other TMM error messages, this message is not rate-limited, so if the error condition is encountered very frequently, the message is logged for every error event rather than only occasionally.
Because the message is not rate-limited, hitting this error many times can eventually lead to a TMM halt.
Conditions:
-- TCP-Analytics is assigned to virtual server.
-- The aggregation method of TCP Analytics causes a full table situation because of the distribution of the client IP addresses and subnets.
Impact:
TMM can halt. Traffic disrupted while tmm restarts.
Workaround:
Remove TCP-Analytics from virtual servers.
Fix:
The error message is now emitted through the rate-limiting mechanism.
601035 : TCP-Analytics can fail to collect all the activity
Component: Application Visibility and Reporting
Symptoms:
When the traffic reaching the BIG-IP system comes from a very large number of different client IP addresses and subnets, the TCP-Analytics table can fill up, and the activity that follows is ignored until the next snapshot of data.
Conditions:
-- TCP-Analytics profile is attached to a virtual server.
-- Incoming traffic represents a large amount of client IP addresses and subnets (the exact number that causes the full table condition depends on machine type and provisioned modules).
Impact:
TCP Analytics is showing only some of the activity, not all of it. In addition, numerous log messages might fill the logs.
Workaround:
Disable TCP-Analytics.
Fix:
The aggregation method of TCP Analytics was fixed so that the system no longer reaches the full-table situation, regardless of the distribution of the client IP addresses.
600982-5 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
Component: Local Traffic Manager
Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.
Conditions:
No specific configuration is required. This is a very rare occurrence in which the random number generator can technically generate the value zero (0), which triggers the assertion.
Impact:
Traffic disrupted while TMM restarts, and failover occurs if high availability is configured. Mirroring and LB may be lost with renegotiation for certain types of traffic.
Workaround:
None.
Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.
600894-1 : In certain situations, the MCPD process can leak memory
Component: TMOS
Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:
err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.
Conditions:
So far, this issue has only been observed while updating a large external data-group file object.
Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.
600859-2 : Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★
Component: TMOS
Symptoms:
After upgrading 11.6.0 Hourly instances to 12.1.0 EHF Hourly instances with Instance Registration support, instance license becomes invalid and BIG-IP is unable to acquire a new hourly license.
Conditions:
Upgrading an 11.6.0 or earlier Hourly Licensing instance to 12.1.0 HF1 EHF.
Impact:
License is invalidated and instance becomes unusable.
Workaround:
- Run "/usr/libexec/autoLicense -l" from command-line.
Fix:
Module licenses correctly after upgrade from 11.6.0 to 12.1.0 HF2 or later.
600827-8 : Stuck Nitrox crypto queue can erroneously be reported
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based hardware (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Hardware Error(Co-Processor): n3-crypto0 request queue stuck.
Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses Nitrox PX or Nitrox 3 encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
None.
Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.
600811-2 : CATEGORY::lookup command change in behaviour★
Component: Access Policy Manager
Symptoms:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM and URL Filtering provisioned, or just URL Filtering provisioned for SSL Bypass decisions.
Only a valid hostname can be used and have its category returned.
In versions prior to v12.1.1, the following iRule command is valid:
when HTTP_REQUEST {
    set this_uri http://[HTTP::host][HTTP::uri]
    set reply [CATEGORY::lookup $this_uri]
    log local0. "Category lookup for $this_uri returns $reply"
}
Starting in v12.1.1, you need to remove the HTTP::uri statement from the previous example. If an HTTP::uri is provided to the command, an error is returned:
err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"
To correct the iRule for a post-v12.1.1 installation, modify the example to pass in HTTP::host only, as follows:
when HTTP_REQUEST {
    set this_uri http://[HTTP::host]
    set reply [CATEGORY::lookup $this_uri]
    log local0. "Category lookup for $this_uri returns $reply"
}
Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.
Conditions:
- BIG-IP licensed and provisioned for:
o APM and URL Filtering
o URL Filtering (used for SSL Bypass decisions in SSL Air-Gap deployments).
- An iRule that supplies a URI path to the CATEGORY::lookup iRule command.
- Upgrading from pre-v12.1.1 versions that use the CATEGORY::lookup iRule command and use an HTTP::uri or pass in a plain text string that contains anything other than an HTTP hostname.
Impact:
There is an error returned from the command. This can cause errors in existing deployments.
Workaround:
Update the iRule to pass only an HTTP hostname to the CATEGORY::lookup iRule command.
Fix:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM and URL Filtering provisioned, or just URL Filtering provisioned for SSL Bypass decisions.
Only a valid hostname can be used and have its category returned.
Behavior Change:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM and URL Filtering provisioned, or just URL Filtering provisioned for SSL Bypass decisions.
Only a valid hostname can be used and have its category returned.
In versions prior to v12.1.1, the following iRule command is valid:
when HTTP_REQUEST {
    set this_uri http://[HTTP::host][HTTP::uri]
    set reply [CATEGORY::lookup $this_uri]
    log local0. "Category lookup for $this_uri returns $reply"
}
Starting in v12.1.1, you need to remove the HTTP::uri statement from the previous example. If an HTTP::uri is provided to the command, an error is returned:
err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"
To correct the iRule for a post-v12.1.1 installation, modify the example to pass in HTTP::host only, as follows:
when HTTP_REQUEST {
    set this_uri http://[HTTP::host]
    set reply [CATEGORY::lookup $this_uri]
    log local0. "Category lookup for $this_uri returns $reply"
}
Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.
600662-9 : NAT64 vulnerability CVE-2016-5745
Solution Article: K64743453
600614-5 : External crypto offload fails when SSL connection is renegotiated
Component: Local Traffic Manager
Symptoms:
If an external crypto offload client is configured with an SSL profile and renegotiation is enabled for the SSL profile, the crypto client connection will fail when the SSL connection is renegotiated.
Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.
Impact:
Crypto client connection to the crypto server will fail.
Workaround:
Disable renegotiation on the SSL profile.
Fix:
The crypto client connection to the crypto server will no longer fail when the SSL connection is renegotiated.
600593-1 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
Component: Local Traffic Manager
Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.
Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive at the virtual server. The client must disconnect before the server responds.
Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.
Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:
when HTTP_PROXY_REQUEST {
    # CONNECT tunnels must never share a server-side flow with another request.
    if { [HTTP::method] equals "CONNECT" } {
        ONECONNECT::reuse disable
    } else {
        ONECONNECT::reuse enable
    }
}
600558-5 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:
1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
Fix:
Errors are no longer logged after deleting user in GUI.
600357-2 : bd crash when asm policy is removed from virtual during specific configuration change
Component: Application Security Manager
Symptoms:
BD restarts and produces a core file.
Conditions:
A configuration change that involves the headers configuration or a policy re-configuration is in progress while, at the same time, the ASM policy is removed from the virtual server.
This is more likely to happen in scripted tests than in the field.
Impact:
Traffic is dropped while ASM restarts.
Workaround:
Don't change ASM configuration at the same time as changing the virtual server configuration.
Fix:
System will still restart but will not produce a core file when this happens.
600232-9 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600223-2 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600205-9 : OpenSSL Vulnerability: CVE-2016-2178
Solution Article: K53084033
600198-2 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
600119-3 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
Component: Access Policy Manager
Symptoms:
When connected to the VPN while a Wi-Fi adapter is enabled (but not connected to any WLAN), access to websites outside the VPN is very slow.
Access is fine when the Wi-Fi interface is disabled.
Conditions:
- The number of DNS servers configured for active network adapters matches the number of DNS servers configured in the Network Access resource.
Impact:
User experience while navigating to servers outside the VPN scope is impacted by increased connection time.
Workaround:
Disable unused adapters or change the number of configured DNS servers.
Fix:
DNS requests for names outside the VPN scope that are sent to the VPN DNS server are redirected to the NIC's DNS servers using a round-robin algorithm.
600069-6 : Portal Access: Requests handled incorrectly
Solution Article: K54358225
600052-1 : GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
Component: Local Traffic Manager
Symptoms:
Cannot access SSL certs/keys using the GUI. GUI displays "Internal Server Error" page.
Conditions:
Having large (~3k) number of SSL certs/keys in the system.
Impact:
Cannot use the GUI to view/edit the SSL certs/keys.
Workaround:
Use tmsh to access SSL certs/keys.
Fix:
SSL certs/keys can now be accessed using the GUI.
599858-7 : ImageMagick vulnerability CVE-2015-8898
Solution Article: K68785753
599839-3 : Add new keywords to SIP::persist command to specify how Persistence table is updated
Component: Service Provider
Symptoms:
The SIP::persist command keywords were not present prior to 12.1.2.
Conditions:
Using the SIP::persist command in an iRule
Impact:
Limited control via SIP::persist
Workaround:
N/A
Fix:
The following new keywords were introduced for the SIP::persist command to give finer control over how the persistence entry for a message is handled:
-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any existing persistence entry with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry; if no entry exists, add a new entry based on the result of routing this message.
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.
Behavior Change:
The following new keywords were introduced for the SIP::persist command to give finer control over how the persistence entry for a message is handled:
-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any existing persistence entry with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry; if no entry exists, add a new entry based on the result of routing this message.
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.
599816-2 : Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
Component: TMOS
Symptoms:
Packets arriving on members of the VLAN group are CMP redirected. Redirections may be tracked with the tmm/flow_redir_stats table.
Conditions:
VLANs in the VLAN group must have different cmp-hash settings. For example, one VLAN may configure src-ip and another dst-ip.
Impact:
Throughput drops because of the redirections. Moreover, because this is an error in the software disaggregator, components and features that depend on correct disaggregation may fail, including some features of PEM.
Fix:
Packets are correctly disaggregated without redirections.
599803 : TMM accelerated compression incorrectly destroying in-flight contexts.
Component: Performance
Symptoms:
You see a tmm core while using compression profiles.
Conditions:
Related to use of hardware compression.
Impact:
Report of a watchdog event, or an ASSERT generated by the compression layer. Traffic disrupted while tmm restarts.
Workaround:
Disable accelerated compression using the following command:
% tmsh modify sys db compression.strategy value softwareonly
Fix:
The system now correctly dispatches cancelled in-flight accelerated compression contexts when cancellation comes while hardware is still actively compressing.
599769 : TMM may crash when managing APM clients.
Component: Local Traffic Manager
Symptoms:
When managing APM clients it is possible to encounter a rare tmm crash.
Conditions:
APM enabled and actively managing clients.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
There is no longer a rarely encountered TMM crash when managing APM clients.
599720-2 : TMM may crash in bigtcp due to null pointer dereference
Component: Local Traffic Manager
Symptoms:
TMM crashed in bigtcp_queue_pkt() due to null pointer dereference of clientside flow.
Conditions:
This only occurs for a serverside flow whose peer no longer exists.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
A null pointer dereference in bigtcp has been fixed.
599536-1 : IPsec peer with wildcard selector brings up wrong phase2 SAs
Solution Article: K05263202
599521-5 : Persistence entries not added if message is routed via an iRule
Component: Service Provider
Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.
Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.
Impact:
Since MRF SIP persistence may be bidirectional, the missing persistence entry prevents messages flowing in the opposite direction from being automatically routed via persistence.
Workaround:
An iRule could be used to route messages directed towards the original client.
Fix:
MRF SIP now adds a persistence entry for messages routed via an iRule.
599424-2 : iApps LX fails to sync★
Component: iApp Technology
Symptoms:
In a device group, iApps LX applications fail to sync to the other devices. In restjavad.0.log you notice this log entry, approximately once per hour:
[8100/tm/shared/BIG-IP-failover-state BIG-IPFailoverStateWorker] Failed to discover [address]: java.lang.IllegalStateException: Authentication Failure to host [address]. Please check the credentials provided.
Conditions:
- This occurs after upgrading devices in a device group from 12.1.1 to a version higher than 12.1.1, such as 12.1.1 HF1.
- It can also occur on UCS restore.
- This occurs after upgrading devices in a device group from 12.1.0 to a version higher than 12.1.0, such as 12.1.0-HF1 (or above).
- This can also occur with a clean install of v12.1.2-Final that is then upgraded to v12.1.2 HF1.
Impact:
If you do not have iApps LX configured, there should be no impact other than the warning in restjavad.0.log which you can safely ignore. If you have iApps LX configured and the iApp is not syncing, then this will impact traffic if a failover event occurs.
Workaround:
None.
Fix:
iApps LX will now sync correctly.
599423-1 : merged cores and restarts
Solution Article: K24584925
Component: TMOS
Symptoms:
The vCMP host overwrites the stats table with data from guests.
Conditions:
vCMP running SSL traffic for more than one day.
Impact:
An internal value that tracks the interfaces changes, and merged cores and restarts.
Workaround:
None.
Fix:
The host no longer overwrites the reference values in the interface stats table, so merged does not core and restart.
599285-2 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
Solution Article: K51390683
599221-1 : ASM Policy cannot be created in non-default partition via the Import Policy Task
Component: Application Security Manager
Symptoms:
An ASM Policy cannot be created in a non-default (/Common) partition using the Import Policy Task (/mgmt/tm/asm/tasks/import-policy).
Conditions:
User attempts to create a new ASM policy in a non-/Common partition using a file or template via the import policy tasks.
Impact:
Policy is created in /Common instead of the specified partition.
Workaround:
1) Create a Policy in the desired partition via a POST to the /mgmt/tm/asm/policies endpoint.
2) Execute the Import Policy Task (/mgmt/tm/asm/tasks/import-policy) using the created policy as the policyReference to overwrite it.
Fix:
Policy Import creates new policies in the specified partition.
599191-2 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
Component: TMOS
Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.
Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync
Impact:
A stale key is left on the FIPS card. There is no impact to functionality.
Workaround:
Check for the handles/key-ids of the keys in the configuration using tmsh. Then remove the key that is not in use with the command tmsh delete sys crypto key <keyname>.
599168-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Solution Article: K35520031
599135-2 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump
Component: Local Traffic Manager
Symptoms:
B2250 blades may suffer from continuous TMM CPU utilization when tcpdump has been in use.
Conditions:
Run tcpdump on a B2250 platform.
Impact:
Increment in TMM CPU utilization with every run of tcpdump.
Workaround:
Restart TMM, and avoid using tcpdump.
Fix:
B2250 blades no longer suffer from high TMM CPU utilisation with tcpdump.
599121-2 : Under heavy load, hardware crypto queues may become unavailable.
Solution Article: K24036315
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.
Conditions:
BIG-IP system under heavy load and using hardware crypto.
Impact:
HA failover. You might see messages similar to the following:
-- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
-- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
-- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.
Workaround:
None.
Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.
599054-2 : LTM policies may incorrectly use those of another virtual server
Component: Local Traffic Manager
Symptoms:
LTM policies may use policies configured on another virtual server.
Conditions:
- A configuration with several virtual servers and several configured LTM policies attached to those virtual servers.
- Configuration load: manually using the command tmsh load sys conf, or automatically by an upgrade or full config-sync.
Impact:
LTM policies get incrementally added to virtual servers as the policies are compiled, causing unexpected traffic handling decisions based on other policies.
Workaround:
Do not run tmsh load sys conf if you have policies configured. After an upgrade or full config-sync, issuing a bigstart restart command or restarting the device clears this condition.
Fix:
LTM policies no longer incorrectly use those of another virtual server.
599033-5 : Traffic directed to incorrect instance after network partition is resolved
Component: TMOS
Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the one to which the external network is sending it.
Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.
Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.
Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.
Fix:
When a network partition is resolved, and an Active/Active high availability pair chooses a single Active node, it now invokes a script that can be used to automatically notify the external network infrastructure of the new location for the virtual service. This new script is located in /config/failover/tgrefresh, and is invoked in addition to the transmission of GARP messages.
598983-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Solution Article: K35520031
598981-3 : APM ACL does not get enforced all the time under certain conditions
Solution Article: K06913155
Component: Access Policy Manager
Symptoms:
APM ACL does not get enforced all the time under certain conditions.
Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.
Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.
Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.
Fix:
Switching context when applying the ACL is now properly processed, so the ACL is no longer left unenforced.
598874-2 : GTM Resolver sends FIN after SYN retransmission timeout
Component: Local Traffic Manager
Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.
Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.
Impact:
Firewalls may log the FIN as a possible attack.
Fix:
Do not send anything in response to a SYN retransmission timeout.
598860-4 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
Component: Local Traffic Manager
Symptoms:
The IP::addr iRule command should be able to extract the IPv4 address embedded in an IPv6 address, but instead it converts it into an IPv4-compatible IPv6 address.
Example:
ltm rule test_bug {
    when CLIENT_DATA {
        log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
    }
}
Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1
Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1
Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.
Impact:
Address is converted into an IPv4-compatible IPv6 address.
598854-3 : sipdb tool incorrectly displays persistence records without a pool name
Component: Service Provider
Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool) are not displayed properly by sipdb.
Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.
Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.
Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.
598748 : IPsec AES-GCM IVs are now based on a monotonically increasing counter
Component: TMOS
Symptoms:
IPsec was using random IVs.
With random IVs and the shortest packets, complete integrity loss will occur before 8 Gb of data have been exchanged over the security association in one direction (assuming a 0.1% probability of IV collision).
Conditions:
Use of AES-GCM or GMAC in IPsec.
Impact:
The use of random IVs limits the amount of traffic that can be sent with AES-GCM in IPsec.
Workaround:
The workaround is to limit the amount of traffic on long-lived IPsec security associations per the guidelines above.
A re-key before 10 Gbyte of data have been exchanged is recommended. For a 1 Gbps connection the rekey should happen in under 1 min (100 Mbps: 15 min; 10 Gbps: 10 sec).
Fix:
Changed IPsec AES-GCM IV scheme to use a counter-based IV.
This improvement allows the maximum amount of traffic to be sent on the same security association for AES-GCM in IPsec.
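Worked example, added here and not part of F5's release note or code, of the bound described above: the birthday estimate for random 64-bit AES-GCM IVs (the 8-byte explicit IV that RFC 4106 carries in each ESP packet), the rekey interval that budget implies at the line rates listed, and a counter-based IV generator that refuses to wrap. The 40-byte shortest-packet size is an assumption chosen to reproduce the text's 8 Gb figure (read as gigabytes); the 0.1% target is the one stated in the text.

```python
# Added example (not F5 code): why random 64-bit AES-GCM IVs in IPsec force
# early rekeys, and how a counter-based IV avoids the problem.
import math

IV_BITS = 64                 # RFC 4106 explicit per-packet IV size for AES-GCM ESP
SHORTEST_PACKET_BYTES = 40   # assumption: worst-case (smallest) packet on the SA


def packets_until_collision_prob(p: float, iv_bits: int = IV_BITS) -> float:
    """Number of random IVs after which the chance of at least one repeated
    IV reaches p, from the birthday approximation p ~= n^2 / (2 * 2^iv_bits).
    A repeated IV under the same GCM key breaks both confidentiality and the
    authentication tag, so 'collision' here means complete integrity loss."""
    return math.sqrt(2.0 * p * 2.0 ** iv_bits)


def bytes_until_collision_prob(p: float, packet_bytes: int = SHORTEST_PACKET_BYTES,
                               iv_bits: int = IV_BITS) -> float:
    """Data volume that can be sent before the collision probability reaches p.
    Smaller packets are the worst case: more IVs consumed per byte of traffic."""
    return packets_until_collision_prob(p, iv_bits) * packet_bytes


def rekey_interval_seconds(data_budget_bytes: float, link_bps: float) -> float:
    """How often a long-lived SA must rekey to stay within a data budget."""
    return data_budget_bytes * 8.0 / link_bps


class CounterIV:
    """Counter-based 64-bit IV generator: each SA starts at 0 and a value is
    never reused. When the space is exhausted the caller must rekey rather
    than wrap, but 2^64 packets is far beyond any practical SA lifetime, which
    is why a counter IV lets one SA carry the maximum amount of traffic."""

    def __init__(self, start: int = 0) -> None:
        if not 0 <= start < 2 ** IV_BITS:
            raise ValueError("start outside the IV space")
        self._next = start

    def next_iv(self) -> bytes:
        if self._next >= 2 ** IV_BITS:
            raise RuntimeError("IV space exhausted: rekey the SA")
        iv = self._next.to_bytes(IV_BITS // 8, "big")
        self._next += 1
        return iv


if __name__ == "__main__":
    n = packets_until_collision_prob(0.001)
    data = bytes_until_collision_prob(0.001)
    print(f"random IVs: {n:.3g} packets (~{data / 1e9:.1f} GB of "
          f"{SHORTEST_PACKET_BYTES}-byte packets) until P(collision) = 0.1%")
    for label, bps in (("100 Mbps", 100e6), ("1 Gbps", 1e9), ("10 Gbps", 10e9)):
        print(f"  rekey every {rekey_interval_seconds(data, bps):.0f} s at {label}")
    gen = CounterIV()
    print("counter IVs:", gen.next_iv().hex(), gen.next_iv().hex())
```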
598724-1 : Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
Component: TMOS
Symptoms:
Memory hold/leak in SessionDB due to poor HA connection. Active device cannot tell the Standby device that an entry has been deleted because of poor HA connection. These entries accumulate on the Standby device, consuming extra memory which is not released.
Conditions:
A poor HA or insufficient connection exists, one that is not capable of handling the required HA traffic between devices.
Impact:
Eventual out-of-memory errors on standby device.
Workaround:
The mitigation steps in ID 555465 apply to this as well:
You can mitigate by temporarily disabling HA:
- Disable session mirroring: tmsh modify sys db statemirror.mirrorsessions value disable
- Wait a minute for HA connections to stabilize
- Sync the config changes
- Reboot the standby
- Re-enable session mirroring: tmsh modify sys db statemirror.mirrorsessions value enable
Fix:
On the Next Active ("Standby") device, SessionDB will remove all Subkey entries that the Next Active did not receive HA (re)mirror messages for during the HA sync that occurs after an HA (re)connect; the Next Active not receiving a (re)mirror for an entry generally indicates that the entry no longer exists on the Active.
598700-6 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers
Component: Service Provider
Symptoms:
Messages received by different virtual servers (sharing the same router) are not able to be properly routed using the call-id persistence.
Conditions:
A router with multiple virtual servers bridging between networks is not able to use the same call-id persistence entry for routing messages. Messages that try to use a persistence entry created by a different virtual server may be routed to the wrong device.
Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.
Fix:
The fix corrects the problem of identifying which end of the bidirectional persistence the message arrived on, so that it can be forwarded to the proper device.
598697-1 : vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★
Component: TMOS
Symptoms:
After installing v12.1.0 on a vCMP host system the guests don't start anymore and remain in "failed" state.
Errors similar to these are logged in the ltm log file:
Jun 10 08:17:22 slot1/VIP4480-R68-S26 crit vcmpd[14354]: 01510003:2: User "qemu" doesn't exist
<..>
Jun 10 08:17:22 slot1/VIP4480-R68-S26 err vcmpd[14354]: 01510004:3: Guest (test-guest): Failure - Error starting VM.
Jun 10 08:17:22 slot1/VIP4480-R68-S26 info vcmpd[14354]: 01510007:6: Guest (test-guest): VS_STARTING->VS_FAILED
Conditions:
Upgrade vCMP host to v12.1.0 or higher
vCMP host system was originally installed with v11.6.0 or older builds.
Impact:
After installing v12.1.0 on a vCMP host system, the guests don't start anymore and remain in "failed" state.
Workaround:
Workaround is to run the following command:
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
then:
bigstart restart vcmpd
598498-7 : Cannot remove Self IP when an unrelated static ARP entry exists.
Component: TMOS
Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.
Conditions:
A static ARP entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. In this condition, none of the Self IP addresses can be deleted.
Impact:
Must delete static ARP entries in order to delete Self IP addresses.
Workaround:
None.
Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.
598443-1 : Temporary files from TMSH not being cleaned up intermittently.
Component: TMOS
Symptoms:
/var/tmp/tmsh and /var/system/tmp/tmsh can contain leftover unused directories if TMSH was terminated abruptly and did not get a chance to clean them up. The clean_tmsh_tmp_dirs script does not run automatically; it provides a way for you to clean up these directories manually. To execute the script, run ./clean_tmsh_tmp_dirs from its bin directory and follow the prompts.
Conditions:
This can occur if a running task creates a TMSH tmp file, then gets killed before it finishes its clean-up.
Impact:
This can cause the directories /var/tmp/tmsh and /var/system/tmp/tmsh to fill up and cause out of memory exceptions.
Workaround:
Manually delete all unused files in /var/tmp/tmsh and /var/system/tmp/tmsh.
Fix:
The BIG-IP system now contains a command ("clean_tmsh_tmp_dirs") that can be run to clean-up temporary files in /var/system/tmp/tmsh and /var/tmp/tmsh.
598437-1 : SNMP process monitoring is incorrect for tmm and bigd
Component: TMOS
Symptoms:
The default configuration for SNMP process monitoring causes the errors "Too many bigd running" and "No tmm process running":
snmpwalk -c public -v 2c localhost prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
...
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running
Conditions:
Depending on system capacity and configuration, more than one "bigd" process may be running, resulting in the incorrect report of "Too many bigd running".
The system does not properly count instances of the "tmm" process. In older releases, the system always detected a single "tmm" process, even if more than one existed. In the affected releases, no "tmm" process is detected.
Impact:
SNMP monitoring of system health incorrectly reports error conditions.
Workaround:
For the 'bigd' problem, the administrator can change the process-monitor max-processes value to allow for more instances of "bigd". For example:
(tmos)# modify sys snmp process-monitors modify { bigd { max-processes infinity } }
max-processes should be set to the same value as the sys dbvar bigdb.numprocs, or to "infinity" if the dbvar is set to "0", which allows bigd to dynamically adjust the number of processes.
For the tmm process count:
(tmos)# modify sys snmp process-monitors modify { tmm { process tmm.0 max-processes 1 } }
Fix:
The system now correctly counts the number of TMM process instances, which is not the same as the number of TMM threads but is based on the hardware capabilities.
Existing/upgraded configurations need to manually adjust the bigd 'max-processes' attribute as described in the Workaround section. New configurations will be configured appropriately.
598294-1 : BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
Solution Article: K17119920
598211-1 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
Component: Access Policy Manager
Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.
Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.
Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.
Workaround:
For StoreFront integration mode, the iApp creates an iRule that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.
when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}
Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.
598134-1 : Stats query may generate an error when tmm on secondary is down
Component: TMOS
Symptoms:
Querying for stats results in an error and further iControl messages are incorrect.
Conditions:
Must be on a chassis. The query must be for stats generated by tmm. A secondary tmm must be down.
Impact:
The iControl session must be restarted.
Workaround:
Ensure all tmms are up and running.
Fix:
The request is handled appropriately even if a tmm is down and no unexpected error is generated.
598052-1 : SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
Component: Local Traffic Manager
Symptoms:
When "Cache Certificate by Addr-Port" is enabled for SSL Forward Proxy on the client SSL profile, later flows whose cached certificate lookup is keyed by "Addr-Port" do not hit the cache.
Conditions:
Enable SSL Forward Proxy and use "Cache certificate by Addr-Port".
Impact:
The client-side certificate lookup fails, which may trigger an unnecessary server-side SSL handshake.
Fix:
With this fix, the certificate lookup by "Addr-Port" now results in a cache hit.
598039-6 : MCP memory may leak when performing a wildcard query
Component: TMOS
Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.
Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).
Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).
Workaround:
Do not perform wildcard queries.
Fix:
Stopped MCP leaking when wildcard queries are performed.
598002-10 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
597978-2 : GARPs may be transmitted by active going offline
Component: Local Traffic Manager
Symptoms:
GARPs may be transmitted by the active device when it goes offline. Because the standby that takes over for the active also transmits GARPs, this is not expected to cause an impact.
Conditions:
Multiple traffic-groups are configured and the active device goes offline.
Impact:
It is not expected that this will cause any impact.
Workaround:
Make the unit standby before forcing offline.
597879-1 : CDG Congestion Control can lead to instability
Component: Local Traffic Manager
Symptoms:
Debug TMM crashes when the CDG algorithm computes an abnormally high or low TCP congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.
Conditions:
Running the Debug TMM with CDG Congestion Control.
Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.
Workaround:
Use a congestion control algorithm other than CDG.
Switch to the default TMM.
Fix:
Fixed congestion window calculation in CDG.
597835-3 : Branch parameter in inserted VIA header not consistent as per spec
Solution Article: K12228503
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a Via header into SIP request messages and removes it from the returned response message. The Via header contains encrypted routing information used to route the response message. The SIP spec states that all messages in the same transaction should carry the same branch parameter, but the code used to encrypt the branch field returns a different value each time.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
Impact:
Some servers verify that the branch fields in the Via header do not change within a transaction. These servers complain when they see the fields change.
Workaround:
None.
Fix:
The system now ensures that the branch field in the Via header does not change within a transaction.
597828-1 : SSL forward proxy crashes in some cases
Component: Local Traffic Manager
Symptoms:
SSL forward proxy crashes when a check in the state machine is called with something other than a fwdp lookup result.
Conditions:
SSL forward proxy is enabled.
Impact:
SSL forward proxy crashes sometimes.
Workaround:
None.
Fix:
Fixed a crash in the SSL forward proxy.
597797-4 : Allow users to disable enforcement of RFC 7057
Solution Article: K78449695
Component: Local Traffic Manager
Symptoms:
When RFC 7507 (fallback SCSV, referred to as RFC 7057 in this entry) was implemented, some BIG-IP administrators found their SSL clients were incompatible and could no longer connect to the BIG-IP system.
Conditions:
Incompatible SSL clients are not able to connect to the BIG-IP system.
Impact:
Service disruption.
Workaround:
There is no workaround.
Fix:
When SSL.fallback_SCSV is set to disable, the RFC 7057 implementation will be disabled, though it must be acknowledged that this introduces a security hole when negotiating SSLv3.
Behavior Change:
When RFC7057 was implemented, some BIG-IP administrators found that their SSL clients were incompatible. This change introduces a bigdb variable (SSL.fallback_SCSV) to disable this.
597729-5 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:
1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
Such a message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
597708-4 : Stats are unavailable and VCMP state and status is incorrect
Component: Local Traffic Manager
Symptoms:
Unable to retrieve statistics, or statistics are all 0 (zero) when they should not be zero.
This is vCMP related.
The guest virtual-disk always shows as in-use, even when the guest is not in the running state.
When the guest OS is shut down, the GUI and TMSH do not show accurate status information.
Conditions:
If a directory is removed from /shared/tmstat/snapshots, the merged daemon might run at 100% CPU utilization and become unresponsive.
Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.
vCMP guest OS status is reported incorrectly.
Workaround:
If merged is hung, restart the daemon using the following command:
bigstart restart merged
To prevent the issue from occurring, disable tmstat snapshots using the following command:
tmsh modify sys db merged.snapshots value false
Fix:
The merged process no longer becomes unresponsive when a directory is removed from /shared/tmstat/snapshots.
597532-1 : iRule: RADIUS avp command returns a signed integer
Component: Local Traffic Manager
Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.
Conditions:
iRules using RADIUS::avp to retrieve data.
Impact:
iRules using the RADIUS::avp command will not work as expected.
Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:
ltm rule radius_avp_integer {
    when CLIENT_DATA {
        set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
        set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
    }
}
Note that tmm internally treats AVP values as signed integers, so this might not completely correct the issue.
Fix:
Ensure that the system uses unsigned integers for RADIUS AVPs.
597471 : Some Alerts are sent with outdated username value
Component: Fraud Protection Services
Symptoms:
User-defined, component validation, and vtrack alerts are sent with an outdated username value.
Conditions:
Log in, then log in again as a different user (under conditions that generate an alert).
Impact:
The alert is sent with the username of the first login.
Fix:
Alert sending is now blocked until parameter processing is done.
597431-2 : VPN establishment may fail when computer wakes up from sleep
Component: Access Policy Manager
Symptoms:
EdgeClient does not clean up the routing table before Windows goes into hibernation. This may prevent VPN establishment when the computer wakes up, and may also result in other network connectivity issues.
Conditions:
- The VPN connection is not disconnected.
- The computer goes into hibernation.
Impact:
Issues with network connectivity.
Workaround:
Renew the DHCP lease by running:
ipconfig /renew
or reboot the machine.
597394-2 : Improper handling of IP options
Solution Article: K46535047
597309-2 : Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
Component: TMOS
Symptoms:
The Maximum Members Per Trunk limit is 8 or 16 depending on platform. This is due to:
1. The limitation of an SDK from a third party vendor.
2. The number of external interfaces actually provided by the platform.
Conditions:
These platform limits are on the BIG-IP 10000 appliance and B2400, B4300, and B4450 blades.
Impact:
The number of interfaces per trunk is limited to either 8 or 16.
Workaround:
None.
Fix:
New limit of 32 is implemented for the BIG-IP 10000 appliance, and on VIPRION 2400 and VIPRION 4300. New limit 64 is implemented for VIPRION 4450N.
597303 : "tmsh create net trunk" may fail
Component: TMOS
Symptoms:
When a trunk is created with "tmsh create net trunk", with LACP enabled or disabled, the addition of a trunk member may fail. When it fails, log messages similar to the following appear in /var/log/ltm:
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: bs_trunk_addr_set: unit=0 Invalid parameter bs_trunk.cpp(2406)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: Trouble setting trunk 1, unit 0 bs_trunk.cpp(2591)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: SDK error Invalid parameter bs_trunk.cpp(2592)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble setting trunk: unit=0, trunk=testTrunk bs_trunk.cpp(1886)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble adding interface to trunk=testTrunk bsx.c(3109)
Conditions:
The problem tends to happen when a trunk is created right after it is deleted. If you wait for over 30 seconds, it is unlikely to happen.
Impact:
A trunk can't be created, and no trunk members can be added.
Workaround:
Wait for over 30 seconds before adding back the same trunk.
Fix:
A fix is already staged and may appear in a later hotfix.
597270-2 : tcpdump support missing for VXLAN-GPE NSH
Component: TMOS
Symptoms:
The tcpdump utility does not support VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).
Conditions:
Running tcpdump on BIG-IP systems.
Impact:
No support for VXLAN-GPE NSH.
Workaround:
None.
Fix:
tcpdump now has support for VXLAN-GPE NSH.
Behavior Change:
tcpdump now has support for VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).
597214-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
It is possible to use an iRule to rename the field names in the original code.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
597176-1 : Multiple Wireshark (tshark) vulnerabilities
Solution Article: K01837042
597089-8 : Connections are terminated after 5 seconds when using ePVA full acceleration
Component: Local Traffic Manager
Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.
Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.
Impact:
A high number of connections get reset, TCP connections idle longer than expected, and there may be performance issues.
Workaround:
Disabling the PVA resolves the issue.
597023-1 : NTP vulnerability CVE-2016-4954
Solution Article: K82644737
597010-1 : NTP vulnerability CVE-2016-4955
Solution Article: K03331206
596997-1 : NTP vulnerability CVE-2016-4956
Solution Article: K64505405
596814-4 : HA Failover fails in certain valid AWS configurations
Component: TMOS
Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Conditions:
AWS deployments where there are multiple matches for the provided IP address (that is, other Amazon VPCs in the same Availability Zone contain unrelated instances that have the same IP address as the BIG-IP floating IP address).
Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.
Fix:
Failover now narrows the network description by filtering on the VPC ID.
596809-1 : It is possible to create ssh rules with blank space for auth-info
Component: Advanced Firewall Manager
Symptoms:
In tmsh it is possible to create profile actions that contain blank spaces, such as in this example:
create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }
Conditions:
This occurs when creating profile actions.
Impact:
Actions can be created with blank spaces in them, whereas a validation error should be returned instead. These rules also cannot be deleted.
Workaround:
Do not create profile actions with blank spaces.
Fix:
BIG-IP will now throw a validation error if you create a profile action containing only a blank space.
596685-1 : Request Log failure on request with XML format violation
Solution Article: K76841626
Component: Application Security Manager
Symptoms:
When Request Log entry with violations for XML format violation is selected, it cannot be displayed and an error is returned.
Conditions:
Request Log entry with violations for XML format violation is selected.
Impact:
Request Log entry cannot be displayed.
Workaround:
None.
Fix:
Requests with XML format violations are now displayed correctly.
596674-2 : High memory usage when using CS features with gzip HTML responses.
Component: Application Visibility and Reporting
Symptoms:
AVR consumes a lot of memory while trying to decompress responses. This can cause a tmm core under stress traffic.
Conditions:
-- Enabled Dosl7d virtual server with CS features.
-- The server is sending compressed responses.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
High memory usage no longer occurs when using CS features with gzip HTML responses.
596631-2 : SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
Component: Service Provider
Symptoms:
A SIP media flow deny-listener was to have been deleted but an unrelated listener was deleted instead due to an incorrect address/port match.
For example, when the wrongly deleted listener is later itself meant to be deleted, there might be a SIGFPE with the assertion failure "Assertion "bound listener" failed.".
Conditions:
A SIP MRF media flow existed and was deleted.
An unrelated flow exists with an address/port with wildcards such that it includes that of the media flow.
Impact:
Later when the wrongly deleted listener is referenced, the TMM crashes.
Fix:
When a SIP media flow deny-listener is searched for deletion, an exact match is required that uniquely identifies the deny-listener, so that an unrelated listener is not deleted.
596603-2 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
Component: TMOS
Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.
Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.
Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.
Workaround:
Choose c4.4xlarge or other instance types in AWS.
Fix:
The issue is corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.
596502-1 : Unable to force Bot Defense action to Allow in iRule
Component: Advanced Firewall Manager
Symptoms:
When a request is being blocked (or challenged with CAPTCHA) because it comes from a suspicious browser, the action cannot be forced to allow in an iRule.
Conditions:
This occurs when a bot defense action is triggered on a suspicious browser, and you wish to allow the request to go through anyway without sending a RST.
Impact:
The bot defense action cannot be forced to "allow"; the RST is still sent.
596488-1 : GraphicsMagick vulnerability CVE-2016-5118.
Solution Article: K82747025
596450-1 : TMM may produce a core file after updating SSL session ticket key
Component: Local Traffic Manager
Symptoms:
When regenerating SSL session ticket key, TMM may restart unexpectedly, leaving a core file.
Conditions:
When the value of ssl.sessionticketkey.regen is reached (every 3 days by default), TMM will regenerate its SSL session ticket key. This operation may lead to an assert: "shared random data inited".
Impact:
TMM core and restart.
Workaround:
None.
Fix:
Resolved a problem that could cause TMM to restart when regenerating the SSL session ticket key.
596433-3 : Virtual with lasthop configured rejects request with no route to client.
Component: Local Traffic Manager
Symptoms:
A virtual server with a lasthop pool configured rejects requests sourced from a MAC address that is not configured in the lasthop pool.
Conditions:
This issue occurs when the following conditions are met:
- A virtual server has a lasthop pool.
- The connection is sourced from a MAC address that is not configured in the lasthop pool.
- The lasthop pool member is local to TMM.
- The tm.lhpnomemberaction db key is set to 2.
Impact:
Connection is erroneously reset with no route to client.
Workaround:
- Change the tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add the IP address from which the client is originating as a lasthop pool member.
596340-8 : F5 TLS vulnerability CVE-2016-9244
Solution Article: K05121675
596242-1 : [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
Solution Article: K17065223
Component: Local Traffic Manager
Symptoms:
An improperly configured master name server for one zone prevents updates to other, properly configured zones from propagating to tmm, thus making DNS Express respond with an old record.
Conditions:
An incorrectly configured DNS zone that cannot receive updates correctly.
Impact:
DNS Express responds with previous record after zone transfer.
Workaround:
Correct the configuration on the incorrectly configured zone.
Fix:
DNS Express now responds with current record after zone transfer.
596116-3 : LDAP Query does not resolve group membership, when required attribute(s) specified
Component: Access Policy Manager
Symptoms:
The corresponding session variable session.ldap.last.memberOf contains only the groups in which the user has explicit membership.
Conditions:
This occurs when the following conditions are met:
-- The APM LDAP Query is configured with the option "Fetch groups to which the user or group belong" set to "All".
-- The Required Attributes list includes the "memberOf" LDAP attribute.
Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.
Workaround:
Add the following attribute to the "Required Attributes" list:
"objectClass"
If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:
"primaryGroupID"
Note: Adding the "primaryGroupID" attribute causes APM to fetch all groups from Microsoft Active Directory, including the primary group.
Fix:
LDAP Query now retrieves groups from the backend server in accordance with the option "Fetch groups to which the user or group belong", regardless of whether any required attribute is set.
596104-1 : HA trunk unavailable for vCMP guest★
Solution Article: K84539934
Component: TMOS
Symptoms:
If a vCMP guest is configured with a high availability (HA) trunk with a threshold value greater than 0, the HA trunk configuration fails with a message similar to the following:
err mcpd[5926]: 01071569:3: Ha group ha_group threshold for trunk _your_trunk_name_here_ 1 is greater than the maximum number of members 0.
Conditions:
This occurs when an HA trunk is configured on a vCMP guest with a threshold value greater than 0. This may occur by any of the following means:
1) Attempting to upgrade a guest to an affected version of BIG-IP, with an HA trunk configured with a threshold value greater than 0. The upgrade fails with the indicated error message.
2) Attempting to load a UCS from a guest with an HA trunk configured with a threshold value greater than 0. The UCS load fails with the indicated error message.
3) Creating an HA group and then attempting to modify the threshold value for the HA trunk. The modify command fails with the indicated error message.
Impact:
HA trunks do not work.
You cannot upgrade the vCMP guest to an affected version of BIG-IP or load a configuration with an HA trunk configured with a threshold value greater than 0.
Workaround:
To allow the upgrade to succeed or the configuration to load, configure the HA trunk threshold to 0.
Important! This disables the HA trunk feature.
Fix:
HA trunks with a threshold value greater than 0 are supported on vCMP guests.
596083-1 : Error running custom APM Reports with "session creation time" on Viprion Platform
Component: Access Policy Manager
Symptoms:
An error is encountered when running custom APM Reports with the "session creation time" field on the VIPRION platform.
Conditions:
- On the VIPRION platform.
- Create an APM custom report.
- Select the "Session creation time" field.
- Run the report.
Impact:
Custom APM reports that include the "session creation time" field cannot be run on the VIPRION platform.
596067-2 : GUI on VIPRION hangs on secondary blade reboot
Component: TMOS
Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.
Conditions:
It is not known exactly what triggers this, as it is a race condition that occurs on system start, but it is believed that Enterprise Manager querying the VIPRION for non-chunked statistics while the blade(s) have not fully started triggers this condition.
Impact:
The GUI becomes unresponsive.
Workaround:
Running "bigstart restart httpd" clears this condition if it occurs.
595900-4 : Cookie Signature overrides may be ignored after Signature Update
Solution Article: K11833633
Component: Application Security Manager
Symptoms:
Cookie Signature overrides may be ignored after Attack Signature Update.
Conditions:
Cookie Signature overrides are configured in the policy, and Attack Signatures are updated.
Impact:
Cookie Signature overrides are ignored.
Workaround:
Remove Cookie Signature override and re-add it.
Fix:
Cookie Signature overrides are observed correctly, even after Signature Update.
595819-1 : Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached.
Component: Access Policy Manager
Symptoms:
Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2 enabled browser and an HTTP/2 profile attached.
Conditions:
This occurs when the following conditions are met:
- An HTTP/2 enabled browser is in use.
- APM and HTTP/2 are enabled on the same virtual.
Impact:
APM statistics for bytes in and out are not updated.
Workaround:
None.
Fix:
Access session 'Bytes In' and 'Bytes Out' are now updated when accessed with an HTTP/2 enabled browser and an HTTP/2 profile attached.
595783 : Changing console baud rate for B2100, B2150 and B2250 blades does not work
Component: TMOS
Symptoms:
Changing the console baud rate does not take effect and leaves the setting unchanged.
Conditions:
Whenever the console baud rate is changed via tmsh, GUI, or iControl on the VIPRION B2100, B2150 and B2250 blades.
Impact:
Changing the console baud rate causes the front panel display manager to restart and does not actually modify the baud rate.
Workaround:
None.
Fix:
Added the needed object to the global config map for VIPRION B2100, B2150 and B2250 blades, so modify messages no longer fail the object lookup.
595773-4 : Cancellation requests for chunked stats queries do not propagate to secondary blades
Component: TMOS
Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.
Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).
Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.
Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.
595712-1 : Not able to add remote user locally
Component: TMOS
Symptoms:
When a user has logged in remotely, using tmsh to add a local user with the same name fails with an error similar to:
01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.
Conditions:
Remote authentication is configured and a remote user has logged in.
Impact:
Changing a remote user to a local user fails.
Workaround:
Use "replace-all-with" for partition access:
create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}
595693 : Incorrect PVA indication on B4450 blade
Component: TMOS
Symptoms:
When you run guishell -c "select HAS_PVA, PVA_VERSION from platform" on a B4450 blade (which includes PVA), the output indicates that it does not have PVA.
Conditions:
This occurs when looking at platform information on B4450 blades.
Impact:
PVA acceleration is not detected properly
Fix:
PVA service is now indicated properly on the B4450 blade.
595605 : Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★
Component: TMOS
Symptoms:
An upgrade to BIG-IP v12.0.0 fails when all of the following conditions are met:
- AVR is provisioned.
- The upgrade is from 11.6.1, or from one of the 11.6.0 engineering hotfixes listed under Conditions.
Conditions:
The following Engineering Hotfixes are affected.
- 11.6.0-hf5 EHF index 110 (Hotfix-BIGIP-11.6.0.5.110.429-HF5-ENG.iso)
- 11.6.0-hf5 EHF Index 214
- 11.6.0-hf5 EHF index 233
- 11.6.0-hf6 EHF index 240
11.6.1 is also affected.
Impact:
The upgrade to 12.0.0 will succeed but the configuration will fail to load.
This can be detected by running tmsh load sys config verify. You will see the following signature:
Unexpected Error: "Can't load keyword definition (analytics-report.device_group)"
Workaround:
12.1.1 is schema compatible with 11.6.1, so upgrade to 12.1.1 instead.
595394-3 : Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★
Component: TMOS
Symptoms:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.
Conditions:
11.5.x/11.6.x Hourly Billing instances with multiple NICs attached.
Impact:
User might not be able to log in to the instance.
Workaround:
Rebooting the instance corrects the problem.
Fix:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x works with new Hourly billing licenses.
595293-4 : Deleting GTM links could cause gtm_add to fail on new devices.
Component: Global Traffic Manager (DNS)
Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.
Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted
Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.
Workaround:
None
Fix:
Clean up all aspects of a GTM link when it is deleted.
595275-5 : Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
Component: Local Traffic Manager
Symptoms:
Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN when pool goes empty.
Conditions:
This occurs when the configuration contains a pool with only one FQDN pool member.
Impact:
VIP can go briefly RED and offline.
Workaround:
Configuring a fallback static IP node or multiple FQDN pool members removes this risk.
595272-1 : Edge client may show a window displaying plain text in some cases
Component: Access Policy Manager
Symptoms:
In a captive portal environment, the Edge client may sometimes show a window with plain text content.
Conditions:
The Edge client is launched when the user's machine is inside a captive portal network.
Impact:
User may not be able to establish a VPN.
Workaround:
Authenticate to the captive portal using a browser, then launch the Edge client again.
595242-1 : libxml2 vulnerability CVE-2016-3705
Solution Article: K54225343
595231-1 : libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
Solution Article: K54225343
595227-1 : SWG Custom Category: unable to have a URL in multiple custom categories
Component: Access Policy Manager
Symptoms:
When configuring a URL in multiple categories, you receive a validation error message:
May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (http://172.16.20.1/*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1).
Conditions:
Configuring the same URL in multiple custom categories.
Impact:
Unable to have the same URL in multiple custom categories, and therefore cannot configure the system to have a URL allowed for one group but not for another.
Workaround:
None
Fix:
Validation preventing the configuration of same URL for multiple custom categories has been fixed.
594910-1 : FPS flags no cookie when length check fails
Component: Fraud Protection Services
Symptoms:
You see No Cookie errors for validation errors other than No Cookie.
Conditions:
Malformed component validation cookie
Impact:
No Cookie errors counted when the validation error was not due to No Cookie
Workaround:
None.
Fix:
Fixed an issue with No Cookie error counting.
594869-4 : AFM can log DoS attack against the internal mpi interface and not the actual interface
Component: Advanced Firewall Manager
Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.
Conditions:
This can occur in CMP-enabled systems.
Impact:
A valid DoS attack will be misreported
594642-3 : Stream filter may require large allocations by Tcl, causing TMM to core on allocation failure.
Component: Local Traffic Manager
Symptoms:
Stream filter may require large allocations by Tcl, causing TMM to core on allocation failure.
Conditions:
Stream filter is active during low memory situations
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.
594496-1 : PHP Vulnerability CVE-2016-4539
Solution Article: K35240323
594426-2 : Audit forwarding Radius packets may be rejected by Radius server
Component: TMOS
Symptoms:
The Accounting-Request packets are missing two required AVPs (Attribute Value Pair), Acct-Session-ID and Acct-Status-Type. Some Radius servers drop Radius Accounting-Requests which are missing these AVPs.
Conditions:
Configured to use audit forwarding with radius and audit messages are not logged on the Radius server.
Impact:
Unable to log audit messages from BIG-IP using audit forwarding.
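As an added example (not part of this release note or of the BIG-IP code base), the following Python check parses a RADIUS Accounting-Request the way a strict accounting server would: it verifies the Request Authenticator against the shared secret and reports whether the two attributes RFC 2866 requires in every Accounting-Request, Acct-Status-Type (40) and Acct-Session-Id (44), are present. Running it over the UDP payload of a packet captured between the BIG-IP and the RADIUS server shows whether the packet has the shape described above before the server is blamed. The shared secret, user name, NAS address and session ID are constructed sample values.

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40   # RFC 2866 s.5.1: MUST be present in every Accounting-Request
ACCT_SESSION_ID = 44    # RFC 2866 s.5.5: MUST be present in every Accounting-Request
REQUIRED_ACCT_ATTRS = {ACCT_STATUS_TYPE: "Acct-Status-Type", ACCT_SESSION_ID: "Acct-Session-Id"}
ACCT_STATUS_START = 1
HEADER_LEN = 20


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def build_accounting_request(ident, attrs, secret):
    """Build a complete Accounting-Request with a valid RFC 2866 Request Authenticator."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    # RFC 2866 s.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def parse_attributes(data):
    """Walk the attribute section, rejecting malformed lengths instead of reading past them."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} on attribute type {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def check_accounting_request(packet, secret):
    """Return the reasons a RADIUS server could reject this Accounting-Request (empty if none)."""
    problems = []
    if len(packet) < HEADER_LEN:
        return ["packet shorter than the 20-byte RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        problems.append(f"code {code} is not Accounting-Request (4)")
    if length < HEADER_LEN or length > len(packet):
        return problems + [f"length field {length} inconsistent with {len(packet)} received bytes"]
    body = packet[HEADER_LEN:length]  # RFC 2865 s.3: octets beyond Length are padding and ignored
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    if packet[4:HEADER_LEN] != expected:
        problems.append("Request Authenticator does not verify with the configured shared secret")
    try:
        present = {atype for atype, _ in parse_attributes(body)}
    except ValueError as exc:
        return problems + [str(exc)]
    for atype, name in REQUIRED_ACCT_ATTRS.items():
        if atype not in present:
            problems.append(f"missing required attribute {name} ({atype})")
    return problems


# Constructed sample data; not taken from a real BIG-IP or RADIUS server.
SECRET = b"example-shared-secret"
COMMON_ATTRS = [(USER_NAME, b"admin"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
COMPLETE_REQUEST = build_accounting_request(7, COMMON_ATTRS + [
    (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
    (ACCT_SESSION_ID, b"tmsh-session-0001"),
], SECRET)
# The same request with the two required AVPs omitted: the shape described in 594426-2.
INCOMPLETE_REQUEST = build_accounting_request(8, COMMON_ATTRS, SECRET)

if __name__ == "__main__":
    for name, pkt in (("complete", COMPLETE_REQUEST), ("incomplete", INCOMPLETE_REQUEST)):
        print(name, check_accounting_request(pkt, SECRET) or "OK")
```

Run the module directly to see the complete request accepted and the incomplete one rejected for the two missing AVPs; pass the payload of a captured packet to check_accounting_request to test a live forwarder.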
594302-1 : Connection hangs when processing large compressed responses from server
Component: Local Traffic Manager
Symptoms:
When large compressed responses are sent by the server, the connection hangs when trying to send decompressed content to the client.
Conditions:
An LTM policy which enforces decompression for responses is attached to the virtual server. The virtual server also has http compression profile attached to it. Server sends large compressed responses.
Impact:
Connection hangs when trying to process the compressed response in order to send decompressed content to client.
Fix:
The large compressed responses are successfully processed and no connection hangs are seen.
594288-1 : Access profile configured with SWG Transparent results in memory leak.
Component: Access Policy Manager
Symptoms:
Access profile configured with SWG Transparent results in memory leak.
Conditions:
Create an access profile of type SWG Transparent, and assign to a virtual. Run traffic through this virtual.
Impact:
TMM leaks memory.
Workaround:
None
Fix:
Fixed the memory leak caused by access filter for SWG transparent use case.
594127-2 : Pages using Angular may hang when Websafe is enabled
Component: Fraud Protection Services
Symptoms:
Pages using Angular may not load correctly when Websafe "inject Javascript into page" is enabled
Conditions:
Application using Angular.js
Websafe: "inject Javascript into page" is enabled
Impact:
Page does not load fully
Fix:
Websafe no longer changes the page's "documentMode"
594075-2 : Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
Component: Advanced Firewall Manager
Symptoms:
With pccd.alwaysfromscratch set to true, the blob doesn't compile and pccd restarts periodically when firewall rules are modified.
Conditions:
1. pccd.alwaysfromscratch is set to true (default value is false)
2. Modify some firewall rules.
Impact:
The blob doesn't compile and pccd keeps restarting without loading new rules.
Workaround:
Remove saved blob files in /var/pktclass/ (rm -f /var/pktclass/*) and restart pccd.
593925-1 : ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
Component: Advanced Firewall Manager
Symptoms:
When attempting to delete a rule for an ssh profile and committing the changes in the GUI, you get an error: "Operation is not supported on property /security/ssh/profile/~Common~ssh-test/rules."
Conditions:
This occurs if you previously created ssh profile rules that contain spaces in them, such as this example:
create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }
Impact:
Unable to delete the rules
Fix:
You can now delete ssh profile rules that contain spaces.
593696-1 : Sync fails when deleting an ssh profile
Component: Advanced Firewall Manager
Symptoms:
After creating an ssh profile and successfully syncing it to the sync group, you later delete the profile and sync fails with this error on the target device:
"err mcpd[5178]: 01071488:3: Remote transaction for device group /Common/syncme to commit id 6 6285666289815053813 /Common/bigip2.mysite.com 0 failed with error 01071aaf:3: SSH profile: [/Common/ssh1] default actions is required and cannot be removed."
Conditions:
This is triggered when deleting an ssh profile that has been synced in a sync group. Sync group is configured for manual sync. It is not known if automatic sync also exhibits this behavior.
Impact:
Sync fails.
593530-6 : In rare cases, connections may fail to expire
Component: Local Traffic Manager
Symptoms:
Connections have an idle timeout of 4294967295 seconds.
Conditions:
Any IP (ipother) profile is assigned to virtual server.
Impact:
Connections may linger.
Workaround:
None.
Fix:
Fixed idle initialization error when using Any IP (ipother) profile.
593447-1 : BIG-IP TMM iRules vulnerability CVE-2016-5024
Solution Article: K92859602
593390-4 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
Component: Local Traffic Manager
Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.
Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.
Impact:
Higher memory usage than necessary.
Workaround:
Always have iRules select profiles using the complete path.
Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path before looking it up, so another version of the profile is never instantiated and the memory issue does not occur.
593355 : FPS may erroneously flag missing cookie
Component: Fraud Protection Services
Symptoms:
You see Missing Cookie errors for validation errors other than Missing Cookie.
Conditions:
Any component validation error.
Impact:
Missing Cookie errors counted when the validation error was not due to Missing Cookie
Workaround:
None.
Fix:
Fixed an issue with Missing Cookie error counting.
593139-9 : glibc vulnerability CVE-2014-9761
Solution Article: K31211252
593137-1 : userDefined property for bot signatures is not shown in REST
Component: TMOS
Symptoms:
The user defined property of the signature is not exposed in iControl REST.
Conditions:
Attempting an iControl REST API call to see a signature.
Impact:
The userDefined field is not shown. Impacts external interfaces interacting with the BIG-IP configuration and expecting to see a field and a value there.
Workaround:
None.
Fix:
The userDefined field now exists and takes a true/false value.
593078-1 : CATEGORY::filetype command may cause tmm to crash and restart
Component: Access Policy Manager
Symptoms:
If an iRule uses the CATEGORY::filetype command, tmm may eventually fail and restart.
Conditions:
This can occur when using the CATEGORY::filetype iRule command under normal operation.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash in CATEGORY::filetype
593070-2 : TMM may crash with multiple IP addresses per session
Component: Policy Enforcement Manager
Symptoms:
TMM crash
Conditions:
A session with multiple IP addresses, with PCRF communication for dynamic policy management, may crash due to a race condition.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Check for timer expiration prior to processing the timer.
592871-3 : Cavium Nitrox PX/III stuck queue diagnostics missing.
Component: Local Traffic Manager
Symptoms:
A diagnostics tool is needed to investigate a rare issue in which the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" state.
Conditions:
System with Cavium Nitrox PX/III chip(s), which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.
Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.
Workaround:
None.
Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.
592870-2 : Fast successive MTU changes to IPsec tunnel interface crashes TMM
Component: TMOS
Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.
Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.
Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).
592868-3 : Rewrite may crash processing HTML tag with HTML entity in attribute value
Component: Access Policy Manager
Symptoms:
If an HTML page contains HTML entities in attribute values, rewrite may crash while processing the page.
Conditions:
HTML tag like this:
<script src=" " type="text/javascript"></script>
Impact:
Web application may not work correctly.
Workaround:
In most cases the HTML entities can be replaced with the corresponding characters using an iRule.
Fix:
Now rewrite correctly handles HTML entities in attribute values.
592854-1 : Protocol version set incorrectly on serverssl renegotiation
Component: Local Traffic Manager
Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.
Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.
Impact:
Protocol field is invalid (0), and the server will reset the connection.
Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.
592784-2 : Compression stalls, does not recover, and compression facilities cease.
Component: Local Traffic Manager
Symptoms:
Compression stalls, does not recover, and compression facilities may cease.
Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).
Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.
Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.
Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.
592731-1 : Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
Solution Article: K34220124
Component: Local Traffic Manager
Symptoms:
Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
Conditions:
In case of heavy SSL traffic, Cavium Nitrox SSL hardware accelerator card might need more time than the default interval to complete the encryption or decryption.
Impact:
The /var/log/ltm log contains the following message: Hardware Error(Co-Processor): n3-crypto1 request queue stuck. tmm will be in failure state.
Workaround:
Use tmsh to increase the device.request.timeoutfactor db variable to allow more time for encryption or decryption to complete. For example, to increase device.request.timeoutfactor to 200, run the following command: tmsh modify sys db device.request.timeoutfactor value 200.
Fix:
The default value of device.request.timeoutfactor is now sufficient to allow the Cavium Nitrox SSL hardware accelerator card to complete the encryption or decryption as expected.
592716-1 : BMC timezone value was not being synchronized by BIG-IP
Component: TMOS
Symptoms:
You notice that errors on the LCD have an incorrect timestamp compared to what is reported in BIG-IP
Conditions:
This can occur when running the 12.1.1 base release on the BIG-IP i-Series platforms.
Impact:
Timestamp is reported in the wrong time zone.
Fix:
Fixed an issue with incorrect timestamp reporting on the LCD display
592699-3 : Performance impact when data is pulled from the BIG-IP system over IPv6 via HTTPS, SCP, SSH, DNS or SMTP
Component: Local Traffic Manager
Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.
Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.
Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.
Workaround:
Disable TSO for IPv6 at the command line by running the following command: ethtool -K tmm tso off.
Note: This command must be run each time after reboot.
Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.
592682-1 : TCP: connections may stall or be dropped
Component: Local Traffic Manager
Symptoms:
TCP connections stall or get dropped.
Conditions:
Under some network conditions, especially with rate shaping or bandwidth control (BWC) enabled, and rarely on very lossy networks, TCP connections can stall and ultimately get reset.
Impact:
TCP connections stall and are ultimately reset.
Fix:
Properly manage retransmissions after a tail drop by not applying exponential back-off, and reset the retransmit timer for every partial ACK received after a tail drop.
592497-1 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
Component: Local Traffic Manager
Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.
Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.
Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.
Workaround:
None.
Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.
592485 : Linux kernel vulnerability CVE-2015-5157
Solution Article: K17326
592414-4 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
Component: Access Policy Manager
Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.
Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.
Impact:
Web application malfunction.
Workaround:
None.
Fix:
Fixed.
592363 : Remove debug output during first boot of VE
Component: TMOS
Symptoms:
There was unneeded debug output during 1st boot of VE on Cloud deployments.
Conditions:
Cloud deployment - AWS and Azure.
Impact:
Extra debug output on 1st boot.
Fix:
Debug output was removed.
592354 : Raw sockets are not enabled on Cloud platforms
Component: TMOS
Symptoms:
Cloud VMs come configured with UNIC driver instead of using raw sockets.
Conditions:
Cloud deployment - AWS and Azure.
Impact:
UNIC is used instead of raw sockets.
Workaround:
Manually disabling unic driver will force raw sockets to be used.
Fix:
Enabled raw sockets by default on Cloud deployments.
592320-5 : ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
Component: TMOS
Symptoms:
When a fastL4 profile's pva-offload-state is set to establish (the default is embryonic), a UDP virtual server using that profile does not offload UDP traffic, which causes performance degradation.
Conditions:
This issue was introduced during v12.0.0 development and only impacts the v12.1.0 and v12.1.1 releases.
A fastL4 UDP virtual server is using a fastL4 profile that has pva-offload-state set to establish.
Impact:
Performance degradation.
Workaround:
Use default setting for pva-offload-state of embryonic for fastL4 profile.
Fix:
With the fix in 12.1.2 and 13.0.0, ePVA offloads UDP traffic when pva-offload-state is set to establish.
592274-3 : RAT-Detection alerts sent with incorrect duration details
Component: Fraud Protection Services
Symptoms:
If a remote access trojan (RAT) detection alert is thrown immediately upon initialization, the timestamp of the alert will be incorrect.
Impact:
False positives
Workaround:
None.
Fix:
When a RAT Detected alert is generated within 5 seconds of page load, actualCounter in the alert details is now lower than 5 seconds, for example:
"timeToResetCounter":5000,"actualCounter":4296
592113-5 : tmm core on the standby unit with dos vectors configured
Component: Advanced Firewall Manager
Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause a core dump.
Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured
Impact:
Traffic disrupted while tmm restarts.
592070-5 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
Component: Policy Enforcement Manager
Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.
Conditions:
DHCP virtual created in a non-local traffic group.
Impact:
Variable sharing in the TCL context will not work.
Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.
Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.
592001-1 : CVE-2016-4073 PHP vulnerabilities
Solution Article: K64412100
591918-2 : ImageMagick vulnerability CVE-2016-3718
Solution Article: K61974123
591908-2 : ImageMagick vulnerability CVE-2016-3717
Solution Article: K29154575
591894-2 : ImageMagick vulnerability CVE-2016-3715
Solution Article: K10550253
591881-1 : ImageMagick vulnerability CVE-2016-3716
Solution Article: K25102203
591840-1 : encryption_key in access config is NULL in whitelist
Component: Access Policy Manager
Symptoms:
encryption_key in the access config is sometimes NULL when applying the 404 whitelist action, which results in a TMM crash.
Conditions:
All the following must be true:
- Access policy action resulted in a "not found".
- The session corresponding to above action must be expired.
- FIPS platform.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Data required to serve a "not found" action is retrieved and made available early so that such responses can be served correctly.
591828-4 : For unmatched connection, TCP RST may not be sent for data packet
Component: Advanced Firewall Manager
Symptoms:
When a TCP connection times out (no entry in 'show sys conn') and a subsequent data packet (not a SYN) arrives, the BIG-IP system does not send a RST to the client to reset the connection.
Conditions:
This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning).
-- Packets other than SYN with no entry in the connection table arrive.
This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.
Impact:
Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.
Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.
Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).
Fix:
The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.
591806-8 : ImageMagick vulnerability CVE-2016-3714
Solution Article: K03151140
591767-8 : NTP vulnerability CVE-2016-1547
Solution Article: K11251130
591733-4 : Save on Auto-Sync is missing from the configuration utility.
Solution Article: K83175883
Component: TMOS
Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.
Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.
Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.
Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.
Fix:
This release adds the per-device-group save-on-auto-sync flag to the GUI; the flag now appears in the GUI and saves correctly.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.
Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".
591666-3 : TMM crash in DNS processing on TCP virtual with no available pool members
Component: Local Traffic Manager
Symptoms:
TMM crash when processing requests to a DNS virtual server.
Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.
Ensure datagram LB mode is enabled on UDP DNS virtuals.
Fix:
Product corrected to prevent crash when there are no available members.
591659-5 : Server shutdown is propagated to client after X-Cnection: close transformation.
Solution Article: K47203554
Component: Local Traffic Manager
Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.
Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.
Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.
Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the pool member's max keep-alive setting. This forces OneConnect to close the connection before the pool member does.
Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.
591590-1 : APM policy sync results are not persisted on target devices
Component: Access Policy Manager
Symptoms:
Policy sync results, including profile, sync folder, new partition, statuses, history are not persisted on target devices after sync, when there is no LSO resolution.
Conditions:
1. Create an APM policy with no LSO to resolve, or have an APM policy that has LSO resolved by the previous sync.
2. Start a policy sync.
Impact:
Sync results including the policy profiles are not persisted, so when the BIG-IP system restarts, all the sync data will be lost.
Workaround:
Run tmsh command to save config:
tmsh save sys config
Fix:
Policy sync result will be persisted on target devices so even when those devices restart, the data will still be there.
591495-2 : VCMP guests sflow agent can crash due to duplicate vlan interface indices
Component: TMOS
Symptoms:
When a VCMP guest uses sflow, the sflow agent will crash when it tries to add a row to its internal data structure and finds the key already exists for some other entry.
Conditions:
This issue can occur on systems with VCMP guests; its occurrence is more likely with a higher number of cores.
Impact:
sflow agent will crash.
Fix:
Make sure the allocated interface index for a vlan is not already taken by another interface object.
591476-7 : Stuck crypto queue can erroneously be reported
Solution Article: K53220379
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based platforms (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck.
Conditions:
-- Running on one of the following platforms:
+ BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx
+ VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:
tmsh modify sys db crypto.queue.timeout value 0
Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.
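The three Cavium Nitrox entries above (592871-3, 592731-1 and this one) quote two forms of the stuck-queue message that tmm writes to /var/log/ltm. As an added example that is not part of this release note, the Python below scans ltm log lines for both forms, attributes each report to the crypto device named in it, and lists devices that report more than once inside a time window, so an operator can separate a single report under load from a device that keeps reporting and deserves a look at the tmm/crypto stats. The log lines, host name and PIDs are constructed; the 60-second window and the count of two are assumptions for illustration, not thresholds from F5.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two message forms quoted in these release notes (591476-7 and 592731-1).
STUCK_QUEUE_PATTERNS = [
    re.compile(r"Hardware Error\(Co-Processor\): (?P<device>\S+) request queue stuck"),
    re.compile(r"Device error: crypto codec (?P<device>\S+) queue is stuck"),
]

# /var/log/ltm line layout: "Mon DD HH:MM:SS host level process[pid]: message"
LTM_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<level>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_stuck_queue_events(lines):
    """Return one dict per stuck-queue report found in the given ltm log lines."""
    events = []
    for line in lines:
        m = LTM_LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for pattern in STUCK_QUEUE_PATTERNS:
            hit = pattern.search(m.group("msg"))
            if hit:
                events.append({
                    # syslog timestamps carry no year; the parsed value is used for ordering only
                    "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                    "host": m.group("host"),
                    "process": m.group("proc"),
                    "device": hit.group("device"),
                    "message": m.group("msg"),
                })
                break
    return events


def reports_per_device(events):
    """Count stuck-queue reports by crypto device name."""
    counts = defaultdict(int)
    for event in events:
        counts[event["device"]] += 1
    return dict(counts)


def repeatedly_stuck_devices(events, window_seconds=60, min_reports=2):
    """Devices with at least min_reports reports inside any window_seconds span (assumed thresholds)."""
    times_by_device = defaultdict(list)
    for event in events:
        times_by_device[event["device"]].append(event["time"])
    flagged = []
    for device, times in sorted(times_by_device.items()):
        times.sort()
        for start in range(len(times)):
            end = start
            while end + 1 < len(times) and (times[end + 1] - times[start]).total_seconds() <= window_seconds:
                end += 1
            if end - start + 1 >= min_reports:
                flagged.append(device)
                break
    return flagged


# Constructed sample lines in the /var/log/ltm layout; not taken from a real system.
SAMPLE_LTM_LOG = """\
Jun  3 10:15:40 bigip1 notice mcpd[5178]: Configuration loaded.
Jun  3 10:15:42 bigip1 err tmm[12345]: Hardware Error(Co-Processor): n3-crypto1 request queue stuck.
Jun  3 10:15:43 bigip1 err tmm1[12346]: Device error: crypto codec cn-crypto-0 queue is stuck.
Jun  3 10:15:58 bigip1 err tmm1[12346]: Device error: crypto codec cn-crypto-0 queue is stuck.
Jun  3 10:16:05 bigip1 notice tmm[12345]: Configuration loaded.
"""

if __name__ == "__main__":
    found = parse_stuck_queue_events(SAMPLE_LTM_LOG.splitlines())
    print(reports_per_device(found))
    print("repeated within 60 s:", repeatedly_stuck_devices(found))
```

To run it against a real unit, pass the lines of /var/log/ltm (or the output of a SIEM query for the ltm facility) to parse_stuck_queue_events and tune the window and count to the failover sensitivity of the environment.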
591455-7 : NTP vulnerability CVE-2016-2516
Solution Article: K24613253
591447-1 : PHP vulnerability CVE-2016-4070
Solution Article: K42065024
591438-7 : PHP vulnerability CVE-2015-8865
Solution Article: K54924436
591358-1 : Oracle Java SE vulnerability CVE-2016-3425
Solution Article: K81223200
591343-5 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
Solution Article: K03842525
Component: Local Traffic Manager
Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.
Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.
Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.
Workaround:
None.
Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.
591328-7 : OpenSSL vulnerability CVE-2016-2106
Solution Article: K36488941
591325-8 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
Solution Article: K75152412
591268-1 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
Component: Access Policy Manager
Symptoms:
The VS hostname is not resolvable when the DNS Relay proxy is installed and running under certain conditions; whether it occurs depends on the client machine configuration. Symptom: a negative record in the Windows DNS cache, which can be verified by running ipconfig /displaydns.
Conditions:
Specific client machine configuration
Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue
Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service
Fix:
The DNS Relay proxy service now cleans up the DNS cache after initialization, mitigating the issue described.
591261 : BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
Component: TMOS
Symptoms:
The BIG-IP VPR-B4450N blade does not show the correct Object ID for SNMP. An SNMP query will return "unknown".
Conditions:
This issue may occur on VIPRION B4450N blades running affected versions of BIG-IP software.
Impact:
Some network management applications may complain and fail.
Workaround:
None.
Fix:
A new SNMP Object ID is added to TMOS v12.1.1 for VPR-B4450N.
591246-1 : Unable to launch View HTML5 connections in non-zero route domain virtual servers
Component: Access Policy Manager
Symptoms:
Currently APM always attempts to use route domain 0 when the VMware View HTML5 client is launched.
This doesn't work with the virtual servers in non-zero route domains.
Conditions:
APM configured as a PCoIP proxy on a VS in non-zero route domain.
Impact:
You cannot use virtuals in non-zero route domains if they need VMware View HTML5 client functionality
Fix:
APM now uses the proper route domain from the virtual server to handle VMware View HTML5 client connections.
591139 : TMM QAT segfault after zlib/QAT compression conflation.
Component: Local Traffic Manager
Symptoms:
TMM can segfault during prolonged mixture of software and hardware accelerated compression.
Conditions:
Continuous and prolonged mixture of software and hardware accelerated compression.
Impact:
TMM segfaults.
Workaround:
Disable hardware accelerated compression with:
tmsh modify sys db compression.strategy value speed
Fix:
TMM QAT compression added pointer-hardening for compression context.
591119 : OOM with session messaging may result in TMM crash
Component: TMOS
Symptoms:
Under out of memory conditions, session messaging may not initialize storage correctly, resulting in a later TMM crash.
Conditions:
Under out of memory conditions, memory allocation for session messaging fails, and storage is not initialized correctly.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Reduce load on box in order to avoid OOM conditions.
Fix:
Initialize storage on memory allocation failure.
591117-3 : APM ACL construction may cause TMM to core if TMM is out of memory
Component: Access Policy Manager
Symptoms:
During ACL construction, TMM sends queries regarding assigned ACL information. If the reply message contains an out-of-memory error, TMM does not handle the error properly, causing TMM to core.
Conditions:
BIG-IP is extremely loaded and out of memory.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.
591104-1 : ospfd cores due to an incorrect debug statement.
Component: TMOS
Symptoms:
ospfd cores due to an incorrect debug statement.
Conditions:
This occurs in NSSA configs when ASE OSPF debugging is enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.
Impact:
ospfd might crash, interrupting dynamic routing.
Workaround:
Do not enable debugging in ospf that includes 'route ase'.
Fix:
ospfd no longer crashes when debugging is enabled in imish.
591042-17 : OpenSSL vulnerabilities
Solution Article: K23230229
591039 : DHCP lease is saved on the Custom AMI used for auto-scaling VE
Component: TMOS
Symptoms:
When configuring an instance for auto-scaling purposes and subsequently generating the Custom/Model AMI used for auto-scaling VEs, the new instances generated from this image might still carry the old DHCP lease acquired by the custom instance before the AMI was generated from it. This lease can collide with the new lease that the new instances acquire at boot.
Conditions:
This occurs when Auto-scaling VEs.
Impact:
Multiple valid DHClient leases exist, which could result in dhclient on the BIG-IP system choosing the wrong IP address for the management interface.
Workaround:
Delete the /var/lib/dhclient/dhclient.leases before shutting down the custom instance and generating a Custom/Model AMI out of it.
Fix:
Auto-scaling AMIs no longer contain a DHCP lease when they are saved.
590993 : Unable to load configs from /usr/libexec/aws/.
Component: TMOS
Symptoms:
In 12.1.0, a new tmsh object 'sys global-settings file-whitelist-path-prefix' controls the path from which config can be loaded. To be allowed as a config storage location, the path must exist in file-whitelist-path-prefix. Because /usr/libexec/ is not part of the path, loading auto-scaling and CloudWatch iCall configuration files from /usr/libexec/aws/ fails.
Conditions:
The issue occurs with AWS auto-scaling- and CloudWatch-related configuration files in TMOS v12.1.0.
Impact:
AWS auto-scaling-related automation and CloudFormation Templates (CFTs) for deploying BIG-IP will not work, because 'sys global-settings file-whitelist-path-prefix' disallows /usr/libexec/aws/ as a legitimate config location.
Workaround:
To work around this, add /usr/libexec/aws/ into the 'sys global-settings file-whitelist-path-prefix'. To do so, run the following tmsh command:
tmsh modify sys global-settings file-whitelist-path-prefix "{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/libexec/aws}".
Fix:
Starting in 12.1.0-HF1, F5 Networks has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.
Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.
12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.
Behavior Change:
Starting in 12.1.0-HF1, the system has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.
Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.
12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.
590992-3 : If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working
Component: Access Policy Manager
Symptoms:
- If an IP address on an interface changes after the connection to APM is established, DNS resolution stops working if the DNS on that adapter has not changed.
- DNS resolution stops working until DNS relay proxy service is restarted or stopped.
Conditions:
- Using Microsoft Windows version 10.
- Split tunneling configuration with split DNS scope.
- IP address on the network adapter changes after the connection to APM is established, but the DNS on that adapter remains unchanged.
- This might also occur when adapter 1 goes down and adapter 2 with same DNS as adapter 1 comes up.
Impact:
DNS resolution stops working until DNS relay proxy is stopped or restarted.
Workaround:
Stop or restart DNS relay proxy.
Fix:
This issue has been fixed.
590938-3 : The CMI rsync daemon may fail to start
Component: TMOS
Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running but has left its PID file behind, it will not be restarted.
Conditions:
The rsync daemon failed unexpectedly.
Impact:
Sync of file objects will fail with an error like this:
01070712:3: Caught configuration exception (0), Failed to sync files...
Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.
590904-1 : New HA Pair created using serial cable failover only will remain Active/Active
Component: TMOS
Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.
Conditions:
Create a new sync-failover device-group without enabling network failover.
Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.
Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.
Fix:
After creating the sync-failover group without network failover configured, but with a serial failover cable installed, one of the devices becomes Standby and the other remains Active.
590840-2 : OpenSSH vulnerability CVE-2015-8325
Solution Article: K20911042
590820-3 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Component: Access Policy Manager
Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.
Impact:
Very low web application performance when using Microsoft Internet Explorer.
Workaround:
None.
Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.
590805-4 : Active Rules page displays a different time zone.
Component: Advanced Firewall Manager
Symptoms:
Active Rules page displays a different time zone.
Conditions:
When the Active Rules page is loaded after the BIG-IP system timezone has changed.
Impact:
GUI shows incorrect timezone.
Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.
Fix:
Active Rules page now shows the correct timezone after the BIG-IP system timezone has changed.
590795-1 : tmm crash when loading default signatures or updating classification signature★
Component: Traffic Classification Engine
Symptoms:
When upgrading classification signatures or downgrading to the default signatures, tmm will crash.
Conditions:
This occurs when loading updated classification signatures on versions 12.1.0 and 12.1.1.
Impact:
tmm will crash during the load. Traffic disrupted while tmm restarts.
Fix:
Fixed a crash when loading classification signatures.
590779 : Rest API - log profile in json return does not include the partition but needs to
Component: TMOS
Symptoms:
When querying the log profile via the Rest API, the returned response does not include the partition name in FullPath.
For example, for a log profile named mySample:
https://bigip_ip/mgmt/tm/security/log/profile/~Common~mySample/application/mySample
The JSON returned will contain
"fullPath": "testProfile",
It should contain
"fullPath": "/Common/testProfile",
This can cause BIG-IQ to fail to sync.
Conditions:
Log profile created. This is most visible when using BIG-IQ to sync.
Impact:
Applications relying on the folder path can fail.
Fix:
The Rest API will now provide the full path to the log profile.
590608-1 : Alert is not redirected to alert server when unseal fails
Component: Fraud Protection Services
Symptoms:
Alert is not redirected to the alert server when unseal fails and iRule is enabled.
Conditions:
1. Unsealing alert failure.
2. iRule enabled.
Impact:
Alert is not redirected to the alert server and FPS returns 404 response.
Workaround:
Disable iRule.
Fix:
FPS now correctly redirects the alert.
590601-2 : BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
Component: Access Policy Manager
Symptoms:
After an end-user successfully performs SP-initiated SAML SSO with an original request URI other than "/", the SP redirects the user back to '/' as the landing URI.
Conditions:
BIG-IP is used as SAML SP and no relay state is configured on either the SP or the IdP.
Impact:
User is not redirected to original request URI.
Workaround:
The workaround below works when the first client request to BIG-IP as SP is a 'GET'. It is not applicable when the first client request is a 'POST'.
SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri}
After successful authentication, end-user will be redirected to the landing URI (reflected back by IdP in the relay-state).
Fix:
SAML SSO requests will now be redirected to the original request URI.
590578-4 : False positive "URL error" alerts on URLs with GET parameters
Component: Fraud Protection Services
Symptoms:
False-positive URL Error alerts are sometimes generated on URLs with GET parameters.
Conditions:
Use of URLs with GET parameters.
Impact:
Unwanted alerts in alert server.
Workaround:
None
Fix:
Hash calculation is done on slightly different URL inputs, causing mismatch.
590428-1 : The "ACCESS::session create" iRule command does not work
Component: Access Policy Manager
Symptoms:
When the "ACCESS::session create" iRule command is used with an APM virtual, the command does not resume properly, causing sessions to disconnect or hang.
Conditions:
APM virtual configured with an iRule that includes "ACCESS::session create" iRule command.
Impact:
APM virtual won't function correctly.
Workaround:
The "ACCESS::session create" iRule command should be removed from the iRule attached to the virtual.
Fix:
Updated the session DB calls to include req_id parameter so that the TCL context gets updated/saved and used upon resume.
590345-1 : ACCESS policy running iRule event agent intermittently hangs
Component: Access Policy Manager
Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.
Conditions:
iRule event agent is configured.
iRule uses ACCESS_POLICY_EVENT_AGENT event
Within this event, ACCESS::policy agent_id command is used.
Impact:
Policy execution intermittently hangs.
Workaround:
Please use this command:
ACCESS::session data get {session.custom_event.id}
Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.
590211-2 : jitterentropy-rngd quietly fails to start
Component: TMOS
Symptoms:
If jitterentropy-rngd fails to start, it does so quietly during system start, causing the init.d script to report [ OK ] when it should report [ FAILED ].
This can cause the system to hang indefinitely at boot time at the following step (the key name may vary, depending on what needs to be generated):
Generating /var/named/config/rndc.key ( 09:08:10 ) ...
Similarly, if jitterentropy-rngd fails to start but there are no keys to be generated at boot time, the system will boot successfully. However, the genkeys and genkeys-1024 processes invoked by crontab every hour might hang.
Conditions:
This can occur on any BIG-IP system if jitterentropy-rngd fails to start. The issue has been observed chiefly on vCMP guests running on VIPRION B21x0 blades.
Impact:
1) The system may fail to boot (user intervention will be required at this point to recover the system).
2) As crontab invokes the genkeys and genkeys-1024 processes every hour, these may start but never terminate (any hung processes might eventually cause increased memory and CPU utilization, potentially leading to unpredictable system failures).
Fix:
jitterentropy-rngd now starts up as expected, so no failures occur.
590122-2 : Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
Component: Local Traffic Manager
Symptoms:
Standard TLS rollback detection for TLSv1 or earlier clients might be too strict for clients that do not comply with RFC 2246 and later. These clients may require 'tls-rollback-bug' option set.
Conditions:
Standard behaviour of TLS clients is to use ClientHello.client_version in pre-master secret (PMS).
Some clients, incorrectly, might use negotiated version in PMS.
Impact:
Failed TLS handshake.
Workaround:
Configure the BIG-IP client SSL profile to include tls-rollback-bug, using a command similar to the following:
create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.
Fix:
Added support for tls-rollback-bug
Behavior Change:
This release provides improved support for "TLS rollback bug workaround" feature described in Managing SSL Traffic :: Configuring workarounds in the LTM documentation on AskF5. ([1] link below). The value is set by existing tls-rollback-bug option, using the command described in [2], below.
This is an existing option.
When this option is enabled in clientssl profile, RSA-only ciphersuites will have relaxed treatment of the version field set by the SSL/TLS client as part of the sequence of bytes encrypted to the server RSA key, called pre-master secret (PMS).
With the option enabled, PMS can contain either ClientHello.client_version, or negotiated version. Standard behaviour of TLS clients is to use ClientHello.client_version in PMS.
[1] https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_ssl_profiles.html.
[2] create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.
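To make the rollback check concrete, the following added example (not code from the release notes or from F5) models the server-side check that the Behavior Change above describes: the 2-byte version field at the start of the RSA pre-master secret (PMS) must match ClientHello.client_version per RFC 2246/5246, and with tls-rollback-bug enabled the server additionally tolerates clients that wrote the negotiated version instead. The function and version names are this example's own; nothing else about the BIG-IP implementation is assumed.

```python
import os

# TLS protocol versions as (major, minor) pairs, as they appear on the wire.
SSLV3 = (3, 0)
TLSV1_0 = (3, 1)
TLSV1_2 = (3, 3)

PMS_LEN = 48


def build_pms(version, random46=None):
    """Build the 48-byte RSA pre-master secret: a 2-byte protocol version
    followed by 46 random bytes (RFC 5246 section 7.4.7.1)."""
    if random46 is None:
        random46 = os.urandom(PMS_LEN - 2)
    if len(random46) != PMS_LEN - 2:
        raise ValueError("pre-master secret needs exactly 46 random bytes")
    return bytes(version) + random46


def pms_version_ok(pms, client_hello_version, negotiated_version, tls_rollback_bug=False):
    """Server-side rollback check on the decrypted PMS (hypothetical helper).

    Strict (RFC 2246/5246) mode: the version inside the PMS must equal
    ClientHello.client_version. With tls_rollback_bug=True the server also
    tolerates clients that wrote the *negotiated* version, as the page's
    non-compliant clients do. Any other value is still rejected, so a PMS
    carrying a version that was neither offered nor negotiated fails in
    both modes.
    """
    if len(pms) != PMS_LEN:
        return False
    pms_version = (pms[0], pms[1])
    if pms_version == tuple(client_hello_version):
        return True
    return tls_rollback_bug and pms_version == tuple(negotiated_version)


def simulate_rsa_handshake(client_hello_version, server_max_version,
                           client_uses_negotiated=False, tls_rollback_bug=False):
    """Model only the version-related part of an RSA key exchange.

    The server negotiates the highest version both sides support; the client
    then builds the PMS either correctly (with ClientHello.client_version) or
    with the non-compliant behaviour described on the page (with the
    negotiated version). Returns (accepted, negotiated_version).
    """
    negotiated = min(tuple(client_hello_version), tuple(server_max_version))
    version_in_pms = negotiated if client_uses_negotiated else tuple(client_hello_version)
    pms = build_pms(version_in_pms)
    accepted = pms_version_ok(pms, client_hello_version, negotiated, tls_rollback_bug)
    return accepted, negotiated


if __name__ == "__main__":
    # A client that offers TLS 1.2 to a TLS 1.0-only server and wrongly writes
    # the negotiated version into the PMS fails the strict check but passes
    # once the tls-rollback-bug tolerance is enabled.
    print(simulate_rsa_handshake(TLSV1_2, TLSV1_0, client_uses_negotiated=True))
    print(simulate_rsa_handshake(TLSV1_2, TLSV1_0, client_uses_negotiated=True,
                                 tls_rollback_bug=True))
```

The strict check is what produces the "Failed TLS handshake" impact listed above for non-compliant clients; the relaxed mode only widens acceptance to the negotiated version, not to arbitrary older versions. A production server should also follow RFC 5246 section 7.4.7.1 and continue with a randomly generated PMS on a mismatch rather than emit a distinguishable error.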
590074-1 : Wrong value for TCP connections closed measure
Component: Application Visibility and Reporting
Symptoms:
In TCP analytics, the measure 'connections closed' displays the wrong value.
Conditions:
TMM_API debug enabled.
Impact:
Wrong value displayed.
Workaround:
Do not turn on debug printing.
Fix:
Memory corruption found and fixed. All debug printing organized together at the beginning of the function.
589661 : PS2 power supply status incorrect after removal
Component: TMOS
Symptoms:
After removing the second power supply (PS2), running system_check indicates that the power supply status is still good:
system_check -d | grep power
Chassis power supply 1: status FAN=good; VINPUT=good; VOUTPUT=good; STATUS=good
Chassis power supply 2: status VINPUT=good; VOUTPUT=good; STATUS=not present
Conditions:
This occurs on 10000-series and 12000-series platforms when removing the PS2 power supply and running system_check.
Impact:
Erroneous indication that the power supply is still good.
Fix:
Power supply status for PS2 is now correctly indicated when the power supply is removed.
589400-1 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Component: Local Traffic Manager
Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Conditions:
Congestion window is small relative to message size; abc (appropriate byte counting) is enabled; this might also manifest when the serverside MTU is greater than the clientside MTU.
Impact:
Additional connection latency.
Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.
If init-cwnd is low, raising it might also help.
Disabling abc can also reduce the problem, but might have other negative network implications.
Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.
589379-2 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
Solution Article: K20937139
Component: TMOS
Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.
Conditions:
OSPF using route health injection for default route.
Impact:
No functional impact. The extraneous LSA is immediately aged out.
Workaround:
Configure a static default route in imish instead of using RHI for the default route.
Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
589318-1 : Clicking 'Customize All' checkbox does not work.
Component: Fraud Protection Services
Symptoms:
Clicking 'Customize All' in Safari browser does not check the checkboxes below, and the settings remain grayed out.
Conditions:
Provision and license FPS.
Impact:
The FPS child profile page cannot be configured from the GUI.
Workaround:
Use tmsh.
Fix:
Clicking the 'Customize All' checkbox in the Safari browser now checks the checkboxes below and changes the state of the corresponding settings.
589256-1 : DNSSEC NSEC3 records with different type bitmap for same name.
Component: Global Traffic Manager (DNS)
Symptoms:
For a delegation from a secure zone to an insecure zone, the BIG-IP system returns different type of bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.
Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND, if selected as fallback. Without ZSK/KSK for an insecure child zone, BIND responds SOA which the system dynamically signs.
Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.
Workaround:
None.
Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.
589223-1 : TMM crash and core dump when processing SSL protocol alert.
Component: Local Traffic Manager
Symptoms:
TMM crash and core dump when processing SSL protocol alert.
Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A problem of TMM restarting when processing SSL protocol alert has been fixed.
589083-2 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
Component: TMOS
Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.
Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.
Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:
Can't create tmsh temp directory "/config/.config.backup" Permission denied
Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.
Impact:
Cannot save the configuration.
Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.
Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.
589006-5 : SSL does not cancel pending sign request before the handshake times out or is canceled.
Component: Local Traffic Manager
Symptoms:
When TMM is processing many SSL handshakes with ephemeral keys, SSL must sign the ServerKeyExchange message, and it is possible for that sign request to remain pending on the crypto SSL queue. Even if the handshake times out or is canceled, the sign request stays in the queue. This might cause memory accumulation.
Conditions:
TMM is processing many SSL handshakes with ephemeral keys, for which SSL must sign the ServerKeyExchange message.
Impact:
Even if the handshake times out or is canceled, the sign request is still in the queue. This might cause memory accumulation.
Note: Although this issue was fixed in 11.5.4 HF3, the fix was reverted in 11.5.4 HF4, meaning that the issue is not fixed in 11.5.4 HF4.
Workaround:
None.
Fix:
SSL now cancels the pending sign request when the handshake times out or is canceled.
588959-2 : TMM may crash or behave abnormally on a Standby BIG-IP unit
Solution Article: K34453301
Component: Local Traffic Manager
Symptoms:
TMM may crash or behave abnormally on a Standby BIG-IP unit. Memory utilization before the crash can appear to be unusually high.
Conditions:
This is a rare issue, currently known to occur only in WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring. Virtual servers that make use of the standard TCP profile are not affected.
Impact:
The unit is not operational until TMM has finished writing the core file to disk and restarting. If the unit was Active for a different traffic-group, traffic for that traffic-group will be disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes in the rare case of WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring.
588888-3 : Empty URI rewriting is not done as required by browser.
Solution Article: K80124134
Component: Access Policy Manager
Symptoms:
Empty URI must be rewritten at server side and client side rewriter in the same way: as empty URI (all browsers treat this type of URI in a specific way).
Conditions:
A tag with an empty 'src' or 'href' attribute.
Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.
Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.
-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.
Fix:
This release fixes the issue of rewriting the empty URI the same way at the server side and client side: as empty URI (all browsers treat this type of URI in a specific way).
588879-2 : apmd crash under rare conditions with LDAP
Component: Performance
Symptoms:
apmd crashes during periods of high Active Directory (AD) lookups.
Conditions:
-- APM configured to use LDAP.
-- Might be related to stress testing AD queries.
Impact:
apmd crashes, clients unable to connect.
Workaround:
None.
Fix:
apmd no longer crashes during periods of high Active Directory (AD) lookups.
588686 : High-speed logging to remote logging node stops sending logs after all logging nodes go down
Component: TMOS
Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stops.
Conditions:
This occurs when all of the configured logging nodes go down. Even when they are brought back up, tmm will not send logs to the remote servers.
Impact:
Remote logging stops and will only resume if tmm is restarted.
588456-3 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
Solution Article: K60250444
Component: Policy Enforcement Manager
Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address, the DHCP server sends the ACK to the renewal packet to the relay agent IP (giaddr) instead of ciaddr. BIG-IP DHCP module does not process the ACK and update the lease time, which causes PEM subscriber session to be aged out.
Conditions:
-- The BIG-IP system is configured in forwarding mode.
-- The giaddr field in the unicast DHCP renewal packet is set to the IP address of relay agent. (Typically, it is set to 0 by the DHCP client.)
Impact:
PEM Subscriber Session will age out.
Workaround:
None.
Fix:
PEM no longer deletes existing PEM Subscriber Sessions after the lease time expires, so the DHCP renewal is now processed.
588405-1 : BADOS - BIG-IP Self-protection during (D)DOS attack
Component: Anomaly Detection Services
Symptoms:
Problem: even 100% accurate detection may not be enough to prevent an attack.
It is necessary to protect BIG-IP CPU utilization during an attack, both for bad actors (in addition to the shun list) and for unknown IPs.
This mechanism should allow bad actor detection while keeping CPU utilization within reasonable limits.
Conditions:
High BIG-IP CPU utilization during (D)DOS attack
Impact:
Service impact due to BIG-IP CPU high utilization
Workaround:
No workaround
Fix:
Added additional CPU protection during a (D)DOS attack
588399-1 : BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
Component: Anomaly Detection Services
Symptoms:
BIG-IP CPU utilization can be excessively high even after mitigating bad actors.
Conditions:
This can occur when Bad Actor detection is used
Impact:
CPU utilization will be higher than expected.
Fix:
An issue with referencing bad actors that have been detected and affecting CPU utilization has been fixed.
588351-5 : IPv6 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
IPv6 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.
588327 : "err bcm56xxd" log messages observed in /var/log/ltm
Component: TMOS
Symptoms:
An "err bcm56xxd" log message is observed in /var/log/ltm that reads "err bcm56xxd[10968]: 012c0012:3: bs_module_do_precond:No preconditioning provided for module on port 3/5.0".
Conditions:
This occurs during system start.
Impact:
The error is benign and can be ignored.
Fix:
The "No preconditioning provided for module" message is now logged at the info level.
588289-1 : GTM is Re-ordering pools when adding pool including order designation
Component: Global Traffic Manager (DNS)
Symptoms:
GTM re-orders, including the "0" order when adding the pool with specific order designation.
Conditions:
This occurs when adding pools with a specified order.
Impact:
This changes the pool order unexpectedly, which affects load balancing using global-availability.
588140 : Pool licensing fails in some KVM/OpenStack environments
Component: TMOS
Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.
Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.
Impact:
From BIG-IQ, the licensing operation appears to succeed; however, the BIG-IP VE will not be licensed.
Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.
588115-1 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.
Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.
Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.
588089-3 : SSL resumed connections may fail during mirroring
Component: Local Traffic Manager
Symptoms:
Resumed SSL connections may fail when SSL mirroring is in use. This can leave SSL connections unable to recover after failover.
Conditions:
Mirroring is enabled on a virtual server with an associated client-ssl profile.
Impact:
SSL connections unable to recover after failover.
Workaround:
Disable session cache to prevent connections from resuming.
588087-1 : Attack prevention isn't escalating under some conditions in session opening mitigation
Component: Application Security Manager
Symptoms:
An attack is detected but does not escalate in session opening mitigation.
Conditions:
A session opening attack in which the attacker answers the challenges.
Impact:
The attack continues.
Workaround:
Configure the attack prevention as rate limit.
Fix:
Fixed attack escalation in some cases on session opening.
588058-3 : False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
Component: Fraud Protection Services
Symptoms:
Large numbers of "failed to unseal" Source Integrity alerts.
Conditions:
Source integrity feature enabled. Clients using Internet Explorer 8 to 10.
Impact:
High number of false positive alerts in alert dashboard.
Workaround:
Create alert dashboard signature to ignore source integrity alerts containing "failed to unseal" and Internet Explorer 8 to 10 user agent.
Fix:
Fixed parsing in relevant browsers.
588049-1 : Improve detection of browser capabilities
Component: Application Security Manager
Symptoms:
Browsers can override native functions, and manipulate the PBD capabilities test.
Conditions:
1. Proactive Bot defense is on.
2. The attacker overrides the browser's native functions.
Impact:
Malicious browsers can go undetected by PBD.
Workaround:
N/A
Fix:
The capabilities test now checks that the majority of the browser's native functions are not overridden.
587966-1 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
Solution Article: K77283304
Component: Local Traffic Manager
Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.
Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.
Impact:
A Type DNS Query dropped intermittently.
Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.
Fix:
Type A requests are no longer dropped when A and AAAA DNS queries are requested at the same time with the same source IP and port.
587791-1 : Set execute permission on /var/lib/waagent
Component: TMOS
Symptoms:
Due to recent changes in the build process, /var/lib/waagent did not have the proper execute permission set. This caused user custom scripts to fail to execute during deployment.
Conditions:
First deployment of VM in Azure, which requires executing custom scripts.
Impact:
Custom scripts cannot be executed.
Workaround:
N/A
Fix:
Execute permissions are now set properly on the /var/lib/waagent directory.
587780 : warning: HSBe2 XLMAC initial recovery failed after 11 retries.
Component: TMOS
Symptoms:
ltm log contains multiple instances of the following message on VIPRION B4450 blades: warning: HSBe2 XLMAC initial recovery failed after 11 retries.
Conditions:
This often happens when a VIPRION 4480 or 4800 chassis with B4450 blades is rebooting.
Impact:
No operational impact. This is a cosmetic message that you can safely ignore.
Workaround:
None needed. This message is cosmetic only.
Fix:
A more robust XLMAC recovery mechanism has been implemented which reduces the maximum retries to four. It does not completely eliminate this warning message (HSBe2 XLMAC initial recovery failed after 11 retries), but its frequency is greatly reduced.
587735 : False alarm on LCD indicating bad fan
Component: TMOS
Symptoms:
During some blade power ON conditions, a false alarm message is displayed on the LCD on the chassis bezel.
This alarm indicates that several chassis fans are bad; however, in reality the fans are not bad.
Typically, the messages look like this:
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 2: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 3: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 4: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 5: status (0) is bad.
Conditions:
Erroneous fan warnings may occur when a blade is inserted into a VIPRION 4800 chassis.
Impact:
No functional impact. The user may experience concern over the false alarms.
Workaround:
Press the green check button on the front of the chassis bezel to clear the alarm.
587705-5 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
Solution Article: K98547701
Component: Local Traffic Manager
Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.
Conditions:
'Match_across_virtual' is enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to pool members from different pools. Some of these pool members do not belong to any of the current virtual server's pools.
Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.
Workaround:
None.
Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.
587698-3 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
Component: TMOS
Symptoms:
The bgpd daemon crashes.
Conditions:
bgp extended-asm-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.
Impact:
The bgpd daemon crashes, leading to route loss and traffic loss.
Fix:
bgpd no longer crashes when both bgp extended-asm-cap and ip extcommunity-list standard with rt and soo parameters are configured.
587676-2 : SMB monitor fails due to internal configuration issue
Component: Local Traffic Manager
Symptoms:
The SMB monitor fails due to an internal configuration issue.
Conditions:
An SMB monitor is configured.
Impact:
The SMB monitor fails to execute.
Fix:
Fixed an internal configuration issue so that the SMB monitor loads properly.
587668 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
Component: TMOS
Symptoms:
Pressing the LCD checkmark button does not always bring up the clearing prompt on VIPRION blades.
Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.
Impact:
Cannot clear the alert using the LCD.
Workaround:
Press the checkmark button followed by the left or right arrow buttons.
Fix:
In this release, unneeded LCD updates that might have clogged the message channel have been optimized, and the keypress is passed along at a later time so that it is not lost. Pressing the LCD checkmark button now correctly brings up the clearing prompt on VIPRION blades.
587656-2 : GTM auto discovery problem with EHF for ID574052
Component: Global Traffic Manager (DNS)
Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs, such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global, unexpectedly show status Checking instead of Available.
Conditions:
After applying EHF9-685.88-ENG
Impact:
Many WideIPs, such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global, unexpectedly show status Checking instead of Available.
Workaround:
Skip to the next Eng HF: v11.4.1-hf10/hotfix/HF10-690.10-ENG
Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.
587629-2 : IP exceptions may have issues with route domain
Component: Application Security Manager
Symptoms:
The IP exception feature doesn't work as expected.
Conditions:
The same IP address is defined many times, each in a different route domain, and configuration changes were made to the exception properties of these IPs.
Impact:
For example, an IP that is configured to be ignored is not ignored.
Workaround:
bigstart restart asm
Fix:
Fixed an issue with IP exceptions defined in multiple route domains.
587617-1 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.
Conditions:
No GTM server object is configured with an existing self IP.
Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.
Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671
Fix:
gtmd no longer cores.
587419-1 : TMM may restart when SAML SLO is performed after APM session is closed
Component: Access Policy Manager
Symptoms:
TMM may core when a user performs SAML SLO on an SP/IdP external to BIG-IP and the BIG-IP APM session is no longer valid.
Conditions:
- The user initiates SAML SLO on an external SAML provider, and the external provider redirects the user to BIG-IP with the SLO request.
- The user does not have a valid session on BIG-IP when the SLO request is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable SAML SLO by removing the SLO request/response URLs from the configuration.
Fix:
TMM will no longer restart in the case described above.
587107-3 : Allow iQuery to negotiate up to version TLS1.2
Component: Global Traffic Manager (DNS)
Symptoms:
big3d accepts only TLS1.0, and gtmd offers only TLS1.0 during iQuery SSL handshake. iQuery does not negotiate up to TLS 1.2.
Conditions:
Establishing iQuery connections.
Impact:
The older, less secure TLS1.0 is the only protocol version possible for iQuery connections.
Workaround:
None.
Fix:
big3d now accepts, and gtmd now offers up to, TLS1.2 in iQuery handshakes.
TLS1.0 and TLS1.1 are still accepted by both ends of the iQuery connection (gtmd and big3d) to enable older clients (gtmd) to connect to newer servers (big3d) and vice versa.
Behavior Change:
big3d now accepts TLS1.2 in iQuery handshakes, and gtmd now offers up to TLS1.2.
587106-1 : Inbound connections are reset prematurely when zombie timeout is configured.
Component: Carrier-Grade NAT
Symptoms:
When an LSN pool is configured in PBA mode with a non-zero zombie timeout, inbound connections are killed and reset prematurely, often in a matter of seconds.
Conditions:
PBA mode configured on the pool, and zombie_timeout set to a non-zero value.
Impact:
Inbound connections to PBA pools with a zombie timeout configured may not be usable.
Workaround:
None.
Fix:
Inbound connections are no longer reset when zombie_timeout is configured to a non-zero value.
587077-1 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
Solution Article: K37603172
587016-3 : SIP monitor in TLS mode marks pool member down after positive response.
Component: Local Traffic Manager
Symptoms:
The SIP monitor in TLS mode marks the pool member down after a positive response, so the pool member is constantly marked down.
Conditions:
SIP monitor configured in TLS mode.
The server does not send a close_notify alert in response to the monitor's close_notify request.
Impact:
Unable to monitor the status of the TLS SIP server.
Workaround:
None.
Fix:
The SIP monitor in TLS mode now marks the pool member up after a positive response, which is the correct behavior.
586887-2 : SCTP tmm crash with virtual server destination.
Solution Article: K25883308
Component: TMOS
Symptoms:
A rare configuration with SCTP can cause a TMM core.
Conditions:
Complex configurations including wildcards, virtual servers and SCTP profiles.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a rare SCTP tmm crash with virtual server destination when using complex configurations including wildcards, virtual servers and SCTP profiles.
586878-4 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
Component: TMOS
Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.
The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.
Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).
Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
For example, it might look similar to the following:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
Note: The profile might have a cert-key-chain name but still no cert/key. In other words, it could also appear similar to the following example:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        default { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
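As an added example for step 2 of this workaround (this is not F5's code), the following Python script parses bigip.conf-style text and lists the client-ssl profiles that have no usable cert/key pair, which is what the upgrade validation rejects. The sample configuration is constructed, and the heuristic for "usable" (a cert and a key on the profile itself, or a cert-key-chain entry naming both) and the treatment of inherit-certkeychain true as "inherits the parent's pair" are assumptions.

```python
"""Flag client-ssl profiles in a bigip.conf that lack a usable cert/key pair.

Added example, not F5 code. Assumes the tmsh text layout shown in the
release note: one 'key value' per line and nested '{ ... }' blocks, with
empty blocks written as 'name { }'.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample: the two invalid shapes from the release note
# (an empty '""' chain entry and a 'default { }' entry with no cert/key)
# plus one valid profile that must not be flagged.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_default-empty {
    cert none
    cert-key-chain {
        default { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_ok {
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key /Common/default.key
}
"""


def _unquote(name: str) -> str:
    """Strip one pair of surrounding double quotes, so '""' becomes ''."""
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        return name[1:-1]
    return name


def _parse_block(lines: List[str], i: int) -> Tuple[Dict, int]:
    """Parse lines[i:] up to the matching '}' (or EOF at top level).

    Scalars map to their string value; nested blocks map to dicts.
    Returns the parsed block and the index of the next unread line.
    """
    block: Dict = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if line == "}":
            return block, i
        if line.endswith("{ }"):                      # empty block on one line
            block[_unquote(line[:-3].strip())] = {}
        elif line.endswith("{"):                      # block opener
            name = _unquote(line[:-1].strip())
            block[name], i = _parse_block(lines, i)
        else:                                         # 'key value' scalar
            key, _, value = line.partition(" ")
            block[key] = value.strip()
    return block, i


def parse_tmsh(text: str) -> Dict[str, Dict]:
    """Parse tmsh-style text into {object header: body dict}."""
    top, _ = _parse_block(text.splitlines(), 0)
    return top


def _names_pair(body: Dict) -> bool:
    """True if body carries a cert and a key that are both not 'none'."""
    return body.get("cert", "none") != "none" and body.get("key", "none") != "none"


def _has_usable_pair(body: Dict) -> bool:
    """Profile-level cert+key, or any cert-key-chain entry naming both."""
    if _names_pair(body):
        return True
    chain = body.get("cert-key-chain", {})
    return isinstance(chain, dict) and any(
        isinstance(entry, dict) and _names_pair(entry) for entry in chain.values()
    )


def find_invalid_clientssl(text: str) -> List[str]:
    """Return the names of client-ssl profiles with no usable cert/key pair."""
    bad: List[str] = []
    for header, body in parse_tmsh(text).items():
        if not header.startswith("ltm profile client-ssl "):
            continue
        # Assumption: a profile that inherits its chain takes the parent's pair.
        if body.get("inherit-certkeychain") == "true":
            continue
        if not _has_usable_pair(body):
            bad.append(header.split()[-1])
    return bad


if __name__ == "__main__":
    # Pass a path (for example /config/bigip.conf) to scan a real file.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BIGIP_CONF
    for profile in find_invalid_clientssl(conf):
        print(profile)
```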
586738-4 : The tmm might crash with a segfault.
Component: Local Traffic Manager
Symptoms:
The tmm might crash with a segfault.
Conditions:
Using IPsec with hardware encryption.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When IPsec is configured with hardware encryption, the hardware encryption error path now returns an error code when appropriate and handles the error as expected, so tmm no longer crashes with a segfault.
586718-1 : Session variable substitutions are logged
Component: Access Policy Manager
Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see logs such as the following, with the encrypted password logged: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'
Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.
Impact:
Session variable substitutions should not be logged, even when the logged value is encrypted.
Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.
Fix:
Session variable substitutions are no longer logged.
586449-1 : Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
Component: Local Traffic Manager
Symptoms:
If an under-provisioned TMM runs out of memory, allocation failures may result. Incorrect error handling of allocation failures in the HTTP cookie code results in a TMM core.
Conditions:
Cookie persistence with encryption required is enabled on the virtual server, and an under-provisioned TMM runs out of memory, causing allocation failures.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Error handling in the HTTP cookie code has been fixed. Allocation errors now result in connection resets instead of a core due to an assert.
586412-2 : BGP peer-group members address-family configuration not saved to configuration
Component: TMOS
Symptoms:
Deactivation of the ipv6 address-family for an IPv6 BGP neighbor that is a member of a peer group may be lost when the configuration is reloaded or the system restarts.
Conditions:
IPv6 BGP neighbors are in a peer group, and individual group members have address-family configurations that differ from the peer-group.
Impact:
BGP behavior may change after reboot.
Workaround:
If a neighbor must behave differently from the other peer group members, it can be removed from the peer group and configured individually.
Fix:
BGP address-family configuration is now correctly saved and reloaded for neighbors belonging to a peer-group.
586070 : 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
Component: Advanced Firewall Manager
Symptoms:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
Conditions:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
Impact:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
Workaround:
N/A
Fix:
Fixed the typo in the GUI.
586006-1 : Failed to retrieve CRLDP list from client certificate if DirName type is present
Component: Access Policy Manager
Symptoms:
Client certificate revocation checking fails.
Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without a server hostname and port, which are needed for DirName type processing, AND
2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list.
Impact:
Users may fail access policy evaluation when client certificate authentication is used.
Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.
585905-1 : Citrix Storefront integration mode with pass-through authentication fails
Component: Access Policy Manager
Symptoms:
Citrix Storefront integration mode with pass-through authentication fails. The client fails with the error message "Authentication service is not reachable".
Conditions:
Citrix Storefront integration mode with only pass-through authentication enabled on the Storefront.
Impact:
Pass-through authentication cannot be used on the Storefront for remote access to the store.
Workaround:
None
Fix:
Pass-through authentication can now be used for remote access to the store.
585833-3 : Qkview will abort if /shared partition has less than 2GB free space
Component: TMOS
Symptoms:
To inform the user that the /shared partition needed to be cleaned up, qkview was checking for at least 2GB of free space. This is not a hard requirement: building a qkview can use much less than 2GB. Additionally, some F5 VE systems ship with less than 2GB in /shared, so qkviews cannot be produced on them.
Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.
Impact:
User is unable to create a qkview despite having enough room to build one.
Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/csp/#/article/K14952 for detailed instructions on resizing volumes.
Fix:
A warning about having less than 2GB will still be issued, but the qkview will continue to attempt to finish.
585823-1 : FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)
Component: Advanced Firewall Manager
Symptoms:
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses a source address list to match the incoming source address and the source translation object in the rule is configured for 'dynamic-pat' with mode = deterministic.
Conditions:
The following conditions together trigger the issue:
a) FW NAT rule has source translation object of type 'dynamic-pat' and mode = deterministic
AND
b) FW NAT rule has match source address-list only (and no inline source addresses on the match side)
Impact:
Translation fails as described, resulting in connection failures.
Workaround:
If a FW NAT rule has source translation object with dynamic-pat and deterministic mode, the source address(es) on the match side should be specified as inline address(es) instead of specifying the source address-list with such addresses.
Fix:
The fix uses the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.
585813-3 : SIP monitor with TLS mode fails to find cert and key files.
Component: Local Traffic Manager
Symptoms:
SIP monitor with TLS enabled fails to find cert and key in filestore.
Conditions:
SIP monitor with TLS mode.
Impact:
Cannot create SIP monitor with TLS mode enabled and have the pool correctly checked.
Workaround:
Create an external monitor script to invoke the SIP monitor. Supply the correct arguments to the script.
Fix:
SIP monitor with TLS mode now finds cert and key files, so you can create SIP monitor with TLS mode enabled and have the pool correctly checked.
585807-2 : 'ICAP::method <method>' iRule is documented but is read-only
Component: Service Provider
Symptoms:
'ICAP::method' iRule function is documented as 'ICAP::method <REQMOD|RESPMOD>' which is said to get as well as set (modify) the ICAP method type in the ICAP_REQUEST event. Validation has at times rejected an argument, and at times accepted it. In fact the argument is ignored even if validation accepts it: the method type cannot be changed by the iRule. When validation rejects it, the system posts an error similar to the following: 01070151:3: Rule [/Common/icap_test] error: /Common/icap_test:2: error: [unexpected extra argument "REQMOD"][ICAP::method "REQMOD"]
Conditions:
iRule in ICAP_REQUEST event with 'ICAP::method REQMOD' or 'ICAP::method RESPMOD'.
Impact:
Users may attempt to change the method type. Usually the validator rejects it. In some versions the validator accepts it, but the methods only return the existing method type.
Workaround:
Do not attempt to change the method type with 'ICAP::method <method>'.
Fix:
ICAP::method is now documented as simply 'ICAP::method' with no argument, and it simply returns the current method type 'REQMOD' or 'RESPMOD'.
585745-2 : sod core during upgrade from 10.x to 12.x.
Component: TMOS
Symptoms:
The failover daemon (sod) may core during an upgrade, when the peer device upgrade completes and rejoins the trust.
Conditions:
Upgrading a high availability configuration from 10.x to 12.x or later.
Impact:
Corefile generated, and system will temporarily go offline, resulting in an interruption of service.
Workaround:
Upgrade multiple devices in the high availability configuration from 10.x to a supported 11.x release, and then upgrade to the desired 12.x release.
Fix:
The failover daemon (sod) no longer cores during an upgrade, when the peer device upgrade completes and rejoins the trust.
585654 : Enhanced implementation of AES in Common Criteria mode
Component: Local Traffic Manager
Symptoms:
Common Criteria (CC) mode disallows the use of the dedicated BIG-IP accelerator. Performance of the BIG-IP in CC mode may not match benchmarks for some CPU-based AES implementations.
Conditions:
Common Criteria (CC) mode is enabled.
Impact:
Lower performance with CBC-based AES ciphersuites.
Fix:
Updated AES implementation may achieve higher performance of CBC-based AES ciphersuites.
585562-3 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
Component: Access Policy Manager
Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.
Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.
Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.
Workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}
Fix:
The VMware View HTML5 client shipped with Horizon 7 now works through BIG-IP APM in Chrome/Safari.
585547-1 : NTP configuration items are no longer collected by qkview★
Solution Article: K58243048
Component: TMOS
Symptoms:
qkview was collecting the file /etc/ntp/keys, which in some cases contains the secret keys used for integrity verification of NTP messages.
Conditions:
Execute qkview to collect diagnostic information.
Impact:
Possibility for keys to be exposed.
Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.
Fix:
With this release, qkview no longer collects this file.
585485-3 : Interoperability with "delete IPSEC-SA" between Azure, ASA, and the BIG-IP system
Component: TMOS
Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.
The BIG-IP system sends and expects delete messages with two SPIs inside.
Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor may experience this. Azure and Cisco ASA are two such vendors.
Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.
Workaround:
Delete the outbound SA from the BIG-IP using the tmsh command by specifying the related SA:
(tmos)# delete net ipsec ipsec-sa ?
Properties:
    "{"               Optional delimiter
    dst-addr          Specifies the destination address of the security associations
    spi               Specifies the SPI of the security associations
    src-addr          Specifies the source address of the security associations
    traffic-selector  Specifies the name of the traffic selector
Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.
585442-2 : Provisioning APM to "none" creates a core file
Component: Access Policy Manager
Symptoms:
Provisioning APM level to "none" may result in apmd creating a core file.
Conditions:
When the APM service is shut down, the apmd daemon may create a core file.
Impact:
Harmless
Workaround:
There is no loss in functionality.
585424-1 : Mozilla NSS vulnerability CVE-2016-1979
Solution Article: K20145801
585412-4 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
Component: Local Traffic Manager
Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'
Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.
8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.
Impact:
The TCP connection is reset with a reset cause of 'Out of memory' and the email is not delivered.
Workaround:
None.
Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.
585352-2 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI
Component: Application Security Manager
Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the selfLink in the iControl REST API.
Conditions:
Update brute force settings in GUI
Impact:
The unique part of the record (rest_uuid) is changed, so the existing selfLink no longer resolves.
Workaround:
Update brute force settings using the REST API
Fix:
The GUI no longer changes rest_uuid when brute force settings are updated.
585332 : Virtual Edition network settings aren't pinned correctly on startup★
Component: TMOS
Symptoms:
You notice unusually high CPU utilization on Virtual Edition after upgrading to 12.1.0 when compared to a previous release (such as version 11.6.1).
Conditions:
This occurs after upgrading to 12.1.0. In Virtual Edition version 12.1.0, there is an issue where network interface IRQs don't get pinned correctly at startup.
Impact:
Because CPU0 utilization is unusually high compared to previous releases, upgrading could put Virtual Edition into an overloaded state.
Workaround:
Run bigstart restart tmm; this restarts the network interfaces and pins their IRQs correctly.
Fix:
Fixed an issue where interfaces and their IRQs were not configured correctly during system boot.
585120-1 : Memory leak in bd under rare scenario
Component: Application Security Manager
Symptoms:
Under high traffic, bd may leak memory and cause an ASM restart under certain rare conditions.
Conditions:
ASM is enabled and under high traffic.
Impact:
Traffic is aborted while the restart is happening. Swap and memory usage are high.
Workaround:
None.
Fix:
A memory leak in the bd was fixed.
585097-1 : Traffic Group score formula does not result in unique values.
Component: TMOS
Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.
Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.
The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.
Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.
Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.
Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.
585054-1 : BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
Component: Application Security Manager
Symptoms:
When you import an XML file that contains references to violations in the delay blocking session tracking configuration, extra violations are added to the list.
Conditions:
This occurs when importing delay-type violations in ASM.
Impact:
A very large subset of the violations is added to the policy.
Fix:
BIG-IP now imports delay-type violations correctly.
584926-1 : Accelerated compression segfault when devices are all in error state.
Component: Local Traffic Manager
Symptoms:
TMM segfaults. Kernel log contains "Uncorrectable Error" and "icp_qa_al err" messages.
Conditions:
All physical or virtual devices concurrently enter error state.
Impact:
Tmm segfaults and restarts. May require a reboot.
Workaround:
Disable QAT compression using tmsh:
tmsh modify sys db compression.strategy value softwareonly
Fix:
TMM QAT compression driver will not fail if all QAT devices concurrently go down.
584921-1 : Inbound connections fail to keep port block alive
Component: Carrier-Grade NAT
Symptoms:
Connections that use a PBA port block should keep the port block from expiring. However, inbound connections to a client using a port block fail to refresh the block, causing the block to expire prematurely. An inbound connection can remain active after the port block has been deleted.
Conditions:
An inbound connection with no outbound connections fails to keep a port block alive, resulting in an inbound connection to a client without a corresponding port block.
Impact:
When reverse mapping an inbound connection to a subscriber (e.g. trying to find who was using an IP address/port at a particular time), customers may find no corresponding port block, or a port block belonging to another client, when the reverse map is performed at a time when the connection is closed.
Workaround:
When performing a reverse map, customers should use the start time of a connection to determine which port block was in use.
Fix:
Inbound connections properly refresh the port block, preventing premature expiration of the port block.
584865-1 : Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
Component: Local Traffic Manager
Symptoms:
Secondary blades in a Viprion system can disagree about the identity of the Primary blade.
Conditions:
Viprion chassis with 3 or more blades. If the primary is temporarily isolated from the other blades, a new primary will be elected. When the primary rejoins, the non-primary blades do not correctly switch back to the newly re-elected primary.
Impact:
Configuration and status may not be kept properly in sync between blades.
Fix:
Secondary blades properly identify the Primary on changes.
584670 : Output of tmsh show sys crypto master-key
Component: TMOS
Symptoms:
In this release, the output of 'tmsh show sys crypto master-key' has changed: it now displays the Base64-encoded form of a SHA-512 hash.
Conditions:
You will see this when running 'tmsh show sys crypto master-key', 'f5mku -Z', or 'f5mku -U'.
Impact:
None
584661 : Last good master key
Component: TMOS
Symptoms:
When applying a UCS file to a platform different from the one the UCS was taken on, for example after an RMA, you get a master key decrypt error because the master key is different.
Conditions:
This can occur either when applying a UCS file to an identical platform you received as an RMA exchange, or while performing the platform-migrate command.
Impact:
UCS load fails when extracting a UCS that came from another system.
Fix:
Secure Vault now stores the last good master key, which allows you to set the master key password to be the same as on the device you are importing from, and then load the UCS from that system. If master key decryption fails, the system loads the master key that was in effect before the UCS load was initiated. If that master key matches the master key from the system where the UCS was taken, the encrypted attributes in the UCS can be loaded into the configuration.
584655 : platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
Component: TMOS
Symptoms:
If you run the platform-migrate command to migrate from a UCS file generated on a platform running 10.2.4, the password protected master key won't import.
Conditions:
You would encounter this when doing platform migration from an older platform running 10.2.4, using the UCS file from that platform to platform-migrate to 12.1.1. This only occurs if your 10.2.4 UCS contains secure attributes, such as clientssl or serverssl keys and profiles.
Impact:
The platform-migrate command will fail if the 10.2.4 UCS contains a password protected master key.
Fix:
The 12.1.1 release can successfully platform-migrate UCS files from a 10.2.4 configuration if some steps are taken to generate a password protected master key on the 10.2.4 release. Without these steps, this impact remains. The 10.2.4-specific solution is described at https://support.f5.com/csp/#/article/K9420
584642-1 : Apply Policy Failure
Component: Application Security Manager
Symptoms:
Some policies cannot be successfully applied/activated.
Conditions:
Signature overrides on Content Profiles are configured.
Impact:
The policy cannot be applied.
Workaround:
None.
Fix:
Policies can be successfully applied.
584623-2 : Response to -list iRules command gets truncated when dealing with MX type wide IP
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM iRule command "members" with the "-list" flag truncates MX-type WideIP pool members when they are printed to a log.
Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.
Impact:
WideIP MX-type pool members are truncated in the log.
Workaround:
None
584583-3 : Timeout error when using the REST API to retrieve large amount of data
Component: TMOS
Symptoms:
The REST API might time out when attempting to retrieve a large dataset, such as a large GTM pool list. The error signature when using the REST API appears as follows: errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET
Conditions:
Configuration containing a large number of GTM pools and pool members (numbering in the thousands).
Impact:
If using the REST API to retrieve the pool list, you may receive timeout errors.
Workaround:
There is no workaround at this time.
Fix:
TMSH performance has been improved for this GTM case (by roughly 5-10 times); the slow TMSH query was the root cause of the REST failure. The timeout is no longer triggered for this amount of data.
584582-1 : JavaScript: 'baseURI' property may be handled incorrectly
Component: Access Policy Manager
Symptoms:
If a generic JavaScript object has a 'baseURI' property, Portal Access may handle it incorrectly: the web application may get an 'undefined' value for this property.
Conditions:
A user-defined JavaScript object with a 'baseURI' property.
Impact:
The web application may work incorrectly.
Workaround:
An iRule can be used to remove F5_Deflate_baseURI() calls from the rewritten JavaScript code.
Fix:
JavaScript objects with a 'baseURI' property are now handled correctly by Portal Access.
584545-2 : Failure to stabilize internal HiGig link will not trigger failover event
Component: Local Traffic Manager
Symptoms:
In rare cases, the internal HiGig interface may repeatedly report FCS errors or fail to become stable.
Conditions:
The internal HiGig interface experiences FCS or XLMAC link failures.
Impact:
The device is left in a state where it cannot receive or pass traffic, or it has frame checksum errors.
Workaround:
None.
Fix:
The HA failover mechanism is now activated when internal HSB ports on the critical data path are consistently unstable.
Behavior Change:
There is a condition in which failures happen on the internal HiGig interfaces on the critical packet path between the HSB and the Broadcom switch, causing traffic interruption. Such failures can be inferred from HSB XLMAC instability or from increasing FCS error counts. When these HSB XLMAC failures occurred in the past, TMOS initiated a recovery mechanism by resetting the HSB MAC interface. Now, if the failure persists even after repeated recovery attempts, TMOS triggers a high availability (HA) failover event to prevent prolonged traffic disruption. The failover triggering condition is met when either consecutive recovery attempts or consecutive FCS failure events reach a configurable preset limit. After the HA failover is triggered, the original active unit keeps trying to recover, and marks itself ready if the failure condition is no longer observed. The XLMAC reset is existing behavior; the failover on persistent failure is new, and it also applies to FCS failure events.
584471-1 : Priority order of clientssl profile selection of virtual server.
Component: Local Traffic Manager
Symptoms:
When an SSL connection with a specified server name is received on a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
The issue is that, based on RFC 6125, the common name should be used as a 'last resort'. In other words, the third rule should be the second rule.
Conditions:
The issue occurs when all of the following conditions are met:
(1) The incoming SSL request includes the SNI (server name) extension in the ClientHello, used to specify the desired SSL server.
(2) The server name given by the client does not match any server name configured in any of the clientssl profiles of the virtual server.
(3) The certificates used by the clientssl profiles of the virtual server have subject alternative names (note that every certificate has a common name but not necessarily subject alternative names).
Impact:
The virtual server might select a clientssl profile that is not preferred by the client side.
Workaround:
None.
Fix:
Priority order of clientssl profile selection of virtual server. The system now matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the common names of the certificates used by the clientssl profiles.
So the common-name match is last, which is correct according to RFC 6125.
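The matching order above, as an added example (not F5 code, and not how TMM implements it internally): a small model of clientssl profile selection that can run with either the pre-fix rule order (server name, CN, SAN) or the fixed order (server name, SAN, CN), on a constructed virtual server whose profiles were chosen so the two orders disagree. The profile names, hostnames and the dataclass fields are assumptions for the illustration.

```python
"""Added example, not F5 code: a model of the clientssl profile selection order
described in 584471-1, with the pre-fix order (server name, CN, SAN) and the
fixed order (server name, SAN, CN). Profiles and names are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientSslProfile:
    name: str
    server_name: Optional[str]                         # explicit Server Name setting
    cert_cn: str                                       # certificate subject CN
    cert_sans: List[str] = field(default_factory=list)  # subjectAltName dNSName values


def _names_equal(a: Optional[str], b: str) -> bool:
    """DNS names compare case-insensitively; a trailing root dot is ignored."""
    return a is not None and a.lower().rstrip(".") == b.lower().rstrip(".")


def rule_server_name(p: ClientSslProfile, sni: str) -> bool:
    return _names_equal(p.server_name, sni)


def rule_cn(p: ClientSslProfile, sni: str) -> bool:
    return _names_equal(p.cert_cn, sni)


def rule_san(p: ClientSslProfile, sni: str) -> bool:
    return any(_names_equal(san, sni) for san in p.cert_sans)


PRE_FIX_ORDER = (rule_server_name, rule_cn, rule_san)  # CN consulted before SAN
FIXED_ORDER = (rule_server_name, rule_san, rule_cn)    # CN is the last resort (RFC 6125)


def select_profile(sni: str, profiles: List[ClientSslProfile], order=FIXED_ORDER) -> Optional[str]:
    """Try each rule in order against every profile; the first hit wins.
    Returns the matched profile's name, or None when nothing matches."""
    for rule in order:
        for profile in profiles:
            if rule(profile, sni):
                return profile.name
    return None


# Constructed virtual server: 'cn-profile' holds a cert whose CN is www.example.com,
# 'san-profile' holds a cert whose SAN list contains www.example.com.
PROFILES = [
    ClientSslProfile("cn-profile", None, "www.example.com"),
    ClientSslProfile("san-profile", None, "example.com", ["www.example.com", "api.example.com"]),
    ClientSslProfile("named-profile", "shop.example.com", "shop.example.com"),
]

if __name__ == "__main__":
    print("pre-fix:", select_profile("www.example.com", PROFILES, PRE_FIX_ORDER))
    print("fixed:  ", select_profile("www.example.com", PROFILES, FIXED_ORDER))
```

With the constructed profiles the pre-fix order returns 'cn-profile' and the fixed order returns 'san-profile' for the same SNI; an explicit Server Name match ('shop.example.com') wins under both orders.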
584374-2 : iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
Solution Article: K67622400
Component: Global Traffic Manager (DNS)
Symptoms:
iRule command RESOLV::lookup causes tmm crash when resolving an IP address.
Conditions:
Using the RESOLV::lookup iRule command to resolve an IP address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the RESOLV::lookup command to resolve an IP address.
Fix:
TMM no longer crashes when the iRule command RESOLV::lookup is used.
584373-2 : AD/LDAP resource group mapping table controls are not accessible sometimes
Component: Access Policy Manager
Symptoms:
AD/LDAP resource group mapping: when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the dialog bounds.
Conditions:
Very long group names and resource names.
Impact:
It is impossible to delete or move rows in the table; editing is still possible, though.
Workaround:
Spread one assignment across multiple rows.
Fix:
A scroll bar now appears when needed.
584310-1 : TCP::Collect ignores the 'skip' parameter when used in serverside events
Component: Local Traffic Manager
Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start.
Conditions:
TCP::Collect in server-side events such as SERVER_CONNECTED, used with the 'skip' parameter. This is an intermittent issue that has been observed only with IIS servers.
Impact:
TCP::Collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.
Workaround:
None.
Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.
584213-1 : Transparent HTTP profiles cannot have iRules configured
Component: Local Traffic Manager
Symptoms:
When an HTTP profile is configured in transparent mode but has a nonexistent iRule attached to it, tmm will crash.
Conditions:
-- An iRule is attached, for example:
when HTTP_PROXY_REQUEST {
    after 1000
}
-- The proxy is transparent.
-- The configuration is changed from explicit to transparent while the system is processing the 'after' command.
-- There is then an attempt to use a configuration that does not exist.
Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.
Workaround:
This is an incorrect configuration. Either detach the iRule or configure the profile in a mode other than transparent.
Fix:
Incorrectly configured proxy types from TMOS installations of earlier versions will be corrected at upgrade time. A warning will be logged that describes the change made.
584210-1 : TMM may core when running two simultaneous WebSocket collect commands
Component: Local Traffic Manager
Symptoms:
TMM may core with a SIGFPE when running two or more WebSocket collect commands in parallel.
Conditions:
-- WebSocket profile is attached to the virtual server.
-- Multiple iRules with WebSocket collect commands are attached to the virtual server.
Impact:
TMM may core with a SIGFPE resulting in loss of service.
Workaround:
Behavior is undefined when multiple collect commands are running at the same time. Rewrite iRules to have only one collect command executing at a time.
Fix:
iRule documentation was updated and WebSocket filter state machine was changed to reject multiple collect commands.
584103-2 : FPS periodic updates (cron) write errors to log
Component: Application Security Manager
Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.
Conditions:
FPS is not provisioned.
Impact:
Errors appear in the FPS logs.
584082-3 : BD daemon crashes unexpectedly
Component: Application Security Manager
Symptoms:
bd crashes, with the following log signature immediately before the crash in /var/log/bd.log:
"IO_PLUGIN|ERR |Mar 29 20:48:02.217|17328|plugin_common.c:0085|plugin context doesn't match the argument which was originally set on it".
Conditions:
It is not known exactly what triggers this condition; it can occur intermittently during normal use of ASM.
Impact:
A bd crash, failover, traffic disturbance.
Workaround:
None.
Fix:
Fixed a bd crash scenario.
584029-6 : Fragmented packets may cause tmm to core under heavy load
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file while processing fragmented packets.
As a result of this issue, you may encounter one or more of the following symptoms:
-- TMM generates a core file in the /shared/core directory.
-- In one of the /var/log/tmm log files, you observe an error message similar to the following example:
notice panic: ../base/flow_fwd.c:255: Assertion "ffwd flag set" failed.
panic: ../net/packet.c:168: Assertion "packet is locked by a driver" failed.
notice ** SIGFPE **
Conditions:
This issue occurs when all of the following conditions are met:
-- The TMM process offloads a fragmented packet by way of an ffwd operation.
-- Your BIG-IP system is under heavy load.
Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.
Workaround:
None.
Fix:
Fragmented packets no longer cause tmm to core under heavy load.
583957-6 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.
Component: Local Traffic Manager
Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.
Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client side.
A pipelined HTTP request is being handled.
Impact:
The TMM is restarted by SOD.
Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.
583943-1 : Forward proxy does not work when netHSM is configured on TMM interfaces
Solution Article: K27491104
Component: Local Traffic Manager
Symptoms:
Forward proxy feature does not always work when netHSM is configured on TMM interfaces.
Conditions:
A netHSM device is configured on a TMM interface.
Impact:
The forward proxy feature does not work. This is an intermittent issue.
Workaround:
None.
Fix:
Forward proxy now works consistently when netHSM is configured on TMM interfaces.
583936-5 : Removing ECMP route from BGP does not clear route from NSM
Component: TMOS
Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.
Conditions:
ECMP routing must be enabled and in-use.
Impact:
ECMP routes are not properly removed from the main routing table.
Fix:
ECMP routes are now properly removed from the routing table.
583754-7 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
Component: TMOS
Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.
Conditions:
TMM must be down.
Impact:
Non-obvious / unhelpful error message is generated, leading to confusion.
Workaround:
N/A
583700-3 : tmm core on out of memory
Component: Local Traffic Manager
Symptoms:
tmm memory increases quickly, then tmm crashes on an out-of-memory condition.
Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH ciphers.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Ongoing crypto requests are now cancelled when the handshake is dropped.
583686-2 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
Component: Application Security Manager
Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.
Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.
Impact:
Unable to view or edit the policy, and the 'Illegal meta character in value' violation is triggered.
583678-1 : SSHD session.c vulnerability CVE-2016-3115
Solution Article: K93532943
583631-2 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
Component: Local Traffic Manager
Symptoms:
The Server SSL ClientHello does not encode the lowest supported TLS version: the outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS 1.2, the outer record will also contain TLS 1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.
Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.
Impact:
The connection fails. The system might generate an alert.
Workaround:
Force the server SSL profile to use a lower TLS version by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'Options' section of the Server SSL profile.
Fix:
When enabled by setting the db variable 'SSL.OuterRecordTls1_0' to 'enable' (the default), the outer SSL record always contains TLS 1.0. You can use this db variable to prevent an issue with older servers that do not support TLS versions later than 1.0, in which an alert might be generated and the connection closed.
Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the version present in the outer record is TLS 1.0 regardless of the version in the ClientHello.
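The two version fields this entry talks about, as an added example (not F5 code): the record-layer version in the five-byte TLS record header and the client_version inside the ClientHello body. The block builds a minimal ClientHello and parses both fields back, once with the pre-fix rule (outer version mirrors the hello version) and once with the behaviour 'SSL.OuterRecordTls1_0' selects (outer version pinned to TLS 1.0). The random bytes and the single cipher suite are constructed filler; the function names are assumptions.

```python
"""Added example, not F5 code: builds a minimal TLS ClientHello record and shows the
two version fields 583631-2 concerns, the record-layer (outer) version and the
client_version inside the ClientHello. All bytes are constructed."""
import struct

TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_TYPE_CLIENT_HELLO = 0x01


def build_client_hello_record(record_version: int, hello_version: int) -> bytes:
    """Return a handshake record carrying a minimal ClientHello (one suite, no extensions)."""
    body = struct.pack("!H", hello_version)        # client_version
    body += bytes(32)                              # random (zeros, constructed)
    body += b"\x00"                                # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                            # compression_methods: null only
    body += struct.pack("!H", 0)                   # extensions length 0
    handshake = bytes([HANDSHAKE_TYPE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([CONTENT_TYPE_HANDSHAKE]) + struct.pack("!HH", record_version, len(handshake))
    return header + handshake


def parse_versions(record: bytes):
    """Return (outer record version, ClientHello client_version) as names."""
    if len(record) < 11 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    outer, length = struct.unpack("!HH", record[1:5])
    if length != len(record) - 5:
        raise ValueError("record length mismatch")
    if record[5] != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    inner = struct.unpack("!H", record[9:11])[0]   # 5 record + 4 handshake header bytes

    def name(v: int) -> str:
        return TLS_VERSIONS.get(v, f"0x{v:04x}")

    return name(outer), name(inner)


def pre_fix_record(hello_version: int) -> bytes:
    """Pre-fix behaviour: the outer record version mirrors the ClientHello version."""
    return build_client_hello_record(hello_version, hello_version)


def outer_record_tls1_0(hello_version: int) -> bytes:
    """Behaviour with SSL.OuterRecordTls1_0 enabled: the outer version is always TLS 1.0."""
    return build_client_hello_record(0x0301, hello_version)


if __name__ == "__main__":
    print("pre-fix:", parse_versions(pre_fix_record(0x0303)))
    print("fixed:  ", parse_versions(outer_record_tls1_0(0x0303)))
```

A server that rejects a record whose outer version it does not recognise never gets as far as reading the ClientHello, which is why pinning the outer version helps: the negotiated version is carried by client_version, and the record header only has to be acceptable to the peer's record layer.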
583516-2 : tmm ASSERTs 'valid node' on Active, after timer fire.
Component: TMOS
Symptoms:
TMM crashes on the assertion 'valid node'.
Conditions:
The cause is unknown, and this happens rarely.
Impact:
tmm crash.
Workaround:
None.
Fix:
TMM no longer asserts on 'valid node'.
583475-1 : The BIG-IP may core while recompiling LTM policies
Component: TMOS
Symptoms:
In some rare and still unknown situations the BIG-IP Mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.
Conditions:
Creating or modifying LTM policies.
Impact:
The BIG-IP control plane services restart, affecting both control plane and data plane functionality.
Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.
Fix:
Not fixed yet.
583355-1 : The TMM may crash when changing profiles associated with plugins
Component: Local Traffic Manager
Symptoms:
The TMM may crash when changing profiles associated with plugins.
Conditions:
There must be a profile associated with a plugin already on a virtual server, and traffic must be running. When the profile is removed or swapped for another, the crash may occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A safe way to avoid the crash is to stop the plugin before making changes to its profile.
583285-5 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase 2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime expires.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.
Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.
583272-2 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
Component: Access Policy Manager
Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.
The root cause, visible in a packet capture, is that APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy
Brackets are for raw IPv6 address literals; they are illegal around DNS names, even names that resolve to an IPv6 address.
Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.
Impact:
Client is unable to authenticate.
Workaround:
None.
Fix:
Clients connecting to an APM access policy with on-demand certificate authentication to an IPv6 virtual server now transmit the client certificate correctly when executing the access policy.
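The URL-authority rule the entry above states (brackets only around a raw IPv6 literal, never around a DNS name), as an added example that is not F5 code: a host formatter built on the standard-library ipaddress module, plus a redirect-URL builder around it. The function names are assumptions; the hostnames and addresses are constructed.

```python
"""Added example, not F5 code: format the host part of a redirect Location URL so that
only raw IPv6 literals are bracketed (RFC 3986 authority syntax), which is the rule
583272-2 describes. Hosts and addresses below are constructed."""
import ipaddress
from typing import Optional
from urllib.parse import urlunsplit


def format_host(host: str) -> str:
    """Return the host ready for a URL authority: IPv6 literals bracketed, names as-is."""
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]                   # normalise already-bracketed (or wrongly bracketed) input
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host                         # a DNS name: never bracket it
    return f"[{addr.compressed}]" if addr.version == 6 else str(addr)


def redirect_location(host: str, path: str, port: Optional[int] = None, scheme: str = "https") -> str:
    """Build the value of a Location header for a redirect to host/path."""
    authority = format_host(host)
    if port is not None:
        authority += f":{port}"
    return urlunsplit((scheme, authority, path, "", ""))


if __name__ == "__main__":
    print(redirect_location("login.example.com", "/my.policy"))
    print(redirect_location("2001:db8::1", "/my.policy"))
```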
583177 : LCD text truncated by heartbeat icon on VIPRION
Component: TMOS
Symptoms:
While looking at informational text on the first line of the LCD display on a VIPRION, the end of the string is truncated by a heartbeat icon.
Conditions:
This occurs on platforms that display a heartbeat icon on the LCD display.
Impact:
The heartbeat icon is displayed over the last character of the string; this is cosmetic.
Fix:
In this release, longer messages on the LCD are now displayed on multiple lines.
583113-1 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
Component: Access Policy Manager
Symptoms:
The following iRule did not work as expected when the access profile had NTLM auth. The client still received a 407 prompt to enter NTLM credentials:
when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}
Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.
Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.
Workaround:
The following iRule works from HTTP_REQUEST:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}
Fix:
When the ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM is configured, then wake up the ECA plugin".
The fix changed the logic to "if NTLM is configured and the ACCESS filter is not disabled, then wake up the ECA plugin".
583111-1 : BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
Component: TMOS
Symptoms:
When BGP is configured with 'no bgp default ipv4-unicast,' configuring a peer-group with IPv6 members adds 'neighbor <neighbor> activate' for the IPv6 neighbors under address-family ipv4.
Conditions:
This occurs when the following conditions are met:
-- 'no bgp default ipv4-unicast' is configured in imish.
-- 'neighbor <neighbor> peer-group <peergroup>' is configured.
Impact:
Despite disabling IPv4 unicast for BGP by default, neighbors in the peer group have the IPv4 unicast address family enabled.
Workaround:
Delete the line in the configuration that was automatically added in imish in the 'router bgp' section:
no neighbor <neighbor> activate
Fix:
Configuring IPv6 members of a peer-group when 'no bgp default ipv4-unicast' no longer automatically enables IPv4 unicast for the peer-group members.
583108-1 : Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
Component: TMOS
Symptoms:
When a neighbor with an IPv4 address is disabled in the IPv6 address family, the running configuration shows that the neighbor is disabled. However, when tmrouted or the BGP protocol is restarted, or the system is rebooted, the neighbor is enabled again. Configuration persistence is not maintained.
Conditions:
1. Disable a neighbor with an IPv4 address in the IPv6 address family.
2. Reboot, or restart tmrouted or the BGP protocol.
Impact:
Configuration persistence is not maintained. This impacts BIG-IP upgrades, as the configuration loaded is not the same as it was before the upgrade. Similarly, a restart or reboot loads a different configuration than was originally used. This might alter the intended behavior of the protocol that the user expects.
Workaround:
Disable the neighbor again.
Fix:
Configuration persistence is now maintained for a disabled neighbor with an IPv4 address in the IPv6 address family.
583024-1 : TMM rarely restarts during startup
Component: Advanced Firewall Manager
Symptoms:
A TMM crashes with a core file during startup. It then restarts correctly.
Conditions:
The system starts up.
Impact:
The system startup takes longer. A core file appears. Traffic is not impacted and a failover usually doesn't occur since the system didn't reach the active state.
Workaround:
None.
Fix:
TMM no longer crashes during startup.
583010-4 : Sending a SIP invite with 'tel' URI fails with a reset
Component: Service Provider
Symptoms:
Using an 'INVITE tel:' URI results in a SIP error (Illegal value).
Conditions:
Sending a SIP 'INVITE tel:' to the BIG-IP system.
Impact:
'INVITE tel:' messages are not accepted by the BIG-IP system.
Workaround:
None.
Fix:
'INVITE tel:' messages are now accepted by the BIG-IP system.
582773-5 : DNS server for child zone can continue to resolve domain names after revoked from parent
Component: Global Traffic Manager (DNS)
Symptoms:
See CVE-2012-1192. A domain name in a child server may continue to be resolved by the child server even after the parent server revokes the NS record for the child server.
Conditions:
A steady series of DNS queries for a domain name in the child. The TTL for the domain name A record is shorter than the TTL for the NS record for the child name server. The NS record is removed from the parent server.
Impact:
The revoked child server will still be used by a client after it is revoked.
Workaround:
Restart the TMM to clear out the cache.
Fix:
The NS record TTL is no longer updated to the value returned from the child server.
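The caching rule behind this fix, as an added example (not F5 code, and a deliberately simplified model of a resolver): a toy cache that either re-arms the child zone's delegation from the NS record the child returns in its own answers (the pre-fix behaviour) or keeps the expiry the parent gave it (the fixed rule). Driving it with a steady stream of queries while the parent has revoked the delegation shows the difference the entry describes: the revoked child keeps being used forever in the first case and stops being used when the parent's TTL runs out in the second. Zone names, TTLs and the address are constructed.

```python
"""Added example, not F5 code: a toy resolver cache contrasting the two NS-TTL rules
described in 582773-5 (CVE-2012-1192). refresh_ns_from_child=True models the pre-fix
behaviour; False models the fix. Zone names, TTLs and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

ZONE = "child.example."
QNAME = "www.child.example."
PARENT_NS_TTL = 3600    # TTL of the NS record in the parent's delegation (constructed)
CHILD_A_TTL = 60        # TTL of the A record served by the child (constructed)


@dataclass
class Entry:
    value: str
    expires_at: int


class ResolverCache:
    def __init__(self, refresh_ns_from_child: bool):
        self.refresh_ns_from_child = refresh_ns_from_child
        self.ns: Dict[str, Entry] = {}   # zone -> cached delegation
        self.a: Dict[str, Entry] = {}    # name -> cached address

    def resolve(self, now: int, parent_has_delegation: bool) -> Optional[str]:
        cached = self.a.get(QNAME)
        if cached and cached.expires_at > now:
            return cached.value                          # served from cache, no lookup
        ns = self.ns.get(ZONE)
        if ns is None or ns.expires_at <= now:
            if not parent_has_delegation:
                self.ns.pop(ZONE, None)                  # parent no longer delegates: fail
                return None
            self.ns[ZONE] = Entry("ns1.child.example.", now + PARENT_NS_TTL)
        # The child answers with the A record and its own copy of the NS record
        # in the authority section, carrying a fresh TTL.
        answer_ip, child_ns_ttl = "192.0.2.53", PARENT_NS_TTL
        self.a[QNAME] = Entry(answer_ip, now + CHILD_A_TTL)
        if self.refresh_ns_from_child:
            self.ns[ZONE].expires_at = now + child_ns_ttl  # pre-fix: delegation re-armed by the child
        return answer_ip


def last_resolvable_time(refresh_ns_from_child: bool, revoke_at: int = 1,
                         interval: int = 60, horizon: int = 4 * 3600) -> Optional[int]:
    """Query every `interval` seconds up to `horizon`; the parent revokes the delegation
    at `revoke_at`. Return the time of the last successful resolution, or None."""
    cache = ResolverCache(refresh_ns_from_child)
    last = None
    for now in range(0, horizon, interval):
        if cache.resolve(now, parent_has_delegation=now < revoke_at) is not None:
            last = now
    return last


if __name__ == "__main__":
    print("pre-fix last success:", last_resolvable_time(True))
    print("fixed   last success:", last_resolvable_time(False))
```

With the fixed rule the last successful answer comes at 3540 s, the final query before the parent's 3600 s TTL expires; with the pre-fix rule the child is still answering at the end of the four-hour window.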
582769-1 : WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
Solution Article: K99405272
Component: Local Traffic Manager
Symptoms:
WebSockets frames are not forwarded with WebSocket profile and ASM enabled on virtual.
Conditions:
Virtual has WebSocket profile attached to it. ASM is enabled on the virtual. WebSockets server replies with a "Connection: upgrade" header. The issue is also seen if multiple header values are present in Connection header.
Impact:
WebSockets frames are not forwarded to the pool member.
Workaround:
Use a simple iRule similar to the following:
when HTTP_RESPONSE {
    if { [HTTP::status] == 101 } {
        HTTP::header replace "Connection" "Upgrade"
    }
}
Fix:
The system now accepts "Connection: UPGRADE" or "Connection: upgrade" as valid header for WebSocket handshake, and supports a comma-separated list of values for the Connection response header.
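The header check the fix describes, as an added example that is not F5 code: a Connection-header tokenizer that accepts any case and any position in a comma-separated list (RFC 7230 list syntax), beside the strict exact-string comparison that rejected "Connection: upgrade", both wrapped in a small handshake-completion check. The function names and the sample responses are constructed.

```python
"""Added example, not F5 code: the Connection-header check described in 582769-1,
tolerant of case and of comma-separated token lists, beside the strict comparison
that rejected 'Connection: upgrade'. Header values are constructed."""
from typing import Dict, List


def connection_tokens(value: str) -> List[str]:
    """Split a Connection header into lower-cased tokens (RFC 7230 #token list)."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def strict_is_upgrade(value: str) -> bool:
    """Pre-fix behaviour: only the exact spelling 'Upgrade' is recognised."""
    return value == "Upgrade"


def tolerant_is_upgrade(value: str) -> bool:
    """Fixed behaviour: any case, anywhere in a comma-separated list."""
    return "upgrade" in connection_tokens(value)


def is_websocket_handshake(status: int, headers: Dict[str, str], strict: bool = False) -> bool:
    """Does a server response complete a WebSocket handshake (RFC 6455 section 4.2.2)?"""
    if status != 101:
        return False
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    check = strict_is_upgrade if strict else tolerant_is_upgrade
    return check(lower.get("connection", "")) and lower.get("upgrade", "").strip().lower() == "websocket"


# Constructed server responses: the canonical form and the two variants the entry mentions.
RESPONSES = {
    "canonical": {"Connection": "Upgrade", "Upgrade": "websocket"},
    "lowercase": {"Connection": "upgrade", "Upgrade": "websocket"},
    "list": {"Connection": "keep-alive, Upgrade", "Upgrade": "websocket"},
}

if __name__ == "__main__":
    for name, hdrs in RESPONSES.items():
        print(name, "strict:", is_websocket_handshake(101, hdrs, strict=True),
              "tolerant:", is_websocket_handshake(101, hdrs))
```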
582752-3 : Macrocall could be topologically not connected with the rest of policy.★
Component: Access Policy Manager
Symptoms:
It is possible to create a macrocall access policy item that:
1. Belongs to the policy items list.
2. Is correctly connected to an ending.
3. Has no incoming rules (i.e., no items point at it).
Conditions:
1. Create an access policy with a macrocall item in one of the branches.
2. Remove the item that refers to this macrocall item from the access policy.
As a result, the macrocall item remains.
Impact:
VPE fails to render this access policy.
Workaround:
Delete the macrocall access policy item manually using tmsh commands.
Fix:
Any modification of an access policy is not allowed if it makes any access policy item non-referenced.
At upgrade time, non-referenced access policy items are deleted. All subsequent access policy items are deleted as well. The resulting access policies can be rendered correctly by VPE. Note that only the active configuration is corrected; the saved configuration file (/config/bigip.conf) contains the uncorrected version until new configuration changes are made. The active configuration can be saved with an explicit tmsh command ('tmsh save sys config partitions all').
582683-2 : xpath parser doesn't reset a namespace hash value between each and every scan
Component: Application Security Manager
Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.
Conditions:
The customer has a virtual server configured with an XML, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.
Impact:
XML content based routing does not work dependably.
Workaround:
N/A
Fix:
The xpath parser now restores the namespace declarations each time it finishes parsing a document.
582629-1 : User session lookups are not cleared; session stats are marked as invalid
Component: Application Visibility and Reporting
Symptoms:
AVR session statistics may be reported as excessively high, and when the sessions time out they get marked as invalid instead of being removed.
Conditions:
The exact conditions which cause this in a production configuration are unknown, as this was discovered during internal testing.
Impact:
Session statistics are reported incorrectly.
Fix:
An issue with session statistics not clearing after session timeout has been fixed.
582526-3 : Unable to display and edit huge policies (more than 4000 elements)
Component: Access Policy Manager
Symptoms:
It takes a very long time or is not possible to display huge policies (more than 4000 elements). VPE returns a server timeout error or simply halts.
Conditions:
Huge Access Policy, for example, containing 4000 or more elements.
Impact:
Unable to edit policy because VPE times out.
Workaround:
None.
Fix:
VPE loading times for APM policies are greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.
582487-2 : 'merged.method' set to 'slow_merge,' does not update system stats
Component: Local Traffic Manager
Symptoms:
When the statistics DB variable 'merged.method' is set to 'slow_merge', system stats are not updated and remain zero.
Conditions:
merged.method is set to slow_merge.
Impact:
System stats such as overall CPU usage remain at zero.
Workaround:
Set merged.method to fast_merge.
Fix:
When the statistics DB variable 'merged.method' is set to 'slow_merge', system stats are now updated as expected.
582465-1 : Cannot generate key after SafeNet HSM is rebooted
Component: Local Traffic Manager
Symptoms:
After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key.
Conditions:
The BIG-IP system uses the SafeNet HSM.
Impact:
HSM service is not usable even after restarting pkcs11d. Users must re-authenticate.
Workaround:
To generate a new key, after HSM finishes starting up, run the following commands:
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>
Or, you can reinstall SafeNet client.
Fix:
After the SafeNet Hardware Security Module (HSM) is restarted, users can now generate a new key.
582374-1 : Multiple 'Loading state for virtual server' messages in admd.log
Component: Anomaly Detection Services
Symptoms:
When a dosl7d profile is configured on a BIG-IP system that is in a device group and the BIG-IP system is set to "Forced Offline" in the Device Management settings, admd logs multiple messages to admd.log similar to the following: 47854390298368 Mar 22 02:38:50 [info] virtual bool CVirtualServerImpl::loadState() : Loading state for virtual server
Conditions:
- dosl7d profile attached to a virtual server
- BIG-IP is part of a DSC cluster
- a BIG-IP is forced offline in the cluster
Impact:
Excessive logging occurs to /var/log/adm/admd.log
Workaround:
None
Fix:
An issue with excessive logging to admd.log has been fixed.
582133-1 : Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
Component: Application Security Manager
Symptoms:
When the conditions of the "Track Site Change" settings are met, the staging flag on "*" entities is supposed to be turned ON so that subsequent site changes are learned without blocking traffic. However, this does not happen: the staging flag stays OFF.
Conditions:
Staging is set OFF on a "*" entity, and the conditions of the "Track Site Change" settings are subsequently met.
Impact:
When the protected web application has changed, ASM can block traffic that should not be blocked.
Workaround:
The staging flag can be turned ON manually in the GUI.
Fix:
The problem was a side effect of other code changes. The code now accounts for the "Track Site Change" conditions and changes the staging flag when needed.
582084-1 : BWC policy in device sync groups.
Component: TMOS
Symptoms:
When a BWC policy is created both in the global sync group and locally, the configuration displays an error.
Conditions:
A BWC policy is created both in the global sync group and locally.
Impact:
Configuration error; BWC policies are not synced.
Workaround:
Ensure that the BWC policy exists in the global sync group only.
Fix:
BWC policies are now configured for device group sync in the global group only, not locally.
582029-4 : AVR might report incorrect statistics when used together with other modules.
Component: Application Visibility and Reporting
Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, AVR can get false readings of the activity and, as a result, report unexpectedly large numbers.
Conditions:
The AVR module is used together with other modules that affect the traffic flow.
Impact:
AVR reports incorrect statistics: unexpectedly large numbers.
Workaround:
None.
Fix:
AVR now identifies the other modules' activity and collects the activity statistics accordingly.
581991-1 : Logging filter for remote loggers doesn't work correctly with more than one logging profile
Component: Application Security Manager
Symptoms:
A log message arrives at a remote logger even though that logger's filter has criteria the message does not match.
Conditions:
More than one logging profile is attached to a virtual server, and the logging profiles have different filter conditions.
Impact:
Unrelated messages are delivered to the remote logger.
Fix:
Fixed an issue with multiple remote logging profiles that have different filters.
581945-2 : Device-group 'datasync-global-dg' becomes out-of-sync every hour
Component: TMOS
Symptoms:
The datasync-global-dg device-group may become out-of-sync unexpectedly without any user changes.
When this happens, you can manually sync the device-group, but after about an hour, the device-group becomes out-of-sync again.
Conditions:
-- This happens only in certain timezones, depending on the timezone configured on the BIG-IP system. (This issue has been seen only in relation to the Europe/London timezone.)
-- The problem starts happening about three days after the first installation of an ASM Signature Update (ASU) or FPS Engine/Signature Update.
Impact:
GUI/shell shows config-sync 'possible change conflict' or 'changes pending' in regards to the datasync-global-dg device-group.
Workaround:
There is no workaround other than manually syncing the device-group approximately every hour.
Fix:
The datasync-global-dg device-group no longer becomes out-of-sync unexpectedly and repeatedly every hour.
581840-5 : Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
Solution Article: K46576869
Component: Device Management
Symptoms:
Managing a BIG-IP version 11.6.1 or 11.6.1 HF1 system with an administrator account named something other than "admin" can fail.
Conditions:
This can occur when BIG-IQ manages a BIG-IP version 11.6.1 or 11.6.1 HF1 system with an account other than "admin".
Impact:
You cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
Workaround:
Install 11.6.1 HF2 on the BIG-IP system, or use an administrator account named "admin" for managing the device.
Fix:
BIG-IQ can now manage BIG-IP version 11.6.1 or 11.6.1 HF1 systems.
Behavior Change:
Local requests through the iControl client are now made on port 80 instead of 443.
581835-1 : Command failing: tmsh show ltm virtual vs_name detail.
Component: TMOS
Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:
01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.
Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.
Impact:
No information is displayed by the tmsh show command.
Workaround:
None.
Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.
581834-5 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.
Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin
Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above
Fix:
The Firefox plugin now supports all versions.
581824-2 : "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.
Component: Global Traffic Manager (DNS)
Symptoms:
When you attempt to view the monitors' properties, the page throws an "Instance not found" error.
Conditions:
Viewing the properties page of the GSLB monitors tcp_half_open, gateway_icmp, or bigip_link.
Impact:
You cannot view these monitors' properties.
Fix:
Fixed the "Instance not found" error.
581811 : The blade alarm LED may not reflect the warning that non-F5 optics are used.
Component: TMOS
Symptoms:
When non-F5 optics are used in front switch ports, the LCD and /var/log/ltm display a warning message, but the alarm LED may not reflect it.
Conditions:
This is caused by a race condition. When a blade comes up and decides its role as a primary blade or a secondary blade, it will clear the alarm LED. So the last blade coming up may have its alarm LED in the right state, but the blades that came up earlier may have their alarm LEDs cleared.
Impact:
The alarm LED may not reflect the warning.
Workaround:
None.
Fix:
The problem is fixed in TMOS v12.1.1.
581746-1 : MPTCP or SSL traffic handling may cause a BIG-IP outage
Solution Article: K42175594
Component: Local Traffic Manager
Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.
Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.
Impact:
A system outage may occur.
Workaround:
None.
Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.
581438-2 : Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
Component: Global Traffic Manager (DNS)
Symptoms:
Prior to this, only 16 pool members could be chosen during a single load-balancing decision.
Impact:
Cannot return more than 16 pool members in a DNS response.
Fix:
GTM now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.
Behavior Change:
BIG-IP DNS GSLB now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.
581406-1 : SQL Error on Peer Device After Receiving ASM Sync in a Device Group
Component: Application Security Manager
Symptoms:
When a "Block All" Session Tracking Status exists and a full sync occurs in an ASM CMI device group (always the case in a manual sync device group), an SQL error appears on the peer while the full sync is loaded:
"Failed on insert to PLC.PL_SESSION_AWARENESS_DATA_POINT (DBD::mysql::db do failed: Duplicate entry '<ID>' for key 'PRIMARY')"
Conditions:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)
Impact:
Benign error which does not affect configuration or enforcement.
Workaround:
None
Fix:
SQL error no longer occurs on CMI Sync with Session Awareness
581315-1 : Selenium detection not blocked
Component: Application Security Manager
Symptoms:
When a Selenium WebDriver client driving the Chrome browser is detected, it is not blocked because the PBD (Suspicious Browsers) mechanism assigns it a low score.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.
Impact:
A bot running the Selenium Chrome WebDriver is not mitigated by the DoS L7 PBD mechanism.
Workaround:
N/A
Fix:
For desktop Google Chrome browsers only, the PBD JavaScript now checks whether a plugin named "Widevine Content Decryption Module" is present. If it is absent, the browser is considered to be driven by Selenium and is blocked by PBD.
581101-1 : Non-admin user running a list command cannot get the object count
Component: TMOS
Symptoms:
A non-admin user running a list command cannot get the object count.
Conditions:
Log in as a non-admin user.
Impact:
Very minor: non-admin users have some restrictions on what they can view.
Workaround:
Use an admin account.
Fix:
Non-admin user rights have been fixed.
580893-2 : Support for Single FQDN usage with Citrix Storefront Integration mode
Solution Article: K08731969
Component: Access Policy Manager
Symptoms:
Adding a new login account in Citrix Receiver enumerates the applications and desktops, but logging off and reconnecting with the same account fails.
Conditions:
-- Citrix Storefront Integration mode with APM.
-- Using the same FQDN to access both Storefront as well as an APM virtual server.
Impact:
Clients are unable to connect.
Workaround:
No workaround other than using different FQDNs.
Fix:
You can now use the same FQDN to successfully access both Storefront as well as an APM virtual server.
580753-1 : eventd might core on transition to secondary.
Solution Article: K82583534
Component: TMOS
Symptoms:
Upon transition to secondary, eventd shuts down its consumer list. During this shutdown there can still be queued events yet to be processed, which leads to a race condition between processing the events and freeing the consumer's memory.
Conditions:
This happens when eventd is shut down while processing events.
Impact:
eventd crashes with a segmentation fault and dumps core.
Workaround:
None.
Fix:
eventd no longer cores on transition to secondary when eventd is being shutdown while processing events.
580747-1 : libssh vulnerability CVE-2016-0739
Solution Article: K57255643
580596-1 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
Solution Article: K14190 K39508724
580567-1 : LDAP Query agent failed to resolve nested group membership
Component: Access Policy Manager
Symptoms:
Not all nested group memberships are resolved for a user.
Conditions:
Several conditions need to be met:
1. The LDAP Query agent is configured to connect to a Global Catalog (GC) in an AD environment; AND
2. There are sub-domains in the AD environment; AND
3. A user who is a member of a group from one of the sub-domains logs in.
Impact:
User authentication might fail, or the user might not get all assigned resources, because of missing nested group membership.
Fix:
The LDAP Query agent now retrieves group membership from the server when talking to the Global Catalog.
580537-1 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
Component: Global Traffic Manager (DNS)
Symptoms:
The geoip_update_data script does not install City2 GeoIP data.
Conditions:
Attempting to install the City2 GeoIP data.
Impact:
The City2 GeoIP data must be installed manually.
Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:
rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat
Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.
580500-1 : /etc/logrotate.d/sysstat's sadf fails to read or write /var/log/sa6, and disk space is not reclaimed.
Component: TMOS
Symptoms:
/etc/logrotate.d/sysstat fails to read /var/log/sa6 or fails to write to /var/log/sa6, so /var/log/sa6 is not rotated and its disk space is not reclaimed.
Conditions:
/var/log/sa6 becomes corrupt, or the disk space holding /var/log/sa6 becomes full.
Impact:
Disk space is not reclaimed in /var/log/sa6.
Workaround:
Edit /etc/logrotate.d/sysstat and add "exit 0" after the sadf line, so that a sadf failure does not abort the rotation.
Fix:
When /etc/logrotate.d/sysstat's sadf fails, the script now exits cleanly so that logrotate reclaims disk space.
580340-1 : OpenSSL vulnerability CVE-2016-2842
Solution Article: K52349521
580313-1 : OpenSSL vulnerability CVE-2016-0799
Solution Article: K22334603
580303-5 : When going from active to offline, tmm might send a GARP for a floating address.
Component: Local Traffic Manager
Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.
Conditions:
Using high availability, and switching a device from active to offline.
Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.
Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.
Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.
580168-4 : Information missing from ASM event logs after a switchboot and switchboot back
Component: Application Security Manager
Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back
Conditions:
1. ASM is provisioned.
2. Event logs are available with violation details.
3. Install or upgrade to another volume and switchboot to it.
4. Wait for ASM to fully come up.
5. Switchboot back.
6. The event logs are still available, but the violation details are gone.
Impact:
Information missing from ASM event logs after a switchboot and switchboot back
Workaround:
N/A
Fix:
N/A
580026-5 : HSM logging error
Solution Article: K74759095
579955-6 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
Solution Article: K01587042
579953 : Updated the list of Common Criteria ciphersuites
Component: Local Traffic Manager
Symptoms:
This is ongoing maintenance of the default cipher suite set per certification requirements.
Conditions:
These changes are in effect only when the ccmode script is executed.
Impact:
The current set of cipher suites is the following, subject to change in future releases:
AES{128,256}-{SHA,SHA256}
ECDHE-RSA-AES128-CBC-{SHA,SHA256}
ECDHE-RSA-AES256-CBC-{SHA,SHA384}
ECDHE-RSA-AES128-GCM-{SHA256,SHA384}
ECDHE-ECDSA-AES128-{SHA,SHA256}
ECDHE-ECDSA-AES256-{SHA,SHA384}
ECDHE-ECDSA-AES128-GCM-{SHA256,SHA384}
579926-1 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode
Component: Local Traffic Manager
Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.
Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.
Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.
Workaround:
No workaround.
579917-1 : User-defined signature set cannot be created/updated with Signature Type = "All"
Component: Application Security Manager
Symptoms:
When creating a User-Defined Signature Set the Signature Type cannot be set to "All". After saving the setting, it resets back to Request.
Conditions:
Creating a new signature set with Signature Type set to "All" (the dropdown defaults to "Request" when opening the create page).
Impact:
A custom signature set cannot be created that contains both request and response signatures.
Workaround:
No direct workaround; the issue can be mitigated by creating two signature sets or by using manual sets.
Fix:
Signature Type can now be set to "All".
579843-1 : tmrouted may not re-announce routes after a specific succession of failover states
Component: Local Traffic Manager
Symptoms:
tmrouted does not re-announce RHI routes after a specific succession of failover states within an HA pair that uses dynamic routing.
Conditions:
- Active/Standby HA pair set up.
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more virtual addresses.
- The Active unit goes through the following succession of failover states:
Active->Offline->Online->Standby->Active
Impact:
tmrouted might not announce the virtual addresses when returning to the Active state after the succession above.
Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an option.
Fix:
tmrouted now re-announces RHI routes after this succession of failover states within an HA pair that uses dynamic routing.
579829-7 : OpenSSL vulnerability CVE-2016-0702
Solution Article: K79215841
579760-3 : HSL::send may fail to resume after log server pool member goes down/up
Solution Article: K55703840
Component: TMOS
Symptoms:
High speed logging (HSL): asymmetric bandwidth loss might result in no bandwidth tracking.
Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing.
Impact:
For a period of time after the logging node comes back up, HSL::send events will not be sent to the log server. Sometimes it never recovers and tmm needs to be restarted.
Workaround:
If possible, configure log server pools with multiple members to avoid this condition.
579529 : Stats file descriptors kept open in spawned child processes
Component: TMOS
Symptoms:
No known user visible impact.
Conditions:
This occurs in all multi-blade platforms where clusterd is running.
Impact:
No known user visible impact.
Workaround:
None.
Fix:
Stats file descriptors are now opened so that they are automatically closed when a child process is spawned, rather than being inherited by the child.
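What "closed when a child process is spawned" means in practice, as an added Python example written for this page (not F5 code): on POSIX a descriptor survives fork and exec unless it carries the FD_CLOEXEC flag, so a daemon that opens its stats files without that flag leaks them into every helper it spawns, and the helper can read those files or hold them open. The block opens /dev/null the leaky way and the close-on-exec way, then execs a child that reports whether the descriptor is still open. Assumptions: Linux, Python 3.7 or later, and that the product fix uses the standard close-on-exec flag, which the page implies but does not name.

```python
import os
import subprocess
import sys

# Child program: report the device/inode behind descriptor argv[1] if it is
# still open after exec, or "closed" if the kernel closed it.
_PROBE = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    st = os.fstat(fd)\n"
    "    print(st.st_dev, st.st_ino)\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def leaky_open(path: str) -> int:
    """Open without close-on-exec: the descriptor is inherited by every child.

    Python 3.4+ sets O_CLOEXEC by default, so the flag is cleared explicitly
    to reproduce the pre-fix situation (an assumption about the product).
    """
    fd = os.open(path, os.O_RDONLY)
    os.set_inheritable(fd, True)
    return fd


def private_open(path: str) -> int:
    """Open with close-on-exec: the kernel closes the descriptor at exec()."""
    return os.open(path, os.O_RDONLY | os.O_CLOEXEC)


def is_close_on_exec(fd: int) -> bool:
    """True when FD_CLOEXEC is set (Python calls the inverse 'inheritable')."""
    return not os.get_inheritable(fd)


def child_sees_fd(fd: int, path: str) -> bool:
    """Exec a child and ask whether `fd` still refers to `path` there.

    close_fds=False disables Python's own descriptor cleanup in the child so
    that only the FD_CLOEXEC flag decides the outcome, as it does for a daemon
    that forks and execs helpers itself. Comparing device and inode guards
    against the child reusing the same descriptor number for another file.
    """
    result = subprocess.run(
        [sys.executable, "-c", _PROBE, str(fd)],
        close_fds=False, capture_output=True, text=True, check=True,
    )
    st = os.stat(path)
    return result.stdout.strip() == f"{st.st_dev} {st.st_ino}"


def demonstrate(path: str = os.devnull) -> dict:
    """Return {'leaky': True, 'private': False} on a POSIX system."""
    outcome = {}
    for label, opener in (("leaky", leaky_open), ("private", private_open)):
        fd = opener(path)
        try:
            outcome[label] = child_sees_fd(fd, path)
        finally:
            os.close(fd)
    return outcome


if __name__ == "__main__":
    for label, seen in demonstrate().items():
        print(f"{label:8s} descriptor visible in child: {seen}")
```

The leaky descriptor is visible in the child; the close-on-exec descriptor is not. When auditing a daemon for this class of bug, the equivalent check on a live system is to compare the descriptor list of a spawned helper against the files the parent holds open.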
579495-1 : Error when loading Upgrade UCS★
Component: Application Security Manager
Symptoms:
When loading an older-version UCS file while ASM is live, an error may occur when processing the new configuration. You will see the following error in the asm log:
Mar 9 07:16:06 dut30 err perl[22696]: 01310011:3: ASM configuration error: event code T1499 Failed to update configuration table CONFIG_TYPE_DYNAMIC_TABLES
Conditions:
Loading an older version UCS on a live system.
Impact:
Enforcement of Allowed Methods may be incorrect
Workaround:
Restart ASM
Fix:
Configuration is correctly processed when loading a UCS file for upgrade on a live device.
579371-4 : BIG-IP may generate ARPs after transition to standby
Solution Article: K70126130
Component: Local Traffic Manager
Symptoms:
tmm generates unexpected ARPs after entering standby.
Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.
Impact:
Unexpected ARP requests that might result in packet loops.
Workaround:
None.
Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.
579220-1 : Mozilla NSS vulnerability CVE-2016-1950
Solution Article: K91100352
579210-3 : VIPRION B4400N blades might fail to go Active under rare conditions.
Solution Article: K11418051
Component: TMOS
Symptoms:
Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000.
Conditions:
This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting.
Impact:
When the problem is manifest, the HSB receives FCS errors at a high-frequency and does not receive any valid traffic from the port switch. The B4400N blade might be unable to go active and join the cluster.
Workaround:
To recover, reboot the system once.
579085-6 : OpenSSL vulnerability CVE-2016-0797
Solution Article: K40524634
578983-4 : glibc: Integer overflow in hcreate and hcreate_r
Solution Article: K51079478
578951-2 : TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
Component: Local Traffic Manager
Symptoms:
If a TCP connection is started and contains a valid Fast Open cookie, then times out during the three-way handshake, the failure is not accounted for properly. If this occurs more than a threshold number of times, BIG-IP will stop performing TCP Fast Open.
Conditions:
A TCP connection using TCP Fast Open with a valid Fast Open cookie times out during the three-way handshake.
Impact:
Each connection that times out in this fashion decreases the number of valid pre-established connections that the BIG-IP can support. If the number of connections timed out in this fashion rises above a threshold, BIG-IP will act as if TCP Fast Open is disabled. This threshold cannot be changed.
Fix:
The pre-established connections counter is now decremented when a TCP Fast Open connection times out during the initial handshake.
578573-1 : SSL Forward Proxy Forged Certificate Signature Algorithm
Component: Local Traffic Manager
Symptoms:
In SSL Forward Proxy, the signature algorithm of the CA certificate configured on the client SSL profile determines the signature algorithm of the forged server certificate, rather than the signature algorithm of the real server certificate.
For example, if the server certificate uses SHA1 but the CA certificate configured in the client SSL profile uses SHA256, the forged certificate uses SHA256. If the server certificate uses SHA256 but the CA certificate uses SHA1, the forged certificate uses SHA1.
Both scenarios are a problem.
Conditions:
The signature algorithm of the CA certificate configured in the client SSL profile differs from the signature algorithm of the server certificate.
Impact:
The signature algorithm of forged certificate may differ from the signature algorithm of the server certificate.
Workaround:
Configure the CA certificate in client SSL profile so that the signature algorithm matches that in server certificate.
578570-1 : OpenSSL Vulnerability CVE-2016-0705
Solution Article: K93122894
578564-4 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
Component: Service Provider
Symptoms:
The connection is aborted with an RST and the message "ADAPT unexpected state transition (old_state 22 event 7)".
Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.
Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.
Fix:
HTTP::respond works as expected even on an HTTP response returned by an ICAP server after request adaption.
578551-5 : bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot
Component: TMOS
Symptoms:
"network 0.0.0.0/0 route-map Default" is missing from the BGP configuration after a restart/reboot.
Conditions:
"network 0.0.0.0/0 route-map Default" is configured in BGP.
Impact:
BGP does not have the same configuration after a restart/reboot; the BGP configuration is not persisted, leading to unexpected BGP behavior.
Fix:
"network 0.0.0.0/0 route-map Default" in BGP now persists across a restart/reboot.
578415-2 : Support for hardware accelerated bulk crypto SHA256 missing
Component: Local Traffic Manager
Symptoms:
Requests for bulk crypto SHA256 will be performed in software, not by the accelerator.
Conditions:
Any bulk crypto operation that uses SHA256 on the BIG-IP 1600, 3600, 5000, 6900, 7000, 8900, 10000, 11000, 11050, and 12000 platforms, and on VIPRION B2250 blades.
Impact:
The request will be completed in software which may result in increased CPU load.
Workaround:
None.
Fix:
Requests for bulk crypto operations using SHA256 will be assigned to a hardware accelerator, and no longer serviced in software.
578413-1 : Missing reference to customization-group from connectivity profile if created via portal access wizard
Component: Access Policy Manager
Symptoms:
An extra customization group is created for the connectivity profile when the profile is created via the portal access wizard and the configuration is reloaded.
Conditions:
Use the portal access wizard to create the configuration objects.
Impact:
There is no functional impact, since the customization is not actually used for the connectivity profile.
Workaround:
Create the configuration objects manually rather than via the wizard.
Fix:
The connectivity profile now references its customization group when the profile is created by the wizard.
578064 : tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blades
Component: TMOS
Symptoms:
tmsh show sys hardware shows "unavailable" for the hard disk manufacturer.
Conditions:
On VIPRION B4400/B4450 blades, tmsh show sys hardware always shows "unavailable" for the hard disk manufacturer.
Impact:
The correct hard disk manufacturer information cannot be obtained.
Fix:
tmsh show sys hardware now shows the hard disk manufacturer on B4400/B4450 blades.
578036-1 : Incorrect crontab entry can cause a large number of email alerts
Component: TMOS
Symptoms:
The crontab entry in /etc/cron.usbflush refers to /sbin/lsusb instead of /usr/sbin/lsusb.
Conditions:
This occurs for the usbflush entry.
Impact:
usbflush does not run, and an alert email is generated once per minute.
Workaround:
Change /etc/cron.usbflush to use /usr/sbin/lsusb.
Fix:
/etc/cron.usbflush now uses /usr/sbin/lsusb.
577863-5 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time
Solution Article: K56504204
Component: Policy Enforcement Manager
Symptoms:
If the routing table on the DHCP server is misconfigured so that the DHCP server can reach the BIG-IP self IP address (used by the BIG-IP system DHCP relay) but cannot reach the DHCP clients, the clients receive no reply to their unicast requests and start broadcasting DHCP renewals. After a while, the BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients altogether.
Conditions:
The DHCP server's unicast reply does not reach the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP address as the source IP address).
Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.
Workaround:
Modify the DHCP server routing table, so that the DHCP server can deliver DHCP reply packets back to clients successfully.
Fix:
DHCP relay now continues forwarding the server DHCPOFFER and DHCPACK messages under these conditions.
577474-3 : Users with auditor role are unable to use tmsh list sys crypto cert
Solution Article: K35208043
Component: TMOS
Symptoms:
The system returns error messages after running the following command: tmsh list sys crypto cert. Error messages appear similar to the following:
-- Key management library returned bad status: -4, Invalid Parameter.
-- Unexpected Error: Can't chmod key management directory: "/var/tmp/key_mgmt", error: [1] Operation not permitted".
Conditions:
-- BIG-IP user accounts configured with the auditor role.
-- Running the command: tmsh list sys crypto cert.
Impact:
BIG-IP users with the auditor role cannot view certificates using the command: list sys crypto cert.
Workaround:
Use the sys file ssl-cert component instead. For example, use either of the following:
-- list sys file ssl-cert default.crt
-- list sys file ssl-cert
Fix:
BIG-IP users with the auditor role can now view certificates using the command: tmsh list sys crypto cert.
576591-6 : Support for some future credit card number ranges
Component: Application Security Manager
Symptoms:
ASM does not block or mask when a specific credit card number range appears in the response.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm, or Mask, and the response contains a credit card number in one of these ranges.
Impact:
The traffic passes unmasked or unblocked to the end client.
Workaround:
A custom pattern can cover these cases, but it must be tailored to each configuration.
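How a Data Guard-style custom pattern can be extended to a new card number range, as an added Python example written for this page (not F5 code): digit runs of 13 to 19 characters with optional space or hyphen separators are matched, the Luhn checksum rejects order numbers and phone numbers, and an optional list of issuer prefix ranges limits masking to the ranges a deployment actually needs. All but the last four digits are replaced. The sample response text is constructed; 4111 1111 1111 1111 is a public test value, the 2221... number is constructed to pass Luhn, and 2221-2720 is used only as an illustrative prefix range.

```python
import re
from typing import Iterable, Optional, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (the lookarounds stop partial matches).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most phone numbers, order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def in_prefix_ranges(digits: str, ranges: Optional[Iterable[Tuple[int, int]]]) -> bool:
    """True when the leading digits fall within one of the (low, high) ranges.

    low and high must have the same number of digits, e.g. (2221, 2720).
    ranges=None means "any Luhn-valid run", the behaviour of a generic pattern;
    an explicit list is how a custom pattern is limited to the ranges that
    matter for one deployment.
    """
    if ranges is None:
        return True
    for low, high in ranges:
        width = len(str(low))
        if len(digits) >= width and low <= int(digits[:width]) <= high:
            return True
    return False


def mask_card_numbers(body: str, ranges=None, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits of each matching card number."""

    def _mask(match: "re.Match") -> str:
        text = match.group(0)
        digits = re.sub(r"\D", "", text)
        if not luhn_ok(digits) or not in_prefix_ranges(digits, ranges):
            return text  # leave non-card digit runs untouched
        hide = len(digits) - keep_last
        out, seen = [], 0
        for ch in text:
            if ch.isdigit():
                out.append("*" if seen < hide else ch)
                seen += 1
            else:
                out.append(ch)  # keep separators so the layout is preserved
        return "".join(out)

    return _PAN_RE.sub(_mask, body)


if __name__ == "__main__":
    # Constructed sample response body (not captured traffic).
    body = "order 1234567812345678 paid with 4111 1111 1111 1111 and 2221000000000009"
    print(mask_card_numbers(body))
    print(mask_card_numbers(body, ranges=[(2221, 2720)]))
```

The order number survives because it fails Luhn; with no range list both card numbers are masked, and with the 2221-2720 range only the second one is. A pattern like this runs on every response body, so keep the range list tight and test it against real traffic samples before setting the profile to Block.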
576478 : Enable support for the Purpose-Built DDoS Hybrid Defender Platform
Component: Advanced Firewall Manager
Symptoms:
N/A
Conditions:
Requires new DoS License
Impact:
None
Fix:
This fix adds support for recognition of a Purpose-Built DDoS Hybrid Defender license, and the necessary mechanisms to launch the DDoS Application.
Behavior Change:
There is no change to existing behavior and functionality. However, when a DoS License is installed, the BIG-IP platform takes on the role of a dedicated DoS protection device. Consequently, most non-DoS related functionality is either disabled or functions in a limited capacity.
576305-7 : Potential MCPd leak in IPSEC SPD stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IPSEC SPD stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.
576123-3 : ASM policies are created as inactive policies on the peer device
Component: Application Security Manager
Symptoms:
ASM policies are created as inactive policies on the peer device.
Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.
Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.
Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.
Fix:
This release fixes the ASM Synchronization mechanism so that ASM policies are correctly created on the peer device.
575649-5 : MCPd might leak memory in IPFIX destination stats query
Component: TMOS
Symptoms:
MCPd might leak memory in IPFIX destination stats query.
Conditions:
In some cases, querying IPFIX destination stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.
575629-3 : NTP vulnerability: CVE-2015-8139
Solution Article: K00329831
575591-6 : Potential MCPd leak in IKE message stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IKE message stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IKE message stats.
575589-5 : Potential MCPd leak in IKE event stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IKE event stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IKE event stats.
575587-7 : Potential MCPd leak in BWC policy class stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying BWC policy stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.
575444-1 : Wininfo agent incorrectly reports OS version on Windows 10 in some cases
Component: Access Policy Manager
Symptoms:
If Custom Dialer client is used to establish VPN, Wininfo agent incorrectly reports OS as Win8 on Microsoft Windows 10.
This could result in VPN establishment failure.
Conditions:
Custom Dialer client is used on Windows 10.
Access policy uses Wininfo agent.
Impact:
VPN cannot be established.
Workaround:
None.
Fix:
Wininfo agent now correctly reports OS version when running Custom Dialer client on Microsoft Windows 10.
575176-1 : Syn Cookie cache statistics on ePVA enabled devices are incremented by UDP traffic
Component: TMOS
Symptoms:
In some scenarios, UDP traffic can cause syncookie statistics to be incremented.
Conditions:
Virtual server with fastL4 profile with ePVA offload enabled.
Virtual server to handle UDP traffic.
Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.
Fix:
The BIG-IP system no longer increases Syn Cookie cache statistics on ePVA enabled devices with UDP traffic.
575170-2 : Analytics reports may not identify virtual servers correctly
Component: Application Visibility and Reporting
Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.
Conditions:
This occurs for virtual servers that are configured in one of these ways:
1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.
2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).
Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.
Workaround:
None.
Fix:
The virtual server is now identified correctly, and the activity reported in the charts is displayed for the right virtual server.
575133-1 : asm_config_server_rpc_handler_async.pl SIGSEGV and core
Component: Application Security Manager
Symptoms:
asm_config_server_rpc_handler_async.pl SIGSEGV and core
Conditions:
Import ASM XML security policy
Impact:
asm_config_server_rpc_handler_async.pl SIGSEGV and core. This occurs after the policy import completes.
Workaround:
N/A
Fix:
The asm_config_server_rpc_handler_async.pl script no longer crashes when importing an ASM XML security policy.
575066-1 : Management DHCP settings do not take effect
Component: TMOS
Symptoms:
Modifications to /sys management-dhcp do not take effect.
Conditions:
Custom management-dhcp settings configured.
Impact:
DHCP for management interface does not function correctly.
Workaround:
Perform the following procedure:
1. Remount /usr to be read-write.
# mount -o rw,remount /usr
2. Edit the following file, which is a symlink into /usr.
# vi /defaults/config/templates/dhcp.tmpl
3. Change the following line (around line 7) so that the interface name is wrapped in escaped quotes:
print "interface \"$mgmt_interface\" {\n";
4. Remount /usr back to read-only.
# mount -o ro,remount /usr
5. Make a change to the list of DHCP requested options.
# tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { ntp-servers }
6. Verify that "eth0" is quoted in this file:
# grep interface /etc/dhclient.conf
interface "eth0" {
7. Create a symbolic link to dhclient.conf
# cd /etc/dhcp
# ln -s ../dhclient.conf .
8. Restart DHCP on the management interface.
# tmsh modify sys global-settings mgmt-dhcp disabled
# tmsh modify sys global-settings mgmt-dhcp enabled
No system reboot should be necessary.
Fix:
Management DHCP settings now take effect as expected when custom management-dhcp settings are configured.
575027-1 : Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.
Component: TMOS
Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.
Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.
Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)
Workaround:
Use untagged VLANs and hypervisor side tagging.
Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN without compromising performance.
575011-1 : Memory leak. Nitrox3 Hang Detected.
Solution Article: K21137299
Component: Local Traffic Manager
Symptoms:
System exhausts available memory due to a compression memory leak. Prior to running out of memory, the system repeatedly logs "Nitrox3 Hang Detected".
Conditions:
Compression device unavailable during creation of a new context.
Impact:
System can run out of memory.
Workaround:
Disable hardware compression using tmsh:
% tmsh modify sys db compression.strategy softwareonly
Fix:
Repaired memory leak.
574880-3 : Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
Component: Local Traffic Manager
Symptoms:
When a connection rate limit is set on a fastL4 virtual server, client connections hang with high probability.
Conditions:
Set Connection Rate Limit on a fastL4 virtual server.
Impact:
Client connections hang with high probability.
Workaround:
Do rate limiting using iRules.
https://devcentral.f5.com/articles/iruleology-table-based-rate-limiting
Fix:
Fixed Connection Rate Limiting on a fastL4 virtual server.
574526-1 : HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
Solution Article: K55542554
Component: Local Traffic Manager
Symptoms:
HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter.
Conditions:
HTTP/2 or SPDY is configured and the client query URI contains '?' (question mark).
Impact:
No query parameter will be returned.
Workaround:
None.
Fix:
Issue fixed.
574052-4 : GTM autoconf can cause high CPU usage for gtmd
Component: Global Traffic Manager (DNS)
Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) in large configurations of LTM virtual servers whose names contain "." (dot).
Conditions:
In large configurations, LTM virtual server names that contain "." are converted ("." is replaced by "_") and the converted name is saved to the config.
This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of virtual servers to find a match.
The problem is driven by the number of virtual servers per GTM server (10k virtual servers spread across 10k servers is less of an issue than 10k virtual servers on one GTM server).
Impact:
CPU usage is high, which may impact monitoring and LB decisions.
Workaround:
There are some mitigations. The preferable ones (for performance and stability) are listed first.
1. Rename the virtual servers on the LTM to remove the ".". This requires deleting the GTM configuration, rediscovering it, and recreating pools.
2. Turn off autoconf. Run autoconf once to populate the config, then turn it off.
3. Reduce the frequency of autoconf. It will still cause a high CPU usage scenario, but it will be less frequent.
Versions 12.0.0 and higher do not convert the "." to "_", so the problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains virtual server names that were previously converted, they may still run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue; a reconfiguration is necessary.
Fix:
Change algorithm used to match LTM VS names to GTM VS to reduce linear walk of all VSes on a server.
574020-5 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')
Component: Local Traffic Manager
Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').
Conditions:
This issue occurs when the following conditions are met:
-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').
Impact:
Script fails to work properly, and fails to properly install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which some user environments might not support.
Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).
Fix:
Safenet HSM installation script install now completes successfully if partition password contains special metacharacters (!#{}').
Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.
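The note above says to escape the password so that bash does not reinterpret it. The following shell snippet is an added example, not part of the release note or of F5's installation script: it wraps an arbitrary string in single quotes (the only quoting form in which bash interprets nothing) and proves with a constructed password containing !#{}' that the string survives a trip through a fresh shell. The only assumption is a POSIX sh with sed; no tmsh syntax is shown, since the exact external-hsm command options are not on this page.

```shell
# Added example: shell-quote a password that contains metacharacters so that
# bash passes it through literally. Not from the release note or F5.

# needs_quoting STRING -> returns 0 (true) if STRING contains any character
# outside the safe set [A-Za-z0-9_.-], i.e. anything the shell might expand.
needs_quoting() {
    case "$1" in
        *[!A-Za-z0-9_.-]*) return 0 ;;
    esac
    return 1
}

# shell_quote STRING -> prints STRING wrapped in single quotes. The only
# character that cannot live inside single quotes is the single quote itself,
# so each one is replaced by '\'' (close quote, escaped quote, reopen quote).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# round_trip STRING -> quotes STRING, hands the quoted text to a fresh shell as
# if it had been typed on a command line, and prints what that shell received.
# If quoting is correct the output is byte-for-byte the original STRING.
round_trip() {
    quoted=$(shell_quote "$1")
    sh -c "printf '%s' $quoted"
}

# Constructed sample password (not a real credential) using the characters the
# release note lists, plus $ and backticks, which bash would otherwise expand.
sample_pw='Pa!#{}'"'"'ss$word`x`'

if needs_quoting "$sample_pw"; then
    printf 'quoted form : %s\n' "$(shell_quote "$sample_pw")"
    printf 'round trip  : %s\n' "$(round_trip "$sample_pw")"
fi
```

The quoted form can be pasted into a bash command line, or passed to tmsh from bash, without the shell touching it; tmsh's own quoting rules still apply on top of that.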
573764-1 : In some cases, only the primary blade retains its statistics after upgrade on a multi-blade system
Component: Application Visibility and Reporting
Symptoms:
Statistics from the primary blade remain after upgrade, but not from the other blades.
Conditions:
Upgrade to a new version on a multi-blade system.
Impact:
Not all statistics are present after upgrade.
Workaround:
No workaround
573643-3 : flash.utils.Proxy functionality is not negotiated
Component: Access Policy Manager
Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.
Conditions:
Presence of flash.utils.Proxy descendants.
Impact:
Customer application malfunction.
Workaround:
None.
573611-1 : Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
Component: Access Policy Manager
Symptoms:
When a user session times out, then subsequently attempts access using the expired session ID, APM may log a log message at "err" level similar to this:
Aug 15 14:54:25 bigip.hostname err tmm[10206]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete, Line:
Conditions:
User is logged into APM and session times out.
Impact:
Error log messages may be confusing to BIG-IP APM administrators. The client is able to successfully reconnect.
Fix:
Erroneous messages of "Access encountered error: ERR_NOT_FOUND" are no longer logged in the APM log.
573602-1 : FQDN pool members not shown by tmsh show ltm monitor
Component: Local Traffic Manager
Symptoms:
The tmsh 'show ltm monitor <monitor-type>' command does not display the status of FQDN pool members.
Conditions:
-- LTM monitor is assigned to FQDN pool members (including FQDN members of an LTM pool to which the monitor is assigned).
-- Running the tmsh command: show ltm monitor <monitor-type>.
Impact:
Unable to view status of FQDN pool members via the tmsh 'show ltm monitor <monitor-type>' command.
Workaround:
There is no workaround at this time.
Fix:
The status of FQDN pool members is displayed by the tmsh 'show ltm monitor <monitor-type>' command. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
573584 : CPLD update success logs at the same error level as an update failure
Component: TMOS
Symptoms:
On booting after a successful CPLD update, you see an error in /var/log/ltm: "err chmand[4933]: 012a0003:3: CPLD not updated after previous power cycle."
Conditions:
This occurs during reboot after a successful firmware update.
Impact:
The message is logged as an error, but it actually means that the CPLD version is as it is expected to be. This error can be safely ignored.
Fix:
CPLD update not required is now logged at the info level, not error.
573366-4 : parking command used in the nesting script of clientside and serverside command can cause tmm core
Component: Local Traffic Manager
Symptoms:
tmm cores in configuration using certain iRules
Conditions:
An iRule that parks the interpreter is used in the nesting script of clientside and serverside command. (e.g. when doing a table lookup).
For more information on iRule commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing, https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Move the parking command outside the nesting script.
573343-1 : NTP vulnerability CVE-2015-8158
Solution Article: K01324833
573302-1 : FQDN pool member remains in disabled state after removing monitor
Component: Local Traffic Manager
Symptoms:
If an FQDN pool member has been disabled by a monitor (for example, after the monitor receives the configured recv-disable string from the node) and the monitor is then removed from the pool or member configuration, the FQDN pool member remains in a 'disabled' state (state and session-status are 'disabled') instead of changing to an 'unknown' state.
Conditions:
-- FQDN pool member is marked 'disabled' by a monitor.
-- The monitor is then removed.
Impact:
The FQDN pool member remains in a 'disabled' state and is unable to receive traffic.
Workaround:
There is no workaround at this time.
Fix:
When an FQDN pool member is marked 'disabled' by a monitor, then the monitor is removed, the FQDN pool member is updated to an 'unknown' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
573075-4 : ADAPT recursive loop when handling successive iRule events
Component: Service Provider
Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause "ADAPT unexpected state transition".
The adapt profile statistic "records adapted" reaches a very high number as it counts every attempt.
Conditions:
A requestadapt or responseadapt profile is configured.
An iRule is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event, that parks.
The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.
Impact:
The connection is aborted with RST cause "ADAPT unexpected state transition".
The statistic "records adapted" reaches a very high number.
Eventually the TMM crashes and the BIG-IP fails over.
Workaround:
If possible, arrange the iRules to avoid the conditions above.
In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.
Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the "records adapted" statistic reports the correct number.
572885-1 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
ASM provisioned.
Device group w/ ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
572568-2 : Gy CCR-i requests are not being re-sent after initial configured re-transmits
Component: Policy Enforcement Manager
Symptoms:
For the Gy interface, if the OCS does not respond to the initial set of CCR-I requests defined by the diameter-endpoint profile (1 + msg-max-retransmits <n>), no new set of CCR-I requests is generated, even after the provisioning pending timeout expires.
Conditions:
This issue happens only for the Gy interface, and only when the initial set of CCR-I requests does not get a CCA response.
Impact:
The subscriber is left in the Idle state until the default quota is breached and the subscriber is brought down, or until the subscriber reconnects once the OCS CCA response is fixed.
Workaround:
Reconnect the subscriber once the CCA response is fixed on the OCS.
Fix:
CCR-I requests are now re-sent once the provisioning timeout expires.
572558-1 : Internet Explorer: incorrect handling of document.write() to closed document
Component: Access Policy Manager
Symptoms:
An HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show an error on this page.
Conditions:
HTML page with document.write() calls inside event handlers or other scripts executed after document loading.
Strings passed to the document.write() function contain HTML tags with a URL or other rewritable content in attributes.
Impact:
The HTML page is not shown at all or works incorrectly in Internet Explorer.
Workaround:
No workaround known.
Fix:
HTML pages with document.write() calls on a closed document are now handled correctly by Portal Access.
572281-5 : Variable value in the nesting script of foreach command get reset when there is parking command in the script
Component: Local Traffic Manager
Symptoms:
When there is something like the following script:
foreach a [list 1 2 3 4] {
set a 10
after 100
}
The script contains a parking command, after, which runs after "set a 10". When the after command returns, the value of a goes back to the value set by the foreach, and the value 10 is lost.
Conditions:
There is parking command in the nesting script of foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962
Impact:
Variable values get reset.
Workaround:
Set(or set again) the variable value after the parking command.
Fix:
This will be fixed in a later release.
572272-5 : BIG-IP - Anonymous Certificate ID Enumeration
Solution Article: K65355492
572133-5 : tmsh save /sys ucs command sends status messages to stderr
Component: TMOS
Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This is visible if you are watching stderr for error messages.
Conditions:
There are no special conditions; every time the command is run, it sends some status messages to stderr.
Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.
Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.
Fix:
The command will send the status messages to stdout.
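For scripts that must run on an affected version, the following is an added example (not from the release note or from F5) of wrapping the save command so that the one benign "Saving active configuration..." line on stderr is ignored, while a non-zero exit status or any other stderr output is still treated as a failure. The tmsh commands are replaced by constructed stand-in functions so the example runs offline; the real call at the bottom, tmsh save /sys ucs <name>, is assumed from the entry above.

```shell
# Added example: run a command and treat only real stderr output or a non-zero
# exit status as failure, ignoring the known benign status line.

# The status line the release note says can be ignored (anchored, exact).
BENIGN_STDERR='^Saving active configuration\.\.\.$'

# run_checked CMD [ARGS...]
# Runs CMD with stderr captured. Returns 0 only if CMD exited 0 and nothing
# other than the benign status line appeared on stderr. Any remaining stderr
# lines are re-emitted on stderr for the caller's logs.
run_checked() {
    errfile=$(mktemp) || return 1
    "$@" 2>"$errfile"
    status=$?
    remaining=$(grep -v -e "$BENIGN_STDERR" "$errfile" || true)
    rm -f "$errfile"
    if [ "$status" -ne 0 ]; then
        printf 'command exited with status %s\n' "$status" >&2
        [ -n "$remaining" ] && printf '%s\n' "$remaining" >&2
        return 1
    fi
    if [ -n "$remaining" ]; then
        printf '%s\n' "$remaining" >&2
        return 1
    fi
    return 0
}

# Constructed stand-ins for 'tmsh save /sys ucs' on an affected version.
# They are not tmsh; they only reproduce the stderr behaviour described above.
fake_save_ok() {
    echo 'Saving active configuration...' >&2
    echo 'backup.ucs saved'
}
fake_save_failed() {          # real failure: non-zero exit plus an error line
    echo 'Saving active configuration...' >&2
    echo 'Error: not enough disk space' >&2
    return 1
}
fake_save_noisy() {           # exit 0 but an unexpected stderr line: still a failure
    echo 'Saving active configuration...' >&2
    echo 'Unexpected Error: something went wrong' >&2
}

# Demonstration with the stand-ins; stdout from the wrapped command passes through.
for cmd in fake_save_ok fake_save_failed fake_save_noisy; do
    if run_checked "$cmd" 2>/dev/null; then
        printf '%s: ok\n' "$cmd"
    else
        printf '%s: FAILED\n' "$cmd"
    fi
done

# On a real BIG-IP (assumed invocation, not run here):
# run_checked tmsh save /sys ucs /var/local/ucs/backup.ucs || exit 1
```

The benign pattern is anchored so that a genuine error message that merely mentions the configuration is not filtered out along with the status line.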
571095-1 : Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
Component: Local Traffic Manager
Symptoms:
If an FQDN pool member resolves to the same IP address (node) as a non-FQDN (static) pool member, and the FQDN pool/member is deleted, no further monitor probes are sent to the remaining non-FQDN (static) pool member.
Conditions:
This occurs if an FQDN pool member resolves to the same IP address (node) as an existing non-FQDN (static) pool member.
Impact:
Loss of health monitoring to remaining non-FQDN (static) pool member.
Workaround:
There is no workaround other than avoiding creating a static pool member with the same IP address that could be resolved to an FQDN name.
Fix:
An FQDN pool member and a static (non-FQDN) pool member can no longer be created with the same IP address, preventing loss of monitoring of the static member if the conflicting FQDN pool member is deleted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
570818-4 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
Component: TMOS
Symptoms:
LTM IPsec IKEv2 does not support dynamic remote-address CONFIG option, but still might potentially process that information sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure in establishing IPsec SA.
Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.
Impact:
Failure in establishing IPsec SA.
Workaround:
None.
Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.
570697-1 : NTP vulnerability CVE-2015-8138
Solution Article: K71245322
570667-2 : OpenSSL vulnerabilities
Solution Article: K64009378
570570-5 : Default crypto failure action is now 'go-offline-downlinks'.
Component: Local Traffic Manager
Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "none" or "failover". Now, the default behavior is "go-offline-downlinks".
(Note: You can find information on crypto accelerator fail-safe behavior in K16951: Overview of SSL hardware acceleration fail-safe :: https://support.f5.com/csp/article/K16951.)
Conditions:
Crypto accelerator encounters a failure and crypto.ha.action has not been changed from its default.
Impact:
If a hardware accelerator failed on a blade in a chassis, the system would failover, but if there was a second failover back to the chassis with the failed blade, SSL traffic might get dropped.
Workaround:
Set the db variable crypto.ha.action to your desired value.
Fix:
Previously, if a crypto accelerator encountered a failure, the default action was either 'none' or 'failover'. Now, the default behavior is 'go-offline-downlinks'.
Behavior Change:
The default value of the db variable crypto.ha.action has changed to 'go-offline-downlinks'. The only time this has an effect on the system is when a crypto accelerator fails. For a chassis, this value will cause the blade that had the failed crypto device to go offline, leaving the other blades to handle the load, while an appliance will failover to its standby peer. See https://support.f5.com/csp/article/K16951 for more details.
570217-2 : BIG-IP APM now uses Airwatch v2 API to retrieve device posture information
Component: Access Policy Manager
Symptoms:
Airwatch version 8.3 and above no longer uses the v1 REST API. APM is not able to retrieve device information from Airwatch MDM version 8.3 and higher, and device posture checking in APM policies fails.
Conditions:
- Airwatch configured on APM
- Airwatch is upgraded to version 8.3 or higher
Impact:
BIG-IP APM is unable to retrieve device information and device posture check will fail.
Workaround:
n/a
Fix:
BIG-IP APM now utilizes the Airwatch v2 API to access device posture information.
Important: you must be using Airwatch release 8.3 and up because older releases do not support the v2 REST API end points.
570057-2 : Can't install more than 16 SafeNet HSMs in its HA group
Component: Local Traffic Manager
Symptoms:
With installation script on the BIG-IP, you can't install more than 16 SafeNet HSMs in its high availability group with versions 5.2 and 5.4.
Conditions:
Attempt to install more than 16 SafeNet HSMs.
Impact:
Installer script failure.
Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.
Fix:
Updated the SafeNet installation scripts by replacing "vtl" with "lunacm" for high availability group creation and member adding operations for version 6.2.
569814-2 : iRule "nexthop IP_ADDR" rejected by validator
Solution Article: K30240351
Component: Local Traffic Manager
Symptoms:
The nexthop command allows an administrator to specify a forwarding address in an iRule. The form that takes an IP address may be rejected by the validator with an error message of the form:
01070151:3: Rule [/Common/irule_example] error: Unable to find vlan, vlangroup or tunnel (10.0.0.1) referenced at line 2: [nexthop 10.0.0.1]
Conditions:
This occurs when the nexthop command contains only the IP address, for example:
when HTTP_REQUEST {
nexthop 10.0.0.1
}
Impact:
The iRule containing the 'nexthop IP_ADDR' command cannot be associated with a virtual server.
Workaround:
The 'nexthop VLAN IP_ADDR' form of the command does pass the validator. Choose the named vlan on which IP_ADDR can be reached. For example:
when HTTP_REQUEST {
nexthop internal 10.0.0.1
}
Fix:
Validator now allows 'nexthop IP_ADDR' in iRules.
569563-3 : Sockets resource leak after loading complex policy
Component: Access Policy Manager
Symptoms:
File descriptors used by apmd remain unclosed (TCP and UDP) after loading a complex access policy.
After some time, the APM process file descriptor table is exhausted and no more access policies are processed.
The following error messages may be observed in the logs:
err apmd[16013]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 86 Msg: epoll_create() failed [Too many open files].
Conditions:
This can happen at the initial stage after apmd starts, or later when policies are reloaded. Although this is not directly related to log-level, this problem is easier to observe when the access control log-level is Warning or lower (Notice, Info, Debug).
File descriptors leak (remain unclosed) after loading complex policies that contain many agents.
Impact:
The APM process is unable to create new sessions, leading to an inability to process access policy operations.
Workaround:
This can happen at the initial stage after apmd starts, or later when policies are reloaded.
Current preferred workaround is to set log level to ERROR or higher and restart apmd.
When a large number of file descriptors has already been observed, the only way to close them other than disabling logging is to raise log levels to ERROR or above, and then issue the following command:
bigstart restart apmd
Note 1: Do not use sys db variables to change log level for versions 12.0.0 and later.
Note 2: Double-check log levels using the following command: tmsh list apm log-setting all-properties
Note 3: Opened file descriptors do not close until apmd is restarted.
Note 4: When in doubt (about whether file descriptors are leaking), run the following command on the BIG-IP system:
lsof -p `pidof apmd` | grep TCP; lsof -p `pidof apmd` | grep UDP. This gives you the number of open files.
- Detailed steps to change logging-level to ERROR:
Step 1. Modify access control log level using the following command: tmsh modify apm log-setting all access modify { all { log-level { access-control err } } }
Step 2. Check the log levels using the following command: tmsh list apm log-setting all-properties
Step 3. Manually restart apmd using the following command: bigstart restart apmd
Fix:
Sockets are now closed properly, so there is no longer file descriptor leakage when loading or reloading complex access policies.
569542-1 : After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★
Component: Access Policy Manager
Symptoms:
After upgrade, an existing user-created partition will not be able to load any existing hosted-content file or upload a new one.
The issue happens because the required APM Sandbox directory for this partition is missing after the upgrade.
01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_file_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Loading configuration process failed.
REPRODUCTION STEPS:
1) Before upgrade, create a partition (make sure APM is provisioned), say 'p1'.
2) Install the upgrade and reboot.
3) After upgrade, partition 'p1' is created but the required directory '/var/sam/www/webtop/sandbox/files_d/p1_d' is not created.
This can occur on upgrades from prior to 11.6.0 to 11.6.0 through 12.1.0.
Conditions:
Partition is created before the upgrade.
Impact:
Configuration load fails if the existing partition had any hosted-content file before upgrade. If it did not have any hosted-content file before upgrade, the configuration load will be successful, but the user cannot upload/create a new hosted-content file in this partition sandbox.
Workaround:
The workaround is to manually create the required sandbox directory using the following bash command:
mkdir -p /var/sam/www/webtop/sandbox/files_d/p1_d
569467-5 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
Solution Article: K11772107
569355-1 : Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
Solution Article: K50118123
569316-1 : Core occurs on standby in MRF when routing to a route using a transport config
Component: Service Provider
Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.
Conditions:
Routing a message to a route that uses a transport-config to define how to create an outgoing connection.
Impact:
The standby device will core.
Workaround:
NA
Fix:
Fix properly initializes a field on the standby.
569309-3 : Clientside HTML parser does not recognize HTML event attributes without value
Component: Access Policy Manager
Symptoms:
Assignment of specific HTML content to tag.innerHTML could lead to a JavaScript error. This happens when one or more tags in the HTML text contain HTML event attributes without a value (such as <div onclick />).
The following or a similar error is logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference
Impact:
Web application does not work when accessed through Portal Access.
Workaround:
An iRule could be provided for the specific application.
Fix:
Now empty inline event handler attributes are not rewritten on client side.
569288-6 : Different LACP key may be used in different blades in a chassis system causing trunking failures
Component: Local Traffic Manager
Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to fail to aggregate with the peer switch.
Conditions:
This only happens in a chassis-based system when a race condition causes the trunk ID to be modified after the initial trunk creation.
Impact:
Non-aggregated trunk members cannot pass traffic.
Workaround:
Restart lacpd on all blades in the chassis by running the command "clsh bigstart restart lacpd".
569121-1 : Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
Component: Anomaly Detection Services
Symptoms:
If you have a large CMP configuration using Advanced Detection and rate limiting with a low rate limit applied, the per-core rate limit on attack traffic can end up being lower than the desired overall rate limit.
Conditions:
This was seen during internal testing with a large number of cores (3 blades / 24 cores) and a very low rate limit applied.
Impact:
Overall rate limit is lower than expected.
Fix:
Improvements were made to rate limiting in environments with a high number of TMMs.
569100-1 : Virtual server using NTLM profile results in benign Tcl error
Component: TMOS
Symptoms:
Tcl error in /var/log/ltm.
Tcl error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP
Conditions:
Virtual server using the NTLM profile. Only logged when the first virtual server is created or when TMM restarts.
Impact:
If you are using TMSH to configure virtual server and NTLM profile, validation/constraint is not performed/enforced.
Workaround:
This is a benign, cosmetic error. There should be no functional impact to the system.
Fix:
Fixed the unexpected error message encountered and added validation when creating a virtual server with an NTLM profile.
568672-1 : Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
Component: TMOS
Symptoms:
After an SA goes down, 'show net ipsec traffic-selector' may report that the traffic-selector is up. The Web UI also reports up.
Conditions:
This occurs if a tunnel times out and goes to the down state.
Impact:
Confusion on the true state of the tunnel.
Workaround:
None needed.
Fix:
Now, when a tunnel times out and goes to the down state, the state is shown correctly.
568545-2 : iRules commands that refer to a transport-config will fail validation
Solution Article: K17124802
Component: Service Provider
Symptoms:
If an iRule command refers to a transport-config, the iRule fails validation even if the object exists.
Conditions:
-- iRule command refers to a transport-config.
-- iRule validation occurs.
Example:
create ltm pool p1 members add { 10.2.3.4:5060 }
create ltm message-routing sip transport-config tc1 profiles add { udp sipsession }
create ltm virtual vs1 destination 10.1.1.50:5060 profiles add { udp sipsession siprouter }
create ltm rule r1
ltm rule r1 {
when MR_INGRESS {
MR::message route config tc1 pool p1 <==command refers to tc1 which is a transport-config object
}
}
Impact:
Validation fails even though object exists. Unable to directly refer to a transport-config from an iRule command.
Workaround:
If the name of the transport-config is loaded into a Tcl variable, the Tcl variable can be used to indirectly refer to the transport-config object.
Fix:
iRule validation logic has been improved to check for the existence of a transport config object.
568543-4 : Syncookie mode is activated on wildcard virtuals
Component: Local Traffic Manager
Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.
Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.
Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.
Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.
Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (the previous maximum was 4093).
567743-2 : Possible gtmd crash under certain conditions.
Solution Article: K70663134
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core (SIGSEGV) due to a possible race condition.
Conditions:
Due to a possible race condition that occurs under certain conditions (such as a sync event), gtmd might core.
Impact:
This event could lead to an outage.
Workaround:
None.
Fix:
The system now correctly processes this condition so that no race condition occurs.
567546-1 : Files with file names larger than 100 characters are omitted from qkview
Component: TMOS
Symptoms:
If the filename of a file being gathered by qkview happens to be larger than 100 characters, the qkview will simply not include it.
Conditions:
No conditions necessary. Any file with a name larger than 100 characters is automatically omitted.
Impact:
Files with names larger than 100 characters are being omitted from the qkview. Since UNIX files can be 256 characters long, this potentially could omit important files that could help diagnose problems.
Workaround:
Rename any files with names longer than 100 characters to names shorter than 100 characters.
Fix:
Qkview was fixed to use the "GNU" tar format instead of POSIX, which allows for up to 256 characters (the system limit). The fixed program now allows file names of any length the system permits.
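The tar-format limit behind this fix, shown with an added Python example (not F5's qkview code): the same two files are written once with the POSIX ustar format and once with the GNU format; the file names and contents are constructed.

```python
"""Added example (not F5's qkview code): why a tar archive written in the
POSIX ustar format cannot hold a file whose name is longer than 100
characters, while the GNU format can. Names and contents are constructed."""
import io
import tarfile
from typing import List, Tuple

# A single path component longer than 100 characters. ustar would have to
# split it into its 155-byte prefix and 100-byte name fields at a "/", and
# there is none, so the entry cannot be written at all.
LONG_NAME = "diag_" + "x" * 120 + ".log"   # 129 characters, constructed
SHORT_NAME = "ltm.log"                     # constructed
CONTENT = b"constructed log data\n"


def build_archive(names: List[str], fmt: int) -> Tuple[bytes, List[str]]:
    """Write the given names into an in-memory tar of format fmt.
    Returns (archive_bytes, names the format refused). This mirrors the
    omission described above: the archive is still produced, just
    without the offending file."""
    buf = io.BytesIO()
    skipped: List[str] = []
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(CONTENT)
            try:
                tar.addfile(info, io.BytesIO(CONTENT))
            except ValueError:   # tarfile raises "name is too long" for ustar
                skipped.append(name)
    return buf.getvalue(), skipped


def names_in(archive: bytes) -> List[str]:
    """Read the archive back and list the member names actually stored."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return tar.getnames()


def compare_formats() -> dict:
    """Build the same file set with ustar and GNU and report what survived."""
    result = {}
    for label, fmt in (("ustar", tarfile.USTAR_FORMAT), ("gnu", tarfile.GNU_FORMAT)):
        archive, skipped = build_archive([SHORT_NAME, LONG_NAME], fmt)
        result[label] = {"stored": names_in(archive), "skipped": skipped}
    return result


if __name__ == "__main__":
    for label, outcome in compare_formats().items():
        print(f"{label}: stored {len(outcome['stored'])} file(s), "
              f"skipped {outcome['skipped']}")
```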
567457-2 : TMM may crash when changing the IKE peer config.
Component: TMOS
Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).
Conditions:
This occurs when making changes to IPsec tunnels that causes the configuration to become invalid. For example, changing ISAKMP phase1 from SHA-1 to MD5 results in an invalid configuration.
Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use tmsh to make the affected configuration changes; this occurs in the GUI only, and the tmsh 'create' command does not cause this core.
Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.
567233-1 : Multiple samba vulnerabilities
Solution Article: K92616530
567177-1 : Log all attempts of key export in ltm log
Component: TMOS
Symptoms:
Attempts to export keys are not logged.
Conditions:
-- Exporting keys.
-- Viewing ltm log.
Impact:
No messages logged to indicate the export attempts.
Workaround:
None.
Fix:
iControl:
======================
When any of the following iControl functions is called (either by the GUI or directly by a system user), the system logs it in ltm log. The log will include the iControl function name, key names, and BIG-IP user name.
key_export_to_file
key_export_to_pem
export_all_to_archive_stream
export_to_archive_stream
export_all_to_archive_file
export_to_archive_file
ltm logs example:
======================
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_file()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key, /Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_pem()
-- info iControlPortal.cgi[26687]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: keys (/Common/kc.key, /Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()
tmsh:
======================
The only possibility for using tmsh to export a key is saving a UCS file, so that will be logged.
ltm logs example:
======================
notice tmsh[21886]: 01420012:5: private key export: All keys are being exported by user "admin" via UCS saving.
GUI:
======================
There are three ways a user can export a key from the GUI:
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: default : Key Export
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: Archive...
-- System :: Archives :: New Archive...
These are internally implemented using iControl and tmsh calls, so they are automatically logged in the ltm log as iControl or tmsh users.
Behavior Change:
With this change, any attempt to export a key is logged in the ltm log. Logged attempts include saving a UCS file, archiving key files, and exporting key files, using tmsh, iControl, or the GUI.
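As an added example (not F5 code), a small parser for the "private key export" messages shown above, so the events can be pulled out of the ltm log for review or forwarded to a SIEM. The log lines are constructed from the message formats in this note; the timestamps and host name are made up.

```python
"""Parse BIG-IP ltm log messages that record private-key export attempts.

Added example (not F5 code). The sample log below is constructed from the
iControl and tmsh message formats shown in the release note; timestamps,
the host name and the unrelated last line are made up.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
Jan  5 10:22:01 bigip1 info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_file()
Jan  5 10:22:07 bigip1 info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key, /Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_pem()
Jan  5 10:23:40 bigip1 info iControlPortal.cgi[4868]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_file()
Jan  5 10:25:12 bigip1 notice tmsh[21886]: 01420012:5: private key export: All keys are being exported by user "admin" via UCS saving.
Jan  5 10:26:00 bigip1 notice tmsh[21900]: unrelated constructed message, not a key export
"""

# One pattern covers both message shapes:
#   iControl: keys (/Common/a.key, /Common/b.key) in Default mode are being
#             exported by user "admin" via KeyCertificate_impl::...()
#   tmsh:     All keys are being exported by user "admin" via UCS saving.
KEY_EXPORT_RE = re.compile(
    r'(?P<proc>[\w.]+)\[(?P<pid>\d+)\]: .*?private key export: '
    r'(?:(?P<all>All keys)|keys \((?P<keys>[^)]*)\))'
    r'(?: in (?P<mode>\w+) mode)? are being exported by user '
    r'"(?P<user>[^"]+)" via (?P<via>.+?)\.?$'
)


@dataclass
class KeyExportEvent:
    process: str                 # "iControlPortal.cgi" or "tmsh"
    pid: int
    user: str                    # BIG-IP user that triggered the export
    via: str                     # iControl function, or "UCS saving" for tmsh
    all_keys: bool               # True when every key on the device is exported
    keys: List[str] = field(default_factory=list)
    mode: Optional[str] = None   # e.g. "Default"; absent in the tmsh message


def parse_key_export(line: str) -> Optional[KeyExportEvent]:
    """Return a KeyExportEvent for a key-export log line, or None otherwise."""
    m = KEY_EXPORT_RE.search(line.rstrip())
    if m is None:
        return None
    keys = [k.strip() for k in m.group("keys").split(",")] if m.group("keys") else []
    return KeyExportEvent(
        process=m.group("proc"),
        pid=int(m.group("pid")),
        user=m.group("user"),
        via=m.group("via"),
        all_keys=m.group("all") is not None,
        keys=keys,
        mode=m.group("mode"),
    )


def summarize(lines) -> Tuple[List[KeyExportEvent], Counter, List[KeyExportEvent], List[str]]:
    """Parse a log and return (events, exports per user, full-archive exports,
    distinct named keys). Full-archive exports (UCS save, export_all_*) carry
    every private key on the device, so they deserve the first look."""
    events = [e for e in (parse_key_export(line) for line in lines) if e is not None]
    per_user = Counter(e.user for e in events)
    full_exports = [e for e in events if e.all_keys]
    named_keys = sorted({k for e in events for k in e.keys})
    return events, per_user, full_exports, named_keys


if __name__ == "__main__":
    events, per_user, full_exports, named_keys = summarize(SAMPLE_LOG.splitlines())
    for e in events:
        what = "ALL KEYS" if e.all_keys else ", ".join(e.keys)
        print(f"{e.process}[{e.pid}] user={e.user} via={e.via} keys={what}")
    print("exports per user:", dict(per_user))
    print("full-archive exports:", len(full_exports), "named keys:", named_keys)
```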
566576-6 : ICAP/OneConnect reuses connection while previous response is in progress
Component: Service Provider
Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.
Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.
Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.
Workaround:
Remove OneConnect.
Fix:
BIG-IP with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.
566507-4 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.
566342 : Cannot set 10T-FD or 10T-HD on management port
Component: Local Traffic Manager
Symptoms:
When setting the B4450 or B4300 mgmt port to 10T-FD or 10T-HD, there is no link LED. However, the peer unit shows the correct link LED for this setting.
Conditions:
A B4450 or B4300 blade on which you want to set the 10T-FD or 10T-HD media type.
Impact:
Unable to set this media type.
Fix:
The management port of B4450 and B4300 blades can now be configured with 10T-FD or 10T-HD.
566071-5 : network-HSM may not be operational on secondary slots of a standby chassis.
Component: Local Traffic Manager
Symptoms:
pkcs11d may not be running on secondary slots of a chassis.
Conditions:
This might occur when the following conditions are true:
1. Network-HSM installed on BIG-IP chassis.
2. Chassis is in standby state OR Secondary slots do not have management IP configured.
Impact:
If SSL profiles are configured with keys of security-type 'nethsm' when the specified conditions are true, traffic for such profiles will fail when the affected slots process traffic.
Workaround:
Manually install netHSM on each secondary slot.
Fix:
netHSM install no longer depends on management IP of secondary slots and also successfully installs on slots of a standby chassis.
565895-1 : Multiple PCRE Vulnerabilities
Solution Article: K17235
565799-4 : CPU Usage increases when using masquerade addresses
Component: Local Traffic Manager
Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.
Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.
Impact:
Possible performance degradation or reduction in capacity.
Fix:
Performance of masquerade address checks is restored.
565137 : Pool licensing fails in some KVM/OpenStack environments.
Solution Article: K12372003
Component: TMOS
Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.
Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.
Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.
Workaround:
There is no workaround.
Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.
564876-2 : New DB variable log.lsn.comma changes CGNAT logs to CSV format
Component: Carrier-Grade NAT
Symptoms:
New CSV format that does not use quotes as delimiters was not present prior to 12.1.2.
Conditions:
Setting the DB variable log.lsn.comma.
Impact:
More control over the logging format via the DB variable log.lsn.comma.
Workaround:
N/A
Fix:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.
Behavior Change:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.
564771-1 : cron sends purge_mysql_logs.pl email error on LTM-only device
Component: TMOS
Symptoms:
On a device provisioned with LTM only, cron may log or send an email containing the following perl error:
/etc/cron.hourly/purge_mysql_logs.pl:
Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27
This script was only intended to be run with AM, ASM, or PSM provisioned, and it generates an error if none of them is.
Conditions:
Any device with AM, ASM, and PSM not provisioned. LTM-only devices are impacted.
Impact:
If cron can send email, it will send the perl error in the email once per hour.
564522-2 : cron is configured with MAILTO=root but mailhost defaults to 'mail'
Solution Article: K40547220
Component: TMOS
Symptoms:
In the crontab and ssmtp configurations, the environment is MAILTO="", which means no email is sent, and it is difficult to find where the email went.
Conditions:
This exists in the default crontab and ssmtp configurations.
Impact:
- You may receive unexpected messages addressed to "root" at a host named "mail" on your network
OR
- You may encounter messages similar to the following in /var/log/maillog:
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Unable to connect to "mail" port 25.
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Cannot open mail:25
Workaround:
Change outbound-smtp mailhub to localhost with tmsh:
tmsh modify /sys outbound-smtp mailhub localhost
Fix:
Default mailhub has been changed to localhost. Starting in 12.0.0, MAILTO is set to root instead of "" in /etc/crontab so that the output of cron jobs can be captured. However, ssmtp is configured by default with a mailhost of 'mail', which may result in either error messages logged to /var/log/maillog or unexpected messages received on another system.
564281-3 : TMM (debug) assert seen during Failover with Gy
Component: Policy Enforcement Manager
Symptoms:
When using the debug version of the tmm, HA fail over may cause the tmm to assert when Gy is configured.
Conditions:
Using PEM and Gy is configured.
Impact:
The TMM (debug version) may core and restart, resetting all connections.
Workaround:
Do not use the debug tmm with Gy.
Fix:
This debug assert has been changed to a debug log message.
564058-1 : AutoDoS daemon aborts intermittently after it has been up for several days
Solution Article: K91467162
Component: Advanced Firewall Manager
Symptoms:
AutoDoS daemon aborts intermittently when accessing session db api for memcache interface.
Conditions:
This happens in the control plane AutoDoS daemon. This is an intermittent issue that occurs on a few platforms under specific stress testing.
Impact:
Core will be seen, but the daemon will restart, and there is no loss of state.
Workaround:
No workaround.
Fix:
AutoDoS daemon no longer aborts intermittently when accessing session db api for memcache interface.
563933-4 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
Component: Local Traffic Manager
Symptoms:
A and AAAA RRsets in the additional section are dropped.
Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.
Impact:
Failure to include the additional RRs results in additional lookups by the client which could be glue records for a resolver.
Workaround:
Set dns64-additional-section-rewrite to 'any'.
Fix:
v4-only and v6-only options work as expected. Note that DNS64 prefix operations occur after all other DNS processing blocks -- including GTM.
563727-1 : Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
Component: Application Security Manager
Symptoms:
A GET request without a payload but with a payload indication does not issue the 'Body in GET' sub-violation.
Conditions:
A GET request without a payload arrives.
The request has a 'transfer-encoding: chunked' header although there is no payload.
Impact:
A suspicious request goes by undetected.
Workaround:
Add an iRule that removes this header from the ASM and issues a custom violation.
Fix:
A GET request without payload but with 'transfer-encoding: chunked' will issue the body in GET sub violation.
563661-2 : Datastor may crash
Component: TMOS
Symptoms:
In rare cases datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.
Conditions:
WAM provisioned and enabled
Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.
563592 : Content diagnostics and LCD
Component: TMOS
Symptoms:
While running platform_check, you notice this on the LCD:
F5 LCD Server
Clients: 0
Screens: 0
Conditions:
This occurs when running platform_check after running bigstart stop
Impact:
This is cosmetic, the LCD does not indicate that it is in diagnostic mode.
Fix:
When the LCD is unable to communicate with BIG-IP, such as during shutdown or platform_check, the LCD now displays the following:
F5 LCD Server
Host inaccessible or
in diagnostic mode
563135-3 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
Component: Access Policy Manager
Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.
Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request
Impact:
The first request after authentication will fail.
Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.
562928-2 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
Component: TMOS
Symptoms:
Certain curl connections with the '--local-port' option fail sometimes over IPsec tunnels when the connection.vlankeyed DB variable is disabled, with the error 'curl: (7) couldn't connect to host'.
Conditions:
Using the curl command with the '--local-port' option causes the connections to fail on the BIG-IP system.
Impact:
TCP connections do not complete the three way handshake and traffic does not pass.
Workaround:
Disabling the 'cmp' option on the virtual server lets the traffic pass over IPsec tunnels.
Fix:
Using the curl command with the '--local-port' option no longer causes the connections to fail on the BIG-IP system.
562921-4 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
Solution Article: K55736054
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered insecure.
Conditions:
The value is hardcoded into the product.
Note: This is completely independent of the TMM profiles or the httpd cipher values.
Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an insecure cipher.
Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.
Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"
562636-2 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
Solution Article: K05489319
Component: Access Policy Manager
Symptoms:
When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages, because their unique parameter renders caching ineffective.
Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.
Impact:
A memory leak in the TMM.
Workaround:
None (when the triggering conditions are encountered).
Fix:
This release corrects the possible memory exhaustion issue in access end-user interface pages for transparent proxy/SWG cases.
562267-3 : FQDN nodes do not support monitor alias destinations.
Component: Local Traffic Manager
Symptoms:
FQDN nodes do not support monitor alias destinations.
Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.
Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.
Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.
Fix:
FQDN nodes now support monitor alias destinations.
561892-2 : Kerberos cache is not cleared when Administrator password is changed in AAA AD Server
Component: Access Policy Manager
Symptoms:
BIG-IP Administrator's password is changed and AD Query fails.
Conditions:
-- Administrator's password is changed for AAA AD Server.
-- Access policy applied.
Impact:
AD Query fails.
Workaround:
Remove Kerberos cache files (krb5cc_0 and krb5cc_1) manually in /var/run/apmd/krb5cc/ and all subdirectories.
Fix:
Kerberos cache is removed by apmd, if the administrator's password is changed and an access policy is applied.
561500-4 : ICAP Parsing improvement
Component: Service Provider
Symptoms:
If a malformed ICAP message is sent to the BIG-IP, the ICAP parser can enter a state where it consumes an increasing amount of CPU and memory.
Conditions:
A request-adapt or response-adapt profile is configured.
An ICAP message is received from an ICAP server lacking "ICAP/1.0" as initial header line.
Impact:
Memory and CPU usage increase.
Eventually the TMM may crash, causing BIG-IP fail-over.
Fix:
ICAP parser checks for correct initial ICAP/1.0 header line and rejects message if missing.
561444-1 : LCD might display incorrect output.
Component: TMOS
Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.
Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.
Impact:
LCD may display incorrect data.
Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.
Fix:
The issue allowing garbled messages between the front panel display daemon (fpdd) and the LCD daemon (LCDd) is now prevented from happening.
561348-7 : krb5.conf file is not synchronized between blades and not backed up
Component: Access Policy Manager
Symptoms:
krb5.conf file is not in sync across all blades.
This may cause a feature (Kerberos SSO / Kerberos Auth) not to work as expected.
Conditions:
When an administrator makes changes to the krb5.conf file manually, the configuration file is not synchronized to all blades or is lost upon upgrade.
Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.
Workaround:
None.
Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the failover device group. Any change made to this file on either the active or the standby device is automatically synced to the other device.
On a chassis, all secondary blades mirror the file on the primary blade. Any manual change made on a secondary blade is lost. The admin must make the changes on the primary blade only, and they are synchronized to all other blades.
Behavior Change:
When an admin modifies the /etc/krb5.conf file, the changes are automatically updated on the other devices in the same failover device group.
When an admin modifies the /etc/krb5.conf file on the primary blade of a chassis, the changes are automatically updated on all secondary blades.
560471-1 : Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
Component: Local Traffic Manager
Symptoms:
Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down.
Conditions:
Changing the monitor configuration of a pool. For example:
tmsh modify ltm pool http-pool monitor http and tcp
tmsh modify ltm pool http-pool monitor min 1 of { http tcp }
Impact:
Virtual server may be incorrectly marked down, when it should not be.
Fix:
Changing the monitor configuration of a pool no longer causes the virtual server to be marked as down.
560114-6 : Monpd is being affected by an I/O issue which makes some of its threads freeze
Component: Application Visibility and Reporting
Symptoms:
When Monpd is restarted, it starts printing non-stop error message to logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature - err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T
Conditions:
A system I/O issue (maybe caused by /var/log being full).
Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.
Workaround:
Run the following:
find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd
560109-7 : Client capabilities failure
Solution Article: K19430431
559953-1 : tmm core on long DIAMETER::host value
Component: Service Provider
Symptoms:
tmm crashes and restarts when an iRule is accessed that contains a large DIAMETER::host value.
Conditions:
This occurs with a DIAMETER::host iRule parameter set to a very large value (2000 characters).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Limit the length of the DIAMETER::host parameter to less than 1000 characters.
Fix:
BIG-IP now limits the DIAMETER::host parameter to 1000 characters.
559837-4 : Misleading error message in catalina.out when listing certificates.
Component: TMOS
Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.
java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].
Conditions:
This occurs when listing certificates, and exceptions are returned.
Impact:
1. Throws table creation exceptions when randomly generated table name contains invalid character ('-').
2. Misleading 'Table not found' message in catalina.out.
Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.
Fix:
Errors occur when listing certificates that contain invalid characters from the randomly generated table names, so the GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation.
559655 : Post RMA, system does not display correct platform name regardless of license
Component: TMOS
Symptoms:
When you receive an RMA unit and you are licensed for a 4000 but the unit received has been licensed as a 4200, the platform name of the new hardware differs from the hardware on site, regardless of which license you have.
Conditions:
Take a 4000 from manufacturing and license it for a 4200 wipe system and rebuild and license for a 4000 and tmsh show sys hardware and device groups will indicate it to be a 4200
if you have a 4200 from manufacturing and license it as a 4000 it will still indicate that it is a 4200
Affected platforms is following
2000/2200 4000/4200 5000/5200 7000/7200 10000/10200
Impact:
Confusion as to what the actual platform is
559080-5 : High Speed Logging to specific destinations stops from individual TMMs
Component: TMOS
Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.
Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.
Impact:
Logs are silently lost.
Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.
Fix:
The system now resets the expire timer when it initiates the close. If the server fails to reset or complete the close, the flow is aborted on the next expiration event.
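The following is an added illustration, not F5's code or anything shipped in this release: a small Python model of the flow handling described above. It shows why a log server that ACKs the FIN but never completes the close leaves a flow that looks viable while every log line is silently lost, and how re-arming the expire timer when TMM initiates the close (the fix) lets the next expiration event abort the flow so a fresh one can be opened. The timeout value, class names and the replayed sequence of events are assumptions made for this model.

```python
FIN_WAIT_TIMEOUT = 5.0  # seconds; an assumed value for this model


class Flow:
    """Minimal model of the TMM-side TCP flow towards a log server."""

    def __init__(self):
        self.state = "ESTABLISHED"
        self.expire_at = None  # absolute time at which the flow is considered dead

    def usable(self):
        return self.state == "ESTABLISHED"

    def initiate_close(self, now, fixed):
        """TMM sends its FIN (for example on idle timeout)."""
        self.state = "FIN_WAIT_1"
        # Fixed behaviour: re-arm the expire timer when we initiate the close.
        # Original behaviour: the flow was already marked expired, so no new
        # timer is armed and nothing ever reaps the half-closed flow.
        self.expire_at = now + FIN_WAIT_TIMEOUT if fixed else None

    def on_peer_ack_of_fin(self):
        if self.state == "FIN_WAIT_1":
            self.state = "FIN_WAIT_2"

    def on_peer_fin(self):
        self.state = "CLOSED"

    def check_expiry(self, now):
        """On the next expiration event, abort a close the peer never completed."""
        if self.expire_at is not None and now >= self.expire_at and self.state.startswith("FIN_WAIT"):
            self.state = "ABORTED"


class HslDestination:
    """One log destination; it reopens its flow only once the flow is CLOSED or ABORTED."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.flow = None
        self.delivered = []
        self.lost = []

    def _current_flow(self):
        if self.flow is None or self.flow.state in ("CLOSED", "ABORTED"):
            self.flow = Flow()  # open a fresh connection to the log server
        return self.flow

    def emit(self, now, line):
        flow = self._current_flow()
        flow.check_expiry(now)
        flow = self._current_flow()  # a flow aborted just now is replaced
        if flow.usable():
            self.delivered.append(line)
            return True
        # The half-closed flow still looks viable, so the line is silently lost.
        self.lost.append(line)
        return False


def simulate(fixed):
    """Replay the scenario from the report; returns (delivered, lost) counts."""
    dest = HslDestination(fixed)
    dest.emit(0.0, "constructed log line 1")  # flow established, line delivered
    dest.flow.initiate_close(1.0, fixed)      # TMM times the flow out and sends FIN
    dest.flow.on_peer_ack_of_fin()            # the server ACKs the FIN ...
    # ... but never sends its own FIN or RST, so the flow sits in FIN_WAIT_2.
    for t in (2.0, 4.0, 8.0, 10.0):
        dest.emit(t, f"constructed log line at t={t}")
    return len(dest.delivered), len(dest.lost)


if __name__ == "__main__":
    print("original:", simulate(fixed=False))  # (1, 4): every later line is lost
    print("fixed:   ", simulate(fixed=True))   # (3, 2): lost only until the timer fires
```

Note that even with the fix, lines emitted before the expiration event fires are still lost; the fix bounds the loss to one timeout window instead of leaving the destination dead until TMM restarts, which is why the virtual-server proxy workaround above remains useful on unfixed versions.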
559030-1 : TMM may core during ILX RPC activity if a connflow closes before the RPC returns
Solution Article: K65244513
Component: Local Traffic Manager
Symptoms:
TMM core with plugin context refcount error.
Conditions:
-- Using ILX RPC calls.
-- Connflow closes before the RPC returns.
Note: Most likely to occur when using a low-end unit or virtual edition configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
ILX plugin timeout no longer causes TMM core.
557680-4 : Fast successive MTU changes to IPsec tunnel interface crashes TMM
Component: TMOS
Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.
Conditions:
The issue occurs when the IPsec tunnel interface attributes are modified quickly and repeatedly.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.
Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).
557471-3 : LTM Policy statistics showing zeros in GUI
Component: TMOS
Symptoms:
Statistics for LTM Policies, e.g., the total count of policy action invocations and number of successful policy action invocations, are not being updated in the GUI. The GUI shows zeros for both of these stats for every LTM Policy.
Conditions:
Occurs under all conditions.
Impact:
Through the GUI, Administrators cannot see invocation counts for general troubleshooting or to determine which policies are being used.
Workaround:
To work around this issue, you can use the tmsh utility to view BIG-IP LTM traffic policy statistics. To do so, perform the following procedure:
To retrieve stats for all policies, run the following command:
# tmsh show ltm policy
To retrieve stats for a specific policy, run the following command:
# tmsh show ltm policy <policy-name>
Fix:
LTM Policy statistics now show the correct values in the GUI.
557434-4 : After setting a Last Resort Pool on a Wide IP, cannot reset back to None
Component: Global Traffic Manager (DNS)
Symptoms:
After configuring a wide IP with a Last Resort Pool set to something other than None, you can no longer change the Last Resort Pool back to None.
Conditions:
Last Resort Pool is set to something other than None.
Impact:
There is no None option in TMSH or GUI.
Workaround:
Setting the Pool Name to an empty string via tmsh will set it to None.
For example:
modify gtm wideip a wip.f5.com last-resort-pool a ""
Fix:
None options added to tmsh and GUI.
557411-1 : Full Webtop resources appear overlapping in IE11 compatibility mode
Component: Access Policy Manager
Symptoms:
Full Webtop resources appear overlapping each other in MSIE 11 in compatibility mode.
Conditions:
MSIE 11 in compatibility mode, with a Full Webtop in use.
Impact:
Everything is working but the icons overlap.
Workaround:
1. Modify the advanced customization of apm.css:
#webtop_favorites_inner_container span.favorite span.caption{
    ...
    <? if( $_GET['ctype'] == 'IE' && $_GET['cversion'] < 9){ ?>
    zoom: 1;
    <? }elseif( $_GET['ctype'] == 'IE' && $_GET['cversion'] == 11){ ?>
    zoom: 0;
    <? } ?>
}
2. An iRule that changes apm.css to:
#webtop_favorites_inner_container SPAN.favorite SPAN.caption {
    ...
    zoom: 1; /* <--- set to 0 if MSIE 11 is in compatibility mode */
}
Fix:
Full Webtop resources now display normally in IE11 compatibility mode.
557358-5 : TMM SIGSEGV and crash when memory allocation fails.
Component: Local Traffic Manager
Symptoms:
TMM SIGSEGV and crash when memory allocation fails.
Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.
Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.
Workaround:
None known at this time.
Fix:
TMM SIGSEGV and crash no longer occur when memory allocation fails because a command attempted to remove the connection from the SSL queue a second time.
557190-3 : 'packet_free: double free!' tmm core
Solution Article: K65615624
557155-8 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
Component: TMOS
Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
Conditions:
Sustained high packet rate with a very small payload.
Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue was reproduced during a test that over-provisions a 2-vCPU guest and is unlikely to happen in normal operation.
Workaround:
Try one of the following workarounds (listed in order of preference):
1. Increase guest memory.
2. Significantly reduce the value in '/sys/module/unic/rx_queue_size'. For example, running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
sysctl vm.panic_on_oom=1
Fix:
BIG-IP Virtual Edition becomes unresponsive under extreme load test due to kernel memory exhaustion from over-provisioning.
555039-4 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
Solution Article: K24458124
Component: TMOS
Symptoms:
There are high drop counts when running 'tmsh show net interface', and running 'tmctl -a drop_reason' shows that a large number of drops are due to counters.rx_cosq_drop.
Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.
Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.
Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.
Workaround:
None.
Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.
554713-2 : Deployment failed: Failed submitting iControl REST transaction
Component: TMOS
Symptoms:
When deploying an access control policy to a sync group, you notice the following error: Deployment failed:
Failed submitting iControl REST transaction 1445978291443908: remoteSender:ip_address
Conditions:
This can happen on policy sync with a large number of ACLs.
Impact:
The system will function properly, but some transactions may take longer than expected. BIG-IQ deployment of APM access control lists is one known case to fail due to timeouts.
Workaround:
None.
Fix:
The audit log contains every database modification request message sent to mcpd. Certain messages once took an unexpectedly long time to render, which has been fixed.
553795-7 : Differing certificate/key after successful config-sync
Component: TMOS
Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.
2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.
Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.
2) High Availability failover systems configured with Manual Sync.
Impact:
1) An abandoned FIPS key is left behind.
2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.
Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Delete the FIPS key by-handle on the peer system(s).
2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).
Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.
551795-1 : Portal Access: corrections to CORS support for XMLHttpRequest
Component: Access Policy Manager
Symptoms:
An XMLHttpRequest to an external domain should fail if the server does not include the 'Access-Control-Allow-Origin' header in the response. The current implementation of CORS support in Portal Access does not enforce this failure.
If an XMLHttpRequest to a same-origin resource is redirected to an external one, it must be treated as a cross-domain request. The current implementation of CORS support in Portal Access does not handle this case correctly.
Conditions:
XMLHttpRequest to external domain via Portal Access succeeds even when the server response does not include 'Access-Control-Allow-Origin' header.
XMLHttpRequest to same-origin resource succeeds via Portal Access in spite of response redirection.
Impact:
Web application may work incorrectly; some data access restrictions may not work.
Fix:
Portal Access now supports CORS in the case of response redirection for XMLHttpRequest.
CORS support now enforces an error when the 'Access-Control-Allow-Origin' header is absent from the server response.
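The following is an added example and not Portal Access code: a Python model of the two rules this fix enforces, which a rewriting proxy or a test harness can apply to a response before handing it to page script. An XHR to another origin may only be exposed when the final response carries an acceptable Access-Control-Allow-Origin header, and a same-origin request that is redirected off-origin is treated as cross-origin from that point on. It goes slightly beyond the report by also handling the credentialed case (a '*' header is not acceptable when credentials were sent, and Access-Control-Allow-Credentials must be 'true'). The host names, URLs and the SAMPLE_RESPONSES table are constructed; header names are assumed to be in canonical case.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def origin_of(url):
    """Return the (scheme, host, port) tuple that browsers compare for same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def follow_redirects(request_url, responses, max_hops=10):
    """Walk a redirect chain and report whether it ever left the starting origin.

    `responses` maps an absolute URL to (status, headers) and stands in for
    the server responses a real client would receive.
    Returns (final_url, final_status, final_headers, left_origin).
    """
    url, left_origin = request_url, False
    for _ in range(max_hops):
        status, headers = responses[url]
        if status in REDIRECT_STATUSES and "Location" in headers:
            next_url = urljoin(url, headers["Location"])  # Location may be relative
            if origin_of(next_url) != origin_of(url):
                left_origin = True
            url = next_url
            continue
        return url, status, headers, left_origin
    raise ValueError("too many redirects")


def may_expose_response(page_origin, request_url, responses, with_credentials=False):
    """Decide whether script running on `page_origin` may read the XHR result.

    A request that starts same-origin but is redirected to another origin is
    cross-origin from then on, so its final response needs an acceptable
    Access-Control-Allow-Origin header just like a request that was
    cross-origin from the start.
    """
    final_url, _status, headers, left_origin = follow_redirects(request_url, responses)
    if not left_origin and origin_of(final_url) == origin_of(page_origin):
        return True  # ordinary same-origin request: CORS does not apply

    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False  # header absent: the response must not be exposed
    if acao == "*":
        return not with_credentials  # wildcard is not acceptable for credentialed requests
    if origin_of(acao) != origin_of(page_origin):
        return False
    if with_credentials:
        return headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return True


# Constructed sample responses: app.example is the page's origin, other.example an external host.
SAMPLE_RESPONSES = {
    "https://app.example/local": (200, {"Content-Type": "application/json"}),
    "https://app.example/api/data": (302, {"Location": "https://other.example/data"}),
    "https://other.example/data": (200, {"Content-Type": "application/json"}),
    "https://other.example/open": (200, {"Access-Control-Allow-Origin": "*"}),
    "https://other.example/cred": (200, {"Access-Control-Allow-Origin": "https://app.example",
                                         "Access-Control-Allow-Credentials": "true"}),
}

if __name__ == "__main__":
    page = "https://app.example"
    for url in ("https://app.example/local", "https://app.example/api/data",
                "https://other.example/open", "https://other.example/data"):
        verdict = "exposed" if may_expose_response(page, url, SAMPLE_RESPONSES) else "blocked"
        print(f"{url} -> {verdict}")
```

The redirected case (/api/data) is the one the report calls out: the request was same-origin when the page issued it, but the final response comes from other.example without an Access-Control-Allow-Origin header, so the result must be blocked rather than returned to the page.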
551349-5 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
Solution Article: K80203854
Component: TMOS
Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.
Conditions:
A monitor exists with a non-explicit address and an explicit port on a BIG-IP system running 10.2.4, and the system is then upgraded to 11.5.x (or a 10.2.4 UCS is installed).
Impact:
Monitors appear to function normally, but they have the wrong format in the config file.
Workaround:
None.
Fix:
The system now determines whether a non-explicit (*) address is IPv4 or IPv6 based on the next character to be parsed.
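As an added example (not F5 code), the following Python parser applies the rule the fix describes to BIG-IP monitor destination strings. BIG-IP joins address and port with ':' for IPv4 and '.' for IPv6; for the non-explicit address '*' there is no address text to classify, so the family is decided by the separator that follows the '*'. A round-trip helper makes the upgrade defect visible: the bug described above amounts to roundtrip('*:80') producing '*.80'. Function names and the sample destinations are assumptions for this example.

```python
import ipaddress


def _parse_port(text):
    """A port is either '*' (any) or an integer in 0..65535."""
    if text == "*":
        return "*"
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {text!r}")
    return port


def parse_monitor_destination(dest):
    """Parse a BIG-IP monitor destination into (family, address, port).

    family is 4, 6, or 'any' (for a bare '*').
    '10.0.0.1:80'     -> (4, '10.0.0.1', 80)
    '2001:db8::1.80'  -> (6, '2001:db8::1', 80)
    '*:80'            -> (4, '*', 80)      separator ':' means IPv4
    '*.80'            -> (6, '*', 80)      separator '.' means IPv6
    """
    if dest == "*":
        return ("any", "*", "*")
    if dest.startswith("*"):
        # Non-explicit address: only the next character tells us the family.
        sep, rest = dest[1:2], dest[2:]
        if sep == ":":
            return (4, "*", _parse_port(rest))
        if sep == ".":
            return (6, "*", _parse_port(rest))
        raise ValueError(f"unrecognised wildcard destination: {dest!r}")
    if dest.count(":") == 1:
        # Exactly one ':' means IPv4 address:port.
        addr, _, port = dest.rpartition(":")
        return (4, str(ipaddress.IPv4Address(addr)), _parse_port(port))
    # Otherwise IPv6 address.port, where the last '.' separates the port.
    addr, sep, port = dest.rpartition(".")
    if not sep:
        raise ValueError(f"missing port separator: {dest!r}")
    return (6, str(ipaddress.IPv6Address(addr)), _parse_port(port))


def format_monitor_destination(family, address, port):
    """Inverse of parse_monitor_destination; the family picks the separator."""
    if family == "any":
        return "*"
    return f"{address}{':' if family == 4 else '.'}{port}"


def roundtrip(dest):
    """Parse and re-serialise; a correct parser returns its input unchanged."""
    return format_monitor_destination(*parse_monitor_destination(dest))


if __name__ == "__main__":
    for sample in ("*:443", "*.443", "*", "10.0.0.1:80", "2001:db8::1.80", "10.0.0.1:*"):
        print(f"{sample:16} -> {parse_monitor_destination(sample)}  roundtrip={roundtrip(sample)}")
```

A quick check of an exported configuration after upgrade can use the same idea: any monitor whose destination no longer round-trips to the value it had in the pre-upgrade UCS was rewritten into the wrong family.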
551208-6 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.
Component: Local Traffic Manager
Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.
Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435
Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.
Workaround:
None.
Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.
550547-2 : URL including a "token" query fails results in a connection reset
Component: Access Policy Manager
Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"
Conditions:
Configure an Explicit SWG with a PRP that includes [protocol lookup (https) + category-lookup]
This occurs with either NTLM or basic authentication.
This is triggered on sites that have "token" in the query parameters.
Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"
Workaround:
Workaround iRule:
when HTTP_REQUEST {
    if { [HTTP::query] contains "token" } {
        set fix 1
        HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}
when HTTP_REQUEST_SEND {
    if { [info exists fix] && $fix equals 1 } {
        clientside {
            HTTP::query [string map "aabbcc token" [HTTP::query]]
            unset fix
        }
    }
}
Fix:
A customization namespace for the subsession state prefix, with the default value "000fffff", has been added and is controlled via the db variable tmm.access.subsessionstateprefix. The prefix is placed before the state/token query parameter, and validation now checks for the prefix value before triggering the serialize/deserialize code, which avoids the RST.
If a UCS is restored and used with a hotfix, the newly added DB variable might not be present in the /config/Bigdb.dat file. Add the following to /config/Bigdb.dat, then run "bigstart restart" to ensure proper operation.
#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32
550161-4 : Networking devices might block a packet that has a TTL value higher than 230.
Component: Local Traffic Manager
Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.
Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).
Impact:
No access to the resources.
Workaround:
None.
Fix:
The TTL value can now be changed from the hardcoded value of 255. This accommodates networking devices that block a packet whose TTL value is higher than 230.
549329-3 : L7 mirrored ACK from standby to active box can cause tmm core on active
Solution Article: K02020031
Component: Local Traffic Manager
Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.
Conditions:
HA active-standby configuration setup for L7 packet mirroring.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
547479-5 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
Component: TMOS
Symptoms:
TMM crashes with a subkey that has master_record field set to true.
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
547053-1 : Bad actor quarantining
Component: Anomaly Detection Services
Symptoms:
An issue was found where bad actors could be released from quarantine due to a timing issue
Conditions:
This is a timing issue related to having an unusually high number of bad actors at the same time.
Impact:
Traffic can be removed from quarantine and passed to the web server
Fix:
An issue was fixed related to bad actor quarantining
546145-1 : Creating local user for previously remote user results in incomplete user definition.
Component: TMOS
Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.
Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.
Impact:
User cannot authenticate. User name does not appear in User List.
Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.
545810-3 : TMM halts and restarts
Solution Article: K14304373
Component: Local Traffic Manager
Symptoms:
TMM halts and restarts.
Conditions:
This crash can happen when passing egress traffic on LTM virtual servers that meet the following two configuration criteria:
-- The virtual server is configured with a Fast HTTP profile.
Impact:
Halt and restart of TMM. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Now the system receives only packets that it owns and can be re-used, so this issue no longer occurs.
545796-5 : [iRule] [Stats] iRule is not generating any stats for executed iRules.
Component: Local Traffic Manager
Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.
Conditions:
This occurs when the following steps are taken:
1. Move/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.
Impact:
No iRule usage stats available.
Workaround:
None.
Fix:
iRule now generates stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.
545450-5 : Log activation/deactivation of TM.TCPMemoryPressure
Component: Local Traffic Manager
Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.
Conditions:
TM.TCPMemoryPressure set to "enable".
Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.
Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.
544906-2 : Issues when using remote authentication when users have different partition access on different devices
Solution Article: K07388310
Component: TMOS
Symptoms:
User validation fails when adding a partition when the [All] partition already exists, or when adding the [All] partition if a specific (non-All) partition is already configured for that user.
For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].
Conditions:
Devices configured for remote authentication.
User A on device 1 with role on all-partitions.
User A on device 2 with role restricted to a single partition.
Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.
Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.
Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.
Fix:
User authentication completes successfully for operations on multiple devices on which a single user has different partition access configured.
544477 : New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.
Component: TMOS
Symptoms:
Phone support is not available for hourly billing customers in cloud marketplaces.
Conditions:
All hourly billing VE instances in AWS Marketplace.
Impact:
Phone support is not available for hourly billing VE instances.
Fix:
New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.
Behavior Change:
Changed licensing for hourly billing instances from pre-licensed image to template reg key which must be licensed through the license server.
544033-5 : ICMP fragmentation request is ignored by BIG-IP
Solution Article: K30404012
Component: Local Traffic Manager
Symptoms:
Client sends a large ICMP Echo Request whose size exceeds the MTU of the network the packet traverses requiring the ICMP Echo Response to be fragmented. BIG-IP ignores the fragmentation request and continues sending ICMP Echo Replies that exceed the network MTU.
Conditions:
-- A large (exceeds MTU of network traversed) ICMP Echo Request is directed to a Virtual Address on the BIG-IP system.
-- The ICMP Echo Reply is larger than the upstream network's MTU, resulting in an ICMP Fragmentation Needed message being sent to the BIG-IP system.
Impact:
ICMP Echo Reply is not received by the requester.
Workaround:
None.
Fix:
The client now correctly receives the ICMP Echo Reply from the Virtual Address when the echo request has been fragmented.
543208-1 : Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★
Component: TMOS
Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:
01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..
Conditions:
This occurs when the following sets of conditions are met:
Condition set 1
===============
-- Your BIG-IP high availability (HA) device group members are running BIG-IP 11.6.0 or 11.6.1.
-- You upgrade a peer HA device to BIG-IP 12.x or later.
-- After you upgrade that peer, a failover event occurs.
Condition set 2
===============
-- Your BIG-IP HA device group members are running BIG-IP 12.0.0, 12.1.0, 12.1.1, or 12.1.2.
-- You upgrade a peer HA device to BIG-IP 13.x or later.
-- After you upgrade that peer, a failover event occurs.
Note: This might be most evident with APM configurations.
Impact:
mcpd on the devices running the affected versions may become unresponsive. Upgrade fails. This is fundamentally the result of device group members running different software versions.
Workaround:
None.
Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.
542097-4 : Update to RHEL6 kernel
Component: TMOS
Symptoms:
A rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic.
Conditions:
Running the RHEL6 kernel under heavy disk load; more likely on a vCMP host.
Impact:
Unexpected machine reboot causing loss of service.
Workaround:
None.
Fix:
Red Hat provided an update in RHEL 6.7.
F5 backported it to RHEL 6.4 and 6.5:
jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()
541550-3 : Defining more than 10 remote-role groups can result in authentication failure
Component: TMOS
Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:
notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false
Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.
Impact:
User cannot authenticate.
Workaround:
None.
541549-2 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
Component: TMOS
Symptoms:
The default setting of an AMI is not to delete an attached volume when the instance is terminated. This results in extra effort to delete the volume manually after terminating the instance. If this is not always done, orphaned volumes incur extra charges.
Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.
Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This option is set to be default now. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in AWS console.
Workaround:
None.
Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.
Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.
541320-10 : Sync of tunnels might cause restore of deleted tunnels.
Solution Article: K50973424
Component: TMOS
Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.
Conditions:
Viewing tunnels after a full load sync.
Impact:
This might result in a deleted tunnel being restored to the configuration.
Workaround:
None.
Fix:
Sync of tunnels no longer causes restore of deleted tunnels.
540928-1 : Memory leak due to unnecessary logging profile configuration updates.
Component: Application Security Manager
Symptoms:
There is a memory leak in ASM control plane daemons after processing many calls in a long-lived process.
Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)
Impact:
Memory consumption by ASM control plane daemons increases.
Workaround:
Restart ASM, which causes a failover and downtime.
Alternatively, just kill asm_config_server:
pkill -f asm_config_server
It is restarted by the ASM process watchdog in ~15 seconds, and this should not cause a failover or downtime.
Fix:
An async worker lifecycle was introduced so long lived processes will now dispatch a fixed number of calls to their workers before retiring them.
540872-1 : Config sync fails after creating a partition.
Component: TMOS
Symptoms:
Config sync fails after creating a partition. A config sync error similar to the following occurs:
Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist
Conditions:
This error occurs when a folder is created in the same transaction that an object is also created in that folder.
This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created.
Impact:
A transaction will fail or incremental sync on APM will fail on a peer.
Workaround:
In the case of transactions, create partitions and folders in a separate transaction from any object creation.
For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.
539360 : Firmware update that includes might take over 15 minutes. Do not turn off device.
Component: TMOS
Symptoms:
On certain platforms, firmware updates might take over 15 minutes to complete. It is very important to wait until the update completes. Do not turn off the device until the operation is finished.
Conditions:
This occurs on the following iSeries platforms: i2000, i4000, i5000, i7000, and i10000.
Impact:
Reboot takes a long time. The GUI posts the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.
Workaround:
None.
Fix:
Although reboot takes a long time on the iSeries platforms, the GUI posts a message containing a time range, similar to the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.
539093-1 : VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
Solution Article: K26104530
Component: TMOS
Symptoms:
Virtual Edition (VE) deployed with 1 CPU only shows INOPERATIVE status until at least one VLAN is both configured and attached to an interface.
Conditions:
Install the BIG-IP Virtual Edition software on a VM with 1 CPU (1 CPU/2048 MB RAM option available in OVA) and license, but do not create any VLANs (or create VLANs, but do not attach them to an interface).
Impact:
In the CLI, device remains in INOPERATIVE state, but shows ACTIVE in the GUI. This might cause unneeded delay trying to rectify what appears to be a license issue when there is none.
Workaround:
To work around this, configure at least one VLAN and attach it to an interface.
537553-8 : tmm might crash after modifying virtual server SSL profiles in SNI configuration
Component: Local Traffic Manager
Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:
-- BIG-IP system sends an invalid memory access segmentation fault (SIGSEGV) or floating point error (SIGFPE), signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed
Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Making SSL profile configuration changes now completes successfully.
536563-7 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
Component: Local Traffic Manager
Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.
Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.
Impact:
Unexpected RSTs (Clientside).
Workaround:
None.
534520-1 : qkview may exclude certain log files from /var/log
Component: TMOS
Symptoms:
After generating a qkview, some log files are missing.
Conditions:
This can occur intermittently while generating a qkview.
Impact:
Certain key log files that might be needed for troubleshooting are missing from the qkview.
Workaround:
None.
Fix:
After generating a qkview, all log files are now present.
534457-4 : Dynamically discovered routes might fail to remirror connections.
Component: Local Traffic Manager
Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.
Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.
Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.
Workaround:
Provide a static route instead of dynamic routes.
Fix:
Remirroring L4 connections using dynamic routes works correctly. (Note that when using dynamic routes it is not guaranteed that the active and standby systems will use the same routes; if the same routing is required on both the active and the standby, there might be some dropped connections when the system fails over.)
534247-1 : Issue a Body in Get sub violation for GET request with content type header
Component: Application Security Manager
Symptoms:
A GET request without a payload but with a payload indication (a content type header) does not trigger the 'Body in GET' sub-violation.
Conditions:
A Get request without payload arrives.
The request has a content type header although there is no payload.
Impact:
A suspicious request goes by undetected.
Workaround:
Add an iRule that removes this request from the ASM and issues a custom violation.
Fix:
A GET request without payload but with content type header will issue the body in GET sub violation.
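As an added illustration (not ASM code), the following Python example parses a raw HTTP request and applies the 'Body in GET' check, including the pre-fix gap described above where a GET carries a Content-Type header but no payload. The violation name and the sample requests are constructed for this example.

```python
"""Added example (not ASM code): a small HTTP request parser and a check for the
'Body in GET' case from 534247-1, including the pre-fix gap where a GET carries a
Content-Type header (payload indication) but no payload. The violation name and
the sample requests are constructed for illustration."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return method.decode("ascii"), target.decode("ascii"), headers, body


def _declared_length(headers: dict) -> int:
    """Content-Length as an int; a malformed value counts as 'no length declared'."""
    try:
        return int(headers.get("content-length", "0"))
    except ValueError:
        return 0


def body_in_get_findings(raw: bytes) -> list:
    """Return the (constructed) sub-violation names raised for a GET request."""
    method, _target, headers, body = parse_request(raw)
    if method != "GET":
        return []
    findings = []
    if body:
        # The classic case: a payload is actually present on a GET.
        findings.append("BODY_IN_GET")
    elif "content-type" in headers or _declared_length(headers) > 0:
        # Payload indicated by headers but absent: the case that went undetected
        # before the fix; after the fix it raises the same sub-violation.
        findings.append("BODY_IN_GET")
    return findings


# Constructed sample requests.
GET_WITH_CONTENT_TYPE = (b"GET /search?q=1 HTTP/1.1\r\nHost: app.example\r\n"
                         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
GET_WITH_BODY = (b"GET /search HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Length: 3\r\n\r\nq=1")
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
POST_WITH_BODY = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 3\r\n\r\nq=1")

if __name__ == "__main__":
    for name, req in [("GET+Content-Type", GET_WITH_CONTENT_TYPE),
                      ("GET+body", GET_WITH_BODY),
                      ("plain GET", PLAIN_GET),
                      ("POST+body", POST_WITH_BODY)]:
        print(f"{name:17s} -> {body_in_get_findings(req)}")
```

The header-only branch is the one that distinguishes the fixed behaviour: a GET that announces a body it never sends is still flagged, rather than passing through undetected.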
533956-3 : Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
Solution Article: K30515450
Component: Access Policy Manager
Symptoms:
Extended Unix Code (EUC) character sets include several white space characters which have no ASCII equivalents. These characters are not recognized as white spaces by Portal Access. This may lead to incorrect handling of HTML pages, XML files and/or JavaScript files in these character sets.
Conditions:
- HTML page, XML file or JavaScript file in any EUC encoding scheme (EUC-JP, for example).
Impact:
Page or file in EUC encoding scheme may not be parsed correctly.
Workaround:
Use an iRule to replace the non-ASCII-compatible white space characters with ordinary ASCII spaces.
Fix:
Now text content using EUC character encoding schemes is handled correctly by Portal Access.
531979-6 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.
Component: Local Traffic Manager
Symptoms:
In the ClientHello message, the system sets the SSL version in the record layer to the same value as the version field of the ClientHello message, which is the highest SSL version the system supports.
Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:
SSL Record:
Content Type: Handshake (22)
Version: $LOWEST_VERSION
Handshake Record:
Handshake Type: Client Hello (1)
Version: $HIGHEST_VERSION
The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.
Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.
For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.
Impact:
SSL handshake fails.
Workaround:
There is no workaround for this issue.
Fix:
The SSL version in the record layer of the ClientHello is now set to the lowest supported version, which eliminates the handshake failure that occurred when the highest SSL version the BIG-IP system supports did not fall into the range that an SSL peer supports.
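The following Python example is added here to make the two version fields concrete; it is not BIG-IP code. It builds a minimal ClientHello, parses the record-layer and handshake versions back out, and models a peer that reads the record-layer version as the client's lowest supported version and the ClientHello version as its highest, as the entry describes. The cipher suite, client random and the peer's version range are constructed for the example.

```python
"""Added example (not BIG-IP code): build and parse a minimal TLS ClientHello to
show the two version fields from 531979-6, and model a peer that reads the
record-layer version as the client's lowest supported version and the
ClientHello version as its highest. Cipher suite and random are constructed."""
import struct

SSLv3, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)


def build_client_hello(record_version, hello_version, client_random=b"\x00" * 32):
    """Wrap a bare-bones ClientHello in a TLS record. Only the version fields matter here."""
    session_id = b"\x00"                        # empty session id
    cipher_suites = b"\x00\x02\x00\x2f"         # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                   # null compression only
    body = bytes(hello_version) + client_random + session_id + cipher_suites + compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return (b"\x16" + bytes(record_version)                         # type 22 = Handshake
            + struct.pack(">H", len(handshake)) + handshake)


def parse_client_hello_versions(record: bytes):
    """Return (record_layer_version, client_hello_version) as (major, minor) tuples."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (record[1], record[2])
    (rec_len,) = struct.unpack(">H", record[3:5])
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello_version = (handshake[4], handshake[5])
    return record_version, hello_version


def negotiate(record: bytes, peer_lowest, peer_highest):
    """Version a de facto peer would pick, or None when the ranges do not overlap."""
    client_lowest, client_highest = parse_client_hello_versions(record)
    low = max(client_lowest, peer_lowest)
    high = min(client_highest, peer_highest)
    return high if low <= high else None


if __name__ == "__main__":
    # Peer that only speaks TLS1.0 and TLS1.1, as in the entry's example.
    pre_fix = build_client_hello(TLS1_2, TLS1_2)   # record layer = highest version
    post_fix = build_client_hello(TLS1_0, TLS1_2)  # record layer = lowest version
    print("pre-fix :", negotiate(pre_fix, TLS1_0, TLS1_1))    # None -> handshake fails
    print("post-fix:", negotiate(post_fix, TLS1_0, TLS1_1))   # (3, 2) -> TLS1.1
```

Running the same parser against a capture of a real ClientHello is a quick way to confirm which of the two behaviours a given stack exhibits.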
530927-8 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
Component: TMOS
Symptoms:
If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.
Conditions:
Interfaces use a lower speed than their capacity.
Trunk is created where the highest speed of any of the members is this reduced speed.
Interface, also lowered, is added to the trunk.
Impact:
Interface cannot be added to the trunk.
Workaround:
Remove all interfaces, then re-add them all at the same time.
Fix:
The BIG-IP system now correctly adds interfaces to a trunk formed from interfaces running at a lowered speed.
530877-7 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.
Solution Article: K13887095
Component: Local Traffic Manager
Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.
If the iRule contains a suspending command, the system may eventually stop accepting connections to any TCP virtual servers that have the Verified Accept option enabled.
Conditions:
This occurs when all of the following conditions are met:
- Standard Virtual Server is configured.
- Virtual Server is configured with a TCP profile in which Verified Accept is enabled.
- Client sends the initial data to be sent on the ACK of the three-way-handshake.
Impact:
Depending on the scenario, this might:
- Result in the specific connection being reset.
- Eventually result in TMM being unable to process any further connections to virtual servers with Verified Accept enabled.
Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking whether the variable has been set on subsequent runs.
Fix:
The BIG-IP system now correctly processes initial data on the ACK of a three-way handshake when used with Verified Accept so iRule processing does not run the CLIENT_ACCEPTED event twice.
530530-6 : tmsh sys log filter displays in UTC time
Component: TMOS
Symptoms:
When using the time-based log filters hour, minute, and second, tmsh returns results based on UTC time.
Conditions:
Use range filter for 'tmsh show sys log' in either of the following ways:
Filter logs by hour.
Filter logs for less than 8 hours.
Impact:
tmsh does not filter the log correctly with 'range' filter.
Workaround:
Calculate the difference between the local BIG-IP system time and UTC, or change the system time to UTC.
530266-7 : Rate limit configured on a node can be exceeded
Component: Local Traffic Manager
Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.
Conditions:
More than one TMM must be running, and a rate limit must be configured on the node.
Impact:
Node rate limit feature does not work as intended.
Workaround:
Configure the rate limit on the pool member instead of on the node; the pool member rate limit is honored.
530109-3 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
Component: Access Policy Manager
Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.
Impact:
OCSP authentication might fail because the wrong URL is used.
Workaround:
1. Clear the URL field.
2. Uncheck option 'Ignore AIA'.
Fix:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.
Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.
528499-3 : AFM address lists are not sorted while trying to create a new rule.
Component: Advanced Firewall Manager
Symptoms:
AFM address lists are not sorted while trying to create a new rule.
Conditions:
Seen only in the rule creation page.
Impact:
AFM address lists are not sorted in the rule creation page.
Workaround:
none
Fix:
AFM address lists are now sorted in the rule creation page.
527720-1 : Rare 'No LopCmd reply match found' error in getLopReg
Component: TMOS
Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.
This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.
Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.
Workaround:
None.
527206-5 : Management interface may flap due to LOP sync error
Component: TMOS
Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.
Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.
Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.
Workaround:
None.
Fix:
Rare Management interface flap due to LOP sync error no longer occurs on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.
526708 : system_check shows fan=good on removed PSU of 4000 platform
Component: TMOS
Symptoms:
Running system_check on a 4000 platform with one PSU removed will still show status FAN=good; STATUS=good.
Conditions:
This applies only to the BIG-IP 4000 platform.
Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.
Fix:
If a PSU has been removed, system_check will now show status STATUS=not present
525429-11 : DTLS renegotiation sequence number compatibility
Component: Access Policy Manager
Symptoms:
The OpenSSL library was modified to keep it compatible with the RFC 6347-compliant DTLS server renegotiation sequence number implementation.
Conditions:
The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library is modified to be compatible with RFC 6347.
The current APM client is compatible with the old OpenSSL library, not the new OpenSSL library.
Impact:
The current APM client is not compatible with the new OpenSSL library.
Fix:
The APM client is now compatible with both the old and new OpenSSL library.
524277-2 : Missing power supplies issue warning message that should be just a notice message.
Component: TMOS
Symptoms:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.
Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.
Conditions:
Running chassis with absent power supplies, or with power not applied, will cause ltm to issue warning messages.
Impact:
Extra logging.
Workaround:
Ignore missing power supply warning messages.
Fix:
Missing power supplies now issue a notice-level message in /var/log/ltm instead of a warning.
Absent power supplies are logged at notice level, not warning level, since this is a normal, acceptable way of running a system.
521370-1 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
Component: Application Security Manager
Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.
Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.
Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.
Fix:
Auto-Detect Language policy no longer contains disallowed high ASCII meta-characters.
521270-1 : Hypervisor might replace vCMP guest SYN-Cookie secrets
Component: TMOS
Symptoms:
Traffic suddenly stops passing on platforms in vCMP mode when SYN-cookie mode is triggered.
Occasionally, under HW-SYN-Cookie mode, HW-SYN-Cookie validation can fail, which triggers the software SYN-Cookie procedure, which does succeed.
Under vCMP guest, you might notice hwalgo_accept increasing under TMCTL table epva_hwvipstat. If this packet's destination is the local high-layer TCP stack, there is no functional impact. Otherwise, there might be a performance impact.
Under vCMP mirroring, however, the packet (failed to validate by FPGA), is sent to the remote TMM, which does not have the correct secret to validate, which causes the connection issue.
Conditions:
vCMP provisioning setup.
Impact:
Under a vCMP guest, you might notice hwalgo_accept increasing in the TMCTL table epva_hwvipstat; under HW-SYN-Cookie mode, every packet would otherwise be validated automatically by the FPGA.
You might also notice hwalgo_invalid if the FPGA used the updated secret from the hypervisor for SYN-Cookie generation and the guest and hypervisor secret index overlap.
Even when the guest and hypervisor secret index are not the same, the history secret might be updated by the hypervisor, which might trigger additional hwalgo_accept.
Under vCMP mirroring, however, the packet that failed FPGA validation is sent to the remote TMM, which does not have the correct secret to validate it, so the error rate could be higher.
Workaround:
On the vCMP hypervisor, run the following commands.
1. echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl
2. bigstart restart TMM
On a multiple blade system, you must run these commands on all blades.
Fix:
Hypervisor no longer replaces vCMP guest SYN-Cookie secrets.
521204-2 : Include default values in XML Policy Export
Component: Application Security Manager
Symptoms:
XML Policy Export does not include some entities, unless their values are different from the system's default settings.
Conditions:
-- ASM provisioned.
-- Configuration contains some entities whose values match the defaults.
-- Export security policy in XML format.
Impact:
XML Policy Export does not include those entities; it only includes entities when their values are different from the system's default settings.
Workaround:
None.
Fix:
XML policy export operations now exclude defaults only when exporting a minimal XML configuration.
519612-1 : JavaScript challenge fails when coming within iframe with different domain than main page
Component: Advanced Firewall Manager
Symptoms:
The JavaScript Challenge fails when coming within an iframe that is on a different domain than the main page.
Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
c. Device-ID (fingerprint)
d. Web Scraping Bot Detection Challenge
e. Proactive Bot Defense (with/without "Block Suspicious Browsers")
Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.
Workaround:
It is possible to work around the problem using Proactive Bot Defense (DoS Profile) and iRules.
This works even if the problem is in Web Scraping and DoS profile was not previously used.
The following steps must be done for the Virtual Server handling the iframe, as well as the one handling the main page.
1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/" } {
        BOTDEFENSE::cs_allowed true
    }
}
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.
Fix:
JavaScript challenges no longer fail when coming within an iframe on a different domain than the main page.
518201-4 : ASM policy creation fails after upgrading
Component: Application Security Manager
Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. You will see the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------
It does not matter if the security policy was created by the command line or by the Configuration utility.
Conditions:
ASM provisioned
Upgrade to 11.6.X
Impact:
ASM policies cannot be created.
Workaround:
Please apply the following workaround, as root user, from the command line of the affected BIG-IP.
Please run these exact commands - copy and paste into the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
Be advised that this operation will permanently affect the mentioned database table.
It is strongly advised to first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------
Before applying the workaround, first make sure that you indeed need one.
You can do that by running this in the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
In case this query does not return any output - it means that there is no need to apply the mentioned workaround.
In case you do need to apply the workaround, you can use the same "SELECT *" query to validate the workaround, after it has been applied. Namely, after the workaround was applied, the "SELECT *" query should return no output.
Fix:
We've fixed ASM policy creation so that it does not fail after upgrade.
517756-6 : Existing connections can choose incorrect route when crossing non-strict route-domains
Component: Local Traffic Manager
Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.
Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.
Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.
Workaround:
None.
Fix:
Existing connections now choose the correct route when crossing non-strict route-domains.
513288-7 : Management traffic from nodes being health monitored might cause health monitors to fail.
Component: Local Traffic Manager
Symptoms:
Management traffic from nodes being health monitored might cause health monitors to fail.
Conditions:
A health monitor checks node_ip:port where 1024 <= port < 65536, and the node periodically connects back to a management service on a self IP (e.g., iControl, GUI, SSH).
Impact:
Traffic is not sent to the node while the monitor is failing.
Workaround:
None.
Fix:
Management traffic from nodes being health monitored no longer causes health monitors to fail.
510631-1 : B4450 L4 No ePVA or L7 throughput lower than expected
Component: Performance
Symptoms:
L4 no ePVA and L7 performance was limited to as little as 146Gbps under some traffic conditions instead of the advertised capability of 160Gbps.
Conditions:
This occurs on the B4450 blade.
Impact:
Performance lower than expected
Fix:
Driver enhancements in 12.1.2 and 13.0 enable full 160G performance.
509980-1 : Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.
Component: TMOS
Symptoms:
When a DSC cluster is configured using HA Groups, spurious HA group configuration errors can be displayed when rebooting another member of the DSC cluster.
These messages can appear in the output of the "show cm traffic-group", or on the Device Management -> Traffic Groups page.
Conditions:
HA-DSC Cluster with 2 or more members. HA Groups are configured on one or more traffic groups on all Cluster members.
A Cluster member is rebooted, and an administrator is viewing the Device Management -> Traffic Groups page, or issuing the "show cm traffic-group" command.
Impact:
A message stating that all traffic group(s) should have an HA Group configured may be incorrectly displayed. This has no effect on the operation of the system, and will clear once the cluster member has finished rebooting.
Workaround:
There is no workaround or mitigation other than upgrading to a release with the required fix.
Fix:
HA Daemon has been updated to correctly track the configuration of HA Groups on other devices during device reboots.
509858-5 : BIG-IP FastL4 profile vulnerability
Solution Article: K36300805
Component: Local Traffic Manager
Symptoms:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Conditions:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Impact:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Fix:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
507240-4 : ICMP traffic cannot be disaggregated based on IP addresses
Solution Article: K13811263
Component: TMOS
Symptoms:
ICMP traffic might not be disaggregated evenly if there is not enough entropy from the ICMP header.
Conditions:
-- ICMP traffic has low entropy in ICMP header.
-- System is configured to disaggregate traffic.
Impact:
Traffic imbalance.
Workaround:
None.
Fix:
This release supports disaggregation of ICMP traffic based on IP addresses, in addition to ICMP headers. To enable the feature, use the following commands:
In v13.x:
tmsh modify net dag-globals icmp-hash ipicmp
In v12.x:
tmsh modify sys db dag.icmp_hash value ipicmp
Note: This feature cannot be used if the BIG-IP system translates IP addresses for ICMP traffic.
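To show why hashing on the IP addresses matters, here is an added Python model of disaggregation (DAG) across TMMs; it is not BIG-IP code. The hash function, packet layout, TMM count and the sample echo requests are all constructed for the example: it contrasts a hash over the ICMP header alone with an 'ipicmp'-style hash over the IP addresses plus the ICMP header.

```python
"""Added example (not BIG-IP code): a toy model of traffic disaggregation (DAG)
across TMMs, contrasting a hash over the ICMP header alone with the 'ipicmp'
style hash over IP addresses plus the ICMP header (507240-4). The hash
function, packet layout, TMM count and sample packets are assumptions."""
import hashlib
import ipaddress
import struct
from collections import Counter


def _bucket(key: bytes, n_tmm: int) -> int:
    """Map a flow key onto one of n_tmm TMMs (stand-in for the hardware DAG hash)."""
    digest = hashlib.blake2b(key, digest_size=4).digest()
    return int.from_bytes(digest, "big") % n_tmm


def dag_icmp_header(pkt: dict, n_tmm: int) -> int:
    """Pre-fix behaviour: only the ICMP identifier and sequence feed the hash."""
    return _bucket(struct.pack(">HH", pkt["icmp_id"], pkt["icmp_seq"]), n_tmm)


def dag_ip_icmp(pkt: dict, n_tmm: int) -> int:
    """'ipicmp' behaviour: source and destination IP addresses are hashed as well.
    This only stays consistent when the BIG-IP does not translate the IP
    addresses of the ICMP traffic, which is the restriction noted above."""
    key = (pkt["src"].packed + pkt["dst"].packed
           + struct.pack(">HH", pkt["icmp_id"], pkt["icmp_seq"]))
    return _bucket(key, n_tmm)


def distribution(packets, n_tmm: int, dag) -> list:
    """Count how many packets each TMM would receive under the given DAG function."""
    counts = Counter(dag(p, n_tmm) for p in packets)
    return [counts.get(i, 0) for i in range(n_tmm)]


def sample_echo_requests(n_sources: int) -> list:
    """Constructed sample: echo requests from n_sources distinct hosts that all use
    the same identifier/sequence, i.e. the low-entropy ICMP header case."""
    base = ipaddress.ip_address("10.0.0.1")
    dst = ipaddress.ip_address("192.0.2.10")
    return [{"src": base + i, "dst": dst, "icmp_id": 1, "icmp_seq": 1}
            for i in range(n_sources)]


if __name__ == "__main__":
    pkts = sample_echo_requests(256)
    print("ICMP header only:", distribution(pkts, 8, dag_icmp_header))
    print("IP + ICMP header:", distribution(pkts, 8, dag_ip_icmp))
```

With identical identifier/sequence values the header-only hash lands every packet on a single TMM; adding the addresses spreads the same traffic across all of them.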
507206-1 : Multicast Out stats always zero for management interface.
Component: TMOS
Symptoms:
Multicast Out stats are always zero for the management interface.
Conditions:
Statistics information on the management interface.
Impact:
The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover.
Workaround:
Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.
506543-5 : Disabled ephemeral pool members continue to receive new connections
Component: Local Traffic Manager
Symptoms:
Disabled ephemeral pool members continue to be selected for new connections.
Conditions:
FQDN parent node is disabled causing its derived ephemeral pool members to be marked disabled.
Impact:
Unexpected traffic load balanced to disabled pool members.
Workaround:
None.
Fix:
Traffic will no longer be load balanced to disabled ephemeral pool members.
503842-4 : Microsoft WebService HTML component does not work after rewriting
Component: Access Policy Manager
Symptoms:
The Microsoft webservice.htc component provides JavaScript interface for SOAP services for Microsoft Internet Explorer (IE). It stops working after rewriting through reverse proxy.
Conditions:
-- Using Microsoft webservice.htc component.
-- Rewriting through reverse proxy.
-- Running IE.
Impact:
Microsoft WebService component stops working.
Workaround:
You can use the following iRule to work around this issue:
---
when HTTP_REQUEST {
    # Downgrade IE compatibility mode
    set downgrade_ie_compat 0
    if { [HTTP::path] contains "PreviewQualitySheet.aspx" } {
        set UAString [string tolower [HTTP::header User-Agent]]
        if { ! ($UAString contains "msie 8.") and ! ($UAString contains "msie 7.")} {
            set downgrade_ie_compat 8
        }
    }
    # do not rewrite WebService HTML Component
    # because IE ignores it after rewriting.
    # patching a few things manually instead
    set ms_webservice_fix 0
    if { [HTTP::uri] ends_with "webservice.htc"} {
        set ms_webservice_fix 1
        HTTP::uri "[HTTP::uri]?F5CH=I"
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
}
when HTTP_RESPONSE {
    if { $downgrade_ie_compat > 0 && ! [HTTP::header exists X-UA-Compatible] } {
        HTTP::header replace "X-UA-Compatible" "IE=$downgrade_ie_compat"
    }
    if { $ms_webservice_fix == 1 } {
        if { [HTTP::header exists "Content-Length"] and \
             [HTTP::header "Content-Length"] > 0 and \
             [HTTP::header "Content-Length"] <= 1048576 } {
            HTTP::collect [HTTP::header Content-Length]
        } else {
            HTTP::collect 1048576
        }
    }
}
when HTTP_RESPONSE_DATA {
    if { $ms_webservice_fix == 1 } {
        set location [string first \
            {if (co.userName == null)} \
            [HTTP::payload]]
        if { $location > 0 } {
            HTTP::payload replace $location 0 {loc=F5_WrapURL(loc);}
        }
    }
    HTTP::release
}
Fix:
Microsoft WebService HTML component no longer stops working after rewriting.
501892-1 : Selenium is not detected by headless mechanism when using client version without server
Component: Advanced Firewall Manager
Symptoms:
DoSL7 Proactive Bot Defense (Block requests from suspicious browsers) detects Selenium only when the Selenium server is running and a listener is open on one of a specific set of ports.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.
Impact:
If a bot runs only the Selenium client package, it is not blocked by the DoSL7 Proactive Bot Defense mechanism.
Workaround:
N/A
Fix:
The Selenium detection mechanism has been improved: if a bot uses the Firefox or Chrome Selenium driver, it is detected by Proactive Bot Defense's JavaScript code, which checks for the existence of the required Chrome plugins and the Firefox webdriver.
500452-8 : PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
Solution Article: K28520025
Component: TMOS
Symptoms:
The PB4300 blade tries to disaggregate ESP traffic in hardware based on the IPsec ESP Security Parameter Index (SPI) value, but the blade lacks that capability, which causes all ESP traffic to be sent to a single HSB and results in throughput degradation.
Conditions:
When PB4300 receives ESP traffic.
Impact:
Throughput degradation.
Workaround:
None.
Fix:
The PB4300 blade now uses IP addresses to disaggregate ESP traffic in hardware, so throughput is no longer impacted.
487144-2 : tmm intermittently reports that it cannot find FIPS key
Solution Article: K52278479
Component: Global Traffic Manager (DNS)
Symptoms:
You may see the following critical error message in /var/log/ltm: "FIPS acceleration device failure: cannot locate key"
Conditions:
There is a FIPS card in the BIG-IP and the key is retrieved. The exact conditions that cause this are not known, but it seems to be related to GTM being enabled.
Impact:
SSL cannot locate the key on the FIPS card, and SSL will not function properly.
Workaround:
None known, but restarting tmm or rebooting might correct the condition.
Fix:
There is now additional information in the error message that can help resolve the issue.
484542-1 : QinQ tag-mode can be set on unsupported platforms
Component: Local Traffic Manager
Symptoms:
tmsh does not validate QinQ tag-mode and allows invalid values to be set.
Conditions:
This occurs when trying to set QinQ tag-mode to values other than 'none' on unsupported platforms. Only platforms with ePVA support QinQ tagging.
Impact:
Although you can set QinQ tag-mode, the configuration has no effect. There is no negative impact on system functionality.
Workaround:
Only configure QinQ tag-mode on the following platforms: BIG-IP 5050s/5250v/7050s/7250v/10050s/10250v and VIPRION B2150 SSD-based models.
Fix:
QinQ tag-mode is now properly validated when configuring a VLAN via tmsh.
483953-1 : Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
Component: Local Traffic Manager
Symptoms:
ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size while the actual path MTU is lower than that value.
Conditions:
Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message with a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value will be set to the TM.MinPathMTU value even though this still isn't able to traverse the path.
This can affect multiple endpoints when a low MTU is advertised by an endpoint (misconfigured or malicious) behind a shared NAT address.
Impact:
TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU.
This metric will live for 10 minutes by default.
Workaround:
This issue has no workaround at this time.
The route metric lifetime can be lowered using the route.metrics.timeout db key.
Fix:
Path MTUs lower than the value of TM.MinPathMTU will no longer be cached by TMM.
480983-4 : tmrouted daemon may core due to daemon_heartbeat
Component: TMOS
Symptoms:
In rare instances, tmrouted for dynamic routing may core with a message similar to the following: warning sod[8953]: 01140029:4: HA daemon_heartbeat tmrouted fails action is restart.
Conditions:
This rarely occurring issue is caused by timing-related interactions in dynamic routing operations.
Impact:
tmrouted cores and restarts.
Workaround:
None.
Fix:
tmrouted now operates normally under these conditions.
478986 : Powered-down DC PSU is treated as not-present
Component: TMOS
Symptoms:
When power is removed from the PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'.
Conditions:
This occurs when an installed DC powered PSU loses power, and the user runs the command 'tmsh show sys hardware'.
Impact:
Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so the system marks the PSU 'not present'. Once power is restored, all information is available.
Workaround:
Plug the power cable into the PSU. The system can now detect the power supply status and read the PSU info.
472860-5 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
Component: Policy Enforcement Manager
Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
Conditions:
Session created via iRule running on the RADIUS virtual server.
Impact:
RADIUS session statistics are not incremented.
Workaround:
None.
Fix:
Session statistics are now incremented for sessions created when an iRule running on the RADIUS virtual server creates a new session.
472571-7 : Memory leak with multiple client SSL profiles.
Component: Local Traffic Manager
Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.
Conditions:
Multiple client SSL profiles are attached to a virtual server.
Impact:
A small amount of memory leaks each time a profile is changed.
Workaround:
None.
Fix:
Multiple client SSL profiles attached to a virtual server no longer cause memory to leak.
471860-10 : Disabling interface keeps DISABLED state even after enabling
Solution Article: K16209
Component: TMOS
Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.
Conditions:
This occurs when using both tmsh and the GUI.
Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.
Workaround:
Rebooting corrects the indicator.
Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.
471237-2 : BIG-IP VE instances do not work with an encrypted disk in AWS.
Solution Article: K12155235
Component: TMOS
Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS, because encryption/decryption introduces data corruption on the disk that causes some TMOS daemons to fail at run-time.
Conditions:
Deploy a BIG-IP VE guest in AWS with an encrypted disk.
Impact:
TMM cores at startup, and does not start.
Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.
Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.
471029-2 : If the configuration contains a filename with the $ character, then saving the UCS fails.
Component: TMOS
Symptoms:
If the configuration contains a filename or username with the $ character, then saving the UCS fails. Examples of affected objects include cm cert cache-path and cm key cache-path.
tmsh save sys ucs <ucs-id> fails for such configuration.
The error displayed appears similar to the following:
Fatal: executing: md5sum /var/tmp/filestore_temp/files_d/Common_d/certificate_d/:Common:?><.crt_53783_1
Operation aborted.
/var/tmp/configsync.spec: Error creating package.
Conditions:
Filenames or usernames in the configuration contain the $ character, for example cm cert cache-path or cm key cache-path.
Impact:
Saving UCS fails.
Workaround:
Do not use the $ character as part of the filenames or usernames in the configuration.
467709-1 : FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN
Component: Local Traffic Manager
Symptoms:
FQDN nodes and pool members show a status of Green (Available) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response.
Conditions:
This occurs when the DNS server returns an NXDOMAIN response for the configured FQDN name.
Impact:
FQDN nodes and pool members may appear to be Available when no ephemeral nodes/pool members have been created.
Workaround:
None.
Fix:
FQDN nodes and pool members show a status of Yellow (Unavailable) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
466068-1 : Allow setting of the AAA Radius server timeout value larger than 60 seconds
Component: Access Policy Manager
Symptoms:
Sometimes the 60-second timeout for an AAA Radius server is not enough, especially when users need to provide input. The following error message is displayed when a user tries to set a timeout value greater than 60:
"01090676:3: The requested timeout value (120) out of range for aaa radius server (/Common/test-radius-server). (1-60)"
Conditions:
This occurs only when all of the following conditions are met:
- APM is licensed and provisioned
- AAA Radius server is configured
- Radius Auth agent is included in the access policy
Impact:
Users cannot set a timeout value greater than 60 sec for an AAA Radius server. If the response time from the AAA Radius server exceeds 60 sec, users may be unable to log in and access resources when two-factor auth is configured.
Workaround:
There is no workaround.
Fix:
Increased the AAA Radius Server timeout range from 0-60 to 0-180.
464801-3 : Intermittent tmm core
Component: Local Traffic Manager
Symptoms:
tmm intermittently cores. The stack trace signature indicates "packet is locked by a driver".
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an intermittent tmm core.
463097-3 : Clock advanced messages with large amount of data maintained in DNS Express zones
Solution Article: K09247330
Component: Local Traffic Manager
Symptoms:
With a large amount of data maintained in DNS Express (DNSX) zones, TMM can suffer clock advances when performing the DB reload.
Conditions:
Large enough zones in DNSX (several hundred thousand to several million records, depending on hardware).
Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.
Workaround:
Prevent all updates to DNSX zones.
Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones have been significantly improved. The DNSX DB now resides in /shared to resolve DB size issues.
462043-2 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms
Component: Local Traffic Manager
Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', a packet's inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.
Conditions:
On 5000 and C2400 platforms.
Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.
Workaround:
None.
Fix:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', the packets are now handled as expected.
460833-5 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This symptom may occur under the following conditions:
1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.
Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.
459671-4 : iRules source different procs from different partitions and executes the incorrect proc.
Component: Local Traffic Manager
Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.
Conditions:
Multiple iRule procs defined in multiple admin partitions.
Impact:
The iRules "proc" lookup algorithm is not deterministic, or virtual servers are improperly caching and sharing the lookup results.
Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.
456376-4 : BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
Solution Article: K53153545
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. When trying to add '::ffff:0.0.0.0/96' to an address list or directly to a rule the system posts an error: Error parsing IP address: ::ffff:0.0.0.0/96.
Conditions:
-- IPv4-mapped-IPv6 notation in the configuration.
-- Adding prefix length greater than 32.
Impact:
Cannot specify an IPv4-mapped-IPv6 block in an AFM firewall rule (and possibly in other AFM configurations as well).
Workaround:
To drop the IPv4-mapped-IPv6 block, enable the following DoS db variable: dos.dropv4mapped.
Fix:
You can now use tmsh for IPv4-mapped-IPv6 notation with prefix length greater than 32.
455975-1 : Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
Component: Access Policy Manager
Symptoms:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and an incorrect description.
Conditions:
Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns.
Impact:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and an incorrect description.
Workaround:
This issue has no workaround at this time.
Fix:
Access Sessions and Connectivity Sessions are now exposed correctly in the SNMP MIBs.
452283-2 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
Component: Local Traffic Manager
Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.
Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.
Impact:
A connection remains that never expires; its idle time periodically resets to 0.
Workaround:
There is no workaround at this time.
Fix:
Fixed MP_FASTCLOSE handling.
448409-1 : 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
Solution Article: K15491
Component: TMOS
Symptoms:
The commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' cause loss of the sync configuration and initiate a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid without having it take effect.
Conditions:
This affects the ConfigSync communication channel if configured.
Impact:
The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted.
Workaround:
You can avoid this issue by adding the 'merge' option to the 'load sys config from-terminal verify' and 'load sys config file <filename> verify' commands, which keeps the current configuration during the validation step. Once affected by this issue, re-load the full configuration using the following command: tmsh load sys config partitions all.
Fix:
Previously, the commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' did some operations related to sync and provisioning, though they are supposed to check only the validity of the configuration (without changing it). This has been resolved.
447565-5 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Component: Access Policy Manager
Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.
Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.
Impact:
End users will be unable to connect.
Workaround:
Correct the problem by running the following command:
bigstart restart eca
442231-4 : Pendsect log entries have an unexpected severity
Component: TMOS
Symptoms:
Pendsect logs non-errors with a 'warning' severity.
Conditions:
This occurs when pendsect is executed.
Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.
Workaround:
None needed. This is cosmetic.
Fix:
Adjusted severity level of various logs generated by pendsect script, so that informational messages are not logged as warnings.
434821-1 : Remote logging of staged signatures and staged sets
Component: Application Security Manager
Symptoms:
There is no option to see matched staged signatures in the remote logging.
Conditions:
A user has a remote logger configured. There is no configuration option to see the staged signatures.
Impact:
A user without a local logger can't make good decisions about the staged signatures.
Workaround:
Add a local logger.
Fix:
Added staged signature IDs, names, and sets to the remote logger.
434573-6 : Tmsh 'show sys hardware' displays Platform ID instead of platform name
Solution Article: K25051022
Component: TMOS
Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.
For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:
Platform
Name D113
instead of the official platform marketing name, such as:
Platform
Name BIG-IP 10000F
Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.
Impact:
Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID.
Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.
Fix:
Updated Hot Fix Rollups to display the platform name.
433678-2 : A monitor removed from GTM link cannot be deleted: 'monitor is in use'
Solution Article: K32401561
Component: Global Traffic Manager (DNS)
Symptoms:
A monitor removed from GTM link cannot be deleted. Attempting to delete the monitor results in an error message similar to the following: 01070083:3: Monitor /Common/custom_gtm_mon is in use.
Conditions:
Deleting a custom monitor that was formerly used by a GTM link.
1. Create a custom GTM monitor that can be used on a link.
2. Create a GTM link, and add the custom monitor to it.
3. Remove the monitor from the link.
4. Attempt to delete the monitor.
Impact:
Unable to delete monitor.
Workaround:
Reload the GTM config and delete the monitor.
Fix:
This release enables deletion of a monitor removed from GTM link, and no monitor-in-use error message is returned.
433357 : Management NIC speed reported as 'none'
Component: TMOS
Symptoms:
Sometimes, after mcpd restarts, it does not get the management port NIC speed information from chmand, and "tmsh show net interface" shows the speed of the mgmt interface as "none".
Conditions:
The management interface is up, and then mcpd is restarted.
Impact:
"tmsh show net interface" cannot show the correct management speed.
Workaround:
Use "bigstart restart chmand" to restart chmand.
Fix:
Fixed.
431840-3 : Cannot add vlans to whitelist if they contain a hyphen
Component: Advanced Firewall Manager
Symptoms:
When attempting to add a vlan to the DoS protection whitelist and the vlan contains a hyphen, the following validation error is returned:
01071792:3: Vlan should be numeric form as vlan number / mask
Conditions:
Adding a VLAN whose name contains a hyphen to the whitelist.
Impact:
Unable to add VLANs whose names contain a hyphen.
Workaround:
Instead of selecting the VLAN by name, specify the VLAN tag number. Ignore the drop-down menu offering the VLAN names.
424542-5 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
Component: TMOS
Symptoms:
tmsh modify net interface commands with either invalid interface names or invalid attribute names appear to create new interfaces.
An invalid interface shows up in "show net interface".
Conditions:
Only happens on clustered or virtual environments, not on appliances.
Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.
Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"
423629-3 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
Solution Article: K08454006
Component: Local Traffic Manager
Symptoms:
bigd restarts once, and afterwards subsequent pings from the monitor fail.
Conditions:
This can occur when assigning an ICMP monitor to a pool member, and specifying a route domain that does not exist.
Impact:
For bigd, a single restart is harmless. The invalid configuration causes monitor failures: since the route domain no longer exists, the pool member is marked down.
Workaround:
None.
Fix:
bigd no longer cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted.
423392-6 : tcl_platform is no longer in the static:: namespace
Component: Local Traffic Manager
Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as 'set myvar static::tcl_platform'. With recent changes, the variable is in the global namespace, not the static namespace, and should be accessed as '::tcl_platform'.
Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.
Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.
Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.
421797-3 : ePVA continues to accelerate IP Forwarding VS traffic even in Standby
Component: TMOS
Symptoms:
When the active BIG-IP unit in a redundant configuration becomes the standby unit after a failover event, traffic sent to virtual servers with hardware acceleration enabled continues to be accelerated by the ePVA hardware on the original active unit (now the standby unit). These offloaded flows are eventually evicted after the failover switch period (16 seconds by default), and this does not prevent the new active unit (originally the standby unit) from offloading flows to hardware for acceleration. As a result, accelerated traffic can still be observed on the standby unit.
Conditions:
When a failover event happens in a redundant configuration with virtual servers that have hardware acceleration enabled.
Impact:
No performance impact or traffic interruption. You might observe unexpected traffic on the standby unit.
Workaround:
None. This is a cosmetic issue.
Fix:
The standby unit now evicts the accelerated flows from the ePVA hardware after the failover event. This is correct behavior.
419741-3 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
Component: Local Traffic Manager
Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.
Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.
Impact:
In rare situations, the TMM crashes.
Workaround:
None. This occurs rarely, and the system recovers automatically. Although this workaround has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
418349-2 : Update/overwrite of FIPS keys error
Component: TMOS
Symptoms:
After deleting and re-creating a FIPS key, sync to other devices fails and /var/log/ltm gives the following error:
crit tmm[10817]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 78 status: 0x40000116 : ERR_HSM_ERROR
Note that this error is logged on any FIPS-related error; it might be this issue if you were attempting to replace FIPS keys with an identical name on devices in a device group.
Conditions:
This can occur on FIPS-enabled devices in a device group when a FIPS key is deleted and an identically-named FIPS key is added.
Impact:
Sync of the FIPS key fails.
Workaround:
If you are encountering this, you can use the following workaround.
Impact of workaround: this should have no negative impact to the system since your objective is to replace the FIPS keys.
- Detach all keys/certs from all SSL profiles and delete all keys via script on the standby system.
- Run "tmsh show sys crypto fips" and verify that all keys have been deleted.
- Run a configsync with override and verify that the sync has been carried out successfully.
418009 : Hardware data display inaccuracies
Component: TMOS
Symptoms:
Sensor location fields are truncated. The Part Number and PCA titles appear incorrect on some platforms because of the platform-specific nature of the titles.
Conditions:
When displaying the hardware details, you could see problems in the sensor data and in the Hardware Version Information. This appears when running the command 'tmsh show sys hardware'.
Impact:
Missing sensor location data, and inaccurate titles for the hardware characteristics.
Fix:
Fixed the truncation of the sensor location by increasing the size of the data field used to retrieve it, and changed the titles to the generic Part Number and PCA, which apply to all platforms.
412817-3 : BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
Component: TMOS
Symptoms:
The BIG-IP system is unreachable for IPv6 traffic via PCI pass-through interfaces, because current ixgbevf drivers do not support multicast receive.
Conditions:
When configured to receive IPv6 traffic on a PCI pass-through interface, the BIG-IP guest cannot see this traffic.
Impact:
PCI pass-through interfaces are unable to see IPv6 traffic.
Workaround:
None.
Fix:
The BIG-IP system is now reachable for IPv6 traffic via PCI pass-through interfaces, even though current ixgbevf drivers do not support multicast receive.
401815-1 : BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
Component: Service Provider
Symptoms:
The BIG-IP system resets the egress IP ToS to zero (0). As a result of this issue, you may encounter the following symptoms:
-- A packet capture on the affected traffic shows the DSCP value in the DS field is set to zero for SIP packets egressing from the BIG-IP system.
-- Traffic priority failure for SIP traffic egressing from the BIG-IP system, which may also cause voice quality degradation.
Conditions:
This issue occurs when all of the following conditions are met:
-- A virtual server is configured with both a SIP and UDP profile.
-- The IP ToS setting in the UDP profile is set to Pass Through.
The IP ToS setting controls the Differentiated Services Code Point (DSCP) values of the Differentiated Services (DS) field in the IP header. This information is used in Quality of Service (QoS) configurations to give specific traffic priority on the network. By resetting the DSCP values to zero, the SIP traffic egressing from the BIG-IP system does not receive the expected priority while traversing through the network.
Impact:
SIP traffic egressing the BIG-IP system does not receive the expected priority. This issue may cause voice quality degradation.
Workaround:
To work around this issue, you can use the following iRule to preserve the DSCP values when passing through the BIG-IP system:
when CLIENT_ACCEPTED {
    # Capture the IP ToS (DSCP) value of the client-side flow when the connection is accepted.
    set client_tos [IP::tos]
}
when SERVER_CONNECTED {
    # Apply the saved ToS value to the server-side flow so the DSCP marking is preserved on egress.
    IP::tos $client_tos
}
Fix:
The BIG-IP system now propagates the ToS bits from the ingress flow to the egress flow.
400778 : Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
Component: TMOS
Symptoms:
On a VIPRION system, during a failover in which a blade transitions from secondary to primary, log messages make it appear that chmand is trying to delete logical disks on CF1 and HD1.
Conditions:
This occurs on VIPRION systems.
Impact:
The ltm log displays messages such as:
-- err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete
-- err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete
Workaround:
None. These messages are benign and you can safely ignore them.
400550 : LCD listener error during shutdown
Component: TMOS
Symptoms:
During shutdown you see this error message: 012a0004:4: LCD listener write to LCDd exception: Psuedo Terminal: File I/O Error [Bad file descriptor] at PseudoTermDev.cpp:93
Conditions:
This can occur when shutting down a blade on a VIPRION 4400 platform.
Impact:
This occurs on shutdown, is cosmetic, and can be ignored.
393270-1 : Configuration utility may become non-responsive or fail to load.
Component: TMOS
Symptoms:
While performing normal operations in the Configuration utility, the status indicators may become non-responsive or fail to load, the GUI may become very sluggish, you may be unable to load the GUI, or you may be taken to the license activation screen.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Unable to log into the GUI, or the GUI shows a blank page.
Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.
Fix:
Configuration utility now responds as expected when deleting local users (Access Policy :: Local User DB : Manage Users), or under other conditions in which an internal timeout results in GUI non-responsiveness because of an incomplete transaction close.
392121-3 : TMSH Command to retrieve the memory consumption of the bd process
Component: Application Security Manager
Symptoms:
There is no tmsh command to retrieve the memory consumption of the bd process.
Conditions:
tmsh commands don't show bd process memory usage.
Impact:
Difficult to diagnose memory consumption issues.
Workaround:
Review messages individually in /var/log/ts/bd.log.
For the current memory consumption of the ASM bd process, use the following grep command:
cat /ts/log/bd.log | grep "UMU: total"
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0
For XML memory consumption in the bd process, do the following on the BIG-IP system.
WARNING: The following steps enable debug prints to bd.log; this may cause excessive I/O, so handle with care on production systems.
1. Add the following three lines to /etc/ts/bd/logger.cfg:
MODULE=BD_XML;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;
2. Run the CLI tool:
/usr/share/ts/bin/set_active.pl --update_logger_cfg
To stop the debug prints, remove the three lines from logger.cfg and run the CLI tool again.
Fix:
The following command now reports memory consumption of the bd process:
tmctl asm_memory_util_stats
To report only specific fields, use the -s option, for example:
tmctl asm_memory_util_stats -s total_xml_mem_used,total_xml_max_mem
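The "UMU: total" lines quoted in the workaround above are the only memory signal available on releases without the tmctl table. The following added example (not F5 code) parses that line format and summarises bd RSS over a log window against an operator-chosen threshold; the sample log lines are constructed from the format shown above, and rss_limit_mb is an assumed operational limit, not an F5 default.

```python
"""Parse 'UMU: total' lines from the ASM bd process log (bd.log) and
summarise bd memory usage (VM / RSS / SWAP) over a window of samples.

Added example, not F5 code. The line format follows the samples shown
in the workaround above; the sample log content below is constructed.
"""
import re
from typing import Dict, List, Optional

# One named group per counter printed on a UMU line. Sizes are in MB and
# may be padded with spaces inside the parentheses, e.g. "( 0M)".
UMU_RE = re.compile(
    r"UMU: total (?P<total>\d+) \(\s*(?P<total_mb>\d+)M\) "
    r"VM \(\s*(?P<vm_mb>\d+)M\) "
    r"RSS \(\s*(?P<rss_mb>\d+)M\) "
    r"SWAP \(\s*(?P<swap_mb>\d+)M\) "
    r"trans (?P<trans>\d+)"
)


def parse_umu_line(line: str) -> Optional[Dict[str, int]]:
    """Return the counters on a 'UMU: total' line, or None for any other line."""
    m = UMU_RE.search(line)
    if m is None:
        return None
    return {key: int(value) for key, value in m.groupdict().items()}


def summarize_bd_memory(lines: List[str], rss_limit_mb: int) -> Dict[str, object]:
    """Walk bd.log lines and report the RSS trend against rss_limit_mb.

    rss_limit_mb is an assumed operational threshold chosen by the operator.
    """
    samples = [s for s in (parse_umu_line(ln) for ln in lines) if s is not None]
    if not samples:
        return {"samples": 0, "peak_rss_mb": 0, "rss_delta_mb": 0,
                "swap_used": False, "over_limit": False}
    rss = [s["rss_mb"] for s in samples]
    return {
        "samples": len(samples),
        "peak_rss_mb": max(rss),
        # Positive delta across the window is growth worth watching;
        # sustained growth with a rising sample count hints at a leak.
        "rss_delta_mb": rss[-1] - rss[0],
        # bd touching swap is itself a sign that the box is under pressure.
        "swap_used": any(s["swap_mb"] > 0 for s in samples),
        "over_limit": max(rss) > rss_limit_mb,
    }


# Constructed sample of bd.log content: the three UMU lines quoted in the
# workaround above plus an unrelated line that the parser must skip.
SAMPLE_BD_LOG = [
    "UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0",
    "some other bd.log message that is not a UMU sample",
    "UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0",
    "UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0",
]

if __name__ == "__main__":
    # On a real system, read the lines from /var/log/ts/bd.log instead.
    print(summarize_bd_memory(SAMPLE_BD_LOG, rss_limit_mb=512))
```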
389484-6 : OAM reporting Access Server down with JDK version 1.6.0_27 or later
Component: Access Policy Manager
Symptoms:
Cannot connect to Access Server.
When running the eamtest tool to check that OAM and the Access Server are communicating correctly, the following error is seen:
Preparing to connect to Access Server. Please wait.
Access Server you specified is currently down. Please check your Access Server.
oamconfig[2368]: Could not configure OAM
Conditions:
The problem occurs only when the OAM server is installed with JDK version 1.6.0_27 or later.
Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.
Workaround:
Install a JDK version older than v1.6.0_27.
Fix:
Applied the OAM ASDK patch provided by Oracle, so OAM no longer reports the Access Server down with JDK version 1.6.0_27 or later.
386517-1 : Multidomain SSO requires a default pool be configured
Component: Access Policy Manager
Symptoms:
When configuring multidomain SSO, a pool must be assigned to the virtual server, even if one is not being used. A typical symptom of not assigning the pool is that, after logon, the user is redirected back to another logon page.
Conditions:
Any use case of multidomain SSO where there is no pool configured on the virtual servers, and there is not a webtop assigned.
Impact:
There are two known use cases where this is commonly encountered:
1) LTM + Secure Connectivity virtual servers do not usually have a default pool configured.
2) The pool is being configured through an iRule.
Workaround:
When configuring multidomain SSO, always assign a default pool to the virtual server.
Fix:
Some of the logic in ACCESS was updated to consider dynamic pool assignments (e.g., iRules) in addition to the default pool. A default pool is no longer needed for multidomain SSO.
371164-1 : BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs.
Component: Local Traffic Manager
Symptoms:
Because traffic groups are not bound to any specific VLAN or interface, Neighbor Discovery (ND) for link-local addresses goes out on all VLANs. Since the MAC is bound to the traffic group, it is not bound to a particular VLAN either.
Conditions:
Using MAC masquerade addresses on VLANs. TMM creates a new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs.
For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.
Configuration
===========
net self 10.10.10.10%1 {
    address 10.10.10.10%1/23
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan Internal
}
Impact:
Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, some switches might not do so correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4.
Workaround:
Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN.
370131-4 : Loading UCS with low GTM Autoconf Delay drops pool Members from config
Component: Global Traffic Manager (DNS)
Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.
Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.
Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.
Workaround:
Stop gtmd (bigstart stop gtmd) during the UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.
Fix:
Loading UCS with low GTM Autoconf Delay now completes correctly.
366695-1 : Managers can attempt to create/modify/delete GTM datacenters, links, servers, prober-pools, and topology objects from TMSH, and receive a database error when they do
Component: Global Traffic Manager (DNS)
Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.
Conditions:
A user with the "Manager" role attempts to create/modify/delete a GTM datacenter, link, server, prober-pool, or topology object.
Impact:
An error message is thrown.
Workaround:
The error thrown is correct, but users shouldn't be able to get this far in tmsh.
Fix:
Removed Manager's ability to create/modify/delete GTM data centers, links, servers, prober-pools, and topology objects. This was already prevented through validation code, but now TMSH users only have access to view these objects.
355806-7 : Starting mcpd manually at the command line interferes with running mcpd
Component: TMOS
Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.
Conditions:
Having a running mcpd and executing mcpd at the command line.
Impact:
Various issues on the system, such as some utilities may no longer interact with mcpd, etc.
Workaround:
Do not start mcpd directly from the command line.
Fix:
The command now reports the PID of the running mcpd, and the manually executed mcpd exits abnormally.
353229-2 : Buffer overflows in DIAMETER
Solution Article: K54130510
Component: Service Provider
Symptoms:
Under certain conditions, a buffer in TMM may overflow while processing DIAMETER transactions.
Conditions:
Very large DIAMETER attribute-value pairs
Impact:
TMM crash, leading to a failover event
Workaround:
None.
Fix:
Buffer overflows during DIAMETER processing are now prevented.
352957-4 : Route lookup after change in route table on established flow ignores pool members
Solution Article: K03005026
Component: Local Traffic Manager
Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.
Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.
Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.
Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.
Fix:
The nexthop for established flows, set using "nexthop vlan addr" in an iRule for CLIENT_ACCEPTED state, does not change when there are changes in the route table. This is correct behavior.
246726-1 : System continues to process virtual server traffic after disabling virtual address
Solution Article: K8940
Component: Local Traffic Manager
Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.
Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.
Impact:
Traffic is still processed.
Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940
Fix:
When disabling a VIP in LTM the VIP no longer passes traffic. This is correct behavior.
Behavior Change:
When disabling a VIP in LTM the VIP no longer passes traffic.
238444-3 : An L4 ACL has no effect when a layered virtual server is used.
Solution Article: K14219
Component: Access Policy Manager
Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:
-- Unexpected network traffic may be allowed to pass.
-- Expected network traffic may be blocked.
Conditions:
This issue occurs when the following conditions are met:
-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.
Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.
Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.
Fix:
With this fix, an administrator needs to perform the following tasks:
1. Create an iRule similar to the following:
when CLIENT_ACCEPTED {
    ACL::eval
}
2. Attach this iRule to the admin-defined layered virtual servers.
225634-1 : The rate class feature does not honor the Burst Size setting.
Component: Local Traffic Manager
Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).
The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.
Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.
Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.
Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:
Impact of workaround: None.
1. Log in to the Configuration utility.
2. Click Network.
3. Click Rate Shaping.
4. Click the appropriate rate class.
5. Change the Burst Size to 0.
6. Click Update.
222034-4 : HTTP::respond in LB_FAILED with large header/body might result in truncated response
Component: Local Traffic Manager
Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.
Conditions:
This issue occurs when all of the following conditions are met:
-- HTTP::respond is used in the LB_FAILED event to return a large response.
-- No other TCP data has been sent to the client.
Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.
Workaround:
To work around this issue, modify the iRule. For example, instead of directly using HTTP::respond inside an LB_FAILED event, perform a 302 redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.
Known Issues in BIG-IP v12.1.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
708956 | 1-Blocking | During system boots up, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' | |
694897-4 | 1-Blocking | Unsupported Copper SFP can trigger a crash on i4x00 platforms. | |
652223-1 | 1-Blocking | K50325308 | BWC: Non-TCP data going through Category can make policy active |
636774-1 | 1-Blocking | Potential TMM crash credits to BWC token distribution logic | |
603093 | 1-Blocking | AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system | |
538046-2 | 1-Blocking | The iControl response to adding a device to a device trust may time out | |
711683-4 | 2-Critical | bcm56xxd crash with empty trunk in QinQ VLAN | |
710277-2 | 2-Critical | IKEv2 further child_sa validity checks | |
708968-4 | 2-Critical | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address | |
706423-2 | 2-Critical | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption | |
703669-3 | 2-Critical | Eventd restarts on NULL pointer access | |
700386-1 | 2-Critical | mcpd may dump core on startup | |
697424 | 2-Critical | iControl-REST crashes on /example for firewall address-lists | |
696732 | 2-Critical | K54431534 | tmm may crash in a compression provider |
696113-1 | 2-Critical | Extra IPsec reference added per crypto operation overflows connflow refcount | |
693996-3 | 2-Critical | MCPD sync errors and restart after multiple modifications to file object in chassis | |
692158-2 | 2-Critical | iCall and CLI script memory leak when saving configuration | |
691589 | 2-Critical | When using LDAP client auth, tamd may become stuck | |
690819-3 | 2-Critical | Using an iRule module after a 'session lookup' may result in crash | |
690793-2 | 2-Critical | TMM may crash and dump core due to improper connflow tracking | |
689437-2 | 2-Critical | icrd_child cores due to infinite recursion caused by incorrect group name handling | |
688148-1 | 2-Critical | IKEv1 racoon daemon SEGV during phase-two SA list iteration | |
685458-5 | 2-Critical | merged fails merging a table when a table row has incomplete keys defined. | |
681081-3 | 2-Critical | K48366429 | Running tmsh show commands may cause mcpd memory leak |
671314-4 | 2-Critical | K37093335 | BIG-IP system cores when sending SIP SCTP traffic |
667173 | 2-Critical | 13.1.0 cannot join a device group with 13.1.0.1 | |
667114-1 | 2-Critical | K32622880 | TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth. |
665362-4 | 2-Critical | MCPD might crash if the AOM restarts | |
644135 | 2-Critical | K53342451 | 12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics |
626861-2 | 2-Critical | K31220138 | Ensure unique IKEv2 sequence numbers |
613542-2 | 2-Critical | K81463390 | tmm core while running the iRule STATS:: command |
599223-1 | 2-Critical | Prevent static destructors in tmipsecd daemon | |
594366-1 | 2-Critical | K21271097 | Occasional crash of icrd_child when BIG-IP restarts |
581851-2 | 2-Critical | K16234725 | mcpd restarts due to interleaving of messages / folder contexts from primary to secondary blade |
714626-1 | 3-Major | When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect. | |
714187-1 | 3-Major | Changing console Baud-rate to a supported value requires reboot | |
713708-3 | 3-Major | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI | |
712033-1 | 3-Major | When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name | |
711879 | 3-Major | Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor. | |
711249-2 | 3-Major | NAS-IP-Address added to RADIUS packet unexpectedly | |
710841 | 3-Major | 12.1.3.3 feature refinement might be lost after upgrade | |
710602 | 3-Major | iCRD commands requiring 'root' user access fixed | |
710039 | 3-Major | Merging config may not report syslog configuration errors | |
709559-3 | 3-Major | LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name | |
708803 | 3-Major | Remote admin user with misconfigured partition fallback to "All" | |
707740-3 | 3-Major | Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination | |
707445 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
707391-4 | 3-Major | BGP may keep announcing routes after disabling route health injection | |
707320-1 | 3-Major | Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs | |
705037-3 | 3-Major | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart | |
704449-4 | 3-Major | Orphaned tmsh processes might eventually lead to an out-of-memory condition | |
704336-3 | 3-Major | Updating 3rd party device cert not copied correctly to trusted certificate store | |
704282-3 | 3-Major | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy | |
704247-3 | 3-Major | K07356404 | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted |
701900 | 3-Major | K55938217 | DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease. |
701722-2 | 3-Major | Potential mcpd memory leak for signed iRules | |
701387-4 | 3-Major | qkview will not collect files greater than 2 GB | |
701341-2 | 3-Major | K52941103 | If /config/BigDB.dat is empty, mcpd continuously restarts |
700897-3 | 3-Major | sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG | |
700827-2 | 3-Major | B2250 blades may lose efficiency when source ports form an arithmetic sequence. | |
700757-2 | 3-Major | vcmpd may crash when it is exiting | |
700426-2 | 3-Major | K58033284 | Switching partitions while viewing objects in GUI can result in empty list |
700250-1 | 3-Major | K59327012 | qkviews for secondary blade appear to be corrupt |
698947-1 | 3-Major | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. | |
698933-3 | 3-Major | Setting metric-type via ospf redistribute command may not work correctly | |
698844 | 3-Major | LCD splash screen may display incorrect platform name on iSeries appliance | |
698599 | 3-Major | Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems. | |
698597 | 3-Major | BIG-IP fails to go active after cryptographic hardware has recovered from a failure | |
698594 | 3-Major | K53752362 | Cave Creek Crypto hardware reports a false positive of a stuck queue state |
698429-3 | 3-Major | Misleading log error message: Store Read invalid store addr 0x3800, len 10 | |
698038 | 3-Major | K05730807 | TACACS+ system auth file descriptor leaks when servers are unreachable |
698013-4 | 3-Major | K27216452 | TACACS+ system auth and file descriptors leak |
696731-1 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
695090 | 3-Major | In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled | |
694740-1 | 3-Major | BIG-IP reboot during a TMM core results in an incomplete core dump | |
693884-3 | 3-Major | ospfd core on secondary blade during network unstability | |
693563-3 | 3-Major | K22942093 | No warning when LDAP is configured with SSL but with a client certificate with no matching key★ |
692753-3 | 3-Major | shutting down trap not sent when shutdown -r or shutdown -h issued from shell | |
692239-1 | 3-Major | K31554905 | AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds |
692189-3 | 3-Major | errdefsd fails to generate a core file on request. | |
692179-3 | 3-Major | Potential high memory usage from errdefsd. | |
691749-3 | 3-Major | Delete sys connection operations cannot be part of TMSH transactions | |
690890-3 | 3-Major | Running sod manually can cause issues/failover | |
689779 | 3-Major | VE HyperV packet drops under load due to interrupt distribution | |
689567-3 | 3-Major | Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned | |
689002-1 | 3-Major | Stackoverflow when JSON is deeply nested | |
688406-3 | 3-Major | K14513346 | HA-Group Score showing 0 |
687905 | 3-Major | OneConnect profile causes CMP redirected connections on the HA standby | |
687617-3 | 3-Major | DHCP request-options when set to "none" are reset to defaults when loading the config. | |
687534-3 | 3-Major | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page | |
687172 | 3-Major | Pools do not appear as expected after deploying iApp via iWorkflow | |
686926-3 | 3-Major | IPsec: responder N(cookie) in SA_INIT response handled incorrectly | |
686816-3 | 3-Major | Link from iApps Components page to Policy Rules invalid | |
686626-2 | 3-Major | The BIG-IP system may connect to an OCSP server using an unexpected source IP address | |
686124-3 | 3-Major | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs | |
684391-1 | 3-Major | Existing IPsec tunnels reload. tmipsecd creates a core file. | |
684218-3 | 3-Major | vADC 'live-install' Downgrade from v13.1.0 is not possible | |
684096-1 | 3-Major | stats self-link might include the oid twice | |
681782-4 | 3-Major | K30665653 | Unicast IP address can be configured in a failover multicast configuration |
680838-3 | 3-Major | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator | |
679347-3 | 3-Major | ECP does not work for PFS in IKEv2 child SAs | |
679027 | 3-Major | Rare memory corruption in tmrouted while license is being reset | |
678925-4 | 3-Major | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. | |
678380-3 | 3-Major | Deleting an IKEv1 peer in current use could SEGV on race conditions. | |
677928-2 | 3-Major | A wrong source MAC address may be used in the outgoing IPsec encapsulated packets. | |
676897-1 | 3-Major | K25082113 | IPsec keeps failing to reconnect |
676442-2 | 3-Major | K37113440 | Changes to RADIUS remote authentication may not fully sync |
676092-1 | 3-Major | IPsec keeps failing to reconnect | |
675742 | 3-Major | Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores | |
675718-1 | 3-Major | IPsec keeps failing to reconnect | |
675298-1 | 3-Major | F5 MIB value types changed to become RFC compliant | |
674997 | 3-Major | It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system. | |
674957-1 | 3-Major | If a certificate is stored in DER format, exporting it using the GUI corrupts the output. | |
674328-3 | 3-Major | Multicast UDP from BIG-IP may have incorrect checksums | |
673974-1 | 3-Major | K63225596 | agetty auto detects parity on console port incorrectly |
673952 | 3-Major | 1NIC VE in HA device-group shows 'Changes Pending' after reboot | |
673640 | 3-Major | Log messages for virtual server status changes are not immediately logged. | |
671712 | 3-Major | The values returned for the ltmUserStatProfileStat table are incorrect. | |
671553-2 | 3-Major | iCall scripts may make statistics request before the system is ready | |
671447-2 | 3-Major | ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form | |
671372-2 | 3-Major | K01930721 | When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified. |
671261-2 | 3-Major | K32306231 | MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo |
671236-2 | 3-Major | K27343382 | BGP local-as command may not work when applied to peer-group |
671178 | 3-Major | K20274760 | Date/time change after configuring HA may impair configuration sync |
669268 | 3-Major | Failover in the same availability zone of AWS may fail when AWS services are intermittently available. | |
669241-1 | 3-Major | Cannot create stateless virtual servers with ip-protocol set to 'gre'. | |
667476 | 3-Major | Upgrade and config load can fail if a data group record of type string contains a tab character | |
667257-2 | 3-Major | CPU Usage Reaches 100% After Traffic Flowed Into CGNAT | |
667223 | 3-Major | The merge option for the tmsh load sys config command removes existing nested objects | |
667082-2 | 3-Major | K21090061 | Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail. |
666884-2 | 3-Major | K27056204 | cpcfg cannot copy a configuration on a chassis platform★ |
666117-4 | 3-Major | Network failover without a management address causes active-active after unit1 reboot | |
658850 | 3-Major | Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP | |
658036-2 | 3-Major | K04651090 | Honoring negotiated MSS for TCP segmentation |
657912-1 | 3-Major | PIM can be configured to use a floating self IP address | |
657834-2 | 3-Major | K45005512 | Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent |
657727-2 | 3-Major | K39694060 | Running tcpdump from TMSH cannot capture the local "tmm" interface |
653888-2 | 3-Major | BGP advertisement-interval attribute ignored in peer group configuration | |
652877-3 | 3-Major | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades | |
652671-4 | 3-Major | K31326690 | Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. |
651136-2 | 3-Major | K36893451 | ReqLog profile on FTP virtual server with default profile can result in service disruption. |
648873-3 | 3-Major | K93513131 | Traffic-group failover-objects cannot be retrieved via iControl REST |
648621-1 | 3-Major | SCTP: Multihome connections may not expire | |
648316-3 | 3-Major | K10776106 | Flows using DEFLATE decompresion can generate error message during flow tear-down. |
647834-4 | 3-Major | Failover DB variables do not correctly implement 'reset-to-default' | |
647151-1 | 3-Major | CPU overtemp condition threshold is 75C | |
645206-4 | 3-Major | K23105004 | Missing cipher suites in outgoing LDAP TLS ClientHello★ |
644979-2 | 3-Major | Errors not logged from hourly 1k key generation cron job | |
643799-1 | 3-Major | Deleting a partition may cause a sync validation error | |
643459-3 | 3-Major | K81809012 | Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy |
642923-2 | 3-Major | K01951295 | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system |
642422-2 | 3-Major | BFD may not remove dependant static routes when peer sends BFD Admin-Down | |
641582-1 | 3-Major | Rarely, an HSB transmitter failure occurs | |
641543-1 | 3-Major | bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled. | |
641450 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
641001 | 3-Major | BWC: dynamic policy category sees lower bandwidth than expected in Congested policies | |
640054-1 | 3-Major | Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled | |
639774-5 | 3-Major | K30598276 | mysqld.err rollover log files are not collected by qkview |
639575-5 | 3-Major | K63042400 | Using libtar with files larger than 2 GB will create an unusable tarball |
638091-4 | 3-Major | | Config sync after changing named pool members can cause mcpd on secondary blades to restart |
638089-1 | 3-Major | | LACP and CMP state simultaneously fail on A112 and A113 platforms |
637979-1 | 3-Major | | IPsec over iSession not working |
637279 | 3-Major | | Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS. |
633824-2 | 3-Major | K39319200 | Cannot add pool members containing a colon in the node name |
633172 | 3-Major | K12473201 | External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command |
632825-5 | 3-Major | | bcm56xxd crash following 'silent' port-mirror configuration failure |
631046 | 3-Major | | Unable to generate a FIPS key using the GUI |
629834-4 | 3-Major | | istatsd high CPU utilization with large number of entries |
628402-4 | 3-Major | K79213220 | Operator users receive 'can't get object count from mcpd' error in response to certain commands |
627760-3 | 3-Major | | gtm_add operation does not retain same-name DNSSEC keys after synchronizing the FIPS card |
626589-6 | 3-Major | K73230273 | iControl-SOAP prints beyond log buffer |
624626-3 | 3-Major | | Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility |
623488-4 | 3-Major | | Custom adaptive reaper settings may be lost at upgrade time★ |
623371-1 | 3-Major | | After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a closed connection |
623367-1 | 3-Major | K57879554 | When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key. |
623265-4 | 3-Major | K15645547 | UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★ |
621314-6 | 3-Major | K55358710 | SCTP virtual server with mirroring may cause excessive memory use on standby device |
620969-3 | 3-Major | | iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards. |
620954-3 | 3-Major | | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable |
620311-1 | 3-Major | | GUI Failover Unicast Address information incorrect |
619419 | 3-Major | | Workaround for Software Installation Failures in TMUI★ |
618982-1 | 3-Major | | IPsec behavior on a chassis when secondary blades are switched off and on. |
618319-5 | 3-Major | K58255321 | HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked |
617865-1 | 3-Major | | Missing health monitor information for FQDN members |
617643-1 | 3-Major | | iControl.ForceSessions enabled results in GUI error on certain pages |
614493-1 | 3-Major | | BIG-IP reset on ePVA accelerated flow may contain stale TCP window information. |
613509-1 | 3-Major | K49101035 | 2000/4000 platforms reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve |
612083 | 3-Major | | Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors. |
610449-2 | 3-Major | | Restarting mcpd on guest makes block-device-images disappear |
609200-2 | 3-Major | | Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★ |
609186-5 | 3-Major | | TMM or MCP might core while getting connections via iControl. |
606330-4 | 3-Major | | The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family. |
605840-5 | 3-Major | | HSB receive failure lockup due to unreceived loopback packets |
605800-3 | 3-Major | | Web GUI submits changes to multiple pool members as separate transactions |
605270-5 | 3-Major | | On some platforms the SYN-Cookie status report is not accurate |
603772-1 | 3-Major | | Floating tunnels with names longer than 15 characters may cause issues during config-sync. |
602566-5 | 3-Major | | sod daemon may crash during start-up |
602193-4 | 3-Major | | iControl REST call to get certificate fails if |
601414-5 | 3-Major | | Combined use of session and table iRule commands can result in intermittent session lookup failures |
600944-1 | 3-Major | | tmsh does not reset route domain to 0 after cd /Common and loading bash |
599543-3 | 3-Major | | Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile |
598650-1 | 3-Major | | apache-ssl-cert objects do not support certificate bundles |
597818-2 | 3-Major | | Unable to configure IPsec NAT-T to "force" |
597564-3 | 3-Major | | 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items |
596826-5 | 3-Major | | Don't set the mirroring address to a floating self IP address |
596815-1 | 3-Major | | System DNS nameserver and search order configuration does not always sync to peers |
596020-3 | 3-Major | | Devices in a device-group may report out-of-sync after one of the devices is rebooted |
595868-1 | 3-Major | | HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. |
595617-1 | 3-Major | K40420553 | Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA. |
595317-4 | 3-Major | | Forwarding address for Type 7 in OSPFv3 is not updated in the database |
593845-3 | 3-Major | K24093205 | VE interface limit |
593361-1 | 3-Major | | Malformed MAC for inner packet with dummy MAC for NSH with VXLAN-GPE. |
591305 | 3-Major | | Audit log messages with "user unknown" appear on install |
589856-2 | 3-Major | | iControl REST: possible to get duplicate transaction IDs when transactions are created by multiple clients |
588929-2 | 3-Major | | SCTP emits 'address conflict detected' log messages during failover |
588794-2 | 3-Major | | Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements |
588771-2 | 3-Major | | SCTP needs traffic-group validation for server-side client alternate addresses |
588646-1 | 3-Major | | Use of standard access list remarks in imish may cause later entries to fail on add |
588028-1 | 3-Major | | Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up |
587821-5 | 3-Major | K91818030 | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. |
586938-1 | 3-Major | K57360106 | Standby device will respond to the ARP of the SCTP multihoming alternate address |
584041 | 3-Major | | If a forward slash '/' is used in the description field, the admin user will be demoted to guest. |
580602-1 | 3-Major | | Configuration containing LTM nodes with IPv6 link-local addresses fails to load. |
580499-2 | 3-Major | K34082034 | Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled. |
579035-5 | 3-Major | K46145454 | Config sync error when a key with passphrase is converted into FIPS. |
575919-2 | 3-Major | | Running concurrent TMSH instances can result in an error accessing the history file |
575372 | 3-Major | | BIG-IQ Discovery may fail due to an invalid passphrase. |
575368-5 | 3-Major | | Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card |
571333-8 | 3-Major | K36155089 | fastL4 TCP handshake timeout not honored for offloaded flows |
569968 | 3-Major | | snmpd core during startup |
569331-3 | 3-Major | | Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP |
569281-6 | 3-Major | K33242855 | L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot |
567490-2 | 3-Major | | db.proxy.__iter__ value is overwritten if it's manually set |
563905-2 | 3-Major | K62975642 | vCMP guest fails to go Active after the host system is rebooted |
544568-5 | 3-Major | | Flows for a FastL4 profile that are forwarded may now be accelerated. |
535122-8 | 3-Major | | [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects |
528295-7 | 3-Major | K40735404 | Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later. |
525580-1 | 3-Major | K51013874 | tmsh load sys config merge file filename.scf base command does not work as expected |
524193-5 | 3-Major | | Multiple source addresses are not allowed on a TMSH SNMP community |
524123-1 | 3-Major | | iRule ISTATS::remove does not work |
523797-2 | 3-Major | | Upgrade: file path failure for process name attribute in snmp.★ |
516167-2 | 3-Major | K21382264 | TMSH listing with wildcards prevents the child object from being displayed |
509497-1 | 3-Major | | vCMP guests on a specific host may be restarted when that host system experiences large date/time changes |
499348-5 | 3-Major | | System statistics may fail to update, or report negative deltas, due to delayed stats merging |
489499-3 | 3-Major | | chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd |
469366-3 | 3-Major | K16237 | ConfigSync might fail with modified system-supplied profiles |
464650-4 | 3-Major | | Failure of mcpd with invalid authentication context. |
455066-2 | 3-Major | | Read-only account can save system config |
438574-1 | 3-Major | | Web UI: iSession Profile properties page displays incorrect parent profile name. |
375434-6 | 3-Major | | HSB lockup might occur when TMM tries unsuccessfully to reset HSB. |
247527-2 | 3-Major | K14890 | Mgmt interface cannot be disabled via tmsh |
224665-2 | 3-Major | K12711 | Proxy Exclusion List setting is not aware of administrative partitions |
713183 | 4-Minor | | Malformed JSON files may be present on vCMP host |
713138 | 4-Minor | | TMUI ILX Editor inserts an unnecessary linefeed |
713134-3 | 4-Minor | | Small tmctl memory leak when viewing stats for snapshot files |
710410-1 | 4-Minor | | TMM hardware accelerated compression not registering for all compression levels. |
708415 | 4-Minor | | Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled |
706106-1 | 4-Minor | | PUT request sent to ltm/virtual failed because of ip-protocol property value any |
703509-1 | 4-Minor | | Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled |
702615-1 | 4-Minor | | During reboot to another volume, the GUI login page becomes prematurely available★ |
698991 | 4-Minor | K64258832 | CPU utilization on i850 is not a reliable indicator of system capacity |
697766-3 | 4-Minor | K12431303 | Cisco IOS XR ISIS routers may report 'Authentication TLV not found' |
697605 | 4-Minor | | tmrouted connection closed messages logged on shutdown |
696363 | 4-Minor | | Unable to create SNMP trap in the GUI |
692172-2 | 4-Minor | | rewrite profile causes "No available pool member" failures when connection limit reached |
692165-2 | 4-Minor | | A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token |
691491-3 | 4-Minor | K13841403 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces |
690781 | 4-Minor | | VIPRION systems with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests |
689211-2 | 4-Minor | | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } |
689147-1 | 4-Minor | | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups |
687343-3 | 4-Minor | | Running 'load sys config merge verify' will add new users to the PostgreSQL database |
685582-5 | 4-Minor | | Incorrect output of b64 unit key hash by command f5mku -f |
685475-3 | 4-Minor | K93145012 | Unexpected error when applying hotfix |
685233-2 | 4-Minor | K13125441 | tmctl -d blade command does not work in an SNMP custom MIB |
683029-2 | 4-Minor | | Sync of virtual address and self IP traffic groups only happens in one direction |
680856-3 | 4-Minor | | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector |
678388-3 | 4-Minor | K00050055 | IKEv1 racoon daemon is not restarted when killed multiple times |
678254-2 | 4-Minor | | Error logged when restarting Tomcat |
678117-1 | 4-Minor | | 'Can't create a home directory' logged for remote users on secondary blades after configsync |
675368-2 | 4-Minor | | Unable to reorder rules when one of the rule names contains % or / |
674145-3 | 4-Minor | | chmand error log message missing data |
673573 | 4-Minor | | tmsh logs boost assertion when running child process and reaches idle-timeout |
671044-3 | 4-Minor | K78612407 | FIPS certificate creation can cause failover to standby system |
671025 | 4-Minor | | File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured |
670691 | 4-Minor | K02331705 | Unable to list ntlm profile in different root folder or partition |
668964-2 | 4-Minor | K81873940 | 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group |
663911-2 | 4-Minor | | When running out of memory, MCP can report an incorrect allocation size |
662372-1 | 4-Minor | K41250179 | Uploading a new device certificate file via the GUI might not update the device certificate |
660760-1 | 4-Minor | K75105750 | DNS graphs fail to display in the GUI |
658298-3 | 4-Minor | | SMB monitor marks node down when file not specified |
655484-1 | 4-Minor | K69912019 | GUI LTM Pool Statistics Page running out of memory with large number of Pools |
650019-2 | 4-Minor | | The commented-out sample functions in audit_forwarder.tcl are incorrect |
647812-3 | 4-Minor | | /tmp/wccp.log file grows unbounded |
640863-2 | 4-Minor | K29231946 | Disabling partition selector in DNS Resolver's Forward Zones |
640489 | 4-Minor | K53571714 | iSeries LCD alerts screen returns to splash screen intermittently |
638960-2 | 4-Minor | | A subset of the BIG-IP default profiles can be incorrectly deleted |
638893-1 | 4-Minor | | Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command |
636823-3 | 4-Minor | | Node name and node address |
636164 | 4-Minor | | Remote IP not working in IE 8 |
636163 | 4-Minor | | Certificate Key Chain not working in IE 8 |
636031-4 | 4-Minor | K23313837 | GUI LTM Monitor Configuration String adding CR for type Oracle |
634014 | 4-Minor | | Absolute timers may fire one second early during the leap second event |
633495 | 4-Minor | | Cannot switch between partitions in Local Traffic :: Policies |
631334-4 | 4-Minor | | TMSH does not preserve \? for config save/load operations |
630795-1 | 4-Minor | | No guestagentd entry in merged.conf |
626279-1 | 4-Minor | | After reboot LCD reports "unit going standby" even if it has gone active. |
625428-1 | 4-Minor | | SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit |
624909-2 | 4-Minor | | Static route create validation is less stringent than static route delete validation |
624484-2 | 4-Minor | K09023677 | Timestamps not available in bash history on non-login interactive shells |
623536-2 | 4-Minor | | SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent |
623313 | 4-Minor | | After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.★ |
619706-1 | 4-Minor | | tmsh appears to allow password change for internal lcd admin user |
618889-1 | 4-Minor | | Clicking the policies list tab does not refresh the policies list. |
611054-1 | 4-Minor | | Network failover "enable" setting is sometimes ignored on chassis systems |
608348-4 | 4-Minor | | Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system |
606799-1 | 4-Minor | K16703796 | GUI total number of records not correctly initialized with search string on several pages. |
605891-3 | 4-Minor | | Enable ASM option disappears from L7 policy actions |
598289-4 | 4-Minor | | TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port> |
591732-2 | 4-Minor | | Local password policy not enforced when auth source is set to a remote type. |
590415-1 | 4-Minor | | Partition can be removed when remote role info entries refer to it |
589862-6 | 4-Minor | | HA Group percent-up display value is truncated, not rounded |
587804-1 | 4-Minor | | Symmetric Unit Key decrypt failure on base load |
586348-1 | 4-Minor | | Network Map Pool Member Parent Node Name display and Pool Member hyperlink |
584788-1 | 4-Minor | | Directed failover of HA pair using only hardwire failover will fail |
584504-2 | 4-Minor | K36912228 | Allowing non-English characters on login screen |
583777-5 | 4-Minor | K33230520 | [TMSH] sys crypto cert missing tab completion function |
583084-5 | 4-Minor | K15101680 | iControl produces 404 error while creating records successfully |
582595-2 | 4-Minor | K52029952 | default-node-monitor is reset to none for HA configuration. |
582127-1 | 4-Minor | K55138704 | VE OVA logrotate max-file-size too big for /var/log partition size |
581865-2 | 4-Minor | K11053914 | 6900, 8900, 8950, or 11050 platforms missing swap storage★ |
573031-1 | 4-Minor | | qkview may not collect certain configuration files in their entirety |
571727-1 | 4-Minor | K52707821 | 'force-full-load-push' is not tab expandable |
571017-1 | 4-Minor | | Extra log messages seen on optics removal. |
565755 | 4-Minor | | Dashboard does not work when custom port is used for management port. |
520877-1 | 4-Minor | | Alerts sent by the lcdwarn utility are not shown in tmsh |
514703-1 | 4-Minor | | gtm listener cannot be listed across partitions |
501258-2 | 4-Minor | | Unable to modify 'gtm region region-members' via iControl REST |
479471-1 | 4-Minor | K00342205 | CPU statistics reported by the tmstat command may spike or go negative |
479262-4 | 4-Minor | | 'readPowerSupplyRegister error' in LTM log |
476544-2 | 4-Minor | | mcpd core during sync |
436116-1 | 4-Minor | K43726131 | The tcpdump utility may fail to capture packets |
713519-3 | 5-Cosmetic | | Enabling MCP Audit logging does not produce log entry for audit logging change |
679431-3 | 5-Cosmetic | | In routing module the 'sh ipv6 interface <interface> brief' command may not show header |
676395-1 | 5-Cosmetic | | Syslog messages seen with error code while viewing SSL certificate detail with debug turned on. |
653273 | 5-Cosmetic | | "Unexpected Error" showing traffic-selector default-traffic-selector |
651826-2 | 5-Cosmetic | | SPI fields of IPsec ike-sa: byte order of displayed numbers rendered incorrectly |
633568 | 5-Cosmetic | | Pool statistics page doesn't show all pool members in IE8 with compatibility view |
617578-2 | 5-Cosmetic | | Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware |
617161-1 | 5-Cosmetic | | Cosmetic: duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers. |
603092-5 | 5-Cosmetic | | "displayservicenames" does not apply to show ltm pool members |
602390-2 | 5-Cosmetic | K87506901 | Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI. |
590399-1 | 5-Cosmetic | K11304001 | Unnecessary logging during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'. |
571634-1 | 5-Cosmetic | | tmstat CPU values can be incorrect |
570013 | 5-Cosmetic | | TCP Analytics Profile section in virtual server UI has erroneous caption |
542347-2 | 5-Cosmetic | | Denied message in audit log on first time boot |
396273-2 | 5-Cosmetic | | Error message in dmesg and kern.log: vpd r/w failed |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
709334-2 | 2-Critical | | Memory leak when SSL Forward Proxy is used and SSL renegotiates |
708114-3 | 2-Critical | | TMM may crash when processing the handshake message relating to OCSP after the SSL connection is closed |
707447-2 | 2-Critical | | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. |
707207-2 | 2-Critical | | iRulesLX returning undefined value may cause TMM restart |
703914-1 | 2-Critical | | TMM SIGSEGV crash in poolmbr_conn_dec. |
697259-1 | 2-Critical | | Different versioned vCMP guests on the same chassis may crash. |
694656-3 | 2-Critical | | Routing changes may cause TMM to restart |
686685-1 | 2-Critical | | LTM Policy internal compilation error |
683631-1 | 2-Critical | | TMM crashes during stress test |
683454 | 2-Critical | K99294671 | HTTP::header command may crash TMM on an erroneous argument |
676721-2 | 2-Critical | K33325265 | Missing check for NULL condition causes tmm crash. |
674004-1 | 2-Critical | K34448924 | tmm may crash after deleting pool member in traffic |
673095 | 2-Critical | | Loading UCS with QinQ VLANs fails: 'Can't free vlan entry, can't find vlan with oid' |
670893-1 | 2-Critical | | Sensitive monitor parameters recorded in monitor logs |
670804-2 | 2-Critical | K03163260 | Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP |
666401-2 | 2-Critical | K03294104 | Memory might become corrupted when a Standby device transitions to Active during failover |
663178-1 | 2-Critical | | tmm may sometimes crash when using VPN |
662296-1 | 2-Critical | | Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address |
659709-1 | 2-Critical | K80024155 | Memory leak under rare conditions |
656898-2 | 2-Critical | | "oops" "bad transition" messages occur |
652523 | 2-Critical | | TMM may restart while processing timers |
641869-1 | 2-Critical | K62744980 | Assertion "vmem_hashlist_remove not found" failed. |
634369-2 | 2-Critical | | bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes |
618463-2 | 2-Critical | | Artificially low route MTU can cause SIGSEGV core from monitor traffic |
618106-1 | 2-Critical | K74714343 | bigd core due to memory leak, especially with FQDN nodes |
615303-2 | 2-Critical | K47381511 | bigd crash with Tcl monitors |
613524-3 | 2-Critical | | TMM crash when HTTP::respond is called twice in LB_FAILED |
606035-1 | 2-Critical | | csyncd crash |
603690-2 | 2-Critical | K82210057 | CPU Saver option not working while the 'latency' compression provider selection algorithm is in use. |
586862-2 | 2-Critical | K30859144 | Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. |
586587-1 | 2-Critical | | RatePaceMaxRate functionality does not work for TCP flows where the round-trip time (RTT) is less than 6 ms. |
513310-1 | 2-Critical | | TMM might core when a profile is changed. |
440620-2 | 2-Critical | | New connections may be reset when a client reuses the same port as it used for a recently closed connection |
714503-3 | 3-Major | | When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl |
714495-3 | 3-Major | | When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl" |
714384-5 | 3-Major | | DHCP traffic may not be forwarded when BWC is configured |
713951-3 | 3-Major | | tmm core files produced by nitrox_diag may be missing data |
713934-4 | 3-Major | | Using iRule "DNS::question name" to shorten the name in DNS_REQUEST may result in a malformed TC response |
713388 | 3-Major | | SSL handshake fails for OCSP + TLS False Start + SSL hardware acceleration |
712664-4 | 3-Major | | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP-disabled virtual-address |
712475-1 | 3-Major | | DNS zones without servers will prevent DNS Express reading zone data |
712437-1 | 3-Major | K20355559 | Records containing hyphens (-) will prevent child zone from loading correctly |
711281-3 | 3-Major | | nitrox_diag may run out of space on /shared |
710996-1 | 3-Major | | VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP |
710564-3 | 3-Major | | DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask != 0 |
710493 | 3-Major | | Nitrox PX recovery failure will not retry as designed. |
709963-4 | 3-Major | | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. |
709837-3 | 3-Major | | Cookie persistence profile may be configured with invalid parameter combination. |
707951 | 3-Major | | Stalled mirrored flows on HA next-active when OneConnect and a SNAT pool are used. |
707691-2 | 3-Major | | BIG-IP handles some pathmtu messages incorrectly |
706505 | 3-Major | | iRule table lookup command may crash tmm when used in FLOW_INIT |
706102-3 | 3-Major | | SMTP monitor does not handle all multi-line banner use cases |
704764-2 | 3-Major | | SASP monitor marks members down with non-default route domains |
704450-2 | 3-Major | | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration |
703580 | 3-Major | | TLS 1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. |
702450-4 | 3-Major | | The validation error message generated by deleting certain object types referenced by a policy action is incorrect |
702439-3 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
702151-2 | 3-Major | | HTTP/2 can garble large headers |
701690-3 | 3-Major | K53819652 | Fragmented ICMP forwarded with incorrect icmp checksum |
701678-1 | 3-Major | | Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded |
701033-1 | 3-Major | | Tcl actions not run if conditions have overlapping IP ranges |
700889-2 | 3-Major | K07330445 | Software syncookies without TCP TS improperly include TCP options that are not encoded |
700639 | 3-Major | | The default value for the syncookie threshold is not set to the correct value |
700061-3 | 3-Major | | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file |
700057-3 | 3-Major | | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved |
698916-3 | 3-Major | | TMM crash with HTTP/2 under specific condition |
698379-3 | 3-Major | K61238215 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( |
698211-3 | 3-Major | K35504512 | DNS express response to non-existent record is NOERROR instead of NXDOMAIN. |
695925-3 | 3-Major | | tmm crash when showing connections for a CMP-disabled virtual server |
695707-3 | 3-Major | | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection |
695109-3 | 3-Major | K15047377 | Changes to fallback persistence profiles attached to a Virtual server are not effective |
694697-3 | 3-Major | K62065305 | clusterd logs heartbeat check messages at log level info |
693910-2 | 3-Major | | Traffic interruption for MAC addresses learned on interfaces that enter blocked STP state (2000/4000/i2800/i4800 series) |
693838 | 3-Major | | Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors |
693582-3 | 3-Major | | Monitor node log not rotated for icmp monitor types |
691992 | 3-Major | | MSTP: CIST bridge priority changes after adjusting the MSTI priority. |
691806-3 | 3-Major | | RFC 793 behavior when receiving FIN/ACK in SYN-RECEIVED state |
691785-3 | 3-Major | | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes |
690778-3 | 3-Major | K53531153 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule |
690316 | 3-Major | | Software syncookies are sent for FastL4 virtual server with software syncookies disabled |
689361-3 | 3-Major | | Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor) |
688629-3 | 3-Major | | Deleting data-group in use by iRule does not trigger validation error |
688570-3 | 3-Major | | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes |
688553-1 | 3-Major | | SASP GWM monitor may not mark member UP as expected |
687807-3 | 3-Major | | The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/ causes a GUI exception |
687044-2 | 3-Major | | tcp-half-open monitors might mark a node up in error |
686563-3 | 3-Major | | WMI monitor on invalid node never transitions to DOWN |
686547-3 | 3-Major | | WMI monitor sends logging data for credentials when no credentials specified |
686101-3 | 3-Major | K73346501 | Creating a pool with a new node always assigns the partition of the pool to that node. |
685615-5 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
685519-3 | 3-Major | | Mirrored connections ignore the handshake timeout |
683706-1 | 3-Major | | Pool member status remains 'checking' when manually forced down at creation |
683061-2 | 3-Major | | Rapid creation/update/deletion of the same external datagroup may cause core |
681757-1 | 3-Major | K32521651 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' |
681673-2 | 3-Major | | tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results |
680264 | 3-Major | K18653445 | HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags |
679613-2 | 3-Major | K23531420 | i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1' |
678872-2 | 3-Major | | Inconsistent behavior for virtual-address and selfip on the same ip-address |
678450-3 | 3-Major | | No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve. |
678066 | 3-Major | | LTM Policy Tcl-enabled values require 'tcl:' prefix★ |
677666-3 | 3-Major | K60909141 | /var/tmstat/blades/scripts segment grows in size. |
677525-3 | 3-Major | K06831814 | Translucent VLAN group may use unexpected source MAC address |
677442 | 3-Major | | Bulk crypto processing for SSL traffic may crash the traffic daemon in rare cases. |
676914-1 | 3-Major | | The SSL Session Cache can grow indefinitely if the traffic group is changed. |
676828-2 | 3-Major | K09012436 | Host IPv6 traffic is generated even when ipv6.enabled is false |
676643 | 3-Major | | FTP passive monitor uses IP address from PASV (not monitor destination) |
676355-2 | 3-Major | | DTLS retransmission does not comply with RFC in certain resumed SSL sessions |
674459 | 3-Major | | Users are not expected to change security.commoncriteria DB variable through TMSH |
673052-2 | 3-Major | | On i-Series platforms, HTTP/2 is limited to 10 streams |
672852 | 3-Major | | FIPS card cannot be initialized |
672312-2 | 3-Major | | IP ToS may not be forwarded to serverside with syncookie activated |
672240 | 3-Major | K50091255 | iRuleLX (v1) plugins may cause TMM to core if originating flow is terminated before plugin work is complete |
671999-2 | 3-Major | | Re-extract the Thales software every time the installation script is run |
671337-1 | 3-Major | | NetHSM DNSSEC key creation can attempt to change the SELinux label on a file |
670520-3 | 3-Major | | FastL4 not sending keepalive at proper interval when other side gets response |
670258-2 | 3-Major | | Multicast pings not forwarded by TMM |
668196-2 | 3-Major | | Connection limit continues to be enforced with least-connections and pool member flap, member remains down |
668006-1 | 3-Major | K12015701 | Suspended 'after' command leads to assertion if there are multiple pending events |
667707-2 | 3-Major | | LTM Policy validation error causes config sync failure |
666889-1 | 3-Major | K25769531 | Deleting virtual server may cause tmm to segfault |
666595-2 | 3-Major | | Monitor node log fd leak by bigd instances not actively monitoring node |
666127-1 | 3-Major | | Flows are incorrectly processed on a standby system. |
664000 | 3-Major | | TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing |
662816-2 | 3-Major | K61902543 | Monitor node log fd leak for certain monitor types |
660807 | 3-Major | | Clientside command with parking command crashes TMM |
659519 | 3-Major | K42400554 | Non-default header-table-size setting on HTTP2 profiles may cause issues |
657883-2 | 3-Major | K34442339 | tmm cache resolver should not cache response with TTL=0 |
657626-2 | 3-Major | | User with role 'Manager' cannot delete/publish LTM policy. |
655767-3 | 3-Major | | MCPD does not prevent deleting an iRule that contains in-use procedures |
655724-3 | 3-Major | K15695 | MSRDP persistence does not work across route domains. |
654981-2 | 3-Major | | Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if it has no action |
653930-2 | 3-Major | K69713140 | Monitor with description containing backslash may fail to load. |
653228-2 | 3-Major | K34312110 | SNAT does not work properly on FTP VIP2VIP |
653137-1 | 3-Major | | Virtual flaps when FQDN node and pool configured with autopopulate |
652370-1 | 3-Major | | The persist cookie insert iRule command may leak memory |
651889-2 | 3-Major | | persist record may be inconsistent after a virtual hits rate limit |
651541-2 | 3-Major | K83955631 | Changes to the HTTP profile do not trigger validation for virtual servers using that profile |
649897 | 3-Major | | Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown. |
647071-2 | 3-Major | | Stats for SNATs do not work when configured in a non-zero route domain |
646440 | 3-Major | K52140275 | TMSH allows mirror for persistence even when no mirroring configuration exists |
645635-2 | 3-Major | | sFlow may use 0.0.0.0 as Agent Address in 2-core vCMP guests |
643860-4 | 3-Major | | Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not start up properly |
643041-4 | 3-Major | K64451315 | Less than optimal interaction between OneConnect and proxy MSS |
642786-3 | 3-Major | K01833444 | TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'. |
640395-1 | 3-Major | | When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly |
637613-3 | 3-Major | K24133500 | Cluster blade being disabled immediately returns to enabled/green |
636289-2 | 3-Major | | Fixed a memory issue while handling TCP::congestion iRule |
635173-1 | 3-Major | | Standby BIG-IP TMM uses unexpectedly large amount of memory |
633691-4 | 3-Major | | HTTP transaction may not finish gracefully because TCP connection is closed by RST |
633464-2 | 3-Major | | Content-Length header is not passed on to the client when HTTP/2 profile is attached to virtual. |
633110-2 | 3-Major | K09293022 | Literal tab character in monitor send/receive string causes config load failure, unknown property |
632824-1 | 3-Major | K00722715 | SSL TPS limit can be reached if the system clock is adjusted |
632604-1 | 3-Major | | SSL::sessionid iRule command returns incorrect result |
632553-2 | 3-Major | K14947100 | DHCP: OFFER packets from server are intermittently dropped |
630257-1 | 3-Major | | Monitor send/receive strings cannot end with trailing single backslash★ |
625166-1 | 3-Major | | Suspended iRules cannot complete on aborted flows |
624917 | 3-Major | | First few handshakes fail after chassis/appliance reboot when using HSM |
624846-1 | 3-Major | | TCP Fast Open does not work for responses < 1 MSS |
624044-1 | 3-Major | K42806722 | LTM Monitor custom recv/send/recv-disable parameters that have a backslash at the end may fail to load★ |
623084-2 | 3-Major | | mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★ |
622870 | 3-Major | When using a Thales key, SSL handshake failed after restarting pkcs11d | |
620556-1 | 3-Major | Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule | |
620053-1 | 3-Major | Gratuitous ARPs may be transmitted by active unit going offline | |
618131-1 | 3-Major | Latency for Thales key population to the secondary slot after reboot | |
618104-1 | 3-Major | Connection Using TCP::collect iRule May Not Close | |
613618-1 | 3-Major | The TMM crashes in the websso plugin. | |
613483-2 | 3-Major | K18133264 | Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec. |
611652-3 | 3-Major | iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command. | |
611482-4 | 3-Major | Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) . | |
610682-2 | 3-Major | LTM Policy action to reset connection only works for requests | |
607410-1 | 3-Major | K81239824 | In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible |
607166-1 | 3-Major | Hidden directories and files are not synchronized to secondary blades | |
605175-1 | 3-Major | Backslashes in monitor send and receive strings | |
604838-1 | 3-Major | TCP Analytics reports incorrectly reports entities as "Aggregated" | |
601189-2 | 3-Major | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | |
599567 | 3-Major | APM assumes snat automap, does not use snat pool | |
598707-4 | 3-Major | Path MTU does not work in self-IP flows | |
598204-3 | 3-Major | K54284420 | In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK. |
597253-1 | 3-Major | HTTP::respond tcl command may incorrectly identify parameters as ifiles | |
596278 | 3-Major | ILX workspace created by iApp made from template not deleted when iApp deleted | |
595921-1 | 3-Major | VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses. | |
595281-1 | 3-Major | TCP Analytics reports huge goodput numbers | |
594751-3 | 3-Major | K90535529 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN |
590156-3 | 3-Major | Connections to an APM virtual server may be reset and fail on appliance and VE platforms. | |
586660-1 | 3-Major | HTTP/2 and RAM Cache are not compatible. | |
586621-5 | 3-Major | K36008344 | SQL monitors 'count' config value does not work as expected. |
584948-5 | 3-Major | Safenet HSM integration failing after it completes. | |
584414 | 3-Major | Deleting persistence-records via tmsh may result in persistence being created to different nodes | |
582331-1 | 3-Major | Maximum connections is not accurate when TMM load is uneven | |
582234-6 | 3-Major | When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again. | |
582207-7 | 3-Major | MSS may exceed MTU when using HW syncookies | |
579252-3 | 3-Major | Traffic can be directed to a less specific virtual during virtual modification | |
578971-3 | 3-Major | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed | |
575642-1 | 3-Major | rst_cause of "Internal error" | |
572234-2 | 3-Major | When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. | |
572142-2 | 3-Major | Config sync peer may fail to monitor newly added pool member after it is added via sync | |
570277-1 | 3-Major | K16044231 | SafeNet client not able to establish session to all HSMs on all blades. |
557322-1 | 3-Major | Sensitive monitor parameters recorded in bigd and monitor logs | |
542104-2 | 3-Major | K33458192 | In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades. |
537209-5 | 3-Major | Fastl4 profile sends RST packet when idle timeout value set to 'immediate' | |
516280-4 | 3-Major | bigd process uses a large percentage of CPU | |
510395-5 | 3-Major | K17485 | Disabling some events while in the event, then running some commands can cause tmm to core. |
499404-7 | 3-Major | K15457342 | FastL4 does not honor the MSS override value in the FastL4 profile with syncookies |
495443-10 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
486735-5 | 3-Major | Maximum connections is not accurate when TMM load is uneven | |
441079-2 | 3-Major | K55242686 | BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved |
433572-4 | 3-Major | DTLS does not work with rfcdtls cipher on the B2250 blade | |
431480-1 | 3-Major | Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message | |
405898-2 | 3-Major | If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected | |
374067-7 | 3-Major | K14098 | Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections |
369640-1 | 3-Major | K17195 | Folder path objects in iRules can have only a single context per script |
367226-4 | 3-Major | Outgoing RIP advertisements may have incorrect source port | |
251162-3 | 3-Major | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name | |
248914-4 | 3-Major | K00612197 | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address |
713533-3 | 4-Minor | list self-ip with queries does not work | |
708249-4 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | |
700433-2 | 4-Minor | K10870739 | Memory leak when attaching an LTM policy to a virtual server |
699426-3 | 4-Minor | RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster. | |
699076-3 | 4-Minor | URI::path iRules command warns end and start values equal | |
697626 | 4-Minor | iRules LX: Cannot modify workspace imported by "Import From Workspace" | |
689231 | 4-Minor | MSSQL filter assumes 64-bit token done row count field | |
688557-3 | 4-Minor | K50462482 | Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' |
688542-1 | 4-Minor | SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request | |
685467-2 | 4-Minor | K12933087 | Certain header manipulations in HTTP profile may result in losing connection. |
684319-2 | 4-Minor | iRule execution logging | |
680680-2 | 4-Minor | The POP3 monitor used to send STAT command on v10.x, but now sends LIST command | |
677270-2 | 4-Minor | K76116244 | Trailing comments in iRules are removed from the config when entered/loaded in TMSH |
675911 | 4-Minor | K13272442 | Dashboard CPU history file may contain incorrect values |
665777 | 4-Minor | TMM0 on the secondary blade sends out extra ARP replies | |
662905 | 4-Minor | Rate class configured at very low rate (under packet size per second) cannot pass traffic. | |
652577-2 | 4-Minor | Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address | |
651005-3 | 4-Minor | FTP data connection may use incorrect auto-lasthop settings. | |
646495-2 | 4-Minor | BIG-IP may send oversized TCP segments on traffic it originates | |
645729-1 | 4-Minor | SSL connection is not mirrored if ssl session cache is cleared and resume attempted | |
640704 | 4-Minor | K20418658 | A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses★ |
636348-3 | 4-Minor | BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset. | |
635871-1 | 4-Minor | tmsh validation of hash persistence timeout setting is incorrect | |
632901-1 | 4-Minor | K03112333 | JET documentation incorrect for RESOLV::lookup |
628016-2 | 4-Minor | MP_JOIN always fails if MPTCP never receives payload data | |
627764-2 | 4-Minor | Prevent sending a 2nd RST for a TCP connection | |
627695-2 | 4-Minor | [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational | |
622876-1 | 4-Minor | Certificate serial number is not displayed properly in OCSP Stapling logs. | |
622148-5 | 4-Minor | flow generated icmp error message need to consider which side of the proxy they are | |
621843-1 | 4-Minor | the ipother proxy is sending icmp error messages to the wrong side | |
621379-2 | 4-Minor | TCP Lossfilter not enforced after iRule changes TCP settings | |
618884-1 | 4-Minor | Behavior when using VLAN-Group and STP | |
618024-2 | 4-Minor | software switched platforms accept traffic on lacp trunks even when the trunk is down | |
604272-1 | 4-Minor | SMTPS profile connections_current stat does not reflect actual connection count. | |
603380-6 | 4-Minor | Very large number of log messages in /var/log/ltm with ICMP unreachable packets. | |
602708-2 | 4-Minor | K84837413 | Traffic may not passthrough CoS by default |
599048-1 | 4-Minor | BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option | |
594547 | 4-Minor | LTM policy TCP address selector offers only "match any of" condition | |
594064-2 | 4-Minor | K57004151 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
593396-5 | 4-Minor | Stateless virtual servers may not work correctly with route pools or ECMP routes | |
592620-1 | 4-Minor | iRule validation does not catch incorrect 'after' syntax | |
586138-1 | 4-Minor | K84112154 | Inconsistent display of route-domain information in administrative partitions. |
584772 | 4-Minor | ssldump may crash when decrypting bad records | |
564634-5 | 4-Minor | Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool | |
552988-2 | 4-Minor | Cannot enable MPTCP on some profiles in GUI. | |
539026-5 | 4-Minor | Stats refinements for reporting Unhandled Query Actions :: Drops | |
523814-2 | 4-Minor | When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections | |
522302-2 | 4-Minor | TCP Receive Window error messages are inconsistent on UI | |
495242-3 | 4-Minor | mcpd log messages: Failed to unpublish LOIPC object | |
477992-3 | 4-Minor | K07450534 | Instance-specific monitor logging fails for pool members created in iApps |
474901-1 | 4-Minor | Profiles with a large number of regexps can cause excessive memory usage. | |
222409-6 | 4-Minor | K9952 | The HTTP::path iRule command may return more information than expected |
687579 | 5-Cosmetic | TMSH incorrectly allows settings snat-translation ip-idle-timeout to zero. | |
567330-1 | 5-Cosmetic | tmsh show sys memory on secondaries will generate innocuous error |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
632838-1 | 3-Major |  | Deterministic NAT performance may be degraded |
616021-1 | 4-Minor | K93089152 | Name Validation missing for some GTM objects |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
685915-1 | 2-Critical |  | Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured |
714507-4 | 3-Major |  | [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server |
704198-1 | 3-Major |  | GTM equivalent of ID663502 - replace-all-with can leave orphaned monitor_rule, monitor_rule_instance and monitor_instance |
704176-1 | 3-Major | K22540391 | Monitor instances may not get deleted during configuration merge load |
689583-3 | 3-Major |  | Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption. |
688335-3 | 3-Major | K00502202 | big3d may restart in a loop on secondary blades of a chassis system |
680069-3 | 3-Major |  | zxfrd core during transfer when a network failure occurs and the DNS server is removed from the DNS zone config |
679316-1 | 3-Major |  | iQuery connections reset during SSL key renegotiation |
675539-1 | 3-Major |  | Inter-system communications targeted at a Management IP address might not work in some cases. |
672491-2 | 3-Major | K10990182 | net resolver uses internal IP as source if matching wildcard forwarding virtual server |
659930-1 | 3-Major |  | Enterprise Manager may receive malformed data if there are multiple monitors on a pool |
653775-3 | 3-Major | K05397641 | Ampersand (&) in GTM synchronization group name causes synchronization failure. |
643813-2 | 3-Major | K32906881 | ZoneRunner does not properly process $ORIGIN directives |
637227-4 | 3-Major | K60414305 | DNS Validating Resolver produces inconsistent results with DNS64 configurations. |
629421-1 | 3-Major |  | Big3d memory leak when adding/removing Wide IPs in a GTM sync pair. |
628180-1 | 3-Major |  | DNS Express may fail after upgrade★ |
609527-2 | 3-Major |  | DNS cache local zone not properly copying recursion desired (RD) flag in response |
602300-1 | 3-Major |  | Zone Runner entries cannot be modified when sys DNS starts with IPv6 address |
517609-3 | 3-Major | K77005041 | GTM Monitor Needs Special Escape Character Treatment |
693007-3 | 4-Minor |  | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC |
688266-3 | 4-Minor |  | big3d and big3d_install use different logic to determine which version of big3d is newer |
674754-2 | 4-Minor |  | ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact |
669262-2 | 4-Minor | K91122850 | [GUI][ZoneRunner] reverse zones should be treated case-insensitively when creating resource record |
666258-2 | 4-Minor |  | GTM/DNS manual resume pool member not saved to config when disabled |
665117-2 | 4-Minor | K33318158 | DNS configured with 2 Generic hosts for different DataCenters, with same monitors: server status flapping |
648806-1 | 4-Minor |  | Invalid "with the first highest ratio counter" logging for pool member ratio load balance |
638170-1 | 4-Minor | K36455356 | Pagination broken or missing while viewing pool statistics for GTM wideip |
605537-5 | 4-Minor | K03997964 | Error when resetting statistics on GSLB Pool Members |
588229-1 | 5-Cosmetic |  | DNS protocol default profiles can be deleted after being modified. |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
636669-3 | 2-Critical | K37300224 | bd logs are full of 'Can't run patterns' messages |
612584-1 | 2-Critical | K34500121 | Server side blocking/asm cookie setting may not work under some circumstances |
710327-3 | 3-Major |  | Remote logger message is truncated at NULL character. |
707147-2 | 3-Major |  | High CPU consumed by asm_config_server_rpc_handler_async.pl |
706845-1 | 3-Major |  | False positive illegal multipart violation |
704143-2 | 3-Major |  | BD memory leak |
701039 | 3-Major |  | Requests do not appear in local logging due to rare file descriptor exhaustion |
700726-1 | 3-Major |  | Search engine list was updated |
694934-3 | 3-Major |  | bd crashes on a very specific and rare scenario |
689982-1 | 3-Major |  | FTP Protocol Security breaks FTP connection |
686765-1 | 3-Major |  | Database cleaning failure may allow MySQL space to fill the disk entirely |
685164-3 | 3-Major | K34646484 | In partitions with default route domain != 0 request log is not showing requests |
683241-3 | 3-Major | K70517410 | Improve CSRF token handling |
678322 | 3-Major |  | Missing Response Page for 'Login' is not populated upon upgrade |
676223-2 | 3-Major |  | Internal parameter in order not to sign allowed cookies |
674527-1 | 3-Major |  | TCL error in ltm log when server closes connection while ASM iRules are running |
670501-5 | 3-Major | K85074430 | ASM policies are either not (fully) created or not (fully) deleted on the HA peer device |
664714-1 | 3-Major |  | Client-side challenge is changing POST parameter value under some circumstances |
660327-2 | 3-Major |  | Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded. |
660326-2 | 3-Major | K91072177 | Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.★ |
657531-2 | 3-Major | K02310615 | High memory usage when using the ICAP server |
654996-1 | 3-Major | K50345236 | Closed connections remain in memory |
653017-2 | 3-Major |  | Bot signatures cannot be created after upgrade with DoS profile in non-Common partition |
650070-2 | 3-Major | K23041827 | iRule that uses ASM violation details may cause the system to reset the request |
648639-3 | 3-Major | K92201230 | TS cookie name contains NULL or other raw byte |
646800-2 | 3-Major |  | A part of the request is not sent to ICAP server in a specific case |
644725-4 | 3-Major | K01914292 | Configuration changes while removing ASM from the virtual server may cause graceful ASM restart |
636412-1 | 3-Major |  | ASM start process fails with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities |
631715-1 | 3-Major |  | ASM::disable does not disable client side challenges |
605649-3 | 3-Major | K28782793 | The cbrd daemon runs at 100% CPU utilization |
590851-4 | 3-Major |  | "never log" IPs are still reported to AVR |
574113-2 | 3-Major |  | Block All - Session Tracking Status is not persisted across an auto-sync device group |
569195-1 | 3-Major |  | A Set-Cookie for an existing ASM cookie without value change |
706930 | 4-Minor |  | "Enforce Ready" button has no effect for Signatures for Inactive Policy |
702350 | 4-Minor |  | FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS |
700989-2 | 4-Minor |  | Better detection of browser extensions |
699898-3 | 4-Minor |  | Wrong policy version time in policy created after synchronization between active and standby machines. |
698917 | 4-Minor |  | Unexpected additional policy is created while creating a policy from a template via REST |
688833-2 | 4-Minor |  | Inconsistent XFF field in ASM log depending on violation category |
665470-1 | 4-Minor |  | Failed to load sample requests on the Traffic Learning page when VIOL_MALICIOUS_IP violation is raised |
653895 | 4-Minor |  | Admin user cannot edit policy |
640751-2 | 4-Minor |  | No PCRE Validation Performed For Regular Expression Parameters |
627144 | 4-Minor |  | Two users cannot create policies at the same time. |
623779-2 | 4-Minor |  | Adding a client side challenge whitelist URL wildcard list |
618693-3 | 4-Minor |  | Web Scraping session_opening_anomaly reports the wrong route domain for the source IP |
583402-1 | 4-Minor |  | ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work |
513887-8 | 4-Minor |  | The audit logs report that there is an unsuccessful attempt to install a mysql user on the system |
700812-2 | 5-Cosmetic |  | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
713283-2 | 3-Major |  | Missing transaction count in application security report under view by IP Intelligence |
707204 | 3-Major |  | If the system has more than 264 analytics profiles, the upgrade fails. |
703196-3 | 3-Major |  | Reports for AVR are missing data |
702933 | 3-Major |  | Loading UCS with different provisioning can cause a single TMM crash |
700035-3 | 3-Major |  | /var/log/avr/monpd.disk.provision is not rotated |
688813-1 | 3-Major | K23345645 | Some ASM tables can massively grow in size. |
685741 | 3-Major |  | DoS Overview is very slow to load data, to the point of timeout |
683177-2 | 3-Major |  | Can't drilldown or filter by 'Client Countries' |
665425-3 | 3-Major | K24182390 | AVR Max metrics shows wrong values |
654915-3 | 3-Major |  | Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address |
652222-1 | 3-Major |  | Sending scheduled-reports will fail due to lack of backend support |
649177-2 | 3-Major | K54018808 | Testing for connection to SMTP Server always returns "OK" |
636104-2 | 3-Major |  | If pool member is defined with port 0, member may not be visible on the HTTP dimension pane. |
600634-2 | 3-Major |  | Schedule-reports can break the upgrade process★ |
588626 | 3-Major |  | Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member). |
493524 | 3-Major |  | ASM attack appears ongoing forever if restarting dosl7d during an attack |
473755-1 | 3-Major |  | It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
708005-3 | 2-Critical |  | Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources |
701944-2 | 2-Critical | K42284762 | machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6 |
684484 | 2-Critical |  | Dereferenced NULL object causes core |
668849-1 | 2-Critical |  | Upgrade failure for apm-log-setting objects★ |
660826-1 | 2-Critical |  | BIG-IQ Deployment fails with customization-templates |
658103 | 2-Critical | K00652162 | TMM core while adding logging action to APM SWG |
633349-3 | 2-Critical | K86613330 | localdbmgr hangs and eventually crashes |
632798-2 | 2-Critical |  | Double-free may occur if Access initialization fails |
631286-1 | 2-Critical |  | URI cache entries should be replaced/expired for euie hash table |
618637-1 | 2-Critical |  | Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error |
614364-1 | 2-Critical |  | Linux client NA components cannot be installed using either the sudo password or the root password |
582440-4 | 2-Critical |  | Linux client does not restore route to the default GW on Ubuntu 15.10 |
574318-3 | 2-Critical |  | Unable to resume session when switching to Protected Workspace |
712924 | 3-Major |  | In VPE, the SecurID servers list is not displayed in the SecurID authentication dialogue |
712315-1 | 3-Major |  | LDAP and AD Group Resource Assign are not displaying Static ACLs correctly |
710044-1 | 3-Major |  | Portal Access: same-origin AJAX request may fail in some cases. |
707953-1 | 3-Major |  | Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page |
706374-2 | 3-Major |  | [Kerberos SSO] krb5 library needs to use threadsafe res_ninit, res_nsearch instead of res_init, res_search |
704524-2 | 3-Major |  | [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries |
703793-1 | 3-Major |  | tmm restarts when using 'ACCESS::perflow get' in certain events |
695985-1 | 3-Major |  | Access HUD filter has URL length limit (4096 bytes) |
687213-1 | 3-Major |  | When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED |
686206-1 | 3-Major |  | Machine Info agent does not collect complete information on disconnected network adapters |
682751-5 | 3-Major |  | Kerberos keytab file content may be visible. |
679735-1 | 3-Major |  | Multidomain SSO infinite redirects from session ID parameters |
677646-1 | 3-Major | K62171231 | System cannot boot up due to prior aborted installation★ |
676854-1 | 3-Major |  | CRL Authentication agent will hang waiting on unresponsive authentication server. |
676300-5 | 3-Major | K04551025 | EPSEC binaries may fail to upgrade in some cases★ |
672221 | 3-Major |  | TMM cores if the certificate configured to validate message signature does not exist. |
670456-3 | 3-Major |  | Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number |
670367-2 | 3-Major | K39391280 | On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation. |
667518 | 3-Major |  | SSO Configurations update is failing from UI |
658664-2 | 3-Major |  | VPN connection drops when 'prohibit routing table change' is enabled |
658278-3 | 3-Major |  | Network Access configuration with Layered-VS does not work with Edge Client |
656784-2 | 3-Major | K98510679 | Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM |
640924-1 | 3-Major |  | On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly |
632958-2 | 3-Major |  | APM MIB gauges not reset on standby device |
625165-2 | 3-Major |  | Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers. |
621158-1 | 3-Major |  | f5vpn does not close upon closing session |
619667-1 | 3-Major | K34751151 | Allow Local DNS Servers is not honored on Mac OS X |
617629-1 | 3-Major |  | Same report is downloaded repeatedly after user clicks on "export csv" and then clicks on another tab |
614072-1 | 3-Major |  | Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session. |
611485-1 | 3-Major |  | APM AAA RADIUS server address cannot be a multicast IPv6 address.★ |
609793-1 | 3-Major |  | HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response. |
605018-2 | 3-Major | K47516511 | Citrix StoreFront integration mode with pass through authentication fails for browser access |
600872-1 | 3-Major |  | Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms. |
582606-1 | 3-Major |  | IPv6 downloads stall when NA IPv4&IPv6 is used. |
572519-1 | 3-Major |  | More than one header name/value pair not accepted by ACCESS::respond |
571503-1 | 3-Major |  | Windows Edge client cannot detect local LAN in some cases |
560601-1 | 3-Major |  | HTML5 File API and MediaSource URLs are blocked in Portal Access |
559402-4 | 3-Major |  | Client initiated form based SSO fails when username and password not replaced correctly while posting the form |
559082-2 | 3-Major |  | Tunnel details are not shown for MAC Edge client |
554504 | 3-Major |  | Client OS version not logged in Browser/OS Reports for iOS client devices |
552444-1 | 3-Major |  | Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD |
547692-3 | 3-Major |  | Firewall-blocked KPASSWD service does not cause domain join operation to fail |
543344-3 | 3-Major |  | ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event |
541622-2 | 3-Major |  | APD/APMD Crashes While Verifying CAPTCHA |
535119-1 | 3-Major |  | APM log tables initial rotation in MySQL may be wrong |
530092-2 | 3-Major |  | AD/LDAP groupmapping is over-encoding group names with backslashes |
527119-4 | 3-Major |  | Iframe document body could be null after iframe creation in rewritten document. |
526519-1 | 3-Major |  | APM sessiondump command can produce binary data |
525378 | 3-Major |  | iRule commands do not validate session scope |
509596-1 | 3-Major | K44043455 | iFrames with 'javascript:' scheme in SRC may not work |
494135-1 | 3-Major | K43101043 | HTML Event handlers may not work if 'eval' is redefined |
482625-1 | 3-Major |  | Pages with utf-8 Content-Type and utf-16 META tag do not render |
450136-3 | 3-Major |  | Occasionally customers see chunk boundaries as part of HTTP response |
435419-4 | 3-Major | K10402225 | Install of partial EPSEC file causes mcpd to crash, followed by multiple cores. |
417819-2 | 3-Major | K69046914 | APM: with Edge Clients, some JS contents are different, causing a warning |
369407-3 | 3-Major |  | Access policy objects are created inconsistently depending on whether created using wizard or manually. |
362511 | 3-Major | K52162658 | HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs |
712321 | 4-Minor |  | Missing reference to customization-group from connectivity profile if created via network access wizard |
708176 | 4-Minor |  | SNMP OIDs (NA throughput) incorrect when compression is disabled |
686718 | 4-Minor |  | VPN tunnel adapter stays up in some cases |
666497-2 | 4-Minor |  | Some of the Korean translations in Windows Edge Client were incorrect |
627384-1 | 4-Minor |  | eamtest tool fails with Segmentation fault after initialization. |
619099 | 4-Minor |  | 'General Database Error' while changing the Admin UI authentication type |
611327-1 | 4-Minor | K35559723 | Using an established app tunnel may display a Java exception error message. |
610436-3 | 4-Minor | K13222132 | DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10. |
608453-1 | 4-Minor |  | Shrink/Expand images of Webtop Section are customizable |
607684 | 4-Minor |  | tmsh provides option to delete all URLs from a custom category, which is not possible |
604050 | 4-Minor |  | Failed to get master key (ERR_NOT_FOUND) in apm log on first boot |
589367-2 | 4-Minor |  | Some Edge Client's German translations are incorrect |
579652-1 | 4-Minor |  | Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed. |
567503-1 | 4-Minor | K03293396 | ACCESS::remove can result in confusing ERR_NOT_FOUND logs |
563651-2 | 4-Minor |  | Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★ |
523158-1 | 4-Minor |  | In VPE if the LDAP server returns "cn=" (lower case) dn/group match fails |
496621-1 | 4-Minor |  | Portal Access incorrectly rewrites expressions with JavaScript typeof operator |
WebAccelerator Issues
ID Number | Severity | Solution Article(s) | Description |
706642-3 | 2-Critical |  | wamd may leak memory during configuration changes and cluster events |
701977-3 | 3-Major |  | Non-URL encoded links to CSS files are not stripped from the response during concatenation |
621284-5 | 3-Major |  | Incorrect TMSH help text for the 'max-response' RAMCACHE attribute |
686318 | 4-Minor |  | Inter TMM Caching Delay |
674992-3 | 4-Minor |  | AAM traffic report's time period doesn't always apply |
467589-4 | 4-Minor |  | Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error. |
Wan Optimization Manager Issues
ID Number | Severity | Solution Article(s) | Description |
674367-1 | 3-Major | K20983428 | SDD v3 symmetric deduplication may stop working indefinitely |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
703515-5 | 2-Critical | K44933323 | MRF SIP LB - Message corruption when using custom persistence key |
698338-2 | 2-Critical | | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection |
689343-3 | 2-Critical | | Diameter persistence entries with bi-directional flag created with 10 sec timeout |
685708-3 | 2-Critical | | Routing via iRule to a host without providing a transport from a transport-config created connection cores |
669739-1 | 2-Critical | K71963740 | Potential core when using MRF SIP with SCTP |
659173-1 | 2-Critical | K76352741 | Diameter Message Length Limit Changed from 1024 to 4096 Bytes |
701680-1 | 3-Major | | MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds |
700571-2 | 3-Major | | SIP MR profile, setting incorrect branch param for CANCEL to INVITE |
698911 | 3-Major | | Periodically SIP requests are not sent to the server |
696049-3 | 3-Major | K55660303 | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running |
691048-3 | 3-Major | K34553736 | Support DIAMETER Experimental-Result AVP response |
688942-3 | 3-Major | K82601533 | ICAP: Chunk parser performs poorly with very large chunk |
679114-2 | 3-Major | K92585400 | Persistence record expires early if an error is returned for a BYE command |
674747-2 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries. |
673814-4 | 3-Major | K37822302 | Custom bidirectional persistence entries are not updated to the session timeout |
669978-4 | 3-Major | | SIP monitor - Via header's branch parameter collision. |
651886-1 | 3-Major | | Certain FIX messages are dropped |
647158-3 | 3-Major | K76581555 | Internal virtual server inherits CMP hash mode from parent virtual server |
642211-2 | 3-Major | | Warning logged when GENERICMESSAGE::message drop iRule command used |
640384-1 | 3-Major | | New iRule options for MR::message route command |
620759-4 | 3-Major | | Persist timeout value gets truncated when added to the branch parameter. |
620445-4 | 3-Major | | New SIP::persist keyword to set the timeout without changing key |
613023-4 | 3-Major | | Update SIP::persist to support resetting timeout value. |
612143-2 | 3-Major | | Potential tmm core when two connections add the same persistence record simultaneously. |
583101-2 | 3-Major | | ADAPT::result bypass after continue causes bad state transition |
632658-4 | 4-Minor | | Enable SIP::persist command to operate during SIP_RESPONSE event |
617690-4 | 4-Minor | | Enable SIP::respond iRule command to operate during MR_FAILED event |
600431-6 | 4-Minor | | DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
710755-2 | 2-Critical | K30572159 | Crash when cached route information becomes stale and the system accesses the information from it. |
697265 | 2-Critical | | MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled. |
685820-1 | 2-Critical | | Active connections are silently dropped after HA failover if ASM is licensed and provisioned but AFM is not |
677473-1 | 2-Critical | | MCPD core is generated on multiple add/remove of Mgmt-Rules |
666221-2 | 2-Critical | | tmm may crash from DoSL7 |
632839 | 2-Critical | | UDP Flood does not get detected if the vector limits are infinite |
622204-1 | 2-Critical | K14141640 | If a virtual server's name has a "." in it then a DoS profile cannot be attached to it |
620844-1 | 2-Critical | | DoS: tmm core after delete packet type from Device Sweep vector |
703165 | 3-Major | | Shared memory leakage |
698806-2 | 3-Major | | Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces |
693515 | 3-Major | | A '+' character in a log profile name causes import to fail |
677302 | 3-Major | | Unable to save descriptions for firewall objects |
666112-1 | 3-Major | | TMM 'DoS Layer 7' memory leak during config load |
663946-2 | 3-Major | K92111062 | VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments |
663770-2 | 3-Major | K04025134 | AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server |
651169-3 | 3-Major | | The Dashboard does not show an alert when a power supply is unplugged |
633454-1 | 3-Major | | Older versions of Chrome get blocked when Proactive Bot Defense is enabled. |
632723-1 | 3-Major | K05079458 | tmm core with remote logging pool in non-zero route domain |
627447 | 3-Major | | Sync fails after firewall policy deletion |
613844 | 3-Major | | iApp may fail to install if AFM is provisioned |
612086-3 | 3-Major | K32857340 | Virtual server CPU stats can be above 100% |
592819-2 | 3-Major | | Enabling whitelists on a Protected Object requires disabling DoS protection support in hardware |
592211-1 | 3-Major | | Stress CPU on BIG-IP also takes into account the packets dropped by hardware. |
591505-1 | 3-Major | | Policy may become unsyncable after changing contexts |
581668 | 3-Major | | DNS/SIP whitelisted packets not reported |
701555-3 | 4-Minor | | DNS Security Logs report Drop action for unhandled rejected DNS queries |
632246-1 | 4-Minor | | Configuring the pvasyncookies db variable does not persist over reboots or to non-primary blades. |
568458 | 5-Cosmetic | | DoS vectors must be enabled in both DoS Profile and Device Configuration |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
699531-3 | 2-Critical | | Potential TMM crash due to incorrect number of attributes in a PEM iRule command |
696294-3 | 2-Critical | | TMM core may be seen when using Application reporting with flow filter in PEM |
711093-2 | 3-Major | | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled |
709610-1 | 3-Major | | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM |
697718-3 | 3-Major | | Increase PEM HSL reporting buffer size to 4K. |
648802-3 | 3-Major | | Required custom AVPs are not included in an RAA when reporting an error. |
640548-1 | 3-Major | | In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked. |
624187-1 | 3-Major | | Relocate TUC AVP to group AVP USU |
564431-3 | 4-Minor | | Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
663531-1 | 2-Critical | | TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel |
708830-1 | 3-Major | | Inbound or hairpin connections may get stuck consuming memory. |
667662-1 | 3-Major | K06579313 | Autolasthop does not work for PPTP-GRE traffic. |
667295-1 | 4-Minor | K51601122 | 'RTSP::header exists' iRule command always returns True |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
695401 | 3-Major | | QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile |
680298 | 3-Major | | FPS may introduce latency even for unprotected pages |
674297-1 | 3-Major | | Custom headers are removed on cross-origin requests |
652530 | 4-Minor | | Parameter names are case sensitive in Internet Explorer 9 only |
Anomaly Detection Services Issues
ID Number | Severity | Solution Article(s) | Description |
617324-2 | 3-Major | | Service health calculation creates unjustified CPU utilization |
653573 | 4-Minor | | ADMd not cleaning up child rsync processes |
Traffic Classification Engine Issues
ID Number | Severity | Solution Article(s) | Description |
649441-1 | 3-Major | | Classification memory allocation |
674795-1 | 4-Minor | | tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours. |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
625114-2 | 2-Critical | | Internal sync-change conflict after update to local users table |
676107 | 3-Major | | With admin account disabled, user cannot use token-based authentication |
667661-4 | 3-Major | K69015104 | Adding HA devices to Access Group in BIG-IQ fails with error: 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath' |
627341-1 | 3-Major | | TMUI loginProviderName is invalid when requesting a REST token |
688177-2 | 4-Minor | | Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade |
619397 | 4-Minor | K04055706 | LCD shows error screen on boot or after license expires |
iApp Technology Issues
ID Number | Severity | Solution Article(s) | Description |
666505-2 | 2-Critical | | Gossip between Viprion blades |
Known Issue details for BIG-IP v12.1.x
714626-1 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
Component: TMOS
Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.
Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Attempting to license (or revoke the license of) the BIG-IP system.
Impact:
Cannot license, reactivate license, or revoke the license of the BIG-IP system.
Workaround:
Perform the following procedure:
1. Configure the proxy settings via tmsh:
tmsh modify sys db proxy.host value <proxy IP / FQDN>
tmsh modify sys db proxy.port value <proxy port>
tmsh modify sys db proxy.protocol value <http / https>
tmsh modify sys db proxy.username value <username / null>
tmsh modify sys db proxy.password value <password / null>
2. Remount /usr volume with read / write permission
/bin/mount -o remount,rw /usr
3. Create a /usr/bin/getProxy script that reads the proxy values from the sys db and prints a --proxy argument for the license client.
-------------------------- (/usr/bin/getProxy) ---------------
#!/bin/bash
#
# getProxy: prints "--proxy <protocol>://[<user>[:<pass>]@]<host>:<port>" built from the
# proxy.protocol, proxy.host, proxy.port, proxy.username and proxy.password db variables.
# Prints nothing when proxy.host is unset ("<null>"), so the license client runs unchanged.
# All expansions are quoted so that an empty value cannot break the test expressions.
#
host=$(/usr/bin/getdb proxy.host)
if [ -z "$host" ] || [ "$host" = "<null>" ]; then
    exit 0
fi
protocol=$(/usr/bin/getdb proxy.protocol)
port=$(/usr/bin/getdb proxy.port)
username=$(/usr/bin/getdb proxy.username)
password=$(/usr/bin/getdb proxy.password)
usr_pass=""
if [ -n "$username" ] && [ "$username" != "<null>" ]; then
    if [ -n "$password" ] && [ "$password" != "<null>" ]; then
        usr_pass="${username}:${password}@"
    else
        usr_pass="${username}@"
    fi
fi
echo "--proxy ${protocol}://${usr_pass}${host}:${port}"
exit 0
---------------------------
4. Make the script executable:
/bin/chmod 755 /usr/bin/getProxy
5. Rename the original SOAPLicenseClient:
/bin/mv /usr/local/bin/SOAPLicenseClient /usr/local/bin/SOAPLicenseClientORG
6. Create a new /usr/local/bin/SOAPLicenseClient wrapper with the following content:
-------------------------- (/usr/local/bin/SOAPLicenseClient) ---------------
#!/bin/bash
# Prepend the --proxy argument (if any) to the original arguments. $(getProxy) is left
# unquoted on purpose so that "--proxy" and the URL are passed as two separate arguments;
# "$@" is quoted so the caller's arguments are passed through unchanged.
/usr/local/bin/SOAPLicenseClientORG $(/usr/bin/getProxy) "$@"
exit $?
--------------------------
7. Make the wrapper executable:
/bin/chmod 755 /usr/local/bin/SOAPLicenseClient
8. Remount /usr as read-only:
/bin/mount -o remount,ro /usr
Note: proxy.password is stored in clear text in the sys db and, with this workaround, is passed on the command line of the license client, where it is visible in the process list for the duration of the call. The two scripts live under /usr of the current boot location and are not carried over to a newly installed software volume, so they must be recreated there.
714507-4 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool
Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.
Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
# tmsh save sys config gtm-only
Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1
714503-3 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
Component: Local Traffic Manager
Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the .tcl extension. The system will do that for you.
714495-3 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
Component: Local Traffic Manager
Symptoms:
When using TMSH to create a new iRulesLX rule with the extension ".tcl" as part of the rule name, TMSH will append another ".tcl" at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at "Local Traffic ›› iRules : LX Workspaces ›› <workspace name>").
Conditions:
Creating a new iRulesLX iRule in TMSH.
Impact:
The user will be unable to view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the ".tcl" extension.
714384-5 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
714187-1 : Changing console Baud-rate to a supported value requires reboot
Component: TMOS
Symptoms:
Unable to modify console Baud-rate.
Conditions:
Running BIG-IP release 11.6.0 or later.
Impact:
System instability.
Workaround:
Reboot system after modification of console Baud-rate.
713951-3 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
713934-4 : Using iRule "DNS::question name" to shorten the name in DNS_REQUEST may result in a malformed TC response
Component: Local Traffic Manager
Symptoms:
A malformed truncated (TC) DNS response is received.
Conditions:
1. An iRule uses "DNS::question name" in DNS_REQUEST to shorten the question name.
2. The DNS response is longer than the 4096-byte UDP limit.
Impact:
The DNS request cannot be resolved correctly.
Workaround:
There is no workaround at this time.
713708-3 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
Component: TMOS
Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.
Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.
Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.
Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.
713533-3 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
The "tmsh list net self" command returns all self IPs, regardless of the regex pattern supplied.
Conditions:
Running "tmsh list net self" with a regex pattern to filter the output.
Impact:
You are unable to filter the self IP list using a regex pattern.
713519-3 : Enabling MCP Audit logging does not produce log entry for audit logging change
Component: TMOS
Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.
Conditions:
This occurs when enabling MCP audit logging.
Impact:
The audit logging change itself is not logged in the audit logs.
Workaround:
None.
713388 : SSL handshake fails for OCSP + TLS False Start + SSL hardware acceleration
Component: Local Traffic Manager
Symptoms:
The SSL handshake fails if the client uses TLS False Start, that is, the client sends application data records before the server has sent its ChangeCipherSpec and Finished messages.
Conditions:
1. The client initiates the SSL handshake with False Start.
2. SSL hardware acceleration is enabled on the BIG-IP system (the default on non-VE platforms).
Impact:
The BIG-IP system sends a RST to tear down the connection.
Workaround:
Use one of the following:
1. Disable TLS False Start on the clients. This must be done on every client, so it might not be feasible.
2. Disable SSL hardware acceleration.
3. Disable the AES-GCM ciphers in the clientssl profile. Without AES-GCM, clients do not attempt TLS False Start but can still negotiate (EC)DHE key exchange.
713283-2 : Missing transaction count in application security report when viewed by IP Intelligence
Component: Application Visibility and Reporting
Symptoms:
Transactions without an IP reputation threat are not listed in application security reports when viewed by IP Intelligence.
Conditions:
-- All transactions without an IP reputation threat.
-- Application security reports.
Impact:
Transaction count statistics are missing.
Workaround:
None.
713183 : Malformed JSON files may be present on vCMP host
Component: TMOS
Symptoms:
Malformed JSON files may be present on vCMP host.
Conditions:
All needed conditions are not yet defined.
- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.
Impact:
Some vCMP guests may not show up in the output of the command:
tmsh show vcmp health
In addition, there might be files present named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.
Workaround:
None.
713138 : TMUI ILX Editor inserts an unnecessary linefeed
Component: TMOS
Symptoms:
If you use the TMUI editor for ILX, the system appends a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, the file still registers as changed.
A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.
Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).
Impact:
File contents can change unexpectedly and have needless characters at the end.
Workaround:
Use TMSH or a different editor, that is not TMUI, to change those files.
713134-3 : Small tmctl memory leak when viewing stats for snapshot files
Component: TMOS
Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:
tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>
Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access
Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).
Workaround:
None.
712924 : In VPE, the SecurID servers list is not displayed in the SecurID authentication dialogue
Component: Access Policy Manager
Symptoms:
In VPE, the SecurID servers list is not displayed in the SecurID authentication dialogue. The list shows only None.
Conditions:
Always, when adding a SecurID authentication action.
Impact:
Inability to (re)configure SecurID via VPE.
Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:
tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>
712664-4 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Component: Local Traffic Manager
Symptoms:
IPv6 Neighbor Solicitation (NS) may be dropped when it is for a host on the remote VLAN of a transparent vlangroup and the target address matches a virtual address that has ARP disabled.
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
712475-1 : DNS zones without servers will prevent DNS Express reading zone data
Component: Local Traffic Manager
Symptoms:
DNS Express does not answer queries (for example, dig requests).
Conditions:
DNS Express is configured with a zone that has no server.
Impact:
DNS Express does not answer queries.
Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.
712437-1 : Records containing hyphens (-) will prevent child zone from loading correctly
Solution Article: K20355559
Component: Local Traffic Manager
Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.
Conditions:
-- The parent zone has a record containing - (a hyphen) whose characters before the hyphen match the child zone's name. For example, with the zones:
myzone.com -- parent
foo.myzone.com -- child
the parent zone myzone.com contains a record of the following form:
foo-record.myzone.com
Impact:
DNS cannot resolve records correctly.
Workaround:
None.
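The hyphen case above is a label-boundary problem: "foo" is a character prefix of "foo-record", but foo.myzone.com is not an ancestor of foo-record.myzone.com. The following Python example is added here and is not F5 code; the zone and record names are the ones from the note. It shows a whole-label membership test that assigns foo-record.myzone.com to the parent zone, beside a character-prefix comparison that misassigns it. The prefix variant only illustrates the mistake and is not a claim about how the BIG-IP implementation matches names.

```python
from typing import List, Optional


def labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_zone(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or below it, comparing whole labels only."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def character_prefix_in_zone(owner: str, zone: str) -> bool:
    """Illustration of the mistake (not F5's code): the zone's leading label is matched as a
    character prefix of the corresponding owner label, so 'foo' also matches 'foo-record'."""
    o, z = labels(owner), labels(zone)
    if not z or len(o) < len(z):
        return False
    tail = o[len(o) - len(z):]
    return tail[1:] == z[1:] and tail[0].startswith(z[0])


def most_specific_zone(owner: str, zones: List[str]) -> Optional[str]:
    """The zone that should serve owner: the longest zone (most labels) containing it."""
    matches = [z for z in zones if in_zone(owner, z)]
    return max(matches, key=lambda z: len(labels(z))) if matches else None


# Constructed sample taken from the note: parent myzone.com, child foo.myzone.com
ZONES = ["myzone.com", "foo.myzone.com"]

if __name__ == "__main__":
    for owner in ["foo-record.myzone.com", "www.foo.myzone.com", "foo.myzone.com", "example.org"]:
        print(f"{owner:24} -> {most_specific_zone(owner, ZONES)}  "
              f"(prefix comparison says child: {character_prefix_in_zone(owner, 'foo.myzone.com')})")
```

The same whole-label rule applies wherever a hostname is matched against a domain suffix (cookie domains, certificate names, allow lists), so the `in_zone` helper is the general form rather than a DNS-only fix.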
712321 : Missing reference to customization-group from connectivity profile if created via network access wizard
Component: Access Policy Manager
Symptoms:
Connectivity profile generated from the use of network access wizard will not contain a reference to a customization-group.
Conditions:
Using the network access wizard to create configuration objects.
Impact:
There is no functional impact, since customization is not actually used for the connectivity profile.
Workaround:
Configure the connectivity profile manually from TMUI (GUI) or tmsh (command line) rather than via the wizard. In the virtual server, replace the connectivity profile created by the wizard with the manually created one.
712315-1 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
Component: Access Policy Manager
Symptoms:
In VPE, LDAP and AD Group Resource Assign do not display static ACLs that are configured.
Conditions:
Attempting to assign static ACLs via AD or LDAP Group Resource Assign (also known as Group Mapping); the static ACLs are not displayed.
Impact:
Users are not able to assign Static ACLs with AD and LDAP Group Mapping via VPE.
Workaround:
Static ACLs are assignable with TMSH.
712033-1 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
Component: TMOS
Symptoms:
When you make a REST request to an association list in /stats, the selfLink contains a duplicate name after members, in both the entries and the selfLink, e.g.:
# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
"kind": "tm:ltm:pool:members:membersstats",
"generation": 3,
"selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
"entries": {
"https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {
Conditions:
When making a REST request to an object in /stats that is an association list.
Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.
Workaround:
None.
711879 : Web GUI can sometimes display the wrong cert and key for a GTM monitor that has the same name as an LTM monitor.
Component: TMOS
Symptoms:
The web GUI displays an incorrect value for cert and key for a GTM monitor.
Conditions:
The GTM monitor has the same name as an LTM monitor.
Impact:
Incorrect data can be presented regarding the GTM monitor's cert and key.
Workaround:
Use TMSH to display the correct cert and key.
711683-4 : bcm56xxd crash with empty trunk in QinQ VLAN
Component: TMOS
Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.
Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.
Impact:
bcm56xxd continuously crashes.
Workaround:
Use either of the following workarounds:
-- Add members to the trunk.
-- Remove the trunk from the QinQ VLAN.
711281-3 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.
711249-2 : NAS-IP-Address added to RADIUS packet unexpectedly
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
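To confirm this symptom from a packet capture rather than from the RADIUS server's rejection message, inspect the NAS-IP-Address attribute (type 4) of the Access-Request. The following Python example is added here and is not F5 code: it frames an Access-Request per RFC 2865 (code, identifier, length, 16-byte authenticator, type/length/value attributes), parses the attributes with the length checks a receiver should apply, and flags a loopback NAS-IP-Address. The two packets are constructed inline, not captured from a VIPRION.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32


def build_access_request(identifier: int, authenticator: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize an Access-Request: 4-byte header, 16-byte authenticator, then TLV attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value for atype, value in attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, value) pairs; reject truncated or mis-framed packets instead of guessing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes on the wire")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def nas_ip_address(packet: bytes) -> Optional[str]:
    """The NAS-IP-Address attribute as a dotted quad, or None if the request carries none."""
    for atype, value in parse_attributes(packet):
        if atype == ATTR_NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be exactly 4 bytes")
            return str(ipaddress.IPv4Address(value))
    return None


def nas_ip_is_loopback(packet: bytes) -> bool:
    """True when the request advertises a loopback NAS-IP-Address, the symptom described above."""
    addr = nas_ip_address(packet)
    return addr is not None and ipaddress.IPv4Address(addr).is_loopback


# Constructed samples (not real captures). SAMPLE_BAD is what the note describes a VIPRION
# with no cluster member IP addresses sending; SAMPLE_GOOD carries a routable NAS address.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_BAD = build_access_request(7, SAMPLE_AUTHENTICATOR, [
    (ATTR_USER_NAME, b"admin"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("127.0.0.1").packed),
    (ATTR_NAS_IDENTIFIER, b"bigip.example.net"),
])
SAMPLE_GOOD = build_access_request(8, SAMPLE_AUTHENTICATOR, [
    (ATTR_USER_NAME, b"admin"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
])

if __name__ == "__main__":
    for label, pkt in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(f"{label}: NAS-IP-Address={nas_ip_address(pkt)} loopback={nas_ip_is_loopback(pkt)}")
```

The same `parse_attributes` loop can be pointed at the UDP payload of a captured Access-Request; the length checks matter because a RADIUS server that trusts the per-attribute length byte without bounding it by the packet length can be made to read past the datagram.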
711093-2 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
710996-1 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
Component: Local Traffic Manager
Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
IPv4 traffic is sourced from the cluster IP
IPv6 traffic is sourced from the cluster member IP
Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.
Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.
Workaround:
There is no workaround at this time.
710841 : 12.1.3.3 feature refinement might be lost after upgrade
Component: TMOS
Symptoms:
If you upgrade from 12.1.3.3 (or later) to 13.1.0 or 13.1.0.1, you will lose the VE-specific 12.1.3.3 feature refinements you gained.
Conditions:
Upgrade from 12.1.3.3 (or later) to 13.1.0 or 13.1.0.1.
Impact:
Feature refinement provided in 12.1.3.3 will be lost after upgrade. Other functionality is unaffected.
Workaround:
Only upgrade from 12.1.3.3 or later to 13.1.0.2 or later.
710755-2 : Crash when cached route information becomes stale and the system accesses the information from it.
Solution Article: K30572159
Component: Advanced Firewall Manager
Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.
Conditions:
Use stale cached route information.
Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.
Workaround:
None.
710602 : iCRD commands requiring 'root' user access fixed
Component: TMOS
Symptoms:
Some of the iCRD calls that run commands on the base operating system that require elevated permissions would fail because iCRD was not correctly executing the commands in the right context.
Conditions:
Use an iCRD endpoint that requires elevated permissions to succeed.
Impact:
Only impacts iCRD endpoints which run commands that require root access.
Workaround:
There is no workaround at this time.
710564-3 : DNS drops responses with EDNS0 Client Subnet (CSUBNET) Scope Netmask != 0 as invalid
Component: Local Traffic Manager
Symptoms:
The DNS filter incorrectly treats a response whose EDNS0 Client Subnet (ECS) scope netmask is not 0 as invalid and drops it.
Conditions:
- Virtual server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with the EDNS0 ECS option set.
Impact:
If the response's ECS scope netmask has a value other than 0, LTM drops the response, causing a timeout and retry on the client side.
Workaround:
There is no workaround at this time.
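The scope netmask is the SCOPE PREFIX-LENGTH field of the ECS option (EDNS option code 8, RFC 7871) inside the OPT pseudo-RR of the response; an authoritative server sets it to a non-zero value whenever its answer was tailored to the client subnet, so the condition above is the normal case for geo-aware resolvers, not an error. The following Python example is added here and is not F5 code: it builds minimal responses with and without a non-zero scope, walks the message to the OPT RR (handling name compression in the answer), and reports the scope so a practitioner can tell from a capture whether a dropped response matches this note. Query name and addresses are constructed sample data.

```python
import struct
from typing import Optional, Tuple

TYPE_A, TYPE_OPT = 1, 41
EDNS_OPTION_ECS = 8  # EDNS Client Subnet, RFC 7871


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def skip_name(msg: bytes, pos: int) -> int:
    """Offset just past the name at pos; a 2-byte compression pointer terminates the name."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + n


def ecs_option(family: int, source_prefix: int, scope_prefix: int, address: bytes) -> bytes:
    """ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, then only the significant octets."""
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + address[:(source_prefix + 7) // 8]
    return struct.pack("!HH", EDNS_OPTION_ECS, len(body)) + body


def opt_rr(options: bytes, udp_payload: int = 4096) -> bytes:
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags (all 0)."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, len(options)) + options


def build_response(qname: str, answer_ip: bytes, options: bytes) -> bytes:
    """Response with one question, one A answer (owner name compressed to offset 12) and one OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR, RD, RA; QD=1 AN=1 NS=0 AR=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + answer_ip
    return header + question + answer + opt_rr(options)


def ecs_scope(msg: bytes) -> Optional[Tuple[int, int, int]]:
    """(family, source prefix, scope prefix) from the ECS option in the OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype != TYPE_OPT:
            continue
        opos = 0
        while opos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[opos:opos + 4])
            odata = rdata[opos + 4:opos + 4 + olen]
            opos += 4 + olen
            if code == EDNS_OPTION_ECS and len(odata) >= 4:
                family, source, scope = struct.unpack("!HBB", odata[:4])
                return family, source, scope
    return None


def scope_is_nonzero(msg: bytes) -> bool:
    """True for the responses this note says the dns profile drops (ECS scope netmask != 0)."""
    ecs = ecs_scope(msg)
    return ecs is not None and ecs[2] != 0


# Constructed samples: client subnet 198.51.100.0/24 (IPv4, family 1), answer 192.0.2.1
CLIENT_SUBNET = bytes([198, 51, 100, 0])
RESP_SCOPE_24 = build_response("www.example.com", bytes([192, 0, 2, 1]), ecs_option(1, 24, 24, CLIENT_SUBNET))
RESP_SCOPE_0 = build_response("www.example.com", bytes([192, 0, 2, 1]), ecs_option(1, 24, 0, CLIENT_SUBNET))
RESP_NO_ECS = build_response("www.example.com", bytes([192, 0, 2, 1]), b"")

if __name__ == "__main__":
    for label, msg in (("scope 24", RESP_SCOPE_24), ("scope 0", RESP_SCOPE_0), ("no ECS", RESP_NO_ECS)):
        print(f"{label}: ecs={ecs_scope(msg)} would be dropped: {scope_is_nonzero(msg)}")
```

Running `ecs_scope` over the UDP payloads of a capture taken between the BIG-IP system and the upstream server separates this issue from an unrelated timeout: only responses for which `scope_is_nonzero` is true are affected.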
710493 : Nitrox PX recovery failure will not retry as it was designed to.
Component: Local Traffic Manager
Symptoms:
When the Nitrox PX encounters an error, it performs a soft reset. If the soft reset fails, no further recovery attempts are made: the device remains offline and no failsafe action is triggered.
Conditions:
A Nitrox PX device starts recovery and the soft reset procedure fails to complete successfully; the driver only logs the failure.
Impact:
Whenever a Nitrox PX soft reset fails, the device is left offline and remains unusable until TMM is restarted or the BIG-IP system is rebooted. No retries are attempted even though the driver is designed to retry three times before triggering the failsafe action.
Workaround:
To recover service to the Nitrox PX devices once this occurs, issue the following command to restart tmm:
bigstart restart tmm
Note: Traffic will be disrupted while tmm restarts.
710410-1 : TMM hardware accelerated compression not registering for all compression levels.
Component: TMOS
Symptoms:
DEFLATE/gzip compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.
Conditions:
-- Compression requests for DEFLATE/gzip levels other than level 1.
-- BIG-IP devices using Cave Creek SSL hardware acceleration.
Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.
Workaround:
None.
710327-3 : Remote logger message is truncated at NULL character.
Component: Application Security Manager
Symptoms:
When a request that includes a binary NUL character is sent to a remote logger configured for ASM, the logged request arrives at the remote destination truncated exactly at the NUL character.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.
Impact:
Partial request is logged at the remote logger destination.
Workaround:
None.
710277-2 : IKEv2 further child_sa validity checks
Component: TMOS
Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.
Conditions:
A child_sa is rekeyed while a race condition allows that child_sa to be destroyed while still in use, which might cause a core.
Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.
Workaround:
None.
710044-1 : Portal Access: same-origin AJAX request may fail in some cases.
Component: Access Policy Manager
Symptoms:
If the base URL for the current HTML page contains the default port number, a same-origin AJAX request from this page may fail via Portal Access.
Conditions:
- HTML page with explicit default port in base URL, for example:
<base href='https://some.com:443/path/'>
- Same-origin AJAX request from this page, for example:
var xhr = new XMLHttpRequest;
xhr.open('GET', 'some.file');
Impact:
Web application may not work correctly.
Workaround:
It is possible to use an iRule to remove the default port number from the encoded back-end host definition in Portal Access requests, for example:
when RULE_INIT {
    # hex-encoded string for 'https://some.com'
    set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
    # '3a343433' is the hex-encoded form of ':443'
    set ::pattern "/f5-w-${::encoded_backend}3a343433\$"
    # indices of the encoded ':443' inside the pattern (the trailing '$' is excluded)
    set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
    set ::remove_start [ expr {$::remove_end - 7} ]
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "$::pattern" } {
        set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
        HTTP::path "$path"
    }
}
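Deriving the values the iRule above hard-codes, for any back-end URL and default port, as an added shell example that is not part of the F5 release note or of the iRule. The host 'https://some.com' and port 443 are the values from the issue description; the function names are mine, and the port-stripping function performs the same replacement as the iRule's string replace by matching the encoded port in front of the "$$" separator rather than by index.

```shell
# Added example (not from the F5 release note): derive the values the Portal
# Access iRule hard-codes, for any back-end scheme://host and default port.

# Hex-encode a string byte by byte, as Portal Access does in /f5-w-<hex>$$/ paths.
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Build the starts_with pattern used by the iRule: "/f5-w-" + hex(backend) +
# hex(":port") + a literal "$" (the first of the two "$$" separator characters).
# $1 = back-end URL such as https://some.com, $2 = default port such as 443
portal_access_pattern() {
    printf '/f5-w-%s%s$' "$(hex_encode "$1")" "$(hex_encode ":$2")"
}

# Apply the transform the iRule performs with string replace: drop the
# hex-encoded ":port" that sits directly before the "$$" separator.
# $1 = request path, $2 = hex-encoded port (for ':443' this is 3a343433)
strip_encoded_port() {
    printf '%s' "$1" | sed "s/$2\\\$\\\$/\$\$/"
}

# Demonstration with the values from the issue description:
portal_access_pattern 'https://some.com' 443
echo
strip_encoded_port '/f5-w-68747470733a2f2f736f6d652e636f6d3a343433$$/path/some.file' 3a343433
echo
```

Paste the output of portal_access_pattern into the iRule's ::pattern and the output of hex_encode ":<port>" in place of 3a343433 when adapting the workaround to another back-end; remove_end and remove_start then follow from the pattern length exactly as the RULE_INIT block computes them.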
710039 : Merging config may not report syslog configuration errors
Component: TMOS
Symptoms:
A 'load sys config verify merge' may return successfully, but 'load sys config merge' without the 'verify' argument might fail.
Conditions:
Running the 'load sys config merge' without the 'verify' argument.
Impact:
A successful 'verify' might be a false positive: the syslog system is not actually configured during a 'verify', so syslog configuration errors are not reported until the real merge.
Workaround:
None.
709963-4 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.
709837-3 : Cookie persistence profile may be configured with invalid parameter combination.
Component: Local Traffic Manager
Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.
Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.
Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.
Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.
709610-1 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave the SysDB variables set to their default values.
709559-3 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
Component: TMOS
Symptoms:
Loading the configuration fails on upgrade.
Conditions:
A profile named "/Common/ssh" exists and the system is being upgraded to v12.1.2.
Impact:
The system will not be functional.
Workaround:
Delete or rename "/Common/ssh".
709334-2 : Memory leak when SSL Forward proxy is used and ssl re-negotiates
Component: Local Traffic Manager
Symptoms:
When looking at 'tmsh show sys memory', the ssl_compat entry continues to grow and the memory is never released.
Conditions:
- SSL Forward Proxy in use.
- SSL renegotiations occurring.
Impact:
Eventually the memory reaper will kick in.
Workaround:
There is no workaround at this time.
708968-4 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
Component: TMOS
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.
Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- The connection between TMM and tmrouted is restarted, which is a small performance overhead.
Workaround:
- If possible, pass an IPv4 address or an IPv4-compatible IPv6 address instead of an IPv4-mapped IPv6 address; however, this depends on the other routers.
708956 : During system bootup, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
708830-1 : Inbound or hairpin connections may get stuck consuming memory.
Component: Carrier-Grade NAT
Symptoms:
When inbound or hairpin connections require a remote Session DB lookup and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They will be stuck in this state until they timeout and expire. In this state UDP connections will queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets will accumulate consuming memory. If the memory consumption becomes excessive, connections may be killed and “TCP: Memory pressure activated” and “Aggressive mode activated” messages will appear in the logs.
Conditions:
An LSN pool with inbound and/or hairpin connections enabled. Session DB messages are lost due to heavy load or hardware failure. Remote lookups are more likely when using PBA mode or NAPT mode with the default DAG.
Impact:
Excessive memory consumption that leads to dropped connections.
Workaround:
There is no workaround at this time.
708803 : Remote admin user with misconfigured partition fallback to "All"
Component: TMOS
Symptoms:
When remote role groups are used to set user role and partition from the remote authentication server, and the server is configured to set a user to Administrator role with access to a particular partition, the user instead receives Administrator role on all partitions. Users with Administrator role on the BIG-IP are required to have all partition access.
Conditions:
Remote authentication with remote role groups. Remote authentication server configured to set a user to Administrator role with access to a particular partition.
Impact:
Administrator users have access to all partitions.
Workaround:
Change configuration on remote authentication server. Users with Administrator role need all partition access. Users who must be restricted to a particular partition should be given a more restrictive role.
708415 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
Component: TMOS
Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.
Conditions:
-- BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.
For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:
# modify net interface 1.1 flow-control tx-rx
# show net interface 1.1 all-properties
Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.
Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.
Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.
708249-4 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
708176 : SNMP OIDs (NA throughput) incorrect when compression is disabled
Component: Access Policy Manager
Symptoms:
SNMP OIDs related to Network Access VPN tunnel or connectivity traffic are not updated if compression is not enabled. However, the definitions for connectivity traffic make it seem like they should be updated.
Conditions:
1. Create an access policy with Network Access resource (no compression enabled). Also, connectivity profile with no compression.
2. Assign this to a virtual server.
3. Establish a VPN tunnel, and download a large file.
4. Compare the SNMP OID values before and after this large file download via VPN tunnel.
Impact:
Confusion and graphs that don't seem to show the expected traffic.
Workaround:
Turn on compression to see the stats updated.
708114-3 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
Component: Local Traffic Manager
Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.
Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
708005-3 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
Component: Access Policy Manager
Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.
Conditions:
This occurs when the following conditions are met:
-- APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.
Impact:
End user cannot launch VMware View resources with View HTML5 client.
Workaround:
You can use any of the following workarounds:
-- If you are already running Horizon 7.4, use native View clients instead.
-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.
-- Add the following iRule to the virtual server that handles HTML5 client connections:
when HTTP_REQUEST {
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata") } {
        HTTP::cookie remove "sessionDataServiceId"
    }
}
when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if { [string length $path] > 0 } {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}
Important: After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the connection may need to be attempted more than once before it succeeds.
707953-1 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
Component: Access Policy Manager
Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.
Conditions:
Viewing APM and APM Lite licenses in the GUI.
Impact:
Cannot distinguish the difference in types of licenses.
Workaround:
Check the license file and verify what type of APM license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).
707951 : Stalled mirrored flows on HA next-active when OneConnect and a snatpool is used.
Component: Local Traffic Manager
Symptoms:
"tmctl -d blade tmm/umem_usage_stat | grep xdata" may show increased memory usage.
"tmsh show sys connect" shows idle flows.
Conditions:
- OneConnect profile and a SNAT pool with at least 2 entries are configured.
- HA mirroring is enabled.
Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.
Workaround:
Disable OneConnect or use just one entry in the SNAT pool.
707740-3 : Fixed issue preventing GTM Monitors from being deleted when used on multiple Virtual Servers with the same ip:port combination
Component: TMOS
Symptoms:
The user gets "monitor is in use" when attempting to delete a GTM monitor, even after removing that monitor from all GTM virtual servers.
Conditions:
A GTM monitor is attached to multiple GTM virtual servers in the same transaction, where both virtual servers are monitoring the same ip:port.
Impact:
The user is never able to delete the unused GTM monitor.
Workaround:
There is no workaround at this time.
707691-2 : BIG-IP handles some pathmtu messages incorrectly
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).
Impact:
pmtu message is erroneously ignored.
Workaround:
There is no workaround at this time.
707447-2 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
Component: Local Traffic Manager
Symptoms:
The SSL SNI mechanism creates a hash that maps the SAN entries in a given profile's certificate to that profile. This hash is owned by the default SNI profile, but is also held, without a reference, by the other profiles on the virtual server. If a connection uses SNI to select a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If the connection then attempts a renegotiation that uses the hash, the freed hash can cause a fault if the memory has been reused in the meantime (that is, the contents are invalid).
The fix: when the default SNI profile is initializing and the SSL handshake is searching for a SAN/common-name certificate from a non-default SNI profile, stop the search and return NULL.
Conditions:
SNI configured with one default SNI profile and one or more non-default SNI profiles. The default SNI profile is changed and a renegotiation with SNI (selecting a non-default SNI profile) is issued.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
707445 : Nitrox 3 compression hangs/unable to recover
Solution Article: K47025244
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrency, along with the type of error, have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
707391-4 : BGP may keep announcing routes after disabling route health injection
Component: TMOS
Symptoms:
As a result of a known issue, a BIG-IP system with BGP configured may continue to announce routes even after the virtual address is disabled or route announcement on the virtual address is disabled.
Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.
Impact:
Prefixes continue to exist in the BGP table even after the virtual address is disabled (visible in imish with the "show ip bgp" command), and the prefix continues to be announced to configured peers.
Workaround:
Restart the dynamic routing process.
707320-1 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
Component: TMOS
Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and an IPv4 last-resort-pool will only spawn an A-type WideIP after the upgrade.
Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.
Impact:
Loss of the AAAA-type WideIP configuration item.
Workaround:
There is no workaround at this time.
707207-2 : iRuleLx returning undefined value may cause TMM restart
Component: Local Traffic Manager
Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one whose JSON-RPC 2.0 representation is missing required fields, such as "result".
Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.
Impact:
Traffic is interrupted.
Workaround:
There is no workaround at this time.
707204 : If the system has more than 264 analytics profiles, the upgrade fails.
Component: Application Visibility and Reporting
Symptoms:
If the system is upgraded from version 11.5.4-hf2 or 11.6.0-hf4 and has more than 264 analytics profiles, the upgrade will fail.
Conditions:
1. The system has more than 264 different analytics profiles.
2. Upgrade from version 11.5.4-hf2, hf3, ... or from version 11.6.0-hf4, hf5, ...
Impact:
The upgrade will fail.
Workaround:
Delete/reduce the number of analytics profiles before the upgrade.
707147-2 : High CPU consumed by asm_config_server_rpc_handler_async.pl
Component: Application Security Manager
Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.
Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is encountered
Impact:
A process may consume high CPU even after the high traffic period is finished.
Workaround:
Kill asm_config_server.pl (this will not affect traffic).
Optionally modify one of the following:
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual
706930 : "Enforce Ready" button has no effect for Signatures for Inactive Policy
Component: Application Security Manager
Symptoms:
The "Enforce Ready" button has no effect for Signatures on Inactive Policies.
Conditions:
The user accesses "Enforcement Readiness" page for an Inactive Policy.
Impact:
Pressing "Enforce Ready" button has no effect.
Workaround:
Signature Staging can be disabled from "Application Security > Attack Signatures" page, or via REST.
706845-1 : False positive illegal multipart violation
Component: Application Security Manager
Symptoms:
A false positive multipart violation.
Conditions:
Uploading a file with a filename value that is encoded in a non-UTF-8 encoding.
Impact:
A false positive violation, request rejected.
Workaround:
This might be worked around using an iRule.
706642-3 : wamd may leak memory during configuration changes and cluster events
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
AAM is provisioned so wamd is running. Leakage may occur during user-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
706505 : iRule table lookup command may crash tmm when used in FLOW_INIT
Component: Local Traffic Manager
Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.
Conditions:
iRule table lookup command is used in FLOW_INIT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use table lookup in the events after the flow is constructed.
706423-2 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
Component: TMOS
Symptoms:
TMM may discard an existing child-SA via a timer at the moment it is in use for encryption or decryption. In addition, an error that aborts negotiation can leave multiple timers associated with one child-SA, which conflict with one another.
Conditions:
Errors in the IPsec configuration that cause negotiation to fail can occur while a child-SA is in a state that does not manage timers correctly.
A configuration with a short SA lifetime, causing frequent re-keying, increases the chance of hitting the race condition in which expiry happens while the SA is in active use for crypto.
Impact:
TMM restarts, disrupting traffic and causing HA failover.
Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)
706374-2 : [Kerberos SSO] krb5 library needs to use threadsafe res_ninit, res_nsearch instead of res_init, res_search
Component: Access Policy Manager
Symptoms:
Kerberos library uses deprecated and non-threadsafe functions to perform DNS SRV requests.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
This might result in unpredictable behavior such as memory corruption or a core. However, the occurrence is rare, since it only affects concurrent DNS SRV requests that resolve different KDCs.
Workaround:
There is no workaround.
706106-1 : PUT request sent to ltm/virtual fails because of ip-protocol property value 'any'
Component: TMOS
Symptoms:
A PUT request to ltm/virtual fails unexpectedly because of the ip-protocol property value 'any'.
Conditions:
Sending a PUT request to ltm/virtual.
Impact:
A PUT request modifies the properties that the user includes in the request and resets the remaining properties to their default values. The default ip-protocol property value could be 'any', 'ip' or 'hopopt'.
Workaround:
Use a PATCH request instead.
706102-3 : SMTP monitor does not handle all multi-line banner use cases
Component: Local Traffic Manager
Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.
Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.
Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.
Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.
705037-3 : System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
704764-2 : SASP monitor marks members down with non-default route domains
Component: Local Traffic Manager
Symptoms:
The LTM SASP monitor marks down pool members whose addresses include non-default route domains.
Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:
ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}
Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.
Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.
The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.
Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members, monitored by the SASP monitor, that have the same address and differ only in route domain. In case of such a configuration error, the status reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.
704524-2 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, the DNS server truncates UDP responses larger than 512 bytes, causing the DNS request to be re-sent over a TCP connection. This results in unnecessary round trips to resolve DNS SRV queries.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.
Workaround:
There is no workaround at this time.
704450-2 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
704449-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh
If this issue occurs often enough, it can cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users who are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.
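A check for the orphan condition described in this entry, as an added shell example that is not part of the F5 release note. It reads the same `ps -o pid,ppid,comm` format the note shows and reports every tmsh process whose parent is PID 1; the sample ps output embedded here is constructed, and the live helpers assume a procps-style /bin/ps.

```shell
# Added example (not from the F5 release note): detect tmsh processes that have
# been reparented to init (PPID 1), the signature of the orphan condition.

# Read `ps -o pid,ppid,comm` output on stdin and print the PID of every tmsh
# process whose parent is PID 1. The header line is skipped.
find_orphaned_tmsh() {
    awk 'NR > 1 && $3 == "tmsh" && $2 == 1 { print $1 }'
}

# Constructed sample of `/bin/ps -o pid,ppid,comm -C tmsh` output (not real data):
# two orphans (8255, 9120) and one tmsh still attached to its parent session.
SAMPLE_PS='  PID  PPID COMMAND
 8255     1 tmsh
 8301  8290 tmsh
 9120     1 tmsh'

# Live variant: count orphans on the running system (assumes procps-style ps).
count_live_orphans() {
    /bin/ps -o pid,ppid,comm -C tmsh 2>/dev/null | find_orphaned_tmsh | wc -l | tr -d ' '
}

# Live variant of the third workaround: send SIGTERM to each orphaned tmsh.
# Assumed administrator action; only the detection part runs in the demo below.
halt_orphaned_tmsh() {
    for pid in $(/bin/ps -o pid,ppid,comm -C tmsh 2>/dev/null | find_orphaned_tmsh); do
        kill -TERM "$pid"
    done
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_PS" | find_orphaned_tmsh
```

count_live_orphans is the value to watch over time on an affected system: a count that keeps climbing between SSH sessions is the memory-growth path this entry warns about, whereas a stable non-zero count is a one-off that halt_orphaned_tmsh clears.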
704336-3 : Updating 3rd party device cert not copied correctly to trusted certificate store
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
704282-3 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
Component: TMOS
Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.
Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.
For this to happen, the fair share rate of the instance of dynamic policy has to be less than 32 times the average packet size of the instance of policy.
For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
F5 does not recommend running the BWC under 64Kbps.
Either decrease the number of subscribers or increase the max-rate of dynamic policy.
704247-3 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
Solution Article: K07356404
Component: TMOS
Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.
Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.
Impact:
Installation attempt of the remaining image(s) might fail.
Workaround:
Restart the lind process, so the installation can continue.
704198-1 : GTM equivalent of ID663502 - replace-all-with can leave orphaned monitor_rule, monitor_rule_instance and monitor_instance
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd;
Secondary blade restarting in a loop.
Conditions:
Modify monitor for gtm objects using tmsh with replace-all-with.
Impact:
There is a leaked/extra monitor instance;
Restarting secondary slot will result in a restart loop.
Workaround:
Restart services, but this might change primary slot:
# bigstart restart
704176-1 : Monitor instances may not get deleted during configuration merge load
Solution Article: K22540391
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.
-- err mcpd[8982]: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.
-- err mcpd[8982]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.... failed validation with error 16908342.
Conditions:
Merge a GTM config file to update a virtual server's monitor.
Impact:
There is a leaked/extra monitor instance. Restarting secondary slot will result in a restart loop.
Workaround:
Remove the MCPD binary database on the Primary blade and restart services:
# touch /service/mcpd/forceload
# bigstart restart
Note: This might change the primary slot.
704143-2 : BD memory leak
Component: Application Security Manager
Symptoms:
A BD memory leak.
Conditions:
WebSocket traffic with a specific configuration.
Impact:
Resident memory increases, swap getting used.
Workaround:
Make sure the WebSocket violations are not due to a bad WebSocket URL configuration, that they are turned on in Learn/Alarm or Block, and that a local logger is configured and attached.
703914-1 : TMM SIGSEGV crash in poolmbr_conn_dec.
Component: Local Traffic Manager
Symptoms:
TMM cores in poolmbr_conn_dec function.
Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.
Impact:
TMM core, traffic interruption, possible failover.
Workaround:
Do not use LB::reselect, disable request queueing on a pool associated with the VS.
703793-1 : tmm restarts when using 'ACCESS::perflow get' in certain events
Component: Access Policy Manager
Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.
Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).
Impact:
tmm cores and traffic flow will be interrupted while it restarts.
Workaround:
None.
703669-3 : Eventd restarts on NULL pointer access
Component: TMOS
Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.
Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.
Impact:
Causes eventd to crash.
Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
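The read loop described above is a common end-of-file handling mistake: treating a short read as the only EOF signal, so a file whose size is an exact multiple of the chunk size produces one extra read that returns 0 bytes, and that empty buffer reaches the parser. The following is an added example, not the eventd source and not F5 code: it reproduces the pattern against an in-memory stand-in for the file, counts how often the (stand-in) parser is handed an empty buffer, and shows the loop shape that avoids it. The `mem_file` reader, `feed_parser` and the 1024-byte chunk size are assumptions made for the example; only the chunk size comes from the issue text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 1024

/* Constructed in-memory stand-in for a file such as /config/eventd.xml. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} mem_file;

/* Behaves like read(2): returns the number of bytes copied, 0 at end of file. */
static size_t mem_read(mem_file *f, char *buf, size_t n) {
    size_t left = f->len - f->pos;
    size_t take = left < n ? left : n;
    memcpy(buf, f->data + f->pos, take);
    f->pos += take;
    return take;
}

/* Stand-in parser: records how many calls it received, how many bytes, and
 * how many times it was handed an empty buffer (the crash trigger here). */
typedef struct {
    int calls;
    int empty_calls;
    size_t bytes;
} parse_stats;

static void feed_parser(parse_stats *st, const char *buf, size_t n) {
    (void)buf;
    st->calls++;
    st->bytes += n;
    if (n == 0) st->empty_calls++;
}

/* Buggy pattern: a short read (n < CHUNK) is the only EOF marker, so a file of
 * exactly k*CHUNK bytes needs one more read, which returns 0 bytes, and that
 * empty buffer is passed to the parser before the loop notices. */
int load_buggy(mem_file *f, parse_stats *st) {
    char buf[CHUNK];
    size_t n;
    memset(st, 0, sizeof *st);
    do {
        n = mem_read(f, buf, CHUNK);
        feed_parser(st, buf, n);          /* reached even when n == 0 */
    } while (n == CHUNK);
    return st->empty_calls;
}

/* Fixed pattern: test the read result before parsing; a zero-length read is
 * EOF and never reaches the parser, whatever the file size. */
int load_fixed(mem_file *f, parse_stats *st) {
    char buf[CHUNK];
    size_t n;
    memset(st, 0, sizeof *st);
    while ((n = mem_read(f, buf, CHUNK)) > 0) {
        feed_parser(st, buf, n);
    }
    return st->empty_calls;
}

/* Run one loader over a constructed file of `len` bytes (at most 4096) and
 * return how many empty buffers the parser saw; bytes_seen may be NULL. */
int empty_parses_for_len(size_t len, int use_fixed, size_t *bytes_seen) {
    static char data[4096];
    if (len > sizeof data) len = sizeof data;
    memset(data, 'x', sizeof data);
    mem_file f = { data, len, 0 };
    parse_stats st;
    int empties = use_fixed ? load_fixed(&f, &st) : load_buggy(&f, &st);
    if (bytes_seen) *bytes_seen = st.bytes;
    return empties;
}

int main(void) {
    printf("buggy, 2048 bytes: %d empty parse(s)\n", empty_parses_for_len(2048, 0, NULL));
    printf("fixed, 2048 bytes: %d empty parse(s)\n", empty_parses_for_len(2048, 1, NULL));
    printf("buggy, 1500 bytes: %d empty parse(s)\n", empty_parses_for_len(1500, 0, NULL));
    return 0;
}
```

The whitespace-padding workaround in the note works precisely because it moves the file off the `k * 1024` boundary, so the final read is short and the buggy loop exits before the zero-length read; the loop in `load_fixed` does not depend on the file size at all.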
703580 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
Component: Local Traffic Manager
Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)
Conditions:
-- Using the following platforms:
+ VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.
Impact:
TLS1.1 handshake fails on the guest.
Workaround:
Use the same software version on the vCMP host and vCMP guests.
703515-5 : MRF SIP LB - Message corruption when using custom persistence key
Solution Article: K44933323
Component: Service Provider
Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.
Conditions:
Custom persistence key is not a multiple of 3 bytes
Impact:
The SIP request message may be corrupted when the via header is inserted.
Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.
703509-1 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
Component: TMOS
Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.
...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.
Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.
Impact:
User is unable to save the configuration.
Workaround:
A user with the administrator role can save the config.
The root user can save the config.
703196-3 : Reports for AVR are missing data
Component: Application Visibility and Reporting
Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.
Conditions:
Using AVR statistics.
Impact:
Expected AVR statistics may be missing.
Workaround:
Run the following shell command on BIG-IP:
sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql
703165 : shared memory leakage
Component: Advanced Firewall Manager
Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).
Conditions:
Many shmem segments allocated and used by tmm.
Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.
Workaround:
There is no workaround at this time.
702933 : Loading UCS with different provisioning can cause a single TMM crash
Component: Application Visibility and Reporting
Symptoms:
Saving a UCS file on one system and loading it on another that has different provisioning, can lead to TMM crash.
Note: The crash occurs only once; the TMM process that is automatically restarted afterwards works without problems.
Conditions:
-- Save a UCS on a system that has AVR or ASM with DoS configured.
-- Load the UCS on a system that does not have AVR nor ASM provisioned.
Impact:
When the system restarts after loading the UCS, TMM can crash but second process of TMM will work fine.
There is no actual impact, since the system is not operational anyway during UCS load, it only takes more time to bring the system to active state after loading the UCS.
Workaround:
When loading a UCS that was saved on a system that had AVR or ASM, make sure the same modules are provisioned first, and then load the UCS.
702615-1 : During reboot to another volume, the GUI login page becomes prematurely available★
Component: TMOS
Symptoms:
Less than a minute after a reboot to another volume is initiated from the GUI, the GUI reports that the reboot is complete and displays the login page. Normally, a reboot takes about 5 minutes.
Conditions:
User initiates a reboot to another volume from the GUI.
Impact:
Misleading information is shown in the GUI. The GUI reports that the reboot is complete and displays the login prompt. However, this is not correct, because the reboot is still in progress.
Workaround:
Check the reboot status from the console or simply wait about 5 minutes before attempting to login to the system again.
702450-4 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
Possible confusion at the error message.
Workaround:
There is no workaround at this time.
702439-3 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
Solution Article: K04964898
Component: Local Traffic Manager
Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.
Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.
Impact:
HTTP/2 connections will be unusable.
Workaround:
Set the header table size argument back to its default.
702350 : FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS
Component: Application Security Manager
Symptoms:
Fingerprinting is injected while no ASM feature using it is asking for it.
Conditions:
-- Web-scraping is configured in the policy history.
-- Policy is configured using REST.
Impact:
FingerPrint JS is injected for each request.
Workaround:
1. Turn on Bot detection and click Save.
2. Turn off Bot detection, FP flag, and suspicious clients detection, and click Save.
3. Apply Policy.
702151-2 : HTTP/2 can garble large headers
Component: Local Traffic Manager
Symptoms:
The HTTP/2 filter may incorrectly encode large headers.
Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.
Impact:
The garbled header may no longer conform to the HPACK spec, and cause the connection to be dropped. The garbled header may be correctly formed, but contain incorrect data.
701977-3 : Non-URL encoded links to CSS files are not stripped from the response during concatenation
Component: WebAccelerator
Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.
Conditions:
White space in the URLs.
Impact:
As above.
Workaround:
No workaround at this time.
701944-2 : machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6
Solution Article: K42284762
Component: Access Policy Manager
Symptoms:
Machine certificate check crashes a Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.
Conditions:
- Machine certificate check configured with the 'match issuer' option.
- macOS Sierra 10.12.6 (16G29).
- BIG-IP Edge client.
- F5 EPI.
Impact:
Machine certificate check does not pass because Edge client crashes.
Workaround:
None.
701900 : DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
Solution Article: K55938217
Component: TMOS
Symptoms:
DHCP-configured domain-name-servers (DNS) unavailable after reboot when there are more than two domain-name-servers in the lease.
Conditions:
- DHCP is enabled on the mgmt interface.
- DHCP server provides more than 2 domain-name-servers in its lease.
Impact:
Name resolution on mgmt interface fails due to misconfiguration in DNS information for mgmt interface.
Workaround:
No workaround at this time.
701722-2 : Potential mcpd memory leak for signed iRules
Component: TMOS
Symptoms:
There is an MCP memory leak that occurs when the message "Signature encryption failed" is seen in /var/log/ltm.
Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.
Impact:
MCP leaks memory.
Workaround:
Resolve the signature encryption issue.
701690-3 : Fragmented ICMP forwarded with incorrect icmp checksum
Solution Article: K53819652
Component: Local Traffic Manager
Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.
Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or SNAT/NAT only when a fragmented ICMP packet is received and is expected to be passed through the virtual server (or SNAT or NAT).
Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.
Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.
701680-1 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
Component: Service Provider
Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.
Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate-limiting is applied.
Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.
Workaround:
There is no workaround at this time.
701678-1 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
Component: Local Traffic Manager
Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limit is exceeded.
Conditions:
Virtual configured with rate-limit and not using TCP or FastL4.
Impact:
Rate-limit not honored; dropping valid traffic.
Workaround:
None.
701555-3 : DNS Security Logs report Drop action for unhandled rejected DNS queries
Component: Advanced Firewall Manager
Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.
Conditions:
DNS profile set unhandled-query-action reject.
Impact:
Incorrect event log. This is an incorrectly logged event and does not indicate an issue with the system.
Workaround:
None.
701387-4 : qkview will not collect files greater than 2 GB
Component: TMOS
Symptoms:
Due to a limitation of the file compression library employed by qkview, it cannot collect files greater than 2 GB in size. qkview aborts when it encounters such a file and does not produce a resulting qkview file.
Conditions:
A file greater than 2 GB exists in a directory that qkview normally collects.
Impact:
No qkview diagnostics file is created.
Workaround:
Remove the file greater than 2 GB in size.
701341-2 : If /config/BigDB.dat is empty, mcpd continuously restarts
Solution Article: K52941103
Component: TMOS
Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system will fail to start up, and mcpd will continually restart.
Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)
701039 : Requests do not appear in local logging due to rare file descriptor exhaustion
Component: Application Security Manager
Symptoms:
In an extremely rare circumstance, requests do not appear in local logging due to file descriptor exhaustion in asmlogd.
Conditions:
-- ASM configured.
-- ASM policy with an associated 'Log all requests' logging profile.
-- Requests sent to virtual server.
-- View Request Log.
Impact:
Requests do not appear in local logging.
Workaround:
Restart ASM, or pkill -f asmlogd.
701033-1 : Tcl actions not run if conditions have overlapping IP ranges
Component: Local Traffic Manager
Symptoms:
Overlapping CIDR subnets in a rule's conditions cause an unexpected result.
Conditions:
-- LTM policy with more than one IP-address-based condition.
-- The IP address ranges overlap.
-- An associated action that invokes a Tcl command.
Impact:
Tcl action is not run.
Workaround:
None.
700989-2 : Better detection of browser extensions
Component: Application Security Manager
Symptoms:
Browser extensions are not always detected.
Conditions:
Enabling "Web Scraping -> Suspicious Clients -> Detect browsers with Scraping Extensions" and choosing disallowed extensions.
Impact:
Browsers with disallowed extensions are not blocked.
Workaround:
None.
700897-3 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
Component: TMOS
Symptoms:
sod consumes excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.
Conditions:
When the number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.
Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interferes with other control plane functions including the UI.
Workaround:
There is no workaround at this time.
700889-2 : Software syncookies without TCP TS improperly include TCP options that are not encoded
Solution Article: K07330445
Component: Local Traffic Manager
Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.
Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.
Impact:
In one known case, the client was Windows 7, which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system did not use WS in this case, and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.
Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.
700827-2 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. It can be observed for example by running "tmsh show sys tmm-traffic".
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP.
700812-2 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
Component: Application Security Manager
Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.
Conditions:
Try to deploy a qkview on a BIG-IP system using the asmrepro tool while the BIG-IP system has a four-element version like 13.1.0.1.
Impact:
Cannot deploy a four-element-version qkview on a BIG-IP system using the asmrepro tool.
Workaround:
None.
700757-2 : vcmpd may crash when it is exiting
Component: TMOS
Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:
err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create
It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:
umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy
Conditions:
vCMP must be in use.
Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.
Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:
tmsh restart sys service vcmpd
700726-1 : Search engine list was updated
Component: Application Security Manager
Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily.
Conditions:
Site accessed by search engines.
Impact:
Traffic from search engines is blocked unnecessarily.
Workaround:
Manually add search engines.
700639 : The default value for the syncookie threshold is not set to the correct value
Component: Local Traffic Manager
Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.
Conditions:
This issue may be encountered when a virtual server uses syncookies.
Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.
Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000
700571-2 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE
Component: Service Provider
Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.
Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL.
Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.
Workaround:
None.
700433-2 : Memory leak when attaching an LTM policy to a virtual server
Solution Article: K10870739
Component: Local Traffic Manager
Symptoms:
MCP's memory increases when deleting and adding an LTM policy attached to a virtual server.
Conditions:
-- LTM policies must be in use.
-- A policy with at least one rule. (Note: A rule with actions or conditions will leak more memory.)
-- Add the policy to a virtual server.
Impact:
MCP may run slower when memory is low. If all memory is used up, MCP will crash, which will cause a failover or outage.
Workaround:
None.
700426-2 : Switching partitions while viewing objects in GUI can result in empty list
Solution Article: K58033284
Component: TMOS
Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.
Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.
For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.
Impact:
The list of pools is empty despite the fact that there are pools available.
Workaround:
Return to the first page of objects before switching to any other partition.
700386-1 : mcpd may dump core on startup
Component: TMOS
Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.
Conditions:
This can happen only at startup.
Impact:
mcpd restarts, but resumes normal operation.
Workaround:
None.
700250-1 : qkviews for secondary blade appear to be corrupt
Solution Article: K59327012
Component: TMOS
Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.
Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.
Impact:
The system posts the following messages:
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.
Workaround:
None.
700061-3 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
Component: Local Traffic Manager
Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key file Unix permissions change from '-rw-r-----' to '-rw-r--r--'.
Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.
Impact:
Key file Unix read permissions change from '-rw-r-----' to '-rw-r--r--'.
Workaround:
There is no workaround at this time.
700057-3 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
Component: Local Traffic Manager
Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.
Conditions:
Upgrade or load a .ucs with SSL keys configured.
Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.
Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config
700035-3 : /var/log/avr/monpd.disk.provision not rotate
Component: Application Visibility and Reporting
Symptoms:
The log file may fill up the /var partition.
Conditions:
There is no special condition for this issue; if the log grows large, it does not rotate.
Impact:
The log file may fill up the /var partition.
Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision
699898-3 : Wrong policy version time in policy created after synchronization between active and standby machines.
Component: Application Security Manager
Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.
Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.
Impact:
Policy version timestamp on standby system is not synchronized properly.
Workaround:
Run full synchronization again from active system to the group.
699531-3 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
699426-3 : RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.
Component: Local Traffic Manager
Symptoms:
If a blade already known to statsd goes down, statsd continues to update the blade's /var/rrd/bladeXcpu file.
If a new blade joins and is announced to statsd, statsd stops updating all /var/rrd/bladeXcpu files, especially if it did not have prior knowledge of the blade.
Conditions:
If statsd is restarted after the blade is disabled, or goes down, and after that the blade rejoins the cluster, the /var/rrd/bladeXcpu files stop updating (where X is the blade number).
Impact:
Data of those files is not updated. This impacts the graphs generated from these files.
Workaround:
Execute the command "bigstart restart statsd" after the new blade has joined the cluster.
699076-3 : URI::path iRules command warns when end and start values are equal
Component: Local Traffic Manager
Symptoms:
The URI::path iRules command warns when the end and start values are equal.
Conditions:
The end and start values are equal.
Impact:
Warning message shows in console.
Workaround:
Ignore the warning.
698991 : CPU utilization on i850 is not a reliable indicator of system capacity
Solution Article: K64258832
Component: TMOS
Symptoms:
Unlike previous platforms, the i850 may report between 50-70% CPU utilization when at full capacity. The specific number is workload dependent, and therefore should not be used as an indicator of system headroom for sizing purposes.
Conditions:
Running BIG-IP on an i850.
Impact:
Confusion of actual capacity usage.
Workaround:
Refer to the BIG-IP stats and published capabilities to determine utilized capacity under a specific workload.
698947-1 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
Component: TMOS
Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.
Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.
Impact:
The decapsulated packets may be dropped in the BIG-IP system.
698933-3 : Setting metric-type via ospf redistribute command may not work correctly
Component: TMOS
Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.
Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"
Impact:
Metric type is not changed.
Workaround:
Change metric-type using a route-map applied to the redistribute command.
698917 : Unexpected additional policy is created while creating a policy from a template via REST
Component: Application Security Manager
Symptoms:
An unexpected additional policy is created while creating a policy from a template via REST while modifying other attributes.
Conditions:
The user creates a policy from a template via REST while modifying other attributes.
Impact:
An unexpected additional policy is created.
Workaround:
Use the import-policy task to create a new policy from a template in REST. Alternatively, if using the /policies endpoint, create the policy with just the name and template, and make any other changes as a separate update afterwards.
698916-3 : TMM crash with HTTP/2 under specific condition
Component: Local Traffic Manager
Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connection.
Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.
698911 : Periodically SIP requests are not sent to the server
Component: Service Provider
Symptoms:
When rate-limiting is configured on the virtual server and/or pool using a SIP profile, SIP requests may periodically not be forwarded to the server despite the rate being under the limit.
Conditions:
SIP profile associated with virtual server and rate-limit configured.
Impact:
SIP requests may not be forwarded to the server.
Workaround:
There is no workaround other than disabling rate-limiting.
698844 : LCD splash screen may display incorrect platform name on iSeries appliance
Component: TMOS
Symptoms:
The LCD on an iSeries appliance may show the incorrect platform name after a license is applied.
Conditions:
The platform name may be incorrect on the LCD until the first reboot.
Impact:
Display only, no functional impact
Workaround:
Use "tmsh show sys hardware" to see the correct platform name.
698806-2 : Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces
Component: Advanced Firewall Manager
Symptoms:
Egress Interfaces are not checked in the Source Translation page even if they are configured.
Conditions:
Create a source translation object with egress Interfaces set to 'Enabled on...', select Egress Interfaces from the list, and hit 'Finished'. Egress Interfaces will not be checked with the originally configured values.
Impact:
Egress Interfaces will not be checked even if they are configured.
Workaround:
Use tmsh to check whether the object is actually configured with Egress Interfaces.
698599 : Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems.
Component: TMOS
Symptoms:
Cave Creek Hardware-accelerated Secure Sockets Layer (SSL) traffic may encounter errors and performance problems.
The BIG-IP system may experience SSL connection failures or reduced performance.
The following messages in /var/log/ltm are an example of the errors seen:
-- crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
-- warning tmm3[11707]: 01260009:4: Connection error: ssl_basic_rx:1015: decrypt request error (20)
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP system uses Cave Creek SSL hardware acceleration.
-- You are experiencing a high SSL traffic load.
Impact:
The BIG-IP system may experience SSL connection failures or reduced performance.
Workaround:
To work around this issue, you can increase the crypto.queue.timeout database key. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system. This procedure will mitigate future occurrences. A reboot of the BIG-IP system is required to clear a currently occurring condition.
1. Log in to the Traffic Management Shell (tmsh) as an administrative user.
2. Run the following command: modify /sys db crypto.queue.timeout value 300
3. Reboot the BIG-IP system.
698597 : BIG-IP fails to go active after cryptographic hardware has recovered from a failure
Component: TMOS
Symptoms:
A BIG-IP system might not become active after a crypto-failsafe condition even after it has recovered from a cryptographic hardware failure.
As a result of this issue, you might see output of the tmsh show sys ha-status command similar to the following example:
Feature Key Action Fail Feature Take Client Proc Timeout
crypto-failsafe qa-crypto3-3 failover yes yes yes 0 tmm3 0
The /var/log/ltm file contains messages similar to the following examples:
-- crit tmm[9184]: 01010025:2: Device error: crypto codec cn-crypto-0 queue is stuck.
-- notice sod[8874]: 01140029:5: HA crypto_failsafe_t cn-crypto-0 fails action is failover.
Conditions:
This issue occurs when all of the following conditions are met:
-- Using BIG-IP 2000/2200, 4000/4200, or i2600/i2800 platforms.
-- The crypto-failsafe action is set to failover.
-- The failsafe condition is triggered.
-- The cryptographic hardware has recovered from its failure.
Impact:
The BIG-IP system stays down, even after the cryptographic hardware has recovered. When the system is in this condition, traffic is not being processed.
Workaround:
When your BIG-IP system is in this state, you can recover by restarting the Traffic Management Microkernel (TMM) process. To do so, perform the following procedure:
Impact of workaround: Because no traffic is being passed, there is no traffic impact to performing this procedure.
1. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh
2. Restart TMM by running the following command:
restart /sys service tmm
Note: There is no way to easily determine whether the cryptographic hardware has recovered from the failure. Unfortunately, therefore, performing this mitigation step might not return the BIG-IP system to an active state. There are other issues with similar symptoms. If your system is experiencing one of those issues instead, this mitigation step will not produce successful results.
Here are three other Known Issues that produce almost exactly the same error messages, but involve different configurations. You might find additional assistance here:
+ K53752362: The BIG-IP system may erroneously detect a stuck crypto queue in Cave Creek devices :: https://support.f5.com/csp/article/K53752362
+ K53220379: The BIG-IP system may erroneously detect a stuck crypto queue :: https://support.f5.com/csp/article/K53220379
+ K16632: A vCMP host may stop processing SSL and HTTP compressed traffic for a vCMP guest due to a worker-lite system timeout :: https://support.f5.com/csp/article/K16632
698594 : Cave Creek Crypto hardware reports a false positive of a stuck queue state
Solution Article: K53752362
Component: TMOS
Symptoms:
In some cases, a stuck crypto queue may be erroneously detected on Cave Creek-based systems. This includes BIG-IP 2x00, 4x00, i850, i2x00, i4x00, and HRC-i2800.
The system writes messages similar to the following example to the /var/log/ltm file:
crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
warning sod[4949]: 01140029:4: HA crypto_failsafe_t qa-crypto3-3 fails action is failover.
Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses the Cave Creek encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
To work around this issue, you can modify the crypto queue timeout value. To do so, perform the following procedure.
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the BIG-IP system as an administrative user.
2. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh
3. To change the crypto queue timeout value, run the following command:
modify /sys db crypto.queue.timeout value 300
4. Save the change by running the following command:
save sys config
Increasing the crypto queue timeout gives the hardware enough time to process all queued requests.
698429-3 : Misleading log error message: Store Read invalid store addr 0x3800, len 10
Component: TMOS
Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.
Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.
Impact:
None. These messages do not indicate an actual problem with the system.
698379-3 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR
Solution Article: K61238215
Component: Local Traffic Manager
Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.
Conditions:
HTTP2 virtual server configured.
Impact:
Uploads for the HTTP2 virtual server might fail intermittently.
Workaround:
None.
698338-2 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
Component: Service Provider
Symptoms:
The system may core.
Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.
Impact:
The system cores and will restart.
Workaround:
None.
698211-3 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
Solution Article: K35504512
Component: Local Traffic Manager
Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.
Conditions:
Delete a wildcard resource record from the related DNS express zone.
Impact:
DNS returns the incorrect response.
Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.
698038 : TACACS+ system auth file descriptor leaks when servers are unreachable
Solution Article: K05730807
Component: TMOS
Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.
This might eventually lead to lack of HTTP-based access to the BIG-IP system.
Conditions:
-- Remote system authentication configured to use TACACS+.
-- Connections to one or more of the configured TACACS+ servers fails.
-- Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.
Impact:
Depending on the number of connection failures, the open files limit of the web server process might be exceeded and new connections to the web server will fail.
Administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.
Workaround:
To prevent the issue, remove unreachable TACACS+ servers from the tacacs configuration, or restart the httpd process as necessary.
To recover if logins via remotely authenticated accounts are no longer possible, restart the httpd process.
698013-4 : TACACS+ system auth and file descriptors leak
Solution Article: K27216452
Component: TMOS
Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.
This might eventually lead to lack of HTTP-based access to the BIG-IP system.
Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.
Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.
Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.
697766-3 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
Solution Article: K12431303
Component: TMOS
Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen:
isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.
Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than version 11.6.1.
In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:
router isis isisrouter
is-type level-2-only
authentication mode md5
authentication key-chain keychain-isis
lsp-refresh-interval 5
max-lsp-lifetime 65535
net 49.8002.00c1.0000.0000.f523.00
Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.
Workaround:
None.
697718-3 : Increase PEM HSL reporting buffer size to 4K.
Component: Policy Enforcement Manager
Symptoms:
Before this fix, the PEM HSL reporting buffer size is limited to 512 bytes.
Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.
Impact:
Part of PEM HSL flow reporting information will be lost.
697626 : iRules LX: Cannot modify workspace imported by "Import From Workspace"
Component: Local Traffic Manager
Symptoms:
The permissions of an iRules LX workspace copy created using "Import..." "From Workspace" are set to 775 (drwxr-xr-x) for directories and 444 (-r--r--r--) for files, including the node and Tcl code files. This causes the "Could not save file: <file>" error upon modification of the code.
Conditions:
Attempting to modify imported workspace.
Impact:
Cannot save changes.
Workaround:
A. Create an "archive file" first and use it for importing.
B. After creating a copy using "From Workspace", run chmod command to add +w to the group and others: e.g., chmod -R g+w,o+w <Workspacename>.
697605 : tmrouted connection closed messages logged on shutdown
Component: TMOS
Symptoms:
/var/log/ltm contains tmrouted connection closed messages. These are a normal part of system shutdown.
Conditions:
System is shut down.
Impact:
None.
Workaround:
n/a
697424 : iControl-REST crashes on /example for firewall address-lists
Component: TMOS
Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.
Conditions:
Making a call to /example on firewall address-list.
Impact:
The icrd_child process crashes.
Workaround:
There is no workaround other than not calling /example on firewall address-lists.
697265 : MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.
Component: Advanced Firewall Manager
Symptoms:
MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.
/var/log/ltm contains messages similar to the following:
-- err clusterd[7274]: 013a0004:3: IO error on recv from mcpd - connection lost
-- info sod[7953]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- notice chmand[7594]: 012a0005:5: resetting chmand services
-- err snmpd[7952]: 010e0001:3: Cannot communicate with MCPD server.
-- err mysqlhad[7596]: 014e0006:3: MCP Failure: 1.
-- err zxfrd[7962]: 0153e0f7:3: Lost connection to mcpd.
-- err tmrouted[6299]: 01910013:3: FATAL error: 6 irrecoverable MCP I/O error (Unknown error 16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: MCP msg receive (16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: Socket read (16908291).
Conditions:
-- AFM configuration.
-- Devices in a device group trust configuration.
-- Device group configured with Autosync enabled.
-- Importing a configuration with a very large number of nested address lists (for example, 12000 nested address lists).
Impact:
mcpd cores.
Workaround:
Split the configuration into smaller chunks (e.g., 1000 address lists each) and load them one at a time.
697259-1 : Different versioned vCMP guests on the same chassis may crash.
Component: Local Traffic Manager
Symptoms:
The vCMP guest TMM crashes soon after startup.
Conditions:
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running newer software (for example, v12.1.2 HF1 or later) alongside an existing or new guest running older software (for example, v12.1.2 or earlier).
Impact:
vCMP guest running older version of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.
Workaround:
None.
696732 : tmm may crash in a compression provider
Solution Article: K54431534
Component: TMOS
Symptoms:
TMM may crash with the following panic message in the log files:
panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.
Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.
Impact:
TMM crashes, Traffic disrupted while tmm restarts.
Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:
tmsh modify sys db compression.strategy value softwareonly
696731-1 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
Solution Article: K94062594
Component: TMOS
Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.
Conditions:
Administrative disabling an interface on BIG-IP
Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.
Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.
696363 : Unable to create SNMP trap in the GUI
Component: TMOS
Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.
Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.
Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.
Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.
Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.
696294-3 : TMM core may be seen when using Application reporting with flow filter in PEM
Component: Policy Enforcement Manager
Symptoms:
TMM core with flow filter when the Application reporting action is enabled.
Conditions:
Application reporting is enabled along with flow filter.
Impact:
TMM restart causing service interruption.
696113-1 : Extra IPsec reference added per crypto operation overflows connflow refcount
Component: TMOS
Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.
Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.
Impact:
Unexpected tmm failover after refcount overflow.
Workaround:
There is no workaround at this time.
696049-3 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Solution Article: K55660303
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
695985-1 : Access HUD filter has URL length limit (4096 bytes)
Component: Access Policy Manager
Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.
Conditions:
Any URL with a request consisting of more than 4096 bytes.
Impact:
The URL cannot be processed, and client gets a RST.
Workaround:
None.
695925-3 : tmm crash when showing connections for a CMP disabled virtual server
Component: Local Traffic Manager
Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.
Conditions:
This occurs when all of the following conditions are met:
-- There is a CMP-disabled virtual server.
-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).
-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').
Impact:
tmm crashes and restarts impacting traffic.
Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.
Avoid using 'tmsh show sys connection'.
695707-3 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
Component: Local Traffic Manager
Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.
Conditions:
Close an MPTCP connection.
Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.
Workaround:
There is no workaround at this time.
695401 : QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile
Component: Fraud Protection Services
Symptoms:
When an FPS signature update defines a URL with a query string and defines a custom alert for that URL, the alert will not be sent if there is no URL with a query string configured on the FPS profile.
Conditions:
1. Custom alert for a URL with query string.
2. There are no URLs with a query string configured on the FPS profile.
Impact:
System does not send alert.
Workaround:
Define a URL (potentially a placeholder URL) with query string on FPS profile.
695109-3 : Changes to fallback persistence profiles attached to a Virtual server are not effective
Solution Article: K15047377
Component: Local Traffic Manager
Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.
Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.
Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.
Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.
695090 : In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled
Component: TMOS
Symptoms:
In rare situations, hardware syncookies may be sent for the traffic received on a L7 virtual server even though hardware syncookie protection is disabled on the virtual server.
Conditions:
It is unknown what triggers this error condition at this point.
Impact:
Some of the TCP options are not supported under hardware syncookie protection mode.
Workaround:
There is no workaround at this time.
694934-3 : bd crashes on a very specific and rare scenario
Component: Application Security Manager
Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.
Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.
Impact:
bd crashes.
Workaround:
None.
694897-4 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.
Component: TMOS
Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.
Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1G interfaces.
-- On i4x00 platforms.
Impact:
PFMAND cores.
Workaround:
Use only F5-branded Copper SFPs.
694740-1 : BIG-IP reboot during a TMM core results in an incomplete core dump
Component: TMOS
Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.
694697-3 : clusterd logs heartbeat check messages at log level info
Solution Article: K62065305
Component: Local Traffic Manager
Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.
-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)
Conditions:
log.clusterd.level set to info.
Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.
Workaround:
Set log.clusterd.level to notice.
694656-3 : Routing changes may cause TMM to restart
Component: Local Traffic Manager
Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).
Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.
-- Dynamic routing, due to its nature, is likely to increase the potential for the issue to occur.
-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).
Impact:
TMM restarts, resulting in a failover and/or traffic outage.
Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.
If dynamic routing is in use, there is no workaround.
693996-3 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
693910-2 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
Component: Local Traffic Manager
Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transitions to an STP blocked state. This is because the FDB entries are not flushed on these interfaces after they change to a blocked state. Traffic destined to these MAC addresses is dropped until their associated entries in the FDB age out.
Conditions:
MAC addresses are learned on an STP forwarding interface that transitions to a blocked interface following a topology change.
Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.
Workaround:
None.
693884-3 : ospfd core on secondary blade during network instability
Component: TMOS
Symptoms:
ospfd cores on a secondary blade while the network is unstable.
Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.
Impact:
The dynamic routing process ospfd cores on a secondary blade.
Workaround:
None.
693838 : Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors
Component: Local Traffic Manager
Symptoms:
A pool member is not marked down when its response time exceeds the hard limit.
Conditions:
Adaptive monitoring enabled for UDP monitor and server response time exceeds hard limit.
Impact:
The member remains in the pool despite exceeding the hard limit, which may result in degraded service.
Workaround:
None.
693582-3 : Monitor node log not rotated for icmp monitor types
Component: Local Traffic Manager
Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.
Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
Impact:
Depending on the affected BIG-IP version in use, effects may include:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.
Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).
If symptom #1 (from Impact section above) occurs, Monitor Logging can be re-enabled after log rotation has occurred.
To address symptom #2 or #3 (from Impact section above), Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors
693563-3 : No warning when LDAP is configured with SSL but with a client certificate with no matching key★
Solution Article: K22942093
Component: TMOS
Symptoms:
When LDAP auth is configured with SSL:
- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.
Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.
Impact:
LDAP auth fails. There is no warning that the auth failed.
Workaround:
Configure a key that matches the specified client certificate.
693515 : A '+' character in a log profile name causes import to fail
Component: Advanced Firewall Manager
Symptoms:
When there is a '+' character in a log profile name, importing the module into BIG-IQ fails because '+' is treated as a reserved character.
Impact:
Import fails due to the reserved character.
Workaround:
Do not use '+' in the name.
693007-3 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
Component: Global Traffic Manager (DNS)
Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.
Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.
Impact:
The impact is likely minimal: at most a single timeout for pending TLD queries when they happen to round-robin onto the old IP address, probably no more often than the hint's TTL (which is more than a month), and even this causes a timeout only once the old IP actually stops responding.
Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.
692753-3 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell
Component: TMOS
Symptoms:
The shutting-down trap is not sent when shutdown -r or shutdown -h is issued from the shell.
Conditions:
When a user accesses the Linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP system does not send the shutting-down trap.
Impact:
None.
Since this is a user-triggered command, the user is aware of the shutdown event, so the lack of a trap is not critical.
Workaround:
None.
692239-1 : AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
Solution Article: K31554905
Component: TMOS
Symptoms:
When using the AOM menu to power off then on the host CPU on i5600, i5800, i7600, i7800, i10600, i10800 platforms, the AOM creates a 'Host Power Cycle Event' SEL log entry every two seconds. The SEL log will continue to grow until external power to the appliance is fully power cycled.
Conditions:
-- Running on i5600, i5800, i7600, i7800, i10600, i10800 platforms.
-- With an older version of CPLD code installed (e.g., CPLD 0x45), bring up the AOM menu using ESC shift-9, then select 'p' and '0' from the menu to power off the host CPU complex.
-- Wait a few seconds, then select 'p' and '1' to power on the host CPU complex.
Impact:
This results in ongoing 'Host Power Cycle Event' messages being posted to the SEL log (tail /var/log/sel) every two seconds.
The SEL log will continue to grow and wrap as this message continues to post every two seconds.
This results in a very large number of SEL entry fetches by the host CPU from the AOM and can place a substantial load on the AOM interface.
Workaround:
The actual fix is to install a newer version of i5600, i5800, i7600, i7800, i10600, i10800 platform CPLD code (e.g., CPLD 0x54 or CPLD 0x55).
Another workaround is to fully power cycle the appliance.
However, every time the AOM menu is used to power off then on the host, this SEL log entry will re-appear.
692189-3 : errdefsd fails to generate a core file on request.
Component: TMOS
Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.
Conditions:
Forcing errdefsd to core for diagnostic purposes.
Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.
Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd
692179-3 : Potential high memory usage from errdefsd.
Component: TMOS
Symptoms:
errdefsd memory usage grows with each config-sync or config update.
Conditions:
Ever-increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.
Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.
Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.
692172-2 : rewrite profile causes "No available pool member" failures when connection limit reached
Component: TMOS
Symptoms:
An LTM rewrite profile (with mode uri-translation) can cause connections on an LTM forwarding virtual server to be terminated with reason "No available pool member".
Conditions:
A virtual server is configured with an LTM rewrite profile. Its default pool has request queuing enabled and connection limits configured for all its nodes.
Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.
Workaround:
An iRule that selects the default pool on HTTP_REQUEST:
when HTTP_REQUEST priority 1000 {
pool [LB::server pool]
}
692165-2 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
Component: TMOS
Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).
Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.
- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.
Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.
Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.
However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.
692158-2 : iCall and CLI script memory leak when saving configuration
Component: TMOS
Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device will leak memory.
Conditions:
Use of iCall or CLI scripts for saving config.
Impact:
Repeated invocation may cause the system to run out of memory, causing tmm to restart and disrupting traffic.
Workaround:
Do not save the configuration from iCall or CLI scripts.
691992 : MSTP: CIST bridge priority changes after adjusting the MSTI priority.
Component: Local Traffic Manager
Symptoms:
Changing the priority of a non-zero region MSTP instance results in BPDUs advertising a change to the CIST Bridge Priority, but not for the expected MSTID instance.
Conditions:
Issue an STP MSTID priority modify request.
Impact:
Changing the MSTID priority to force the BIG-IP system to become the root bridge does not work as expected.
Note: F5 Networks recommends against having the BIG-IP system become the root bridge.
Workaround:
After modifying the MSTID priority, also restart the STP daemon (stpd) so that the BPDUs advertise the expected CIST/MSTID priorities.
691806-3 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets the connection with an RST if it receives a FIN/ACK in the SYN-RECEIVED state.
Conditions:
The BIG-IP system receives a FIN/ACK while it is in the SYN-RECEIVED state.
Impact:
The BIG-IP system resets the connection with an RST.
Workaround:
None.
691785-3 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
Component: Local Traffic Manager
Symptoms:
The bcm570x driver will cause TMM to core with the log message:
panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.
Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.
Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
691749-3 : Delete sys connection operations cannot be part of TMSH transactions
Component: TMOS
Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.
Conditions:
Include delete sys connection operations in TMSH transactions.
Impact:
TMSH freezes up and transactions do not complete.
Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.
691589 : When using LDAP client auth, tamd may become stuck
Component: TMOS
Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.
Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.
Impact:
Authentication to the virtual server fails until tamd is restarted.
Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd
691491-3 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Solution Article: K13841403
Component: TMOS
Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces.
Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.
Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.
Workaround:
Use OID sysInterfaceMediaActiveSpeed.
691048-3 : Support DIAMETER Experimental-Result AVP response
Solution Article: K34553736
Component: Service Provider
Symptoms:
When the Diameter server returns an answer message that contains an Experimental-Result AVP but no Result-Code AVP, the server-side flow is aborted.
Conditions:
The Diameter answer message contains an Experimental-Result AVP but no Result-Code AVP.
Impact:
The server side flow is aborted.
Workaround:
Use an iRule to insert a Result-Code AVP in all Diameter answer messages.
690890-3 : Running sod manually can cause issues/failover
Component: TMOS
Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.
Conditions:
Accidentally or intentionally executing the command 'sod'.
Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.
Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly; it is managed by 'bigstart'.
690819-3 : Using an iRule module after a 'session lookup' may result in crash
Component: TMOS
Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.
Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.
Impact:
The system may core, or result in undefined and/or undesired behavior.
Workaround:
Check the return value of 'session lookup' before using another iRule module.
If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.
690793-2 : TMM may crash and dump core due to improper connflow tracking
Component: TMOS
Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.
Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.
While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.
Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.
Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.
However, this does not eliminate entirely the chances of running into this issue.
690781 : VIPRION systems with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests
Component: TMOS
Symptoms:
VIPRION systems equipped with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests.
The system will allow all four guests to be created, but the one deployed last will not work correctly.
Specifically, the guest deployed last will fail to access TMM networks.
Additionally, the hypervisor will log messages similar to the following example to the /var/log/ltm file:
info bcm56xxd[13741]: 012c0016:6: FP(unit 0) Error: Group (6) no room.
err bcm56xxd[13741]: 012c0011:3: entry create failed: SDK error No resources for operation bs_field.cpp(447)
err bcm56xxd[13741]: 012c0011:3: geteid_qualify_egress failed: SDK error No resources for operation bs_field.cpp(2009)
err bcm56xxd[13741]: 012c0011:3: program dest mod/port rule failed: SDK error No resources for operation bs_vtrunk.cpp(5353)
err bcm56xxd[13741]: 012c0011:3: vdag class L4 redirect failed: SDK error No resources for operation bs_vtrunk.cpp(3261)
Conditions:
This issue occurs when the following conditions are met:
- A C2400 VIPRION chassis is equipped with four B2100 or B2150 blades.
- A vCMP configuration consisting of four 1-slot 8-core guests was put in place (in other words, four full-blade guests).
Impact:
One guest does not function properly as it cannot access TMM networks. All traffic fails to pass.
Workaround:
This issue is caused by a hardware limitation on B2100 and B2150 blades preventing this specific vCMP configuration from instantiating correctly.
As a workaround, you must specify different vCMP guest sizes.
For instance, you could use one of the following configurations:
- Four 2-slot 4-core vCMP guests (although not the same, this yields the same total number of TMM instances as the affected vCMP configuration).
- Three 1-slot 8-core vCMP guests and two 1-slot 4-core vCMP guests (for example, you might use the smaller vCMP guests for development and staging purposes, leaving the full-blade guests for production).
690778-3 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
Solution Article: K53531153
Component: Local Traffic Manager
Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.
Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.
Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.
Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.
690316 : Software syncookies are sent for FastL4 virtual server with software syncookies disabled
Component: Local Traffic Manager
Symptoms:
If a virtual server using FastL4 is configured with software SYN cookies disabled and global hardware SYN cookies disabled using the pvasyncookies.enabled DB setting, then software SYN cookies may still be sent if a SYN flood occurs on the VIP.
This can be observed by seeing that the virtual server went into syncookie mode in the LTM logfile.
Conditions:
If the FastL4 profile has software-syn-cookie disabled, hardware-syn-cookie enabled, and the pvasyncookies.enabled db setting is set to false.
Impact:
The VIP enters SYN cookie mode.
Workaround:
Both hardware-syn-cookie and software-syn-cookie should be disabled in the FastL4 profile.
689982-1 : FTP Protocol Security breaks FTP connection
Component: Application Security Manager
Symptoms:
FTP Protocol Security breaks FTP connection.
Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.
Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.
Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.
1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.
689779 : VE HyperV packet drops under load due to interrupt distribution
Component: TMOS
Symptoms:
A small number of dropped inbound packets to the BIG-IP system while under load.
Network captures on a virtual port mirror show that the packets are making it to the BIG-IP VE, but the packets are not seen by tmm or Linux by tcpdumping on 0.0, 1.1, or eth1.
Conditions:
HyperV Virtual Edition (VE) v12.1.x or earlier.
Impact:
Performance and network degradation due to packet loss.
Workaround:
None.
689583-3 : Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.
Component: Global Traffic Manager (DNS)
Symptoms:
Running big3d from the command line with arguments other than '-v' or '-version' might cause a GTM disruption. When viewing /var/log/gtm, you might see messages similar to the following:
notice big3d[4131]: 012b0020:5: Executable /shared/bin/big3d timestamp is newer than (or the same as) /usr/sbin/big3d.
notice big3d[4137]: 012b0018:5: Respawning to run /shared/bin/big3d.
err big3d[4026]: 012b1015:3: Error 'Address already in use' attempting to bind to socket.
Conditions:
This occurs when attempting to get the big3d version and accidentally typing an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit. Here are some examples (note the double-dash in the first example):
big3d --version
big3d
big3d -xyz
big3d -d
Impact:
GTM server goes red momentarily.
Workaround:
There is no workaround other than not specifying an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit.
689567-3 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
Component: TMOS
Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.
Conditions:
You have an iSeries platform with no AAM license.
Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.
Workaround:
No workaround at this time.
689437-2 : icrd_child cores due to infinite recursion caused by incorrect group name handling
Component: TMOS
Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.
Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.
Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.
Workaround:
Clear the virtual server stats via reset-stats; icrd_child then no longer cores.
689361-3 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
Component: Local Traffic Manager
Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.
Conditions:
-- Two pool members are monitored, and one of them references a node that does not respond to ICMP requests.
-- A gateway_icmp monitor is on both nodes.
-- An overwrite-configsync is initiated from a paired device to which the node does respond to ICMP requests.
Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.
Workaround:
Ensure the network configuration is such that a monitored node responds to ICMP requests from both (or neither) device of each pair. Alternatively, initiate configuration changes only from the device to which the node does not respond to ICMP requests.
689343-3 : Diameter persistence entries with bi-directional flag created with 10 sec timeout
Component: Service Provider
Symptoms:
Diameter persistence entries have a timeout value of less than 10 seconds, although the configured persistence timeout is 120 seconds.
Conditions:
When a custom Diameter persistence iRule with the bi-directional flag ("DIAMETER::persist key 1") is used.
Impact:
The persist timeout is less than 10 seconds, so subsequent requests will be dispatched to another pool member.
Workaround:
Do not use a bi-directional persistence iRule. Use the AVP persistence type with session-id as the persist key.
689231 : MSSQL filter assumes 64-bit token done row count field
Component: Local Traffic Manager
Symptoms:
A virtual server with an MSSQL profile gets a 'tds internal error (Out of bounds)' error message. This occurs when the row count field of the token done is not 64-bit, in which case the connection is closed with a reset.
Conditions:
-- This occurs using the MSSQL profile for the virtual server.
-- The pool member is running Microsoft SQL Server 2016 with TDS version 7.1 or earlier.
Impact:
Get reset cause: Packet capture RST cause: [23db241:1807] tds internal error (Out of bounds).
Unable to use TDS 7.1 or earlier with MSSQL filter.
Workaround:
Use TDS 7.2 or later. TDS 7.2 and later use a 64-bit row count field for token done.
689211-2 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
Component: TMOS
Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.
Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.
Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.
Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.
Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
bigstart restart
689147-1 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
Component: TMOS
Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.
Errors similar to the following appear in /var/log/ltm:
-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition
Errors similar to the following appear in /var/log/secure:
tac_authen_pap_read: invalid reply content, incorrect key?
Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.
Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.
Workaround:
Check /var/log/ltm for more specific error messages.
689002-1 : Stackoverflow when JSON is deeply nested
Component: TMOS
Symptoms:
When the JSON payload returned from iControl REST is very large and deeply nested, destroying the JSON object can trigger a stack overflow due to deep recursion. This crashes icrd_child.
Conditions:
Deeply nested JSON returned from iControl-REST.
Impact:
icrd_child process coredumps.
Workaround:
None.
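The failure described above is the classic recursion hazard of tree-shaped input: a decoder (or destructor) that recurses once per nesting level needs stack proportional to the depth an untrusted payload chooses. The following is an added example, not icrd_child or any F5 code: it measures nesting depth with a single linear scan, without recursion, so a caller can refuse an over-deep document before a recursive decoder ever sees it. The depth limit of 64 and the sample payloads are constructed for the example.

```python
import json

# Added example, not BIG-IP or icrd_child code. It vets a JSON text's nesting
# depth with a linear scan (no recursion) so a caller can refuse pathological
# payloads before handing them to a recursive decoder. Inputs are constructed.

def json_nesting_depth(text: str) -> int:
    """Return the maximum [ / { nesting depth of a JSON document.

    Brackets inside string literals are ignored, and escaped quotes inside
    strings are handled, so a value such as "[[[" does not count.
    """
    depth = 0
    max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced JSON: closing bracket without opener")
    if depth != 0 or in_string:
        raise ValueError("unbalanced JSON: unterminated container or string")
    return max_depth


def is_within_depth(text: str, max_depth: int = 64) -> bool:
    """True if the document nests no deeper than max_depth (a constructed limit)."""
    return json_nesting_depth(text) <= max_depth


def load_json_bounded(text: str, max_depth: int = 64):
    """json.loads that refuses over-deep documents instead of recursing into them."""
    if not is_within_depth(text, max_depth):
        raise ValueError(f"JSON nesting exceeds {max_depth} levels; refusing to decode")
    return json.loads(text)


def build_nested_array(depth: int) -> str:
    """Constructed pathological payload: depth nested empty arrays."""
    return "[" * depth + "]" * depth


if __name__ == "__main__":
    print(json_nesting_depth('{"a": [1, {"b": "[[["}]}'))   # 3
    print(is_within_depth(build_nested_array(100000)))       # False
```

The scan runs in one pass over the text and holds only a counter and two booleans, so it is safe to apply to a payload of any size; the recursive decoder is then only ever invoked on input whose depth is already known to be bounded.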
688942-3 : ICAP: Chunk parser performs poorly with very large chunk
Solution Article: K82601533
Component: Service Provider
Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.
Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).
Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.
Workaround:
If possible, configure the ICAP server to chunk the response payload into multiple normal-sized chunks (up to a few tens of KB).
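The symptom above (the whole chunk is buffered and the amount received is re-evaluated on every packet) is the quadratic pattern a streaming parser is meant to avoid. The following is an added example and not BIG-IP or F5 code: a stateful chunked-transfer-encoding decoder that remembers how many bytes the current chunk still owes, so each arriving packet is consumed exactly once whatever the chunk size. The max_chunk_size guard and the sample bodies are constructed for the example; they are not BIG-IP settings.

```python
# Added example, not BIG-IP code: a stateful chunked-transfer-encoding decoder.
# Each call to feed() consumes the bytes it is given exactly once, so a single
# multi-megabyte chunk arriving in many packets costs O(total bytes), not
# O(bytes seen so far) per packet. max_chunk_size is a constructed guard, not a
# BIG-IP setting.

class ChunkedDecoder:
    def __init__(self, max_chunk_size=None):
        self._buf = bytearray()      # unparsed bytes; only ever a partial size line or CRLF
        self._remaining = 0          # payload bytes still owed by the chunk in progress
        self._expect_crlf = False    # a chunk body just ended; its trailing CRLF is next
        self.payload = bytearray()   # decoded body so far
        self.done = False            # True once the zero-length last-chunk is seen
        self.max_chunk_size = max_chunk_size

    def feed(self, data: bytes) -> None:
        """Consume one packet's worth of encoded bytes."""
        if self.done:
            return  # trailers after the last-chunk are ignored in this example
        self._buf += data
        while self._buf:
            if self._remaining:
                # Copy as much of the current chunk's body as has arrived; no re-scan.
                take = min(self._remaining, len(self._buf))
                self.payload += self._buf[:take]
                del self._buf[:take]
                self._remaining -= take
                if self._remaining == 0:
                    self._expect_crlf = True
                continue
            if self._expect_crlf:
                if len(self._buf) < 2:
                    return  # wait for the rest of the CRLF
                if self._buf[:2] != b"\r\n":
                    raise ValueError("missing CRLF after chunk data")
                del self._buf[:2]
                self._expect_crlf = False
                continue
            # Between chunks: need a complete size line "<hex>[;ext]\r\n".
            end = self._buf.find(b"\r\n")
            if end < 0:
                if len(self._buf) > 64:
                    raise ValueError("chunk size line too long")
                return
            size_field = bytes(self._buf[:end]).split(b";", 1)[0].strip()
            del self._buf[:end + 2]
            size = int(size_field, 16)
            if self.max_chunk_size is not None and size > self.max_chunk_size:
                raise ValueError(f"chunk of {size} bytes exceeds limit of {self.max_chunk_size}")
            if size == 0:
                self.done = True
                return
            self._remaining = size


def decode_in_packets(body: bytes, packet_size: int, max_chunk_size=None) -> bytes:
    """Feed an encoded body to the decoder in packet_size pieces and return the payload."""
    dec = ChunkedDecoder(max_chunk_size)
    for i in range(0, len(body), packet_size):
        dec.feed(body[i:i + packet_size])
    if not dec.done:
        raise ValueError("truncated chunked body")
    return bytes(dec.payload)


def exceeds_chunk_limit(body: bytes, packet_size: int, max_chunk_size: int) -> bool:
    """True if decoding stops because a single chunk is larger than max_chunk_size."""
    try:
        decode_in_packets(body, packet_size, max_chunk_size)
    except ValueError as err:
        return "exceeds limit" in str(err)
    return False


# Constructed sample bodies.
SMALL_BODY = b"5\r\nhello\r\n1\r\n \r\n6\r\nworld!\r\n0\r\n\r\n"
LARGE_PAYLOAD = b"A" * 200_000                       # one 200 KB chunk, the shape this entry describes
LARGE_BODY = b"%x\r\n" % len(LARGE_PAYLOAD) + LARGE_PAYLOAD + b"\r\n0\r\n\r\n"
```

Because the decoder reads the chunk size once and then only counts bytes down, a chunk of any size costs the same per packet as a small one; the optional limit turns an oversized chunk into an early, explicit rejection rather than unbounded buffering.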
688833-2 : Inconsistent XFF field in ASM log depending on violation category
Component: Application Security Manager
Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.
Conditions:
Viewing the XFF results in ASM log.
Impact:
This might cause problems with the syslog filters configured on the remote loggers.
Workaround:
Write the rules on the client (remote logger) to match both 'xff ip' and 'xff_ip'.
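One way to apply that workaround on the receiving side, as an added example that is not F5 code: parse the key="value" fields of an ASM log line accepting either spelling of the XFF field, normalise the key, and optionally rewrite the line so a single downstream filter rule suffices. The sample log lines and their field set are constructed for the example.

```python
import re

# Added example, not F5 code: parse ASM log lines whose XFF field may be spelled
# either 'xff_ip' or 'xff ip' (the inconsistency this entry describes) and
# normalise the key so remote-logger filters only need one spelling.
# The sample lines below are constructed; their field set is illustrative.

SAMPLE_ASM_LINES = [
    'ASM:unit_hostname="bigip1",violations="Illegal URL",xff_ip="203.0.113.7",ip_client="198.51.100.9"',
    'ASM:unit_hostname="bigip1",violations="Attack signature detected",xff ip="203.0.113.8",ip_client="198.51.100.9"',
    'ASM:unit_hostname="bigip1",violations="Illegal file type",ip_client="198.51.100.10"',
]

# key="value" pairs; the key class allows a space so 'xff ip' is captured as one key.
FIELD_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_ ]*)="([^"]*)"')
XFF_RE = re.compile(r'\bxff[ _]ip="([^"]*)"')


def parse_asm_fields(line: str) -> dict:
    """Return the line's fields with keys normalised (spaces become underscores)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key.strip().replace(" ", "_")] = value
    return fields


def extract_xff(line: str):
    """Return the XFF IP under either spelling of the field, or None if absent."""
    match = XFF_RE.search(line)
    return match.group(1) if match else None


def normalize_xff_field(line: str) -> str:
    """Rewrite 'xff ip=' to 'xff_ip=' so one filter rule matches every line."""
    return re.sub(r'\bxff ip="', 'xff_ip="', line)


def xff_by_line(lines) -> list:
    """XFF IP (or None) for each line, whichever spelling the line used."""
    return [parse_asm_fields(line).get("xff_ip") for line in lines]
```

Normalising at ingestion keeps the rest of the pipeline (correlation rules, dashboards) on one field name, which matters when the XFF value is what identifies the real client behind a proxy.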
688813-1 : Some ASM tables can massively grow in size.
Solution Article: K23345645
Component: Application Visibility and Reporting
Symptoms:
/var/lib/mysql mount point gets full.
Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).
Impact:
While other dimensions are collapsed correctly, the Device ID field is not, causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.
Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.
688629-3 : Deleting data-group in use by iRule does not trigger validation error
Component: Local Traffic Manager
Symptoms:
iRule aborts due to failed commands, causing connflow aborts.
Conditions:
-- Delete a data group.
-- An iRule uses that data-group on a virtual server.
Impact:
An in-use data-group can be deleted without error. The iRule aborts, leading to connflow aborts.
Workaround:
Don't delete data-groups in use by an iRule.
688570-3 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
Component: Local Traffic Manager
Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.
Conditions:
An MPTCP connection is closed.
Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.
Workaround:
There is no workaround at this time.
688557-3 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
Solution Article: K50462482
Component: Local Traffic Manager
Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.
Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.
Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.
Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
688553-1 : SASP GWM monitor may not mark member UP as expected
Component: Local Traffic Manager
Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.
Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).
This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).
This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).
Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.
Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.
688542-1 : SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request
Component: Local Traffic Manager
Symptoms:
The version of the SASP monitor included in affected versions of BIG-IP only requests updates from the SASP GWM (Global Workload Manager) for members whose state has changed from what the GWM last reported.
The previous version of the SASP monitor requested periodic updates for all members monitored by the GWM.
Conditions:
This behavior occurs with the current version of the SASP (Server/Application State Protocol) monitor, included in affected versions of BIG-IP.
This behavior does not occur with the previous version of the SASP monitor, included in earlier, unaffected versions of BIG-IP.
Impact:
This change in behavior from the previous SASP monitor implementation has not been confirmed to cause any observable symptoms.
Workaround:
If any symptoms are observed which are suspected to be the result of this change, a support request should be opened with F5 support for further investigation.
688406-3 : HA-Group Score showing 0
Solution Article: K14513346
Component: TMOS
Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.
Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.
Impact:
The total score is not calculated. An incorrect score value is displayed.
Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.
688335-3 : big3d may restart in a loop on secondary blades of a chassis system
Solution Article: K00502202
Component: Global Traffic Manager (DNS)
Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected; big3d continues to run stably there.
Conditions:
The following conditions are required to encounter this issue:
-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.
Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.
However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.
Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
bigstart restart big3d
To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
big3d_install -use_ssh <target IP>
688266-3 : big3d and big3d_install use different logic to determine which version of big3d is newer
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.
This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.
Conditions:
A user runs the big3d_install utility.
Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.
If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.
Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.
If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.
688177-2 : Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade
Component: Device Management
Symptoms:
Following a BIG-IP software upgrade (for example, from version 11.5.4 to version 11.6.1), local users with Administrator role may be changed to Guest role.
Conditions:
The BIG-IP configuration includes one or more local accounts with Administrator role (other than the 'admin' user).
Please note that this issue does not occur on every upgrade, but has roughly a 10% probability of occurring.
Impact:
Administrator users other than 'admin' have no access after the upgrade.
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.
Workaround:
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.
688148-1 : IKEv1 racoon daemon SEGV during phase-two SA list iteration
Component: TMOS
Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.
Conditions:
Deleting phase-two SAs, either manually or in response to notifications.
Impact:
IKEv1 tunnel outage until the racoon daemon restarts.
Workaround:
None.
687905 : OneConnect profile causes CMP redirected connections on the HA standby
Component: TMOS
Symptoms:
When a virtual server uses a OneConnect profile in an HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and a memory leak on high availability (HA) standby systems, including high memory usage on standby units.
Conditions:
-- Virtual server uses OneConnect profile in HA.
-- BIG-IP platform that supports CMP.
Impact:
Redirected connections and memory leak on a standby device.
Workaround:
Remove OneConnect profile from the virtual server.
687807-3 : The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/ causes a GUI exception
Component: Local Traffic Manager
Symptoms:
When there is a file named *.crt.csr in folder /config/ssl/ssl.csr/, the web GUI raises an exception on the page: System ›› Device Certificates : Device Certificate ›› Device Certificate
A message, "An error has occurred while trying to process your request." appears.
Conditions:
The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/
Impact:
The web GUI raises an exception on the page: System ›› Device Certificates : Device Certificate ›› Device Certificate
A message, "An error has occurred while trying to process your request." appears.
Workaround:
Rename the CSR file suffix from ".crt.csr" to ".csr".
687617-3 : DHCP request-options when set to "none" are reset to defaults when loading the config.
Component: TMOS
Symptoms:
Config load resets the request-option in "tmsh sys management-dhcp" to its default value when it is set to "none" in the configuration.
Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".
Impact:
User configuration is reverted as a side-effect of config load.
Workaround:
The request-option setting specifies the minimal set of configuration that the DHCP server must provide as part of the lease. Setting it to "none" defeats the purpose of DHCP. It is better to set it to a minimal value such as "routers, subnet-mask" in order to retain management connectivity.
687579 : TMSH incorrectly allows setting snat-translation ip-idle-timeout to zero.
Component: Local Traffic Manager
Symptoms:
The configuration setting 'ip-idle-timeout' on the snat-translation object allows zero as a possible value.
Conditions:
Entering the following tmsh command:
tmsh create ltm snat-translation <snat-address> ip-idle-timeout 0
Impact:
The configuration will be invalid. This may cause issues with upgrades and the BIG-IP may not pass traffic correctly or as expected.
Workaround:
Do not set the snat-translation ip-idle-timeout to 0 using tmsh.
687534-3 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
Component: TMOS
Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool
Conditions:
This issue occurs when a pool name contains .. in the name.
Impact:
Cannot add a Member to the pool using the GUI.
Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
tmsh modify ltm pool <pool name> members add { <member info> }
687343-3 : Running 'load sys config merge verify' will add new users to the PostGres database
Component: TMOS
Symptoms:
Running 'load sys config merge verify' will add new users to the PostGres database. The system posts an error similar to the following:
010719a2:3: PostgreSQL database error: ERROR: duplicate key value violates unique constraint "auth_user_pkey"
DETAIL: Key (name)=(admin1) already exists.
Conditions:
Issue occurs only under the following conditions:
-- 'load config merge verify' of configurations including user definition.
-- Attempt to create user with same name using 'load config merge', 'create user', or GUI options.
Impact:
It is not possible to use the verify argument when using 'load sys config merge' with configurations containing user definitions.
The 'verify' argument to 'load sys config' does not prevent or roll back side effects.
Workaround:
Manually remove the user data from the PostgreSQL database; from a bash prompt:
psql -U postgres
\c tmdb
DELETE FROM auth_user WHERE name='admin1';
DROP OWNED BY admin1;
DROP ROLE admin1;
DROP SCHEMA admin1 CASCADE;
\q
687213-1 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
Component: Access Policy Manager
Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry to establish VPN tunnel.
Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.
Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.
Workaround:
None.
687172 : Pools do not appear as expected after deploying iApp via iWorkflow
Component: TMOS
Symptoms:
Only two of three pools are visible in the iApp view on the BIG-IP system after deploying via iWorkflow 2.2, though the pool can be found as expected in the Pools view.
Conditions:
-- After deploying via iWorkflow 2.2.
-- Using iApp to view configured pools.
Impact:
Unreliable query response can result in unexpected behavior.
Workaround:
Do not rely on the iApps Component View, but inspect BIG-IP (management GUI) Local Traffic pages such as Local Traffic :: Pools : Pool List or examine the /config/bigip.conf file to ascertain whether a desired BIG-IP configuration has been created.
687044-2 : tcp-half-open monitors might mark a node up in error
Component: Local Traffic Manager
Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.
Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.
Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.
Workaround:
You can use any of the following workarounds:
-- Configure bigd to run in single process mode by running the following command:
tmsh modify sys db bigd.numprocs value 1
-- Use a tcp monitor in place of the tcp-half-open monitor.
-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.
686926-3 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly
Component: TMOS
Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.
Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.
Impact:
The SA negotiation fails when a responder includes N(cookie) in a SA_INIT response, because the second response appears to have an out-of-order message ID: the BIG-IP system believes the first message_id of zero was already handled earlier.
Workaround:
None.
686816-3 : Link from iApps Components page to Policy Rules invalid
Component: TMOS
Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.
Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.
Impact:
Cannot navigate to the policy rule directly from the Components page.
Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.
686765-1 : Database cleaning failure may allow MySQL space to fill the disk entirely
Component: Application Security Manager
Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.
In /var/log/ts/asm_config_server.log you might see these errors repeatedly:
Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full
Conditions:
This occurs if database cleaning failures occur.
Impact:
Disk will fill up, and you will be unable to modify ASM policies.
686718 : VPN tunnel adapter stays up in some cases
Component: Access Policy Manager
Symptoms:
In some cases, the VPN tunnel adapter created by the VPN client stays up even when the tunnel is disconnected.
Conditions:
Application launch on VPN establishment is configured on APM, and the launched application is not closed.
Impact:
Cosmetic. No functional impact. A subsequent launch of the VPN creates a new tunnel adapter.
Workaround:
Close the launched application.
686685-1 : LTM Policy internal compilation error
Component: Local Traffic Manager
Symptoms:
To enable maximum performance, LTM Policies undergo a compilation process, where they are transformed to a compact binary representation. An issue was discovered where the transformation is being done incorrectly under certain circumstances.
Conditions:
While not common, certain LTM Policy combinations will be transformed to binary representation where certain internal parameters are incorrect.
Impact:
The tmm process may experience an unexpected restart, or a policy action may not run as expected.
Workaround:
None.
686626-2 : The BIG-IP system may connect to an OCSP server using an unexpected source IP address
Component: TMOS
Symptoms:
BIG-IP systems configured to perform OCSP Stapling may connect to an OCSP server using an unexpected source IP address.
The source IP address picked by the BIG-IP system may be something that doesn't exist at all in its configuration.
Additionally, the source IP address picked by the BIG-IP system may appear corrupted or invalid to an Administrator (for example: 0.0.0.112).
Conditions:
Required configuration:
1) The BIG-IP system is running a version prior to 13.0.0.
2) The BIG-IP system is deployed as an IPv4/IPv6 multihoming device.
3) The DNS Resolver used by the OCSP Stapling configuration belongs to a non-0 route domain.
4) The virtual servers performing OCSP Stapling belong to a non-0 route domain different than the one used by the DNS Resolver.
5) Virtual servers using OCSP Stapling include both IPv4 and IPv6 destinations.
6) The OCSP server FQDN resolves to an A record.
With these conditions in place, the issue occurs when a client attempts a connection to one of the OCSP Stapling-enabled IPv6 virtual servers, and this needs to connect to an IPv4 OCSP server.
The source IP address used by the BIG-IP system will be an IPv4 address containing the last 4 bytes of an IPv6 Self-IP address configured on the BIG-IP system.
Impact:
The BIG-IP system fails to perform OCSP Stapling, and the unusual traffic may trigger alarms on your network.
The actual impact is limited, as clients who request validation of the certificate status and do not get it should be able to perform it on their own.
Workaround:
Where possible, you can work around this issue by re-configuring the BIG-IP system so that some of the conditions required for this issue to occur no longer apply.
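To make the spurious source address easier to recognise, here is an added Python helper (not part of this release note or of F5 software) that derives the IPv4 address formed from the last 4 bytes of an IPv6 self IP and maps an address observed in a capture or firewall log back to the self IP that would have produced it. The self IP values are constructed sample data.

```python
"""Added example: reproduce the spurious OCSP source address described in 686626-2.

The release note states that the BIG-IP system uses an IPv4 source address made
from the last 4 bytes of one of its IPv6 self IPs. This helper lets an
administrator recognise such addresses in captures or firewall logs and map them
back to the self IP that produced them. It is not F5 code; the self IPs below are
constructed sample values.
"""
import ipaddress
from typing import Dict, Iterable, Optional


def parse_self_ip(self_ip: str) -> ipaddress.IPv6Address:
    """Parse a self IP as written in a BIG-IP config, e.g. '2001:db8::70%2/64'.

    The optional route-domain suffix ('%2') and prefix length ('/64') are dropped.
    """
    addr = self_ip.split("/", 1)[0]   # drop the prefix length
    addr = addr.split("%", 1)[0]      # drop the route-domain id
    return ipaddress.IPv6Address(addr)


def spurious_ipv4_from_self_ip(self_ip: str) -> ipaddress.IPv4Address:
    """Return the IPv4 address formed from the last 4 bytes of the IPv6 self IP."""
    v6 = parse_self_ip(self_ip)
    return ipaddress.IPv4Address(v6.packed[-4:])


def expected_spurious_sources(self_ips: Iterable[str]) -> Dict[str, str]:
    """Map each IPv6 self IP to the IPv4 source address the issue would produce."""
    return {ip: str(spurious_ipv4_from_self_ip(ip)) for ip in self_ips}


def find_originating_self_ip(observed_src: str,
                             self_ips: Iterable[str]) -> Optional[str]:
    """Given an IPv4 source seen on OCSP traffic, return the self IP that explains it.

    Returns None when the address matches no IPv6 self IP, in which case the
    traffic is not an instance of this issue.
    """
    observed = ipaddress.IPv4Address(observed_src)
    for ip in self_ips:
        if spurious_ipv4_from_self_ip(ip) == observed:
            return ip
    return None


if __name__ == "__main__":
    # Constructed sample self IPs. The second one yields an address that looks
    # perfectly legitimate (192.168.1.1), so the symptom is not always obvious.
    SELF_IPS = ["2001:db8::70%2/64", "2001:db8:0:1::c0a8:101%3/64"]
    for ip, src in expected_spurious_sources(SELF_IPS).items():
        print(f"{ip:32} -> OCSP requests would appear to come from {src}")
    print(find_originating_self_ip("0.0.0.112", SELF_IPS))
```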
686563-3 : WMI monitor on invalid node never transitions to DOWN
Component: Local Traffic Manager
Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes time out or monitor responses indicate an error. However, a WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).
Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.
Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.
Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.
686547-3 : WMI monitor sends logging data for credentials when no credentials specified
Component: Local Traffic Manager
Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.
Conditions:
A WMI monitor is configured without including the required username/password credentials.
Impact:
The monitored object will be marked 'down'.
Workaround:
Configure the WMI monitor to include the username/password credentials.
686318 : Inter TMM Caching Delay
Component: WebAccelerator
Symptoms:
In some rare circumstances on VE instances, the transmission of updated cache information from TMM to TMM can be delayed.
Conditions:
VE instances.
Impact:
Different TMM hot content caches may serve different versions of the same document from cache.
Workaround:
None
686206-1 : Machine Info agent does not collect complete information on disconnected network adapters
Component: Access Policy Manager
Symptoms:
On Mac OS X, the BIG-IP APM Machine Info agent does not collect information for disconnected network adapters.
On Microsoft Windows, the BIG-IP APM Machine Info agent does not collect the MAC address of disconnected network adapters.
Conditions:
Machine info agent is configured in the access policy.
Impact:
Access policy evaluation may yield incorrect results if an access policy node depends on this information.
Workaround:
There is no workaround at this time.
686124-3 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
Component: TMOS
Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.
Conditions:
Events causing deletion of phase one IKE SAs.
Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.
Workaround:
None.
686101-3 : Creating a pool with a new node always assigns the partition of the pool to that node.
Solution Article: K73346501
Component: Local Traffic Manager
Symptoms:
When creating a node while creating a pool, the partition of the node is set to that of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }
Conditions:
Creating a node while creating a pool in a partition different from the node.
Impact:
The node is displayed in the wrong partition.
Workaround:
Create a node separately and then add it to the pool.
685915-1 : Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured
Component: Global Traffic Manager (DNS)
Symptoms:
If a DNS Express zone that has Verify Notify TSIG checked gets a notify with no TSIG at all, unsigned notifies are not processed.
Conditions:
An unsigned notify is received while Verify Notify TSIG is checked.
Impact:
Unsigned notifies are not processed.
Workaround:
There is no workaround at this time.
685820-1 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
Component: Advanced Firewall Manager
Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.
In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections were always silently dropped after HA-failover.
Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.
Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.
Workaround:
None.
685741 : DoS Overview is very slow to load data, to the point of timeout
Component: Application Visibility and Reporting
Symptoms:
When the logs contain more than 1 million records, loading of attack data is extremely slow and requires many SQL queries.
Conditions:
N/A
Impact:
The DoS Overview page is unusable.
Workaround:
N/A
685708-3 : Routing via iRule to a host without providing a transport from a transport-config created connection cores
Component: Service Provider
Symptoms:
Using the MR::message route command without specifying a transport to use (virtual or config) causes tmm to core if the connection that received the request was created using a transport-config.
Conditions:
-- An iRule issues MR::message route without specifying a transport (virtual or config).
-- The connection receiving the request was created using a transport-config.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.
685615-5 : Incorrect source mac for TCP Reset with vlangroup for host traffic
Solution Article: K24447043
Component: Local Traffic Manager
Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.
Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.
Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.
Workaround:
Use transparent mode on the VLAN group.
685582-5 : Incorrect output of b64 unit key hash by command f5mku -f
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
685519-3 : Mirrored connections ignore the handshake timeout
Component: Local Traffic Manager
Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.
Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.
Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.
Workaround:
None.
685475-3 : Unexpected error when applying hotfix
Solution Article: K93145012
Component: TMOS
Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIGIP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.
Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.
For example, to apply 'Hotfix-BIGIP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIGIP-11.6.1.0.0.317.iso'.
Impact:
Cannot apply hotfix until the full base image is present.
Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation process again.
685467-2 : Certain header manipulations in HTTP profile may result in losing connection.
Solution Article: K12933087
Component: Local Traffic Manager
Symptoms:
The HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarded to a pool member. When a virtual server has an iRule with a collect command such as SSL::collect, it is affected by the HTTP profile processing. The same issue occurs with the 'Request Header Erase' option available in the HTTP profile.
Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).
Impact:
TCP connection is reset, and no response is provided to a client.
Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.
685458-5 : merged fails merging a table when a table row has incomplete keys defined.
Component: TMOS
Symptoms:
There is a timing issue in merged where it fails to process a table row with incomplete keys defined.
Conditions:
There are no specific conditions required beyond merged running (which is true on every BIG-IP system) and the BIG-IP system processing a table row with incomplete keys defined.
Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.
Impact:
There will be a gap of a few seconds in available statistics while a core is being created and merged restarts.
Workaround:
None.
685233-2 : tmctl -d blade command does not work in an SNMP custom MIB
Solution Article: K13125441
Component: TMOS
Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.
Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.
Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.
Workaround:
Instead of tmctl -d blade, use the following command:
tmctl -d /var/tmstat/blade
685164-3 : In partitions with default route domain != 0 request log is not showing requests
Solution Article: K34646484
Component: Application Security Manager
Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.
Conditions:
Select a partition whose default route domain is not 0 (zero).
Impact:
No requests in request log.
Workaround:
As a partial workaround, you can use [All], but it's read only.
684484 : Dereferenced NULL object causes core
Component: Access Policy Manager
Symptoms:
TMM generates a core when an object inside of Category Lookup agent fails to be initialized correctly when the system is low on memory.
Conditions:
-- TMM low on memory.
-- Category Lookup agent in Access Per-Request Policy.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
684391-1 : Existing IPsec tunnels reload. tmipsecd creates a core file.
Component: TMOS
Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.
Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.
Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.
Workaround:
None.
684319-2 : iRule execution logging
Component: Local Traffic Manager
Symptoms:
iRule execution can block tmm from getting CPU cycles.
Conditions:
When executing iRule Tcl with, for example, a tight while loop, tmm fails to send its heartbeat. This change adds additional logging around this condition.
Impact:
Logging now identifies the offending iRule.
Workaround:
No workaround.
684218-3 : vADC 'live-install' Downgrade from v13.1.0 is not possible
Component: TMOS
Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.
Conditions:
Running v13.1.0, attempt software downgrade to 11.5.4, for example:
image2disk --format=volumes --nosaveconfig 11.5.4
Impact:
The request is not allowed. No changes are made.
Workaround:
Deploy a new 11.5.4 software image via the hypervisor environment.
684096-1 : stats self-link might include the oid twice
Component: TMOS
Symptoms:
The object ID might be erroneously embedded in the self-link twice.
Conditions:
Query for stats, for example: https://<host>/mgmt/tm/ltm/pool/p1/stats
Impact:
An incorrect selfLink is returned.
Workaround:
Parse the selfLink defensively; do not assume the object ID appears in it only once.
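An added example of the defensive parsing the workaround asks for (this is not code from the release note or from F5): a client-side normalizer that collapses an object-ID segment that appears twice in a row in a stats selfLink, then extracts the tmsh-style object name. The duplicated link below is constructed to show the shape described above; the exact form an affected system returns is assumed. Only partition-qualified segments (those starting with '~') are collapsed, so a pool that happens to be named 'pool' is never mangled.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_self_link(self_link: str) -> str:
    """Return the selfLink with an immediately repeated object-ID segment removed.

    Only partition-qualified segments (those starting with '~', e.g. ~Common~p1)
    are considered, so collection names such as 'pool' are never collapsed.
    Links without a duplicate are returned unchanged; the query string survives.
    """
    parts = urlsplit(self_link)
    cleaned = []
    for segment in parts.path.split("/"):
        if segment.startswith("~") and cleaned and segment == cleaned[-1]:
            continue  # the object ID was embedded twice; keep the first copy
        cleaned.append(segment)
    return urlunsplit(parts._replace(path="/".join(cleaned)))


def object_full_path(self_link: str) -> str:
    """Extract the tmsh-style object name (/Common/p1) from a stats selfLink."""
    segments = [s for s in urlsplit(normalize_self_link(self_link)).path.split("/") if s]
    if segments and segments[-1] == "stats":
        segments.pop()  # drop the 'stats' collection name, keep the object ID
    return segments[-1].replace("~", "/")


# Constructed sample (assumed shape): what an affected 12.1.x system might return.
DUPLICATED = "https://localhost/mgmt/tm/ltm/pool/~Common~p1/~Common~p1/stats?ver=12.1.3"
EXPECTED = "https://localhost/mgmt/tm/ltm/pool/~Common~p1/stats?ver=12.1.3"

if __name__ == "__main__":
    print(normalize_self_link(DUPLICATED))
    print(object_full_path(DUPLICATED))
```

Run normalize_self_link() over every selfLink before using it as a key or as a URL for a follow-up request; the function is a no-op on links that are already correct, so it is safe to keep in place after upgrading to a fixed release.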
683706-1 : Pool member status remains 'checking' when manually forced down at creation
Component: Local Traffic Manager
Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.
Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.
Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http
Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.
Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.
683631-1 : TMM crashes during stress test
Component: Local Traffic Manager
Symptoms:
During stress/load testing, with a large number of connections which triggers flow sweeping, TMM restarts.
Conditions:
A large number of connections are seen, which triggers an expansion of the connflow hash table at the same time the connflow sweeper is active.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
683454 : HTTP::header command may crash TMM on an erroneous argument
Solution Article: K99294671
Component: Local Traffic Manager
Symptoms:
An iRule command 'HTTP::header insert' or 'HTTP::header remove' allows manipulation of HTTP headers. The iRule accepts arguments that might result in an error if they have an invalid format. TMM generates an internal Tcl error for the argument but continues to process the command. This might cause TMM to crash.
Conditions:
-- iRule is associated with a virtual server.
-- The iRule contains either or both of the 'HTTP::header insert' and 'HTTP::header remove' commands.
-- An argument in the command generates a Tcl error.
Impact:
TMM crashes causing failover and possible disruption in processing traffic.
Workaround:
Validate the arguments in the iRule before calling the command so that no Tcl error is raised.
683241-3 : Improve CSRF token handling
Solution Article: K70517410
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
Workaround:
None.
683177-2 : Can't drilldown or filter by 'Client Countries'
Component: Application Visibility and Reporting
Symptoms:
When drilling down or filtering by 'Client Countries' (Security :: Reporting : Application : Charts) there is an error in the GUI.
Conditions:
-- ASM is provisioned.
-- Attempt to drill down or filter by 'Client Countries'.
Impact:
Internal Error is displayed in the GUI.
Workaround:
1. Edit file: /etc/avr/monpd/monp_asm_entities.cfg.
2. Delete line 171: (dim_authz_filter=vip_crc).
3. Issue the command: bigstart restart monpd.
683061-2 : Rapid creation/update/deletion of the same external datagroup may cause core
Component: Local Traffic Manager
Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.
Conditions:
Rapidly creating, updating, and then deleting the same external datagroup.
Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.
683029-2 : Sync of virtual address and self IP traffic groups only happens in one direction
Component: TMOS
Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.
Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)
Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.
Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.
682751-5 : Kerberos keytab file content may be visible.
Component: Access Policy Manager
Symptoms:
Kerberos keytab file content may be visible.
Conditions:
Import a Kerberos keytab file, then check its permissions from the command line: the file is world-readable.
Impact:
A keytab contains long-term Kerberos keys and, like a private key file, must not be readable by other users.
Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.
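An added audit script for the manual chmod workaround (not part of the release note or of F5's code): it walks a directory tree for *.keytab files whose mode grants anything to group or other, reports them, and optionally clears those bits the way 'chmod go-rwx' would, leaving the owner bits alone. The root directory, the .keytab suffix and the sample files are assumptions; the page does not say where an imported keytab is stored on the BIG-IP system, so pass the real location as the root.

```python
import os
import stat
import tempfile
from typing import List, Tuple

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def exposed_to_others(path: str) -> bool:
    """True when any group or other permission bit is set on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & GROUP_OR_OTHER)


def audit_keytabs(root: str, fix: bool = False) -> List[Tuple[str, int, int]]:
    """Find *.keytab files under 'root' that group/other can access.

    Returns (path, mode_before, mode_after) for each finding. With fix=True the
    group/other bits are cleared (equivalent of chmod go-rwx); owner bits and
    ownership are left untouched. The .keytab suffix is an assumption.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".keytab"):
                continue
            path = os.path.join(dirpath, name)
            before = stat.S_IMODE(os.stat(path).st_mode)
            if not before & GROUP_OR_OTHER:
                continue
            after = before
            if fix:
                after = before & ~GROUP_OR_OTHER
                os.chmod(path, after)
            findings.append((path, before, after))
    return findings


def demo() -> List[Tuple[str, int, int]]:
    """Constructed scenario: one keytab left at 0644 by an import, one already 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        exposed = os.path.join(tmp, "apm_krb.keytab")
        safe = os.path.join(tmp, "other.keytab")
        for path, mode in ((exposed, 0o644), (safe, 0o600)):
            with open(path, "wb") as fh:
                fh.write(b"\x05\x02")  # keytab format-version bytes only; no real keys
            os.chmod(path, mode)
        return audit_keytabs(tmp, fix=True)


if __name__ == "__main__":
    for path, before, after in demo():
        print(f"{path}: {oct(before)} -> {oct(after)}")
```

Run the audit again after every keytab import until the system is on a release with the fix; the permission change does not survive a re-import of the same file.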
681782-4 : Unicast IP address can be configured in a failover multicast configuration
Solution Article: K30665653
Component: TMOS
Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.
Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.
Impact:
Failover multicast configuration does not work.
Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.
681757-1 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
Solution Article: K32521651
Component: Local Traffic Manager
Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.
The system records an error message similar to the following in the ltm log file:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.
Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.
Impact:
Configuration fails to load on upgrade.
Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.
681673-2 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
Component: Local Traffic Manager
Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC addresses.
Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.
Impact:
There is not enough information to map the outgoing MAC address to a multicast group, so a default entry with no ports mapped is added. As a result, the frame does not go out the interface indicated in the tmsh command, and no warning is provided.
Workaround:
None.
681081-3 : Running tmsh show commands may cause mcpd memory leak
Solution Article: K48366429
Component: TMOS
Symptoms:
mcpd memory utilization increases.
Conditions:
Periodically running tmsh show commands.
Impact:
mcpd memory grows over time, which can ultimately cause mcpd to restart.
Workaround:
None.
680856-3 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
Component: TMOS
Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):
info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy
Conditions:
A new IPsec tunnel is configured over REST.
Impact:
The newly configured IPsec tunnel does not start.
Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.
680838-3 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
Component: TMOS
Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.
A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.
Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
680680-2 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
Component: Local Traffic Manager
Symptoms:
In BIG-IP version 10.x, the POP3 monitor sent the STAT command (which returns only a count of the messages in the mailbox). The monitor now sends the LIST command (which returns every message and its size).
Conditions:
POP3 monitor set up on a mailbox.
Impact:
If the polled mailbox contains a very large number of messages, the LIST response might not complete before the monitor times out.
Workaround:
1. Create a dedicated mail account for monitoring that does not receive many emails.
2. Keep that mailbox nearly empty at all times (for example, periodically truncate the mailbox file by copying /dev/null over it).
680298 : FPS may introduce latency even for unprotected pages
Component: Fraud Protection Services
Symptoms:
Depending on TCP profile parameters, FPS may introduce latency even for unprotected pages because it re-chunks the response.
The latency arises when re-chunking produces a small TCP segment that the BIG-IP system's TCP stack or an upstream device chooses to buffer (for example, due to Nagle's algorithm).
Conditions:
1. FPS attached to virtual server.
2. TCP profile parameters (Nagle's Algorithm, MSS, etc.).
3. Chunked response from server.
Impact:
Pages not protected by FPS may suffer tens to hundreds of milliseconds of added latency.
Workaround:
Experience shows that disabling Nagle's Algorithm (for example) might overcome FPS latency, but it should be noted that this sort of mitigation should be carefully examined as it is influenced by many parameters (traffic patterns, other TCP profile parameters, SSL profile, etc.).
680264 : HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
Solution Article: K18653445
Component: Local Traffic Manager
Symptoms:
Intermittently, HTTP/2 streams are reset with a protocol error.
Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.
For example, the following returns the incorrect header length:
(0xFF BYTE1) next byte, http2_arbint_read.
Impact:
Unexpected loss of HTTP2 frames due to protocol resets.
Workaround:
No effective workaround.
680069-3 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd cores and restarts.
Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.
Impact:
zxfrd cores.
Workaround:
None.
679735-1 : Multidomain SSO infinite redirects from session ID parameters
Component: Access Policy Manager
Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.
In a packet capture, the policy will complete on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server will not be able to find the session, and will redirect back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.
Conditions:
Application with a URL parameter named 'sid', 'sess', or 'S' while using multidomain SSO.
Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.
Workaround:
None.
679613-2 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
Solution Article: K23531420
Component: Local Traffic Manager
Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.
Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.
Impact:
Incorrect routing/switching of traffic.
Workaround:
Use VLANs with a tag value different from '1'.
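Three of the entries above (681782-4, 681673-2, 679613-2) describe settings the system accepts without complaint even though they cannot work: a unicast address in the failover multicast configuration, a multicast MAC in a static FDB record, and VLAN tag 1 on the i2000/i4000 platforms. As an added example (not from the release note or from F5), the pre-change lint below checks an intended configuration for all three before it is applied. The dictionary layout, the platform name strings, the default multicast address in the corrected sample and the sample values are assumptions, constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Platform names as given in ID 679613-2; the exact strings are an assumption.
TAG1_AFFECTED_PLATFORMS = {"i2000", "i4000"}


def is_multicast_mac(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks a group address."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x01)


def lint_config(cfg: Dict) -> List[str]:
    """Return one finding per setting that BIG-IP 12.1.x accepts but cannot honor."""
    findings: List[str] = []

    failover = cfg.get("failover_multicast")
    if failover is not None:
        addr = ipaddress.ip_address(failover["address"])
        if not addr.is_multicast:
            findings.append(
                f"failover multicast: {addr} is a unicast address; "
                "multicast failover will silently not work (681782-4)")

    if cfg.get("platform") in TAG1_AFFECTED_PLATFORMS:
        for vlan in cfg.get("vlans", []):
            if vlan["tag"] == 1:
                findings.append(
                    f"vlan {vlan['name']}: tag 1 is sent untagged on "
                    f"{cfg['platform']} interfaces (679613-2)")

    for rec in cfg.get("fdb_records", []):
        if is_multicast_mac(rec["mac"]):
            findings.append(
                f"fdb vlan {rec['vlan']}: {rec['mac']} is a multicast MAC; "
                "the static entry gets no ports mapped (681673-2)")
    return findings


# Constructed sample: every check fires once.
BAD_CONFIG = {
    "platform": "i4000",
    "failover_multicast": {"address": "10.0.0.5", "port": 62960, "interface": "eth0"},
    "vlans": [{"name": "external", "tag": 1}, {"name": "internal", "tag": 4093}],
    "fdb_records": [
        {"vlan": "external", "mac": "01:00:5e:00:00:fb", "interface": "1.1"},
        {"vlan": "internal", "mac": "00:50:56:aa:bb:cc", "interface": "1.2"},
    ],
}

# Constructed corrected sample; 224.0.0.245 is assumed to be a valid choice.
GOOD_CONFIG = {
    "platform": "i4000",
    "failover_multicast": {"address": "224.0.0.245", "port": 62960, "interface": "eth0"},
    "vlans": [{"name": "external", "tag": 2}, {"name": "internal", "tag": 4093}],
    "fdb_records": [{"vlan": "internal", "mac": "00:50:56:aa:bb:cc", "interface": "1.2"}],
}

if __name__ == "__main__":
    for finding in lint_config(BAD_CONFIG):
        print(finding)
```

The value of a check like this is that none of the three conditions produces a log message on the BIG-IP system itself; the failure surfaces only as traffic that never arrives, so catching the misconfiguration before it is committed is the cheaper path.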
679431-3 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header
Component: TMOS
Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show the header.
Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.
Impact:
The header is not shown.
Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief
679347-3 : ECP does not work for PFS in IKEv2 child SAs
Component: TMOS
Symptoms:
The original racoon2 code has no support for Diffie-Hellman generate or compute operations using elliptic curve groups for perfect forward secrecy.
Additionally, the original interfaces are synchronous, but the only ECP support present uses an asynchronous, callback-based API, so adding ECP does not work.
Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to an ECP group: ecp256, ecp384, or ecp521.
Note: The first child SA is negotiated successfully.
Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.
Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.
679316-1 : iQuery connections reset during SSL key renegotiation
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
When iQuery data is sent during SSL key renegotiation.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Workaround:
None.
679114-2 : Persistence record expires early if an error is returned for a BYE command
Solution Article: K92585400
Component: Service Provider
Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.
Conditions:
An error is returned for any SIP command.
Impact:
The persistence record will expire early when the call has not been ended.
Workaround:
None.
679027 : Rare memory corruption in tmrouted while license is being reset
Component: TMOS
Symptoms:
tmrouted core due to memory corruption while license is being reset.
Conditions:
Rarely, when license file is being reset, tmrouted could core.
Impact:
The tmrouted daemon restarts.
678925-4 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
Component: TMOS
Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.
Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.
Then, a connection using the tunnel may cause a TMM crash.
Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.
Impact:
The TMM crashes and traffic is disrupted.
Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.
678872-2 : Inconsistent behavior for virtual-address and selfip on the same ip-address
Component: Local Traffic Manager
Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.
Conditions:
-- Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.
Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.
Workaround:
No workaround.
678450-3 : No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.
Component: Local Traffic Manager
Symptoms:
When 'Source Port: Preserve Strict' option is configured in performance L4 virtual servers, the 'F5RST port in use' packet is not sent, and connection hangs until timeout.
Conditions:
-- Connect to client and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Connect to client2 and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Modify virtual server vs_web type on LTM and repeat.
When the virtual server type is Standard, 'F5RST port in use' is sent. When the type is Performance (Layer 4), it is not.
Impact:
The connection hangs, and the port-in-use counter does not increase in the output of the following command:
tmsh show /net rst-cause
Workaround:
None.
678388-3 : IKEv1 racoon daemon is not restarted when killed multiple times
Solution Article: K00050055
Component: TMOS
Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.
Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.
Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.
Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd
678380-3 : Deleting an IKEv1 peer in current use could SEGV on race conditions.
Component: TMOS
Symptoms:
Deleting or updating an IKEv1 peer can intermittently cause the IKEv1 racoon daemon to crash with SIGSEGV because of a race condition.
Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.
Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.
Workaround:
None.
678322 : Missing Response Page for 'Login' is not populated upon upgrade
Component: Application Security Manager
Symptoms:
In a rare case, an error appears due to missing 'Login' Response Page when viewing Response Pages in ASM policy.
Conditions:
An ASM policy is missing a record for 'Login' Response Page. It's not clear how this condition was caused.
Impact:
An error appears:
Could not retrieve Login Page Response; Error: Could not get the ResponsePage 'Persistent Flow Response Page Properties', No matching record was found.
Workaround:
Missing Response Page can be added using this query:
mysql> INSERT IGNORE INTO PL_ALTERNATE_RESPONSES
         (policy_id, cause, response_type, alternate_response_header, alternate_response_content,
          redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rest_uuid)
       SELECT p.id AS policy_id, cause, response_type, alternate_response_header, alternate_response_content,
              redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rp.rest_uuid
       FROM PL_POLICIES p JOIN PL_ALTERNATE_RESPONSE_DEFAULTS rp
       WHERE rp.flg_load_defaults = 1;
678254-2 : Error logged when restarting Tomcat
Component: TMOS
Symptoms:
An error is logged after restarting Tomcat and using the web UI.
Conditions:
Using the web UI to restart tomcat.
Impact:
An error is logged after restarting Tomcat and using the web UI.
Workaround:
There is no workaround.
678117-1 : 'Can't create a home directory' logged for remote users on secondary blades after configsync
Component: TMOS
Symptoms:
When a remotely authenticated user logs in, a new entry is created in /config/bigip/auth/userrolepartitions. During config sync operations, the secondary blade of the device receiving the config logs the following errors:
-- err mcpd[7575]: 01070261:3: Can't create a home directory for username /home/<username> (Failed opening home directory: /home/<username> - No such file or directory)
There is no /home/<username> on the device used as the source of the config sync.
The error message is logged on the secondary blade (of the target system) but not the primary one.
Conditions:
1. Remote user username in /config/bigip/auth/userrolepartitions.
2. No home directory for the remote user in /home/.
Impact:
There is no apparent impact beyond the error message, which sounds quite serious, but has no functional impact.
Workaround:
Create local user account for remote authenticated users.
To do so using the GUI, navigate to System :: Users : User List, and click Create.
678066 : LTM Policy Tcl-enabled values require 'tcl:' prefix★
Component: Local Traffic Manager
Symptoms:
Prior to BIG-IP v12.1.0, LTM Policy implicitly allowed certain fields to contain Tcl expressions, which would be evaluated and used at runtime. Version 12.1.0 expanded the number of LTM Policy action fields that allow Tcl expressions, and also added the restriction that these fields must begin with the 4-character prefix tcl: to differentiate between a Tcl runtime expansion and a simple text string.
Conditions:
Pre-v12.1.0 LTM Policy containing a Tcl expression that does not begin with the 'tcl:' prefix in one of the following action fields:
-- http-uri: value, path, query-string
-- http-reply: location
Impact:
The migration process, which should find this situation and automatically correct it, can miss in certain cases, leaving a configuration that may fail validation and not load.
Workaround:
Edit the configuration file and manually add the 'tcl:' prefix (without the quotes) to the Tcl expression in the following action fields:
-- http-uri: value, path, query-string
-- http-reply: location
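An added example of the manual edit above, written as a script rather than done by hand (not from the release note or from F5): it walks a policy fragment line by line, remembers which target keyword (http-uri or http-reply) the current action block names, and prepends 'tcl:' to the value, path, query-string and location fields whose value contains a Tcl expression (a bracketed command or a $variable) and has no prefix yet. The bigip.conf layout of the sample, with each action keyword on its own line, is an assumption, as is the heuristic for what counts as a Tcl expression; review the returned list of changes before loading the edited file.

```python
import re
from typing import List, Tuple

# Action fields that, from v12.1.0, must carry the 'tcl:' prefix when they hold Tcl.
TCL_FIELDS = {
    "http-uri": ("value", "path", "query-string"),
    "http-reply": ("location",),
}
# Heuristic (assumption): a bracketed command or a $variable means runtime Tcl.
TCL_EXPR = re.compile(r"\[[^\]]*\]|\$\w+")
FIELD_LINE = re.compile(r"^(\s*)(\S+)\s+(.*)$")


def add_tcl_prefix(config_text: str) -> Tuple[str, List[str]]:
    """Return (rewritten text, list of 'target field' pairs that were changed).

    A target keyword line (http-uri / http-reply) opens a scope that lasts until
    the next closing brace; field lines inside that scope are candidates.
    Already-prefixed values and plain strings are left untouched, so running the
    function twice changes nothing the second time.
    """
    out: List[str] = []
    changed: List[str] = []
    target = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped in TCL_FIELDS:
            target = stripped
        elif stripped == "}":
            target = None
        elif target:
            match = FIELD_LINE.match(line)
            if match and match.group(2) in TCL_FIELDS[target]:
                indent, field, raw = match.groups()
                value = raw.strip('"')
                if not value.startswith("tcl:") and TCL_EXPR.search(value):
                    line = f'{indent}{field} "tcl:{value}"'
                    changed.append(f"{target} {field}")
        out.append(line)
    return "\n".join(out), changed


# Constructed pre-12.1.0 style policy (assumed layout): two fields need the prefix,
# the literal '/static' path does not.
SAMPLE_POLICY = """ltm policy /Common/rewrite_policy {
    requires { http }
    rules {
        lowercase_uri {
            actions {
                0 {
                    http-uri
                    replace
                    value "[string tolower [HTTP::uri]]"
                }
            }
        }
        redirect_host {
            actions {
                0 {
                    http-reply
                    redirect
                    location "https://[HTTP::host]/login"
                }
                1 {
                    http-uri
                    replace
                    path /static
                }
            }
        }
    }
    strategy first-match
}
"""

if __name__ == "__main__":
    fixed, changes = add_tcl_prefix(SAMPLE_POLICY)
    print(fixed)
    print("changed:", changes)
```

After rewriting, load the configuration with 'tmsh load sys config' (or 'tmsh load sys config verify' first) so that validation, not the next reboot, reports any field the heuristic missed.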
677928-2 : A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
Component: TMOS
Symptoms:
A wrong source MAC address may be used in the outgoing IPsec encapsulated packets when the BIG-IP VE system is operated in Azure.
Conditions:
The BIG-IP VE system is first deployed in Azure with a single NIC. After the first reboot and then power off, a second NIC is added to the BIG-IP system. Then, an IPsec tunnel is configured to associate with a selfip on the second NIC.
Impact:
The Azure environment or a remote device may drop the outgoing IPsec encapsulated packets from the BIG-IP system because the source MAC address of the packets is wrong.
677666-3 : /var/tmstat/blades/scripts segment grows in size.
Solution Article: K60909141
Component: Local Traffic Manager
Symptoms:
Over time, the /var/tmstat/blades/scripts file grows in size.
Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.
Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out of memory condition.
Workaround:
No known workarounds.
677646-1 : System cannot boot up due to prior aborted installation★
Solution Article: K62171231
Component: Access Policy Manager
Symptoms:
System stuck at boot up and never comes up.
Conditions:
An rpm command (for example, during a package installation) was aborted before it completed, leaving stale database lock files under /shared/lib/rpm.
Impact:
BIG-IP system not operational.
Workaround:
Run the following command to remove the extraneous files:
rm -f /shared/lib/rpm/__db.??? && shutdown -r now
677525-3 : Translucent VLAN group may use unexpected source MAC address
Solution Article: K06831814
Component: Local Traffic Manager
Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.
Conditions:
VLAN group in translucent mode.
Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.
Workaround:
No workaround at this time.
677473-1 : MCPD core is generated on multiple add/remove of Mgmt-Rules
Component: Advanced Firewall Manager
Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.
Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).
Impact:
The BIG-IP system might become unusable for few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic disrupted while tmm restarts.
Workaround:
None.
677442 : Bulk crypto processing for SSL traffic may crash the traffic daemon in rare cases.
Component: Local Traffic Manager
Symptoms:
Processing bulk crypto traffic may cause the traffic daemon to crash and restart.
Conditions:
When processing bulk crypto requests handled by the Nitrox-based accelerators, a rare memory corruption condition might cause a segmentation fault and a core dump. The circumstances that trigger the corruption are currently not known.
Impact:
Traffic handling is temporarily disrupted until the traffic daemon TMM is restarted.
Workaround:
None.
677302 : Unable to save descriptions for firewall objects
Component: Advanced Firewall Manager
Symptoms:
System erases Description field of Address list/Port list objects when the object is modified.
Conditions:
-- Modifying an address/port definition for Address Lists or Port Lists.
-- Object contains a defined Description.
Impact:
Save operation erases Description.
Workaround:
Use tmsh to modify objects.
677270-2 : Trailing comments in iRules are removed from the config when entered/loaded in TMSH
Solution Article: K76116244
Component: Local Traffic Manager
Symptoms:
Comments at the bottom of an iRule (outside of any event stanza) end up missing from the config.
Conditions:
-- Merging an iRule in a config file in TMSH or entering the iRule manually in TMSH.
-- iRule comments are outside of any event stanza.
Impact:
Trailing comments in iRules are lost.
Workaround:
Use one or both of the following workarounds:
-- Make sure comments are inside of an event stanza.
-- Enter the iRule using the web GUI.
676914-1 : The SSL Session Cache can grow indefinitely if the traffic group is changed.
Component: Local Traffic Manager
Symptoms:
If there are entries in the SSL Session Cache, and the traffic group is changed, the cache might grow indefinitely.
Conditions:
-- SSL is configured.
-- Session cache has a limit on the number of entries.
-- After entries are made into the session cache, the traffic group is then changed.
Impact:
Eventually all memory will be consumed causing TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
Disable the session cache.
As an alternative, after changing the traffic group, restart TMM.
676897-1 : IPsec keeps failing to reconnect
Solution Article: K25082113
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) no longer exists on the remote IPsec peer, the peer might send the BIG-IP system an INVALID-SPI notification, but the BIG-IP system might not delete its copy of the SA. The IPsec tunnel might not be renegotiated until the stale SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
676854-1 : CRL Authentication agent will hang waiting on unresponsive authentication server.
Component: Access Policy Manager
Symptoms:
Some authentication requests never complete. APMD responsiveness degrades over time and eventually restarts.
Conditions:
The CRL Authentication server must be alive enough to accept connections but busy enough to drop requests without closing connections.
Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.
Workaround:
Restarting the CRL Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the CRL backend can detect the issue and allow recovery before the need for APMD to restart.
676828-2 : Host IPv6 traffic is generated even when ipv6.enabled is false
Solution Article: K09012436
Component: Local Traffic Manager
Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.
Conditions:
sys db ipv6.enabled is false.
Impact:
Extraneous IPv6 traffic from the BIG-IP system.
Workaround:
None.
676721-2 : Missing check for NULL condition causes tmm crash.
Solution Article: K33325265
Component: Local Traffic Manager
Symptoms:
Missing check for NULL condition causes tmm crash.
Conditions:
One possible route involves load balancing failure, but there may be other paths leading to this crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
676643 : FTP passive monitor uses IP address from PASV (not monitor destination)
Component: Local Traffic Manager
Symptoms:
A curl-based Tcl monitor for an FTP passive monitor uses the IP address from the FTP PASV response, rather than the IP address from the monitor destination. This is different from legacy behavior, which ignored the IP address obtained in the PASV response (and always established the data connection to the IP address defined in the monitor destination). FTP passive monitors that rely on the legacy behavior may stop working (with the pool member always being marked 'down').
Conditions:
FTP monitor is configured for passive, where the FTP PASV command provides an IP address.
Impact:
This new behavior is correct (the FTP passive monitor should use the IP address from the PASV command). However, configurations assuming legacy behavior to ignore the IP address in the PASV command and instead rely upon the IP address in the monitor destination may stop working (with the pool member always being marked 'down').
Workaround:
This behavior is correct, but to avoid using the IP address in the PASV command, configure the FTP monitor for active mode.
676442-2 : Changes to RADIUS remote authentication may not fully sync
Solution Article: K37113440
Component: TMOS
Symptoms:
With multiple devices in a sync group, changes to remote authentication (for example, changes made using commands such as: tmsh modify auth radius system-auth servers replace-all-with { AAA_a AAA_b } ) will be effective on the device where the change was made.
And although the changes are synced to tmsh config on the other devices in the group, the changes are not effective on those devices, as may be observed by checking that the changes do not appear in /config/bigip/auth/pam.d/system-auth and /config/bigip/auth/pam.d/radius/system-auth.conf.
Conditions:
Devices in a sync group that will sync system-auth config.
Impact:
Changes to RADIUS authentication will not be effective throughout the device group.
Workaround:
After syncing RADIUS changes, run the following command on all devices:
tmsh save sys config && tmsh load sys config
676395-1 : Syslog messages seen with error code while viewing ssl certificate detail with debug turned on.
Component: TMOS
Symptoms:
Log message starting with 'Filemap returns Error 1 for file' gets logged into syslog while viewing certificate details.
Conditions:
1. Turn on debug using the following command:
tmsh modify sys syslog daemon-from debug
2. Go to Certificate Management and navigate to view certificate details.
Impact:
No known impact other than the logged message.
Workaround:
Turn off debug using the following command:
tmsh modify sys syslog daemon-from notice
676355-2 : DTLS retransmission does not comply with RFC in certain resumed SSL session
Component: Local Traffic Manager
Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.
Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.
Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.
Workaround:
None.
676300-5 : EPSEC binaries may fail to upgrade in some cases★
Solution Article: K04551025
Component: Access Policy Manager
Symptoms:
Windows client may fail to upgrade endpoint security package in some cases. This happens due to a corrupted registration of old endpoint security components.
Conditions:
Corrupted registry entry related to endpoint security components.
Impact:
Client may not be able to upgrade to latest endpoint package hosted on APM.
Workaround:
Remove the following registry keys from the registry:
Note: Use extra care editing the registry. Only remove the following keys, and no others.
"HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_CLASSES_ROOT\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
676223-2 : Internal parameter in order not to sign allowed cookies
Component: Application Security Manager
Symptoms:
ASM TS cookies may get big (up to 4k).
Conditions:
Policy building is turned on (manual or automatic), and there are allowed cookies.
Impact:
Larger TS cookies add to the size of every request the client sends, increasing the bandwidth the web site consumes.
Workaround:
N/A
676107 : With admin account disabled, user cannot use token-based authentication
Component: Device Management
Symptoms:
To allow special characters in usernames when using remote authentication providers (LDAP, RADIUS, etc.), the login process makes additional iControl REST calls to detect the authentication source type. Because there is no dedicated system account on the BIG-IP system, the operation uses the hard-coded admin account to perform that function. If the admin account is disabled, this fails, so the user cannot use token-based authentication.
Conditions:
-- admin account is disabled.
-- Remote authentication configured.
-- Logging on using iControl.
(Disabling the admin account might occur as a result of following the instructions in K15632: Disabling the admin and root accounts using the Configuration utility or tmsh :: https://support.f5.com/csp/article/K15632).
Impact:
Cannot use token-based authentication.
Workaround:
There is no workaround other than not disabling the admin user account.
676092-1 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) no longer exists on a remote IPsec peer, the BIG-IP system might receive an INVALID-SPI notification but not delete its own copy of the SA. The IPsec tunnel might not be renegotiated until the stale SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
675911 : Dashboard CPU history file may contain incorrect values
Solution Article: K13272442
Component: Local Traffic Manager
Symptoms:
Values such as 33%, 66% and 99% may appear in the CSV file exported from the dashboard utility.
Conditions:
htsplit is enabled.
Impact:
CPU history in exported CSV file does not match actual CPU usage.
Workaround:
You can obtain CPU history through various other means.
One way is to use the sar utility:
In 12.x and 13.x:
sar -f /var/log/sa6/sa
or for older data
sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.
In 11.x:
sar -f /var/log/sa/sa
or for older data
sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.
675742 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores
Component: TMOS
Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:
01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.
The UCS loads successfully, other than the DB variables, but this error message is printed and the DB variables are not loaded.
Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.
-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.
Impact:
The UCS loads successfully, other than the DB variables, but this error message is printed and the DB variables are not loaded.
Workaround:
There is no workaround at this time.
675718-1 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) no longer exists on a remote IPsec peer, the BIG-IP system might receive an INVALID-SPI notification but not delete its own copy of the SA. The IPsec tunnel might not be renegotiated until the stale SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
675539-1 : Inter-system communications targeted at a Management IP address might not work in some cases.
Component: Global Traffic Manager (DNS)
Symptoms:
Inter-system communications fail to connect to a BIG-IP system using the Management IP address.
Conditions:
This occurs if the device connection is configured between a Self IP address on one BIG-IP system and the Management IP address on another.
This occurs because the big3d daemon acts as a proxy, listening on the Management IP address and will send proper SSL connections (using SNI) to TMM (since TMM does not listen on the Management IP address).
This is not an issue if either of the following is true:
-- The source of the connection is the Management IP address, because the connection is clear text (not SSL encrypted, so SNI is not used).
-- The destination of the connection is a Self IP address, because TMM (via an iRule) handles the connection.
Impact:
Device sync operations do not work.
Workaround:
Do not use the Management IP address for between-device communications.
675368-2 : Unable to reorder rules when one of the rule names contains % or /
Component: TMOS
Symptoms:
Unable to reorder rules when one of the rule names contains % or /.
Conditions:
One of the rule names contains % or /.
Impact:
The rules cannot be reordered.
Workaround:
Rename the rules so that their names do not contain % or /.
675298-1 : F5 MIB value types changed to become RFC compliant
Component: TMOS
Symptoms:
In BIG-IP Version 12.1.2 several F5 MIB variables changed from 64-bit counter types to 32-bit gauge types. This change was made to make the MIBs RFC compliant. In a mixed environment, where some BIG-IPs are running 11.x and some running 12.x this can cause problems with the management station. If the management station cannot load MIBs dependent upon BIG-IP version then those variables can cause errors to be reported on the management station due to type mismatch.
Conditions:
An environment where a management station is managing BIG-IP systems with a mix of version 11.x and 12.x. The station may import a MIB version whose types do not match the MIBs on the BIG-IP system with regards to the type changes made in version 12.x.
Impact:
The management station reports errors due to type mismatch for some variables.
Workaround:
None.
674997 : It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system.
Component: TMOS
Symptoms:
With APM-based system authentication, using tmsh to make changes to the password for user 'admin' will apparently succeed, but the password will be unchanged.
Conditions:
-- APM-based system authentication configured.
-- Using tmsh to make changes to the password for user 'admin'.
Impact:
Unable to change password for default system account.
Workaround:
Switch to local system authentication, change the password for 'admin', then switch back to remote authentication.
674992-3 : AAM traffic report's time period doesn't always apply
Component: WebAccelerator
Symptoms:
AAM traffic report's time period doesn't always apply.
Conditions:
Select a time period on the AAM traffic report page other than last hour.
Impact:
The table and graph still display last hour data.
674957-1 : If a certificate is stored in DER format, exporting it using the GUI corrupts the output.
Component: TMOS
Symptoms:
When a certificate stored in DER format is exported, all bytes with values larger than 0x7E are replaced with 0x3F, and there is one more byte added (0x0a) at the end of the binary file.
Conditions:
Using the GUI to export a certificate stored in DER format.
Impact:
Corrupted certificate.
Workaround:
You will need to use openssl to create a copy of the certificate in .pem or .der format. For example, to export the der certificate myder.crt to a mycert.pem certificate in .pem format, run the following command:
openssl x509 -out mycert.pem -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:myder.crt_75978_1 -inform der
Note: This requires bash access, which is available only to users with the administrator role.
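To tell a correctly exported DER file from one damaged by this bug without inspecting it by eye, the following Python is an added example (not part of this release note and not F5 software). The SAMPLE_DER blob it uses is constructed to look like an outer DER SEQUENCE and is not a real certificate.

```python
# Added example; not F5 code. Checks whether a certificate file exported from
# the Configuration utility was mangled as described in 674957-1: every byte
# above 0x7E replaced by 0x3F ('?') and a single 0x0A appended. SAMPLE_DER is a
# constructed DER-shaped blob, not a real certificate.
import sys

SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))   # SEQUENCE, long-form length 256


def simulate_gui_export(der: bytes) -> bytes:
    """Reproduce the export corruption on an in-memory blob."""
    mangled = bytes(0x3F if b > 0x7E else b for b in der)
    return mangled + b"\n"


def der_outer_length(data: bytes):
    """Return the total length (header + content) encoded by the outer DER
    SEQUENCE, or None if the header is not a well-formed SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: length in 7 bits
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_der_export(data: bytes) -> str:
    """Classify a file that should be a DER certificate.
    'ok'             : outer SEQUENCE length matches the file size
    'mangled-export' : bears the signature of the GUI export bug
    'invalid'        : neither (PEM, truncated, or otherwise damaged)"""
    total = der_outer_length(data)
    if total is not None and total == len(data):
        return "ok"
    # Any certificate longer than 127 bytes has a long-form length byte of
    # 0x81 or above, so a real DER file always contains bytes above 0x7E.
    # The mangled export contains none, still starts with the 0x30 tag,
    # ends with the appended newline and carries substituted 0x3F bytes.
    mangled = (data[:1] == b"\x30" and data.endswith(b"\n")
               and max(data) <= 0x7E and 0x3F in data)
    return "mangled-export" if mangled else "invalid"


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else simulate_gui_export(SAMPLE_DER)
    print(check_der_export(blob))
```

Run it with the exported file as the only argument; a result of 'mangled-export' means the file must be regenerated with openssl as shown above. The signature it relies on (no byte above 0x7E, substituted 0x3F bytes, a trailing newline) is exactly the damage described under Symptoms.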
674795-1 : tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.
Component: Traffic Classification Engine
Symptoms:
tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds. In fact, it is in hours.
Conditions:
-- Viewing tmsh help/man page.
-- Searching for urldb feedlist polling interval.
Impact:
The help text is misleading: the interval is specified in hours, not seconds.
Workaround:
None.
674754-2 : ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the email address in ZoneRunner to a value containing an '@' character does not work. System validation catches that the '@' is invalid, but the operation fails silently and the new email address is not stored.
Note. The '@' character is invalid for the email field because it has other uses in zone files. A dot should be used instead of '@'.
Conditions:
Zone already exists in ZoneRunner.
Trying to update it with a new email address.
Impact:
Confusion as to why the GUI is ignoring the new email address that was entered.
Workaround:
The '@' (at sign) character is invalid for ZoneRunner email fields because it has other uses in zone files. Use a '.' (dot, or period) character instead of '@'.
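Because ZoneRunner stores the responsible mailbox in zone-file (SOA RNAME) form, the following Python shows the conversion in both directions, including the backslash escaping of dots inside the mailbox name that the '@' to '.' advice above does not cover. It is an added example, not ZoneRunner or F5 code, and the RFC 1035 master-file escaping rule it applies is an assumption about the zone-file syntax, not something this release note states.

```python
# Added example; not F5 or ZoneRunner code. Converts an administrator e-mail
# address to the SOA RNAME form used in zone files ('@' becomes a label
# separator; dots inside the mailbox name are escaped as '\.' per RFC 1035
# master-file syntax, which is assumed here) and back again.


def email_to_rname(email: str) -> str:
    """'hostmaster@example.com' -> 'hostmaster.example.com.'
    'john.doe@example.com'     -> 'john\\.doe.example.com.'"""
    local, at, domain = email.partition("@")
    if not at or not local or not domain or "@" in domain:
        raise ValueError("expected exactly one '@' with a mailbox on each side")
    escaped_local = local.replace(".", "\\.")     # dots in the mailbox are literal
    return f"{escaped_local}.{domain.rstrip('.')}."


def rname_to_email(rname: str) -> str:
    """Inverse of email_to_rname: the first label (with escapes honoured) is
    the mailbox, the remaining labels form the domain."""
    labels, current, i = [], "", 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):     # escaped character, e.g. '\.'
            current += rname[i + 1]
            i += 2
            continue
        if ch == ".":
            labels.append(current)
            current = ""
        else:
            current += ch
        i += 1
    if current:
        labels.append(current)
    if len(labels) < 2 or "" in labels:
        raise ValueError("RNAME needs a mailbox label followed by a domain")
    return labels[0] + "@" + ".".join(labels[1:])


def zonerunner_email_field_ok(value: str) -> bool:
    """The check the GUI applies but does not report: '@' is not allowed."""
    return bool(value) and "@" not in value


if __name__ == "__main__":
    for addr in ("hostmaster@example.com", "john.doe@example.com"):
        rname = email_to_rname(addr)
        print(addr, "->", rname, "->", rname_to_email(rname))
```

Enter the output of email_to_rname in the ZoneRunner field; for a mailbox such as john.doe the dot inside the name must be escaped, otherwise the name is read as the label 'john' under 'doe.example.com'.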
674747-2 : sipdb cannot delete custom bidirectional persistence entries.
Solution Article: K30837366
Component: Service Provider
Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.
Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.
Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility, but they cannot be deleted.
Workaround:
None.
674527-1 : TCL error in ltm log when server closes connection while ASM irules are running
Component: Application Security Manager
Symptoms:
TCL error in ltm log, for example:
TCL error: /Common/bug <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error. invoked from within "ASM::severity"
Conditions:
1. ASM irules are attached.
2. There was already one request passed to the web-server
3. Server closes connection.
Impact:
Error in ltm log.
674459 : Users are not expected to change security.commoncriteria DB variable through TMSH
Component: Local Traffic Manager
Symptoms:
Changing the security.commoncriteria db variable to true, and then attempting to change it back to false through TMSH causes validation errors related to SSHD configuration. Users are not expected to change this value without using the ccmode script.
Conditions:
Changing the security.commoncriteria db variable to true, and then back to false.
Impact:
Validation errors. The BIG-IP system remains stuck in Common Criteria mode when it is not desired.
Workaround:
None.
674367-1 : SDD v3 symmetric deduplication may stop working indefinitely
Solution Article: K20983428
Component: Wan Optimization Manager
Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may stop working indefinitely.
Conditions:
This issue occurs when all of the following conditions are met:
1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) Applications configured to benefit from symmetric deduplication are actively passing traffic.
4) Both BIG-IP HA pairs (the near and far sides) are failed over concurrently (although in more rare cases, even failing over a single pair is sufficient to reproduce the issue).
Impact:
Applications no longer benefit from symmetric deduplication, increasing the amount of data transmitted over the WAN.
Workaround:
Restarting the services on all BIG-IP units involved in the topology (without performing additional failovers after they return on-line) restores symmetric deduplication functionality. This will cause some downtime.
674328-3 : Multicast UDP from BIG-IP may have incorrect checksums
Component: TMOS
Symptoms:
BIG-IP may transmit UDP datagrams with a bad checksum.
Conditions:
Outgoing link-local multicast UDP traffic from the Linux host, such as RIP.
Impact:
Packets may be dropped by adjacent devices.
Workaround:
Disable checksum offloading on the virtual NIC for affected VLANS, e.g. "ethtool --offload vlan1274 rx on tx off"
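To confirm that a captured datagram really carries a bad checksum (and is not a capture-side artifact of checksum offload, where the NIC fills the field in after the capture point), the following Python computes and verifies the RFC 768 checksum the way a receiving router would. It is an added example, not F5 code; the RIP request packet it checks is constructed.

```python
# Added example; not F5 code. Verifies the checksum of an IPv4 UDP datagram
# the way an adjacent router would, so a capture from the affected host can
# be checked. The RIP request below (224.0.0.9, port 520) is constructed.
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp4_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """RFC 768 checksum: pseudo-header (src, dst, zero, proto, UDP length)
    plus the UDP header and payload with the checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF                   # a computed 0 is transmitted as 0xFFFF


def build_udp4(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP header + payload with a correct checksum."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp4_checksum(src, dst, hdr + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp4(src: bytes, dst: bytes, udp: bytes) -> str:
    """'ok', 'bad', or 'none' (checksum field zero, which IPv4 permits).
    A host showing the 674328-3 symptom emits non-zero checksums that are 'bad'."""
    sent = struct.unpack("!H", udp[6:8])[0]
    if sent == 0:
        return "none"
    return "ok" if udp4_checksum(src, dst, udp) == sent else "bad"


# Constructed sample: RIPv2 request (command 1, version 2, one route entry
# with metric 16) from 10.0.0.1 to the link-local multicast group 224.0.0.9,
# UDP port 520 on both sides.
SRC = bytes([10, 0, 0, 1])
DST = bytes([224, 0, 0, 9])
RIP_REQUEST = bytes([1, 2, 0, 0]) + b"\x00" * 16 + b"\x00\x00\x00\x10"
GOOD = build_udp4(SRC, DST, 520, 520, RIP_REQUEST)
# Same datagram with one payload byte flipped but the checksum left as sent.
CORRUPTED = GOOD[:12] + bytes([GOOD[12] ^ 0xFF]) + GOOD[13:]

if __name__ == "__main__":
    print("good:", verify_udp4(SRC, DST, GOOD))
    print("corrupted:", verify_udp4(SRC, DST, CORRUPTED))
```

Feed verify_udp4 the IPv4 source and destination addresses and the UDP header plus payload from a packet captured on the adjacent device rather than on the BIG-IP host itself; a capture taken on the sending host with offload enabled shows the field before the NIC fills it in and proves nothing either way.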
674297-1 : Custom headers are removed on cross-origin requests
Component: Fraud Protection Services
Symptoms:
Custom headers are removed on cross-origin requests.
Conditions:
A cross domain FPS request uses the FPS custom header. For example: AJAX encryption from one domain to another.
Impact:
The request will be blocked, FPS functionality breaks.
Workaround:
For HOST <HOST NAME> and FPS custom header <HEADER NAME>, a variant of the following iRule can be used (the flag set on the preflight request is cleared once the matching response has been adjusted, so later requests on the same keep-alive connection are not modified):
when HTTP_REQUEST {
    # Remember that this request is a CORS preflight for the protected host,
    # so the matching response can be adjusted below.
    if { [HTTP::method] equals "OPTIONS" && [HTTP::host] equals "<HOST NAME>" } {
        set modify_allowed_headers 1
    }
}
when HTTP_RESPONSE {
    if { [info exists modify_allowed_headers] && $modify_allowed_headers equals "1" } {
        # Clear the flag so only this preflight response is modified.
        unset modify_allowed_headers
        if { [HTTP::header exists "Access-Control-Allow-Headers"] } {
            set hdr [HTTP::header value "Access-Control-Allow-Headers"]
            append hdr ", <HEADER NAME>"
            HTTP::header replace Access-Control-Allow-Headers $hdr
        }
    }
}
674145-3 : chmand error log message missing data
Component: TMOS
Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.
Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP
The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.
Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.
Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.
674004-1 : tmm may crash after deleting a pool member that is processing traffic
Solution Article: K34448924
Component: Local Traffic Manager
Symptoms:
tmm may crash after deleting a pool member that is processing traffic.
Conditions:
-- Two or more pools share the same node as pool member.
-- A pool member (with the shared node) is deleted while traffic is passing.
-- Connpool is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
673974-1 : agetty auto detects parity on console port incorrectly
Solution Article: K63225596
Component: TMOS
Symptoms:
With a BIG-IP system configured for a console baud rate that differs from the baud rate of the serial terminal plugged into the console port, the system returns garbled characters on the screen. Changing the terminal setting to match the console baud rate has no effect after that: the BIG-IP system continues to send garbage.
Conditions:
-- BIG-IP system with a console at a certain baud rate.
-- A serial terminal with a different baud rate is plugged in.
-- Enter is pressed several times.
Impact:
The parity detection code selects the wrong setting, leaving the console port unusable until reboot of the BIG-IP system, or after killing and restarting agetty.
Workaround:
To recover from this condition, log on to the BIG-IP system via ssh, force parity off, and kill the agetty process (assuming the console is not logged in, and is therefore running agetty).
via ssh:
# stty -F /dev/ttyS0 -parenb ; killall agetty
However, this is not an ideal workaround, as a frequent reason to use the serial console is lack of network access to the device.
In that situation, you can log on by setting the terminal to Mark parity (8 data bits, Mark parity, 1 stop bit).
Note: There is no way to mitigate the issue from the console connection itself, as agetty doesn't run while the console is logged in.
You can also reboot the BIG-IP system, reset the terminal speed on the laptop to match the console speed set on the BIG-IP system, and reconnect the laptop.
673952 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot
Component: TMOS
Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:
notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all
Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.
Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.
Workaround:
None.
673814-4 : Custom bidirectional persistence entries are not updated to the session timeout
Solution Article: K37822302
Component: Service Provider
Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.
Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.
Impact:
The persistence timeout will prematurely time out.
Workaround:
Set the transaction timeout to the session timeout value.
673640 : Log messages for virtual server status changes are not immediately logged.
Component: TMOS
Symptoms:
Log messages for virtual server status changes are not immediately logged.
Conditions:
-- Virtual server status due to lasthop-pool going down or coming back up.
-- Viewing associated logs.
Impact:
No status-change messages are present.
Workaround:
None.
673573 : tmsh logs boost assertion when running child process and reaches idle-timeout
Component: TMOS
Symptoms:
If a tmsh command reaches its idle timeout while a sub-process it spawned in interactive mode is still running, tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm.
The errors in /var/log/ltm begin with the following text:
'boost assertion failed'
Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.
Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.
Workaround:
None.
673095 : Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'
Component: Local Traffic Manager
Symptoms:
Unable to load a UCS due to a VLAN validation error.
Conditions:
QinQ VLANs saved in a UCS file.
Impact:
Unable to reload the saved config.
Workaround:
Before loading the config, use tmsh to delete all VLANs. Then config will load successfully.
673052-2 : On i-Series platforms, HTTP/2 is limited to 10 streams
Component: Local Traffic Manager
Symptoms:
On i-Series platforms, HTTP/2 is limited to 10 streams by licensing.
"HTTP2 limited to 10 concurrent streams: Web Accelerator feature not licensed." appears in /var/log/ltm
Conditions:
Using an i-Series platform where WAM is unlicensable.
Impact:
HTTP/2 performance may be less than desired
672852 : FIPS card cannot be initialized
Component: Local Traffic Manager
Symptoms:
The admin is unable to initialize the FIPS card; this includes running fipsutil -f init and fipsutil -f reset.
Conditions:
Running fipsutil -f init, fipsutil -f reset.
Impact:
FIPS card is not initialized and cannot be used in the slot.
Workaround:
You can use either of the following workarounds:
-- Initialize FIPS card on a different slot.
-- Power cycle the blade where FIPS card is located.
672491-2 : net resolver uses internal IP as source if matching wildcard forwarding virtual server
Solution Article: K10990182
Component: Global Traffic Manager (DNS)
Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.
Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.
Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.
Impact:
Failed DNS queries as a result of incorrect source IP address.
Workaround:
None.
672312-2 : IP ToS may not be forwarded to serverside with syncookie activated
Component: Local Traffic Manager
Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.
Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.
Impact:
IP ToS header is not forwarded to the serverside.
Workaround:
None.
672240 : iRuleLX (v1) plugins may cause TMM to core if originating flow is terminated before plugin work is complete
Solution Article: K50091255
Component: Local Traffic Manager
Symptoms:
- Traffic processing is affected.
- Core file may be found in /var/core.
- /var/log/ltm may include a message similar to the following:
info tmm[19357]: 01220009:6: Pending rule /Common/irule_xxx <ACCESS_POLICY_AGENT_EVENT> aborted for 192.168.104.121:29261 -> 10.40.105.180:443
Conditions:
- Traffic passing through the BIG-IP system is processed by an iRule.
- iRule makes an RPC call to the iRule LX plugin.
- Plugin takes a long time to complete the task.
- Originating connection is terminated due to timeout or other external causes.
- Plugin completes work but corresponding connection is no longer present.
Impact:
Traffic processing is interrupted. Traffic disrupted while tmm restarts.
Workaround:
- Ensure timeout settings on protocol profiles are sufficiently long to allow for longer running plugin work.
- Ensure plugin code executes within timeout limits.
672221 : TMM cores if the certificate configured to validate message signature does not exist.
Component: Access Policy Manager
Symptoms:
TMM cores if the SAML message signature verification certificate cannot be found in the configuration.
Conditions:
-- SAML is configured with an invalid certificate in the message signature validation setting.
-- The control-plane is unable to detect such misconfiguration.
Note: This is an unlikely occurrence if the usual control-plane is used to configure the SSO/SAML object. In this particular case, the certificate-key was passed in as the certificate which triggered a certificate-not-found error.
Impact:
The issue can lead to momentary service interruption. Traffic disrupted while tmm restarts.
Workaround:
Make sure the certificate configured for use with the SAML message signature verification is correctly configured and the configuration loads successfully.
671999-2 : Re-extract the Thales software every time the installation script is run
Component: Local Traffic Manager
Symptoms:
If Thales has already been installed on the BIG-IP system, installing a new version does not overwrite the existing installed version.
Conditions:
/shared/nfast exists on the BIG-IP system before installing the Thales client software.
Impact:
The old version of the software will be used in the installation operation, instead of the expected new version of the software.
Workaround:
You can use either or both of the following workarounds before running the installation script:
-- Run the uninstallation script.
-- Delete the /shared/nfast folder.
671712 : The values returned for the ltmUserStatProfileStat table are incorrect.
Component: TMOS
Symptoms:
An SNMP table entry intermittently comes back incorrect: an LTM profile user statistic value is returned with an OID that is off by one in the table.
Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.
Impact:
Incorrect data returned in SNMP walk of LTM profile table.
Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.
671553-2 : iCall scripts may make statistics request before the system is ready
Component: TMOS
Symptoms:
iCall scripts may make statistics requests before statsd (a necessary service for stats collection) is ready.
Conditions:
Early during startup.
Impact:
The Tcl script may generate an error and stop working.
Workaround:
Use Tcl's 'catch' command to detect and handle the error.
671447-2 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
Component: TMOS
Symptoms:
When a BIG-IP system participates in an IS-IS network, adjacencies may fail to form with other vendors' devices.
Conditions:
-- BIG-IP configured to participate as a peer in an IS-IS network.
-- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)
Impact:
IS-IS adjacencies may not form.
Workaround:
None.
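What a strictly validating peer does with the 7-byte SystemID can be shown by parsing the Restart TLV (type 211) as RFC 5306 defines it, assuming the usual 6-octet ID Length. The following Python is an added example, not ZebOS or BIG-IP code; the TLVs it parses are constructed.

```python
# Added example; not ZebOS or BIG-IP code. Validates the IS-IS Restart TLV
# (type 211, RFC 5306) with the strict length check a peer may apply: the
# value is 1 octet of flags, optionally followed by a 2-octet Remaining Time
# and optionally a 6-octet Restarting Neighbor System ID (ID Length 6 is
# assumed), so the only legal lengths are 1, 3 and 9. A 7-octet System ID
# (length 10) is rejected, which is the interoperability failure in 671447-2.
RESTART_TLV_TYPE = 211
SYSTEM_ID_LEN = 6
FLAG_RR, FLAG_RA, FLAG_SA = 0x01, 0x02, 0x04   # Restart Request / Ack / Suppress Adjacency


def build_restart_tlv(flags: int, remaining_time=None, system_id: bytes = b"") -> bytes:
    """Encode a Restart TLV. Deliberately does not police the system_id
    length so a malformed (7-octet) ID can be produced for testing."""
    value = bytes([flags & 0x07])
    if remaining_time is not None or system_id:
        value += (remaining_time or 0).to_bytes(2, "big")
    value += system_id
    return bytes([RESTART_TLV_TYPE, len(value)]) + value


def parse_restart_tlv(tlv: bytes) -> dict:
    """Strictly parse one Restart TLV; raise ValueError on anything RFC 5306
    does not allow."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV header")
    tlv_type, tlv_len = tlv[0], tlv[1]
    if tlv_type != RESTART_TLV_TYPE:
        raise ValueError(f"type {tlv_type} is not a Restart TLV")
    value = tlv[2:2 + tlv_len]
    if len(value) != tlv_len:
        raise ValueError("TLV length exceeds available octets")
    if tlv_len not in (1, 3, 3 + SYSTEM_ID_LEN):
        raise ValueError(f"Restart TLV length {tlv_len}: expected 1, 3 or {3 + SYSTEM_ID_LEN}")
    flags = value[0]
    parsed = {"RR": bool(flags & FLAG_RR), "RA": bool(flags & FLAG_RA), "SA": bool(flags & FLAG_SA)}
    if tlv_len >= 3:
        parsed["remaining_time"] = int.from_bytes(value[1:3], "big")
    if tlv_len == 3 + SYSTEM_ID_LEN:
        sid = value[3:]
        parsed["restarting_neighbor"] = ".".join(sid[i:i + 2].hex() for i in (0, 2, 4))
    return parsed


def restart_tlv_accepted(tlv: bytes) -> bool:
    """True if a strict peer would accept the TLV, False if it would discard it."""
    try:
        parse_restart_tlv(tlv)
        return True
    except ValueError:
        return False


# Constructed samples: a conformant 6-octet System ID and a ZebOS-style 7-octet one.
CONFORMANT = build_restart_tlv(FLAG_RA, 60, bytes.fromhex("192168001001"))
SEVEN_OCTET = build_restart_tlv(FLAG_RA, 60, bytes.fromhex("19216800100100"))

if __name__ == "__main__":
    print(parse_restart_tlv(CONFORMANT))
    print("7-octet ID accepted:", restart_tlv_accepted(SEVEN_OCTET))
```

A peer that does not validate strictly would read the first six octets of the 7-octet ID and ignore the rest, which is why the adjacency problem appears only against some vendors' implementations.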
671372-2 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Solution Article: K01930721
Component: TMOS
Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.
Impact:
The pool will be created but the members will not be modified.
Workaround:
Create a pool in one transaction; followed by modifying members in another transaction.
671337-1 : NetHSM DNSSEC key creation can attempt to change the SELinux label on a file
Component: Local Traffic Manager
Symptoms:
A log message such as the following can appear in the logs:
type=AVC msg=audit(1498506868.354:3786): avc: denied { relabelfrom } for pid=7567 comm="mv" name="_Common_zsk_127000B6DC9454EACB50A1FD2073C5F5314F.key" dev="dm-15" ino=80012 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:mcpd_tmp_t:s0 tclass=file
Conditions:
A NetHSM DNSSEC key is created in a temporary directory and the system attempts to change the SELinux label on the file without permission to do so.
Impact:
SELinux error will be logged
671314-4 : BIG-IP system cores when sending SIP SCTP traffic
Solution Article: K37093335
Component: TMOS
Symptoms:
Virtual servers with an SCTP profile and a SIP message-routing profile may crash the TMM.
Conditions:
This flaw affects virtual servers that pass SCTP traffic, where the SIP message-routing profile has the record-route option enabled.
Impact:
TMM crashes and fails over, disrupting traffic processing. Traffic disrupted while TMM restarts.
Workaround:
Remove the record-route option, or change the traffic to use TCP or UDP instead of SCTP.
671261-2 : MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo
Solution Article: K32306231
Component: TMOS
Symptoms:
When selecting 'Notify Status to Virtual Address' on a virtual server, and using the 'Selective' setting of ICMP Echo for a corresponding virtual address, MCP does not recognize that this setting has changed and does not modify the ICMP echo settings of the virtual address accordingly. The previous setting will continue to take effect until another (unrelated) change is made to the virtual address.
Conditions:
The 'Selective' setting of ICMP Echo is used for a virtual address, and the user selects 'Notify Status to Virtual Address' on a virtual server associated with that address.
Impact:
The previous setting will continue to take effect, until an (unrelated) change is made to the virtual address, at which point the new setting will take effect.
Workaround:
After changing the 'Notify Status to Virtual Address' on a virtual server (where 'Selective' setting of ICMP Echo is used for the corresponding virtual address), make another change to the virtual address to cause the new setting to take effect.
671236-2 : BGP local-as command may not work when applied to peer-group
Solution Article: K27343382
Component: TMOS
Symptoms:
The BGP-level command 'neighbor <peer-group> local-as <AS>' might fail to apply to peers in the peer group.
Conditions:
Applying the BGP local-as command to a peer group.
For instance:
neighbor <peer-group> local-as <AS>.
Impact:
The command fails to apply, and the actual local AS sent to the peer is that of the BGP process and not the one specified in the command.
Workaround:
Apply the BGP local-as directly to the peer, not the peer-group.
671178 : Date/time change after configuring HA may impair configuration sync
Solution Article: K20274760
Component: TMOS
Symptoms:
Configuration not syncing among units in high availability (HA) group.
Conditions:
Date/time is set to an earlier date/time after HA is already configured.
Note: Changes are synced as expected when changing the date/time to a later value; only setting it to an earlier one results in this issue.
Impact:
-- Configuration changes are not recognized and are not synced; however, the system sync status incorrectly reports 'in-sync'.
-- The 'Time Since Last Sync' displayed when running 'tmsh show /cm device-group' is negative. Note: This is only a cosmetic issue and has no effect on the system.
Workaround:
Note: Devices should be configured with NTP.
To restore consistency to the group, you can do one of the following:
-- Reset the time to be consistent with peers and make another config change.
-- Make a change on the peer device with the farthest future system time.
-- Force a sync to another device with the farthest future system time using a command similar to the following:
tmsh modify cm device-group <device group name> devices modify { <sync-to-device-name> { set-sync-leader } }.
671044-3 : FIPS certificate creation can cause failover to standby system
Solution Article: K78612407
Component: TMOS
Symptoms:
FIPS certificate creation can cause failover or outage of a system under heavy load. The certificate creation could take longer than the default timeout, causing TMOS to think the FIPS chip is locked up.
Conditions:
Creating a FIPS certificate while the system is handling a high FIPS traffic load.
Impact:
Possible failover from active to standby, or an outage if there is no standby system, or if the certificate creation causes both active and standby systems to time out.
Workaround:
Setting crypto.queue.timeout to 2000 will avoid this problem. The actual timeout needed depends on the system type and how heavily loaded the FIPS chip is. 2000 should be more than sufficient for all currently supported BIG-IP platforms under high load.
671025 : File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured
Component: TMOS
Symptoms:
devmgmtd exhausting file descriptors when state-mirroring peer-address is misconfigured:
err devmgmtd[8301]: 015a0000:3: [evConnMgr.tcc:29 evIncomingConn] Incoming connection failed: Too many open files
Conditions:
State-mirroring peer-address is misconfigured or configured to a self-ip with port lockdown misconfigured.
Impact:
devmgmtd has too many open files, causing iControl issues because iControl is unable to communicate with devmgmtd.
Workaround:
None.
670893-1 : Sensitive monitor parameters recorded in monitor logs
Component: Local Traffic Manager
Symptoms:
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration, including:
- user-account password
- radius/diameter secret
- snmp community string
Conditions:
This may occur under the following conditions:
1. LTM monitor type is one of the following:
ldap
mssql
mysql
nntp
oracle
postgresql
radius
radius-accounting
smb
snmp-dca
snmp-dca-base
wap
On BIG-IP versions prior to v11.6.0, the LTM monitor type is one of the above, or one of the following:
ftp
imap
pop3
smtp
2. Monitor instance logging or monitor debug logging is enabled by one of the following methods:
a. Monitor instance logging is enabled by setting the 'logging' element to 'enabled' for an LTM node or pool member using the monitor.
b. Monitor debug logging is enabled by setting the 'debug' element to 'yes' for an applicable LTM monitor.
Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
670804-2 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
Solution Article: K03163260
Component: Local Traffic Manager
Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.
Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified accept when used with OneConnect on a virtual server.
670691 : Unable to list ntlm profile in different root folder or partition
Solution Article: K02331705
Component: TMOS
Symptoms:
Unable to list NTLM profiles when they are in a different root folder or partition than the currently active folder or partition.
Conditions:
This occurs when attempting to list an NTLM profile that exists in another folder or partition.
For example:
-- The active folder or partition is /Common.
-- The NTLM profile 'my_ntlm' exists in the '/NTLM_Profile' folder or partition.
-- You run a command similar to the following to show details of an NTLM profile: list ltm profile ntlm /NTLM_Profile/my_ntlm.
Impact:
Unable to display NTLM profiles that reside outside of the active folder or partition. The system posts error messages similar to the following:
Error in ntlm: "/NTLM_Profile/my_ntlm" not found.
01020036:3: The requested Config Instance ( /NTLM_Profile/my_ntlm) was not found.
Workaround:
Change folders or partition before listing NTLM profiles.
670520-3 : FastL4 not sending keepalive at proper interval when other side gets response
Component: Local Traffic Manager
Symptoms:
FastL4 does not send a keepalive at the proper interval when the other side receives a response. With FastL4, when a response to an LTM-initiated keepalive is received from the device on one side, it is forwarded to the other side.
That forwarding appears to cause the keepalive due on the other side not to be sent. The keepalive interval is 20 seconds. If the LTM is scheduled to send a keepalive to the server, but receives a keepalive response on the client side before it sends the server-side keepalive, the client-side keepalive response is forwarded, but the actual keepalive is not sent to the server.
Conditions:
FastL4 and keepalive.
Impact:
Potential for connection failure: in FastL4, the timeout timer is not updated unless a response is returned. Since the LTM does not send the keepalive, there will be no response for that interval.
Workaround:
None.
670501-5 : ASM policies are either not (fully) created or not (fully) deleted on the HA peer device
Solution Article: K85074430
Component: Application Security Manager
Symptoms:
Policies are either not (fully) created or not (fully) deleted on the peer device
Conditions:
-- Device Service Clustering configured.
-- High availability (HA) configuration with Sync-Only (no failover) device group (Auto, incremental) with ASM sync enabled.
-- Create/delete active/inactive ASM policies via TMSH/GUI.
Impact:
Policies are either not created/deleted, or not fully created/deleted.
Note: 'Fully created' and 'fully deleted' mean that the output of the following commands agrees:
# tmsh list asm policy one-line all-properties
# tmsh list asm policy one-line
Workaround:
Issue a forced full sync from the originating device to the device group.
670456-3 : Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number
Component: Access Policy Manager
Symptoms:
The Flash AS3 mx.core::CrossDomainRSLItem() wrapper fails when it is called with a number of arguments other than 7.
Conditions:
Any Flash content that calls mx.core::CrossDomainRSLItem() with a number of arguments other than 7.
Impact:
Flash application malfunction.
670367-2 : On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.
Solution Article: K39391280
Component: Access Policy Manager
Symptoms:
On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.
The limit of customization group objects that the BIG-IP Virtual Edition (VE) can load is approximately 13 KB.
Conditions:
Large number of policies (thousands) and customization objects (tens of thousands).
Impact:
Unable to load configuration.
Workaround:
Turn off watchdog for mcpd via tmsh using the following command:
tmsh modify sys daemon-ha mcpd heartbeat disabled
Important! Remember to re-enable the mcpd watchdog after the config loads successfully. To do so, run the following command:
tmsh modify sys daemon-ha mcpd heartbeat enabled
670258-2 : Multicast pings not forwarded by TMM
Component: Local Traffic Manager
Symptoms:
When multicast routing is configured, ICMP or ICMP6 pings are not forwarded by TMM even though UDP and other protocol traffic to the same group addresses works.
Conditions:
Multicast routing configured, VIP configured to forward ICMP traffic.
Impact:
Multicast group addresses cannot be reached with ICMP or ICMP6 echo requests.
Workaround:
n/a
669978-4 : SIP monitor - Via header's branch parameter collision.
Component: Service Provider
Symptoms:
When there is a failover in a high availability (HA) setup with SIP monitors, the SIP backend servers start flapping on both units. The reason this occurs is that after the failover, the two BIG-IP systems send SIP monitoring messages to the pool members with the same branch parameter on their Via headers. The backend server internal logic gets confused by the request coming from LB2 because it uses the same branch parameters of the request coming from LB1.
Conditions:
The SIP branch hash string is short enough that, when enough SIP monitor messages are sent, branch collisions become possible.
Impact:
This causes the backend server to erroneously send a response message to LB1 instead of LB2.
Workaround:
None.
669739-1 : Potential core when using MRF SIP with SCTP
Solution Article: K71963740
Component: Service Provider
Symptoms:
The system may core when using SCTP with MRF SIP if the outgoing connection receives more messages than it can process.
Conditions:
-- SCTP with MRF SIP configured.
-- Outgoing connection receives more messages than it can process.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
669268 : Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
Component: TMOS
Symptoms:
Intermittently available AWS services may lead to failure of curl requests to AWS or ec2 tools commands, resulting in failure of failover. As a result, public EIPs (for virtual servers) might remain pointing to the standby BIG-IP system.
Conditions:
AWS services are intermittently available.
Impact:
Failure of failover. Traffic will be routed to the standby BIG-IP system and lost.
Workaround:
Manually fail the systems over until failover succeeds at the desired BIG-IP system.
669262-2 : [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
Solution Article: K91122850
Component: Global Traffic Manager (DNS)
Symptoms:
Creating a reverse zone in ZoneRunner whose name ends with a case variation of .arpa (such as .ARPA) rather than exactly .arpa results in the zone not being treated as a reverse zone.
PTR is not available from the 'Type' drop-down menu when creating a new resource record for that zone:
DNS :: Zones : ZoneRunner : Resource Record List :: New Resource Record.
Conditions:
Creating a reverse zone in ZoneRunner whose name ends with a case variation of .arpa (such as .ARPA) rather than exactly .arpa.
Impact:
Cannot create PTR resource record for the created reverse zones.
Workaround:
Create reverse zones whose names end with exactly .arpa.
669241-1 : Cannot create stateless virtual servers with ip-protocol set to 'gre'.
Component: TMOS
Symptoms:
Stateless virtual servers can be used only for UDP traffic.
Conditions:
Attempt to create a stateless virtual server with ip-protocol set to 'gre'.
Impact:
Operation does not succeed. Cannot create stateless virtual servers with ip-protocol set to 'gre'.
Workaround:
None.
668964-2 : 'bgp neighbor <peer IP> update-source <IP>' command may apply change to all peers in peer-group
Solution Article: K81873940
Component: TMOS
Symptoms:
When running the 'bgp neighbor <peer IP> update-source <IP>' command to a single peer, the changes may be applied to all peers in peer-group, if the peer IP belongs to a peer group.
Conditions:
- Using BGP with peer-groups.
- Run 'bgp neighbor <peer IP> update-source <IP>', where <peer IP> is an IP of a peer in a peer-group.
Impact:
Changes may apply to all peers in the group.
Workaround:
Depending on the network setup, it may be possible to work around the issue using the interface version of the command:
bgp neighbor <peer IP> update-source <vlan name>.
668849-1 : Upgrade failure for apm-log-setting objects★
Component: Access Policy Manager
Symptoms:
After upgrade to 13.1.0, the configuration will fail to load with error: 01070734:3: Configuration error: In apm log-config (/p1/f1/sso-log-setting-Critical) there can only be one instance of access log configuration
Unexpected Error: Loading configuration process failed.
Conditions:
Before the upgrade, the configuration contains sso form-basedv2 objects or saml sso config objects.
Impact:
mcpd will fail to start.
Workaround:
Manually edit bigip.conf, remove all the sso form-basedv2 objects and saml sso config objects, and then run tmsh load sys config.
668196-2 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down
Component: Local Traffic Manager
Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.
Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).
Impact:
Pool member remains marked down.
Workaround:
This condition is very rare, but if it occurs you can try removing the pool member or node and re-adding it.
668006-1 : Suspended 'after' command leads to assertion if there are multiple pending events
Solution Article: K12015701
Component: Local Traffic Manager
Symptoms:
TMM crashes when an iRule contains multiple parking commands, including the 'after' command.
Conditions:
-- The iRule contains multiple parking commands.
-- The 'after' command is used multiple times in the iRule.
Note: The exact condition that crashes tmm is not definitive, but when the above situation is met, it can trigger this crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Depending on the iRule (e.g., a script that uses the 'after' command very heavily or very often), the usages can be combined. For example:
after 100
after 200 { some script }
can be combined into:
after 300 { the script }
667707-2 : LTM Policy validation error causes config sync failure
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, configuration sync fails after an LTM policy is removed from a virtual server and deleted.
Conditions:
1. LTM Policy is added to a virtual server.
2. That virtual server is sync'd to a remote system.
3. The policy is detached from the virtual server.
4. The virtual server is deleted.
Impact:
Configuration fails to sync.
Workaround:
There is no workaround at this time.
667662-1 : Autolasthop does not work for PPTP-GRE traffic.
Solution Article: K06579313
Component: Carrier-Grade NAT
Symptoms:
Autolasthop does not work for PPTP-GRE traffic.
Conditions:
Autolasthop configured for client ingress VLAN, serving PPTP-ALG traffic.
Impact:
PPTP-ALG traffic through the BIG-IP system.
Workaround:
Create static routes to return PPTP-GRE traffic back to the client network.
667661-4 : Adding HA devices to Access Group in BIG-IQ fails with error: 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'
Solution Article: K69015104
Component: Device Management
Symptoms:
Adding a secondary HA device to Access Group fails with error 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'.
Conditions:
Fails when adding an HA device to an Access Group.
Impact:
Device cannot be added to Access Group.
Workaround:
None.
667518 : SSO Configurations update is failing from UI
Component: Access Policy Manager
Symptoms:
SSO Configurations update is failing from the GUI.
Conditions:
While creating an SSO form together with an SSO configuration, the update fails with a UI JavaScript error.
Impact:
From the UI, the user cannot update the SSO configuration while creating the SSO form.
Workaround:
Create a separate SSO form and assign it to the SSO configuration, or use tmsh to create both.
667476 : Upgrade and config load can fail if a data group record of type string contains a tab character
Component: TMOS
Symptoms:
When a data group record is of type 'string' and contains a tab (\t), the record loads, but when the configuration is saved, the record is not saved with enclosing quotes.
Conditions:
-- Data group whose type is string.
-- Record entry that contains a tab character along with other non-whitespace characters.
Note: If other whitespace characters are present the string will have enclosing quotes and this issue will occur.
Impact:
Saved config does not load when running the command: tmsh load /sys config.
Upgrade fails to load the configuration.
Workaround:
In order to either load the configuration or upgrade, you must manually edit the bigip.conf file and enclose the string in quotation marks, as shown in the following example:
Existing config:
ltm data-group internal /Common/sample_dg {
    records {
        entry1 {
            data /BIG-IP BAD
...
Modified config:
ltm data-group internal /Common/sample_dg {
    records {
        entry1 {
            data "/BIG-IP BAD"
...
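The manual quoting step above can be automated before running tmsh load sys config. The following Python script is an added example, not part of the release note or any F5 tool: it rewrites unquoted data-group record values that contain a tab, leaving every other line of the file untouched. The bigip.conf excerpt it ships with is constructed, and the function name is an assumption.

```python
import re
import sys

# Matches a data-group record value line, e.g. "    data /BIG-IP<TAB>BAD".
# The value group is everything after "data " with trailing whitespace removed.
DATA_LINE = re.compile(r'^(?P<indent>\s*)data (?P<value>.*?)\s*$')


def quote_tab_record_values(conf_text):
    """Wrap unquoted 'data' values that contain a tab in double quotes.

    Only lines inside 'ltm data-group' blocks are touched. A value that is
    already quoted, or that itself contains a double quote, is left alone so
    the script never emits a value it cannot quote safely.
    Returns (fixed_text, list_of_changed_line_numbers).
    """
    fixed_lines = []
    changed = []
    in_data_group = False
    depth = 0  # brace depth inside the current data-group block
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.strip()
        if not in_data_group and stripped.startswith("ltm data-group "):
            in_data_group = True
            depth = 0
        if in_data_group:
            match = DATA_LINE.match(line)
            if match:
                value = match.group("value")
                if "\t" in value and '"' not in value:
                    line = '%sdata "%s"' % (match.group("indent"), value)
                    changed.append(lineno)
            else:
                # Track block nesting only on structural lines, so braces
                # inside a record value cannot confuse the depth counter.
                depth += stripped.count("{") - stripped.count("}")
                if depth <= 0 and "}" in stripped:
                    in_data_group = False
        fixed_lines.append(line)
    fixed_text = "\n".join(fixed_lines)
    if conf_text.endswith("\n"):
        fixed_text += "\n"
    return fixed_text, changed


# Constructed bigip.conf excerpt (not taken from a real system). entry1
# reproduces the release note's '/BIG-IP<TAB>BAD' case; the other records and
# the pool are controls that must come through unchanged.
SAMPLE_CONF = (
    "ltm data-group internal /Common/sample_dg {\n"
    "    records {\n"
    "        entry1 {\n"
    "            data /BIG-IP\tBAD\n"
    "        }\n"
    "        entry2 {\n"
    "            data \"already\tquoted\"\n"
    "        }\n"
    "        entry3 {\n"
    "            data no-tab-here\n"
    "        }\n"
    "    }\n"
    "    type string\n"
    "}\n"
    "ltm pool /Common/sample_pool {\n"
    "    monitor tcp\n"
    "}\n"
)


if __name__ == "__main__":
    # Usage: python quote_tabs.py /path/to/copy-of-bigip.conf > fixed.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    fixed, changed = quote_tab_record_values(text)
    for lineno in changed:
        sys.stderr.write("quoted record value on line %d\n" % lineno)
    sys.stdout.write(fixed)
```

Run it against a copy of bigip.conf, review the diff, and only then replace the original and load the configuration as the workaround describes.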
667295-1 : 'RTSP::header exists' iRule command always returns True
Solution Article: K51601122
Component: Carrier-Grade NAT
Symptoms:
Using the 'RTSP::header exists' command in an iRule returns true even if the header is not present.
Conditions:
Using the 'RTSP::header exists' command in an iRule, e.g., [RTSP::header exists "Transmitting"].
Impact:
Returns 1 (TRUE) even if the header is not present. Should return 2 (ERR_NOT_FOUND) on failure.
Workaround:
None.
667257-2 : CPU Usage Reaches 100% After Traffic Flowed Into CGNAT
Component: TMOS
Symptoms:
CPU usage reaches 100% after traffic flows into CGNAT. This is an issue with re-offloading to ePVA.
Conditions:
-- CGNAT configured.
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.
Impact:
Default configurations may suddenly show higher CPU performance profile usage after upgrade.
Workaround:
None.
667223 : The merge option for the tmsh load sys config command removes existing nested objects
Component: TMOS
Symptoms:
Nested objects are removed when newer objects are merged in.
Configuration objects can contain nested objects. The merge option of the tmsh load sys config command is expected to merge the nested objects passed in alongside the existing objects.
Example:
Initial configuration:
[root@plate:Active:Standalone] config # tmsh list ltm pool
ltm pool test-pool-mcconfig {
    members {
        test-mc1:http {
            address 10.13.14.15
            priority-group 1
            session monitor-enabled
            state checking
        }
        test-mc2:http {
            address 10.13.14.16
            priority-group 4
            session monitor-enabled
            state down
        }
    }
    monitor tcp
}
Run the load merge command:
[root@plate:Active:Standalone] config # tmsh -m
root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm pool test-pool-mcconfig {
    members {
        test-mc2:http {
            priority-group 0
        }
    }
}
Loading configuration...
root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# ^D
New configuration, not merged:
[root@plate:Active:Standalone] config # tmsh list ltm pool
ltm pool test-pool-mcconfig {
    members {
        test-mc2:http {
            address 10.13.14.16
            session monitor-enabled
            state down
        }
    }
    monitor tcp
}
Conditions:
Execute tmsh load sys config merge from-terminal command.
The configuration contains nested objects. The configuration that is being merged in contains nested objects of the same type as the existing configuration.
Impact:
Configuration loss: after the merge, the existing nested configuration objects are deleted.
Workaround:
None.
667173 : 13.1.0 cannot join a device group with 13.1.0.1
Component: TMOS
Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.
Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.
Impact:
Cannot form Device Trust.
Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.
667114-1 : TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
Solution Article: K32622880
Component: TMOS
Symptoms:
TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
Conditions:
-- BWC policy applied.
-- TCP traffic passes through the IP forwarding or L2 forwarding virtual server.
Impact:
Lower throughput than expected.
Workaround:
When using BWC, use a proxy virtual server instead of IP forwarding or L2 forwarding virtual servers.
667082-2 : Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.
Solution Article: K21090061
Component: TMOS
Symptoms:
Failure occurs when attempting to configure or load OSPF configurations in imish using an interface-level command similar to the following:
ip ospf <IP> message-digest-key <key index> md5 <password>.
Conditions:
This occurs when using the following command:
ip ospf <IP> message-digest-key.
Impact:
The command causes an error and cannot be used or loaded. This may cause OSPFv2 adjacencies to fail.
Workaround:
If possible, use the non-IP version of the interface-level command, similar to the following:
ip ospf message-digest-key <key index> md5 <password>.
666889-1 : Deleting virtual server may cause tmm to segfault
Solution Article: K25769531
Component: Local Traffic Manager
Symptoms:
Deleting virtual server may cause tmm to segfault.
Conditions:
-- Virtual server is rate-limited.
-- In-progress connections exist.
-- Virtual server is deleted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
666884-2 : cpcfg cannot copy a configuration on a chassis platform★
Solution Article: K27056204
Component: TMOS
Symptoms:
cpcfg fails with errors similar to:
info: Getting configuration from HD1.3
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
error: status 256 returned by command: F5_INSTALL_MODE=install F5_INSTALL_SESSION_TYPE=hotfix chroot /mnt/tm_install/23102.e3MAZU /usr/local/bin/im -force /var/local/ucs/config.ucs
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /shared: Not enough free space
info: 6144 bytes required
info: 0 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.
Conditions:
Only on a chassis platform running 13.0.x.
Impact:
You cannot use cpcfg on a chassis platform.
Workaround:
Save a UCS from the source volume, reboot to the destination volume, then load that UCS file.
666595-2 : Monitor node log fd leak by bigd instances not actively monitoring node
Component: Local Traffic Manager
Symptoms:
Each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis opens a file descriptor for each node or pool member that has monitor logging enabled. However, only one instance of bigd is actively monitoring each individual node, and actively logging health monitor events to the node log. When LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool, or pool member configuration.
Note: This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool or pool member configuration.
Conditions:
This may occur when the following conditions are met:
1. An LTM health monitor is assigned to an LTM node, pool or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool or pool member configuration while logging is still enabled ('monitor' value set to 'none').
Impact:
When this problem occurs, the instance of bigd that is actively monitoring a particular node will close its file descriptor to that node's log file (under /var/log/monitors), but other instances of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis will leak their file descriptor to the node log.
File descriptors that are opened by the bigd daemon and not closed will count against bigd's internal file descriptor limit. This may result in file descriptor exhaustion and failure of LTM health monitoring.
Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.
666505-2 : Gossip between Viprion blades
Component: iApp Technology
Symptoms:
Gossip does not appear to run between Viprion blades in a device service cluster.
Conditions:
Two BIG-IP systems running the latest build, configured with device service clustering and an HA group.
Impact:
Enabling Gossip on the non-primary Viprion blade interferes with communication between the primary and the remote peer.
Workaround:
Do not enable Gossip on the non-primary Viprion blade.
666497-2 : Some of the Korean translations in Windows Edge Client were incorrect
Component: Access Policy Manager
Symptoms:
Some of the Korean translations in Microsoft Windows Edge Client's main windows are incorrect.
Conditions:
User uses Edge Client application on Windows.
Impact:
Confusion due to inaccurate translation.
Workaround:
None.
666401-2 : Memory might become corrupted when a Standby device transitions to Active during failover
Solution Article: K03294104
Component: Local Traffic Manager
Symptoms:
When a failover event occurs with connection mirroring enabled, it is possible for memory to be corrupted when the Standby device transitions to Active.
Conditions:
-- Active-Standby high availability configuration.
-- Virtual server configured with the type set to 'Standard'.
-- Connection mirroring enabled.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
None.
666258-2 : GTM/DNS manual resume pool member not saved to config when disabled
Component: Global Traffic Manager (DNS)
Symptoms:
A pool member left disabled by manual-resume becomes available again after a reboot.
Conditions:
GTM pool is configured with manual-resume enabled and its pool member was once unavailable.
Impact:
A pool member that should remain disabled is unexpectedly available.
Workaround:
After the pool member becomes disabled, manually run:
# tmsh save sys config gtm-only
666221-2 : tmm may crash from DoSL7
Component: Advanced Firewall Manager
Symptoms:
tmm crash.
Conditions:
A virtual server configured with the following:
a compression profile, an HTTP profile with DoSL7 and a DoSL7 iRule, and RAM Cache.
Impact:
SIGSEGV. Traffic disrupted while tmm restarts.
Workaround:
None.
666127-1 : Flows are incorrectly processed on a standby system.
Component: Local Traffic Manager
Symptoms:
Standby system incorrectly processes flows, even if there is no other traffic group active on that system.
Conditions:
-- Spanning is enabled for a virtual address.
-- No other traffic group active on a standby system.
Impact:
Flows are incorrectly processed.
Workaround:
None.
666117-4 : Network failover without a management address causes active-active after unit1 reboot
Component: TMOS
Symptoms:
An appliance in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.
Conditions:
Device Service Cluster with only self-ips configured for the failover network.
Impact:
Unexpected failover may cause traffic interruption.
Workaround:
Configuring multiple redundant network failover paths, including the management network, reduces the likelihood of this problem.
666112-1 : TMM 'DoS Layer 7' memory leak during config load
Component: Advanced Firewall Manager
Symptoms:
Degraded performance; potential eventual out-of-memory.
Note: The 'DoS Layer 7' allocations increase by 'TMM count * #domains' after each config load.
Tip: You can watch the 'DoS Layer 7' allocations increase from a shell on the BIG-IP system using the following command:
# watch -n1 -- 'tmctl -s name,allocated,max_allocated,cur_allocs memory_usage_stat | grep -E "^name|---|^DoS Layer 7 "'
Conditions:
-- Provision ASM.
-- Make sure the built-in 'security dos bot-signature' objects are added to the config.
-- Load the config from another shell using the following command:
tmsh load sys config
Impact:
Degraded performance; potential eventual out-of-memory.
Workaround:
None.
665777 : TMM0 on the secondary blade sends out extra ARP replies
Component: Local Traffic Manager
Symptoms:
TMM0 on the secondary blade can send out more than one ARP reply when it receives an ARP request.
Conditions:
ARP request is received by TMM0 on the secondary blade.
Impact:
The BIG-IP system sends out extra ARP replies.
Workaround:
None.
665470-1 : Failed to load sample requests on the Traffic Learning page when the VIOL_MALICIOUS_IP violation is raised
Component: Application Security Manager
Symptoms:
The Traffic Learning page fails to load sample requests for malicious IP addresses in a specific case.
Conditions:
-- IP intelligence is turned on.
-- Logging is turned off.
Impact:
Requests that should be learned are not.
Workaround:
Turn on logging.
665425-3 : AVR Max metrics shows wrong values
Solution Article: K24182390
Component: Application Visibility and Reporting
Symptoms:
In the AVR HTTP Page, metrics Max TPS and Max Throughput display incorrect values.
Conditions:
The root cause is a 32-bit overflow, so incorrect values are displayed when traffic volumes are high.
Impact:
Displayed metrics do not correctly show activity.
Workaround:
There is no workaround at this time.
665362-4 : MCPD might crash if the AOM restarts
Component: TMOS
Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.
Conditions:
This can occur while AOM is restarting.
Impact:
System goes offline for a few minutes.
Workaround:
None.
665117-2 : DNS configured with two generic hosts in different data centers, with the same monitors: server status flaps
Solution Article: K33318158
Component: Global Traffic Manager (DNS)
Symptoms:
DNS server status flaps from red to green to red.
Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.
Impact:
Server status flaps from red to green and back.
Workaround:
Check Transparent for these monitors.
664714-1 : Client-side challenge is changing POST parameter value under some circumstances
Component: Application Security Manager
Symptoms:
A parameter arrives at the server with a different value than the client sent. This happens while a brute force attack challenge, a web scraping challenge, or a web scraping session client-side mitigation is in progress.
Conditions:
-- POST request with URL-decoded parameters.
-- A parameter is escaped.
-- A client-side challenge is returned for this request.
Impact:
The wrong parameter value arrives at the application. In response, the application may stop working or have other errors.
Workaround:
N/A
664000 : TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing
Component: Local Traffic Manager
Symptoms:
Dynamic configuration changes with live traffic can cause complicated issues or unpredictable behavior. TMM might restart and generate a core file when the key/cert on a profile is modified while ongoing SSL handshakes are using it. The system posts messages similar to the following:
-- crit tmm3[13499]: 01010260:2: Hardware Error(Co-Processor): cn3 request queue stuck
-- warning sod[6005]: 01140029:4: HA crypto_failsafe_t cn-crypto-3 fails action is failover.
Conditions:
The key/cert on a profile is modified while ongoing SSL handshakes are holding it.
In one case, OCSP was removed from all the SSL profiles at some point after the handshake started, so the handshake picked up the new profile without refreshing or invalidating the handshake's copy of the key_cert.
Impact:
Normal functionality might be disrupted. Traffic disrupted while tmm restarts.
Note: There is no support currently for dynamic profile configuration changes while there are ongoing connections using the profile.
Workaround:
Do not try to modify key/certs on a profile while there are a lot of ongoing connections using it.
663946-2 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
Solution Article: K92111062
Component: Advanced Firewall Manager
Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.
Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).
Impact:
May result in lower than expected DNS load test results.
Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
Note: For AFM hardware DoS protection, the host and vCMP guest must be the same version; disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.
663911-2 : When running out of memory, MCP can report an incorrect allocation size
Component: TMOS
Symptoms:
If MCP runs out of memory, it may attempt to log how much memory it was allocating when this happened, with a message similar to the following:
Failed to allocate memory for size 260 at clone_message:952.
The memory size indicated in the message may be incorrect.
Conditions:
MCP runs out of memory while attempting an allocation.
Impact:
Misleading logs that make it more difficult to troubleshoot mcpd memory issues.
Workaround:
None.
663770-2 : AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server
Solution Article: K04025134
Component: Advanced Firewall Manager
Symptoms:
AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server.
This is a regression from 12.1.x behavior.
Conditions:
Incoming traffic matches a virtual server and then gets internally redirected to another virtual server either via an iRule or a LTM local traffic policy.
Impact:
This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.
Workaround:
There is no workaround at this time.
663531-1 : TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel
Component: Carrier-Grade NAT
Symptoms:
TMM crashes when PPTP finds a matching non-PPTP-GRE flow when checking for an existing tunnel.
Conditions:
PPTP-ALG and CGNAT are configured on a BIG-IP system, and a GRE tunnel matches a PPTP-GRE flow.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Possible mitigation: do not use a forwarding virtual server for non-PPTP GRE traffic.
663178-1 : tmm may crash sometimes when using VPN
Component: Local Traffic Manager
Symptoms:
tmm crashes and the BIG-IP system fails over.
Conditions:
VPN is in use.
Impact:
tmm crashes and the BIG-IP system fails over. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
662905 : Rate class configured at very low rate (under packet size per second) cannot pass traffic.
Component: Local Traffic Manager
Symptoms:
When rate class is configured at very low rate (under packet size per second) it cannot pass traffic.
Note: Rate class ceiling and rate are equally divided between the cores, so the minimum bandwidth needed to pass traffic on a 4-core system is 4(2 KB * 8) = 64k and on an 8-core system it is 128 KB, which gives each core about 2 KB per second. If the system is expected to pass jumbo packets, then the system must be configured accordingly.
Conditions:
-- BIG-IP 2000/4000 Series platforms.
-- Rate class is configured at very low rate.
Impact:
BIG-IP does not pass traffic.
Workaround:
None.
662816-2 : Monitor node log fd leak for certain monitor types
Solution Article: K61902543
Component: Local Traffic Manager
Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.
Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').
Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.
This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.
The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open
Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.
File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.
Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.
662372-1 : Uploading a new device certificate file via the GUI might not update the device certificate
Solution Article: K41250179
Component: TMOS
Symptoms:
After uploading a new device certificate via the 'Upload File' option in the GUI, the device certificate remains unchanged.
Conditions:
-- Upload a new device certificate file via the GUI.
-- There is already a file called /tmp/server.crt.
Impact:
The device certificate is not updated and no error is shown.
Workaround:
Use the 'Paste Text' option to import the certificate.
662296-1 : Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address
Component: Local Traffic Manager
Symptoms:
Management connectivity loss over the management cluster IP address. This is caused by a secondary blade temporarily taking over the cluster primary due to starvation of clusterd on the blade running tcpdump.
Conditions:
-- A multi-bladed configuration with full traffic load.
-- Run tcpdump -i 0.0.
Impact:
Loss of connectivity to the cluster floating IP address. The /var/log/ltm clusterd shows timeouts and temporary change of primaryship.
Workaround:
Mitigation:
-- Judicious use of tcpdump -i 0.0.
Recovery:
-- Kill tcpdump from the SSH session to the slot IP address directly, or using the console.
-- Restart tmm to fix the issue with MPI stream connection loss.
660826-1 : BIG-IQ Deployment fails with customization-templates
Component: Access Policy Manager
Symptoms:
A BIG-IQ deployment that issues multiple commands in a transaction to modify a customization group fails.
Conditions:
The following tmsh steps simulate what BIG-IQ does:
1) Add a log-on agent in your policy.
2) Edit the log-on agent customization (Advanced Customization: both logon.inc and view.inc).
This should create two customization templates.
3) Make a backup of the customization template files in some folder (/tmp). For example, to copy logon.inc and view.inc for the logon agent in the sjc-access policy (sjc-access_act_logon_page_ag), the following cp statements work:
cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc
4) tmsh
5) create /cli transaction
6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }
7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }
8) submit /cli transaction
Impact:
BIG-IQ operations that change a customization group fail.
Workaround:
There is no workaround.
660807 : Clientside command with parking command crashes TMM
Component: Local Traffic Manager
Symptoms:
iRule parking command 'table lookup' inside clientside crashes TMM.
Conditions:
iRule parking command 'table lookup' inside clientside.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
If possible, move the parking command outside clientside/serverside.
660760-1 : DNS graphs fail to display in the GUI
Solution Article: K75105750
Component: TMOS
Symptoms:
Can no longer view the DNS graphs in the GUI after upgrading from an earlier release. The system reports the following error in the GUI when visiting GUI Statistic :: Performance :: DNS: Error trying to access the database.
Conditions:
This occurs when the BIG-IP system is licensed for the GTM module (mod_gtm) instead of the DNS module (mod_dnsgtm). This might occur in the case where the system is upgraded from an earlier release such as v10.2.4 (where the module was GTM) to a later release such as v12.1.1 (where the module is DNS).
Impact:
Accessing the DNS graphs in the GUI fails.
Workaround:
None.
660327-2 : Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
Component: Application Security Manager
Symptoms:
Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
This happens only if before the upgrade, there was an ASM logging profile which had both remote logging and local logging enabled on it.
In the case of a single logging profile with local-plus-remote ASM enabled on it, upon an upgrade, the logging profile is split into two profiles. One has the '_local' extension added to it. Another attempt to load the config of the pre-upgrade system will fail. This only happens when using 'load sys config' or 'load sys config file', and does not happen when using 'load sys ucs'.
Upon failure, the following error is seen on the terminal:
01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.
And in /var/log/ltm:
err mcpd[6618]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127.
Conditions:
-- Using a configuration that contains a Log Profile with ASM enabled and both Remote Log and Local Log enabled.
-- Upgrade to 12.1.2 or later (Use roll-forward upgrade, or instead use clean install and afterwards load the saved config file).
Impact:
Config load fails. Upgrade fails.
Workaround:
Use one of the following workarounds:
1. Save the new configuration before editing and re-loading, using the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all
(Note: Saving the UCS also saves the configuration.)
2. Instead of loading the full configuration directly, first load the base and then load the full configuration:
tmsh -c 'load sys config partitions all base; load sys config partitions all'
660326-2 : Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.★
Solution Article: K91072177
Component: Application Security Manager
Symptoms:
Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.
Conditions:
-- Websecurity profile assigned to a virtual server.
-- ASM not provisioned.
-- Upgrade to v12.1.0 or later.
Impact:
Upgrade fails.
Note: Although this is an invalid configuration, upgrade should not fail.
Workaround:
There are two workarounds.
-- Provision ASM.
-- Remove all websecurity profiles (and LTM policies that control ASM) from all virtual servers.
Note: The first workaround must be done before the update. The second can be done before the upgrade, or by editing the config files and re-loading config (first base, then all) using the following command:
tmsh -c 'load sys config partitions all base; load sys config partitions all'
659930-1 : Enterprise Manager may receive malformed data if there are multiple monitors on a pool
Component: Global Traffic Manager (DNS)
Symptoms:
Enterprise Manager (EM) may receive malformed data if there are multiple monitors on a pool. big3d returns malformed xml. Messages similar to the following appear in /var/log/em:
Could not parse xml for device.
Conditions:
-- A flapping pool has more than two HTTP-type monitors.
-- iControl data returned from big3d LTM is malformed xml.
Impact:
Malformed data causes EM to not be able to gather stats from big3d.
Workaround:
None.
659709-1 : Memory leak under rare conditions
Solution Article: K80024155
Component: Local Traffic Manager
Symptoms:
Memory leak
Conditions:
-- Mirrored flow.
-- Persistence used.
-- Another error condition such as high availability (HA) channel down.
Impact:
Memory leak.
Workaround:
None.
659519 : Non-default header-table-size setting on HTTP2 profiles may cause issues
Solution Article: K42400554
Component: Local Traffic Manager
Symptoms:
HTTP2 connection sent RST_STREAM due to protocol error in response to headers frame.
Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.
Impact:
Periodic HTTP2 connection failure to the virtual.
Workaround:
Restore the default header-table-size setting for the HTTP2 profile.
659173-1 : Diameter Message Length Limit Changed from 1024 to 4096 Bytes
Solution Article: K76352741
Component: Service Provider
Symptoms:
Diameter messages longer than 1024 bytes might cause core dumps.
Conditions:
Using Diameter messages longer than 1024 bytes.
Impact:
Core dumps on Diameter MRF virtual servers.
Workaround:
Make sure messages are less than 1024 bytes.
658850 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
Component: TMOS
Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.
If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.
Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate
Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.
Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>
658664-2 : VPN connection drops when 'prohibit routing table change' is enabled
Component: Access Policy Manager
Symptoms:
When there is a brief network outage and 'prohibit routing table change' is enabled, VPN gets disconnected and no further attempts are made to re-establish the VPN connection.
Conditions:
-- A brief network outage occurs.
-- The 'prohibit routing table change' option is enabled.
Impact:
APM end users must click 'Connect' and re-authenticate in order to re-establish the VPN connection.
Workaround:
To re-establish the VPN connection, click 'Connect' and re-authenticate.
658298-3 : SMB monitor marks node down when file not specified
Component: TMOS
Symptoms:
The smb monitor may always mark the node down when the file is not specified in the monitor config.
Conditions:
Pool member monitored with smb monitor.
Impact:
Service impact due to node being marked down.
Workaround:
Configure the monitor to fetch a file (authenticated).
658278-3 : Network Access configuration with Layered-VS does not work with Edge Client
Component: Access Policy Manager
Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.
Conditions:
Network Access is configured as follows:
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.
Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.
Workaround:
None.
658103 : TMM core while adding logging action to APM SWG
Solution Article: K00652162
Component: Access Policy Manager
Symptoms:
TMM core while adding logging action to APM SWG.
Conditions:
-- Use of an application lookup perflow variable (perflow.application_lookup.result.*) in an SWG per-request Logging Agent.
-- No Application Lookup Agent found prior in the chain.
For example:
- The following example will crash:
start : logging : allow
- The following will succeed:
start : application lookup : logging : allow
Impact:
TMM core. Traffic disrupted while tmm restarts.
Workaround:
There are two possible workarounds:
-- Remove the applicable perflow variables from the logging agent.
-- Add an application lookup before trying to log application lookup perflow variables.
658036-2 : Honoring negotiated MSS for TCP segmentation
Solution Article: K04651090
Component: TMOS
Symptoms:
Following are the symptoms:
1. When the BIG-IP system's MTUs are larger than the smallest MTU in the end-to-end path:
-- The BIG-IP system does not mark coalesced packets larger than egress MSS but smaller than egress MTU in the BIG-IP system for segmentation. Therefore, the BIG-IP system receives 'ICMP fragmentation needed' messages from an intermediate router which drops the packets when the Don't Fragment (DF) bit is set in IP header.
2. When the BIG-IP system's MTUs are less than 1500:
-- On ingress, the BIG-IP system rejects coalesced packets that are larger than the ingress MTU, smaller than 1500, and have the DF bit set in the IP header. The BIG-IP system sends an 'ICMP fragmentation needed' message to the sender.
Conditions:
* Generic Receive Offload (GRO) and Large Receive Offload (LRO) for data plane interfaces are supported and enabled (both in host and guest).
* Packets are sent with DF bit set.
* For #1:
-- FastL4 profile in use.
-- The BIG-IP system's VLAN MTUs are larger than the smallest MTU in the end-to-end path.
* For #2:
-- The BIG-IP system's MTUs are set to a value that is less than 1500.
-- The packets' DF bits are set.
Impact:
No traffic or very low throughput.
Workaround:
Disable LRO and GRO for data plane interfaces using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
Note: For KVM virtio devices, LRO/GRO need to be turned off in host NIC.
657912-1 : PIM can be configured to use a floating self IP address
Component: TMOS
Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.
Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.
Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.
Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.
657883-2 : tmm cache resolver should not cache response with TTL=0
Solution Article: K34442339
Component: Local Traffic Manager
Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.
Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.
Impact:
tmm cache resolver caches responses with TTL=0.
Workaround:
None.
657834-2 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
Solution Article: K45005512
Component: TMOS
Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.
Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.
Note: The greater the number of routes flapping, the more likely to see the condition.
Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.
However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.
Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.
657727-2 : Running tcpdump from TMSH cannot capture the local "tmm" interface
Solution Article: K39694060
Component: TMOS
Symptoms:
Cannot run tcpdump against the "tmm" interface. System posts errors similar to the following:
tcpdump: pcap_loop: Device /Common/tmm not found
tcpdump: ioctl: No such device
This occurs because the 'tmm0' interface was renamed to 'tmm' beginning in v12.1.0, but the libbigpacket conditional logic to handle "special device names" still references 'tmm0'.
Conditions:
-- When running tmsh, an environment variable ("TMOS_PATH") is set.
-- The user logs in to the CLI with a default shell of tmsh (either as configured, or with a role assigned via remote-roles), or tries to run tcpdump via tmsh.
Impact:
Cannot run tcpdump on the 'tmm' internal interface.
Workaround:
Unset the 'TMOS_PATH' environment variable before running tcpdump.
657626-2 : User with role 'Manager' cannot delete/publish LTM policy.
Component: Local Traffic Manager
Symptoms:
User with role 'Manager' cannot delete/publish LTM policy.
audit.log contains a message similar to the following:
notice icrd_child[18194]: 01420002:5: AUDIT - pid=18194 user=Manager folder=/Manager module=(tmos)# status=[01070822:3: Access Denied: User (Manager) may not delete objects in partition (Common)] cmd_data=publish ltm policy /Manager/Drafts/draft-test.
Conditions:
-- User with 'Manager' role.
-- Attempting to delete or publish an LTM policy.
Impact:
Operation does not complete, and system posts error.
Workaround:
None.
657531-2 : High memory usage when using the ICAP server
Solution Article: K02310615
Component: Application Security Manager
Symptoms:
High UMU memory when using the ICAP server.
Conditions:
-- ICAP is in use.
-- There are long requests (requests longer than 128 KB) that should get to the ICAP server.
Impact:
UMU memory goes up.
Workaround:
-- Decrease the max concurrent long requests.
-- Decrease the long request buffer size.
-- Make sure the ICAP server is up and running and responding quickly (the issue will be more visible when the ICAP server is lagging).
656898-2 : "oops" "bad transition" messages occur
Component: Local Traffic Manager
Symptoms:
The /var/log/ltm log shows many "oops" "bad transition" messages.
Conditions:
These messages occur due to internal invariant violations on full proxy TCP virtual servers. Ramcache or SSL on these virtual servers are likely causes. There may be yet unknown causes.
Impact:
Connections encountering these errors are aborted.
Workaround:
The excess logging may be stopped by setting the DB variable tmm.oops to "silent". These errors won't be reported but connections will still be aborted.
656784-2 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM
Solution Article: K98510679
Component: Access Policy Manager
Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.
The Windows 10 version 1703 RDP client uses the Negotiate HTTP authentication scheme, while APM requires the NTLM scheme for RD Gateway.
Conditions:
-- You are accessing Microsoft Remote Desktop through BIG-IP APM using the Remote Desktop Gateway (RDG) feature.
-- You upgrade to Windows 10 Creators Update (version 1703).
Impact:
Remote desktop client is not able to authenticate and connect to the desktop.
Workaround:
Use either of the following workarounds:
-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.
-- Use the following iRule to convert Negotiate to NTLM:
when HTTP_REQUEST {
    # Only RD Gateway requests (HTTP methods beginning with "RDG_") are touched.
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }
    # Rewrite a Negotiate Authorization header to NTLM before APM evaluates it.
    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]
    if { $is_nego_auth } {
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    # On the way back, present the NTLM challenge to the client as Negotiate again.
    if {!$is_rdg_request || !$is_nego_auth} { return; }
    catch {
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}
655767-3 : MCPD does not prevent deleting an iRule that contains in-use procedures
Component: Local Traffic Manager
Symptoms:
MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:
01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).
However, if an iRule attached to a virtual server makes a procedure call into a different iRule, that second iRule can be deleted with no error. This results in a configuration that subsequently fails to load (MCPD validation catches the missing iRule during a config load) or fails when a full configuration sync is performed.
Conditions:
Must be using iRules that call into other iRules.
Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.
Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.
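Added example, not F5's code: a pre-deletion audit for the unguarded dependency described above. It parses a constructed bigip.conf-style excerpt (the layout, object names and sample procedure are assumptions made for this example) and reports which iRules attached to a virtual server reach a given iRule through 'call <rule>::<proc>' references, the case MCPD validation lets through.

```python
"""Audit cross-iRule procedure calls before deleting an iRule (ID 655767-3)."""
import re
from typing import Dict, List, Set

# Constructed bigip.conf-style excerpt (assumed layout and names, not from the page).
SAMPLE_CONFIG = r'''
ltm rule /Common/proc_lib {
    proc log_client { addr } {
        log local0. "client: $addr"
    }
}
ltm rule /Common/rule_uses_procs {
    when HTTP_REQUEST {
        call /Common/proc_lib::log_client [IP::client_addr]
    }
}
ltm rule /Common/unused_rule {
    when HTTP_REQUEST {
        HTTP::respond 200
    }
}
ltm virtual /Common/vs_http {
    destination /Common/10.0.0.1:80
    rules {
        /Common/rule_uses_procs
    }
}
'''

CALL_RE = re.compile(r'\bcall\s+(/?[\w./-]+)::\w+')      # call <rule>::<proc>
RULES_LIST_RE = re.compile(r'\brules\s*\{([^}]*)\}')    # rules { ... } on a virtual


def _blocks(config: str, kind: str) -> Dict[str, str]:
    """Map object name -> body for top-level objects of `kind` ('ltm rule', 'ltm virtual').
    Braces are matched so nested blocks stay inside the body; unbalanced braces
    inside Tcl strings would confuse this simple scanner."""
    result: Dict[str, str] = {}
    header = re.compile(r'^' + re.escape(kind) + r'\s+(\S+)\s*\{', re.MULTILINE)
    for m in header.finditer(config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            depth += {'{': 1, '}': -1}.get(config[i], 0)
            i += 1
        result[m.group(1)] = config[m.end():i - 1]
    return result


def _partition(obj: str) -> str:
    return obj.split('/')[1] if obj.startswith('/') else 'Common'


def _qualify(name: str, partition: str) -> str:
    """Bare names are resolved in the referencing object's partition (assumption)."""
    return name if name.startswith('/') else f'/{partition}/{name}'


def rule_calls(config: str) -> Dict[str, Set[str]]:
    """iRule name -> set of iRules it references through 'call'."""
    return {name: {_qualify(t, _partition(name)) for t in CALL_RE.findall(body)}
            for name, body in _blocks(config, 'ltm rule').items()}


def attached_rules(config: str) -> Dict[str, List[str]]:
    """Virtual server name -> iRules listed in its 'rules { ... }' stanza."""
    attached: Dict[str, List[str]] = {}
    for vs, body in _blocks(config, 'ltm virtual').items():
        m = RULES_LIST_RE.search(body)
        attached[vs] = [_qualify(r, _partition(vs)) for r in m.group(1).split()] if m else []
    return attached


def _reachable(calls: Dict[str, Set[str]], start: str) -> Set[str]:
    """All iRules reachable from `start` through any chain of 'call' references."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        for target in calls.get(stack.pop(), ()):
            if target not in seen:
                seen.add(target)
                stack.append(target)
    return seen


def deletion_blockers(config: str, rule: str) -> List[str]:
    """Reasons why deleting `rule` would break the configuration. Direct attachment
    is what MCPD already rejects; a procedure call from an attached iRule is the
    dependency it lets through, so that is the finding worth acting on."""
    calls = rule_calls(config)
    if rule not in calls:
        raise KeyError(f'no such iRule: {rule}')
    reasons: List[str] = []
    for vs, rules in attached_rules(config).items():
        for attached in rules:
            if attached == rule:
                reasons.append(f'{rule} is attached to {vs} (MCPD rejects the delete)')
            elif rule in _reachable(calls, attached):
                reasons.append(f'{attached} on {vs} calls a procedure in {rule} '
                               f'(MCPD does NOT reject the delete)')
    return reasons


if __name__ == '__main__':
    for candidate in ('/Common/unused_rule', '/Common/proc_lib', '/Common/rule_uses_procs'):
        print(candidate, deletion_blockers(SAMPLE_CONFIG, candidate) or ['no blockers found'])
```

Run it against a saved copy of bigip.conf (tmsh save sys config) before removing an iRule; a 'does NOT reject' finding is exactly the deletion the page warns will load cleanly now and fail on the next config load or sync.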
655724-3 : MSRDP persistence does not work across route domains.
Solution Article: K15695
Component: Local Traffic Manager
Symptoms:
MSRDP persistence doesn't work with non-default route domains.
Conditions:
Configure a virtual server with an MSRDP persistence profile and a pool using a non-default route domain.
Impact:
MSRDP persistence does not work.
Workaround:
Implement MSRDP persistence using iRules.
655484-1 : GUI LTM Pool Statistics Page running out of memory with large number of Pools
Solution Article: K69912019
Component: TMOS
Symptoms:
When there is a large number of configured Pools, it can adversely affect Pool Statistics Page display, causing an Out of Memory error.
Conditions:
Configure 2200 or more pools, and go to the Pool Statistics page.
Impact:
The page does not display because it causes Tomcat to run out of memory and restart automatically.
Workaround:
You can increase the memory allocated to Tomcat. For more information, see K9719: Error Message: java.lang.OutOfMemoryError, available at https://support.f5.com/csp/article/K9719
654996-1 : Closed connections remain in memory
Solution Article: K50345236
Component: Application Security Manager
Symptoms:
A connection remains open, which results in memory leaks in the tmm for the connections.
The following command shows connections for traffic that was already closed: tmsh show sys conn.
Conditions:
-- An ASM_RESPONSE_VIOLATION iRule event on the ASM-enabled virtual server.
-- A request with Connection: close.
Impact:
Memory increase due to connections left open.
Incoming connections to the virtual server may fail and result in the BIG-IP sending a reset with a reset cause of "TCP closed".
Workaround:
If possible, remove this event from the iRule and/or add the OneConnect profile to the virtual server.
654981-2 : Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action
Component: Local Traffic Manager
Symptoms:
Local Traffic Policies configured for First Match mode may not stop executing after the first matched rule.
Conditions:
This happens when the first matched rule has no action (i.e. is set to ignore).
Impact:
This may cause Local Traffic Policies to execute an unintended action.
Workaround:
Rework the rules in your affected Local Traffic Policies so that every rule has at least one associated action.
654915-3 : Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address
Component: Application Visibility and Reporting
Symptoms:
For traffic capturing, if a pool member is assigned a special name (e.g., 'for internal activity'), the external AVR log will report the internal IP address instead of the pool member name.
Conditions:
1. Assign name to internal pool member.
2. Enable HTTP traffic capturing.
3. Allow AVR to collect HTTP statistics.
4. View pool member name in external AVR log.
Impact:
External log reports internal IP address instead of pool member name.
Workaround:
There is no workaround at this time.
653930-2 : Monitor with description containing backslash may fail to load.
Solution Article: K69713140
Component: Local Traffic Manager
Symptoms:
When a monitor description contains a \ (backslash) character, the system adds another backslash for every save-load operation. After enough saves/loads, the description eventually hits the maximum length, causing an error message: '01020057:3: The string with more than 65535 characters cannot be stored in a message' upon loading the config.
Conditions:
Monitor with description containing backslash.
Impact:
Configuration changes without human intervention. Potential load failure.
Workaround:
Don't use backslashes in monitor descriptions.
653895 : Admin user cannot edit policy
Component: Application Security Manager
Symptoms:
While logged into the active device, you are unable to edit a policy. The Save and Reconfigure buttons are grayed out. The standby device allows you to edit the policy and you can deploy the change to the active device, but you occasionally can't edit it from the active device.
Conditions:
It is not known what triggers this intermittent problem.
Impact:
Admin users are unable to edit a policy on the active device.
Workaround:
You can edit the policy on the standby device and deploy it to the active device.
653888-2 : BGP advertisement-interval attribute ignored in peer group configuration
Component: TMOS
Symptoms:
BGP peer-group advertisement-interval attribute may be ignored with default settings set on individual peers belonging to the peer-group.
Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value
Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.
Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.
653775-3 : Ampersand (&) in GTM synchronization group name causes synchronization failure.
Solution Article: K05397641
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.
Conditions:
A GTM synchronization group name with an ampersand (&) in the name.
Impact:
GTM sync groups do not synchronize.
Workaround:
Remove ampersand from sync group name.
653573 : ADMd not cleaning up child rsync processes
Component: Anomaly Detection Services
Symptoms:
The ADMd daemon on the device spins up rsync processes and does not clean them up properly, leaving a large number of zombie processes.
Conditions:
An rsync process ends via exit (in the case of some trouble).
Impact:
No technical impact, but there are many zombie processes
Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.
653273 : "Unexpected Error" showing traffic-selector default-traffic-selector
Component: TMOS
Symptoms:
Running this tmsh command results in "Unexpected error":
tmsh show net ipsec ipsec-sa traffic-selector default-traffic-selector-interface
Conditions:
This occurs when running tmsh show net ipsec ipsec-sa traffic-selector default-traffic-selector-interface
Impact:
The result is not returned; the only output is "unexpected error".
653228-2 : SNAT does not work properly on FTP VIP2VIP
Solution Article: K34312110
Component: Local Traffic Manager
Symptoms:
SNAT does not work properly on FTP VIP2VIP.
Conditions:
-- FTP communicates VIP2VIP to second virtual server.
-- SNAT is configured on second virtual server.
Impact:
SNAT does not work properly on FTP VIP2VIP on data channel.
Workaround:
Do not configure SNAT on second virtual server.
653137-1 : Virtual flaps when FQDN node and pool configured with autopopulate
Component: Local Traffic Manager
Symptoms:
Virtual address status flaps (RED :: BLUE :: DOWN :: UNCHECKED) when the FQDN node and pool are configured with autopopulate enabled, and the FQDN DNS response returns the same addresses.
Conditions:
-- FQDN node and pool are configured with autopopulate enabled.
-- FQDN DNS response returns the same addresses.
Impact:
The virtual server becomes unavailable, and later switches to unchecked.
Workaround:
None.
653017-2 : Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
Component: Application Security Manager
Symptoms:
Bot signatures cannot be created after roll-forward upgrade of configuration with only a DoS profile in non-Common partition.
Conditions:
A DoS profile in non-Common partition has Proactive Bot Defense enabled
Impact:
Bot signatures are not created.
Workaround:
Delete DoS Profile before upgrade, and re-create after upgrade is successful.
Alternatively, another DoS Profile can be created in /Common, even if unused.
652877-3 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
Component: TMOS
Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors such as:
slot2/localhost err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
slot2/localhost err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.
In versions prior to v11.6.0, the error will say "Can't save/checkpoint DB object," rather than "Can't update_indexes/checkpoint DB object".
Conditions:
Multi-bladed VIPRION system, where the "if-index" value for VLANs differs between blades (as checked via "tmsh list net vlan all if-index" on each blade).
Impact:
MCPD restart on all secondary blades results in partial service outage.
Workaround:
Only reactivate the license on a system that is standby/offline.
652671-4 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
Solution Article: K31326690
Component: TMOS
Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.
Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.
Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.
Workaround:
None.
652577-2 : Changes to MAC Masquerading may cause the Standby unit to be unable to reach the floating Self-IP address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.
Conditions:
- HA pair
- Traffic-group with a MAC set in the MAC Masquerading setting.
- Floating Self-IP using the above traffic-group
- Make a change to the MAC Masquerading MAC address on the Active unit.
- Run a config-sync from Active to Standby
Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.
Workaround:
Reboot or restart TMM.
652530 : Parameter names are case sensitive in Internet Explorer 9 only
Component: Fraud Protection Services
Symptoms:
Misconfigured parameter names with incorrect case work as if they were configured correctly in all browsers except Internet Explorer 9.
Conditions:
Parameter names configured in the wrong case
Impact:
Encryption and data integrity features will appear to work as expected in all browsers except Internet Explorer 9.
In Internet Explorer 9, encryption and data integrity will not be activated on the misconfigured parameter.
Workaround:
Reconfigure the parameter name to use the correct case.
652523 : TMM may restart while processing timers
Component: Local Traffic Manager
Symptoms:
TMM restarts during timer processing due to post-free memory usage.
Conditions:
Full-proxy TCP functionality in use. Additional conditions are not well defined, currently.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround available.
652370-1 : The persist cookie insert iRule command may leak memory
Component: Local Traffic Manager
Symptoms:
In some situations, the persist cookie insert iRule command may leak memory.
Conditions:
The persist cookie insert iRule command is used.
Impact:
Eventually, the TMM will run out of memory due to the leak.
652223-1 : BWC: Non-TCP data going through Category can make policy active
Solution Article: K50325308
Component: TMOS
Symptoms:
When a category is set to a lower rate than 100% of the user rate, the traffic going through the category is non-TCP, and the amount of data is 150% of the instance rate, the policy can become active, lowering the overall bandwidth.
Conditions:
This occurs when all of the following conditions are met:
-- Category rate is less than max-user-rate
-- Traffic is non-TCP data.
-- Amount of data passing is 150% of max-user-rate.
Impact:
BWC dynamic policy cannot achieve 100% of max-rate.
Workaround:
Increase the max-rate of any dynamic policy, and add an additional static policy set to the max-rate expected from the dynamic policy.
Note: There is no actual fix for this issue other than not using UDP traffic in categories when the amount of traffic on that UDP category is expected to exceed 150% or more of the maximum fair rate provided by the BWC instance. Note that the PEM subscriber and the BWC instance have a 1-1 relationship.
652222-1 : Sending scheduled-reports will fail due to lack of backend support
Component: Application Visibility and Reporting
Symptoms:
Using the scheduled report from GUI fails and causes some orphan file descriptors every time scheduled report runs.
Conditions:
Using the scheduled report from GUI.
Impact:
Scheduled reports do not work, and the system accumulates more orphaned open file descriptors every time it tries to send the report.
Workaround:
None.
651889-2 : Persist record may be inconsistent after a virtual server hits its rate limit
Component: Local Traffic Manager
Symptoms:
The persist record may be inconsistent after a virtual server hits its rate limit.
Conditions:
A virtual server with a rate limit set.
Persistence is enabled.
Impact:
Persistence behavior is affected.
Workaround:
Disable the rate limit on the virtual server.
651886-1 : Certain FIX messages are dropped
Component: Service Provider
Symptoms:
When a FIX message is received with a length, checksum, or message type field containing leading zeros, the message may be dropped.
Conditions:
This bug affects all FIX messages having a length (tag 9), checksum (tag 10) or message type (tag 35) field that contains at least one leading zero. Certain third-party FIX protocol implementations are known to insert leading zeros in these fields.
Impact:
FIX messages from these products cannot be processed by the FIX profile in BIG-IP.
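As an added example (not BIG-IP code), the following parser validates the FIX framing fields numerically so that a zero-padded BodyLength or CheckSum is accepted; the sample message is constructed here, and the strict_text mode reproduces the text comparison that rejects leading zeros.

```python
# Added example (not BIG-IP code): validate a FIX message's BodyLength (tag 9)
# and CheckSum (tag 10) numerically, so values with leading zeros such as
# 9=028 or 10=026 are accepted instead of being treated as malformed.
SOH = "\x01"

# Constructed sample: a Heartbeat (35=0) whose BodyLength is zero-padded.
# Body = "35=0|49=BIGIP|56=PEERS|34=1|" is 28 bytes; the byte sum of everything
# before tag 10 is 2330, and 2330 % 256 = 26, written as "026".
PADDED_HEARTBEAT = (
    "8=FIX.4.2" + SOH + "9=028" + SOH + "35=0" + SOH + "49=BIGIP" + SOH
    + "56=PEERS" + SOH + "34=1" + SOH + "10=026" + SOH
)


def split_fix(msg: str) -> list:
    """Split a raw FIX message into (tag, value) pairs in wire order."""
    pairs = []
    for field in msg.split(SOH):
        if field:
            tag, _, value = field.partition("=")
            pairs.append((tag, value))
    return pairs


def fix_checksum(data: str) -> int:
    """FIX CheckSum: sum of every byte up to and including the SOH before tag 10, mod 256."""
    return sum(data.encode("ascii")) % 256


def validate_fix(msg: str, strict_text: bool = False) -> dict:
    """Validate framing; returns a dict with 'ok' plus computed and declared values.

    strict_text=True compares tags 9 and 10 as text, which is what rejects a
    zero-padded length; the default compares them as integers.
    """
    pairs = split_fix(msg)
    fields = dict(pairs)
    if len(pairs) < 3 or pairs[0][0] != "8" or pairs[1][0] != "9" or pairs[-1][0] != "10":
        return {"ok": False, "reason": "tags 8 and 9 must lead and tag 10 must trail"}
    if not msg.endswith(SOH):
        return {"ok": False, "reason": "message must end with SOH"}
    body_start = msg.index(SOH, msg.index(SOH) + 1) + 1   # byte after "9=...<SOH>"
    trailer_start = msg.rindex(SOH + "10=") + 1            # first byte of tag 10
    body_length = trailer_start - body_start
    checksum = fix_checksum(msg[:trailer_start])
    if strict_text:
        ok = fields["9"] == str(body_length) and fields["10"] == f"{checksum:03d}"
    else:
        try:
            ok = int(fields["9"]) == body_length and int(fields["10"]) == checksum
        except ValueError:
            ok = False
    return {
        "ok": ok,
        "msg_type": fields.get("35"),     # returned as sent; not normalised here
        "body_length": body_length,
        "declared_length": fields["9"],
        "checksum": checksum,
        "declared_checksum": fields["10"],
    }
```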
651826-2 : SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly
Component: TMOS
Symptoms:
When checking the SPI fields of an IKEv2 IPsec SA, the byte order of the displayed number is rendered incorrectly. The SPI details are seen in "tmsh show net ipsec ike-sa all-properties".
For example, the BIG-IP will render this:
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d
When the actual SPIs viewed on the peer device are:
Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C
Conditions:
IKEv2 IPsec SAs are established or attempting to be established.
Impact:
Can confuse a BIG-IP Administrator who is attempting to verify that IPsec peers have the same SAs.
Workaround:
Rearrange the SPI numbers manually or examine the ipsec.log to see the established SA SPI numbers.
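The manual rearrangement described above, worked through in code as an added example (not part of the release note): the BIG-IP output lines below are constructed from the values quoted in the symptoms, and the helper byte-reverses each SPI and swaps local/remote to obtain what the peer displays.

```python
# Added example (not part of the release note): normalise the SPI values that
# BIG-IP prints in 'tmsh show net ipsec ike-sa all-properties' so they can be
# compared with the peer's view of the same IKEv2 SA.
import re

# Constructed sample of the two affected lines from the BIG-IP output.
BIGIP_OUTPUT = """
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d
"""

SPI_LINE = re.compile(r"Spi\((local|remote)\):\s*0x([0-9a-fA-F]{16})", re.IGNORECASE)


def parse_bigip_spis(text: str) -> dict:
    """Extract {'local': hexdigits, 'remote': hexdigits} from the tmsh output."""
    spis = {}
    for side, digits in SPI_LINE.findall(text):
        spis[side.lower()] = digits
    if set(spis) != {"local", "remote"}:
        raise ValueError("expected both Spi(local) and Spi(Remote) lines")
    return spis


def swap_spi_byte_order(spi_hex: str) -> str:
    """Reverse the byte order of a 64-bit SPI given as hex ('0x' prefix optional)."""
    digits = spi_hex.lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) != 16:
        raise ValueError(f"IKEv2 SPI must be 8 bytes (16 hex digits): {spi_hex!r}")
    return bytes.fromhex(digits)[::-1].hex().upper()


def peer_view(bigip_output: str) -> dict:
    """Return the SPIs as the peer would display them.

    Two transformations apply: each SPI is byte-reversed, and local/remote are
    swapped because BIG-IP's local SPI is the peer's remote SPI.
    """
    spis = parse_bigip_spis(bigip_output)
    return {
        "local": swap_spi_byte_order(spis["remote"]),
        "remote": swap_spi_byte_order(spis["local"]),
    }


def sa_matches_peer(bigip_output: str, peer_local: str, peer_remote: str) -> bool:
    """True when BIG-IP and the peer are describing the same SA."""
    expected = peer_view(bigip_output)
    return (expected["local"] == peer_local.upper()
            and expected["remote"] == peer_remote.upper())
```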
651541-2 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile
Solution Article: K83955631
Component: Local Traffic Manager
Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.
Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.
Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.
Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.
651169-3 : The Dashboard does not show an alert when a power supply is unplugged
Component: Advanced Firewall Manager
Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.
Conditions:
One of the power supplies is unplugged.
Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.
Workaround:
None.
651136-2 : ReqLog profile on FTP virtual server with default profile can result in service disruption.
Solution Article: K36893451
Component: TMOS
Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.
Conditions:
Default inherit FTP profile virtual server configured with ReqLog profile.
Impact:
Service disruption, fail-over event.
Workaround:
Create non-inheriting FTP profile for FTP virtual server with ReqLog profile.
651005-3 : FTP data connection may use incorrect auto-lasthop settings.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, the FTP data connection may fail to use the auto-lasthop setting configured on the virtual server and instead use the value configured at the VLAN level.
Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'
(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'
With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'
(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'
Impact:
FTP data connection may fail to be established.
Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.
650070-2 : iRule that uses ASM violation details may cause the system to reset the request
Solution Article: K23041827
Component: Application Security Manager
Symptoms:
When an iRule attempts to use the violation details such as attackSignature or MaliciousFingerprint, in some cases a legal request will be reset.
Conditions:
-- An ASM iRule that uses violation details is attached to the virtual server.
-- The request contains the violation
Impact:
A legal request is being reset.
Workaround:
None.
650019-2 : The commented-out sample functions in audit_forwarder.tcl are incorrect
Component: TMOS
Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.
Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.
Impact:
The Transform function may not work if the examples are followed.
Workaround:
Use the default Transform function as a starting point instead of one of the examples.
649897 : Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown.
Component: Local Traffic Manager
Symptoms:
Using iControl REST, making a change to an FQDN pool member causes the pool member availability to become 'unknown'.
Conditions:
Using iControl REST, modify an existing pool member configured with an FQDN name.
Note: This issue does not affect pool members configured to point directly at an IP address.
Impact:
The pool member status will show 'unknown'.
Workaround:
None.
649441-1 : Classification memory allocation
Component: Traffic Classification Engine
Symptoms:
The Classification library ('CE') allocates an extra 2 KB of memory per flow and never uses it.
Conditions:
Classification and HTTP profile attached to Virtual Server.
Impact:
High memory footprint for heavily loaded systems.
Workaround:
Install latest Classification Update Package ('IM Package').
649177-2 : Testing for connection to SMTP Server always returns "OK"
Solution Article: K54018808
Component: Application Visibility and Reporting
Symptoms:
When you click the SMTP GUI config "Test Connection" button it always gives green "OK" response, even if there is no network, or if the DNS response is NXDomain.
Conditions:
This is encountered when testing the SMTP connection using the GUI.
Impact:
Validation of SMTP server availability is incorrect
Workaround:
You can test SMTP at the command line by attempting to send a test email, as in this example (substitute user@example.com with your valid email address):
# echo "ssmtp test mail" | mail -vs "Test email" user@example.com
648873-3 : Traffic-group failover-objects cannot be retrieved via iControl REST
Solution Article: K93513131
Component: TMOS
Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].
(The ... represents the data that was presented as a list property.)
Conditions:
Trying to use iControl REST for getting failover-objects associated to floating traffic-groups
Impact:
No access to the list of failover-objects associated with a specific floating traffic-group via the iControl REST interface.
Workaround:
Use a different user interface (tmsh or GUI).
648806-1 : Invalid "with the first highest ratio counter" logging for pool member ratio load balance
Component: Global Traffic Manager (DNS)
Symptoms:
Invalid value for "with the first highest ratio counter" for wideip load balancing decision is logged.
Conditions:
Enabled logging for wideip load balancing decision.
Impact:
Invalid value is logged for "with the first highest ratio counter".
648802-3 : Required custom AVPs are not included in an RAA when reporting an error.
Component: Policy Enforcement Manager
Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).
Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.
Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.
Workaround:
There is no workaround at this time.
648639-3 : TS cookie name contains NULL or other raw byte
Solution Article: K92201230
Component: Application Security Manager
Symptoms:
The TS cookie name may intermittently contain NULL.
Conditions:
This can occur intermittently when ASM is provisioned and has a unique combination of security policy name and the server's cookie attributes (path and domain).
Impact:
False positives triggered on modified domain cookies.
Workaround:
To resolve this, change the security policy name.
648621-1 : SCTP: Multihome connections may not expire
Component: TMOS
Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.
Conditions:
The multi-homing connections have been forcibly deleted via a tmsh command.
Impact:
The multi-homing connections do not expire.
Workaround:
Do not manually delete the multi-homing connections.
648316-3 : Flows using DEFLATE decompression can generate error message during flow tear-down.
Solution Article: K10776106
Component: TMOS
Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:
Zip engine ctx eviction (comp_code=4): ctx dropped.
Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.
Impact:
False errors can appear:
o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.
Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.
Workaround:
Disable hardware acceleration.
647834-4 : Failover DB variables do not correctly implement 'reset-to-default'
Component: TMOS
Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.
Conditions:
This is known to affect at least the following failover-related DB variables:
log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary
Impact:
The configuration change does not take effect.
Workaround:
Explicitly set the DB variable to the desired value.
647812-3 : /tmp/wccp.log file grows unbounded
Component: TMOS
Symptoms:
WCCP uses /tmp/wccp.log as output for diagnostic information, independent of log level or db key. This file can grow unbounded if there are never any WCCP packets sent. If packets are sent, the file is cleaned up automatically.
Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.
Impact:
/tmp/wccp.log grows unbounded, filling up the disk.
647158-3 : Internal virtual server inherits CMP hash mode from parent virtual server
Solution Article: K76581555
Component: Service Provider
Symptoms:
An internal virtual server might behave in unexpected ways, such as aborting a client connection before connecting to the server.
Conditions:
Virtual server with request-adapt or response-adapt profile and a vlan with 'cmp-hash' mode 'src-ip'.
Internal virtual server without a VLAN or 'cmp-hash' setting.
Impact:
The internal virtual server might sometimes abort when attempting to make a connection to the server. This occurs after a successful load-balance pick indicated by the LB_SELECTED event, but before a TCP SYN packet is sent to the server. As a result the parent virtual performs the service-down-action configured in the request-adapt or response-adapt profile.
Workaround:
If possible, do not use the cmp-hash mode 'src-ip'.
647151-1 : CPU overtemp condition threshold is 75C
Component: TMOS
Symptoms:
A CPU overtemp condition is logged when a B4450 CPU reaches 75C.
Conditions:
CPU temperature is only 75C and ambient temperature in the blade is in the normal range.
Impact:
Since the temperature threshold is set too low, the warning does not indicate an actual problem.
Workaround:
None.
647071-2 : Stats for SNATs do not work when configured in a non-zero route domain
Component: Local Traffic Manager
Symptoms:
When creating SNAT in a Route Domain different from 0, the command 'tmsh show ltm snat' does not report any statistics.
Conditions:
This occurs on all SNATs in a route domain other than 0.
Impact:
No statistics for the SNATs
Workaround:
None.
646800-2 : A part of the request is not sent to ICAP server in a specific case
Component: Application Security Manager
Symptoms:
The portion of the request that is not sent is not checked for viruses.
Conditions:
ICAP is configured.
Impact:
There might be a false negative on anti-virus check
Workaround:
N/A
646495-2 : BIG-IP may send oversized TCP segments on traffic it originates
Component: Local Traffic Manager
Symptoms:
Traffic from the Linux host on BIG-IP may send TCP segments larger than the advertised TCP MSS of a remote host.
Conditions:
Received TCP MSS (plus protocol overhead) smaller than configured MTU of interface.
Linux host sending large TCP segments, such as SNMP getbulk replies.
Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.
Workaround:
Disable segmentation offload for the nvic.
646440 : TMSH allows mirror for persistence even when no mirroring configuration exists
Solution Article: K52140275
Component: Local Traffic Manager
Symptoms:
When no mirroring is configured between the peers, TMUI correctly hides the mirror option for the persistence profiles; however, TMSH allows enabling it.
Conditions:
-- Mirroring is configured.
-- Persistence profile.
-- Using TMSH.
Impact:
TMSH does not hide the mirror option for persistence profile, but TMUI correctly hides the mirror option. This might lead to a memory leak and degraded performance.
Workaround:
Use TMUI.
645729-1 : SSL connection is not mirrored if ssl session cache is cleared and resume attempted
Component: Local Traffic Manager
Symptoms:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.
Conditions:
A previous ssl session is attempting to resume the connection after the ssl session cache has been cleared.
Impact:
Connection is established but is not mirrored.
Workaround:
This can be avoided by disabling the SSL session cache.
645635-2 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
Component: Local Traffic Manager
Symptoms:
VCMP clusters without configured slot-specific management-ip addresses will report 0.0.0.0 for: sFlow (Agent Address), High Speed Logging (in certain log messages), and IPFIX (domain ID).
When creating VCMP guests, the cluster's floating IP address is configured on the host using a command of the form: 'tmsh modify vcmp guest guest0 management-ip 10.1.2.3/24'; however, this will leave the slot-specific management IP address unconfigured. In this case, the affected services (sFlow, HSL, and IPFIX) will report 0.0.0.0 as their management IP address.
Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sflow and/or HSL and/or IPFIX configured.
Impact:
sflow, HSL, and IPFIX may incorrectly use 0.0.0.0 when identifying the BIG-IP system by management IP address. For sFlow, this is the default Agent Address. For HSL, certain log messages which identify the origin BIG-IP system by its management IP address will use this default value. For IPFIX, the domain ID will use this default value.
Workaround:
Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a VCMP guest which runs on a single slot, use a command similar to the following:
tmsh modify sys cluster default members { 1 { address 10.1.2.3 } }
645206-4 : Missing cipher suites in outgoing LDAP TLS ClientHello★
Solution Article: K23105004
Component: TMOS
Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behavior is also seen for BIG-IP system auth via LDAP or AD when TLS is used.
Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.
Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.
Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.
644979-2 : Errors not logged from hourly 1k key generation cron job
Component: TMOS
Symptoms:
Errors from the hourly 1024-bit (1k) key generation cron job do not get logged as intended.
Conditions:
This occurs during hourly generation of ephemeral keys.
Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.
Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.
644725-4 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
Solution Article: K01914292
Component: Application Security Manager
Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.
Conditions:
A reconfiguration / headers configuration happens while the ASM is removed from a VIP. This may happen especially in scripts that create a config or remove a config.
Impact:
ASM restarts. The system goes offline. A failover may happen.
Workaround:
Ensure that there is some time between setting a configuration and removing ASM from the VIP.
644135 : 12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics
Solution Article: K53342451
Component: TMOS
Symptoms:
12.1.1-hf1 only supports module tuning for Source Photonics 100G LR4 optics. It does not support Finisar 100G LR4 optics via f5optics.
Conditions:
This is relevant only if you are running 12.1.1-hf1, and are using Finisar 100G optics.
Impact:
FCS errors may be observed on interfaces using Finisar 100G LR4 optics.
Workaround:
The only workaround is to update the software you are running with an engineering hotfix or software version that supports module tuning for Finisar 100G LR4 optics.
Note: This issue applies only to 12.1.1-hf1. This issue is addressed in other versions using a mechanism different from 12.1.1-hf1. For version 12.1.1-hf1, there is an engineering hotfix available to support Finisar 100G LR4 optics.
643860-4 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
Component: Local Traffic Manager
Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:
-- In /var/log/tmm:
notice MCP connection expired early in startup; retrying.
-- In /var/log/ltm:
mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.
Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.
Impact:
The TMM processes will restart and fail to come up properly.
Workaround:
To recover, reboot the system.
Note: Do not perform file open operations on /dev/vnic. There is no need to.
643813-2 : ZoneRunner does not properly process $ORIGIN directives
Solution Article: K32906881
Component: Global Traffic Manager (DNS)
Symptoms:
During an import zone operation, ZoneRunner incorrectly associates the "@" directive with the zone name and not $ORIGIN specified.
Conditions:
If the zone file to be imported contains the $ORIGIN directive, the following "@" directives will reference the zone name, which is incorrect.
Impact:
Zones will not be imported correctly.
Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing it into ZoneRunner.
The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)
For example, given a zone file named example.com.file that contains the following information:
"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3
The command is as follows:
named-compilezone -s full -o example.com.file.full example.com example.com.file
The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1
This output is correct. The new file can then be imported into ZoneRunner.
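As an added illustration (not F5 or BIND code), the following Python script performs the same expansion that named-compilezone -s full does for this workaround: it resolves "@" and relative names against the current $ORIGIN, applies the $TTL default, and emits records in canonical name order. It assumes the directive and record shapes seen in the sample zone above ($TTL, $ORIGIN, single-line records; no parentheses, $INCLUDE or $GENERATE), and the zone text embedded in it is constructed from the workaround's example. The zonerunner_bug flag reproduces the faulty "@" resolution this issue describes, so the normalized and un-normalized results can be compared.

```python
"""Zone-file normalizer: expands "@" and relative names against the current
$ORIGIN and fills in the $TTL default, the transformation that named-compilezone
-s full performs before a ZoneRunner import.  Added illustration for this page,
not F5 or BIND code; it covers $TTL, $ORIGIN and single-line records only."""

# Constructed sample: the workaround's example.com.file, minus its title line.
SAMPLE_ZONE = """\
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3
"""

CLASSES = {"IN", "CH", "HS"}
# Positions of domain names inside RDATA; these are origin-relative as well.
NAME_RDATA = {"NS": [0], "CNAME": [0], "PTR": [0], "SOA": [0, 1], "MX": [1]}


def absolute(name, origin):
    """Resolve a name against origin: '@' is the origin; no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def normalize_zone(text, zone_name, zonerunner_bug=False):
    """Return '<owner> <ttl> <class> <type> <rdata>' lines in canonical name order.

    zone_name is the apex and the initial origin, like named-compilezone's
    zone_name argument.  With zonerunner_bug=True, '@' is always resolved to
    the apex regardless of $ORIGIN, reproducing the faulty import this issue
    describes.
    """
    apex = zone_name if zone_name.endswith(".") else zone_name + "."
    origin, default_ttl, last_owner, records = apex, None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = absolute(fields[1], origin)
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if line[0].isspace():                          # blank owner: reuse previous owner
            if last_owner is None:
                raise ValueError("record with blank owner before any owner")
            fields.insert(0, last_owner)
        owner_origin = apex if (zonerunner_bug and fields[0] == "@") else origin
        owner = absolute(fields[0], owner_origin)
        last_owner = owner
        rest = fields[1:]
        ttl, rclass = default_ttl, "IN"
        for _ in range(2):                             # TTL and class may come in either order
            if rest and rest[0].isdigit():
                ttl = int(rest.pop(0))
            elif rest and rest[0].upper() in CLASSES:
                rclass = rest.pop(0).upper()
        if ttl is None:
            raise ValueError(f"{owner}: no TTL and no $TTL in effect")
        rtype = rest.pop(0).upper()
        for i in NAME_RDATA.get(rtype, []):
            rest[i] = absolute(rest[i], origin)
        records.append((owner, ttl, rclass, rtype, " ".join(rest)))
    # Canonical DNS order compares labels right to left; the sort is stable within an owner.
    records.sort(key=lambda r: tuple(reversed(r[0].lower().rstrip(".").split("."))))
    return [f"{o} {t} {c} {ty} {rd}" for o, t, c, ty, rd in records]


if __name__ == "__main__":
    for line in normalize_zone(SAMPLE_ZONE, "example.com"):
        print(line)
```

Run as-is, the script prints the five normalized records listed in the workaround. Passing zonerunner_bug=True instead yields two A records at the apex (example.com.) in place of the alpha and bravo records, which is what the un-normalized file imports as.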
643799-1 : Deleting a partition may cause a sync validation error
Component: TMOS
Symptoms:
Deleting a partition may cause the sync to peers to fail.
For example, on BIG-IP1:
tmsh delete auth partition P1
tmsh show cm sync-status
Sync Summary
Status Sync Failed
Summary A validation error occurred while syncing to a remote device
Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)
Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.
Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.
Impact:
The sync of this change may fail on peers.
Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.
643459-3 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
Solution Article: K81809012
Component: TMOS
Symptoms:
When the BIG-IP management interface is accessed through a reverse proxy, you cannot log in to the Configuration Utility. Instead you see a login error, because the Referer header carries the reverse proxy's IP address or hostname rather than the BIG-IP's.
Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.
Impact:
You are unable to login to the Configuration Utility.
Workaround:
Configure the reverse proxy to rewrite the Referer header so that it carries the IP address of the BIG-IP.
643041-4 : Less than optimal interaction between OneConnect and proxy MSS
Solution Article: K64451315
Component: Local Traffic Manager
Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.
Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.
Impact:
Decreased throughput, possible congestion due to small segments.
Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.
642923-2 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
Solution Article: K01951295
Component: TMOS
Symptoms:
mcpd may time out and be killed by the sod watchdog, causing mcpd to restart.
Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.
There are a number of ways that this issue may manifest.
For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).
*Note: Depending on the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other factors, 3,000 is a rough estimate of the number of filestore objects that might cause this issue to occur.
Impact:
mcpd restarts, which causes a system to go offline and restart services.
Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:
modify sys daemon-ha mcpd heartbeat disable
Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.
Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.
To determine the specific cause, open a support case with F5 so that the resulting mcpd core file can be inspected.
642786-3 : TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.
Solution Article: K01833444
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may drop tunneled traffic destined for it, even though the corresponding tunnel is created correctly.
Conditions:
The local-address of a tunnel resides in a non-default route domain, and the sys db variable 'connection.vlankeyed' is set to 'disable'. Note that the default setting of that variable is 'enable'.
Impact:
The BIG-IP system may drop tunneled traffic.
Workaround:
None.
642422-2 : BFD may not remove dependant static routes when peer sends BFD Admin-Down
Component: TMOS
Symptoms:
The BFD feature, when used in a dynamic routing configuration, may not remove static routes that are configured to depend on the liveness of the BFD peer.
Conditions:
- BFD configured and up.
- Static route configured to depend on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.
Impact:
The static route may not be removed when the peer puts the BFD session into admin-down, so traffic may still be routed over it.
642211-2 : Warning logged when GENERICMESSAGE::message drop iRule command used
Component: Service Provider
Symptoms:
When you save an iRule that uses the GENERICMESSAGE::message drop command, a warning message is returned.
Conditions:
This occurs when saving an iRule that contains GENERICMESSAGE::message drop.
Impact:
A warning message is returned.
Workaround:
NA
641869-1 : Assertion "vmem_hashlist_remove not found" failed.
Solution Article: K62744980
Component: Local Traffic Manager
Symptoms:
TMM cores with the following assertion: "vmem_hashlist_remove not found" failed.
Conditions:
The exact conditions that lead to this are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
641582-1 : Rarely, an HSB transmitter failure occurs
Component: TMOS
Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.
Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.
Impact:
Reboot of the unit.
Workaround:
None.
Note: Although there is no workaround, beginning in v13.0.0, there is an internal counter that tracks occurrences of these types of HSB transmitter failures, which enables better understanding of the issue and a more thorough investigation into its cause.
641543-1 : bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.
Component: TMOS
Symptoms:
If you have a custom bind-timeout value set for ldap system-auth, the custom value is honored for anonymous users but is ignored for explicit users.
Conditions:
ldap auth configured for remote authentication, and a custom bind timeout value is specified.
Impact:
The default timeout value of 10 seconds will be enforced for ldap auth.
Workaround:
None.
641450 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, modify the virtual server with the profiles replace-all-with option.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
641001 : BWC: dynamic policy category sees lower bandwidth than expected in Congested policies
Component: TMOS
Symptoms:
When a BWC dynamic policy has a category configured at a lower rate than max-user-rate, the system might see lower bandwidth than expected under congestion and fail to fill the pipe.
Conditions:
BWC dynamic policy configured with category.
The number of sessions created is greater than max-rate divided by max-user-rate, so the whole policy is in use.
For example: max-rate=10mbps, max user rate=5mbps, cat rate=3mbps.
Impact:
Lower bandwidth is seen.
Workaround:
Configure categories at the same rate as that of max-user-rate.
640924-1 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
Component: Access Policy Manager
Symptoms:
On macOS Sierra (10.12), the LED icons on the Edge client's main UI buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.
Conditions:
macOS Sierra (10.12.x) and Edge client application.
Impact:
This is a display issue only. There is no functional impact to the system.
Workaround:
N/A
640863-2 : Disabling partition selector in DNS Resolver's Forward Zones
Solution Article: K29231946
Component: TMOS
Symptoms:
The partition selector is enabled in DNS Resolver's Forward Zones.
Conditions:
Having Forward Zones in DNS Resolvers inside different partitions.
Impact:
Changing the partition in the Forward Zones page may error out.
Workaround:
Change the partition in the DNS Resolver List or use tmsh.
640751-2 : No PCRE Validation Performed For Regular Expression Parameters
Component: Application Security Manager
Symptoms:
If a Parameter is configured to match a specified regular expression, but the regular expression is misconfigured, there is no error presented to the user, and there is no regexp enforcement for the parameter.
The following log can be observed in bd.log
"PCRE compilation failed at offset 12: PCRE does not support \L, \l, \N, \U, or \u"
Conditions:
A non-PCRE regular expression is configured for a Parameter.
Impact:
No Regular Expression enforcement is performed.
640704 : A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses★
Solution Article: K20418658
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP HA pair directly from version 10.2.x to version 12.1.x, the devices may fail to retain their primary and secondary mirror IP addresses after the upgrade.
Conditions:
This will only occur during a direct upgrade from 10.2.x to 12.1.x. This will not occur, for instance, when upgrading to 12.0.x.
Impact:
The devices will not be performing any mirroring after the upgrade to version 12.1.x as a result of this issue.
Workaround:
You can work around this issue by either:
A) Performing an intermediate upgrade to BIG-IP version 12.0.x first.
or
B) Manually reconfiguring the mirror IP addresses after the devices have been upgraded to 12.1.x (for more information on how to do so, refer to K13478: Overview of connection and persistence mirroring (11.x - 12.x) https://support.f5.com/csp/article/K13478).
640548-1 : In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.
Component: Policy Enforcement Manager
Symptoms:
In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked, and PEM does not retry them.
Conditions:
In Gy delayed binding mode, concurrent flows hit another rating group before the CCA-I for the first rating group comes back.
Impact:
Quota management service will not be active for those concurrent flows.
640489 : iSeries LCD alerts screen returns to splash screen intermittently
Solution Article: K53571714
Component: TMOS
Symptoms:
If there is a pending alert and the LCD remains on the alerts screen for an extended period of time, when you attempt to view the alerts for a particular severity (critical, error, warning, etc), the system re-directs to the splash screen instead of to the screen with a list of alerts.
Conditions:
-- An alert is pending.
-- The LCD remains on the alerts screen for a long time (e.g., 1-2 minutes).
-- Navigate to one of the alert levels to view the pending alerts.
-- The LCD displays the splash screen instead of a list of alerts.
Impact:
The system returns to the splash screen instead of a list of alerts.
Workaround:
Navigate back to the alerts screen and select an alert severity to get a list of alerts.
640395-1 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
Component: Local Traffic Manager
Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.
Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.
Impact:
If you are not actually using the spanning feature, there is no impact.
If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.
Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.
Alternatively, you can manually set the spanning property on the virtual addresses as desired after the upgrade.
640384-1 : New iRule options for MR::message route command
Component: Service Provider
Symptoms:
When routing a message via the MR::message route command, the connection-mode and max-connections attributes are not settable.
Conditions:
This is encountered when using the MR::message or MR::peer iRule commands and you wish to set the connection mode or max connections.
Impact:
For applications where other connection-modes are required (for example PER_CLIENT), it is not possible to implement via iRule.
Workaround:
NA
640054-1 : Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled
Component: TMOS
Symptoms:
When a virtual address is using selective ICMP-echo and the virtual address is disabled, it will sometimes respond to ICMP echo requests, and sometimes not.
Conditions:
The difference appears to depend on where the virtual address is disabled.
1) If the virtual address is disabled in the virtual address settings page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List :: <address>] it stops responding to pings.
2) If the virtual address is disabled on the virtual address list page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List] it responds to pings.
3) If the virtual address is disabled with TMSH: 'modify ltm virtual-address <address> enabled no' it responds to pings.
In addition, on a BIG-IP Virtual Edition (VE), case #1 also responds to pings.
Impact:
The ICMP echo behavior is different depending on where the virtual address is disabled.
Workaround:
None.
639774-5 : mysqld.err rollover log files are not collected by qkview
Solution Article: K30598276
Component: TMOS
Symptoms:
qkview collects only /var/lib/mysql/mysqld.err, and it does so without the truncation rules normally applied to log files. The rolled-over files (mysqld.err.1, mysqld.err.2.gz, and so on) are not collected at all.
Conditions:
This occurs when generating a qkview.
Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.
Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.
639575-5 : Using libtar with files larger than 2 GB will create an unusable tarball
Solution Article: K63042400
Component: TMOS
Symptoms:
Programs such as qkview will create a .tar file (tarball) using libtar and if any of the files collected is greater than 2 GB, the output tar file cannot be read by /bin/tar.
Conditions:
The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.
Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be a zero-length file. Alternatively, the offending file that is greater than 2 GB must be removed from the system prior to running qkview or other program that uses libtar.
638960-2 : A subset of the BIG-IP default profiles can be incorrectly deleted
Component: TMOS
Symptoms:
On the BIG-IP system, default profiles should not be deletable. However, the system incorrectly allows a subset of them to be deleted. Known affected profiles include all default persistence and http profiles.
Conditions:
The issue occurs when someone attempts to delete a susceptible profile via TMSH, iControl SOAP or iControl REST. The issue does not occur when using the WebUI (where susceptible profiles are not selectable for deletion).
Impact:
If a default profile is missing from the configuration, several issues may arise. For instance, the configuration may fail to load or save, and the WebUI may fail to display certain screens.
638893-1 : Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command
Component: TMOS
Symptoms:
Error message references solution number instead of Knowledgebase number:
err mcpd[6492]: 01071ab6:3: The requested media 100TX-FD for interface 1.0 is invalid. Valid settings are: auto, 1000T-FD. Please see SOL14556 for details.
Conditions:
Incorrectly configure net interface media, e.g.,
modify net interface 1.0 media 100TX-FD.
Impact:
Posted message references SOL14556. The Ask F5 site now uses K numbers instead of SOL numbers. At some point, the previously used SOL numbers might no longer redirect, and the information originally in that article would be lost.
Workaround:
View knowledgebase article K14556: Copper 1 Gbps modules configured with media other than the 'auto' setting may not function, https://support.f5.com/csp/article/K14556.
638170-1 : Pagination broken or missing while viewing pool statistics for GTM wideip
Solution Article: K36455356
Component: Global Traffic Manager (DNS)
Symptoms:
An error occurs while viewing pool statistics for a GTM wideip if the number of pools is more than can be displayed on a single screen.
Conditions:
When the number of pools exceeds the System :: Preferences :: Records Per Screen setting.
Impact:
Unable to view the statistics of GTM wideip pools beyond those displayed on the screen.
Workaround:
Increase the number of Records Per Screen (System :: Preferences :: Records Per Screen) to a number larger than the number of pools in the GTM wideip.
638091-4 : Config sync after changing named pool members can cause mcpd on secondary blades to restart
Component: TMOS
Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:
01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>
Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create
Impact:
Secondary blades do not process traffic as they restart
Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).
To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member.
Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.
To do so, perform the following procedure:
1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.
638089-1 : LACP and CMP state simultaneous fail on A112 and A113 platform
Component: TMOS
Symptoms:
An internal traffic stoppage occurs and causes LACP ACTIVE trunk members to go down, and CMP state changes for the HOST and VCMP guests (if configured) on the impacted blade. The tmctl detailed statistics show sustained TX pause generated by HSB on one or more links and matching RX Pause received in interface_stat (on 4.1, 4.2, 4.3).
Conditions:
This happens when an internal FPGA device enters a bad state under heavy traffic load. The root cause is still under investigation. It happens extremely rarely.
Impact:
Traffic no longer functions on the blade where stoppage occurs.
Workaround:
Reboot blade.
637979-1 : IPsec over isession not working
Component: TMOS
Symptoms:
You cannot send IPsec-encrypted application data through a secured iSession connection simply by configuring symmetric optimization to use IPsec as the IP encapsulation type.
Conditions:
Configure IPSec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.
Impact:
User is unable to send encrypted traffic using IPsec over the tunnel without additional configuration required for a typical IPSec setup.
Workaround:
Make the configuration needed for a typical IPsec setup explicitly:
Set the iSession encapsulation to "none", and configure a proper IKE peer, IPsec policy, and traffic selector that capture the iSession traffic between the two iSession endpoints.
BIG-IP1 GUI:
[Local Endpoint]
Acceleration->Symmetric Optimization : Local Endpoint->Properties
WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
IP Encapsulation Type: None
[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints >New Remote Endpoint...
IP Address: <BIG-IP2-local-endpoint-ipaddress>
[IKE peer]
Network->IPsec : IKE Peers->New IKE Peer...
Remote Address: <BIG-IP2-local-endpoint-ipaddress>
Version: Version1
Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>
[IPsec policy]
Network->IPsec : IPsec Policies->New IPsec Policy…
Name:<isession_policy_name>
Mode: Tunnel
Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>
[Traffic selector]
Network ->IPsec : Traffic Selectors ->New Traffic Selector...
IPsec Policy Name: <isession_policy_name>
Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>
BIG-IP2 GUI: Analogous--just swap the local and remote endpoint addresses where they appear above
637613-3 : Cluster blade being disabled immediately returns to enabled/green
Solution Article: K24133500
Component: Local Traffic Manager
Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.
Conditions:
This can occur intermittently under these conditions:
- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.
Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.
Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.
637279 : Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.
Component: TMOS
Symptoms:
Pool member discovery does not work and produces the following error: as-describe-auto-scaling-groups: Refused: The security token included in the request is invalid.
Conditions:
This occurs in the eu-central-1 region only. Does not apply for failover. Note: This error might happen even when correct IAM credentials are specified.
Impact:
Pool member discovery cannot be run in eu-central-1 region.
Workaround:
Create autoscale configuration in regions other than eu-central-1.
637227-4 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.
Solution Article: K60414305
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.
A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.
Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.
Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.
Workaround:
None.
636823-3 : Node name and node address
Component: TMOS
Symptoms:
If you create a node whose name is an IP address but whose configured address differs from that name, adding the node to a pool produces an error.
Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1
Impact:
When you attempt to add the node to a pool, an error will occur:
Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1
Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.
636774-1 : Potential TMM crash in BWC token distribution logic
Component: TMOS
Symptoms:
tmm crashes at "bwc_stb_static_recharge (stb_static=0x560086f501f0) at ../net/bwc_stb.c:364"
Conditions:
Bandwidth Control (BWC) policies enabled with PEM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
636669-3 : bd log are full of 'Can't run patterns' messages
Solution Article: K37300224
Component: Application Security Manager
Symptoms:
The bd log is filling up with 'Can't run patterns' messages. A core might occur due to the I/O outage. General traffic disturbance or slowness might occur.
Conditions:
Configuration change that relates to attack patterns happens while there is heavy traffic.
Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.
Workaround:
None.
636412-1 : ASM start process fail with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities
Component: Application Security Manager
Symptoms:
ASM start process fails on machines with thousands of ASM configuration entities.
The log file contains error messages similar to the following:
Protobuf message exceeds max defined size. Table: CONFIG_TYPE_DYNAMIC_TABLES.
Conditions:
Issue is very rarely reproducible and requires thousands of ASM policy entities on the machine.
Impact:
ASM may report legitimate request traffic as a violation.
Workaround:
There is no workaround at this time.
636348-3 : BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.
Component: Local Traffic Manager
Symptoms:
In the /var/log/ltm file you may observe an error message similar to the following example:
01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.
Conditions:
This issue occurs when all the following conditions are met:
-You have multiple BIG-IP systems in a High Availability (HA) configuration.
-You have configured System Gateway Failsafe
-You reset device trust
-You attempt to reload the configuration or reboot the device before recreating the device trust
Impact:
Configuration may fail to load
Workaround:
Remove Gateway Failsafe before resetting device trust
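Several entries on this page (643860-4, 643799-1, 641450, 638893-1, 638091-4, 641582-1, 640751-2, 636669-3, 636412-1 and 636348-3) quote a log message as the symptom. The following Python script, added here as an illustration and not F5 code, parses BIG-IP log lines into their syslog prefix, process, F5 message ID and log level, and matches the message text against those quoted symptom strings. The sample lines embedded in it are constructed from the page's quoted messages with made-up timestamps, PIDs and object names. A match only means a line resembles the quoted symptom; some of these messages (01070406 'Removed publication', for one) also appear in normal operation, so the result is a triage hint, not confirmation of the issue.

```python
"""Triage helper for BIG-IP log lines against the symptom strings quoted in the
known issues on this page.  Added illustration, not F5 code.  A match means a
line resembles a quoted symptom, nothing more: some of these messages also
appear during normal operation."""

import re
from collections import defaultdict

# F5 messages carry a "hhhhhhhh:l:" prefix: an 8-hex-digit message ID, then the log level.
# Everything before the message body is optional so that bare lines, as quoted on this
# page, parse the same way as full /var/log/ltm lines with a syslog prefix.
LINE_RE = re.compile(
    r"""^
    (?:(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+)?  # syslog prefix
    (?:(?P<level>emerg|alert|crit|err|warning|notice|info|debug)\s+)?           # level word
    (?:(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s+)?                             # process[pid]:
    (?:(?P<msgid>[0-9a-f]{8}):(?P<sev>\d):\s+)?                                 # message ID:level:
    (?P<msg>.+)$""",
    re.VERBOSE,
)

# (message ID, or None when the quoted symptom has none; required substring; issue ID; note)
SIGNATURES = [
    ("01070406", "Removed publication with publisher id", "643860-4", "/dev/vnic opened by a non-BIG-IP program"),
    (None, "MCP connection expired early in startup", "643860-4", "/dev/vnic opened by a non-BIG-IP program"),
    ("01070829", "Invalid partition ID request", "643799-1", "partition deleted while its folder is in a device group"),
    ("01070095", "lists incompatible profiles", "641450", "virtual deleted and recreated in one transaction"),
    ("01010007", "Incomplete hud chain for listener", "641450", "virtual deleted and recreated in one transaction"),
    ("01070734", "Invalid mcpd context, folder not found", "638091-4", "named pool member changed without an intermediate sync"),
    ("01071837", "gateway failsafe device", "636348-3", "gateway failsafe references a device removed by a trust reset"),
    ("01071ab6", "Please see SOL14556", "638893-1", "cosmetic: message cites the old SOL article number"),
    (None, "hsb interface", "641582-1", "HSB transmitter failure"),
    (None, "PCRE compilation failed", "640751-2", "non-PCRE parameter regex, no enforcement"),
    (None, "Can't run patterns", "636669-3", "attack-pattern change under heavy traffic"),
    (None, "Protobuf message exceeds max defined size", "636412-1", "ASM start with thousands of entities"),
]

# Constructed sample lines: the page's quoted messages with made-up timestamps, PIDs and names.
SAMPLE_LINES = [
    "Jan 10 09:12:01 bigip1 notice mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.",
    "Jan 10 09:12:01 bigip1 notice tmm[5910]: MCP connection expired early in startup; retrying.",
    "Jan 10 09:30:44 bigip1 err mcpd[6492]: 01071ab6:3: The requested media 100TX-FD for interface 1.0 is invalid. Valid settings are: auto, 1000T-FD. Please see SOL14556 for details.",
    "Jan 10 10:02:17 bigip1 err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: vs_icr_test",
    "Jan 10 10:02:18 bigip1 err mcpd[6492]: 01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.",
    "Jan 10 10:15:00 bigip1 err mcpd[6492]: 01070734:3: Configuration error: Invalid mcpd context, folder not found /Part1",
    "Jan 10 10:20:00 bigip1 err mcpd[6492]: 01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.",
    "Jan 10 10:25:00 bigip1 notice tmm[5910]: 01010028:5: No members available for pool /Common/http_pool",
    "Jan 10 11:00:00 bigip1 notice tmm[5910]: panic: hsb interface 1 DMA lockup on transmitter failure.",
    "PCRE compilation failed at offset 12: PCRE does not support \\L, \\l, \\N, \\U, or \\u",
]


def parse_line(line):
    """Split one log line into stamp/host/level/proc/pid/msgid/sev/msg (None where absent)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line):
    """Return (issue_id, note) for the first signature a line matches, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    for msgid, needle, issue, note in SIGNATURES:
        if msgid is not None and rec["msgid"] != msgid:
            continue  # a coded signature must match on the message ID, not just the text
        if needle in rec["msg"]:
            return issue, note
    return None


def triage(lines):
    """Count matching lines per known-issue ID; lines that match nothing are ignored."""
    hits = defaultdict(int)
    for line in lines:
        found = classify(line)
        if found:
            hits[found[0]] += 1
    return dict(hits)


if __name__ == "__main__":
    for issue, count in sorted(triage(SAMPLE_LINES).items()):
        print(f"{issue}: {count} line(s)")
```

Feed it lines from /var/log/ltm, /var/log/tmm or bd.log (for example by reading a qkview's log directory) and treat each hit as a pointer into the entry above, to be confirmed against that entry's Conditions before acting on its Workaround.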
636289-2 : Fixed a memory issue while handling TCP::congestion iRule
Component: Local Traffic Manager
Symptoms:
Increased memory usage in tmm.
Conditions:
TCP::congestion highspeed iRule is executed for the TCP connection. The issue is only observed for highspeed congestion control.
Impact:
The memory allocated for congestion control is not freed.
Workaround:
If you want highspeed congestion control only under some conditions, select highspeed in the TCP profile so that connections start with it, and use TCP::congestion to switch to the desired alternative when the condition no longer holds. With this workaround, once a connection has switched away from highspeed it cannot switch back to highspeed.
636164 : Remote IP not working in IE 8
Component: TMOS
Symptoms:
Adding a Remote IP in System :: Logs : Configuration : Remote Logging has no effect in Microsoft Internet Explorer (IE) version 8.
Conditions:
Using IE 8.
Impact:
Remote IP does not work.
Workaround:
BIG-IP version 12.x and later do not support IE 8. Use a later version of IE, or use another browser.
636163 : Certificate Key Chain not working in IE 8
Component: TMOS
Symptoms:
Certificate Key Chain not working in Microsoft Internet Explorer (IE) version 8.
Conditions:
Using IE 8.
Impact:
Certificate Key Chain does not work.
Workaround:
BIG-IP version 12.1.0 and later do not support IE 8. Use a later version of IE, or use another browser.
636104-2 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
Component: Application Visibility and Reporting
Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.
Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.
Impact:
Not seeing the pool member under the HTTP "pool" dimension.
Workaround:
You can define a temporary pool member with the port that is actually in use (e.g. 80) and delete it afterwards. Once the member has been defined, it is recorded in the database and is displayed from that point on.
This is only a partial workaround, because it must be repeated for every port that carries traffic.
636031-4 : GUI LTM Monitor Configuration String adding CR for type Oracle
Solution Article: K23313837
Component: TMOS
Symptoms:
If the value entered in the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.
Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.
Impact:
The /config/bigip.conf file contains CR characters.
Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.
635871-1 : tmsh validation of hash persistence timeout setting is incorrect
Component: Local Traffic Manager
Symptoms:
The permitted hash persistence timeout value range is 1 to 4294967295, but tmsh lets you set the value to 0 without error.
Conditions:
This occurs when running the following tmsh command:
tmsh modify ltm persistence hash <profile_name> timeout <number>
where <number> = 0
The GUI will report a validation error if you try to set it to 0 in the GUI.
Impact:
The value of 0 will be saved but the minimum value should be 1.
Workaround:
If you accidentally set a timeout to 0, you can set it back to the correct range using the following tmsh command:
tmsh modify ltm persistence hash <profile_name> timeout <1-4294967295>
635173-1 : Standby BIG-IP TMM uses unexpectedly large amount of memory
Component: Local Traffic Manager
Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device, and it recovers each time when the high availability (HA) connection is lost and re-established.
Conditions:
The problem occurs only on a standby device while L7 connection mirroring is in effect.
Impact:
The standby device may not be able to take over traffic when failover happens.
Workaround:
There is no workaround at this time.
634369-2 : Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes
Component: Local Traffic Manager
Symptoms:
Bigd crash (SIGABRT) while running iControl REST scripts against monitor configurations with FQDN nodes.
Conditions:
-- Bigd configured with FQDN nodes.
-- iControl REST calls are used to interact with the system.
Impact:
Bigd crashes and restarts. Monitoring correctly resumes after the restart period.
Workaround:
None.
634014 : Absolute timers may fire one second early during the leap second event
Component: TMOS
Symptoms:
Absolute timers that expire at midnight UTC may fire one second early when the leap second is inserted.
Conditions:
This occurs if an absolute timer is used to trigger a task, and the leap second occurs during the timer window. For example if an absolute timer of 60 seconds is scheduled and the leap second event occurs midway through that interval, the event will appear to fire one second earlier than expected.
Impact:
Impact to applications is unknown. The system stays stable, but a timer may fire earlier than expected.
Workaround:
None.
633824-2 : Cannot add pool members containing a colon in the node name
Solution Article: K39319200
Component: TMOS
Symptoms:
You are allowed to create nodes that contain a colon in the node name. If you later try to add the named node (e.g. 10.1.20.10:80), adding the node will fail and you will get an error similar to the following:
0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).
Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon.
Impact:
You are unable to add the node to the pool and will get a validation error.
Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.
633691-4 : HTTP transaction may not finish gracefully because the TCP connection is closed by RST
Component: Local Traffic Manager
Symptoms:
HTTP or other higher-layer protocol transactions may not finish gracefully because the TCP connection is closed by RST.
Conditions:
1. There is ClientSSL or ServerSSL configured on the Virtual Server.
2. HTTP or another higher-layer protocol has not finished its transaction yet.
3. Client or Server sends out the TCP FIN packet.
Impact:
Application-level responses may not be received at all by the client.
Workaround:
No Workaround.
633568 : Pool statistics page doesn't show all pool members in IE8 with compatibility view
Component: TMOS
Symptoms:
While accessing the pool statistics page with IE8 with compatibility view mode, pool member expand/collapse icons do not work properly. Specifically, one of the pool members is displayed as blank.
Conditions:
This occurs when accessing the BIG-IP GUI using IE8; navigate to Statistics :: Module Statistics : Local Traffic. Select "Pool" and press "collapse (plus)" icon to expand pool members.
Impact:
One pool member is displayed as a blank row.
633495 : Cannot switch between partitions in Local Traffic :: Policies
Component: TMOS
Symptoms:
When you are in the Local Traffic :: Policies page, you are unable to change partitions.
Conditions:
This occurs when multiple admin partitions exist and there are policies in each partition, and you wish to change partitions.
Impact:
You are unable to change partitions from the Local Traffic :: Policies page.
Workaround:
Change to another page in the GUI and change the partition, then visit the Policies page again.
633464-2 : Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
Component: Local Traffic Manager
Symptoms:
Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
Conditions:
HTTP/2 profile is attached to the virtual. Content-length header is sent by the server.
Impact:
If a client application requires the content length for HTTP/2, the application does not function as expected.
Workaround:
None.
633454-1 : Older versions of Chrome get blocked when Proactive Bot Defense is enabled.
Component: Advanced Firewall Manager
Symptoms:
Older versions of Chrome get blocked when Proactive Bot Defense is enabled.
Conditions:
-- Versions of Chrome older than version 53.
-- Proactive Bot Defense is enabled.
Impact:
Browser gets blocked.
Workaround:
Use one of the following workarounds:
-- Use a version of Chrome that is version 53 or later.
-- Use a different browser.
633349-3 : localdbmgr hangs and eventually crashes
Solution Article: K86613330
Component: Access Policy Manager
Symptoms:
localdbmgr hangs, consumes a lot of CPU and eventually crashes due to a rare condition in which the program's execution halts while logging configuration changes are applied.
Conditions:
Rare condition upon changing log settings configuration, or when localdbmgr process loads existing log config settings upon start / restart.
Impact:
localdbmgr hangs, consumes a lot of CPU and eventually crashes.
Workaround:
localdbmgr should restart and recover from this crash. If it doesn't, perform a "bigstart restart localdbmgr"
633172 : External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command
Solution Article: K12473201
Component: TMOS
Symptoms:
The REST call to install a key from a local file fails when the user is external (e.g., LDAP), even when its role is Administrator.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is configured to allow access to external LDAP users.
-- The external LDAP user is assigned an Administrator role.
-- The external LDAP user uses the tm/sys/crypto/key iControl REST command to import a key from a local file.
For example, you use the tm/sys/crypto/key iControl REST command with external LDAP user f5user that is assigned with the Administrator role, as follows:
restcurl -u f5user:f5user -X POST https://localhost/tm/sys/crypto/key -d '{"command":"install","name":"/Common/my-key.key","from-local-file":"/var/config/rest/downloads/my_key.key"}'
Impact:
Key install operation fails.
Workaround:
To work around this issue, you can use the sys/file/ssl-key iControl REST command to import a key file instead. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the command line on the system from which you want to import the key file.
Note: The system must be able to support the command line version of the curl command.
2. Import the key file using the following command syntax:
curl -k -u <username:password> -H "Content-Type: application/json" -X POST https://<BIG-IP device>/tm/sys/file/ssl-key/ -d '{"name":"<key file name>","source-path":"<full path to key file>"}'
For example:
curl -k -u f5user:f5user -H "Content-Type: application/json" -X POST https://localhost/tm/sys/file/ssl-key/ -d '{"name":"f5user1.key","source-path":"file:///shared/my_key.key"}'
Note: Ensure that the key file name includes the file suffix, as the tm/sys/file/ssl-key iControl REST command does not automatically append .key to the key name.
633110-2 : Literal tab character in monitor send/receive string causes config load failure, unknown property
Solution Article: K09293022
Component: Local Traffic Manager
Symptoms:
BIG-IP allows you to paste monitor send or receive strings that contain tabs, but the tabs are not quoted when the string is saved to the configuration. This causes the configuration load to fail with the following error signature:
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property
Conditions:
This can occur if you copy a monitor send or receive string containing a tab and paste it into the send/recv string field in tmsh or the GUI.
Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.
Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.
632958-2 : APM MIB gauges not reset on standby device
Component: Access Policy Manager
Symptoms:
The following MIB gauges are not reset after the device transitions from active to standby:
F5-BIG-IP-APM-MIB::apmAccessStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmAccessStatCurrentEndedSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentPendingSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentCompletedSessions
Conditions:
After a failover occurs.
Impact:
Since these gauges represent current session counts, an administrator may not be able to identify the active device by looking at them.
632901-1 : JET documentation incorrect for RESOLV::lookup
Solution Article: K03112333
Component: Local Traffic Manager
Symptoms:
JET documentation for the iRule command RESOLV::lookup contains a description of a bug where PTR records are not being cached. The documentation includes a workaround for this bug. However, the bug no longer exists.
Conditions:
tmsh help ltm rule command RESOLV::lookup | grep "Note: The results" -A6
Impact:
JET documentation mentions a resolution to a bug that no longer exists.
Workaround:
None. This is a cosmetic issue that you can safely ignore.
632839 : UDP Flood does not get detected if the vector limits are infinite
Component: Advanced Firewall Manager
Symptoms:
If the UDP_flood AFM DoS vector is configured as 'infinite' for both detection-threshold-pps and default-internal-rate-limit, the flood is not detected; even the per-virtual-server and Sweep/Flood levels do not detect UDP_flood. If the values are not infinite, detection works as expected. The default value for detection-threshold-pps is 400000.
Conditions:
-- Settings of 'infinite' for UDP_flood device-dos vector.
-- Running v12.1.1, 12.1.2, or 12.1.3.
Impact:
You might expect UDP_flood vector to be detected at the per-virtual server and Sweep/Flood level, but if it is configured at infinite at the global device level, then it will not be detected at any level at all.
Workaround:
To enable the system to detect UDP_Flood at the various levels, set the global device-dos level for UDP_flood to be 4294967294 (1 less than MAX_UINT32).
Note: With this workaround, the system still cannot detect the UDP_flood vector at the global device level, because the number is too high.
632838-1 : Deterministic NAT performance may be degraded
Component: Performance
Symptoms:
Deterministic NAT performance may be degraded compared to performance in 12.1.x.
Conditions:
Deterministic NAT configuration in use in version 13.0.
Impact:
CPU utilization will be higher, and the system may pass traffic with less speed.
Workaround:
Enable the db variable pva.fwdaccel to see DNAT performance improve with a fastL4 profile.
632825-5 : bcm56xxd crash following 'silent' port-mirror configuration failure
Component: TMOS
Symptoms:
A port-mirror configuration can fail 'silently', that is, MCPD reports no error, yet the following is logged in /var/log/ltm:
err bcm56xxd: 012c0011:3: Trunk port trouble with bcm_mirror_port_set() Entry exists bs_mirror.c(598).
err bcm56xxd: 012c0010:3: Trouble committing mirror settings to hardware: 0:21 bs_mirror.c(671).
err bcm56xxd: 012c0010:3: Trouble setting port mirror from 2.1 to 2.6 bsx.c(5173).
Once this happens, any subsequent port-mirror configuration will result in a deadlock condition and SOD will restart bcm56xxd.
If the port-mirror interfaces are part of a trunk, any trunk configuration will cause this condition. For example, adding a vCMP guest.
Conditions:
A prior 'silent' port-mirror configuration error, followed by a subsequent port-mirror configuration command.
Impact:
bcm56xxd continuously restarts until the bad port-mirror configuration is removed.
Workaround:
None.
632824-1 : SSL TPS limit can be reached if the system clock is adjusted
Solution Article: K00722715
Component: Local Traffic Manager
Symptoms:
If you adjust the system clock you will occasionally get error messages of the form "SSL transaction (TPS) rate limit reached". (For the intended feature of this message, see K7747: Error Message: SSL transaction (TPS) rate limit reached https://support.f5.com/csp/article/K7747.)
Conditions:
Occurs when you adjust the system clock.
Impact:
When the message occurs, the connection and often several subsequent connections are dropped.
Workaround:
None.
632798-2 : Double-free may occur if Access initialization fails
Component: Access Policy Manager
Symptoms:
Double-free may occur if Access initialization fails.
Conditions:
Access initialization failure occurs, possibly due to license issues.
Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.
Workaround:
None.
632723-1 : tmm core with remote logging pool in non-zero route domain
Solution Article: K05079458
Component: Advanced Firewall Manager
Symptoms:
tmm cores every minute with a security log profile set to send log messages to pool members in a different route domain.
Conditions:
Remote logging pool configured, and the pool members are in a non-zero route domain that is different than that of the forwarding virtual.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the logging pool members are in the zero route domain.
632658-4 : Enable SIP::persist command to operate during SIP_RESPONSE event
Component: Service Provider
Symptoms:
Without this change, it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.
Conditions:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.
Impact:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.
Workaround:
NA
632604-1 : SSL::sessionid iRule command returns incorrect result
Component: Local Traffic Manager
Symptoms:
SSL::sessionid iRule command returns incorrect result
Conditions:
An iRule is used to retrieve the session ID.
Impact:
The session ID might not be reliable.
Workaround:
None.
632553-2 : DHCP: OFFER packets from server are intermittently dropped
Solution Article: K14947100
Component: Local Traffic Manager
Symptoms:
With a DHCP relay virtual server, OFFER packets from the DHCP server are intermittently not forwarded to the client and are dropped on the BIG-IP system.
Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.
Impact:
Client machines joining the network do not receive DHCP OFFER messages.
Workaround:
You may be able to work around this condition by issuing the following tmsh command:
tmsh delete sys connection cs-server-addr 255.255.255.255 cs-server-port 67
632246-1 : Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.
Component: Advanced Firewall Manager
Symptoms:
pvasyncookies db variable does not disable/enable HW syn-cookies on secondary blades, and does not persist across MCPD restart/reboot.
Conditions:
Non-default setting for the pvasyncookies db variable.
Impact:
Setting does not persist across MCPD restart/reboot.
Workaround:
None.
631715-1 : ASM::disable does not disable client side challenges
Component: Application Security Manager
Symptoms:
ASM::disable command was run but a challenge was still sent.
Conditions:
An iRule with ASM::disable is in use, and a CS or DID challenge is configured.
Impact:
An unexpected JS challenge arrives.
Workaround:
N/A
631334-4 : TMSH does not preserve \? for config save/load operations
Component: TMOS
Symptoms:
TMSH strips the escape character from the literal strings '\?' and '\[' in ltm monitor send/recv strings, turning them into '?' and '['.
Conditions:
This condition manifests whenever the send/recv string in LTM monitor contains '\?' (backslash-question mark) or '\[' (backslash-open square bracket).
Impact:
This might cause the BIG-IP system to load incorrect monitor send/recv strings.
Workaround:
Use [] (open square bracket-close square bracket) in these cases, for example:
[?] [[]
Or simply avoid using '\' (backslash) in front of '?' (question mark) or in front of '[' (open square bracket) to indicate a literal string.
631286-1 : URI cache entries should be replaced /expired for euie hash table
Component: Access Policy Manager
Symptoms:
Tmctl stats for "access_uri_info" gradually grows and can lead to TMM memory exhaustion.
Conditions:
APM or SWG use case.
Impact:
TMM memory exhaustion.
Workaround:
Restart tmm.
631046 : Unable to generate a FIPS key using the GUI
Component: TMOS
Symptoms:
While generating a FIPS key from the BIG-IP GUI, you get the following error:
Key management library returned bad status: -4, FIPS security is not licensed, FIPS key security type is not allowed.
Generating a FIPS key from tmsh works properly.
Conditions:
This occurs on FIPS-licensed 12.1.1 HF1 and HF2, when using the GUI to generate the FIPS key.
Impact:
Unable to generate a FIPS key using the GUI.
Workaround:
Use the following tmsh command to generate a FIPS key:
tmsh create sys crypto key <key_object_name> security-type fips
630795-1 : No guestagentd entry in merged.conf
Component: TMOS
Symptoms:
There is no entry for guestagentd in merged.conf. This results in the following error in the ltm log whenever merged starts up:
"Process managed by runsv is not in /config/merged.conf: guestagentd"
Conditions:
This is encountered whenever merged starts.
Impact:
The proc_stat and plane_proc_stat statistics tables are also affected: if the pid changes for any reason, the BIG-IP system does not map the statistics to the right process information.
Workaround:
Add a guestagentd entry to merged.conf.
630257-1 : Monitor send/receive strings cannot end with trailing single-backslash★
Component: Local Traffic Manager
Symptoms:
A monitor with a 'send' or 'receive' string is not supported with a single trailing backslash, such as "GET /\r\n\" (note the single-trailing backslash that "escapes" the trailing double-quotes).
Conditions:
A monitor 'send' or 'receive' string ends with a single trailing backslash; and the configuration is saved, and then a load is attempted.
Impact:
When configuration is saved and then loaded, the single-trailing backslash will escape the trailing double-quotes and the configuration will fail to load.
Workaround:
A double-trailing backslash is supported, where the trailing double-quotes will not be escaped, for example:
"GET /\\r\\n"
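The three monitor-string issues on this page (633110 literal tab, 631334 '\?' and '\[' escapes, and 630257 trailing backslash above) all come down to a send/receive value that survives a config save but breaks the next load. As an added example that is not part of the release note or of any F5 tooling, the following Python check flags those shapes in a monitor string and rewrites them into the forms the workarounds recommend; the function names and sample strings are constructed for this example.

```python
"""Check BIG-IP LTM monitor send/receive strings for the shapes that the
known issues above say survive a config save but break the next load.

Added example, not part of the release note or of any F5 tooling; the
function names and sample strings are constructed for illustration.
The input is the string value as it appears between the double quotes in
bigip.conf (for example GET /\\r\\n), not the quoted form.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    issue: str      # release-note issue ID the finding corresponds to
    position: int   # 0-based offset of the offending character
    detail: str


def lint_monitor_string(value: str) -> List[Finding]:
    """Return one Finding per problem; an empty list means the string is safe."""
    findings: List[Finding] = []
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch == "\t":
            # 633110: a literal tab is not quoted on save -> "unknown property" on load
            findings.append(Finding("633110", i, "literal tab; write it as \\t"))
            i += 1
            continue
        if ch != "\\":
            i += 1
            continue
        if i + 1 == n:
            # 630257: a lone trailing backslash escapes the closing double-quote
            findings.append(Finding("630257", i, "single trailing backslash; use \\\\"))
            break
        nxt = value[i + 1]
        if nxt in "?[":
            # 631334: tmsh strips the backslash from \? and \[ on save/load
            findings.append(Finding("631334", i,
                                    "'\\" + nxt + "' is stripped to '" + nxt + "'; use [" + nxt + "]"))
        # consume the escape pair whole, so an escaped backslash followed by '?' is not flagged
        i += 2
    return findings


def fix_monitor_string(value: str) -> str:
    """Rewrite the string into the forms the workarounds recommend."""
    out: List[str] = []
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch == "\t":
            out.append("\\t")          # tab -> \t (633110 workaround)
            i += 1
            continue
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 == n:
            out.append("\\\\")         # lone trailing backslash -> \\ (630257 workaround)
            break
        nxt = value[i + 1]
        # \? -> [?] and \[ -> [[] (631334 workaround); other escapes are kept as-is
        out.append("[" + nxt + "]" if nxt in "?[" else ch + nxt)
        i += 2
    return "".join(out)


if __name__ == "__main__":
    # constructed sample values, one per issue
    for sample in ("GET /\\r\\n\\", "GET /\tHTTP/1.0", "^HTTP/1\\.[01] 200 OK\\?"):
        for f in lint_monitor_string(sample):
            print(f"{f.issue} at offset {f.position}: {f.detail}")
        print("  fixed:", fix_monitor_string(sample))
```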
629834-4 : istatsd high CPU utilization with large number of entries
Component: TMOS
Symptoms:
With a large number of istats entries, statsd uses a large amount of CPU time to process istats.
Conditions:
This occurs when there is a large number of istats entries in iRules.
Impact:
istats processing is slow. CPU utilization by istatsd is high.
Workaround:
Reduce the number of istats entries. Periodically purge the istats entries if possible.
629421-1 : Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
Component: Global Traffic Manager (DNS)
Symptoms:
The memory consumption of Big3d will slowly increase if a lot of Wide IPs are being created or deleted.
Conditions:
Adding or removing Wide IPs on a GTM sync pair.
Impact:
A few bytes of memory will be leaked by Big3d on sync.
Workaround:
There is no workaround at this time.
628402-4 : Operator users receive 'can't get object count from mcpd' error in response to certain commands
Solution Article: K79213220
Component: TMOS
Symptoms:
Operator users receive the following error in response to certain commands:
Unexpected Error: Can't display all items, can't get object count from mcpd.
Conditions:
-- The user is 'Operator' level.
-- The command is a top-level list or show command, such as the 'show running-config' command.
Impact:
Operator-level users are unable to issue 'show' and 'list' commands on top-level objects, but can 'show' and 'list' specific configuration objects.
Workaround:
Issue commands for specific configuration objects.
628180-1 : DNS Express may fail after upgrade★
Component: Global Traffic Manager (DNS)
Symptoms:
After an upgrade, TMM may not answer queries for DNS Express (DNSX) zones until TMM is restarted or the DNSX zone is refreshed.
Conditions:
Upgrading from a previous version.
Impact:
DNS Express may fail after upgrade.
Workaround:
Restart TMM, or force TMM to reload the DNS express database by running "tmsh load ltm dns dns-express-db".
628016-2 : MP_JOIN always fails if MPTCP never receives payload data
Component: Local Traffic Manager
Symptoms:
MP_JOIN during an MPTCP connection always fails if the BIG-IP never receives payload data.
Conditions:
A virtual server is configured with a TCP profile attached and "Multipath TCP" is enabled.
An MPTCP connection is established where payload data is never sent to the BIG-IP.
Impact:
Unidirectional data connections receiving data from the BIG-IP (like with FTP) cannot join additional subflows.
Workaround:
There is no workaround at this time.
627764-2 : Prevent sending a 2nd RST for a TCP connection
Component: Local Traffic Manager
Symptoms:
After a specific sequence of packets that results in sending an RST packet, the TCP connection is kept alive and sends another RST when the connection expires.
Conditions:
A specific sequence of packets (a second SYN segment within the TCP window) is received by a TCP connection.
Impact:
Two RST segments are sent to the client instead of one. In addition, the TCP connection is kept alive until the sweeper cleans it up.
Workaround:
There is no workaround at this time.
627760-3 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
Component: TMOS
Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.
Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.
Impact:
No DNSSEC key of that name is present on FIPS card.
Workaround:
None.
627695-2 : [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the uninstall during "safenet-sync.sh -u" are not operational
Component: Local Traffic Manager
Symptoms:
'Yes' and 'No' options to proceed or cancel the uninstall operation are not operational.
Conditions:
Issue happens when running safenet-sync.sh -u.
Impact:
No impact.
Workaround:
None.
627447 : Sync fails after firewall policy deletion
Component: Advanced Firewall Manager
Symptoms:
When deleting a firewall policy and then creating a new one, sync to standby fails.
Conditions:
Delete firewall policy then create a new one. Sync to Standby.
Impact:
Sync fails.
Workaround:
None.
627384-1 : eamtest tool fails with Segmentation fault after initialization.
Component: Access Policy Manager
Symptoms:
Tests done with eamtest tool fail with Segmentation fault after initialization.
Conditions:
Run eamtest tool.
Impact:
eamtest tool fails, which affects troubleshooting using the tool.
Workaround:
Run eamtest with LD_PRELOAD=libeam_asdk_preload.so prefix.
627341-1 : TMUI loginProviderName is invalid when requesting a REST token
Component: Device Management
Symptoms:
Requests for X-F5-Auth-Token fail when a TMUI view is loaded that requires a X-F5-Auth-Token used for REST requests.
Conditions:
On startup, if the tmos login provider takes too long to become available, the login provider remains unavailable and requests for auth tokens fail. This is a race condition and happens intermittently, typically on lower-end devices.
Impact:
GUI cannot retrieve an F5-Auth-Token for REST requests.
Workaround:
bigstart restart restjavad
627144 : Two users cannot create policies at the same time.
Component: Application Security Manager
Symptoms:
Two users cannot create policies at the same time.
Conditions:
-- Two users with admin authority are logged onto the GUI.
-- Both begin creating separate ASM policies with distinct options.
For instance:
- User 'wafadmin1' logs in first.
- User 'wafadmin2' logs in second.
- Both are creating policies.
- When wafadmin2 submits the policy, it's being overwritten by policy details given by wafadmin1.
- Only user wafadmin1 can de-activate a policy; for other users the option itself is grayed out.
Impact:
Policy from one user can overwrite another's. Can also affect who can de-activate a policy.
Workaround:
None.
626861-2 : Ensure unique IKEv2 sequence numbers
Solution Article: K31220138
Component: TMOS
Symptoms:
Although BIG-IP generates random sequence numbers for use in protocol negotiation, it is possible to allocate a new number already in use by a phase-one ike-SA or a phase-two child-SA.
Conditions:
When a sufficiently large number of tunnels are in use (e.g., numbering in the thousands), the odds of generating a duplicate sequence number are relatively high, given the number of random bits used to generate the number. More tunnels make it more likely to occur.
Impact:
A sequence number collision might confuse an old SA, and the negotiation of the new SA will probably never complete. In addition, the system might crash if the old SA is updated in a state where an update is not expected.
Workaround:
None.
626589-6 : iControl-SOAP prints beyond log buffer
Solution Article: K73230273
Component: TMOS
Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.
Conditions:
Logging for iControl SOAP is turned on with trace level.
Impact:
iControl-SOAP can print garbage log output to /var/log/ltm and, because it reads beyond a buffer, can potentially lead to instability.
Workaround:
Do not enable logging with trace level, which is not turned on by default.
626279-1 : After reboot LCD reports "unit going standby" even if it has gone active.
Component: TMOS
Symptoms:
After a reboot, the LCD and the tmsh show sys alert command reports "unit going standby" even though the device has become active.
Conditions:
This can occur intermittently on system startup.
Impact:
LCD and tmsh show sys alert erroneously report "unit going standby". The /var/log/ltm log will have messages from sod indicating that it has become active.
625428-1 : SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
Component: TMOS
Symptoms:
The F5 BIG-IP local MIB has the wrong value definitions for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit:
allowed(0), disallowed(1)
instead of
disabled(0), enabled(1)
Conditions:
This occurs on any platform that supports this MIB field and has LTM Pool configurations.
Impact:
Information mismatch
625166-1 : Suspended iRules cannot complete on aborted flows
Component: Local Traffic Manager
Symptoms:
A suspended iRule does not resume if the connection aborts in the interim.
Conditions:
An iRule suspends and the connection aborts.
Impact:
Not all business logic may execute.
Workaround:
None
625165-2 : Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.
Component: Access Policy Manager
Symptoms:
Routes to local DNS servers that are added because of the 'Allow local DNS' option in the Network Access configuration are not removed once the network changes after the VPN is established.
Conditions:
- 'Allow local DNS' option is selected in Network Access config.
- BIG-IP administrator changes the network configuration after VPN is connected.
Impact:
If the BIG-IP administrator changes the network after a VPN is connected, and if DNS servers have changed, then routes to old DNS servers (which may or may not be reachable) will be left in the routing table.
Workaround:
None.
625114-2 : Internal sync-change conflict after update to local users table
Component: Device Management
Symptoms:
User sync is initiated unexpectedly and automatically by the REST framework. To the internal sync system, this will appear as if the same change is being made manually on all devices, causing a change conflict. In other words, 'show cm sync-status' will return output similar to the following:
-------------------------------------------------------------------------------------------------
CM::Sync Status
-------------------------------------------------------------------------------------------------
Color red
Status Changes Pending
Mode high-availability
Summary There is a possible change conflict between device1 and device2.
Details
device1: connected
mydg (Changes Pending): There is a possible change conflict between device1 and device2.
- Recommended action: Synchronize device2 to group mydg
In addition, users that were synchronized by the REST framework may not have the correct role and/or partition assigned to them.
Conditions:
A sync-failover device group exists.
In addition, the REST framework's 'gossip' mechanism must be set up correctly. This should happen automatically, but might not be ready yet. You can confirm that this is the case by running 'restcurl shared/resolver/device-groups/tm-shared-all-big-ips/devices'. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.
Impact:
An unexpected change conflict between your devices.
In some cases, high CPU utilization by restjavad may be observed.
Workaround:
When you have the change conflict, force a sync to the device group from the device where the user was originally created.
The high CPU utilization by restjavad may persist after a full sync.
The recommended action is to restart the restjavad service: restart sys service restjavad
624917 : First few handshakes fail after chassis/appliance reboot when using HSM
Component: Local Traffic Manager
Symptoms:
After rebooting with an HSM configured, you notice the first few handshakes fail, with the following error signature in /var/log/ltm:
warning tmm3[13085]: 01260009:4: Connection error: info tmm3[13085]: 01260013:6: ssl_hs_vfy_sign_srvkeyxchg:9921: sign_srvkeyxchg (80)
1260013:6: SSL Handshake failed for TCP <src> -> <dest>
Conditions:
This occurs on the first few connections after reboot when an HSM is configured, and seems to occur if the device does not immediately pass traffic after reboot.
Impact:
The initial SSL connections will fail, then normal operation will resume.
Workaround:
None.
624909-2 : Static route create validation is less stringent than static route delete validation
Component: TMOS
Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.
Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.
Impact:
Unable to delete certain self-IPs.
Workaround:
In order to delete the self-IPs you can either:
1) Delete the static route.
or
2) Create a self-IP on the same interface that uses the same IP protocol as the static route.
624846-1 : TCP Fast Open does not work for Responses < 1 MSS
Component: Local Traffic Manager
Symptoms:
BIG-IP does not send the data until receiving the first client ACK.
Conditions:
TCP Fast Open requests an object of less than 1 MSS in size.
Fast open and delayed acks enabled.
Impact:
Delayed completion of the connection.
Workaround:
Disable delayed acks.
624626-3 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
Component: TMOS
Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:
01020036:3: The requested Certificate File (/Common/example.crt) was not found
Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.
Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.
Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:
tmsh delete sys crypto cert example
tmsh delete sys crypto key example
624484-2 : Timestamps not available in bash history on non-login interactive shells
Solution Article: K09023677
Component: TMOS
Symptoms:
There are no timestamps in bash history when bash is initiated from tmsh.
Conditions:
This issue arises when an Administrator or Resource Administrator with tmsh as the default shell runs bash from tmsh and then runs the 'history' command.
Impact:
Running 'history' in bash will not include timestamps of commands.
Workaround:
Timestamps can be added to bash history by running the following command in bash: export HISTTIMEFORMAT="%Y-%m-%d %T ".
624187-1 : Relocate TUC AVP to group AVP USU
Component: Policy Enforcement Manager
Symptoms:
Current implementation sends Traffic Change Usage (TCU) in MSCC at the same level as USU.
Conditions:
Anytime there is a TCU.
Impact:
Interoperability with ZTE OCS, which requires it as a child of USU (Used-Service-Unit).
624044-1 : LTM Monitor custom recv/send/recv-disable parameters that have a backslash at the end may fail to load★
Solution Article: K42806722
Component: Local Traffic Manager
Symptoms:
If LTM monitor configuration parameters have custom strings that end with a backslash, the saved configuration will fail to load.
Conditions:
Any of the "recv", "send", or "recv-disable" parameters has a backslash at the end, and the configuration is saved.
Impact:
The new configuration fails upon reload.
Workaround:
Do not end custom strings with backslashes.
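A pre-save lint for this condition, added here as an example; it is not part of the release note or of F5's tooling. It scans a bigip.conf fragment (a constructed sample with hypothetical monitor names) and reports every recv/send/recv-disable string that ends in a backslash, which is what makes the saved configuration unloadable.

```python
import re

# Constructed bigip.conf fragment, not taken from a real system; monitor names are hypothetical.
# The second monitor's recv and recv-disable strings end in a backslash.
SAMPLE_BIGIP_CONF = r'''
ltm monitor http /Common/good_http {
    defaults-from /Common/http
    recv "HTTP/1.1 200 OK"
    send "GET /health HTTP/1.0\r\n\r\n"
}
ltm monitor http /Common/bad_http {
    defaults-from /Common/http
    recv "C:\\inetpub\\"
    send "GET /health HTTP/1.0\r\n\r\n"
    recv-disable "MAINT\"
}
'''

MONITOR_HEAD_RE = re.compile(r"^ltm monitor \S+ (\S+) \{")
PARAM_RE = re.compile(r"^\s*(recv-disable|recv|send)\s+(.*\S)\s*$")


def trailing_backslashes(value):
    """Number of backslashes at the very end of the string."""
    return len(value) - len(value.rstrip("\\"))


def unquote(raw):
    """Strip one pair of surrounding double quotes if present, leaving escapes intact."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def find_trailing_backslash_params(conf_text):
    """Return (monitor, parameter, count) for every recv/send/recv-disable string
    that ends in one or more backslashes.

    A single trailing backslash escapes the closing quote, so the saved
    configuration fails to parse on reload. Runs of even length may be escaped
    literal backslashes, but the release note's guidance is simply not to end
    these strings with a backslash, so every trailing run is reported with its length.
    """
    findings = []
    monitor = None
    for line in conf_text.splitlines():
        head = MONITOR_HEAD_RE.match(line)
        if head:
            monitor = head.group(1)
            continue
        if line.startswith("}"):
            monitor = None
            continue
        param = PARAM_RE.match(line)
        if param is None or monitor is None:
            continue
        name, raw = param.groups()
        count = trailing_backslashes(unquote(raw))
        if count:
            findings.append((monitor, name, count))
    return findings


if __name__ == "__main__":
    for monitor, name, count in find_trailing_backslash_params(SAMPLE_BIGIP_CONF):
        print(f"{monitor}: '{name}' ends with {count} backslash(es); config will not reload")
```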
623779-2 : Adding a client side challenge whitelist URL wildcard list
Component: Application Security Manager
Symptoms:
There is no way to specify that a URL wildcard is always qualified for client-side challenges. As a result, the system cannot use the client-side (CS) challenge defense against DoS attacks on dynamic URLs, nor the proactive bot defense.
Conditions:
Dynamic URLs are under a DoS attack and the system has CS mitigation enabled.
Impact:
CS mitigation is not effective and DoS mitigation falls back to rate limiting.
Workaround:
N/A
623536-2 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
Component: TMOS
Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, the SNMP traps that should report RSTs sent because maintenance mode is enabled are not sent.
Conditions:
Reset cause logging and maintenance mode are enabled.
An SNMP trap destination is configured and routable.
Impact:
SNMP traps are not sent.
Workaround:
Adding a custom trap to /config/user_alert.conf with the special characters escaped works around the issue:
alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}
623488-4 : Custom adaptive reaper settings may be lost at upgrade time★
Component: TMOS
Symptoms:
Beginning in 11.6.0, the adaptive-reaper was changed to use the default-eviction policy. The configuration migration script does not migrate the adaptive-reaper settings, so after upgrade the reaper settings are reset to their default.
Conditions:
Upgrade from 10.x to 11.6.0 or later.
Impact:
Settings may be unexpectedly changed as part of upgrade.
Workaround:
Inspect the values after upgrade and reconfigure them.
623371-1 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
Component: TMOS
Symptoms:
When attempting to ssh in as a nonexistent user using SSH keypair, the connection closes.
Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.
Impact:
User does not see expected password prompt.
This can be used to check which usernames are valid on the BIG-IP system, but it requires SSH keys.
Workaround:
None known.
623367-1 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.
Solution Article: K57879554
Component: TMOS
Symptoms:
Able to login to BIG-IP using root's keypair as a user which does not exist on either the BIG-IP or the RADIUS server.
Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.
Impact:
With root's SSH keys, a nonexistent user can log in.
Workaround:
Set the default remote role to something other than admin.
623313 : After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.★
Component: TMOS
Symptoms:
After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default. For example, in response to the 'tmsh list sys snmp' command, output in 10.2.x contains the following strings:
community-name public
source default
In 12.1.x, the output does not contain the string 'source default', only the string 'community-name public'.
Conditions:
Upgrade from 10.2.x.
Impact:
Cannot determine the SNMP community name if it is the default.
Workaround:
None.
623265-4 : UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★
Solution Article: K15645547
Component: TMOS
Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt.
Conditions:
A system is upgraded from v10.x to v11.x/v12.x, or a v10.x UCS is restored onto a v11.x/v12.x system.
Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd, non-deterministic behavior between devices, even within an HA pair or cluster of devices. Non-determinism increases because ca-bundle.crt is not ConfigSynced (and appears not to sync across blades in a chassis).
For example, on one device, the BIG-IP system might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.
Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:
1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
2. Reboot the system and clear the MCPD binary database. Refer to AskF5 article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030), but essentially:
touch /service/mcpd/forceload && reboot
3. After reboot, verify that the two files match (they should have the same checksum):
md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
623084-2 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★
Component: Local Traffic Manager
Symptoms:
mcpd fails to load the configuration if a pre-11.6.0 configuration has a DHCP virtual server configured using any profile that is not /Common/udp.
The following message appears in /var/log/ltm:
01070095:3: Virtual server /Common/dhcp_relay-p-rd101 lists incompatible profiles.
This is because the profile in this case is /Common/fastL4 and is not 'converted' to a DHCP profile.
Conditions:
-- A pre-11.6.0 configuration.
-- DHCP-type virtual server configured with a profile other than /Common/udp.
-- Upgrade to 11.6.0 or later.
Impact:
mcpd fails to load the configuration. The BIG-IP system will not be operational until the configuration is changed and loaded.
Workaround:
Before the upgrade, change the profile to /Common/udp.
If you have already upgraded, manually change the bigip.conf file and load the config using the following command: tmsh load /sys config
622876-1 : Certificate serial number is not displayed properly in OCSP Stapling logs.
Component: Local Traffic Manager
Symptoms:
The certificate serial number is not displayed properly in OCSP Stapling logs.
Conditions:
These logs are seen when there are any errors when fetching and validating an OCSP response, and/or when SSL debug logs are enabled.
Impact:
Certificate serial number is not displayed properly.
Workaround:
None.
622870 : When using a Thales key, SSL handshake failed after restarting pkcs11d
Component: Local Traffic Manager
Symptoms:
With a Thales key, SSL handshakes fail after the pkcs11d daemon is restarted.
Conditions:
Thales netHSM is used and pkcs11d daemon is restarted.
Impact:
SSL traffic fails.
Workaround:
Run 'bigstart restart tmm' after 'bigstart restart pkcs11d'.
622204-1 : If a virtual server's name has a "." in it then a DoS profile cannot be attached to it
Solution Article: K14141640
Component: Advanced Firewall Manager
Symptoms:
For virtual servers with a . (dot, or period) in the name and a DoS profile attached, a crash might occur when attacks are detected/stopped.
Conditions:
Virtual server with a name that includes a . and an attached DoS profile, and then a DoS attack is detected.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the . in the virtual server name.
622148-5 : Flow-generated ICMP error messages need to consider which side of the proxy they are on
Component: Local Traffic Manager
Symptoms:
When generating an error message from a flow, the ICMPv6 code does not check which side of the proxy the message needs to be crafted for.
Conditions:
ICMP error handling.
Impact:
As a result, the generated ICMP error message might contain the wrong addressing.
Workaround:
No workaround.
621843-1 : The ipother proxy sends ICMP error messages to the wrong side
Component: Local Traffic Manager
Symptoms:
The ipother proxy's error handling sends ICMP error messages down the wrong side of the proxy. When a client-side error occurs, the error message is sent to the server side.
Conditions:
Error handling of the ipother proxy.
Impact:
ICMP error messages show up on the wrong side.
Workaround:
No workaround.
621379-2 : TCP Lossfilter not enforced after iRule changes TCP settings
Component: Local Traffic Manager
Symptoms:
TCP Lossfilter function doesn't work properly, although the first few losses will be properly ignored.
Conditions:
TCP profile has ALL of the following settings:
mptcp disabled; rate-pace disabled; tail-loss-probe disabled; fast-open disabled; cmetrics-cache-timeout = 0; congestion ctrl is reno, new-reno, high-speed, or scalable; nagle enabled or disabled; rtx_thresh = 3; loss-filter settings are both > 0.
An iRule changes any of the above settings except loss-filter.
Impact:
Sending rate declines due to packet losses improperly interpreted as congestion.
Workaround:
Change any of the conditions above.
621314-6 : SCTP virtual server with mirroring may cause excessive memory use on standby device
Solution Article: K55358710
Component: TMOS
Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.
Conditions:
SCTP virtual server has mirroring enabled.
Impact:
TMMs will have high memory usage on standby device.
Workaround:
Disable mirroring on the SCTP virtual server.
621284-5 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute
Component: WebAccelerator
Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.
Conditions:
Invoking the TMSH man/help page on RAMCACHE.
Impact:
Incorrect TMSH help text.
Workaround:
N/A
621158-1 : f5vpn does not close upon closing session
Component: Access Policy Manager
Symptoms:
f5vpn does not close upon closing session.
Conditions:
-- With Network Access started and connected to BIG-IP using browser.
-- Clicking 'Logout' button on webtop.
Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.
Workaround:
None.
620969-3 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
Component: TMOS
Symptoms:
Using get_valid_key_sizes() to query the valid key sizes, 1024 is returned, which is not valid when the FIPS firmware is version 2.2 or above.
Conditions:
FIPS firmware is version 2.2 or above.
Impact:
Unsupported key-size is returned.
620954-3 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
Component: TMOS
Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
High concurrent authentication attempts may trigger this issue. For example, opening a connection using basic authentication, performing a query (for example, get node list, get virtual address list, or set pool min active members), and then closing the connection. If this is done frequently enough, an occasional authentication failure occurs.
Impact:
This intermittent authentication failure results in users not being able to login.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.
620844-1 : DoS: tmm core after delete packet type from Device Sweep vector
Component: Advanced Firewall Manager
Symptoms:
During the config change of Sweep vector, when all tmm threads delete the rate tracker, a race condition might occur that could prevent the tracker from being deleted. As a result, some tmm threads might see the new instance, which causes the tmm thread to abort.
Conditions:
This potential race condition occurs after deleting a packet type from the Device Sweep vector.
Impact:
tmm thread might abort if a race condition occurs. Traffic disrupted while tmm restarts.
Workaround:
None.
620759-4 : Persist timeout value gets truncated when added to the branch parameter.
Component: Service Provider
Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.
Conditions:
If the persist timeout value is higher than 65535, the value gets truncated.
Impact:
An incorrect persist timeout takes effect for the call, rather than the value set in the configuration.
Workaround:
None.
620556-1 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
Component: Local Traffic Manager
Symptoms:
Fragmented packets may be transmitted to clone pool members of a virtual server that is also forwarding its traffic to another virtual server.
Conditions:
One virtual server should be configured to forward traffic to another one using an iRule, i.e.:
when CLIENT_ACCEPTED {
virtual another_virtual
}
This forwarding virtual should also have clone pool configured.
Impact:
Fragmented packets are transmitted to pool members, which affects performance and may trigger some intrusion detection systems.
620445-4 : New SIP::persist keyword to set the timeout without changing key
Component: Service Provider
Symptoms:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout> disables bidirectional persistence.
Conditions:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout>.
Impact:
Disables bidirectional persistence. Persistence entry only records destination (not source) of the session.
Workaround:
None.
620311-1 : GUI Failover Unicast Address information incorrect
Component: TMOS
Symptoms:
In the GUI, the Failover Unicast Address information for the peer device shows the Management IP of the local device, instead of the peer's Management address.
Conditions:
Failover Device group with failover unicast addresses configured with management addresses.
Impact:
The GUI displays an incorrect address. Management addresses incorrectly show the local management address in the following locations:
-- Device management :: Devices :: <peer device>
-- Device Connectivity: Failover Unicast Configuration
Workaround:
None.
620053-1 : Gratuitous ARPs may be transmitted by active unit going offline
Component: Local Traffic Manager
Symptoms:
When cluster's active goes offline, the non-primary blades may send gratuitous ARPs.
Conditions:
Cluster's active goes offline.
Impact:
Potential impact to traffic if the gratuitous ARPs from the blade that goes offline are received before those from the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.
Workaround:
Fail over the cluster before forcing it offline, or configure MAC masquerading.
619706-1 : tmsh appears to allow password change for internal lcd admin user
Component: TMOS
Symptoms:
The 'tmsh modify auth password' command appears to allow the password to be changed for the f5hubblelcdadmin user.
Conditions:
Using the 'modify auth password' command under tmsh, and manually specifying the 'f5hubblelcdadmin' user (which does not appear among the list of available users, such as via tab-completion).
Impact:
This operation appears to succeed, but has no actual effect on BIG-IP operations.
This is an internal user account which provides the context for communication with the lcd front panel display on newer BIG-IP appliances. Changing the stored password for this user account does not affect these operations.
619667-1 : Allow Local DNS Servers is not honored on Mac OS X
Solution Article: K34751151
Component: Access Policy Manager
Symptoms:
In some split tunnel cases, local DNS resolution on the client does not work.
This is 'emulated' full tunnel mode, i.e., split tunnel with an IPv4 LAN address space of 0.0.0.0/0.0.0.0 and local subnet access not allowed.
Conditions:
Allow Local DNS Servers is configured on Mac OS X.
Split tunnel is configured with an IPv4 LAN address space of 0.0.0.0/0.0.0.0.
Local subnet access is disabled.
The system has only one physical adapter (Ethernet or Wi-Fi) available for networking.
Impact:
DNS resolution fails for some split tunnel deployment cases.
Workaround:
Specify "*" in DNS included address space to forward all DNS traffic over the tunnel.
619419 : Workaround for Software Installation Failures in TMUI★
Component: TMOS
Symptoms:
A software installation fails for one of several reasons (unsupported software versions, lack of disk space, etc). This failure leaves the software volume in a state where future installations cannot be completed.
Conditions:
Software installation fails.
Impact:
You cannot install software on the failed volume. You will see "Previous installation not complete" message if you attempt to install software on this failed volume.
Workaround:
1. Installation fails.
2. Navigate to System >> Disk Management. Click on HD1 (for example)
3. Under Contained Software Volumes, you can see the reason for failure on the failed volume.
4. Select the failed volume and click Delete. Confirm you want to delete the failed volume.
5. Once the volume is deleted successfully, return to System >> Software Management : Image List
6. Select a valid image and click the Install button.
7. Under Volume Set Name enter a valid name and click the Install button.
619397 : LCD shows error screen on boot or after license expires
Solution Article: K04055706
Component: Device Management
Symptoms:
The LCD on BIG-IP iSeries appliances may display an error screen.
Conditions:
This occurs if the appliance has just finished booting, or if the license has just expired.
Impact:
This may cause an unexpected error and subsequent navigation back to the LCD splash page.
Workaround:
Wait one minute and try to navigate the LCD screens again. If the system has already been licensed and is in the 'Active' state, subsequent attempts should work.
619099 : 'General Database Error' while changing the Admin UI authentication type
Component: Access Policy Manager
Symptoms:
Changing the Authentication Type from Local to another BIG-IP-supported authentication type fails.
Conditions:
-- User Directory is Remote - APM Based.
-- Authentication Type is RADIUS, AD, LDAP or TACACS+.
-- All needed information about the AAA Server is specified.
Impact:
GUI error: 'General Database Error'.
Workaround:
None.
618982-1 : IPsec behavior on a chassis when secondary blades are switched on and off
Component: TMOS
Symptoms:
After a cmp_state change (secondary blade restart), some flows will fail.
Conditions:
Adding or removing blades causes DAG flow redistribution, which redistributes IKE/IPsec SAs and IPsec data flows among the existing blades. This interrupts some flows and causes the IPsec peer to disconnect.
Impact:
Some users may lose their connections and have difficulty restoring them.
Workaround:
None.
618889-1 : Clicking the policies list tab does not refresh the policies list on click.
Component: TMOS
Symptoms:
Clicking the policies list tab does not refresh the policies list on click.
Conditions:
This occurs on the policy list page.
Impact:
If the policy list changed, the updates will not be displayed.
Workaround:
Refresh the browser or click the menu Local Traffic > Policy List in order to refresh the page.
618884-1 : Behavior when using VLAN-Group and STP
Component: Local Traffic Manager
Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.
Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.
Note: This issue is limited to software-switched platforms.
Impact:
May not see ICMP response traffic.
Workaround:
None.
618693-3 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
Component: Application Security Manager
Symptoms:
When generating a web scraping attack of the session opening anomaly type, there is an attack start/end event shown in /var/log/asm and in the GUI under Security :: Event Logs : Application : Web Scraping Statistics. The event has a "source ip" field which should include the route domain. In the case of "session opening anomaly" the route domain is always zero (for example: 127.0.0.1%0), even when a non-zero route domain is configured.
Conditions:
Route domain is configured and a web scraping attack event triggers.
Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.
Workaround:
None. This is a cosmetic error. The system uses the correct route domain.
618637-1 : Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error
Component: Access Policy Manager
Symptoms:
Sometimes f5fpc cannot establish a Network Access connection. After a successfully established Network Access connection, subsequent login retries fail with a 'Session timed out' error.
Conditions:
This intermittent issue might occur after there has been a successfully established Network Access connection, and a user retries to login once or multiple times.
Impact:
Network Access cannot be established and 'Session timed out' error is presented to the user.
Workaround:
1) Find all processes matching the patterns f5std and svpn, and kill them manually.
2) Restart host OS.
618463-2 : Artificially low route MTU can cause SIGSEGV core from monitor traffic
Component: Local Traffic Manager
Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low route mtu, tmm can crash repeatedly.
Conditions:
A monitor instance targets an address reachable via a route with an artificially low route MTU (see Symptoms above).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure the correct MTU.
618319-5 : HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked
Solution Article: K58255321
Component: TMOS
Symptoms:
All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.
Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).
If this port is blocked, the devices cannot exchange failover status information.
Impact:
When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and the devices become active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.
Workaround:
Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port.
Normally this is done with 'allow-service { default }' if the 'default' service list is unmodified, or with an explicit entry such as 'allow-service { udp:1026 }'.
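A configuration check for this condition, added here as an example that is not part of the release note or of F5's tooling: it parses 'tmsh list net self' output (a constructed sample below) and reports any failover unicast address whose self-IP does not allow the network-failover UDP port. The unicast address list is constructed input, and the check assumes the built-in 'default' service list still contains port 1026.

```python
import re

# Constructed sample of 'tmsh list net self' output; not captured from a real system.
SAMPLE_NET_SELF = """\
net self /Common/ha-self {
    address 10.0.0.1/24
    allow-service {
        udp:1026
    }
    traffic-group /Common/traffic-group-local-only
    vlan /Common/ha
}
net self /Common/ext-self {
    address 10.1.10.245/24
    allow-service none
    traffic-group /Common/traffic-group-local-only
    vlan /Common/external
}
net self /Common/int-self {
    address 10.1.20.245/24
    allow-service {
        default
    }
    traffic-group /Common/traffic-group-local-only
    vlan /Common/internal
}
"""

# Constructed: the failover unicast addresses this device is configured with.
# On a real system these come from the device's failover unicast configuration.
SAMPLE_FAILOVER_UNICAST = ["10.0.0.1", "10.1.10.245", "10.1.20.245"]

FAILOVER_PORT = 1026  # default network-failover UDP port named in the release note

STANZA_RE = re.compile(r"net self \S+ \{(.*?)\n\}", re.S)
ADDRESS_RE = re.compile(r"^\s*address (\S+)", re.M)
ALLOW_RE = re.compile(r"^\s*allow-service\s+(?:\{(.*?)\}|(\S+))", re.M | re.S)


def parse_net_self(text):
    """Map each self-IP address to the set of allow-service tokens tmsh lists for it.

    A self-IP with no allow-service line is treated as 'none' (tmsh omits
    settings still at their default, and 'none' is the default).
    """
    selfs = {}
    for body in STANZA_RE.findall(text):
        address = ADDRESS_RE.search(body).group(1).split("/")[0]
        match = ALLOW_RE.search(body)
        if match is None:
            services = {"none"}
        elif match.group(1) is not None:   # brace list: { default } / { udp:1026 ... }
            services = set(match.group(1).split())
        else:                              # bare keyword: all / none
            services = {match.group(2)}
        selfs[address] = services
    return selfs


def failover_port_allowed(services, port=FAILOVER_PORT):
    """True if this allow-service set lets the network-failover UDP port through."""
    if "none" in services:
        return False
    # Assumption: the built-in 'default' list has not been edited and still
    # contains the failover port, as the release note says it normally does.
    if "all" in services or "default" in services:
        return True
    return f"udp:{port}" in services


def check_failover_self_ips(net_self_text, unicast_addrs, port=FAILOVER_PORT):
    """Return (address, reason) for each failover unicast address whose self-IP blocks the port."""
    selfs = parse_net_self(net_self_text)
    blocked = []
    for addr in unicast_addrs:
        services = selfs.get(addr)
        if services is None:
            blocked.append((addr, "no self-IP with this address"))
        elif not failover_port_allowed(services, port):
            blocked.append((addr, "allow-service " + " ".join(sorted(services))))
    return blocked


if __name__ == "__main__":
    for addr, reason in check_failover_self_ips(SAMPLE_NET_SELF, SAMPLE_FAILOVER_UNICAST):
        print(f"failover port {FAILOVER_PORT} blocked on {addr}: {reason}")
```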
618131-1 : Latency for Thales key population to the secondary slot after reboot
Component: Local Traffic Manager
Symptoms:
It may take a significant amount of time for the Thales key to populate from the primary slot to the secondary slot after a reboot. The latency can be a few minutes.
Conditions:
This occurs for Thales netHSM installed on Chassis.
Impact:
The key cannot be found on the secondary slot, and SSL traffic may fail.
Workaround:
If SSL handshakes fail on secondary blades for newly created Thales keys, you can check the secondary blades with
nfkminfo -l
to see if the file is there. If not, the file can be synchronized with 'rfs-sync --U'.
618106-1 : bigd core due to memory leak, especially with FQDN nodes
Solution Article: K74714343
Component: Local Traffic Manager
Symptoms:
The bigd daemon may core due to excessive memory consumption caused by a slow memory leak that occurs when creating or updating an LTM node or pool member.
This memory leak occurs much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.
Conditions:
The bigd memory leak occurs slowly with non-FQDN nodes/pool members, but much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.
On BIG-IP v12.1.3.2 and earlier, an additional leak occurs each time an FQDN name is resolved for an FQDN node or pool member. The rate of the leak in this case is determined by the number of FQDN nodes/pool members configured with the 'autopopulate' feature enabled, and the FQDN name resolution interval (determined by the 'interval' setting of the 'fqdn' configuration for the FQDN node).
Impact:
The bigd daemon may core due to excessive memory consumption.
Workaround:
It is possible to work around this issue by one of the following methods:
1. Restart the bigd daemon before memory consumption becomes excessive. (Note that this may interrupt traffic to configured pool members.)
On BIG-IP v12.1.3.2 and earlier:
2. Configure a longer 'interval' value in the 'fqdn' configuration for configured FQDN nodes.
3. Configure FQDN nodes/pool members without the 'autopopulate' setting enabled.
618104-1 : Connection Using TCP::collect iRule May Not Close
Component: Local Traffic Manager
Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.
Conditions:
A finite TCP::collect iRule is in progress.
This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.
Impact:
The connection does not close until the sweeper causes a RST.
Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.
618024-2 : software switched platforms accept traffic on lacp trunks even when the trunk is down
Component: Local Traffic Manager
Symptoms:
On software-switched platforms, tmm-owned LACP trunks still accept traffic even though the trunk is down from the control plane (LACP status down).
Conditions:
LACP trunk with status down
Impact:
VLAN failsafe timers are erroneously reset, so VLAN failsafe is broken.
Workaround:
No workaround.
617865-1 : Missing health monitor information for FQDN members
Component: TMOS
Symptoms:
Health monitor information and status are both missing for FQDN nodes and pool members.
Conditions:
FQDN nodes and pool members configured.
Impact:
GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members.
Workaround:
Check logs for this info.
617690-4 : enable SIP::respond iRule command to operate during MR_FAILED event
Component: Service Provider
Symptoms:
When a message fails to route, it is not possible to return an error status to the client.
Conditions:
When a message fails to route, the MR_FAILED event is raised for the message.
Impact:
Without this change, it is not possible for the script author to generate a response message to the client based on the routing failure.
Workaround:
NA
617643-1 : iControl.ForceSessions enabled results in GUI error on certain pages
Component: TMOS
Symptoms:
GUI pages display "An error has occurred while trying to process your request."
Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.
Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.
Workaround:
Use shell for related administrative tasks or if feature is not used, disable with the following command:
tmsh# modify sys db icontrol.forcesessions value disable
617629-1 : Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab
Component: Access Policy Manager
Symptoms:
If you click the "export csv" button and then switch to another report, the same CSV file is downloaded again when you click the tab of the other report.
Conditions:
Creating multiple reports in Access Report page and clicking on the "export csv" button in one report.
Impact:
Same file will be downloaded repeatedly.
Workaround:
Refresh the page before switching to another report.
617578-2 : Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware
Component: TMOS
Symptoms:
On a BIG-IP provisioned with LTM only, the RADIUS profile called radiusLB-subscriber-aware displays inconsistent information between tmsh and the configuration utility.
Conditions:
This occurs when looking at the radiusLB-subscriber-aware profile in both tmsh and the GUI.
Impact:
On a device that does not have PEM licensed:
root@(v12)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm profile radius radiusLB-subscriber-aware
ltm profile radius radiusLB-subscriber-aware {
app-service none
defaults-from radiusLB
}
However, viewing the profile in the configuration utility Local Traffic :: Profiles : Services : RADIUS : radiusLB-subscriber-aware
Settings field Custom checkbox
Persist Attribute disabled
Subscriber Discovery enabled
Client Spec disabled
Protocol Profile(_sys_radius_proto_imsi) enabled
On a device that does not have PEM licensed, the Protocol Profile should be set to None, but it shows as enabled.
617324-2 : Service health calculation creates unjustified CPU utilization
Component: Anomaly Detection Services
Symptoms:
When ASM is provisioned, service health is calculated and published to all virtual servers with a security profile, even if stress-based detection is not configured.
Conditions:
AFM provisioned and hundreds of virtual servers configured with a security profile.
Impact:
High CPU utilization
Workaround:
None.
617161-1 : Cosmetic: duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers.
Component: TMOS
Symptoms:
There is a cosmetic issue that results in duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers (in Local Traffic ›› Virtual Servers : Virtual Server List ›› Virtual_Server_name).
Conditions:
1) Go to Local Traffic :: Virtual Servers : Virtual Server List :: Virtual_Server_name :: Resources :: Manage iRules.
2) Move any 2 available iRules (created in Common partition) left to the "Enabled" column.
3) Select the bottom iRule from the "Enabled" column and click the "Up" button.
4) Add an additional iRule (created in Common partition) to the "Enabled" column.
Impact:
Instead of showing all iRules under one partition name (Common), the system is duplicating the partition name.
Workaround:
None. This is cosmetic.
616021-1 : Name Validation missing for some GTM objects
Solution Article: K93089152
Component: Performance
Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, the BIG-IP system fails to load GTM configurations where objects containing control characters are referenced by other objects.
The following GTM objects are susceptible to this control character issue:
gtm datacenter
gtm prober-pool
gtm device
gtm application
gtm region entry
gtm virtual server
gtm server
gtm link
gtm pool
Conditions:
-- A GTM object with a control character in the name.
-- That object is referenced by another object.
Note: This has been reproduced only with the ^M character within quotation marks, as shown in the following example:
create gtm datacenter "start^Mend"
create gtm server test datacenter "start^Mend" address add { 1.2.3.4 }
save sys config gtm-only
load sys config gtm-only
Impact:
Causes the config to fail to load.
Workaround:
Remove control characters prior to creating GTM objects.
615303-2 : bigd crash with Tcl monitors
Solution Article: K47381511
Component: Local Traffic Manager
Symptoms:
bigd crashes after logging an error similar to the following:
emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream
Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.
-- This issue might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.
-- May be particularly likely if the monitor is configured with an interval value of 1 second.
Note: Although less frequent, this issue might still occur with proper monitor configurations (timeout: 3*interval + 1).
Impact:
bigd crashes and error messages.
Possible interruption of monitoring status, pool members going down, interruption of traffic.
Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.
614493-1 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
Component: TMOS
Symptoms:
Reset sent by BIG-IP system on ePVA accelerated active flows might contain stale sequence number and ACK number, which might be out of the receiver's valid RST window.
Conditions:
For example, a server-side pool member down event causes the BIG-IP system to reset all client flows on that pool member. If these flows are actively offloaded in ePVA under heavy traffic when the pool member goes down and the reset is sent, the SEQ/ACK numbers known to the BIG-IP software might not be recent, so the RST is encoded with the most recent SEQ/ACK numbers the software is aware of.
Impact:
The receiver might ignore these RSTs if they fall outside its valid window, and must then rely on its TCP idle or keepalive timeout to clean up the connection. This is standard TCP stack behavior.
Workaround:
None.
614364-1 : Linux client NA components cannot be installed using either the sudo password or the root password
Component: Access Policy Manager
Symptoms:
Linux client Network Access components cannot be installed using either the sudo password or the root password in the Firefox browser. The issue occurs because the reported version is incorrect, and after installation the version on the machine still does not match the version reported by the server.
Conditions:
Firefox web browser, NPAPI plugins, Network Access on Linux distributions
Impact:
Installation and update of web browser plugin for network access fails
614072-1 : Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.
Component: Access Policy Manager
Symptoms:
All SWG sessions map to the SNAT pool IP address, and many requests get stuck.
Conditions:
An SWG virtual server with Source Address Translation set to a SNAT pool; create a session, then send traffic for the expired session.
Impact:
Requests get stuck in the ACCESS filter and the browser keeps looping.
Workaround:
Change source address translation to AUTOMAP instead of SNAT Pool.
613844 : iApp may fail to install if AFM is provisioned
Component: Advanced Firewall Manager
Symptoms:
When you try to deploy the f5.microsoft_sharepoint_2016.v1.0.0rc1 iApp from the GUI, the install may fail when AFM is provisioned. A similar error occurs when deploying f5.http iApp. The failure to deploy might not be related to a specific iApp.
Conditions:
-- AFM provisioned.
-- Using the GUI to deploy the iApp, f5.microsoft_sharepoint_2016.v1.0.0rc1, f5.http, and others.
Impact:
Deployment fails.
Workaround:
None.
613618-1 : The TMM crashes in the websso plugin.
Component: Local Traffic Manager
Symptoms:
The TMM core and plugins operate asynchronously. A connection may abort and the TMM may deallocate connection context before the plugin has finished processing asynchronous events. The TMM crashes when a plugin accesses deallocated connection context.
Conditions:
Events raised during normal use of the sessiondb store may be processed after the connection context has been deallocated.
Impact:
Traffic disrupted while tmm restarts.
613542-2 : tmm core while running the iRule STATS:: command
Solution Article: K81463390
Component: TMOS
Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.
Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED
613524-3 : TMM crash when calling HTTP::respond twice in LB_FAILED
Component: Local Traffic Manager
Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event
- The iRule script must use a "delay" (parked) statement together with two HTTP::respond statements.
Conditions:
- The LB_FAILED event must be triggered by a good IP address and a bad port so that the server-side connflow is established. You will not see this bug if no pool member is used or an invalid IP address is used.
- The iRule script must use a "delay" (parked) statement. The delay together with the HTTP response creates the right timing for the client-side connflow to go away while the proxy is pushing the Abort event down to both the client side and the server side.
Impact:
Traffic disrupted while tmm restarts.
613509-1 : 2000/4000 platforms reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Solution Article: K49101035
Component: TMOS
Symptoms:
The BIG-IP system attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
613483-2 : Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.
Solution Article: K18133264
Component: Local Traffic Manager
Symptoms:
For PKCS#1, the SHA-256 DigestInfo header should be:
30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
However, there is also this alternate header, which omits the NULL algorithm parameters (05 00):
30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20
Some implementations use the alternate form. According to PKCS#1, the first form is used when producing signatures, but both should be accepted when verifying signatures.
In BIG-IP, SSL uses the first header (30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20), whereas crypto uses the second header format for some certificate verification (30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20). This inconsistency causes signature verification to fail.
Conditions:
For some particular certificates, crypto uses alternative SHA prefix for verification.
Impact:
SSL handshake fails because of certificate verification failure.
Workaround:
None.
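As an added illustration of the header mismatch described above (example code written here, not F5's implementation), the following models only the EMSA-PKCS1-v1_5 encoding layer: a strict verifier that accepts just the DigestInfo prefix with explicit NULL parameters beside a lenient one that accepts both forms, as PKCS#1 requires of verifiers. The RSA operation and certificate parsing are omitted, and the message is a constructed sample.

```python
import hashlib
import hmac
from typing import Optional

# The two SHA-256 DigestInfo prefixes quoted in the issue text: the first carries the
# explicit NULL AlgorithmIdentifier parameters (05 00), the second omits them.
SHA256_PREFIX_WITH_NULL = bytes.fromhex("3031300d060960864801650304020105000420")
SHA256_PREFIX_NO_NULL = bytes.fromhex("302f300b06096086480165030402010420")


def digest_info(message: bytes, explicit_null: bool = True) -> bytes:
    """Return the DER DigestInfo T = prefix || SHA-256(message)."""
    prefix = SHA256_PREFIX_WITH_NULL if explicit_null else SHA256_PREFIX_NO_NULL
    return prefix + hashlib.sha256(message).digest()


def digest_info_form(t: bytes) -> Optional[str]:
    """Classify a DigestInfo blob by the prefix it carries, or None if it matches neither."""
    if t.startswith(SHA256_PREFIX_WITH_NULL):
        return "with-null"
    if t.startswith(SHA256_PREFIX_NO_NULL):
        return "no-null"
    return None


def emsa_pkcs1_v15_encode(message: bytes, em_len: int, explicit_null: bool = True) -> bytes:
    """EMSA-PKCS1-v1_5: EM = 0x00 || 0x01 || PS || 0x00 || T, with PS at least 8 bytes of 0xff.

    EM is what the RSA signing primitive would operate on; RSA itself is not modelled here.
    """
    t = digest_info(message, explicit_null)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def _strip_padding(em: bytes) -> bytes:
    """Return T from EM after checking the type-1 padding frame; raise on any deviation."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        raise ValueError("bad padding header")
    sep = em.find(b"\x00", 2)  # PS contains no zero bytes, so the first 0x00 is the separator
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad padding string")
    return em[sep + 1:]


def verify_strict(em: bytes, message: bytes) -> bool:
    """Accept only the DigestInfo form with explicit NULL parameters.

    A signature produced with the alternate form fails here, which is the reported symptom.
    """
    try:
        t = _strip_padding(em)
    except ValueError:
        return False
    return hmac.compare_digest(t, digest_info(message, explicit_null=True))


def verify_lenient(em: bytes, message: bytes) -> bool:
    """Accept either DigestInfo form, as PKCS#1 directs for verifiers."""
    try:
        t = _strip_padding(em)
    except ValueError:
        return False
    candidates = (digest_info(message, True), digest_info(message, False))
    return any(hmac.compare_digest(t, c) for c in candidates)


if __name__ == "__main__":
    # Constructed sample: the same message encoded by a signer using each prefix form.
    msg = b"constructed sample tbs-certificate bytes"
    em_standard = emsa_pkcs1_v15_encode(msg, 128, explicit_null=True)
    em_alternate = emsa_pkcs1_v15_encode(msg, 128, explicit_null=False)
    print("strict : standard", verify_strict(em_standard, msg),
          "alternate", verify_strict(em_alternate, msg))
    print("lenient: standard", verify_lenient(em_standard, msg),
          "alternate", verify_lenient(em_alternate, msg))
```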
613023-4 : Update SIP::Persist to support resetting timeout value.
Component: Service Provider
Symptoms:
SIP::persist needs an improvement to support long-lived SIP sessions. Having a long timeout for persistence entries globally is not an efficient use of resources.
Conditions:
Efficiently using long-lived SIP sessions.
Impact:
Smaller persist timeouts will result in messages being delivered to the wrong entity in the case of supporting long lived SIP sessions.
Workaround:
Set a higher persist timeout value globally.
Note: This workaround might result in memory issues, depending on the BIG-IP system setup and traffic.
612584-1 : Server side blocking/asm cookie setting may not work under some circumstances
Solution Article: K34500121
Component: Application Security Manager
Symptoms:
ASM Cookies are not set, blocking doesn't happen due to server side violation (such as HTTP status or attack signature in response), or data guard masking/blocking doesn't happen.
Conditions:
CSRF or web scraping is configured.
Impact:
False negative - missing blocking.
False positives due to possible missing cookies.
Workaround:
Add the following iRule to the web server:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "TSbd" } {
        HTTP::header remove "Connection"
        HTTP::header insert "connection" "close"
    }
}
612143-2 : Potential tmm core when two connections add the same persistence record simultaneously.
Component: Service Provider
Symptoms:
If two messages processed on different connections with the same persistence key add a persistence record at the same time, one add operation returns a non-fatal error stating the 'a' record exists. The error might cause the message to be sent to both the destination and the originator, which fails.
Conditions:
Two messages processed on different connections with the same persistence key add a persistence record at the same time.
Impact:
A potential core occurs. The error might cause the message to be sent to both the destination and the originator, which fails. Traffic disrupted while tmm restarts.
Workaround:
None.
612086-3 : Virtual server CPU stats can be above 100%
Solution Article: K32857340
Component: Advanced Firewall Manager
Symptoms:
The CPU usage is reported as above 100%.
Conditions:
It is not known exactly what triggers this.
Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.
Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.
612083 : Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.
Component: TMOS
Symptoms:
One or more of the following messages appear in the system event log:
CPU0 HW Correctable Error
CPU 0 Corrected Error: Port 1a PCIe* logical port has detected an error.
CPU 0 PCI/DMI Error B:D:F 0x8: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x8: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: multiple_correctable_error_received
CPU 0 Corrected Error: DMI Error Status
CPU 0 PCI/DMI Error B:D:F 0x0: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x0: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: multiple_correctable_error_received
Conditions:
The error messages may appear following an AC power cycle of the BIG-IP i-Series platforms: i2000, i2800 and i4000.
Impact:
The system detected an error on an internal bus and was able to correct it. There is no data loss or functional impact.
Workaround:
There is no mitigation or workaround for this.
611652-3 : iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.
Component: Local Traffic Manager
Symptoms:
While saving an iRule containing HTTP::cookie without the value parameter, you get a validation warning: 'warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. 'unexpected end of arguments;expected argument spec:COOKIE_NAME"160 25][HTTP::cookie $cookie_name]'.
The offending iRule command looks similar to this:
[HTTP::cookie $cookie_name]
Conditions:
iRules containing HTTP::cookie, but missing the optional value parameter, e.g. [HTTP::cookie $cookie_name].
Impact:
Validation warning incorrectly occurs if the optional 'value' parameter is left off. Note that the iRule is still loaded into the configuration.
Workaround:
Use the 'value' parameter in the HTTP::cookie command:
[HTTP::cookie value $cookie_name].
611485-1 : APM AAA RADIUS server address cannot be a multicast IPv6 address.★
Component: Access Policy Manager
Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation prevents using a multicast address for the AAA RADIUS IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.
Conditions:
The validation error occurs if APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and beyond.
Impact:
Support for AAA RADIUS direct IPv6 is added in BIG-IP version 13.0.0. The new validation affects only IPv6 multicast addresses, so any working IPv4 configuration is not affected by this validation.
Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS; ensure you are using unicast addresses.
611482-4 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
Component: Local Traffic Manager
Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
Conditions:
Universal persistence is configured. A loop of HTTP requests is sent to a tmm that does not own the record. A persistence lookup is performed, but the pool command is ultimately used for the load-balancing pick.
Impact:
Discrepancy between persistence records.
Workaround:
Use persist, not pool command, to bind persistence record to a flow.
611327-1 : Using an established app tunnel may display a Java exception error message.
Solution Article: K35559723
Component: Access Policy Manager
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
When users attempt to use the established access session app tunnel, their Mac OS X device displays a Java exception error message similar to the following example:
An uncaught exception was raised. Choose "Continue" to continue running in an inconsistent state. Choose "Crash" to halt the application and file a bug with Crash Reporter. Choosing "Crash" will result in the loss of all unsaved data.
When the user selects Continue, the exception error message is immediately displayed again (loop).
When the user selects Crash, the established app tunnel is terminated.
Though the Java exception error message is displayed, the app tunnel functions as expected.
Conditions:
This issue occurs when all of the following conditions are met:
-- The local user device is running Mac OS X 10.12 (Sierra).
-- The BIG-IP APM system is configured with an app tunnel that is Java Tunnel-enabled.
-- The user established an access session using the Safari 10 web browser.
-- The user launches an app tunnel session.
-- The user attempts to use the established app tunnel.
Impact:
Cannot use Safari 10 web browser for an app tunnel that is Java Tunnel-enabled.
Workaround:
To work around this issue, you can use an alternate browser, or Apple Safari browser, or ignore the system generated error message while using the app tunnel.
611054-1 : Network failover "enable" setting is sometimes ignored on chassis systems
Component: TMOS
Symptoms:
The failover device group network-failover attribute has an effect on chassis systems. The high availability subsystem will continue to send network failover packets, and continue to operate normally, even if this is set to "disable".
Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.
Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.
Workaround:
Enable network-failover in the sync-failover device-group.
610682-2 : LTM Policy action to reset connection only works for requests
Component: Local Traffic Manager
Symptoms:
The LTM Policy forwarding action 'reset', which forcibly terminates the client connection, works for requests, but gives an error when used with a response event.
Conditions:
Issue occurs in an LTM Policy rule where one or more of the conditions is associated with HTTP response. For example, checking the HTTP status code in the response from a backend server.
Impact:
System posts an error message similar to the following: "transaction failed:010716e2:3: Policy '/Common/Drafts/mypolicy', rule 'rule-1'; an action precedes its conditions."
Workaround:
None.
610449-2 : restarting mcpd on guest makes block-device-images disappear
Component: TMOS
Symptoms:
tmsh list sys software block-device-images typically shows available BIG-IP images saved on the platform which are available for install via tmsh install sys software ...
When running BIG-IP on a vcmp guest, GuestAgentDaemon is responsible for fetching from the host these available images and displaying them to the user.
When mcpd goes down, GuestAgentDaemon loses the connection required to fetch and display this information.
If mcpd has gone down since GuestAgentDaemon came up, running "(tmos)# show sys software block-device-image" a second time will no longer display the BIG-IP images available for install.
Restarting GuestAgentDaemon when mcpd restart ensures that GuestAgentDaemon will reestablish the required connection. With this fix, GuestAgentDaemon will restart only in response to mcpd going down and subsequently coming back up. Once both daemons are up and running again, the command '(tmos)# list sys software block-device-image' will again function as designed.
Conditions:
vCMP is provisioned to level dedicated.
One or more guests is provisioned and deployed.
The user is operating inside a deployed guest.
The user attempts to use a block-device-image, but mcpd has restarted since GuestAgentDaemon began execution.
No block-device-images are shown by GuestAgentDaemon.
Impact:
tmsh list sys software block-device-images returns nothing from inside the guest.
Workaround:
Restart GuestAgentDaemon in response to mcpd successfully restarting.
610436-3 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.
Solution Article: K13222132
Component: Access Policy Manager
Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service, when two adapters have the same DNS Server address on Microsoft Windows version 10.
Conditions:
* Windows 10.
* Client system is connected to two networks.
* Both networks have the same DNS server address.
* Before the VPN is established, the interface with the lower index is disconnected.
* After the VPN is established, the interface with the lower index is reconnected.
Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.
Workaround:
To work around this issue, add the following registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient
with DWORD EnableMultiHomedRouteConflicts set to 0. This reverts the Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy creates listeners on loopback for incoming requests, and the driver redirects DNS requests to the listener on the loopback.
Important: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.
609793-1 : HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.
Component: Access Policy Manager
Symptoms:
The HTTP Header Modify agent skips execution if it believes it is in the server-side chain. That check is based on receipt of HUDEVT_REQ_DONE, which can also be true on the client-side chain, so HTTP Header Modify agent operations are skipped and an error message is logged.
Conditions:
Receipt of HUDEVT_REQ_DONE before execution of HTTP Header Modify agent.
Impact:
HTTP header modify agent cannot perform modification of headers/cookies.
Workaround:
None.
609527-2 : DNS cache local zone not properly copying recursion desired (RD) flag in response
Component: Global Traffic Manager (DNS)
Symptoms:
When a DNS query sets the RD flag, that setting is supposed to be copied to the response. When a DNS query is handled by a cache local zone, the RD flag is not set properly.
Conditions:
A DNS cache local zone must be configured and a DNS query with the RD flag set must be handled by this local zone.
Impact:
The flag is not set properly in the DNS response. This most likely will only be noticed by protocol validation tools as standard DNS clients generally do not check this bit.
Workaround:
Use an equivalent DNS Express configuration instead of the local zone.
609200-2 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★
Component: TMOS
Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.
Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt to install a hotfix to the installation target.
Impact:
Cannot install hotfix.
Workaround:
Delete the target location, and perform the hotfix installation again.
Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.
609186-5 : TMM or MCP might core while getting connections via iControl.
Component: TMOS
Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.
Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.
Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.
Workaround:
None.
608453-1 : Shrink/Expand images of Webtop Section are customizable
Component: Access Policy Manager
Symptoms:
Changing the Shrink/Expand images of the Webtop Section in Webtop Customization does not actually change the images on the client; users see the default images instead.
Conditions:
This is encountered when using Webtop Customization.
Impact:
The default image is displayed instead of the customized image.
Workaround:
None.
608348-4 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system
Component: TMOS
Symptoms:
After deleting an iApp build from the f5.citrix_vdi.v2.3.0 template then running a config sync, the system that received the sync could have a tunnel object left over which should have been deleted.
Running 'tmsh load sys config verify' after this sync gives the following error:
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.
Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.
Impact:
Config validation fails, and you must delete the tunnel manually.
Workaround:
On the system that received the sync, edit /config/BIG-IP_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
607684 : tmsh provides option to delete all URLs from a custom category, which is not possible
Component: Access Policy Manager
Symptoms:
tmsh provides a command option for admin to delete all URLs from a custom category. However, this is not a valid option, and an error will be displayed. The system presents the following error:
Configuration error: Cannot delete url (http://www.example.com*). This occurs because url-category (/Common/ex) is a custom category. A custom category must have at least one URL.
Conditions:
Running the following command:
tmsh modify sys url-db url-category pattern urls delete { all }
Impact:
No URLs are deleted. Each URL must be deleted individually.
Workaround:
Delete URLs individually.
607410-1 : In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible
Solution Article: K81239824
Component: Local Traffic Manager
Symptoms:
When using an iRule to output X509 Certificate's subject and issuer, the display is not OpenSSL compatible.
Conditions:
Using iRule command 'X509::subject' and 'X509::issuer' to get the Cert's subject and issuer, and then using log to display them.
Impact:
The iRule output of X509 Certificate's subject and issuer is not OpenSSL compatible which might cause confusion.
Workaround:
None.
607166-1 : Hidden directories and files are not synchronized to secondary blades
Component: Local Traffic Manager
Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.
Existing hidden files that are edited on the primary blade are not synced to secondaries.
Conditions:
Multi-bladed system.
Impact:
The most common uses of hidden files are per-user shell configuration and history.
Workaround:
Manually copy configuration files onto other blades.
606799-1 : GUI total number of records not correctly initialized with search string on several pages.
Solution Article: K16703796
Component: TMOS
Symptoms:
GUI total number of records not correctly initialized with search string on several pages.
Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.
Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.
Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.
606330-4 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
Component: TMOS
Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.
Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.
Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.
Workaround:
Clear the BGP neighbor after changing the configuration.
606035-1 : csyncd crash
Component: Local Traffic Manager
Symptoms:
csyncd crashes and dumps core under certain conditions. You might see messages such as the following: emerg logger: Re-starting csyncd.
Conditions:
csyncd handles filenames that contain certain exotic characters or symbols, or files with very long filenames.
Impact:
csyncd crashes and dumps core, then restarts continuously.
Workaround:
None.
605891-3 : Enable ASM option disappears from L7 policy actions
Component: TMOS
Symptoms:
ASM cannot be enabled if 'Application Security Manager' is used in the license string instead of 'ASM'.
Conditions:
'Application Security Manager' is used in the license string instead of 'ASM'.
Impact:
The ASM module cannot be enabled using the GUI under certain licenses where ASM is licensed.
Workaround:
Enable ASM using tmsh instead of the GUI.
605840-5 : HSB receive failure lockup due to unreceived loopback packets
Component: TMOS
Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***
Conditions:
Unknown.
Impact:
The unit is rebooted.
Workaround:
None.
605800-3 : Web GUI submits changes to multiple pool members as separate transactions
Component: TMOS
Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.
Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.
Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.
Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.
605649-3 : The cbrd daemon runs at 100% CPU utilization
Solution Article: K28782793
Component: Application Security Manager
Symptoms:
The cbrd daemon runs at 100% CPU utilization.
You may notice this issue while inspecting:
- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.
Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.
Conditions:
This is a rarely occurring event whose cause is not known.
Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).
Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd
As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.
605537-5 : Error when resetting statistics on GSLB Pool Members
Solution Article: K03997964
Component: Global Traffic Manager (DNS)
Symptoms:
GUI error: "An error has occurred while trying to process your request." when attempting to reset the GSLB stats for DNS Pool Members.
Conditions:
-- In the GUI on the Statistics :: Module Statistics : DNS : GSLB :: Pool Members page.
-- Attempting to reset statistics.
Note: This occurs only on Pool Members Statistics. Other Types are unaffected.
Impact:
Inability to reset statistics for BIG-IP DNS Pool Members from the GUI.
Workaround:
You can attempt to reset using a command line command similar to the following:
$ tmsh reset-stats gtm pool <record> <pool> members { <server_obj>:<member> }
For example:
$ tmsh reset-stats gtm pool a myPool1 members { LTM107:/Common/myFastL4VS }
605270-5 : On some platforms the SYN-Cookie status report is not accurate
Component: TMOS
Symptoms:
On a vCMP guest, after an ePVA-enabled virtual server enters SYN Cookie mode, the FPGA never leaves SYN Cookie mode even though the BIG-IP system has returned to normal mode.
Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.
Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.
Workaround:
Upgrade to a release that contains the fix for this issue.
605175-1 : Backslashes in monitor send and receive strings
Component: Local Traffic Manager
Symptoms:
After creating a monitor using the GUI containing a recv parameter with a backslash such as '\* OK', loading the configuration generates a validation error:
01070753:3: Monitor /Common/test recv parameter contains an invalid regular expression (Invalid preceding regular expression).
Unexpected Error: Loading configuration process failed.
Attempting to configure the same monitor via tmsh throws the validation error before creating the monitor, but the GUI allows the single backslash. Two backslashes are required in this case.
Conditions:
Using the GUI to configure a monitor whose receive string must match a literal backslash, and entering only a single backslash in the GUI.
Impact:
Configuration fails to load after it is successfully created via the GUI. The GUI accepts this when it should throw a validation error: two backslashes are required.
Workaround:
When configuring the monitor via the GUI, use two backslashes instead of one.
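The issue above is a classic double-escaping problem: the string that reaches the regular expression engine is not the string typed into the GUI. The following is an added example, not BIG-IP code. It models, as a stated assumption, a configuration loader that consumes one level of backslash escaping before handing the recv string to a regex engine (which is what the two-backslash requirement implies), and shows why '\* OK' fails validation while '\\* OK' matches a response beginning with a literal asterisk. The function names and the sample response are constructed for the example.

```python
"""Model of the backslash-escaping problem in monitor recv strings.

Added example, not BIG-IP code. It assumes (hypothetically) that the
configuration loader consumes one level of backslash escaping before the
recv string reaches a POSIX-style regular expression engine.
"""
import re
from typing import Optional, Tuple


def unescape_once(s: str) -> str:
    """Consume one level of backslash escaping: a backslash followed by any
    character yields that character. Hypothetical stand-in for the config parser."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def check_recv_string(recv: str) -> Tuple[bool, str]:
    """Return (is_valid, effective_regex) for a recv string as typed into the GUI.

    is_valid is False when the regex the engine would actually see fails to
    compile; that is the validation error that should fire at creation time
    rather than at the next configuration load.
    """
    effective = unescape_once(recv)
    try:
        re.compile(effective)
    except re.error:
        return False, effective
    return True, effective


def recv_matches(recv: str, response: str) -> Optional[bool]:
    """Apply a recv string to a monitor response.

    Returns None when the recv string is invalid, otherwise whether it matched.
    """
    valid, effective = check_recv_string(recv)
    if not valid:
        return None
    return re.search(effective, response) is not None


# Constructed sample: an IMAP-style greeting whose first character is a literal '*'.
SAMPLE_RESPONSE = "* OK server ready"

if __name__ == "__main__":
    # Single backslash as typed in the GUI becomes '* OK', an invalid regex;
    # two backslashes become '\* OK', which matches the literal asterisk.
    for recv in ("\\* OK", "\\\\* OK"):
        print(repr(recv), "->", check_recv_string(recv), recv_matches(recv, SAMPLE_RESPONSE))
```

The useful check for an operator is the second return value of check_recv_string: if the effective regex differs from what was intended, the monitor was saved with the wrong escaping and will fail the next time the configuration loads.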
605018-2 : Citrix StoreFront integration mode with pass through authentication fails for browser access
Solution Article: K47516511
Component: Access Policy Manager
Symptoms:
Citrix StoreFront integration mode with pass-through authentication fails for browser access. After the credentials are provided, the browser repeatedly displays 'Can not complete the request' and prompts you to press 'OK'.
Conditions:
This occurs when the following conditions are met:
- APM is configured in integration mode with StoreFront.
- External access virtual server IP is used in Citrix gateway configuration 'Subnet IP address' column.
- Request Header Insert is configured on the HTTP profile of the same virtual server as [X-Citrix-Via-Vip:10.10.10.10], where 10.10.10.10 is the virtual server IP address.
Impact:
No browser access to StoreFront.
Workaround:
StoreFront combines multiple headers of the same name and cannot use the resulting value. You can work around this issue by collapsing multiple X-Citrix-Via-Vip headers into a single header with an iRule such as the following, replacing 10.10.10.10 with the corresponding External access virtual IP address:
when HTTP_REQUEST {
    # StoreFront cannot use a combined header value, so keep exactly one copy.
    if { [HTTP::header count "X-Citrix-Via-Vip"] >= 2 } {
        HTTP::header remove "X-Citrix-Via-Vip"
        HTTP::header insert "X-Citrix-Via-Vip" "10.10.10.10"
    }
}
604838-1 : TCP Analytics reports incorrectly reports entities as "Aggregated"
Component: Local Traffic Manager
Symptoms:
Although the user has configured TCP Analytics to store statistics for a certain entity, it reports data for that entity in a single "Aggregated" row.
Conditions:
ALL of these conditions must be true:
The TCP Analytics profile is attached to a virtual with both clientside or serverside collection turned off in the profile.
TCP profile has mptcp, rate-pace, tail-loss-probe, fast-open, AND enhanced-loss-recovery all disabled. Also, Nagle, send-buffer, receive-window, proxy-buffer are not in AUTO mode. Finally, rexmt-thresh is 3 and the congestion control algorithm is not delay-based (NewReno, HighSpeed, Cubic). Regrettably, this matches the default TCP profile.
An iRule enables TCP-Analytics when disabled by default in the tcp-analytics profile.
Impact:
Defect eliminates nearly all data granularity for TCP Analytics.
Workaround:
Change the TCP profile on the virtual to violate any of the conditions listed above. The easiest is probably to enable rate pace or mptcp. For all affected versions, this will result in a noticeable CPU performance penalty.
604272-1 : SMTPS profile connections_current stat does not reflect actual connection count.
Component: Local Traffic Manager
Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.
Conditions:
This occurs if you have an SMTPS virtual server configured.
Impact:
profile_smtps_stat.connections_current rises over time and doesn't reflect actual number of SMTPS connections active.
604050 : Failed to get master key (ERR_NOT_FOUND) in apm log on first boot
Component: Access Policy Manager
Symptoms:
After booting a new platform for the first time, you may see the following log entry in /var/log/apm:
err tmm1[17340]: 01490563:3: (null):Common:00000000: Access stats encountered error: Failed to get master key (ERR_NOT_FOUND)
Conditions:
Viewing /var/log/ltm after first boot
Impact:
This is a residual, benign log entry and can be safely ignored.
603772-1 : Floating tunnels with names more than 15 characters may cause issues during config-sync.
Component: TMOS
Symptoms:
Floating tunnels with names more than 15 characters may cause issues in config-sync, because such a long name is truncated when creating a corresponding Linux tunnel interface.
Conditions:
The BIG-IP system consists of both floating and non-floating tunnels and their names are longer than 15 characters.
Impact:
When the config-sync happens, the following error may occur:
Caught configuration exception (0), Cannot create tunnel 'g123456789abc~1' in rd0 - ioctl failed: File exists.
Workaround:
Some workarounds are available:
- Make sure that tunnel names are less than 16 characters; or
- Make sure that the names of floating and non-floating tunnels do not share a common prefix in the first 15 characters; or
- Make sure that the BIG-IP system does not have a mixture of floating and non-floating tunnels.
603690-2 : CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.
Solution Article: K82210057
Component: Local Traffic Manager
Symptoms:
CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.
Conditions:
APM Edge Client over VPN tunnel. The issue tends to occur when CPU Saver is configured on the Edge Client on devices where hardware compression cannot perform the specific type of compression/decompression being requested.
Impact:
Edge Client shows the VPN tunnel as 'Connected' but no traffic flow. This is an intermittent issue.
Workaround:
You can use either of the following workarounds:
-- Enable CPU Saver in the secure connectivity profile.
+ To do so in the GUI:
1. Navigate to GUI: Access Policy :: Secure Connectivity :: profile_name :: Compression Settings :: Network Access.
2. Check the CPU Saver checkbox.
+ To do so in tmsh, run the following command:
tmsh modify apm profile connectivity dummy compress-cpu-saver true
-- Configure compression strategy to 'speed' (from 'latency'). To do so, run the following command:
tmsh modify sys db compression.strategy value "speed"
603380-6 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
Component: Local Traffic Manager
Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.
Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.
Impact:
You will see messages similar to the following in /var/log/ltm.
err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort
Workaround:
None.
603093 : AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system
Component: TMOS
Symptoms:
The BIG-IP i-Series platform (i2600, i2800, i4600, i4800) 250W AC power supply PWR-0334-01 and PWR-0334-02 will show differences in their LED behavior when hot swap or hot plug or whenever power is removed from the supply. This includes redundant systems and systems with a single supply.
Conditions:
PWR-0334-01:
- Input ramps below 80 VAC: input LED green blinking, output LED amber blinking.
- Input ramps below 72 VAC: input LED off, output LED amber blinking.
- AC cord removed, with 1 or 2 supplies in the system: input LED off, output LED off.
PWR-0334-02:
- Input ramps below 75 VAC + 1 VAC: input LED green blinking, output LED amber blinking.
- Input ramps below 70 VAC + 1 VAC: input LED off, output LED off immediately.
Impact:
LED behavior may be inconsistent between revisions of the power supply on early platform shipments with PWR-0334-02.
Workaround:
N/A
603092-5 : "displayservicenames" does not apply to show ltm pool members
Component: TMOS
Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.
Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.
Impact:
The IP address is displayed, but not the service name.
602708-2 : Traffic may not passthrough CoS by default
Solution Article: K84837413
Component: Local Traffic Manager
Symptoms:
Because of a known issue, traffic forwarded by TMM might not pass through the CoS value it received.
Conditions:
IP forwarding Virtual server.
Traffic received with priority other than 3.
Impact:
Traffic is set to priority 3 and may cause issues on other networking devices.
Workaround:
Create a default Class of Service configuration or apply QoS settings in the FastL4 profile.
602566-5 : sod daemon may crash during start-up
Component: TMOS
Symptoms:
sod daemon produces core file during start-up
Conditions:
sod encounters an error during start-up and attempts to recover.
Impact:
sod restarts
602390-2 : Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Solution Article: K87506901
Component: TMOS
Symptoms:
Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Conditions:
Customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Impact:
Can use only English language characters to customize these fields.
Workaround:
None.
602300-1 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
Component: Global Traffic Manager (DNS)
Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the tmsh command
tmsh modify sys dns name-servers add { <IPv6> }
as the first dns name-server.
This appears in the /etc/resolv.conf file as, for example:
nameserver 2001::1
nameserver 192.168.100.1
Conditions:
When an IPv6 nameserver is the first server defined.
Impact:
ZoneRunner records cannot be modified.
Workaround:
Do not use a DNS server with an IPv6 address, or add an IPv4 server at the top of the list.
602193-4 : iControl REST call to get certificate fails if
Component: TMOS
Symptoms:
While using the iControl REST API, a call to /mgmt/tm/sys/crypto/cert results in a 400 or 500 error. The call to /mgmt/tm/sys/crypto/key works.
Conditions:
This can occur if any of the certificates contain non-UTF-8 characters.
Impact:
iControl REST API call will fail.
Workaround:
If possible, generate the certificate so that it contains only UTF-8 characters.
601414-5 : Combined use of session and table irule commands can result in intermittent session lookup failures
Component: TMOS
Symptoms:
[session lookup] commands do not return the expected result.
Conditions:
An iRule which combines use of [table] and [session lookup] commands.
Impact:
Intermittent session functionality.
Workaround:
If possible, use table commands in lieu of session commands.
601189-2 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.
Conditions:
-- Fastl4 VS.
-- syncookie mode.
Impact:
TCP packets are sent out of order.
Workaround:
None.
600944-1 : tmsh does not reset route domain to 0 after cd /Common and loading bash
Component: TMOS
Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common', then run bash and run 'ip route', the routing table from the partition is displayed, not the one for /Common.
Conditions:
Attempting to view the route table from the /Common partition after leaving another partition.
Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.
Workaround:
Quit tmsh and restart.
600872-1 : Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.
Component: Access Policy Manager
Symptoms:
APM end user sessions start successfully, but end within a few minutes and they are forced to logon again.
The default timeout is 900 seconds.
Conditions:
- An HTTP/2-capable browser is in use on a Microsoft Windows platform.
- APM and HTTP/2 are enabled on the same virtual server.
Impact:
APM sessions time out at the configured inactivity timeout (default is 900 seconds) regardless of activity, and APM end users must restart their sessions.
Workaround:
Remove HTTP/2 profile from the affected virtual server.
600634-2 : Schedule-reports can break the upgrade process★
Component: Application Visibility and Reporting
Symptoms:
A scheduled report (of predefined type) that is created via GUI can cause validation error on upgrade and thus might cause the upgrade process to fail. You may see this error in /var/log/ltm:
Syntax Error:(/config/bigip.conf at line: 86) "predefined-report-name" may not be specified with "multi-leveled-report.time-diff"
Conditions:
Creating predefined-scheduled-report from GUI
Impact:
Upgrade process can fail
Workaround:
If the config load fails, you can get the configuration to load by manually removing the scheduled report(s).
Impact of mitigation: this will remove scheduled reports from the configuration.
Edit bigip.conf, and look for analytics objects that have the scheduled-report in the declaration:
analytics application-security scheduled-report /Common/... {
Remove the object and the configuration will load.
600431-6 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP
Component: Service Provider
Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'
Conditions:
iRule that extracts ip address from a diameter avp.
Impact:
The iRule ends with an error.
Workaround:
Instead of
set data [DIAMETER::avp data get 257 ip4]
use an iRule such as
if { [DIAMETER::avp count 257] > 0 } {
    set data [DIAMETER::avp data get 257]
    # The first two bytes are the big-endian address family (1 = IPv4, 2 = IPv6).
    binary scan $data S family
    switch $family {
        1 {
            # An IPv4 address should contain 4 bytes after the family field.
            set ip [IP::addr parse -ipv4 $data 2]
            log local0. "ip = $ip"
        }
        2 {
            # An IPv6 address should contain 16 bytes after the family field.
            set ip [IP::addr parse -ipv6 $data 2]
            log local0. "ip = $ip"
        }
        default {
            log local0.alert "address family $family is not supported"
        }
    }
}
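The iRule workaround above avoids the error by reading the two-byte address family before asking for a typed address. The same decoding logic in Python, as an added example that is not BIG-IP or F5 code, follows the Diameter Address format from RFC 6733 (a 2-byte AddressType from the IANA address family registry, 1 = IPv4 and 2 = IPv6, followed by the raw address) and rejects the cases the iRule guards against: a buffer too short for the family field, an unsupported family, and an address whose length does not match its family. The function names and the sample AVP payloads are constructed for the example.

```python
"""Decode the data portion of a Diameter Address-typed AVP (e.g. Host-IP-Address, code 257).

Added example, not BIG-IP code. Per RFC 6733 the Address type is a 2-byte
AddressType (IANA address family: 1 = IPv4, 2 = IPv6) followed by the raw
address bytes.
"""
import ipaddress
import struct
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Supported address families mapped to the address length they imply.
_FAMILY_LEN = {1: 4, 2: 16}


class AvpAddressError(ValueError):
    """Raised when AVP data is not a well-formed Address value."""


def parse_diameter_address(data: bytes) -> IPAddress:
    """Return the IP address carried in an Address AVP's data field.

    Raises AvpAddressError on a short buffer, an unsupported family, or an
    address whose length does not match its family, i.e. the inputs on which
    a typed 'ip4'/'ip6' fetch would otherwise fail.
    """
    if len(data) < 2:
        raise AvpAddressError("AVP data too short to hold an AddressType")
    # Big-endian 16-bit family, the same field the iRule reads with 'binary scan S'.
    (family,) = struct.unpack("!H", data[:2])
    expected = _FAMILY_LEN.get(family)
    if expected is None:
        raise AvpAddressError(f"address family {family} is not supported")
    addr_bytes = data[2:]
    if len(addr_bytes) != expected:
        raise AvpAddressError(
            f"family {family} expects {expected} address bytes, got {len(addr_bytes)}"
        )
    return ipaddress.ip_address(addr_bytes)


def safe_parse(data: bytes) -> Optional[IPAddress]:
    """iRule-style wrapper: log and continue instead of aborting on bad data."""
    try:
        return parse_diameter_address(data)
    except AvpAddressError as exc:
        print(f"skipping AVP: {exc}")
        return None


# Constructed sample payloads (not captured traffic).
SAMPLE_IPV4 = b"\x00\x01" + bytes([192, 0, 2, 10])
SAMPLE_IPV6 = b"\x00\x02" + ipaddress.IPv6Address("2001:db8::1").packed
SAMPLE_BAD_FAMILY = b"\x00\x08" + b"\x00" * 4   # family 8 is E.164, not handled here
SAMPLE_TRUNCATED = b"\x00\x01\xc0\x00"            # IPv4 family with only two address bytes

if __name__ == "__main__":
    for sample in (SAMPLE_IPV4, SAMPLE_IPV6, SAMPLE_BAD_FAMILY, SAMPLE_TRUNCATED):
        print(safe_parse(sample))
```

The length check is the part worth carrying over to any AVP handler: a family field of 1 with fewer than 4 address bytes is malformed input, and failing closed on it (log and skip) keeps a single bad message from terminating the whole rule.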
599567 : APM assumes snat automap, does not use snat pool
Component: Local Traffic Manager
Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as an RDP gateway), the SNAT pool setting is not honored.
A SNAT setting of "None" also does not work; the virtual server always behaves as if it were configured with Automap.
Conditions:
SNAT pool configured, APM configured (one example is deploying the Horizon View iApp for APM).
Impact:
The VLAN Self IP address is used instead of the snat pool addresses.
599543-3 : Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
Component: TMOS
Symptoms:
When PKCS#12 cert and key are in use by SSL profiles, importing key/cert fails with the below error message:
Import Failed: Exception caught in Management::urn:iControl:Management/KeyCertificate::pkcs12_import_from_file_v2()
0107160f:3: Profile /Common/z-cssl's SSL forward proxy CA key and certificate do not match
Conditions:
1. When the cert and key are in the PKCS#12 format.
2. When the cert and key are in use by SSL profiles.
Impact:
When PKCS#12 cert and key are in use by SSL profiles, they cannot be directly updated (overwritten) using key/cert import.
Workaround:
Use tmsh to install the PKCS#12 key. For example, if the key/cert to be replaced are called orig.key and orig.crt, they can be overwritten using the following command:
tmsh install sys crypto pkcs12 orig from-local-file /shared/eee.pfx
599223-1 : Prevent static destructors in tmipsecd daemon
Component: TMOS
Symptoms:
The tmipsecd daemon can leave a core when it exits main().
Conditions:
When tmipsecd exits deliberately, say in response to an exception, this can crash during program cleanup, despite the cleanup not being necessary. What begins as a clean termination turns into a messy crash.
Impact:
Generation of a distracting core, using disk space and attracting user attention unnecessarily. (Since tmipsecd was restarting anyway, the restart is not extra impact.)
Workaround:
There is no workaround.
599048-1 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
Component: Local Traffic Manager
Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.
Conditions:
Use of the OCSP Stapling feature.
Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.
Workaround:
None
598707-4 : Path MTU does not work in self-IP flows
Component: Local Traffic Manager
Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.
Conditions:
Network flows initiated by the Self IP address (in this case it was encountered while running Update Check)
Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.
598650-1 : apache-ssl-cert objects do not support certificate bundles
Component: TMOS
Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle results in an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.
Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.
Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.
598289-4 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
Component: TMOS
Symptoms:
In TMSH, when trying to add a pool member that has name in the format of <ipv4>:<number>:<service port>, TMSH gives an error. It also corrupts bigip.conf.
Conditions:
-- Use TM Shell to load configuration.
-- ltm pools have members that have names in the format of <ipv4>:<number>:<service port>
Impact:
TMSH fails to load system configuration file
Workaround:
None.
598204-3 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
Solution Article: K54284420
Component: Local Traffic Manager
Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.
Impact:
A TCP virtual server might use bigger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.
Workaround:
None.
597818-2 : Unable to configure IPsec NAT-T to "force"
Component: TMOS
Symptoms:
When configuring IPsec NAT traversal to "Force", the behavior is as if the setting is "Off".
Conditions:
Configuring IPsec NAT Traversal to Force
Impact:
NAT-T does not work
Workaround:
Configure NAT-T to On instead.
597564-3 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
Component: TMOS
Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user is manually editing the bigip.conf file, and they remove the 'app-service' statement from a virtual server, 'tmsh load sys config' will not fail to load the config, which is incorrect.
Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.
Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:
May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.
Workaround:
Exercise caution when manually editing BIG-IP configuration files.
597253-1 : HTTP::respond tcl command may incorrectly identify parameters as ifiles
Component: Local Traffic Manager
Symptoms:
The HTTP::respond iRule command may incorrectly identify parameters as an iFile parameter when attaching the iRule to a Virtual Server.
Conditions:
HTTP::respond command making use of a variable as a header name. For instance:
HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"
Configure a HTTP/TCP virtual server and attach the iRule.
Impact:
1070151:3: Rule [/Common/example_rule] error: Unable to find ifile (header_value_text) referenced at line 3: [HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"]
Workaround:
Ensure the offending header name and value are either both literal strings or variables.
596826-5 : Don't set the mirroring address to a floating self IP address
Component: TMOS
Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address
It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.
Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.
Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".
Workaround:
Change the mirroring address to a non-floating self IP address. The GUI only presents non-floating self IP addresses.
For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478
596815-1 : System DNS nameserver and search order configuration does not always sync to peers
Component: TMOS
Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync if modified in the GUI or tmsh modify sys db.
Conditions:
The device is in a failover device group with incremental sync turned on.
In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.
In tmsh, run 'tmsh modify sys db dns.nameserver' (or dns.domainname) and, in some cases, 'tmsh modify sys dns name-servers' (or search).
Impact:
Modifications will not change the sync status nor sync the change to peers.
Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.
Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.
596278 : ILX workspace created by iApp made from template not deleted when iApp deleted
Component: Local Traffic Manager
Symptoms:
Any ILX workspace created by an iApp from a template (and possibly otherwise) remains even after the iApp is deleted.
You can check for them under tmsh's ltm/ilx/workspace, on the file system in /var/ilx/workspaces, or in the GUI at Local Traffic :: iRules : LX Workspace.
Conditions:
This occurs when using iApps which create ILX workspaces.
Impact:
Configuration which was supposed to be deleted stays on the box.
Workaround:
Delete the leftover workspace manually.
596020-3 : Devices in a device-group may report out-of-sync after one of the devices is rebooted
Component: TMOS
Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.
As a result of this issue, you may encounter the following symptoms:
- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.
Conditions:
This issue occurs when all of the following conditions are met:
- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On a device (the config-sync originator), you modify the configuration, triggering the devices to become out of sync.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.
Impact:
After the reboot, the devices report out-of-sync.
Note: This issue is purely cosmetic; no configuration is lost as result of this issue.
Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.
Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.
595921-1 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
Component: Local Traffic Manager
Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.
Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.
Workaround:
Use a Self IP address on the VLAN group.
595868-1 : HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.
Component: TMOS
Symptoms:
HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. Tmm cores with the following error message in /var/log/ltm: notice panic: hsb interface 2 DMA lockup on transmitter failure.
Conditions:
It is not known what triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
595617-1 : Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.
Solution Article: K40420553
Component: TMOS
Symptoms:
When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.
Conditions:
- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1.
- A user modifies the ipsec-tunnel-profile, which is found here:
-- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'.
-- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.
Impact:
A traffic outage on one tunnel when the remote IPsec peer generally plays the role of Initiator. The remote system will not attempt to establish a new tunnel because it believes that a valid SA exists.
Workaround:
Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, tmipsecd can be restarted instead; however, this causes all IPsec tunnels to restart.
595317-4 : Forwarding address for Type 7 in ospfv3 is not updated in the database
Component: TMOS
Symptoms:
The OSPF nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed.
Conditions:
Remove the global address on the forwarding interface.
Impact:
Packets are sent to an incorrect interface.
Workaround:
clear ipv6 ospf process
595281-1 : TCP Analytics reports huge goodput numbers
Component: Local Traffic Manager
Symptoms:
TCP Analytics reports that 2^32 bytes have been delivered, rather than 0.
Conditions:
When the serverside connection attempt fails.
Impact:
TCP Analytics stats are inaccurate.
594751-3 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
Solution Article: K90535529
Component: Local Traffic Manager
Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.
Conditions:
1. LLDP is enabled globally and per interface.
2. Interfaces are added to a trunk after it has already been assigned to a VLAN.
For instance, assume the following sequence of commands was used to create an LLDP trunk:
tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }
The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.
Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.
Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.
If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
bigstart restart lldpd
594547 : LTM policy TCP address selector offers only "match any of" condition
Component: Local Traffic Manager
Symptoms:
In the graphical UI, the user can create a condition on a TCP address where a list of user-specified addresses are considered for a match. But the negated version is not available.
Conditions:
Using only the GUI, it is not possible to create an LTM policy condition which checks for addresses that do not match the user-specified list.
Impact:
Users cannot use the GUI to specify conditions in a policy where the TCP address does not match a list of specified addresses.
Workaround:
Using tmsh it is possible to create or modify a policy to negate a condition on tcp address.
For example, in tmsh:
root@(mybigip)# modify ltm policy my_policy rules modify { my_rule { conditions replace-all-with { 0 { tcp address not matches values { 10.10.4.0/0 } } } } }
594366-1 : Occasional crash of icrd_child when BIG-IP restarts
Solution Article: K21271097
Component: TMOS
Symptoms:
When BIG-IP restarts (bigstart restart), or when restjavad restarts (bigstart restart restjavad), there is an occasional crash of the icrd_child thread.
Conditions:
When BIG-IP restarts (bigstart restart), or when restjavad restarts. No other specific conditions.
Impact:
Occasional crash/SEGV exception.
Workaround:
Restart BIG-IP system again.
594064-2 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
Solution Article: K57004151
Component: Local Traffic Manager
Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.
Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.
Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>
Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.
Workaround:
Specify a filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').
593845-3 : VE interface limit
Solution Article: K24093205
Component: TMOS
Symptoms:
TMM fails to boot up successfully.
Conditions:
More than 10 interfaces assigned to Virtual Edition (VE).
Impact:
BIG-IP fails to pass traffic as TMM fails to load successfully.
Workaround:
Make sure VE is assigned 10 or fewer interfaces.
593396-5 : Stateless virtual servers may not work correctly with route pools or ECMP routes
Component: Local Traffic Manager
Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.
Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.
Impact:
Traffic might be dropped.
Workaround:
Use other virtual server types to process this traffic.
593361-1 : The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.
Component: TMOS
Symptoms:
The target platform's VXLAN-GPE/NSH implementation must be kept up to date with the draft specification and tested against other open-source and commercial implementations before it can be considered stable. If it is not a stable, production version, as in the case below, the sender's packets can carry a dummy inner MAC that BIG-IP does not recognize.
Conditions:
Target platforms which may be unstable and untested in VXLAN-GPE.
Impact:
BIG-IP drops the packets because it does not recognize the inner packet's MAC address.
Workaround:
Ensure the target platform is a stable, tested, production version with respect to VXLAN-GPE and NSH.
592819-2 : Enabling of whitelists on a Protected Object requires disabling DoS protection support in hardware
Component: Advanced Firewall Manager
Symptoms:
On the 5250 platform, DDoS protection support in hardware prevents configuration of a whitelist for a protected object.
Conditions:
Configuration of a Whitelist on a Protected object on a hardware platform (such as the 5250).
Impact:
Cannot configure whitelist on a Protected Object.
Workaround:
Disable hardware support for DDoS protection from the command line using the command:
modify sys db dos.forceswdos value true
Note that disabling DDoS hardware support may impact the performance of the device because then all DDoS protection mechanisms are managed in software.
592620-1 : iRule validation does not catch incorrect 'after' syntax
Component: Local Traffic Manager
Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.
Conditions:
iRule with incorrect 'after' syntax. For example, "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen).
Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.
Workaround:
Correct the syntax error.
592211-1 : CPU stress on BIG-IP also takes into account packets dropped by hardware.
Component: Advanced Firewall Manager
Symptoms:
The rate limit is directly proportional to the CPU stress seen by the BIG-IP system. DoS rate-limits traffic in hardware (HW) when the BIG-IP system is under stress (CPU is high). Once packets are dropped by HW, the system's CPU usage comes down and DoS stops rate-limiting, so this behavior can result in toggling of the DoS rate-limit state.
Conditions:
-- DoS in HW starts rate-limit in HW.
-- DoS has autodos enabled.
Impact:
The BIG-IP system may see that in one second DoS is rate-limiting packets, in the next second it is allowing packets, in the next second it starts rate-limiting again, and so on. The DoS vector mitigation state toggles.
Workaround:
The workaround is to disable autodosd for that vector.
591732-2 : Local password policy not enforced when auth source is set to a remote type.
Component: TMOS
Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.
Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Workaround:
None.
591505-1 : Policy may become unsyncable after changing contexts
Component: Advanced Firewall Manager
Symptoms:
This is a known issue caused by the internal framework in MCPD, which marks configurable objects as either synced or non-synced. If the user applies the policy to a non-syncing context (a non-floating self IP), that policy is no longer synced across HA devices.
Conditions:
A config with a standalone firewall policy applied to both synced and non-synced contexts.
Impact:
A policy that is assigned to an otherwise non-syncing context, e.g., a non-floating self IP, will no longer be synced, even if it is later attached to a syncing object.
Workaround:
Create a "local" policy for non-floating self-IP only.
591305 : Audit log messages with "user unknown" appear on install
Component: TMOS
Symptoms:
Multiple log entries in /var/log/audit similar to the following:
May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]
Conditions:
This happens on initial install; it is not yet known what triggers it.
Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.
590851-4 : "never log" IPs are still reported to AVR
Component: Application Security Manager
Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag.
Conditions:
Always
Impact:
Extra, unwanted logging for IP addresses flagged as "never log".
Workaround:
N/A
590415-1 : Partition can be removed when remote role info entries refer to it
Component: TMOS
Symptoms:
If you have a partition, and a remote-role info that mentions the partition, then you can delete the partition and the role info will not be modified. Once this configuration is saved, future loads will fail with an error like the following:
01070829:5: Input error: Invalid partition ID request, partition does not exist (your-partition-name)
Conditions:
A partition has been deleted, but the remote role configuration still names the partition.
Impact:
Load will fail.
Workaround:
Before removing a partition, ensure that any role-info entries mentioning the partition are also removed.
If you already have encountered a failure to load such a configuration, edit /config/bigip.conf to remove the offending entries in "auth remote-role".
590399-1 : Unnecessary logging during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'.
Solution Article: K11304001
Component: TMOS
Symptoms:
Unnecessary logging during startup:
err errdefsd[5106]: 01940019:3: Unable to connect to MCPD, will try again in 30 seconds.
err errdefsd[5106]: 0194001d:3: Errdefsd is starting. Old shared memory arena is now deprecated.
Conditions:
This occurs during system startup.
Impact:
No to low impact. This message is benign, and you can safely ignore it.
Workaround:
None needed.
590156-3 : Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
Component: Local Traffic Manager
Symptoms:
APM connections fail when MAC masquerade is in use and source-port preserve-strict is enabled on the APM virtual server.
Conditions:
The traffic-group has mac-masquerade configured and source-port preserve-strict is in use on the APM virtual server.
Impact:
Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
Workaround:
Disable either mac-masquerade or source-port preserve-strict (or both).
589862-6 : HA Group percent-up display value is truncated, not rounded
Component: TMOS
Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.
Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.
Impact:
Incorrect display of the percent-up value. The score contribution is correct, and displayed rounded properly.
589856-2 : iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients
Component: TMOS
Symptoms:
When two iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction ID. This breaks the execution of both clients' code.
Conditions:
Client requests to create transaction are close to each other in time.
Impact:
Transaction semantics are not followed, and unintended errors may occur.
589367-2 : Some Edge Client's German translations are incorrect
Component: Access Policy Manager
Symptoms:
Some Edge Client's German translations are incorrect.
Conditions:
APM end-user's system using German locale.
Impact:
Conversion results in confusing text.
Workaround:
None.
588929-2 : SCTP emits 'address conflict detected' log messages during failover
Component: TMOS
Symptoms:
The system may advertise, on the client-side, SCTP alternate addresses that are in a route-domain different from that of the virtual server.
Conditions:
Configuring an SCTP virtual server with alternate-addresses that are not in the correct route domain.
Impact:
No impact to traffic processing. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.
Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.
588794-2 : Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
Component: TMOS
Symptoms:
SCTP alternate addresses may be advertised on the server-side that are in a route-domain that is different from that of the virtual server.
Conditions:
Alternate-addresses are configured on an SCTP virtual server that aren't in the correct route domain.
Impact:
There is no impact to traffic processing. Alternate-addresses will be advertised even though they are not in the correct domain. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.
Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.
588771-2 : SCTP needs traffic-group validation for server-side client alternate addresses
Component: TMOS
Symptoms:
Addresses may be advertised in an SCTP INIT chunk even though they are not usable by the BIG-IP.
Conditions:
When an SCTP virtual server has server-side-multihoming enabled and the snatpool used by the virtual server contains addresses from other traffic groups, it will advertise all of the addresses from the snatpool in the INIT chunk.
Impact:
Some of the paths advertised during SCTP association establishment will be unusable. A conformant SCTP implementation on the server side should test and disregard these paths, causing no impact to traffic.
588646-1 : Use of standard access list remarks in imish may cause later entries to fail on add
Component: TMOS
Symptoms:
The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load.
Conditions:
Create a standard access list with a remark.
Add to the same list another entry to permit or deny an IP address or range.
Impact:
The ACL does not load and an error is returned.
Workaround:
Do not use remarks in standard access lists, or use an access list in the extended or named ranges.
588626 : Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).
Component: Application Visibility and Reporting
Symptoms:
While configuring an alert for Maximum TPS on an Analytics profile, you get an error: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member)
Conditions:
This occurs when attempting to add an Analytics alert that triggers on Max TPS, and the alert is configured to run against a pool member or an application (the default is Virtual Server, not pool member or application).
Impact:
You cannot configure Max TPS alerts at the pool member level. The GUI appears to allow you to do this, but validation rules will prevent you from adding the alert.
The full list of alerts that cannot be configured at the pool or application level includes all rules with the word Maximum in them:
- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput
588229-1 : DNS protocol default profiles can be deleted after being modified.
Component: Global Traffic Manager (DNS)
Symptoms:
A protocol default profile can be deleted in some cases.
Conditions:
The protocol default profile is not a parent to any other profile and has been modified.
Impact:
Default protocol profile can be deleted. If a default profile has been deleted, the config might get into an invalid state, and a config reload might be necessary.
Workaround:
Do not attempt to delete a protocol default profile.
588028-1 : Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up
Component: TMOS
Symptoms:
If the LCD visible alerts are cleared using the LCD menu while the Host is down, then when the host is brought back up the LCD will re-display any alerts that were generated after the host went down.
Alerts generated while the host is down are persistent; when the host comes up, it harvests those alerts and re-displays them on the LCD. The alarm LED may be re-initialized to an unexpected state.
Conditions:
Alerts generated while the host is down and alerts are cleared using the LCD menu interface.
Impact:
Alerts are re-displayed on the LCD when the host comes back up, and the alarm LED may indicate an alarm that was previously thought to be cleared.
Workaround:
Do not clear the alerts from the LCD interface while the host is down.
587821-5 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Solution Article: K91818030
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
The vCMP guests that were already running before the MCPD daemon restarted may be unable to communicate with VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
587804-1 : Symmetric Unit Key decrypt failure on base load
Component: TMOS
Symptoms:
On initial boot of VIPRION blade, before the blade is licensed, you may see the following error message in /var/log/ltm:
err mcpd[5015]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Conditions:
It is not yet known what the conditions are that trigger this error.
Impact:
This occurs on initial boot of the VIPRION blade, prior to licensing the device. After licensing, this error does not occur.
Workaround:
None. If this error is reported on first boot, but can otherwise be licensed, it can be safely ignored. If this occurred after loading a ucs file, see SOL13132: Backing up and restoring BIG-IP configuration files at https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13132.html for more information on this error.
586938-1 : Standby device will respond to the ARP of the SCTP multihoming alternate address
Solution Article: K57360106
Component: TMOS
Symptoms:
When an SCTP connection is established, the router sends an ARP request for the client-side multi-homing alternate address, but the standby device replies to the ARP request as well.
Conditions:
When an SCTP profile has at least one alternate-address configured and is used in a high availability (HA) scenario, this issue will manifest.
Impact:
Traffic for the alternate-addresses may be directed to the wrong device in an HA group. The multi-homing function fails because the alternate connection cannot be established on the standby device.
Workaround:
Do not use a VLAN address as an alternate address. Use only routed addresses, and route those addresses to the floating Self-IP address of the BIG-IP system.
586862-2 : Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.
Solution Article: K30859144
Component: Local Traffic Manager
Symptoms:
Tcl expression evaluations (outside of an iRule) can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. A couple of examples where Tcl expressions are evaluated outside the context of an iRule include the tcl-setvar action of LTM Policy and the Request Header Insert feature of the HTTP profile.
Conditions:
The issue has been found on a virtual server with both an attached iRule and an LTM policy. The iRule calls TCP::collect when the connection is accepted, and calls TCP::release at the CLIENT_DATA event. The LTM policy has a single action that sets a Tcl set-variable expression.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
586660-1 : HTTP/2 and RAM Cache are not compatible.
Component: Local Traffic Manager
Symptoms:
A virtual server fails some requests where the response is served from cache.
Conditions:
This might occur in any of the following circumstances:
1.
-- Virtual server has either SPDY or HTTP/2 enabled
-- Requests that would normally be served from RAM cache.
2.
-- HTTP virtual server has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event.
-- Tcl commands attempt to access the response headers.
3.
Certain filters and plugins that require access to the response headers.
Impact:
Errors in certain Tcl commands or failed requests. These correlate to Conditions as follows:
1. If a virtual server has either SPDY or HTTP/2 enabled, it might fail requests that would normally be served from RAM cache.
2. An HTTP virtual server that has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event might give errors to Tcl commands that attempt to access the response headers.
3. Certain filters and plugins that require access to the response headers might also fail in unexpected ways.
Workaround:
Disable CACHE via an iRule:
when HTTP_REQUEST {
    if {[HTTP2::active]} {
        CACHE::disable
    }
}
586621-5 : SQL monitors 'count' config value does not work as expected.
Solution Article: K36008344
Component: Local Traffic Manager
Symptoms:
SQL monitors 'count' config value does not work as expected.
Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.
Impact:
SQL monitor might use a 'count' value that is incorrect.
Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.
586587-1 : RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
Component: Local Traffic Manager
Symptoms:
RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. That results in sending data at higher rates than specified Max Rate.
Conditions:
RTT is less than 6ms.
Impact:
Packet loss might happen (queue overflow) due to sending at higher data rate than the specified max rate.
Workaround:
None.
586348-1 : Network Map Pool Member Parent Node Name display and Pool Member hyperlink
Component: TMOS
Symptoms:
The Network Map does not display the correct node name, and the link takes you to an incorrect pool member.
Conditions:
Create a pool and pool member from a FQDN node. Add that pool to a virtual server. From the Network Map page the pool member link does not show the FQDN making it hard to tell what pool member it is. When you click on the pool member hyperlink it takes you to the incorrect pool member.
Impact:
This causes confusion because the pool members are difficult to identify without the FQDN and the link takes you to the incorrect pool member.
586138-1 : Inconsistent display of route-domain information in administrative partitions.
Solution Article: K84112154
Component: Local Traffic Manager
Symptoms:
When an IP address is displayed in the GUI and in tmsh, there are inconsistencies in how the route domain of the address is displayed. This occurs for virtual servers and pool members.
Conditions:
IP addresses configured for virtual servers and pool members outside the default route domain of the administrative partition.
Impact:
Although this is only a cosmetic issue, there might be confusion associated with the display inconsistencies.
Workaround:
None.
584948-5 : Safenet HSM integration failing after it completes.
Component: Local Traffic Manager
Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:
denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.
Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.
The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions.
Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.
Workaround:
Use chcon and chcon -h to fix the SELinux context (permissions) issues. The --reference option can be used with any correctly labeled file in the same directory to do this quickly.
For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.
584788-1 : Directed failover of HA pair using only hardwire failover will fail
Component: TMOS
Symptoms:
Units configured in an HA pair using only hardwire failover will not be able to use a targeted failover.
Conditions:
HA pair configured without network failover but with a hardwire failover.
Failover is attempted using one of the following two methods:
Via the GUI:
Device Management -> Traffic Groups
check <traffic group>
click "force to standby"
again click "force to standby"
Via tmsh:
tmsh run sys failover standby device <peer device> traffic-group <traffic group name>
Impact:
Failover may fail with the following logs in /var/log/ltm:
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.
Workaround:
Use an alternative failover method:
- Device Management > Devices > Force to Standby
- Device Management > Traffic Groups > [traffic Group name] > Force to Standby
- tmsh run sys failover standby # without device
584772 : ssldump may crash when decrypting bad records
Component: Local Traffic Manager
Symptoms:
ssldump crashes while decrypting.
Conditions:
Using ssldump to decrypt SSL which contains bad records.
Impact:
ssldump crashes making it difficult to decrypt SSL data.
584504-2 : Allowing non-English characters on login screen
Solution Article: K36912228
Component: TMOS
Symptoms:
Passwords can contain non-English characters, but login fails when such a password is used.
Conditions:
Passwords contain non-English characters.
Impact:
Users entering these characters on the login screen are unable to log in.
Workaround:
Make sure passwords contain only English characters.
584414 : Deleting persistence-records via tmsh may result in persistence being created to different nodes
Component: Local Traffic Manager
Symptoms:
After the persistence records are deleted, a connection may use persistence records that point to two different nodes, breaking persistence.
Conditions:
Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing).
Impact:
Client fails to persist to a particular node.
Workaround:
Avoid removing persistence records from tmsh or use iRules to remove persistence records.
584041 : If a forward slash '/' is used in the description field, the admin user is demoted to guest.
Component: TMOS
Symptoms:
When creating a new admin user, if a forward slash '/' is used in the description field, the user will be demoted to guest.
Conditions:
Creating a new admin user with a forward slash in the description text.
Impact:
The mcp user's admin group is demoted to guest.
Workaround:
Do not use forward slashes in the user's description.
583777-5 : [TMSH] sys crypto cert missing tab completion function
Solution Article: K33230520
Component: TMOS
Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the name of the certificate that you want to operate on.
Conditions:
This occurs in tmsh:
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
Impact:
Not possible to select a certificate using tab complete.
Workaround:
Manually type the certificate name.
583402-1 : ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work
Component: Application Security Manager
Symptoms:
The 'Overridden Characters in Value' and 'Overridden Attack Signatures' filter options on the Parameters List screen do not work correctly. These filter options appear after you set 'Parameter Value Type' to 'User-input value' and 'Data Type' to 'Alpha-Numeric'.
Conditions:
Attempting to filter parameters by setting the 'Value Type' to 'User-input value', 'Data Type' to 'Alpha-Numeric', and searching for 'At least one' signature override.
Impact:
Search fails.
Workaround:
None.
583101-2 : ADAPT::result bypass after continue causes bad state transition
Component: Service Provider
Symptoms:
Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue.
Conditions:
iRules exist on a VS with an adapt profile, containing:
when ADAPT_REQUEST_RESULT {
ADAPT::result bypass
}
or
when ADAPT_RESPONSE_RESULT {
ADAPT::result bypass
}
Impact:
ADAPT logs an unexpected state transition and resets the connection, making it impossible for iRules to replace the ICAP response.
Workaround:
Avoid 'ADAPT::result bypass' commands in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).
583084-5 : iControl produces 404 error while creating records successfully
Solution Article: K15101680
Component: TMOS
Symptoms:
iControl returns a 404 error even though the gtm topology record is created successfully.
Conditions:
Creating a gtm topology record via iControl without using the full path.
Impact:
The returned result code does not match the actual result.
Workaround:
Use the full path when creating a gtm topology record via iControl.
582606-1 : IPv6 downloads stall when NA IPv4&IPv6 is used.
Component: Access Policy Manager
Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.
Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource.
Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.
Workaround:
It is possible that disabling large receive offload will work as a mitigation. To do so, run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
582595-2 : default-node-monitor is reset to none for HA configuration.
Solution Article: K52029952
Component: TMOS
Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.
Conditions:
Scenario #1
Upgrading an HA active/standby configuration and rebooting the standby, where the configuration consists of the following:
* ltm node with a monitor.
* ltm default-node-monitor with a different monitor.
Scenario #2
Given an HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.
Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.
Workaround:
Reconfigure a default-node-monitor.
582440-4 : Linux client does not restore route to the default GW on Ubuntu 15.10
Component: Access Policy Manager
Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.
Conditions:
Ubuntu 15.10; a network access tunnel is connected and then disconnected.
Impact:
The user will not be able to reach the internet after disconnecting from network access.
Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging and replugging the cable should solve the problem.
582331-1 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
582234-6 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
Component: Local Traffic Manager
Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it.
Impact:
Monitoring does not resume when pool member is re-enabled via config merge.
Workaround:
You can re-enable monitoring by running the following commands:
tmsh save sys config
tmsh load sys config
582207-7 : MSS may exceed MTU when using HW syncookies
Component: Local Traffic Manager
Symptoms:
Packets larger than the interface's MTU can be transmitted.
Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.
Impact:
Potential packet loss.
Workaround:
Disable HW syncookie mode.
582127-1 : VE OVA logrotate max-file-size too big for /var/log partition size
Solution Article: K55138704
Component: TMOS
Symptoms:
Virtual Edition (VE) OVA logrotate max-file-size is too big for the /var/log partition size.
Conditions:
This occurs on 11.5.0 and later, where the partition size was reduced from 6 GB to 500 MB, to better manage disk space.
This can also happen on a Micro instance on a fixed version.
Impact:
The BIG-IP VE system runs out of disk space due to increased logging. In this instance, logrotate should run and potentially free up space by rotating and compressing the actively written logs. With the current setting for max-file-size, however, that cannot happen, thus leading to increased likelihood of running out of space in /var/log.
Workaround:
You can extend the disk space for logs by performing the following procedure. (From K14952: Extending disk space on BIG-IP Virtual Edition, available here: https://support.f5.com/csp/article/K14952#proc3.)
Impact of procedure: You need to shut down the BIG-IP VE system during the disk provisioning steps, and the system will not be available for traffic processing. You should perform this procedure during a suitable maintenance window. Increasing the disk size on the VE system is irreversible, since F5 does not support disk shrinking.
1. Log in to the command line on the BIG-IP VE system.
2. Shut down the system by typing the following command:
shutdown -h now
3. Provision the desired disk space for the VE system on the hypervisor. For information about disk provisioning on the hypervisor, refer to the documentation from your hypervisor vendor.
4. Start up the BIG-IP VE guest instance on your hypervisor. For information about starting a guest instance on the hypervisor, refer to the documentation from your hypervisor vendor.
5. When the BIG-IP VE system is up, log in to the command line on the VE system.
6. Extend the /var/log directory by using the following command syntax:
tmsh modify /sys disk directory /var/log new-size <desired value in KB>
For example, to extend the /var/log directory to 10 GB, you would type the following command:
tmsh modify /sys disk directory /var/log new-size 10485760
7. Save the configuration by typing the following command:
tmsh save /sys config
8. Reboot the VE system by typing the following command:
reboot
9. When the BIG-IP VE system is up, log in to the command line on the VE system.
10. Verify that the /var/log directory is successfully extended to the size you have specified in step 6 by typing the following command:
tmsh show /sys disk directory
581865-2 : 6900, 8900, 8950, or 11050 platforms missing swap storage★
Solution Article: K11053914
Component: TMOS
Symptoms:
No swap is available; observable via 'cat /proc/swaps'.
Conditions:
A 6900, 8900, 8950, or 11050 platform with RAID LVM, directly upgraded from a pre-10.2.4 version to version 11.x/12.x.
Impact:
No swap space is created during upgrade. Multiple unexpected issues might occur because there is no swap space available.
Workaround:
Newer systems have the swap storage created during initial format. You might also be able to first upgrade to version 10.2.4. Then, when upgrading to version 11.x/12.x, the process creates the swap during upgrade.
581851-2 : mcpd restarts due to interleaving of messages / folder contexts from primary to secondary blade
Solution Article: K16234725
Component: TMOS
Symptoms:
MCPD on secondary blades restarts with a configuration error.
Conditions:
This issue affects clustered systems only (VIPRION or vCMP guest).
The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.
Impact:
Secondary blades restart services, resulting in performance degradation or failover.
Workaround:
None.
581668 : DNS/SIP whitelisted packets not reported
Component: Advanced Firewall Manager
Symptoms:
If a DNS or SIP packet matches the DoS whitelist, the packet is not reported to AVR.
Conditions:
The packet must be a DNS or SIP packet and must match the whitelist.
Impact:
There is no functional impact but AVR tables will not have the whitelisted packets in their count.
580602-1 : Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
Component: TMOS
Symptoms:
A configuration containing LTM nodes with IPv6 link-local addresses may fail to load.
Conditions:
Attempting to load a configuration containing an LTM node with an IPv6 link-local address.
Impact:
Configuration fails to load.
Workaround:
Use IPv6 global addresses instead.
580499-2 : Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.
Solution Article: K34082034
Component: TMOS
Symptoms:
Configuring an alternate admin user fails on a multi-blade VIPRION chassis and prevents newly added blades from becoming available to process traffic. This occurs if the default admin on the primary is disabled and the chassis has at least two blades. After disabling the default admin on the primary and configuring an alternate, mcpd on secondary blades goes into a restart loop and posts error messages similar to the following in /var/log/ltm:
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-primary2.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary1.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary2.
err mcpd[26012]: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.
err mcpd[26012]: 01070734:3: Configuration error: Configuration from primary failed validation: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.... failed validation with error 17242343.
In this example, admin-primary1 is the default admin user set in the GUI under System :: Platform :: Admin Account; admin-primary2, admin-secondary1 and admin-secondary2 are other admin users on the device, but they are not configured as the default admin user.
Conditions:
Chassis with multiple blades; alternate primary admin is set on the primary blade.
Impact:
mcpd in a restart loop on secondaries.
Workaround:
There is no workaround that will allow you to use a different primary admin user on BIG-IP software versions affected by this issue. To stop secondary blades from restarting in a loop, issue the following commands on your primary blade, which should be stable at this time:
# tmsh modify sys db systemauth.primaryadminuser value admin
# tmsh save sys config
579652-1 : Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
Component: Access Policy Manager
Symptoms:
When URLs from multiple browser tabs start an access policy, the session is created with the landing URL from the first tab that started the session, not with the URL from the second tab that continued and finished establishing the access session.
For example, an end user opens a browser and sends a GET to the /first_url resource. Access initiates the session and renders the logon page. Then the end user opens another tab and sends a GET to the /second_url resource. Access returns the error message "Access policy evaluation is already in progress for your current session." with a link to start a new session. If the end user selects the "click here" link, the new session starts with /first_url, and not with /second_url as would be expected.
Conditions:
Using Multidomain SSO, and accessing two different resources before the access policy has been created. This causes the access policy to run from two different landing URLs.
Impact:
This may leave the BIG-IP system, acting as a SAML SP, unable to establish a session with the IdP. In the case of LTM and APM, the user is always redirected to the URL from the first tab after policy execution finishes.
Workaround:
None.
579252-3 : Traffic can be directed to a less specific virtual during virtual modification
Component: Local Traffic Manager
Symptoms:
Traffic can be directed to a less specific virtual server during virtual server modification. It could also be dropped if there is no less specific virtual server.
Conditions:
net self external-ipv4 {
address 10.124.0.19/16
traffic-group traffic-group-local-only
vlan external
}
net self internal-ipv4 {
address 10.125.0.19/16
traffic-group traffic-group-local-only
vlan internal
}
ltm pool redirect-echo {
members { 10.125.0.17:7 }
}
ltm virtual fw {
description "less-specific virtual"
destination 10.125.0.0:any
ip-forward
mask 255.255.255.0
profiles { fastL4 }
translate-address disabled
translate-port disabled
vlans-disabled
}
ltm virtual redirect-echo {
description "enable/disable this one"
destination 10.125.0.20:echo
ip-protocol udp
mask 255.255.255.255
pool redirect-echo
profiles { udp }
vlans { external }
vlans-enabled
}
Impact:
Traffic can be directed to a less specific virtual server.
Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.
579035-5 : Config sync error when a key with passphrase is converted into FIPS.
Solution Article: K46145454
Component: TMOS
Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.
Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.
Impact:
Config sync will fail.
Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720
578971-3 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
Component: Local Traffic Manager
Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:
"Slot 1 suffered heartbeat timeout ..."
This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.
Conditions:
Mcpd is restarted on a blade.
Impact:
Though all blades recover on their own, the cluster members being marked failed may result in a failover.
Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.
575919-2 : Running concurrent TMSH instances can result in error in access to history file
Component: TMOS
Symptoms:
TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file.
Conditions:
Running multiple instances can cause one instance of TMSH to lock the history file while the other is trying to access it, resulting in an error.
Impact:
Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued.
Workaround:
Only run a single instance of TMSH.
575642-1 : rst_cause of "Internal error"
Component: Local Traffic Manager
Symptoms:
The rst_cause may be logged as "Internal Error". rst_cause of "Internal error" does not give a narrow reason for the reset. It means that one of the other reset causes was not matched but the exact issue cannot be determined from this generic error.
Conditions:
Heavy/normal production network usage.
Impact:
System problem diagnosis is more difficult.
Workaround:
N/A
575372 : BIG-IQ Discovery may fail due to an invalid passphrase.
Component: TMOS
Symptoms:
BIG-IQ Local Traffic & Management discovery may fail due to an invalid passphrase. Log messages might include the error: Failed to transform secure field value.
Conditions:
-- The BIG-IP systems are configured in a DSC configuration.
-- There are one or more profiles configured with a passphrase.
Impact:
As a result, the LTM service cannot be managed for that BIG-IP system.
Workaround:
Run the following command on the BIG-IP system:
bigstart restart restjavad
575368-5 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
Component: TMOS
Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted indicating that the FIPS keys in the configuration are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.
Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.
Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.
Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.
574318-3 : Unable to resume session when switching to Protected Workspace
Component: Access Policy Manager
Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error
Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace.
Impact:
Client browser cannot render the protected workspace.
574113-2 : Block All - Session Tracking Status is not persisted across an auto-sync device group
Component: Application Security Manager
Symptoms:
Users, IP addresses, and sessions that are meant to be blocked due to their traffic patterns are not being synchronized to the peer device in an auto-sync device group with ASM sync enabled.
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.
Conditions:
1) Devices are in an auto-sync device group with ASM sync enabled.
2) Session Tracking is enabled.
Impact:
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.
Workaround:
Force a full sync to propagate the session tracking information.
573031-1 : qkview may not collect certain configuration files in their entirety
Component: TMOS
Symptoms:
If the following files exceed 5 MB in size, they will be truncated when collected by qkview:
/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf
Conditions:
Any of the listed files exceeds 5 MB.
Impact:
Fault diagnosis may be affected.
Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.
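Because a truncated file only shows up after the qkview has been generated and its qkview_run.data inspected, it is useful to check the candidate files beforehand. The following check is an added example, not F5 or qkview code: it applies the three path patterns from the note to a filesystem root and lists any file over the limit. The 5 MB limit is assumed here to mean 5 MiB, and the `root` parameter is an assumption that lets the same check run against a copied BIG-IP tree or the constructed sample tree built by `demo()`.

```python
"""List configuration files that qkview would truncate (added example)."""
import glob
import os
import shutil
import tempfile
from typing import List, Tuple

# Files the note says qkview truncates above 5 MB (assumed to mean 5 MiB here).
QKVIEW_TRUNCATED_FILES = [
    "config/partitions/*/bigip.conf",
    "config/partitions/*/BIG-IP_base.conf",
    "config/BIG-IP_gtm.conf",
]
QKVIEW_SIZE_LIMIT = 5 * 1024 * 1024


def find_truncation_candidates(root: str = "/", limit: int = QKVIEW_SIZE_LIMIT) -> List[Tuple[str, int]]:
    """Return (path relative to root, size in bytes) for listed files larger than limit.

    root is an assumed parameter so the check can run against a copy of a
    BIG-IP filesystem; on the device itself the default "/" is used.
    """
    hits: List[Tuple[str, int]] = []
    for pattern in QKVIEW_TRUNCATED_FILES:
        for path in glob.glob(os.path.join(root, pattern)):
            size = os.path.getsize(path)
            if size > limit:
                hits.append((os.path.relpath(path, root), size))
    return sorted(hits)


def demo() -> List[Tuple[str, int]]:
    """Build a constructed sample tree with one oversized file and run the check."""
    root = tempfile.mkdtemp(prefix="qkview-check-")
    try:
        big = os.path.join(root, "config", "partitions", "Common", "bigip.conf")
        small = os.path.join(root, "config", "BIG-IP_gtm.conf")
        os.makedirs(os.path.dirname(big))
        with open(big, "wb") as f:
            f.truncate(6 * 1024 * 1024)   # sparse 6 MiB file: over the limit
        with open(small, "wb") as f:
            f.write(b"gtm config\n")      # well under the limit
        return find_truncation_candidates(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # On a BIG-IP device: report files to copy manually alongside the qkview.
    for rel, size in find_truncation_candidates("/"):
        print(f"/{rel}: {size} bytes exceeds {QKVIEW_SIZE_LIMIT}; copy it manually")
```

Any file the check reports should be copied from the device by hand, as the Workaround says, rather than relying on the copy inside the qkview.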
572519-1 : More than one header name/value pair not accepted by ACCESS::respond
Component: Access Policy Manager
Symptoms:
An error is seen when ACCESS::respond command is used, for example, in an iRule with multiple header name/value pairs.
Conditions:
When ACCESS::respond command is used with multiple header name/value pairs.
Impact:
An error is generated when the command is used.
Workaround:
Pass only one name/value pair to the command.
572234-2 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
Component: Local Traffic Manager
Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.
Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.
The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.
The return route is a pool route.
The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.
Impact:
The traffic is sourced from the invalid Ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.
Workaround:
Increase the lasthop module's TCP idle timeout.
echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp
572142-2 : Config sync peer may fail to monitor newly added pool member after it is added via sync
Component: Local Traffic Manager
Symptoms:
If a pool member in a sync group is removed and another member added and then synced to the peer, the monitor state on the peer may be erroneous.
Conditions:
2 or more devices in a device group.
A pool member is deleted, and another is added, then a full config sync is performed.
Impact:
Monitoring does not happen. If the pool member should be marked down by the monitor, it may indicate as being up. You may need to do a system restart to get monitoring to resume properly.
Workaround:
Suggested workaround, which should avoid any possible downtime:
1. Do the node replacement on box A. Do not sync.
2. Do the node replacement on box B. Do not sync.
3. This will cause a sync conflict, and its resolution will require a full load. This is intentional. Force a sync.
The result of that final sync will be that mcpd sends no changes to the relevant nodes on the receiving device.
571727-1 : 'force-full-load-push' is not tab expandable
Solution Article: K52707821
Component: TMOS
Symptoms:
The 'force-full-load-push' option for 'run cm config-sync' is not tab expandable unless it's the first option given.
Conditions:
This is encountered when trying to use tab complete in tmsh for the 'run cm config-sync' command.
Impact:
The keyword 'force-full-load-push' has to be typed out in full or used as the first option.
Workaround:
Use 'force-full-load-push' as the first option, or type it out in full.
571634-1 : tmstat CPU values can be incorrect
Component: TMOS
Symptoms:
The CPU values returned by blades in a chassis may not be sorted correctly and so the returned values might appear confusing or invalid.
Conditions:
Retrieving values for a chassis using the following command: tmstat cpu.
Impact:
Incorrect reporting of TMM CPU utilization using tmstat command.
Workaround:
No workaround.
571503-1 : Windows Edge client cannot detect local LAN in some cases
Component: Access Policy Manager
Symptoms:
If the Edge client is configured in Always Connected mode with the option to "Allow Traffic" without VPN, it continues to establish the VPN even when location awareness is configured.
Conditions:
1) The Edge client was installed using a package that was created without setting the DNS suffix list in the connectivity profile.
2) The DNS suffix list used to identify the enterprise LAN was set in the connectivity profile after the client package was created.
Impact:
The Edge client fails to detect the enterprise LAN and continues to establish the VPN even when the machine is connected to the enterprise LAN.
571333-8 : fastL4 TCP handshake timeout not honored for offloaded flows
Solution Article: K36155089
Component: TMOS
Symptoms:
When a virtual server is configured with a fastl4 profile that enables full acceleration and offload state set to 'embryonic', and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the 'idle timeout' value of the fastl4 profile, but it should be set to the 'tcp handshake timeout' instead.
Conditions:
-- Virtual server is configured with a fastl4 profile that enables full acceleration and offload state of 'embryonic'.
-- A flow is offloaded for hardware acceleration.
Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.
Workaround:
Set the offload state to 'established'.
571017-1 : Extra log messages seen on optics removal.
Component: TMOS
Symptoms:
The following message may appear in /var/log/ltm when optics are removed:
soc_phy_i2c_read_devtype - eeprom soc_phy_i2c_read_bytes failed port(28)
Conditions:
Optics removal.
Impact:
This is a cosmetic message and does not indicate a problem with the system.
Workaround:
None needed.
570277-1 : SafeNet client not able to establish session to all HSMs on all blades.
Solution Article: K16044231
Component: Local Traffic Manager
Symptoms:
SafeNet client not able to establish session to all HSMs on all blades.
Conditions:
When the BIG-IP chassis is used with SafeNet HSM high availability (HA), and the BIG-IP tmm interface is used.
Impact:
SafeNet HSM HA is not being used at its maximal capacity.
Workaround:
Restart pkcs11d to mitigate this issue.
570013 : TCP Analytics Profile section in virtual server UI has erroneous caption
Component: TMOS
Symptoms:
In TMUI: Local Traffic: Virtual Server:: Create: advanced, the TCP Analytics profile section has an erroneous caption for the HTTP Analytics profile.
Conditions:
This occurs when creating a TCP Analytics profile in the GUI when AVR is not provisioned.
Impact:
The screen posts a warning similar to the following: Warning: The Application Visibility and Reporting (AVR) module is not provisioned. Assigning an HTTP Analytics profile is not recommended.
However, it should be TCP Analytics profile.
Workaround:
None. The message is correct in that AVR is not provisioned. However, the warning should reference the TCP Analytics profile instead of the HTTP Analytics profile.
569968 : snmpd core during startup
Component: TMOS
Symptoms:
sod reanimates (with core dump) snmpd due to heartbeat timeout during BIG-IP system startup and configuration load.
Conditions:
During startup and configuration load, snmpd sometimes blocks while waiting for certain system resources to become available. If snmpd blocks longer than its configured heartbeat timeout, sod reanimates it (with a core dump).
Impact:
Only impact is the generation of a core file.
Workaround:
Increase the snmpd heartbeat timeout to 300 seconds or more.
The 11.5.1 default timeout of 60 seconds might be too short for certain platforms and configurations. The default timeout for later releases is 300 seconds.
569331-3 : Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP
Component: TMOS
Symptoms:
Traffic will not pass to virtual servers of a traffic group.
Conditions:
BIG-IP AWS
High Availability
AWS network outage
Impact:
Some virtual addresses end up associated with the standby BIG-IP; traffic will not pass to their virtual servers.
Workaround:
If the desired BIG-IP is standby, failover to the BIG-IP.
If the desired BIG-IP is already active, failover from this BIG-IP and then failover back to this BIG-IP.
569281-6 : L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot
Solution Article: K33242855
Component: TMOS
Symptoms:
Several 'kernel: BUG: soft lockup' messages from the kernel referring to TMM, followed by an eventual blade reboot.
Conditions:
-- Using vCMP.
-- Network to which the BIG-IP management port is connected has a Layer 2 loop.
Impact:
The BIG-IP system is unusable and eventually reboots.
Workaround:
Avoid L2 loops in the network to which the BIG-IP management port is connected.
569195-1 : A Set-Cookie for an existing ASM cookie without value change
Component: Application Security Manager
Symptoms:
A Set-Cookie command appears for an ASM cookie (TS cookie) where the value hasn't changed and the Set-Cookie command is not needed.
Conditions:
Policy building is in automatic or manual mode.
Additional features may also cause TS cookie setting, but usually these will also include cookie changes.
Impact:
The unneeded cookie may disturb caching and cause additional unnecessary bandwidth consumption.
Workaround:
If possible turn off the policy builder.
568458 : DoS vectors must be enabled in both DoS Profile and Device Configuration
Component: Advanced Firewall Manager
Symptoms:
For a DoS vector in a DoS Profile to perform detection, you must also enable that same vector in the DoS Device Configuration.
Conditions:
DoS vector configured at the per-virtual server level, but not at the device level.
Impact:
Might result in false negatives.
Workaround:
You can use the following workaround:
1. Enable the vector in Security : DoS Protection : DoS Profiles.
To do so, click Network Protection, click Enabled, and enable the DoS Vector for the DoS Profile.
2. Enable the vector in the Device Configuration.
To do so, go to Security : DoS Protection : Device Configuration, select the vector, and then configure the vector either manually, or with the auto-configuration option.
567503-1 : ACCESS::remove can result in confusing ERR_NOT_FOUND logs
Solution Article: K03293396
Component: Access Policy Manager
Symptoms:
When using the iRule command ACCESS::remove, ERR_NOT_FOUND messages may appear in /var/log/apm. These are not real errors. ACCESS is trying to insert a session variable, but it is not able to find the session because the iRule already deleted the session.
The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.
Conditions:
An iRule using the command ACCESS::remove, and the end-user does a POST.
Impact:
No functional impact: the iRule correctly deletes the session, and BIG-IP does not send a reset. However, the log messages can be alarming or confusing.
Workaround:
None.
567490-2 : db.proxy.__iter__ value is overwritten if it's manually set
Component: TMOS
Symptoms:
When setting the "BIND Forwarder Server List" on the "Configuration : Device : DNS" page, the system stores the values in the sysdb variable db.proxy.__iter__. When the value is changed using tmsh or iControl, the db.proxy.__iter__ value is overwritten as soon as the value is subsequently viewed in the GUI.
Conditions:
When setting these values in sysdb via tmsh or REST, the values are set, but then upon re-visiting Configuration : Device : DNS in the GUI, the values in the sysdb variable are reset to their former values.
Impact:
BIND Forwarder Server List values do not persist.
Workaround:
Use the GUI to change the BIND Forwarder Server List values.
567330-1 : tmsh show sys memory on secondaries will generate innocuous error
Component: Local Traffic Manager
Symptoms:
The ltm log file contains these errors: err mcpd[9011]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).
Conditions:
This occurs when logged into a secondary member of a cluster (VIPRION blade or vCMP guest) and running the command: tmsh show sys memory.
Impact:
The error indicates that the secondary member cannot display information that is only presented on a primary. This is a spurious error, and you can safely ignore it.
Workaround:
Ignore the specific error with this signature:
0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).
565755 : Dashboard does not work when custom port is used for management port.
Component: TMOS
Symptoms:
BIG-IP v12.0.0 introduced the ability to change the management port, but the dashboard was not updated to support that. The dashboard does not work when the management port is set to a port other than the default, 443.
Conditions:
Using the dashboard when the management address is configured to use a port other than port 443.
Impact:
The dashboard reports a connection error and asks you to log back in.
Workaround:
None.
564634-5 : Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool
Component: Local Traffic Manager
Symptoms:
Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool.
Conditions:
Remove a monitor from a pool using tmsh edit commands.
Impact:
bigd still monitors the pool.
Workaround:
None.
564431-3 : Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail
Component: Policy Enforcement Manager
Symptoms:
Only the subscriber lines terminated with an EOL character that occur before the line without an EOL are loaded; the import then fails.
Conditions:
At least one line in the static subscriber file is not terminated with an EOL character.
Impact:
The import fails, and support staff have difficulty diagnosing the root cause of the failure.
Workaround:
Save the file in Unix format, which appends an EOL character to each line.
While editing the file, make sure every line is terminated with an EOL character.
563905-2 : vCMP guest fails to go Active after the host system is rebooted
Solution Article: K62975642
Component: TMOS
Symptoms:
A vCMP guest fails to go Active after the host system is rebooted. When this occurs, the system posts the following message: confpp[9184]: rollback FAILED for 'unix_config_syslog'
Conditions:
The host of a vCMP guest is rebooted.
Impact:
The guest will not become active.
Workaround:
None.
563651-2 : Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★
Component: Access Policy Manager
Symptoms:
A web application does not work, or works intermittently, via Portal Access after upgrading BIG-IP to any new software version.
Conditions:
-- A web application accessed via Portal Access.
-- Any modern browser, such as Chrome, Firefox, Safari, or MS Edge.
-- After upgrading BIG-IP.
Impact:
Various unexpected behaviors. For example, a custom intranet application link might experience intermittent failures through rewrite. This occurs because Portal Access does not support Storage areas (localStorage, sessionStorage), which might affect web applications with content previously populated in Storage areas.
Workaround:
Possible workaround:
-- Clear browser cache manually after upgrading.
560601-1 : HTML5 File API and MediaSource URLs are blocked in Portal Access
Component: Access Policy Manager
Symptoms:
The web application does not work, and a message similar to the following is logged to the developer tools console in the browser:
"Refused to load media from 'blob:https://...' because it violates the following Content Security Policy directive: ..."
Conditions:
This occurs on web applications that use the HTML5 File API.
Impact:
Applications that use the HTML5 File API may stop working when accessed via APM Portal Access.
Workaround:
when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header exists Content-Security-Policy] } {
        HTTP::header replace Content-Security-Policy \
            [string map {"data:" "data: blob: mediasource: mediastream:"} [HTTP::header Content-Security-Policy]]
    }
}
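The following is an added example (not F5 code and not part of the release notes) that models what the workaround iRule's string map does to a Content-Security-Policy header and reports which directives it widened; it also shows that the map changes nothing when the policy contains no data: source, so the workaround does not help such a policy. The narrower add_sources_to_directive() is an alternative suggested here, not on the page, and the sample headers are constructed.

```python
"""Added example for issue 560601-1: effect of the workaround iRule's string map
on a CSP header, plus a check of which directives it widened. Not F5 code; the
sample headers are constructed."""

IRULE_MAP_FROM = "data:"
IRULE_MAP_TO = "data: blob: mediasource: mediastream:"


def apply_irule_map(csp: str) -> str:
    """Same substitution as the iRule:
    [string map {"data:" "data: blob: mediasource: mediastream:"} $csp]"""
    return csp.replace(IRULE_MAP_FROM, IRULE_MAP_TO)


def parse_csp(csp: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}.
    Directives are ';'-separated; the first token is the name, the rest sources."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives: dict) -> str:
    """Inverse of parse_csp (insertion order is preserved)."""
    return "; ".join(
        name + ("" if not srcs else " " + " ".join(srcs))
        for name, srcs in directives.items()
    )


def widened_directives(before: str, after: str) -> dict:
    """Per directive, the source expressions present after a rewrite but not before."""
    b, a = parse_csp(before), parse_csp(after)
    result = {}
    for name, srcs in a.items():
        new = [s for s in srcs if s not in b.get(name, [])]
        if new:
            result[name] = new
    return result


def add_sources_to_directive(csp: str, directive: str, sources: list) -> str:
    """Narrower rewrite (suggested here, not on the page): append sources only to
    the named directive. If that directive is absent it is created from the
    default-src sources, which is what the browser would fall back to."""
    directives = parse_csp(csp)
    current = directives.get(directive)
    if current is None:
        current = list(directives.get("default-src", []))
    directives[directive] = current + [s for s in sources if s not in current]
    return serialize_csp(directives)


# Constructed sample policies.
CSP_WITH_DATA = "default-src 'self'; img-src 'self' data:; media-src 'self' data:"
CSP_WITHOUT_DATA = "default-src 'self'; media-src 'self'"

if __name__ == "__main__":
    rewritten = apply_irule_map(CSP_WITH_DATA)
    print(rewritten)
    print(widened_directives(CSP_WITH_DATA, rewritten))          # img-src and media-src widened
    print(widened_directives(CSP_WITHOUT_DATA, apply_irule_map(CSP_WITHOUT_DATA)))  # {}: map did nothing
    print(add_sources_to_directive(CSP_WITHOUT_DATA, "media-src", ["blob:"]))
```

Note that the string map widens every directive that already lists data:, including ones such as img-src that have nothing to do with the blocked media load.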
559402-4 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form
Component: Access Policy Manager
Symptoms:
Client-initiated form-based SSO fails when the username and password are not replaced correctly in the POST request. The cause is that client-initiated form-based SSO and the browser URL-encode special characters in the username/password differently, and the case-sensitive comparison fails to find a match between the two URL-encoded values. The SSO module therefore adds the username and password to the token again, so the password attribute/value pair appears twice, with both the f5-sso-token and the real password, and SSO fails.
Conditions:
The password contains special characters such as [ or ].
Impact:
SSO fails because the password attribute/value pair appears twice in the token, with both the f5-sso-token and the real password.
Workaround:
No workaround.
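The following is an added, constructed model of the failure described in 559402-4; it is not F5's SSO code (the module's real matching logic is not on the page), and it assumes the client emits lowercase hex in its percent-escapes ('%5b') while the SSO side encodes with uppercase hex ('%5B'). It shows how a byte-for-byte comparison of encoded values produces the duplicated password field, and that comparing the decoded values does not.

```python
"""Added model of issue 559402-4 (not F5 code). The encoding difference between
the two sides is an assumption: the page says only that they differ."""
import re
from urllib.parse import parse_qsl, quote


def encode_form_value(value: str, lowercase_hex: bool = False) -> str:
    """Percent-encode a form field value. lowercase_hex models an encoder that
    writes '%5b' where another writes '%5B' for the same byte (both are valid)."""
    encoded = quote(value, safe="")
    if lowercase_hex:
        encoded = re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), encoded)
    return encoded


def decode_form_value(value: str) -> str:
    """Decode a single x-www-form-urlencoded value ('+' is a space)."""
    return dict(parse_qsl("v=" + value)).get("v", "")


def substitute_token(body: str, field: str, token: str, password: str,
                     compare_decoded: bool) -> str:
    """Replace the SSO placeholder token in `field` of an x-www-form-urlencoded
    body with the real password.

    compare_decoded=False is the faulty behaviour: the posted (encoded) value is
    compared byte-for-byte with the module's own encoding of the token, so a
    difference in escape case means the token is 'not found' and a second
    password field is appended. compare_decoded=True decodes before comparing."""
    expected = encode_form_value(token)
    out, found = [], False
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name == field:
            if compare_decoded:
                match = decode_form_value(value) == token
            else:
                match = value == expected
            if match:
                out.append(f"{name}={encode_form_value(password)}")
                found = True
                continue
        out.append(pair)
    if not found:
        # The module believes the token was never posted and adds the credential itself.
        out.append(f"{field}={encode_form_value(password)}")
    return "&".join(out)


def field_values(body: str, field: str) -> list:
    """Decoded values of every occurrence of `field`; one entry is correct,
    two entries are the duplicate attribute/value pair from the issue."""
    return [v for n, v in parse_qsl(body) if n == field]


# Constructed sample: the browser posted the placeholder with lowercase escapes.
TOKEN = "[tok]"
PASSWORD = "p@ss[1]"
POSTED_BODY = "username=alice&password=" + encode_form_value(TOKEN, lowercase_hex=True)

if __name__ == "__main__":
    print(POSTED_BODY)
    print("strict :", substitute_token(POSTED_BODY, "password", TOKEN, PASSWORD, False))
    print("decoded:", substitute_token(POSTED_BODY, "password", TOKEN, PASSWORD, True))
```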
559082-2 : Tunnel details are not shown for MAC Edge client
Component: Access Policy Manager
Symptoms:
Tunnel details are not shown for MAC Edge client.
Tunnel details are located in Edge client :: View details :: Connection :: Tunnel details
Conditions:
MAC Edge client and established network access connection.
Impact:
Minor. Only diagnostic information is missing, otherwise tunnel works fine.
Workaround:
None.
557322-1 : Sensitive monitor parameters recorded in bigd and monitor logs
Component: Local Traffic Manager
Symptoms:
When bigd debug logging is enabled, the resulting bigd debug log may contain sensitive parameters from the monitor configuration.
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration.
In each case, the monitor parameters logged may include:
- user-account password
- radius/diameter secret
- snmp community string
Conditions:
This may occur under either of the following conditions:
1. bigd debug logging is enabled:
tmsh modify sys db bigd.debug value enabled
2. Monitor instance logging is enabled for one of the following LTM monitor types:
ftp
imap
pop3
smtp
Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the bigd debug log (/var/log/bigdlog) or in the monitor instance logs under /var/log/monitors.
Workaround:
1. Do not enable bigd debug logging.
2. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.
3. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
554504 : Client OS version not logged in Browser/OS Reports for iOS client devices
Component: Access Policy Manager
Symptoms:
When an iOS device is used to login with APM, the client OS version is not logged and is not correctly reported in the Browser/OS Report.
Conditions:
Client device must run iOS.
Impact:
Devices running different versions of iOS are not differentiated in the Browser/OS Report.
Workaround:
None.
552988-2 : Cannot enable MPTCP on some profiles in GUI.
Component: Local Traffic Manager
Symptoms:
In version 12.1, you cannot enable MPTCP on some profiles in the GUI. The system returns the error message: 01070734:3: Configuration error: In profile /Common/proxy-client to enable MPTCP, Hardware SYN Cookie must be disabled.
Conditions:
Enabling MPTCP on some profiles in the GUI on version 12.1.
Impact:
Cannot enable MPTCP in the GUI on version 12.1.
Workaround:
Use tmsh to enable MPTCP on some profiles.
552444-1 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
Component: Access Policy Manager
Symptoms:
Dynamic drive mapping in network access may not work if the mapping is configured to use a session variable, and the session variable is received from LDAP/AD.
Conditions:
The drive mapping is received from LDAP/AD and contains a double slash in the path, e.g., "\\server\path".
Impact:
Dynamic drive mapping may not function.
Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for the drive map, assign a variable and collapse the extra backslashes added by APM:
homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]
547692-3 : Firewall-blocked KPASSWD service does not cause domain join operation to fail
Component: Access Policy Manager
Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, BIG-IP is not able to set the machine account password for the machine account it created. However, there is also a bug in BIG-IP that fails to report this failure back to the administrator.
Because the machine account itself was successfully created on the ActiveDirectory side without the correct password, and BIG-IP failed to report the KPASSWD failure, the domain join operation appears to have worked perfectly.
However, since the password is never set on the ActiveDirectory side, the machine account is effectively unusable: BIG-IP is never able to establish a working SCHANNEL with the ActiveDirectory server because of the password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, because an administrator is not allowed to set the password for a machine account, this situation obscures the fact that KPASSWD was failing: the AD server never receives the request and therefore never logs any failure, while BIG-IP fails to detect the KPASSWD failure, so from the administrator's point of view the domain join appears to have worked perfectly.
Conditions:
Of the DNS, LDAP, KERBEROS, and KPASSWD services required for the domain join operation, only KPASSWD is blocked.
Impact:
The created machine account is effectively unusable due to the password mismatch, and BIG-IP is never able to establish a working SCHANNEL, which renders the NTLM authentication feature non-functional.
Workaround:
Allow KPASSWD traffic to reach the ActiveDirectory server.
544568-5 : Flows for a FastL4 profile that are forwarded may now be accelerated.
Component: TMOS
Symptoms:
Forwarded flows on a FastL4 profile are not accelerated.
Conditions:
This occurs when any of the following conditions is met:
-- Using a preserve-strict setting on a virtual server.
-- Using the "snat" command in an iRule.
-- Using CGNAT with few available endpoints.
Impact:
Forwarded FastL4 flows are not accelerated.
Workaround:
None.
543344-3 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
Component: Access Policy Manager
Symptoms:
When a BIG-IP system is configured as an explicit HTTP proxy, ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST. The issue occurs because the ACCESS iRule commands look up the associated session ID from the connection itself in one of two ways: either the session ID is embedded in the request, or the connection has previously been processed by ACCESS. When neither condition is satisfied, the ACCESS iRule commands cannot find the associated session ID.
Conditions:
ACCESS iRule commands such as ACCESS::session data get/set or ACCESS::session exists are used, the session ID is not provided by the caller, and the caller expects the session ID to be resolved internally.
Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, they are processed as if the caller had provided an empty session ID in the arguments. As a result, the ACCESS iRule commands return an empty result.
Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, since the session ID is known at that point. This works for a BIG-IP system configured as either a reverse proxy or a forward proxy.
542347-2 : Denied message in audit log on first time boot
Component: TMOS
Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:
type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.
Conditions:
This can occur on the first boot of devices that contain version 11.x software in one of the image slots.
Impact:
This error message is benign and can be ignored.
Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.
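Because the advice above is to ignore one specific denial, a parser that recognises exactly that record and leaves every other AVC denial in scope keeps the benign message from masking real ones. This is an added example, not F5 code; the first sample line is the record quoted above, and SAMPLE_OTHER is constructed.

```python
"""Added AVC-record parser for issue 542347-2 (not F5 code). Separates the
known-benign first-boot denial (login denied read/write on lastlog) from any
other denial so the latter are not ignored along with it."""
import re

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\.?$"          # tolerate a trailing sentence period
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str):
    """Return the record as a dict, or None if the line is not an AVC record.
    Quoted values lose their quotes."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def context_type(context: str) -> str:
    """The type component of an SELinux context 'user:role:type[:level]'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def is_known_benign_lastlog(rec: dict) -> bool:
    """The first-boot denial described in 542347-2: the login program denied
    read/write on the lastlog file. Anything else stays in scope."""
    return (
        rec.get("verdict") == "denied"
        and rec.get("comm") == "login"
        and rec.get("name") == "lastlog"
        and rec.get("tclass") == "file"
        and context_type(rec.get("scontext", "")) == "local_login_t"
        and set(rec.get("perms", [])) <= {"read", "write"}
    )


def triage(lines) -> list:
    """AVC denials that are not the known-benign record, for follow-up."""
    kept = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and not is_known_benign_lastlog(rec):
            kept.append(rec)
    return kept


# The record quoted in the issue text:
SAMPLE_PAGE = (
    'type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 '
    'comm="login" name="lastlog" dev=md2 ino=18 '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file.'
)
# Constructed: a different denial that the benign filter must not swallow.
SAMPLE_OTHER = (
    'type=AVC msg=audit(1440786400.100:40): avc: denied { write } for pid=6101 '
    'comm="httpd" name="sample.conf" dev=md2 ino=2201 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file'
)

if __name__ == "__main__":
    for rec in triage([SAMPLE_PAGE, SAMPLE_OTHER]):
        print("needs follow-up:", rec["comm"], rec["perms"], rec.get("name"))
```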
542104-2 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
Solution Article: K33458192
Component: Local Traffic Manager
Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
TCP monitors may fail because the server fails to respond to the initial TCP SYN.
TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.
Conditions:
A server with tcp_tw_recycle enabled.
A multi-blade BIG-IP chassis.
Impact:
Monitor failures or traffic disruption.
Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.
Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.
541622-2 : APD/APMD Crashes While Verifying CAPTCHA
Component: Access Policy Manager
Symptoms:
APD (pre-v12.0.0) or APMD (v12.0.0) crashes in a libcurl function when verifying CAPTCHA.
Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.
Impact:
The authentication service is disrupted until APD/APMD is running again.
539026-5 : Stats refinements for reporting Unhandled Query Actions :: Drops
Component: Local Traffic Manager
Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error
but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors
Drops refers to the dropped packets for the system as a whole, not specifically for Unhandled Query Actions. It would be clearer if there were one dropped-packets statistic for the system and another specifically for Unhandled Query Actions, and if statistics for Allow packets were also added under Unhandled.
Conditions:
Statistics pages for Unhandled Query Actions :: Drops.
Impact:
May be confusing to determine what the statistics mean.
Workaround:
None.
538046-2 : The iControl response to adding a device to a device trust may time out
Component: TMOS
Symptoms:
When using iControl to add a device to a device trust, it may appear that the iControl command has failed due to timeout of the response. However, the device has been added to the trust; it is the response to the iControl command that has timed out.
Conditions:
Using iControl to add a device to a device trust.
Impact:
The operation returns an error message even though the device was properly added to the trust.
Workaround:
None.
537209-5 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
Component: Local Traffic Manager
Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.
Conditions:
A virtual is processing traffic that contains a Fastl4 profile with idle timeout set to 'immediate'.
Impact:
Traffic is reset on a virtual server that should handle the traffic properly.
Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.
535122-8 : [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects
Component: TMOS
Symptoms:
iCRD with 'sys crypto' always fails without this fix, and the GUI does not work with SSL file objects whose names were created without extensions using tmsh 'sys file' commands.
Conditions:
Creating SSL certificates/keys/CRL/CSR objects using iCRD with 'sys crypto' and using tmsh 'sys file'.
Impact:
iCRD with 'sys crypto' fails and the BIG-IP GUI will inconsistently not be able to manage the files properly, or may return errors (e.g., 'An error has occurred while trying to process your request.' or 'No certificate.'), or may confuse two objects (e.g., 'web-server' and 'web-server.crt').
The GUI will not be able to create an archive (System :: File Management : SSL Certificate List :: Archive) containing one of these files, and may report an error such as 'Key management library returned bad status: -2, Not Found'.
Workaround:
When creating SSL-related file objects via tmsh 'sys file' or iCRD with 'sys crypto', include the appropriate file extension (.crt, .csr, .key, .crl) in the object name.
535119-1 : APM log tables initial rotation in MySQL may be wrong
Component: Access Policy Manager
Symptoms:
APM uses a local MySQL database to store logs and automatically rotates the log tables when the log table size exceeds a limit, removing the oldest log table to make room for a new current log table.
However, the initial timestamps of those log tables may be very close (or identical, at the 1-second granularity of MySQL timestamps) right after the installation that initially creates them. Because of the timestamp granularity, APM may choose the wrong table as the oldest in the first round of rotation, removing log data that is not the oldest.
After the first rotation, log table rotation works as normal.
Conditions:
The first round of log table rotation after installation.
Impact:
Log data that are not the oldest may be removed at the first round of log table rotation.
530092-2 : AD/LDAP groupmapping is overencoding group names with backslashes
Component: Access Policy Manager
Symptoms:
Manually adding a group value that contains space(s) in an AD/LDAP Group Resource Assign action results in the space(s) being escaped, which invalidates match attempts. For example, adding the group 'Foo Bar' (without the quotes) results in the following expression in bigip.conf:
expression "expr { [mcget -decode {session.ldap.last.attr.memberOf}] contains \"CN=Foo\\\\ Bar\" }"
The value '\"CN=Foo\\\\ Bar\"' does not match a returned memberOf group that contains 'CN=Foo Bar,...'.
Conditions:
Spaces are encoded with backslashes.
Impact:
Matching on the memberOf group does not work.
Workaround:
N/A
528295-7 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
Solution Article: K40735404
Component: TMOS
Symptoms:
A 10.x UCS contains LTM virtual servers with ARP set to disabled. Loading the 10.x UCS on an 11.4.x or later system causes the ARP and ICMP echo setting values to be flipped each time the load occurs.
Conditions:
Reloading a 10.x UCS containing virtual servers on an 11.4.x or later system.
Impact:
The ARP and ICMP echo setting values are flipped each time the load occurs. Note that the ICMP echo field of the virtual server is flipped even if ARP is enabled.
Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.
527119-4 : Iframe document body could be null after iframe creation in rewritten document.
Component: Access Policy Manager
Symptoms:
End users report being unable to use certain page elements in Chrome (such as the Portal Access menu), and it appears that JavaScript has not properly initialized.
Conditions:
The body of a dynamically created iframe document may be initialized asynchronously after APM rewriting. The issue is specific to the Chrome browser and results in JavaScript errors for code of the following kind:
    iframe.contentDocument.write(html);
    iframe.contentDocument.close();
    <any operation with iframe.contentDocument.body>
One application known to contain such code and to fail after APM rewriting is the TinyMCE editor.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.
Workaround:
Revert the rewriting of the document.write call with a post-processing iRule.
The workaround iRule is unique to each affected application.
526519-1 : APM sessiondump command can produce binary data
Component: Access Policy Manager
Symptoms:
The new session variable "session.access.scope" includes a null character after the value. This results in piped grep commands from sessiondump such as:
sessiondump <args> | grep <search value>
returning the text:
Binary file (standard input) matches
instead of the expected output.
Note that this problem exists in APM version 12.
Conditions:
Using sessiondump command with pipe to grep.
Impact:
Administrator cannot use "grep" command with sessiondump.
Workaround:
Use "-a" option with grep. For example:
sessiondump <args> | grep -a <search value>
525580-1 : tmsh load sys config merge file filename.scf base command does not work as expected
Solution Article: K51013874
Component: TMOS
Symptoms:
The presence of the base option indicates that only the base objects in the configuration should be considered for the operation; the non-base objects in the configuration should be ignored.
However, this is not true for the following command:
tmsh load sys config merge file filename.scf base.
Conditions:
Running the command: tmsh load sys config merge file filename.scf base.
Impact:
This command ignores the base option. When specified together with the merge option, the base option is ignored: the command merges the non-base configuration objects instead of loading only the base configuration objects as specified.
Workaround:
None.
525378 : iRule commands do not validate session scope
Component: Access Policy Manager
Symptoms:
Assume that a user establishes a session on one virtual server. If the user learns his session ID, he may attempt to reuse that session ID to gain access to resources guarded by a different virtual server. When this happens, the iRule access session commands like [ACCESS::session sid] and [ACCESS::session exists] do not validate the scope of the session. The iRules consider sessions from other virtual servers to be valid, which can cause unintended results and potentially lead to end-users gaining higher privileges than administrators intended.
Conditions:
There may be multiple access profiles assigned to multiple virtual servers, but the iRule session commands will treat all sessions the same.
Impact:
If the administrator is not careful with how the iRule session commands are used, it can result in a user bypassing the access policy and receiving higher privileges than the administrator intended.
Workaround:
Care must be taken to ensure that iRules using the session commands do not result in unintended behavior. An iRule similar to the one below can be used to restrict a session to the virtual server on which it was created:
when ACCESS_ACL_ALLOWED {
    set sessionlistener [ACCESS::session data get "session.server.listener.name"]
    set virtualname [virtual name]
    if { [HTTP::cookie MRHSession] != "" } {
        if { not ($sessionlistener equals $virtualname) } {
            # enter whatever command you wish to use to prevent the connection
            reject
        }
    }
}
524193-5 : Multiple Source addresses are not allowed on a TMSH SNMP community
Component: TMOS
Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify, delete, replace-all), only the first address is saved.
Conditions:
Specifying multiple source addresses on a TMSH snmp community command.
Impact:
The command is accepted, but only the first address is allowed snmp access.
Workaround:
Add an additional source address to another snmp community object that has the same community string.
524123-1 : iRule ISTATS::remove does not work
Component: TMOS
Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.
Conditions:
Invoking the ISTATS::remove command from an iRule.
Impact:
The value of the iStat remains defined.
Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.
523814-2 : When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
Component: Local Traffic Manager
Symptoms:
An HTTP virtual server with OneConnect and RAM Cache will not consistently keep server-side connections alive and idle (for reuse), depending on the HTTP version that the client uses.
Clients that use HTTP/1.1 result in fewer server-side connections being reused.
Conditions:
HTTP virtual server with HTTP cache enabled (in RAM cache mode, not AAM mode) and OneConnect profile.
Alternately, an iRule that down-steps the HTTP request version to HTTP/1.0.
Impact:
Increased server utilization and number of ports in use / timewait / finwait as a result of OneConnect and RAM Cache closing serverside connections more frequently than expected.
Inconsistent behavior as a result of client HTTP version.
Workaround:
An iRule can work around this issue by inserting a Connection: Keep-Alive header.
523797-2 : Upgrade: file path failure for process name attribute in snmp.★
Component: TMOS
Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.
Conditions:
Upgrade from 10.x to 11.5.1 or later.
Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.
Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.
523158-1 : In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails
Component: Access Policy Manager
Symptoms:
In rare cases, when the dn is returned with cn= in lower case, VPE fails to match group names.
Conditions:
An LDAP server that returns cn in lower case.
Impact:
Group mapping does not work.
Workaround:
No workaround.
522302-2 : TCP Receive Window error messages are inconsistent on UI
Component: Local Traffic Manager
Symptoms:
Different invalid inputs for Receive Window result in inconsistent error messages in TMUI.
Conditions:
Entering invalid values (e.g., -1 and 0) for TCP Receive Window in TMUI.
Impact:
The user is presented with two different input ranges, whereas a single correct input range should have been presented for both invalid values.
Workaround:
There is no workaround at this time.
520877-1 : Alerts sent by the lcdwarn utility are not shown in tmsh
Component: TMOS
Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.
The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.
Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.
Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.
This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.
Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.
Workaround:
None. This is a cosmetic issue.
517609-3 : GTM Monitor Needs Special Escape Character Treatment
Solution Article: K77005041
Component: Global Traffic Manager (DNS)
Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.
Conditions:
Any running GTM monitor.
Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.
Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.
516280-4 : bigd process uses a large percentage of CPU
Component: Local Traffic Manager
Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.
Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.
Impact:
bigd process uses a large percentage of CPU.
Workaround:
None.
516167-2 : TMSH listing with wildcards prevents the child object from being displayed
Solution Article: K21382264
Component: TMOS
Symptoms:
When the tmsh list command is run with an identifier that uses the wildcard match character (*), the results returned may not print the nested objects contained within the parent object.
For example, the list ltm pool* command prints all pools whose names begin with the word pool, but fails to list the profiles within each pool.
Conditions:
tmsh list with a wildcard character specified for parent object.
Impact:
Details of nested objects are missing when tmsh list is invoked with the wildcard character (*) specified in the object identifier.
Workaround:
None.
514703-1 : gtm listener cannot be listed across partitions
Component: TMOS
Symptoms:
Unable to reference gtm listeners across partitions (that is, to perform operations such as list, create, and modify on them).
Conditions:
-- The current partition is one partition.
-- The listener exists in another partition.
-- You attempt to perform operations on the listener in the other partition.
For example, the current partition is /Common, a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.
Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.
Workaround:
Change to the partition where the listener exists before performing any operations on it.
513887-8 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system
Component: Application Security Manager
Symptoms:
There are "/usr/sbin/useradd"- and "/usr/sbin/groupmod"-related errors in '/var/log/auditd/audit.log'.
Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.
Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'
No other impact.
Workaround:
None.
513310-1 : TMM might core when a profile is changed.
Component: Local Traffic Manager
Symptoms:
TMM might core when a profile is changed.
Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.
Impact:
TMM might core. Traffic disrupted while tmm restarts.
Workaround:
None.
510395-5 : Disabling some events while in the event, then running some commands can cause tmm to core.
Solution Article: K17485
Component: Local Traffic Manager
Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.
Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
    if { $a == $b } {
        event disable HTTP_REQUEST
    }
    after 100
    log local0. "foo"
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable events as the last command before exiting the event. For example:
when HTTP_REQUEST {
    if { $a == $b } {
        event disable HTTP_REQUEST
        return
    }
}
509596-1 : iFrames with 'javascript:' scheme in SRC may not work
Solution Article: K44043455
Component: Access Policy Manager
Symptoms:
Some applications do not work with Portal Access, resulting in an error 'F5_Invoke_write is not defined' on JavaScript Console.
Conditions:
Web application that uses IFrames with 'javascript:' scheme in SRC attribute runs through Portal Access.
Impact:
Web application does not work through Portal Access.
Workaround:
There is no workaround at this time.
509497-1 : VCMP guests on a specific host may be restarted when that host system experiences large date/time changes
Component: TMOS
Symptoms:
After a large (> 7 months) change in system date/time, either manually or via NTPD, VCMP guests may be killed and restarted.
Impact:
Temporary loss of service of data path elements, until killed guests are restarted.
Workaround:
Avoid large changes in system time during critical hours of operation.
It may be better to bring down guests administratively, make the date/time change, and then bring the guest back up rather than allowing them to be killed/restarted automatically due to heartbeat timer expiration.
501258-2 : Unable to modify 'gtm region region-members' via iControl REST
Component: TMOS
Symptoms:
Unable to modify 'gtm region region-members' via iControl REST. The system posts error 400 Invalid region type messages.
Conditions:
Attempt to modify gtm region region-members via iControl REST.
Impact:
Unable to use iControl REST to configure this portion of the GTM/DNS configuration.
Workaround:
Use tmsh to modify GTM Regions.
499404-7 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
Solution Article: K15457342
Component: Local Traffic Manager
Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.
Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.
Impact:
The wrong MSS value is advertised during 3WHS.
Workaround:
None.
499348-5 : System statistics may fail to update, or report negative deltas due to delayed stats merging
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:
-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).
-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds:
1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge
496621-1 : Portal Access incorrectly rewrites expressions with JavaScript typeof operator
Component: Access Policy Manager
Symptoms:
The Portal Access module transforms intranet web application code to make it accessible via an APM virtual server. One of these transformations might incorrectly rewrite expressions with 'typeof' operator, though you might not see any immediate visible effect.
Conditions:
The issue affects expressions like 'typeof something' where 'something' is expected to be transformed by Portal Access.
For example, with original code similar to 'var l = window.location; if (typeof l.href) {...}', the unrewritten typeof argument causes the condition to fail.
Impact:
When Portal Access accesses the intranet application containing such code, expressions with the typeof operator may have the wrong value, leading the application down incorrect code paths. As a result, the application might fail with very obscure and difficult-to-diagnose errors.
Workaround:
Use an iRule for each specific case. There is no global workaround.
495443-10 : ECDH negotiation failures logged as critical errors.
Solution Article: K16621
Component: Local Traffic Manager
Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.
Conditions:
An SSL negotiation failure involving ECDH key agreement.
Impact:
Spurious critical error logs.
Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.
495242-3 : mcpd log messages: Failed to unpublish LOIPC object
Component: Local Traffic Manager
Symptoms:
The system posts the following message in the mcpd log: Failed to unpublish LOIPC object.
Conditions:
This is an intermittent issue that occurs on standby systems in High Availability configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either it has already been removed or it was not created.
Impact:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory). This is a benign error that can be safely ignored.
Workaround:
None.
494135-1 : HTML Event handlers may not work if 'eval' is redefined
Solution Article: K43101043
Component: Access Policy Manager
Symptoms:
If 'eval' JavaScript call is redefined in HTML page, event handlers may not work correctly.
Conditions:
There may be many ways to re-define 'eval'. For example:
<form>
<button name=eval onclick="someFunction();">Button</button>
</form>
In this case 'onclick' event handler will not work through Portal Access.
Impact:
Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash.
Workaround:
There is no workaround at this time.
493524 : ASM attack appears ongoing forever if dosl7d is restarted during an attack
Component: Application Visibility and Reporting
Symptoms:
If dosl7d is restarted during an attack it doesn't write the "end attack" event to logdb.
Conditions:
Restarting dosl7d in the middle of an ASM attack (including actions that implicitly cause dosl7d restart like tmm restart or reboot).
Impact:
Attack appears ongoing in Dos Overview page (even though it should be marked "ended").
Workaround:
No workaround.
489499-3 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
Component: TMOS
Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not be seen or reported by chmand. A message is seen in /var/log/ltm that contains the phrase, "failed to register for LOP at <address>".
Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.
Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.
Workaround:
Re-start lopd:
# bigstart restart lopd
486735-5 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of the maximum connections per TMM, not the maximum connections for the virtual server.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
482625-1 : Pages with utf-8 Content-Type and utf-16 META tag do not render
Component: Access Policy Manager
Symptoms:
Some pages cannot be displayed. A page has a Content-type header with charset utf-8. The payload has a META tag with charset utf-16. Actual data appears to be utf-8. Rewriting the page inserts a utf-16 BOM in the response, causing the page to not load.
Conditions:
Pages that contain utf-8 Content-Type headers but utf-16 META tags.
Impact:
Web-application cannot display some pages.
Workaround:
An iRule can be used to fix the META charset and allow the page to load.
479471-1 : CPU statistics reported by the tmstat command may spike or go negative
Solution Article: K00342205
Component: TMOS
Symptoms:
On bladed systems, the results from the 'tmstat' and 'tmstat cpu' commands may spike high or go negative due to an issue with how per-blade statistics are collected.
Conditions:
Error in the timing of statistics collection such that display is incorrect.
Impact:
Incorrect display of CPU statistics.
Workaround:
There is no workaround.
479262-4 : 'readPowerSupplyRegister error' in LTM log
Component: TMOS
Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.
Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.
Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.
Workaround:
None. You can safely ignore this error message in this case.
477992-3 : Instance-specific monitor logging fails for pool members created in iApps
Solution Article: K07450534
Component: Local Traffic Manager
Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.
Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.
Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.
Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.
476544-2 : mcpd core during sync
Component: TMOS
Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.
Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.
Impact:
mcpd cores and restarts if it runs out of memory. Only through inspection of the core file can this condition be detected.
Workaround:
None.
474901-1 : Profiles with a large number of regexps can cause excessive memory usage.
Component: Local Traffic Manager
Symptoms:
tmm crashes on out of memory.
Conditions:
This can occur if you are using a lot of profiles that rely on regular expressions, such as compression or deflate.
Impact:
Traffic disrupted while tmm restarts.
473755-1 : It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side
Component: Application Visibility and Reporting
Symptoms:
It's possible to open a connection to monpd's Thrift server and if the client does not actively close it, the connection will persist indefinitely (even if it's idle). As a result of this issue, you might experience the following symptoms:
-- Cannot access event logs or reports.
-- Cannot run tmsh analytics commands.
Conditions:
Client system opens a connection to monpd's Thrift server (port 9090 or 9091), and does not close it.
Impact:
If the number of allowed connections to monpd's Thrift server is reached, monpd will not receive new connections. Since the idle connections can persist indefinitely, this denies service from monpd.
Workaround:
No workaround (except for manually killing open idle connections).
469366-3 : ConfigSync might fail with modified system-supplied profiles
Solution Article: K16237
Component: TMOS
Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.
Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.
Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'
Workaround:
One of the following:
1. Manually replicate the changes on the base profile to the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation.
3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsync'd changes on the other system.
467589-4 : Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.
Component: WebAccelerator
Symptoms:
The /usr/share/mysql/purge_mysql_logs.pl script that ships with the new install (and is run hourly via cron) throws an error. The script is meant to be exited if AAM, ASM and PSM are not provisioned, but the check is not done appropriately and it continues execution, failing later.
Conditions:
BIG-IP system with no AAM, ASM, or PSM provisioned, when running the script /etc/cron.hourly/purge_mysql_logs.pl (linked to /usr/share/mysql/purge_mysql_logs.pl).
Impact:
The script gives false output and attempts to execute invalid actions. The system posts the following error: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27.
Workaround:
Provision AAM, ASM, or PSM. Or modify the script using the following procedure:
Remount /usr partition as RW:
# mount -o remount,rw /usr
Edit /usr/share/mysql/purge_mysql_logs.pl and change the original check:
unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) {
    exit 0;
}
to:
unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) {
    exit 0;
}
464650-4 : Failure of mcpd with invalid authentication context.
Component: TMOS
Symptoms:
mcpd cores.
Conditions:
It is not known what triggers this core.
Impact:
mcpd restarts.
Workaround:
None.
455066-2 : Read-only account can save system config
Component: TMOS
Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.
Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.
Impact:
Read-only users are able to run save sys config in tmsh.
Workaround:
None.
450136-3 : Occasionally customers see chunk boundaries as part of HTTP response
Component: Access Policy Manager
Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.
Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.
Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.
Workaround:
To work around this problem, use an iRule to always rechunk the HTTP response.
441079-2 : BIG-IP 2000/4000: Source port on NAT connections is modified when it should be preserved
Solution Article: K55242686
Component: Local Traffic Manager
Symptoms:
The BIG-IP system is modifying the source port on NAT connections.
Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.
Impact:
This impacts any applications where the source port is expected to be preserved.
Workaround:
None.
440620-2 : New connections may be reset when a client reuses the same port as it used for a recently closed connection
Component: Local Traffic Manager
Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.
Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.
Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.
Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.
438574-1 : Web UI: iSession Profile properties page displays incorrect parent profile name.
Component: TMOS
Symptoms:
Local Traffic :: Profiles :: iSession Profile properties page displays incorrect parent profile name.
Conditions:
-- Viewing parent profile for an iSession profile.
-- 'iSession' is set as the parent profile.
-- Another profile exists with a name beginning with a letter from 'a' to 'h'.
Impact:
Incorrect information is displayed on the GUI even though the database has the correct information.
Workaround:
View the properties of iSession profile from tmsh.
436116-1 : The tcpdump utility may fail to capture packets
Solution Article: K43726131
Component: TMOS
Symptoms:
Although packets are flowing correctly through the BIG-IP system, the tcpdump utility may capture no packets when certain command options are used.
Conditions:
This issue occurs when all of the following conditions are met:
- You configure tcpdump to listen for packets on a physical interface (e.g., -i 1.1).
- You configure tcpdump to save the packets to a file in binary format (e.g., -w /var/tmp/example.pcap).
- You configure tcpdump to produce verbose output while capturing packets (e.g., -v, -vv or -vvv).
Impact:
The tcpdump utility does not capture any packets, which may create confusion for a BIG-IP Administrator performing troubleshooting on the system. This issue does not affect the traffic-passing abilities of the system, however.
Workaround:
You can work around this issue by starting the tcpdump utility without the -v, -vv or -vvv verbose output options.
435419-4 : Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
Solution Article: K10402225
Component: Access Policy Manager
Symptoms:
Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
Conditions:
-- Attempt to upload a current EPSEC file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.
Impact:
mcpd crashes, followed by multiple cores.
Workaround:
Upload the EPSEC file completely, and try the installation again.
433572-4 : DTLS does not work with rfcdtls cipher on the B2250 blade
Component: Local Traffic Manager
Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.
Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using DTLS on vCMP.
Impact:
DTLS does not work with the rfcdtls cipher on the B2250 blade.
Workaround:
None.
431480-1 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
Component: Local Traffic Manager
Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.
Conditions:
The exact conditions that result in this error are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time, but the system recovers without any user action.
417819-2 : APM - with Edge Clients, some JS contents differ, causing a warning
Solution Article: K69046914
Component: Access Policy Manager
Symptoms:
Intermittent JS Error in sesstimeout.js during access to full webtop by Edge Clients.
Conditions:
-- At least two different Edge Clients with User Agent strings based on Internet Explorer version 11 (IE11).
-- A version of IE earlier than IE11 is used to access the full webtop resource.
Impact:
If 'Display notification about all script errors' is enabled in IE (Internet Options :: Advanced tab) IE displays JS error messages. One client might encounter a JS Syntax error, depending on TMM count and APM RAMCACHE content.
Note: There is no impact on product functionality, because Edge Clients do not call JS code from sesstimeout.js. The error is cosmetic only and can be ignored.
Workaround:
A dedicated APM resource assignment branch for standalone Edge Clients can be configured in VPE to access a 'webtop-type network' (the NA_only_webtop resource does not include /vdesk/sesstimeout.js and /vdesk/hometab.js).
405898-2 : If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected
Component: Local Traffic Manager
Symptoms:
If the maximum transmission unit (MTU) for a network running OSPF differs from the MTU used by ZebOS, or from the interface MTU its neighbor router has configured, OSPF adjacencies may not form, or some datagrams may be rejected.
Conditions:
TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface, and OSPF is running on that interface.
Impact:
OSPF adjacencies never fully form and routes are not exchanged.
Workaround:
Restarting TMM clears the cached maximum transmission unit (MTU), and allowing all interface MTUs to function with default values should prevent a mismatch.
396273-2 : Error message in dmesg and kern.log: vpd r/w failed
Component: TMOS
Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.
Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.
Impact:
This is a benign firmware message, and you can safely ignore it.
Workaround:
There is no workaround, but this is not a functional issue.
375434-6 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
Component: TMOS
Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.
Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.
Impact:
The HSB is non-functional and requires reinitialization. Reinitialization occurs when the BIG-IP system reboots, which is triggered automatically when this condition occurs.
Workaround:
None.
374067-7 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
Solution Article: K14098
Component: Local Traffic Manager
Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.
Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.
Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.
Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.
369640-1 : Folder path objects in iRules can have only a single context per script
Solution Article: K17195
Component: Local Traffic Manager
Symptoms:
If an iRule is assigned to two different virtual servers in different contexts, the first time the rule runs any internal object conversions/lookups will be performed in the first context. When the second virtual runs the same rule, it will assume that the objects that have been looked up are correct, and point to the wrong members.
Conditions:
Two virtual servers in different folder paths use short names for objects like pools, procs, nodes and virtual servers.
Impact:
iRule can point to objects outside the current folder path.
Workaround:
Give each virtual server its own copy of the iRule (it is not necessary to provide complete folder paths).
369407-3 : Access policy objects are created inconsistently depending on whether created using wizard or manually.
Component: Access Policy Manager
Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.
Conditions:
This is evident when viewing the label following completion of the NA wizard.
Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.
Workaround:
None.
367226-4 : Outgoing RIP advertisements may have incorrect source port
Component: Local Traffic Manager
Symptoms:
TMM may change the source port of RIP packets sent by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.
If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.
Conditions:
Multiple TMM instances, RIP routing configured.
Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.
362511 : HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs
Solution Article: K52162658
Component: Access Policy Manager
Symptoms:
Portal Access can incorrectly rewrite CSS in HTML style attributes if it contains HTML entities.
Conditions:
Inline CSS style attributes contain HTML entities.
For example,
<div style="background:url('image.jpg')">
becomes
<div style="background:url('?F5CH=I;image.jpg')">
which cannot be interpreted correctly by a browser. As a result, the image won't be displayed.
Impact:
Some images on the page accessed through Portal Access may fail to load.
Workaround:
Before rewriting, use an iRule to substitute HTML entities in positions significant for parser (i.e., keywords, attribute names, quotes, brackets, colons, etc.) with the corresponding characters.
251162-3 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
Component: Local Traffic Manager
Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.
For example:
tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)
Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.
Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.
Workaround:
None.
248914-4 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
Solution Article: K00612197
Component: Local Traffic Manager
Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.
Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.
Impact:
This may cause destination lookup failures on the layer 2 network.
Workaround:
Use transparent mode instead of translucent mode on the vlangroup.
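As an added diagnostic illustration (not part of the release note or of any F5 code), the following Python script parses a constructed Ethernet/ARP reply and reports when the sender hardware address in the ARP payload does not match the frame's source MAC, or when the locally administered bit is set in one but not the other, which is the inconsistency this issue describes. All MAC and IP addresses in it are constructed sample values.

```python
"""Added example: flag ARP replies whose payload sender MAC disagrees with the
Ethernet frame's source MAC (the translucent-vlangroup symptom above).
All addresses below are constructed; none come from a real device."""
import struct
from typing import Dict, List

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(mac: bytes) -> str:
    """Render six raw bytes as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in mac)


def is_locally_administered(mac: bytes) -> bool:
    """The locally administered bit is bit 1 (value 0x02) of the first octet."""
    return bool(mac[0] & 0x02)


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP (42 bytes min)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    body = frame[22:42]
    return {
        "frame_dst": dst, "frame_src": src, "oper": oper,
        "sha": body[0:6], "spa": body[6:10],
        "tha": body[10:16], "tpa": body[16:20],
    }


def check_arp_reply(frame: bytes) -> List[str]:
    """Return findings for an ARP reply; an empty list means it is consistent.
    Requests are not checked, since the issue concerns replies only."""
    arp = parse_arp_frame(frame)
    findings: List[str] = []
    if arp["oper"] != ARP_REPLY:
        return findings
    sha, src = arp["sha"], arp["frame_src"]
    if sha != src:
        findings.append(
            f"ARP sender MAC {mac_str(sha)} != frame source MAC {mac_str(src)}")
    if is_locally_administered(sha) != is_locally_administered(src):
        findings.append(
            "locally administered bit differs between ARP payload and frame")
    return findings


def build_arp_reply(frame_src: bytes, sha: bytes, spa: bytes,
                    tha: bytes, tpa: bytes) -> bytes:
    """Build a minimal ARP reply frame; used here only to construct sample input."""
    eth = tha + frame_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sha + spa + tha + tpa
    return eth + arp


# Constructed sample addresses: a burned-in MAC and its locally administered variant.
BIA_MAC = bytes.fromhex("000123456789")
LAA_MAC = bytes.fromhex("020123456789")
SELF_IP = bytes([192, 0, 2, 10])          # constructed self IP on the vlangroup
CLIENT_MAC = bytes.fromhex("001122334455")
CLIENT_IP = bytes([192, 0, 2, 20])

# Consistent reply: ARP payload and frame header carry the same MAC.
GOOD_REPLY = build_arp_reply(LAA_MAC, LAA_MAC, SELF_IP, CLIENT_MAC, CLIENT_IP)
# Reply showing the issue: LAA bit set in the payload but clear in the frame.
BAD_REPLY = build_arp_reply(BIA_MAC, LAA_MAC, SELF_IP, CLIENT_MAC, CLIENT_IP)

if __name__ == "__main__":
    for name, frame in (("good", GOOD_REPLY), ("bad", BAD_REPLY)):
        print(name, check_arp_reply(frame) or ["consistent"])
```

On a live network the same check can be run over frames captured on the vlangroup to confirm whether the layer 2 lookup failures line up with mismatched replies.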
247527-2 : Mgmt interface cannot be disabled via tmsh
Solution Article: K14890
Component: TMOS
Symptoms:
Issuing a tmsh command to disable the management interface of a blade or appliance appears to succeed, but the management interface is not actually disabled.
Conditions:
This problem occurs on the following hardware platforms:
BIG-IP 1500, 3400, 3410, 6400, 6800, 8400, and 8800 appliances.
This problem does not occur on the following hardware platforms:
BIG-IP 1600, 3600, 3900, 6900, 8900-series and 11000-series appliances.
Impact:
After using the tmsh utility to set the mgmt interface to a disabled state, the tmsh utility will show the mgmt interface as disabled. However, the mgmt interface still responds to network traffic, including ping and ssh.
Workaround:
There are three possible ways to work around this issue:
1) Unplug the management interface if it is not intended to be used.
2) Bring down the switch interface to which the management port connects.
3) Disable the management interface using the information below.
Important: This workaround might cause unintended consequences. Only use this option as a last resort, as disabling the management interface may remove the ability for the Linux host to communicate with several of the BIG-IP subsystems. As a result of this loss of communication, certain BIG-IP features may not function as expected or at all.
For platforms that expose a 'mgmt' interface via ifconfig, run the command: ifconfig mgmt down. To bring the 'mgmt' interface back up, run the command ifconfig mgmt up.
For platforms that do not expose a 'mgmt' interface via ifconfig, run the command: ifconfig eth0 down. To bring the 'eth0' interface back up, run the command ifconfig eth0 up.
224665-2 : Proxy Exclusion List setting is not aware of administrative partitions
Solution Article: K12711
Component: TMOS
Symptoms:
The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group.
Conditions:
Using VLAN groups and proxy exclusion.
Impact:
Results in issues for the VLAN group.
Workaround:
None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions, available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.
222409-6 : The HTTP::path iRule command may return more information than expected
Solution Article: K9952
Component: Local Traffic Manager
Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.
The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:
GET /dir1/dir2/file.ext HTTP/1.1
In this example, the method token is GET, the request URI is /dir1/dir2/file.ext, and the protocol version is HTTP/1.1.
Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:
GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1
In this example, the method token is GET, the request URI is http://www.example.org:80/dir1/dir2/file.ext, and the protocol version is HTTP/1.1.
Impact:
The HTTP::path iRule command should return the following path value for both requests:
/dir1/dir2/file.ext
However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI as the request URI:
http://www.example.org:80/dir1/dir2/file.ext
Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.
Note: For more information about the HTTP::path iRule command, refer to HTTP::path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.
Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:
when HTTP_REQUEST {
log local0. "Path: [URI::path [HTTP::uri]][URI::basename [HTTP::uri]]"
}
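As an added illustration (not code from F5 or from this release note), the following Python contrasts returning the request URI verbatim, as the issue describes, with extracting only the path from both request-URI forms shown above; the sample request lines are constructed, and the policy check is a hypothetical one that shows why a path match must run on the normalized value.

```python
"""Added example (not from the F5 release note): path extraction from
origin-form and absolute-form request URIs, as discussed for HTTP::path."""
from urllib.parse import urlsplit

# Constructed sample request lines mirroring the two forms in the text.
REQUEST_LINES = [
    "GET /dir1/dir2/file.ext HTTP/1.1",                           # origin-form
    "GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1",  # absolute-form
]


def parse_request_line(line):
    """Split a request line into (method, request_uri, version)."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2]


def naive_path(request_uri):
    """Behaviour the note describes: the request URI comes back unchanged,
    so an absolute-form request yields scheme, host and port as well."""
    return request_uri


def normalized_path(request_uri):
    """Return only the path component, whichever form the request URI takes.
    This mirrors the intent of the URI::path/URI::basename workaround above."""
    if request_uri.startswith("/"):
        return request_uri.split("?", 1)[0]  # origin-form: strip any query
    parts = urlsplit(request_uri)
    if parts.scheme and parts.netloc:       # absolute-form (RFC 2616 section 5)
        return parts.path or "/"
    raise ValueError(f"unsupported request-target form: {request_uri!r}")


def path_matches(request_uri, prefix):
    """Hypothetical policy check: is the request path under `prefix`?
    Runs on the normalized path so both forms give the same answer."""
    return normalized_path(request_uri).startswith(prefix)
```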
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/