BIG-IP 12.1.3.6 Fixes and Known Issues

Supplemental Document : BIG-IP 12.1.3.6 Fixes and Known Issues

Applies To:

Show Versions

BIG-IP AAM

12.1.3

BIG-IP APM

12.1.3

BIG-IP Analytics

12.1.3

BIG-IP Link Controller

12.1.3

BIG-IP LTM

12.1.3

BIG-IP PEM

12.1.3

BIG-IP AFM

12.1.3

BIG-IP DNS

12.1.3

BIG-IP ASM

12.1.3

Original Publication Date: 07/26/2018 Updated Date: 06/22/2020

ID Number	CVE	Solution Article(s)	Description
709972-4	CVE-2017-12613	K52319810	CVE-2017-12613: APR Vulnerability
709688-5	CVE-2017-3144 CVE-2018-5732 CVE-2018-5733	K08306700	dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
710705-3	CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421	K34035645	Multiple Wireshark vulnerabilities
710148-4	CVE-2017-1000111 CVE-2017-1000112	K60250153	CVE-2017-1000111 & CVE-2017-1000112
673165	CVE-2017-7895	K15004519	CVE-2017-7895: Linux Kernel Vulnerability
693744-3	CVE-2018-5531	K64721111	High CPU Usage by the TMM Can Cause SOD to Kill vCMP Guests
710244-1	CVE-2018-5536	K27391542	Memory Leak of access policy execution objects
716992-3	CVE-2018-5539	K75432956	The ASM bd process may crash
703940-3	CVE-2018-5530	K45611803	Malformed HTTP/2 frame consumes excessive system resources
698813-3	CVE-2018-5538	K45435121	When processing DNSX transfers ZoneRunner does not enforce best practices
672124-3	CVE-2018-5541	K12403422	Excessive resource usage when BD is processing requests

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
671999-2	3-Major		Re-extract the the thales software everytime the installation script is run
643034-1	3-Major		Turn off TCP Proxy ICMP forwarding by default
620445-4	3-Major		New SIP::persist keyword to set the timeout without changing key
613023-4	3-Major		Update SIP::Persist to support resetting timeout value.
441079-2	3-Major	K55242686	BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
693007-3	4-Minor		Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
700315-3	1-Blocking	K26130444	Ctrl+C does not terminate TShark
636774-1	1-Blocking		Potential TMM crash credits to BWC token distribution logic
710314-2	2-Critical		TMM may crash while processing HTML traffic
706423-2	2-Critical		tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
705476-4	2-Critical		Appliance Mode does not follow design best practices
696113-1	2-Critical		Extra IPsec reference added per crypto operation overflows connflow refcount
692158-2	2-Critical		iCall and CLI script memory leak when saving configuration
690819-3	2-Critical		Using an iRule module after a 'session lookup' may result in crash
671314-4	2-Critical	K37093335	BIG-IP system cores when sending SIP SCTP traffic
665362-4	2-Critical		MCPD might crash if the AOM restarts
663197-3	2-Critical		Security hardening of files to prevent sensitive configuration from being stored in qkview.
626861-2	2-Critical		Ensure unique IKEv2 sequence numbers
599223-1	2-Critical		Prevent static destructors in tmipsecd daemon
581851-2	2-Critical		mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
508113-3	2-Critical		tmsh load sys config base merge file <filename> fails
720880	3-Major		Attempts to license/re-license the BIG-IP system fail.
720756	3-Major		SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720104	3-Major		BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
714848	3-Major		OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled
710827-4	3-Major		TMUI dashboard daemon stability issue
710602	3-Major		iCRD commands requiring 'root' user access fixed
707445	3-Major	K47025244	Nitrox 3 compression hangs/unable to recover
704336-3	3-Major		Updating 3rd party device cert not copied correctly to trusted certificate store
704282-3	3-Major		TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
701900	3-Major	K55938217	DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
698947-1	3-Major		BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
694740-1	3-Major		BIG-IP reboot during a TMM core results in an incomplete core dump
693106-2	3-Major		IKEv1 newest established phase-one SAs should be found first in a search
692179-3	3-Major		Potential high memory usage from errdefsd.
687905	3-Major		OneConnect profile causes CMP redirected connections on the HA standby
687534-3	3-Major		If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
686926-3	3-Major		IPsec: responder N(cookie) in SA_INIT response handled incorrectly
684391-1	3-Major		Existing IPsec tunnels reload. tmipsecd creates a core file.
680838-3	3-Major		IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-3	3-Major		ECP does not work for PFS in IKEv2 child SAs
678925-4	3-Major		Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
677928-2	3-Major		A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
677088-4	3-Major		Qkview does not follow current best practices
676897-1	3-Major	K25082113	IPsec keeps failing to reconnect
676092-1	3-Major		IPsec keeps failing to reconnect
675718-1	3-Major		IPsec keeps failing to reconnect
669268	3-Major		Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
667223	3-Major		The merge option for the tmsh load sys config command removes existing nested objects
666035-1	3-Major		Obscuring secrets in files collected by qkview
621314-6	3-Major	K55358710	SCTP virtual server with mirroring may cause excessive memory use on standby device
617865-1	3-Major		Missing health monitor information for FQDN members
605270-5	3-Major		On some platforms the SYN-Cookie status report is not accurate
588929-2	3-Major		SCTP emits 'address conflict detected' log messages during failover
588794-2	3-Major		Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
588771-2	3-Major		SCTP needs traffic-group validation for server-side client alternate addresses
586938-1	3-Major	K57360106	Standby device will respond to the ARP of the SCTP multihoming alternate address
525580-1	3-Major	K51013874	tmsh load sys config merge file filename.scf base command does not work as expected
685475-3	4-Minor	K93145012	Unexpected error when applying hotfix
680856-3	4-Minor		IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
679135-3	4-Minor		IKEv1 and IKEv2 cannot share common local address in tunnels
678388-3	4-Minor	K00050055	IKEv1 racoon daemon is not restarted when killed multiple times
658298-3	4-Minor		SMB monitor marks node down when file not specified
624484-2	4-Minor	K09023677	Timestamps not available in bash history on non-login interactive shells
573031-1	4-Minor		qkview may not collect certain configuration files in their entirety
720391-1	5-Cosmetic		BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
713491-1	5-Cosmetic		IKEv1 logging shows spi of deleted SA with opposite endianess
651826-2	5-Cosmetic		SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
718071-3	2-Critical		HTTP2 with ASM policy not passing traffic
715923-3	2-Critical		When processing TLS traffic TMM may reset connections
709334-2	2-Critical		Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-3	2-Critical	K33319853	TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-2	2-Critical		Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707207-2	2-Critical		iRuleLx returning undefined value may cause TMM restart
703914-1	2-Critical		TMM SIGSEGV crash in poolmbr_conn_dec.
686685-1	2-Critical		LTM Policy internal compilation error
683631-1	2-Critical		TMM crashes during stress test
678722-2	2-Critical		In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources
676721-2	2-Critical	K33325265	Missing check for NULL condition causes tmm crash.
674004-1	2-Critical	K34448924	tmm may crash when after deleting pool member in traffic
670804-2	2-Critical	K03163260	Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
656898-2	2-Critical		"oops" "bad transition" messages occur
613524-3	2-Critical		TMM crash when call HTTP::respond twice in LB_FAILED
598110-1	2-Critical		pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.
586587-1	2-Critical		RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
571651-3	2-Critical	K66544028	Reset crypto accelerator queue if it becomes stuck.
440620-2	2-Critical		New connections may be reset when a client reuses the same port as it used for a recently closed connection
713951-3	3-Major		tmm core files produced by nitrox_diag may be missing data
713934-4	3-Major		Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
712475-1	3-Major	K56479945	DNS zones without servers will prevent DNS Express reading zone data
712464-1	3-Major		Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
712437-1	3-Major	K20355559	Records containing hyphens (-) will prevent child zone from loading correctly
711281-3	3-Major		nitrox_diag may run out of space on /shared
708653-3	3-Major		TMM may crash while processing TCP traffic
707951	3-Major		Stalled mirrored flows on HA next-active when OneConnect is used.
704381-3	3-Major		SSL/TLS handshake failures and terminations are logged at too low a level
703580	3-Major		TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
702151-2	3-Major		HTTP/2 can garble large headers
700889-2	3-Major		Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-3	3-Major		Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
700057-3	3-Major		LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
698916-3	3-Major		TMM crash with HTTP/2 under specific condition
698379-3	3-Major	K61238215	HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
693838	3-Major		Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors
691806-3	3-Major	K61815412	RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
688553-1	3-Major		SASP GWM monitor may not mark member UP as expected
685615-5	3-Major	K24447043	Incorrect source mac for TCP Reset with vlangroup for host traffic
681757-1	3-Major	K32521651	Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
678872-2	3-Major		Inconsistent behavior for virtual-address and selfip on the same ip-address
677525-3	3-Major		Translucent VLAN group may use unexpected source MAC address
676914-1	3-Major		The SSL Session Cache can grow indefinitely if the traffic group is changed.
676828-2	3-Major	K09012436	Host IPv6 traffic is generated even when ipv6.enabled is false
676355-2	3-Major		DTLS retransmission does not comply with RFC in certain resumed SSL session
675212-3	3-Major		The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication
673052-2	3-Major		On i-Series platforms, HTTP/2 is limited to 10 streams
671337-1	3-Major		NetHSM DNSSEC key creation can attempt to change the SELinux label on a file
668196-2	3-Major		Connection limit continues to be enforced with least-connections and pool member flap, member remains down
668006-1	3-Major	K12015701	Suspended 'after' command leads to assertion if there are multiple pending events
667707-2	3-Major		LTM policy associations with virtual servers are not ConfigSynced correctly
659519-1	3-Major	K42400554	Non-default header-table-size setting on HTTP2 profiles may cause issues
657883-2	3-Major	K34442339	tmm cache resolver should not cache response with TTL=0
657626-2	3-Major		User with role 'Manager' cannot delete/publish LTM policy.
651541-2	3-Major	K83955631	Changes to the HTTP profile do not trigger validation for virtual servers using that profile
636289-2	3-Major		Fixed a memory issue while handling TCP::congestion iRule
633691-4	3-Major		HTTP transaction may not finish gracefully due to TCP connection is closed by RST
624846-1	3-Major		TCP Fast Open does not work for Responses < 1 MSS
604838-1	3-Major		TCP Analytics reports incorrectly reports entities as "Aggregated"
595281-1	3-Major		TCP Analytics reports huge goodput numbers
570277-1	3-Major	K16044231	SafeNet client not able to establish session to all HSMs on all blades.
367226-4	3-Major		Outgoing RIP advertisements may have incorrect source port
251162-3	3-Major		The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
248914-4	3-Major		ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
713533-3	4-Minor		list self-ip with queries does not work
708249-4	4-Minor		nitrox_diag utility generates QKView files with 5 MB maximum file size limit
700433-2	4-Minor	K10870739	Memory leak when attaching an LTM policy to a virtual server
685467-2	4-Minor	K12933087	Certain header manipulations in HTTP profile may result in losing connection.
678801-2	4-Minor		WS::enabled returned empty string
677958-2	4-Minor		WS::frame prepend and WS::frame append do not insert string in the right place.
645729-1	4-Minor		SSL connection is not mirrored if ssl session cache is cleared and resume attempted
639970-3	4-Minor		GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error
627764-2	4-Minor		Prevent sending a 2nd RST for a TCP connection
627695-2	4-Minor		[netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational
621379-2	4-Minor		TCP Lossfilter not enforced after iRule changes TCP settings
618024-2	4-Minor		software switched platforms accept traffic on lacp trunks even when the trunk is down
604272-1	4-Minor		SMTPS profile connections_current stat does not reflect actual connection count.
523814-3	4-Minor		When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
522302-2	4-Minor		TCP Receive Window error messages are inconsistent on UI
495242-3	4-Minor		mcpd log messages: Failed to unpublish LOIPC object

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
713066-3	2-Critical	K10620131	Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-1	2-Critical		DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
706128-1	3-Major		DNSSEC Signed Zone Transfers Can Leak Memory
705503-1	3-Major		Context leaked from iRule DNS lookup
680069-3	3-Major	K81834254	zxfrd core during transfer while network failure and DNS server removed from DNS zone config★
675539-1	3-Major		Inter-system communications targeted at a Management IP address might not work in some cases.
672491-2	3-Major	K10990182	net resolver uses internal IP as source if matching wildcard forwarding virtual server
660263-4	3-Major		DNS transparent cache message and RR set activity counters not incrementing
653775-3	3-Major	K05397641	Ampersand (&) in GTM synchronization group name causes synchronization failure.
643813-2	3-Major	K32906881	ZoneRunner does not properly process $ORIGIN directives
637227-4	3-Major	K60414305	DNS Validating Resolver produces inconsistent results with DNS64 configurations.
629421-1	3-Major		Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
609527-2	3-Major		DNS cache local zone not properly copying recursion desired (RD) flag in response
602300-1	3-Major		Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
669262-2	4-Minor	K91122850	[GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
638170-1	4-Minor	K36455356	Pagination broken or missing while viewing pool statistics for GTM wideip
605537-5	4-Minor	K03997964	Error when resetting statistics on GSLB Pool Members

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
639767-2	2-Critical		Policy with Session Awareness Statuses may fail to export
606983-3	2-Critical		ASM errors during policy import
580862-1	2-Critical		Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes
712362-1	3-Major		ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
710327-3	3-Major		Remote logger message is truncated at NULL character.
707888	3-Major		Some ASM operations delayed due to scheduled ASU update
707147-2	3-Major		High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-1	3-Major		False positive illegal multipart violation
704143-2	3-Major		BD memory leak
700726-1	3-Major		Search engine list was updated
691897-1	3-Major		Names of the modified cookies do not appear in the event log
687759-2	3-Major		bd crash
686765-1	3-Major		Database cleaning failure may allow MySQL space to fill the disk entirely
683241-3	3-Major	K70517410	Improve CSRF token handling
674527-1	3-Major		TCL error in ltm log when server closes connection while ASM irules are running
663396-1	3-Major		Requests using GET method are illegal after upgrade from 11.6.2
654996-1	3-Major	K50345236	Closed connections remains in memory
665470-1	4-Minor		Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised
700812-2	5-Cosmetic		asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
716747-4	2-Critical		TMM core with SWG Transparent
715250-2	2-Critical		TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
714879-1	2-Critical		APM CRLDP Auth passes all certs
681850-1	2-Critical		APMD process may fail to initialize on start either after upgrade or after adding certain configurations
671373-2	2-Critical		urldb core seen
632798-2	2-Critical		Double-free may occur if Access initialization fails
720695-2	3-Major		Export then import of Profile/Policy with advanced customization is failing
720030-3	3-Major		Enable EDNS flag for internal Kerberos DNS SRV queries
718208-1	3-Major		Unable to install Network Access plugin on Linux Ubuntu 16.04 w/ Firefox v52 ESR using SUDO
715207-2	3-Major		coapi errors while modifying per-request policy in VPE
714542-1	3-Major		'Always Connected Mode' text is missing in EdgeClient tray
712924	3-Major		In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
712857-1	3-Major		SWG-Explicit rejects large POST bodies during policy evaluation
706374-2	3-Major		[Kerberos SSO] krb5 library need to use threadsafe res_ninit, res_nsearch instead of res_init, res_search
704524-2	3-Major		[Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
684937-6	3-Major		[KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-6	3-Major		[KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
658664-3	3-Major	K21390304	VPN connection drops when 'prohibit routing table change' is enabled
609793-1	3-Major		HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.
602429-1	3-Major		DNS suffix is not restored after disconnecting Network Access
543344-3	3-Major		ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
516736-1	3-Major		URLs with backslashes in the path may not be handled correctly in Portal Access

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
703515-5	2-Critical	K44933323	MRF SIP LB - Message corruption when using custom persistence key
698338-2	2-Critical		Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
685708-3	2-Critical		Routing via iRule to a host without providing a transport from a transport-config created connection cores
669739-1	2-Critical	K71963740	Potential core when using MRF SIP with SCTP
659173-1	2-Critical	K76352741	Diameter Message Length Limit Changed from 1024 to 4096 Bytes
700571-2	3-Major		SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-3	3-Major	K55660303	High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
688942-3	3-Major	K82601533	ICAP: Chunk parser performs poorly with very large chunk
679114-2	3-Major	K92585400	Persistence record expires early if an error is returned for a BYE command
674747-2	3-Major	K30837366	sipdb cannot delete custom bidirectional persistence entries.
673814-4	3-Major	K37822302	Custom bidirectional persistence entries are not updated to the session timeout
642298-3	3-Major		Unable to create a bidirectional custom persistence record in MRF SIP
640384-3	3-Major		New iRule options for MR::message route command
620759-4	3-Major		Persist timeout value gets truncated when added to the branch parameter.
632658-4	4-Minor		Enable SIP::persist command to operate during SIP_RESPONSE event
617690-4	4-Minor		enable SIP::respond iRule command to operate during MR_FAILED event

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
677473-1	2-Critical		MCPD core is generated on multiple add/remove of Mgmt-Rules
666112-1	3-Major	K53708490	TMM 'DoS Layer 7' memory leak during config load
663770-2	3-Major	K04025134	AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
699531-3	2-Critical		Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-3	2-Critical		TMM core may be seen when using Application reporting with flow filter in PEM
715090	3-Major		PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers
711570-1	3-Major		PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
711093-2	3-Major		PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-1	3-Major		Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-3	3-Major		Increase PEM HSL reporting buffer size to 4K.
648802-3	3-Major		Required custom AVPs are not included in an RAA when reporting an error.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
667662-1	3-Major	K06579313	Autolasthop does not work for PPTP-GRE traffic.

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
625114-2	2-Critical	K08062851	Internal sync-change conflict after update to local users table

Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
708956	1-Blocking		During system boots up, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
696732	2-Critical	K54431534	tmm may crash in a compression provider
689730-2	3-Major		Software installations from v13.1.0 might fail★
674455-7	3-Major		Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
680388-2	4-Minor		f5optics should not show function name in non-debug log messages
653759-2	4-Minor		Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
662078-1	2-Critical		Occasionally connections are dropped in response to timing errors
694778-2	3-Major		Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-1	3-Major		Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-2	3-Major		Change the default compression strategy to speed
632824-1	3-Major	K00722715	SSL TPS limit can be reached if the system clock is adjusted
495443-10	3-Major		ECDH negotiation failures logged as critical errors.
679496-1	4-Minor		Add 'comp_req' to the output of 'tmctl compress'

Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
695901-2	CVE-2018-5513	K46940010	TMM may crash when processing ProxySSL data
693312-2	CVE-2018-5518	K03165684	vCMPd may crash when processing bridged network traffic
688516-2	CVE-2018-5518	K03165684	vCMPd may crash when processing bridged network traffic
701359-2	CVE-2017-3145	K08613310	BIND vulnerability CVE-2017-3145
688009-5	CVE-2018-5519	K46121888	Appliance Mode TMSH hardening
615269-1	CVE-2016-2183	K13167034	CVE-2016-2183: AFM SSH Proxy Vulnerability

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
680850-1	3-Major		Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
570570-5	3-Major		Default crypto failure action is now 'go-offline-downlinks'.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
711547	1-Blocking		Update cipher support for Common Criteria compliance
708054-3	2-Critical		Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-2	2-Critical		bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
703761-1	2-Critical		Disable DSA keys for public-key and host-based authentication in Common Criteria mode
677937-1	2-Critical	K41517253	APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
673484-1	2-Critical	K85405312	IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
664549-2	2-Critical	K55105132	TMM restart while processing rewrite filter
599423-1	2-Critical	K24584925	merged cores and restarts
583111-1	2-Critical		BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
701626-1	3-Major		GUI resets custom Certificate Key Chain in child client SSL profile
686029-1	3-Major		A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
664737-2	3-Major		Do not reboot on ctrl-alt-del
655005-1	3-Major	K23355841	"Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
646890-1	3-Major	K12068427	IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
635703-1	3-Major	K14508857	Interface description may cause some interface level commands to be removed
614486-1	3-Major		BGP community lower bytes of zero is not allowed to be set in route-map
612721-4	3-Major		FIPS: .exp keys cannot be imported when the local source directory contains .key file
609967-2	3-Major	K55424912	qkview missing some HugePage memory data
586412-2	3-Major		BGP peer-group members address-family configuration not saved to configuration
583108-1	3-Major		Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
581101-1	3-Major		non-admin user running list cmd: can't get object count
557155-8	3-Major	K33044393	BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
421797-3	3-Major		ePVA continues to accelerate IP Forwarding VS traffic even in Standby
651413-2	4-Minor	K34042229	tmsh list ltm node does not return an error when node does not exist
598437-1	4-Minor		SNMP process monitoring is incorrect for tmm and bigd

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
706631	2-Critical		A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-1	2-Critical		The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666-2	2-Critical		memory corruption can occur when using certain certificates
701202-1	2-Critical	K35023432	SSL memory corruption
700862-2	2-Critical	K15130240	tmm SIGFPE 'valid node'
700393-2	2-Critical		Under certain circumstances a stale http2 stream can cause a tmm crash
685254-1	2-Critical	K14013100	RAM Cache Exceeding Watchdog Timeout in Header Field Search
678416-2	2-Critical		Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
676028-2	2-Critical	K09689143	SSL forward proxy bypass may fail to release memory used for ssl_hs instances
673951-4	2-Critical	K56466330	Memory leak when using HTTP2 profile
670814-2	2-Critical		Wrong SE Linux label breaks nethsm DNSSEC keys
665185-1	2-Critical	K20994524	SSL handshake reference is not dropped if forward proxy certificate lookup failed
657463-2	2-Critical		SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.
648320-3	2-Critical		Downloading via APM tunnels could experience performance downgrade.
647757-2	2-Critical	K96395052	RATE-SHAPER:Fred not properly initialized may halt traffic
636096-1	2-Critical		Nitrox PX chips may temporarily fail
613088-3	2-Critical		pkcs11d thread has session initialization problem.
452283-2	2-Critical		An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
705794-1	3-Major		Under certain circumstances a stale http2 stream can cause a tmm crash
690042-3	3-Major	K43412307	Potential Tcl leak during iRule suspend operation
689449-3	3-Major		Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
687205-3	3-Major		Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
686972-1	3-Major		The change of APM log settings will reset the SSL session cache.
686395	3-Major		With DTLS version1, when client hello uses version1.2, handshake shall proceed
683697-3	3-Major	K00647240	SASP monitor may use the same UID for multiple HA device group members
677962-3	3-Major		Invalid use of SETTINGS_MAX_FRAME_SIZE
677457	3-Major	K13036194	HTTP/2 Gateway appends semicolon when a request has one or more cookies
677400-3	3-Major	K82502883	pimd daemon may exit on failover
673399-1	3-Major		HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
665652-2	3-Major	K41193475	Multicast traffic not forwarded to members of VLAN group
664528-1	3-Major	K53282793	SSL record can be larger than maximum fragment size (16384 bytes)
663551-1	3-Major	K14942957	SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
662911-2	3-Major	K93119070	SASP monitor uses same UID for all vCMP guests in a chassis or appliance
654368-7	3-Major		ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
654086-3	3-Major		Incorrect handling of HTTP2 data frames larger than minimal frame size
653976-2	3-Major		SSL handshake fails if server certificate contains multiple CommonNames
651901-2	3-Major		Removed unnecessary ASSERTs in MPTCP code
640369-2	3-Major		TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
633333-3	3-Major		During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
619844-2	3-Major		Packet leak if reject command is used in FLOW_INIT rule
611691-5	3-Major		Packet payload ignored when DSS option contains DATA_FIN
608991-7	3-Major		BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
605480-4	3-Major		BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
604880-4	3-Major		tmm assert "valid pcb" in tcp.c
604549-7	3-Major		MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
592731-1	3-Major	K34220124	Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
653746-2	4-Minor	K83324551	Unable to display detailed CPU graphs if the number of CPU is too large
569814-2	4-Minor	K30240351	iRule "nexthop IP_ADDR" rejected by validator

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
710424-3	2-Critical	K00874337	Possible SIGSEGV in GTMD when GTM persistence is enabled.
699135-2	2-Critical		tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
691287-3	2-Critical		tmm crashes on iRule with GTM pool command
682335-3	2-Critical		TMM can establish multiple connections to the same gtmd
699339-1	3-Major	K24634702	Geolocation upgrade files fail to replicate to secondary blades
696808-3	3-Major	K35353213	Disabling a single pool member removes all GTM persistence records
687128-3	3-Major		gtm::host iRule validation for ipv4 and ipv6 addresses
679149-2	3-Major		TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
663310-3	3-Major		named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
619158-1	3-Major		iRule DNS request with trailing dot times out with empty response
595293-4	3-Major		Deleting GTM links could cause gtm_add to fail on new devices.
603758-1	4-Minor		Big3D security hardening

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
679221-1	1-Blocking		APMD may generate core file or appears locked up after APM configuration changed
702278-3	2-Critical		Potential XSS security exposure on APM logon page.
678715-1	2-Critical		Large volume of query result update to SessionDB fails and locks down ApmD
712315-1	3-Major		LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
710211	3-Major		Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
704580-3	3-Major		apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
702490-4	3-Major		Windows Credential Reuse feature may not work
702487-1	3-Major		AD/LDAP admins with spaces in names are not supported
700780-4	3-Major		F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
699267-1	3-Major		LDAP Query may fail to resolve nested groups
681415-1	3-Major		Copying of profile with advanced customization or images might fail
675775-2	3-Major		TMM crashes inside dynamic ACL building session db callback
672250-1	3-Major		SessionDB update from ApmD with large volume fails
671149-3	3-Major		Captive portal login page is not rendered until it is refreshed
669459-2	3-Major		Efect of bad connection handle between APMD and memcachd
639283-4	3-Major		Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
569542-1	3-Major		After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★
667237-3	4-Minor		Edge Client logs the routing and IP tables repeatedly

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
673463-2	2-Critical	K68275280	SDD v3 symmetric deduplication may start performing poorly after a failover event
685693	3-Major		APM AppTunnels memory leak

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
702738	3-Major	K32181540	Tmm might crash activating new blob when changing firewall rules
528499-3	4-Minor		AFM address lists are not sorted while trying to create a new rule.

Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
706086-1	CVE-2018-5515	K62750376	PAM RADIUS authentication subsystem hardening
704490	CVE-2017-5754	K91229003	CVE-2017-5754 (Meltdown)
704483	CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176	K91229003	CVE-2017-5753 (Spectre Variant 1)

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
707226-2	1-Blocking		DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
704804-2	3-Major		The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-2	3-Major		NAS-IP-Address will be sent with the bytes backwards
703869-1	3-Major		Waagent updated to 2.2.21
701249-2	3-Major		RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
699147	3-Major		Hourly billed cloud images are now pre-licensed
687098	3-Major		IPv6 RADIUS servers not supported for remote authentication
674288-2	3-Major	K62223225	FQDN nodes - monitor attribute doesn't reliably show in GUI
649465-1	3-Major		SELinux warning messages regarding nsm daemon

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
695117	2-Critical	K30081842	bigd cores and sends corrupted MCP messages with many FQDN nodes
668883	2-Critical		FQDN pool member status may become out-of-sync when enabled/disabled through GUI
707675	3-Major		FQDN nodes or pool members flap when DNS response received
701609	3-Major		Static member of pool with FQDN members may revert to user-disabled after being re-enabled
685344-2	3-Major		Monitor 'min 1 of' not working as expected with FQDN nodes/members
673075-1	3-Major		Reduced Issues for Monitors configured with FQDN
671228-1	3-Major		Multiple FQDN ephemeral nodes may be created with autopopulate disabled
667560-3	3-Major	K69205908	FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
573602-1	3-Major		FQDN pool members not shown by tmsh show ltm monitor
573302-1	3-Major		FQDN pool member remains in disabled state after removing monitor
571095-1	3-Major		Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
467709-1	4-Minor		FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN
699262-2	5-Cosmetic		FQDN pool member status remains in 'checking' state after full config sync

Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
700556-2	CVE-2018-5504	K11718033	TMM may crash when processing WebSockets data
698080-1	CVE-2018-5503	K54562183	TMM may consume excessive resources when processing with PEM
691504-3	CVE-2018-5503	K54562183	PEM content insertion in a compressed response may cause a crash.
677193-2	CVE-2017-6154	K38243073	ASM BD Daemon Crash.
674189	CVE-2016-0718	K52320548	iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
673078-1	CVE-2017-6150	K62712037	TMM may crash when processing FastL4 traffic
670822-3	CVE-2017-6148	K55225440	TMM may crash when processing SOCKS data
668501-2	CVE-2017-6151	K07369970	HTTP2 does not handle some URIs correctly
630446-1	CVE-2016-0718	K52320548	Expat vulnerability CVE-2016-0718
621233-1	CVE-2018-5509	K49440608	FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm
699455-3	CVE-2018-5523	K50254952	SAML export does not follow best practices
699346-2	CVE-2018-5524	K53931245	NetHSM capacity reduces when handling errors
694274-2	CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798	K23565223	[RHSA-2017:3195-01] Important: httpd security update - EL6.7
688625-2	CVE-2017-11628	K75543432	PHP Vulnerability CVE-2017-11628
688011-5	CVE-2018-5520	K02043709	Dig utility does not apply best practices
676457-3	CVE-2017-6153	K52167636	TMM may consume excessive resource when processing compressed data
671638-4	CVE-2018-5500	K33211839	TMM crash when load-balancing mptcp traffic
670405-4	CVE-2017-1000366	K20486351	K20486351: glibc vulnerability CVE-2017-1000366:
662850-2	CVE-2015-2716	K50459349	Expat XML library vulnerability CVE-2015-2716
662663-6	CVE-2018-5507	K52521791	Decryption failure Nitrox platforms in vCMP mode
652848-2	CVE-2018-5501	K44200194	TCP DNS profile may impact performance
643375-1	CVE-2018-5508	K10329515	TMM may crash when processing compressed data
631204-1	CVE-2018-5521	K23124150	GeoIP lookups incorrectly parse IP addresses
617273-7	CVE-2016-5300	K70938105	Expat XML library vulnerability CVE-2016-5300
593139-9	CVE-2014-9761	K31211252	glibc vulnerability CVE-2014-9761
572272-5	CVE-2018-5506	K65355492	BIG-IP - Anonymous Certificate ID Enumeration
673607-2	CVE-2017-3169	K83043359	Apache CVE-2017-3169
672667-4	CVE-2017-7679	K75429050	CVE-2017-7679: Apache vulnerability
605579-8	CVE-2012-6702	K65460334	iControl-SOAP expat client library is subjected to entropy attack
578983-4	CVE-2015-8778	K51079478	glibc: Integer overflow in hcreate and hcreate_r
684033-1	CVE-2017-9798	K70084351	CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
686389-3	3-Major		APM does not honor per-farm HTML5 client disabling at the View Connection Server
685020-1	3-Major		Enhancement to SessionDB provides timeout
653772-2	3-Major		fastL4 fails to evict flows from the ePVA
639505-3	3-Major		BGP may not send all configured aggregate routes
587107-3	3-Major		Allow iQuery to negotiate up to version TLS1.2

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
667148-1	1-Blocking	K02500042	Config load or upgrade can fail when loading GTM objects from a non-/Common partition
689577-1	2-Critical	K45800333	ospf6d may crash when processing specific LSAs
678833	2-Critical		IPv6 prefix SPDAG causes packet drop
676203-1	2-Critical		Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
667405-2	2-Critical	K61251939	Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
667404-2	2-Critical	K77576404	Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
651362	2-Critical		eventd crashes during boot
631700-1	2-Critical	K72453283	sod may kill bcm56xxd under heavy load
617733-1	2-Critical		Error message: subscriber id response; Subscription not found
580753-1	2-Critical	K82583534	eventd might core on transition to secondary.
563661-2	2-Critical		Datastor may crash
694696-3	3-Major		On multiblade Viprion, creating a new traffic-group causes the device to go Offline
687658-2	3-Major		Monitor operations in transaction will cause it to stay unchecked
687353-3	3-Major	K35595105	Qkview truncates tmstat snapshot files
682213-3	3-Major	K31623549	TLS v1.2 support in IP reputation daemon
679480-1	3-Major		User able to create node when an ephemeral with the same IP already exists
674320-2	3-Major	K11357182	Syncing a large number of folders can prevent the configuration getting saved on the peer systems
672815-2	3-Major		Incorrect disaggregation on VIPRION B4200 blades
671082-1	3-Major	K85168072	snmpd constantly restarting
669888-2	3-Major		No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
669462-1	3-Major		Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
669415-1	3-Major		Flow eviction for hardware-accelerated flow might fail
664894-1	3-Major	K11070206	PEM sessions lost when new blade is inserted in chassis
664057-2	3-Major		Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
664017-3	3-Major		OCSP may reject valid responses
652968-2	3-Major	K88825548	IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
645723-2	3-Major	K74371937	Dynamic routing update can delete admin ip route from the kernel
632366-1	3-Major		Prevent a spurious Broadcom switch driver failure.
631316	3-Major	K62532020	Unable to load config with client-SSL profile error★
626990-1	3-Major	K64915164	restjavad logs flooded with messages from ChildWrapper
624362-1	3-Major		VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
623803-2	3-Major	K12921801	General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
610122-1	3-Major		Hotfix installation fails: can't create /service/snmpd/run★
598724-1	3-Major		Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
586887-2	3-Major	K25883308	SCTP tmm crash with virtual server destination.
579760-3	3-Major	K55703840	HSL::send may fail to resume after log server pool member goes down/up
471237-2	3-Major	K12155235	BIG-IP VE instances do not work with an encrypted disk in AWS.
699281	4-Minor		Version format of hypervisor bundle matches Version format of ISO
669255-2	4-Minor	K20100613	An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
660239-3	4-Minor		When accessing the dashboard, invalid HTTP headers may be present
655085-2	4-Minor		While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
613275-2	4-Minor	K62581339	SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
601168-1	4-Minor		Incorrect virtual server CPU utilization may be observed.
509980-1	4-Minor		Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
692970-3	2-Critical		Using UDP port 67 for purposes other than DHCP might cause TMM to crash
687603-1	2-Critical	K36243347	tmsh query for dns records may cause tmm to crash
686228-3	2-Critical	K23243525	TMM may crash in some circumstances with VLAN failsafe
682682-3	2-Critical		tmm asserts on a virtual server-to-virtual server connection
681175-1	2-Critical	K32153360	TMM may crash during routing updates
676982-2	2-Critical	K21958352	Active connection count increases over time, long after connections expire
674576-4	2-Critical		Outage may occur with VIP-VIP configurations
665924-1	2-Critical	K24847056	The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
665732-2	2-Critical		FastHTTP may crash when receiving a fragmented IP packet
664461-3	2-Critical	K16804728	Replacing HTTP payload can cause tmm restart
658989-2	2-Critical		Memory leak when connection terminates in iRule process
639039-4	2-Critical	K33754014	Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
614702-1	2-Critical	K24172560	Race condition when using SSL Orchestrator can cause TMM to core
704073-3	3-Major	K24233427	Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
698000-1	3-Major	K04473510	Connections may stop passing traffic after a route update
689089-3	3-Major		VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
686307-1	3-Major	K10665315	Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686305-2	3-Major		TMM may crash while processing SSL forward proxy traffic
686065-1	3-Major		RESOLV::lookup iRule command can trigger crash with slow resolver
685955	3-Major		TMM hud_message_ctx leak
685110-3	3-Major		With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683683-1	3-Major		ASN1::encode returns wrong binary data
682104-1	3-Major		HTTP PSM leaks memory when looking up evasion descriptions
680755-1	3-Major	K27015502	max-request enforcement no longer works outside of OneConnect
673621-2	3-Major		Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
670816-2	3-Major	K44519487	HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
669974-1	3-Major	K90395411	Encoding binary data using ASN1::encode may truncate result
668522-1	3-Major		bigd might try to read from a file descriptor that is not ready for read
668419-1	3-Major	K53322151	ClientHello sent in multiple packets results in TCP connection close
666315	3-Major		Global SNAT sets TTL to 255 instead of decrementing
666160-1	3-Major	K63132146	L7 Policy reconfiguration causes a slow memory leak
665022-1	3-Major		Rateshaper stalls when TSO packet length exceeds max ceiling.
664769-1	3-Major		TMM may restart when using SOCKS profile and an iRule
663821-3	3-Major	K41344010	SNAT Stats may not include port FTP traffic
661881-2	3-Major		Memory and performance issues when using certain ASN.1 decoding formats in iRules
659648-2	3-Major		LTM Policy rule name migration doesn't properly handle whitespace
657795-1	3-Major	K51498984	Possible performance impact on some SSL connections
655432-7	3-Major	K85522235	SSL renegotiation failed intermittently with AES-GCM cipher
651681-4	3-Major		Orphaned bigd instances may exist (within multi-process bigd)
651135-4	3-Major	K41685444	LTM Policy error when rule names contain slash (/) character★
645220-2	3-Major		bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
645197-3	3-Major		Monitors receiving unique HTTP "success" response codes may stop monitoring after status change
640565-1	3-Major	K11564859	Incorrect packet size sent to clone pool member
636149-3	3-Major		Multiple monitor response codes to single monitor probe failure
628721-1	3-Major		In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
627926-1	3-Major	K21211001	Retrieving a server-side SSL session ID in iRules does not work
584865-1	3-Major		Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
582487-2	3-Major	K22210514	'merged.method' set to 'slow_merge,' does not update system stats
574526-1	3-Major	K55542554	HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
573366-4	3-Major		parking command used in the nesting script of clientside and serverside command can cause tmm core
692095-3	4-Minor	K65311501	bigd logs monitor status unknown for FQDN Node/Pool Member
625892-2	4-Minor		Nagle Algorithm Not Fully Enforced with TSO
530877-7	4-Minor	K13887095	TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
692941-3	2-Critical		GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
678861-3	2-Critical	K00426059	DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★
580537-1	2-Critical		The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-4	2-Critical		Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
700527-1	3-Major		cmp-hash change can hang iRule DNS lookup
691498-1	3-Major		Connection failure during iRule DNS lookup can crash TMM
690166-3	3-Major		ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
671326-2	3-Major	K81052338	DNS Cache debug logging might cause tmm to crash.
667469-1	3-Major	K35324588	Higher than expected CPU usage when using DNS Cache
665347-2	3-Major	K17060443	GTM listener object cannot be created via tmsh while in non-Common partition
636853-2	3-Major		Under some conditions, a change in the order of GTM topology records does not take effect.
621374-1	3-Major		"abbrev" argument in "whereis" iRule returns nothing
487144-2	3-Major		tmm intermittently reports that it cannot find FIPS key

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
701327-1	2-Critical		failed configuration deletion may cause unwanted bd exit
699720-3	2-Critical		ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-3	2-Critical		Rare BD crash in a specific scenario
684312-2	2-Critical		During Apply Policy action, bd agent crashes, causing the machine to go Offline
681109-2	2-Critical	K46212485	BD crash in a specific scenario
679603-2	2-Critical	K15460886	bd core upon request, when profile has sensitive element configured.
678462-2	2-Critical		after chassis failover: asmlogd CPU 100% on secondary
678228-1	2-Critical	K27568142	Repeated Errors in ASM Sync
672301-2	2-Critical		ASM crashes when using a logout object configuration in ASM policy
662281-2	2-Critical		Inconsistencies in Automatic sync ASM Device Group
637252-1	2-Critical	K73107660	Rest worker becomes unreliable after processing a call that generated an error
633070-1	2-Critical		Sync Inconsistencies when using Autosync ASM Group between Chassis devices
631609-1	2-Critical		ASM Centralized Management Infrastructure Sync issues
614441-4	2-Critical	K04950182	False Positive for illegal method (GET)
611154-1	2-Critical		BD crash
599221-1	2-Critical		ASM Policy cannot be created in non-default partition via the Import Policy Task
576123-3	2-Critical	K23221623	ASM policies are created as inactive policies on the peer device
702946-2	3-Major		Added option to reset staging period for signatures
701841-1	3-Major		Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
700564-2	3-Major		JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
700330	3-Major		AJAX blocking page isn't shown when a webpage uses jQuery framework.
700143-1	3-Major		ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
698919-1	3-Major		Anti virus false positive detection on long XML uploads
697303-3	3-Major		BD crash
696265-3	3-Major		BD crash
694922-4	3-Major		ASM Auto-Sync Device Group Does Not Sync
691477-1	3-Major		ASM standby unit showing future date and high version count for ASM Device Group
685743-3	3-Major		When changing internal parameter 'request_buffer_size' in large request violations might not be reported
685207-2	3-Major		DoS client side challenge does not encode the Referer header.
683508-3	3-Major		WebSockets: umu memory leak of binary frames when remote logger is configured
682612	3-Major		Event Correlation is disabled on vCMP even though all the prerequisites are met.
679384-1	3-Major	K85153939	The policy builder is not getting updates about the newly added signatures.
678293-1	3-Major	K25066531	Uncleaned policy history files cause /var disk exhaustion
676416-2	3-Major		BD restart when switching FTP profiles
675232-3	3-Major		Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
674494-1	3-Major	K77993010	BD memory leak on specific configuration and specific traffic
671675-1	3-Major		Centralized Management Infrastructure: asm_config_server restart on device group change
668184-1	3-Major		Huge values are shown in the AVR statistics for ASM violations
668181-2	3-Major		Policy automatic learning mode changes to manual after failover
667922	3-Major	K44692860	Alternative unicode encoding in JSON objects not being parsed correctly
666986-2	3-Major	K50320144	Filter by Support ID is not working in Request Log
663535-1	3-Major		Sending ASM cookies with "secure" attribute even without client-ssl profile
654925-1	3-Major	K25952033	Memory Leak in ASM Sync Listener Process
654873-2	3-Major		ASM Auto-Sync Device Group
619516-1	3-Major		Inconsistencies in Automatic sync ASM Device Group
605982-1	3-Major		Policy settings change during export/import
434821-1	3-Major		Remote logging of staged signatures and staged sets
694073-1	4-Minor		All signature update details are shown in 'View update history from previous BIG-IP versions' popup
655159-1	4-Minor	K84550544	Wrong XML profile name Request Log details for XML violation

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
658343-2	3-Major	K33043439	AVR tcp-analytics: per-host RTT average may show incorrect values
648242	3-Major	K73521040	Administrator users unable to access all partition via TMSH for AVR reports
582029-4	3-Major		AVR might report incorrect statistics when used together with other modules.
682105	4-Minor		Adding widget in Analytics Overview can cause measures list to empty out on Page change
649161-1	4-Minor	K42340304	AVR caching mechanism not working properly

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
693739-3	2-Critical		VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
660711-1	2-Critical	K05265457	MCPd might crash when user trying to import a access policy
649234-3	2-Critical	K64131101	TMM crash from a possible memory corruption.
639929-2	2-Critical		Session variable replace with value containing these characters ' " & < > = may case tmm crash
632178-1	2-Critical		LDAP Query agent creates only two session variables when required attributes list is empty
703984-2	3-Major		Machine Cert agent improperly matches hostname with CN and SAN
703429-1	3-Major		Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
700783-3	3-Major		Machine certificate check does not check against all FQDN hostnames
692307-1	3-Major		User with 'operator' role may not be able to view some session variables
689826-2	3-Major		Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
686282-1	3-Major		APMD intermittently crash when processing access policies
684325-3	3-Major		APMD Memory leak when applying a specific access profile
683389-1	3-Major		Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
682500-1	3-Major	K03903649	VDI Profile and Storefront Portal Access resource do not work together
680112-1	3-Major	K18131781	SWG-Explicit rejects large POST bodies during policy evaluation
678851-1	3-Major		Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
676690-3	3-Major		Windows Edge Client sometimes crashes when user signs out from Windows
675866-1	3-Major		WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
675399-3	3-Major	K14304639	Network Access does not work when empty variables are assigned for WINS and DNS
674593-1	3-Major		APM configuration snapshot takes a long time to create
674410-3	3-Major	K59281892	AD auth failures due to invalid Kerberos tickets
673748-1	3-Major	K19534801	ng_export, ng_import might leave security.configpassword in invalid state
672868-1	3-Major		Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
672040-3	3-Major		Access Policy Causing Duplicate iRule Event Execution
671597-1	3-Major		Import, export, copy and delete is taking too long on 1000 entries policy
670910-2	3-Major		Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
669510-2	3-Major		When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
669154-1	3-Major	K25342114	Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
668623-5	3-Major	K85991425	macOS Edge client fails to detect correct system language for regions other than USA
668503-3	3-Major		Edge Client fails to reconnect to virtual server after disabling Network Adapter
668129-1	3-Major		BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
666689-1	3-Major		Occasional "profile not found" errors following activate access policy
666058-2	3-Major	K86091857	XenApp 6.5 published icons are not displayed on APM Webtop
665416-3	3-Major	K02016491	Old versions of APM configuration snapshots need to be reaped more aggressively if not used
665330-1	3-Major		MSIE 11 should avoid compatibility mode
664507-3	3-Major		When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
663127-1	3-Major		Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
655364-1	3-Major		Portal access rewriting window.opener causes JS exception
655146-2	3-Major		APM Profile access stats are not updated correctly
654508-2	3-Major		SharePoint MS-OFBA browser window displays Javascript errors
654046-1	3-Major	K22121533	BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
653771-2	3-Major		tmm crash after per-request policy error
653324-3	3-Major	K87979026	On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
651910-2	3-Major		Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later
649613-3	3-Major		Multiple UDP/TCP packets packed into one DTLS Record
632646-4	3-Major		APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629921-4	3-Major		[[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.
621682-1	3-Major		Portal Access: problem with specific JavaScript code
616104-2	3-Major		VMware View connections to pool hit matching BIG-IP virtuals
613373-2	3-Major		Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page
610582-2	3-Major		Device Guard prevents Edge Client connections
601420-3	3-Major		Possible SAML authentication loop with IE and multi-domain SSO.
596083-1	3-Major		Error running custom APM Reports with "session creation time" on Viprion Platform
590992-3	3-Major		If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working
578413-1	3-Major		Missing reference to customization-group from connectivity profile if created via portal access wizard
575444-1	3-Major		Wininfo agent incorrectly reports OS version on Windows 10 in some cases
563135-3	3-Major		SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
466068-1	3-Major		Allow setting of the AAA Radius server timeout value larger than 60 seconds
447565-5	3-Major	K33692321	Renewing machine-account password does not update the serviceId for associated ntlm-auth.
691017-1	4-Minor		Preventing ng_export hangs
684414-1	4-Minor		Retrieving too many groups is causing out of memory errors in TMUI and VPE
673717-1	4-Minor		VPE loading times can be very long
671627-1	4-Minor	K06424790	HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
667304-1	4-Minor	K68108551	Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
561892-2	4-Minor	K08121752	Kerberos cache is not cleared when Administrator password is changed in AAA AD Server

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
662844	2-Critical	K87735013	TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
643785-3	2-Critical		diadb crashes if it cannot find pool name
699431	3-Major		Possible memory leak in MRF under low memory

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
456376-4	1-Blocking	K53153545	BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
671052-3	2-Critical	K50324413	AFM NAT security RST the traffic with (FW NAT) dst_trans failed
664708-2	2-Critical		TMM memory leak when DoS profile is attached to VS
644822-2	2-Critical	K19245372	FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
564058-1	2-Critical	K91467162	AutoDoS daemon aborts intermittently after it's being up for several days
620543-1	3-Major		Security Address Lists and Port Lists can't change Description field

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
696383-2	2-Critical		PEM Diameter incomplete flow crashes when sweeped
694717-3	2-Critical		Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-3	2-Critical	K23164003	TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-2	3-Major		PEM Diameter incomplete flow crashes when TCL resumed
695968-3	3-Major		Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-3	3-Major		CCA without a request type AVP cannot be tracked in PEM.
694318-3	3-Major		PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-3	3-Major		PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-2	3-Major		Potential memory leak if PEM Diameter sessions are not created successfully.
678714-3	3-Major		After HA failover, subscriber data has stale session ID information
660187-3	3-Major		TMM core after intra-chassis failover for some instances of subscriber creation
642068-1	3-Major		PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
638594-3	3-Major		TMM crash when handling unknown Gx messages.
627616-3	3-Major		CCR-U missing upon VALIDITY TIMER expiry when quota is zero
624231-5	3-Major		No flow control when using content-insertion with compression
680729-3	4-Minor	K64307999	DHCP Trace log incorrectly marked as an Error log.
678822-3	4-Minor		Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
663333-1	2-Critical		TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high
615432-1	2-Critical		Multiple TFTP data transfers cannot be initiated in a single session
663974-2	3-Major		TMM crash when using LSN inbound connections

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
692123-2	3-Major		GET parameter is grayed out if MobileSafe is not licensed
667892-2	3-Major		FPS: BLFN inheritance won't take effect until GUI refresh

Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
681710-4	CVE-2017-6155	K10930474	Malformed HTTP/2 requests may cause TMM to crash
673595-2	CVE-2017-3167 CVE-2017-3169	K34125394	Apache CVE-2017-3167
648786-5	CVE-2017-6169	K31404801	TMM crashes when categorizing long URLs

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
673129	3-Major		New feature: revoke license

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
682837	1-Blocking		Compression watchdog period too brief.
675921	1-Blocking		Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
696468	2-Critical		Active compression requests can become starved from too many queued requests.
667173	2-Critical		13.1.0 cannot join a device group with 13.1.0.1
665656-1	2-Critical		BWC with iSession may memory leak
663366-3	2-Critical		SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
621386-1	2-Critical	K91988084	restjavad spawns too many icrd_child instances
679959-1	3-Major		Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
672988-2	3-Major	K03433341	MCP memory leak when performing incremental ConfigSync
669288-3	3-Major	K76152943	Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
668352-2	3-Major		High Speed Logging unbalance in log distribution for multiple pool destination.
668048-1	3-Major	K02551403	TMM memory leak when manually enabling/disabling pool member used as HSL destination
663063-2	3-Major		Disabling pool member used in busy HSL TCP destination can result service disruption.
659057-1	3-Major		BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
658636-2	3-Major	K51355172	When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
652691-1	3-Major		Installation fails if only .iso.384.sig (new format signature file) is present★
652689-2	3-Major	K14243280	Displaying 100G interfaces
642952	3-Major		platform_check doesn't run PCI check on i11800
640636-3	3-Major		F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638881-1	3-Major		Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
628739-1	3-Major		BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
628735-1	3-Major		Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
604547-1	3-Major	K21551422	Unix daemon configuration may lost or not be updated upon reboot
674515	4-Minor		New revoke license feature for VE only implemented
663580-1	4-Minor	K31981624	logrotate does not automatically run when /var/log reaches 90% usage
644723-1	4-Minor		cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
507206-1	4-Minor		Multicast Out stats always zero for management interface.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
463097-3	3-Major	K09247330	Clock advanced messages with large amount of data maintained in DNS Express zones

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
672504-1	2-Critical	K52325625	Deleting zones from large databases can take excessive amounts of time.
614788-1	2-Critical		zxfrd crash due to lack of disk space
655233-1	3-Major	K93338593	DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-1	3-Major	K57853542	DNS Express responses missing SOA record in NoData responses if CNAMEs present
645615-2	3-Major	K70543226	zxfrd may fail and restart after multiple failovers between blades in a chassis.
433678-2	3-Major	K32401561	A monitor removed from GTM link cannot be deleted: 'monitor is in use'
646615-1	4-Minor		Improved default storage size for DNS Express database

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
652796-1	1-Blocking		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652792-1	2-Critical		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
678976-2	3-Major	K24756214	Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-3	3-Major		Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
679440-2	2-Critical	K14120433	MCPD Cores with SIGABRT
591828-4	3-Major		For unmatched connection, TCP RST may not be sent for data packet

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
668252-2	2-Critical	K22784428	TMM crash in PEM_DIAMETER component
628311-3	2-Critical	K87863112	Potential TMM crash due to duplicate installed PEM policies by the PCRF
675928-2	3-Major		Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
674686-2	3-Major		Periodic content insertion of new flows fails, if an outstanding flow is a long flow
673683-2	3-Major		Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
673678-2	3-Major		Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
673472-2	3-Major		After classification rule is updated, first periodic Insert content action fails for existing subscriber
639486-4	3-Major		TMM crash due to PEM usage reporting after a CMP state change.
634015-3	3-Major	K49315364	Potential TMM crash due to a PEM policy content triggered buffer overflow
572568-2	3-Major		Gy CCR-i requests are not being re-sent after initial configured re-transmits

Cumulative fixes from BIG-IP v12.1.3 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
684879-2	CVE-2017-6164	K02714910	Malformed TLS1.2 records may result in TMM segmentation fault.
662022-5	CVE-2017-6138	K34514540	The URI normalization functionality within the TMM may mishandle some malformed URIs.
653993-3	CVE-2017-6132	K12044607	A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880	CVE-2017-6214	K81211720	Kernel Vulnerability: CVE-2017-6214
652539	CVE-2016-0634 CVE-2016-7543 CVE-2016-9401	K73705133	Multiple Bash Vulnerabilities
652516	CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576	K31603170	Multiple Linux Kernel Vulnerabilities
651221-2	CVE-2017-6133	K25033460	Parsing certain URIs may cause the TMM to produce a core file.
650286-2	CVE-2017-6167	K24465120	REST asynchronous tasks permissions issues
650059-1	CVE-2017-6129	K20087443	TMM may crash when processing VPN traffic
649907-2	CVE-2017-3137	K30164784	BIND vulnerability CVE-2017-3137
649904-2	CVE-2017-3136	K23598445	BIND vulnerability CVE-2017-3136
644904-5	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486	K55129614	tcpdump 4.9
644693-3	CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241	K15518610	Fix for multiple CVE for openjdk-1.7.0
638556-2	CVE-2016-10045	K73926196	PHP Vulnerability: CVE-2016-10045
634779-1	CVE-2017-6147	K43945001	TMM may crash will processing SSL Forward Proxy traffic
625860-2	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on B4450 platform.
624903-6	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
600069-6	CVE-2017-0301	K54358225	Portal Access: Requests handled incorrectly
659791-2	CVE-2017-6136	K81137982	TFO and TLP could produce a core file under specific circumstances
655059-3	CVE-2017-6134	K37404773	TMM Crash
653224-1	CVE-2016-8610 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337	K59836191	Multiple GnuTLS Vulnerabilities
653217-2	CVE-2016-2125 CVE-2016-2126	K03644631	Multiple Samba Vulnerabilities
645480-3	CVE-2017-6139	K45432295	Unexpected APM response
645101-2	CVE-2017-3731, CVE-2017-3732	K44512851	OpenSSL vulnerability CVE-2017-3732
642659-2	CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540	K34527393	Multiple LibTIFF Vulnerabilities
640768	CVE-2016-10088 CVE-2016-9576	K05513373	Kernel vulnerability: CVE-2016-10088
639729-2	CVE-2017-0304	K39428424	Request validation failure in AFM UI Policy Editor
637666-2	CVE-2016-10033	K74977440	PHP Vulnerability: CVE-2016-10033
635314-5	CVE-2016-1248	K22183127	vim Vulnerability: CVE-2016-1248
622178-1	CVE-2017-6158	K19361245	Improve flow handling when Autolasthop is disabled
597176-1	CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE	K01837042	Multiple Wireshark (tshark) vulnerabilities
583678-1	CVE-2016-3115	K93532943	SSHD session.c vulnerability CVE-2016-3115
567233-1	CVE-2015-5252, CVE-2015-5296, CVE-2015-5299	K92616530	Multiple samba vulnerabilities
353229-2	CVE-2018-5522	K54130510	Buffer overflows in DIAMETER
656912-4	CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458	K32262483	Various NTP vulnerabilities
632875-3	CVE-2018-5516	K37442533	Non-Administrator TMSH users no longer allowed to run dig
615226-5	CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300	K13074505	Libarchive vulnerabilities: CVE-2016-8687 and others
590840-2	CVE-2015-8325	K20911042	OpenSSH vulnerability CVE-2015-8325
655021-2	CVE-2017-3138	K23598445	BIND vulnerability CVE-2017-3138
652638-2	CVE-2016-10167	K23731034	php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
627203-1	CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597	K63427774	Multiple Oracle Java SE vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
654549-1	2-Critical		PVA support for uncommon protocols DoS vector
653729-2	2-Critical		Support IP Uncommon Protocol
653234	2-Critical		Many objects must be reconfigured before use when loading a UCS from another device.★
652094-2	2-Critical	K49190243	Improve traffic disaggregation for uncommon IP protocols
643210-2	2-Critical	K45444280	Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
643054-2	2-Critical		ARP and NDP packets should be CoS marked by the swtich on ingress
663521-2	3-Major		Intermittent dropping of multicast packets on certain BIG-IP platforms
651772-3	3-Major		IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
643143-2	3-Major		ARP and NDP packets should be QoS/DSCP marked on egress
610710-2	3-Major		Pass IP TOS bits from incoming connection to outgoing connection
584545-2	3-Major		Failure to stabilize internal HiGig link will not trigger failover event
567177-1	4-Minor		Log all attempts of key export in ltm log
650074-1	5-Cosmetic		Changed Format of RAM Cache REST Status output.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
642703-2	1-Blocking		Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
619097	1-Blocking		iControl REST slow performace on GET request for virtual servers
539093-1	1-Blocking	K26104530	VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
697878	2-Critical		High crypto request completion time under some workload patterns
666790-2	2-Critical	K06619044	Use HSB HiGig MAC reset to recover both FCS errors and link instability
665354-2	2-Critical	K31190471	Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
658574-2	2-Critical	K61847644	An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357-2	2-Critical	K06245820	Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376-5	2-Critical		bgpd may crash on receiving a BGP update with >= 32 extended communities
649866-1	2-Critical		fsck should not run during first boot on public clouds
638997-2	2-Critical		Reboot required after disk size modification in a running BIG-IP VE instance.
625456-5	2-Critical		Pending sector utility may write repaired sector incorrectly
624826-2	2-Critical		mgmt bridge takes HWADDR of guest vm's tap interface
613415-2	2-Critical	K22750357	Memory leak in ospfd when distribute-list is used
609335-1	2-Critical		IPsec tmm devbuf memory leak.
604011-1	2-Critical		Sync fails when iRule or policy is in use★
595783	2-Critical		Changing console baud rate for B2100, B2150 and B2250 blades does not work
593137-1	2-Critical		userDefined property for bot signatures is not shown in REST
579210-3	2-Critical	K11418051	VIPRION B4400N blades might fail to go Active under rare conditions.
471860-10	2-Critical	K16209	Disabling interface keeps DISABLED state even after enabling
412817-3	2-Critical		BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
671920-1	3-Major		Accessing SNMP over IPv6 on non-default route domains
669818-2	3-Major		Higher CPU usage for syslog-ng when a syslog server is down
667278-3	3-Major		DSC connections between BIG-IP units may fail to establish
667138-1	3-Major		LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★
664829-1	3-Major		BIG-IP sometimes performs unnecessary reboot on first boot
662331-1	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
661764-2	3-Major	K53762147	It is possible to configure a number of CPUs that exceeds the licensed throughput
660532-2	3-Major	K21050223	Cannot specify the event parameter for redirects on the policy rule screen.
655671-1	3-Major		Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649-2	3-Major	K88627152	BGP last update timer incorrectly resets to 0
654011-2	3-Major	K33210520	Pool member's health monitors set to Member Specific does not display the active monitors
651155-1	3-Major		HSB continually logs 'loopback ring 0 tx not active'
650349	3-Major		Creation or reconfiguration of iApps fails if high speed logging is configured
650002-1	3-Major		tzdata bug fix and enhancement update
649949-1	3-Major		Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
647988-3	3-Major	K15331432	HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-2	3-Major		MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-6	3-Major		Traffic group becomes active on more than one BIG-IP after a long uptime
644404-1	3-Major		Extracting SSD from system leads to Emergency LCD alert★
644184-4	3-Major	K36427438	ZebOS daemons hang while AgentX SNMP daemon is waiting.
643294	3-Major		IGMP and PIM not in self-allow default list when upgrading from 10.2.x★
643121-1	3-Major		Failed installation volumes cannot be deleted in the GUI.
643013	3-Major		DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
642982-3	3-Major	K23241518	tmrouted may continually restart after upgrade, adding or renaming an interface★
642314-2	3-Major	K24276198	CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
638825-2	3-Major		SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
637561-1	3-Major		Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744-1	3-Major	K16918340	IKEv1 phase 2 SAs not deleted
631866-2	3-Major		Cannot access LTM policy rules in the web UI when the name contains certain characters
631172-4	3-Major	K54071336	GUI user logged off when idle for 30 minutes, even when longer timeout is set
624692-3	3-Major		Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
623391-5	3-Major		cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
622619-5	3-Major		BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622133-1	3-Major		VCMP guests may incorrectly obtain incorrect MAC addresses
621259-3	3-Major		Config save takes long time if there is a large number of data groups
619060	3-Major		Reduction in boot time in BIG-IP Virtual Edition platforms
617875-1	3-Major		vCMP guest may fail to start due to not enough hugepages
612752-1	3-Major		UCS load or upgrade may fail under certain conditions.★
610442-2	3-Major	K75051412	vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
607961-1	3-Major		Secondary blades restart when modifying a virtual server's route domain in a different partition.
605792-1	3-Major		Installing a new version changes the ownership of administrative users' files★
601709-2	3-Major	K02314881	I2C error recovery for BIG-IP 4340N/4300 blades
590938-3	3-Major		The CMI rsync daemon may fail to start
583475-1	3-Major		The BIG-IP may core while recompiling LTM policies
577474-3	3-Major	K35208043	Users with auditor role are unable to use tmsh list sys crypto cert
569100-1	3-Major		Virtual server using NTLM profile results in benign Tcl error
544906-2	3-Major	K07388310	Issues when using remote authentication when users have different partition access on different devices
507240-4	3-Major	K13811263	ICMP traffic cannot be disaggregated based on IP addresses
480983-4	3-Major		tmrouted daemon may core due to daemon_heartbeat
471029-2	3-Major		If the configuration contains a filename with the $ character, then saving the UCS fails.
656900-1	4-Minor		Blade family migration may fail
655314	4-Minor		When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★
653225-1	4-Minor		coreutils security and bug fix update
645717	4-Minor		UCS load does not set directory owner
644975-4	4-Minor	K09554025	/var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644799-1	4-Minor	K42882011	TMM may crash when the BIG-IP system processes CGNAT traffic.
642723-3	4-Minor		Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
634371-2	4-Minor		Cisco ethernet NIC driver
530927-8	4-Minor		Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-6	4-Minor		tmsh sys log filter is displayed in UTC time
527720-1	4-Minor		Rare 'No LopCmd reply match found' error in getLopReg
448409-1	4-Minor	K15491	'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
626596	5-Cosmetic		Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670011-2	1-Blocking		SSL forward proxy does not create the server certchain when ignoring server certificates
621452-1	1-Blocking	K58146172	Connections can stall with TCP::collect iRule
659899-1	2-Critical	K10589537	Rare, intermittent system instability observed in dynamic load-balancing modes
657713-5	2-Critical	K05052273	Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628-1	2-Critical		TCP analytics does not release resources under specific sequence of packets
655211-1	2-Critical		bigd crash (SIGSEGV) when running FQDN node monitors
650317-3	2-Critical		The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-4	2-Critical		tmm core in iRule with unreachable remote address
648037-2	2-Critical		LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-2	2-Critical	K43005132	HA standby virtual server with non-default lasthop settings may crash.
646604-5	2-Critical	K21005334	Client connection may hang when NTLM and OneConnect profiles used together
645663	2-Critical		Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
644112-2	2-Critical	K56150996	Permanent connections may be expired when endpoint becomes unreachable
643631	2-Critical	K70938130	Serverside connections on virtual servers using VDI may become zombies.
635274-1	2-Critical	K21514205	SSL::sessionid command may return invalid values
634265-2	2-Critical	K34688632	Using route pools whose members aren't directly connected may crash the TMM.
632552-2	2-Critical	K08634156	tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
629178-1	2-Critical	K42206046	Incorrect initial size of connection flow-control window
611704-5	2-Critical		tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605983-1	2-Critical		tmrouted may crash when being restarted in debug mode
604926-3	2-Critical	K50041125	The TMM may become unresponsive when using SessionDB data larger than ~400K
604223-2	2-Critical		pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
583700-3	2-Critical		tmm core on out of memory
583355-1	2-Critical		The TMM may crash when changing profiles associated with plugins
566071-5	2-Critical		network-HSM may not be operational on secondary slots of a standby chassis.
559030-1	2-Critical	K65244513	TMM may core during ILX RPC activity if a connflow closes before the RPC returns
687193-1	3-Major		TMM may leak memory when processing SSL Forward Proxy traffic
677119	3-Major		HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
672008-1	3-Major	K22122208	NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935-2	3-Major	K64461712	Possible ephemeral port reuse.
669025-1	3-Major	K11425420	Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668521-2	3-Major		Bigd might stall while waiting for an external monitor process to exit
666032-3	3-Major	K05145506	Secure renegotiation is set while data is not available.
663326-2	3-Major		Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-2	3-Major	K10443875	L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-1	3-Major		iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
658214-2	3-Major	K20228504	TCP connection fail intermittently for mirrored fastl4 virtual server
655793-1	3-Major	K04178391	SSL persistence parsing issues due to SSL / TCP boundary mismatch
654109-2	3-Major	K01102467	Configuration loading may fail when iRules calling procs in other iRules are deleted
653511-2	3-Major		Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
652535-1	3-Major	K54443700	HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652445-2	3-Major	K87541959	SAN with uppercase names result in case-sensitive match or will not match
651651-3	3-Major	K54604320	bigd can crash when a DNS response does not match the expected value
650292-2	3-Major		DNS transparent cache can return non-recursive results for recursive queries
650152-1	3-Major		Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
648954-5	3-Major	K01102467	Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647137	3-Major		bigd/tmm con vCMP guests
646443-1	3-Major	K54432535	Ephemeral Node may be errantly created in bigd, causing crash
645058-3	3-Major		Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-3	3-Major	K85772089	Removing pool from virtual server does not update its status
644873-2	3-Major	K97237310	ssldump can fail to decrypt captures with certain TCP segmenting
644851-2	3-Major		Websockets closes connection on receiving a close frame from one of the peers
644418-2	3-Major		Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643777-2	3-Major	K27629542	LTM policies with more than one IP address in TCP address match may fail
643582-2	3-Major		Config load with large ssl profile configuration may cause tmm restart
641491-2	3-Major	K37551222	TMM core while running iRule LB::status pool poolname member ip port
640376-3	3-Major		STPD leaks memory on 2000/4000/i2000/i4000 series
638715-3	3-Major	K77010072	Multiple Diameter monitors to same server ip/port may race on PID file
632001-1	3-Major		For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
627574-1	3-Major		After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
626434-6	3-Major	K65283203	tmm may be killed by sod when a hardware accelerator does not work
624805-1	3-Major		ILX node.js process may be restarted if a single operation takes more than 15 seconds
623940-3	3-Major		SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622017-8	3-Major	K54106058	Performance graph data may become permanently lost after corruption.
621736-6	3-Major		statsd does not handle SIGCHLD properly in all cases
620788-1	3-Major	K05232247	FQDN pool created with existing FQDN node has RED status
618161-1	3-Major		SSL handshake fails when clientssl uses softcard-protected key-certs.
618121	3-Major		"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
607246-10	3-Major		Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-2	3-Major		Policy unable to match initial path segment when request-URI starts with "//"
602040-3	3-Major		Truncated support ID for HTTP protocol security logging profile
600614-5	3-Major		External crypto offload fails when SSL connection is renegotiated
596433-3	3-Major		Virtual with lasthop configured rejects request with no route to client.
596242-1	3-Major	K17065223	[zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
595275-5	3-Major		Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
593390-4	3-Major		Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589006-5	3-Major		SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-5	3-Major	K98547701	Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
578573-1	3-Major		SSL Forward Proxy Forged Certificate Signature Algorithm
563933-4	3-Major		[DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
536563-7	3-Major		Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
484542-1	3-Major		QinQ tag-mode can be set on unsupported platforms
668802-3	4-Minor	K83392557	GTM link graphs fail to display in the GUI
667318-3	4-Minor		BIG-IP DNS/GTM link graphs fail to display in the GUI.
584210-1	4-Minor		TMM may core when running two simultaneous WebSocket collect commands
578415-2	4-Minor		Support for hardware accelerated bulk crypto SHA256 missing
513288-7	4-Minor		Management traffic from nodes being health monitored might cause health monitors to fail.
462043-2	4-Minor		DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
620903-1	2-Critical		Decreased performance of ICMP attack mitigation.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
636541-3	1-Blocking		DNS Rapid Response filters large datagrams
667028-1	2-Critical		DNS Express does not run on i11000 platforms with htsplit disabled.
649564-2	2-Critical		Crash related to GTM monitors with long RECV strings
663073-1	3-Major		GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912-1	3-Major		GSLB Pool Member Manage page display issues and error message
655807-5	3-Major	K40341291	With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445-2	3-Major		Provide the ability to globally specifiy a DSCP value.
654599-1	3-Major	K74132601	The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
648286-2	3-Major		GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447-2	3-Major		sync_zones script increasingly consumes memory when there is network connectivity failure
626141-3	3-Major		DNSX Performance Graphs are not displaying Requests/sec"
615222-1	3-Major		GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★
605260-1	3-Major		[GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
659969-1	4-Minor		tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
644220-3	4-Minor		Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
604371-1	4-Minor		Pagination controls missing for GSLB pool members
582773-5	4-Minor		DNS server for child zone can continue to resolve domain names after revoked from parent

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
653014-1	2-Critical		Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name
652200-1	2-Critical	K81349220	Failure to update ASM enforcer about account change.
638629-2	2-Critical		Bot can be classified as human
619110-1	2-Critical		Slow to delete URLs, CPU spikes with Automatic Policy Builder
672695-1	3-Major		Internal perl process listening on all interfaces when ASM enabled
665905	3-Major	K83305000	Signature System corruption from specific ASU prevents ASU load after upgrade
664930-2	3-Major		Policy automatic learning mode changes to manual after failover
655617-1	3-Major	K36442669	Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
631444-2	3-Major		Bot Name for ASM Search Engines is case sensitive
606521-1	3-Major		Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
605616-1	3-Major		Creating 256 Fundamental Security policies will result in an out of memory error
602975-1	3-Major		Unable to update the HTTP URL's "Header-Based Content Profiles" values
596685-1	3-Major	K76841626	Request Log failure on request with XML format violation
595900-4	3-Major	K11833633	Cookie Signature overrides may be ignored after Signature Update
563727-1	3-Major		Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
534247-1	3-Major		Issue a Body in Get sub violation for GET request with content type header

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
604191-1	2-Critical		AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★
629573-1	3-Major	K66001885	No drill-down filter for virtual-servers is mentioned on exported reports when using partition
603875-2	3-Major		The statistic ASM memory Utilization - bd swap size: stats are wrong
601536-1	3-Major		Analytics load error stops load of configuration★
639395-2	4-Minor	K91614278	AVR does not display 'Max read latency' units.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
647108-1	1-Blocking		Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
679235-5	2-Critical		Inspection Host NPAPI Plugin for Safari can not be installed
669341	2-Critical		Category Lookup by Subject.CN will result in a reset
666454-2	2-Critical	K05520115	Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
663506-7	2-Critical	K30533350	apmd crash during ldap cache initialization
652004-2	2-Critical	K45320415	Show /apm access-info all-properties causes memory leaks in tmm
662639-2	3-Major		Policy Sync fails when policy object include FIPS key
659371-2	3-Major	K54310201	apmd crashes executing iRule policy evaluate
658852-5	3-Major		Empty User-Agent in iSessions requests from APM client on Windows
654513-6	3-Major	K11003951	APM daemon crashes when the LDAP query agent returns empty in its search results.
649929-1	3-Major		saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
648053-1	3-Major	K94477320	Rewrite plugin may crash on some JavaScript files
646928-1	3-Major		Landing URI incorrect when changing URI
645684-2	3-Major		Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
618957-1	3-Major		Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
601919-2	3-Major		Custom categories and custom url filter assignment must be specific to partition instead of global lookup
583272-2	3-Major		"Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
580567-1	3-Major		LDAP Query agent failed to resolve nested group membership
551795-1	3-Major		Portal Access: corrections to CORS support for XMLHttpRequest
550547-2	3-Major		URL including a "token" query fails results in a connection reset

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
664535-1	2-Critical		Diameter failure: load balancing fails when all pool members use same IP Address
640407-1	2-Critical		Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
568545-2	2-Critical	K17124802	iRules commands that refer to a transport-config will fail validation
559953-1	2-Critical		tmm core on long DIAMETER::host value
662364-2	3-Major		MRF DIAMETER: IP ToS not passing through with DIAMETER
644946-2	3-Major	K05053251	Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation
644565-1	3-Major		MRF Message metadata lost when routing message to a connection on a different TMM
634078-2	3-Major		MRF: Routing using a virtual with SNAT set to none may select a source port of zero
624155-2	3-Major		MRF Per-Client mode connections unable to return responses if used by another client connection
620929-4	3-Major		New iRule command, MR::ignore_peer_port
651640-3	4-Minor		queue full dropped messages incorrectly counted as responses

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670400-3	2-Critical		SSH Proxy public key authentication can be circumvented in some cases
655470	2-Critical	K79924625	IP Intelligence logging publisher removal can cause tmm crash
651001-1	2-Critical		massive prints in tmm log: "could not find conf for profile crc"
650081-1	3-Major	K53010710	FP feature causes the blank page/delay on IE11
648617	3-Major		JavaScript challenge repeating in loop when URL has path parameters
644855-2	3-Major		irules with commands which may suspend processing cannot be used with proactive bot defense
630356-1	3-Major		JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
628351-1	3-Major		Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
618902-4	3-Major		PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation
618656-2	3-Major		JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
519612-1	3-Major		JavaScript challenge fails when coming within iframe with different domain than main page

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
658261-2	2-Critical	K12253471	TMM core after HA during GY reporting
658148-2	2-Critical	K23150504	TMM core after intra-chassis failover for some instances of subscriber creation
657632-4	2-Critical		Rarely if a subscriber delete is performed following HA switchover, tmm may crash
653285-1	2-Critical		PEM rule deletion with HSL reporting may cause tmm coredump
652973-2	2-Critical		Coredump observed at system bootup time when many DHCP packets arrive
650422-2	2-Critical		TMM core after a switchover involving GY quota reporting
659567-1	3-Major	K94685557	iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052-3	3-Major		PEM:sessions iRule made the order of parameters strict
635257-2	3-Major	K41151808	Inconsistencies in Gx usage record creation.
623037-2	3-Major		delete of pem session attribute does not work after a update

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
676808-2	2-Critical		FPS: tmm may crash on response with large payload from server
669364-1	2-Critical		TMM core when server responds fast with server responses such as 404.
669359	2-Critical		WebSafe might cause connections to hang
674931	3-Major		FPS modified responses/injections might result in a corrupted response
674909-3	3-Major		Application CSS injection might break when connection is congested
667872-1	3-Major		Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
658321-2	3-Major		Websafe features might break in IE8
657502-2	3-Major		JS error when leaving page opened for several minutes
644694	3-Major		FPS security update check ends up with an empty page when error occurs.
618185-1	3-Major		Mismatch in URL CRC32 calculation
643602-2	4-Minor		'Select All' checkbox selects items on hidden pages

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
605123-1	2-Critical		IAppLX objects fail to sync after establishing HA in auto-sync mode★

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
606316-4	1-Blocking		HTTPS request to F5 licensing server fails
665778-1	2-Critical	K34503519	Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
599424-2	2-Critical		iApps LX fails to sync★
632060-1	4-Minor		restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
693211-3	CVE-2017-6168	K21905460	CVE-2017-6168

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
664063-1	2-Critical	K03203976	Azure displays failure for deployment of BIG-IP from a Resource Manager template

Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
652151-1	CVE-2017-6131	K61757346	Azure VE: Initialization improvement
623885-4	CVE-2016-9251	K41107914	Internal authentication improvements
621371-2	CVE-2016-9257	K43523962	Output Errors in APM Event Log
648865-2	CVE-2017-6074	K82508682	Linux kernel vulnerability: CVE-2017-6074
643187-2	CVE-2017-3135	K80533167	BIND vulnerability CVE-2017-3135
641445-1	CVE-2017-6145	K22317030	iControl improvements
641360-2	CVE-2017-0303	K30201296	SOCKS proxy protocol error
641256-1	CVE-2016-9257	K43523962	APM access reports display error
636702-3	CVE-2016-9444	K40181790	BIND vulnerability CVE-2016-9444
636699-5	CVE-2016-9131	K86272821	BIND vulnerability CVE-2016-9131
631582	CVE-2016-9250	K55792317	Administrative interface enhancement
630475-5	CVE-2017-6162	K13421245	TMM Crash
628836-4	CVE-2016-9245	K22216037	TMM crash during request normalization
626360	CVE-2017-6163	K22541983	TMM may crash when processing HTTP2 traffic
624570-1	CVE-2016-8864	K35322517	BIND vulnerability CVE-2016-8864
624526-3	CVE-2017-6159	K10002335	TMM core in mptcp
624457-5	CVE-2016-5195	K10558632	Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
623093-1	CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320	K38871451	TIFF vulnerability CVE-2015-7554
620400-1	CVE-2017-6141	K21154730	TMM crash during TLS processing
610255-1	CVE-2017-6161	K62279530	CMI improvement
596340-8	CVE-2016-9244	K05121675	F5 TLS vulnerability CVE-2016-9244
580026-5	CVE-2017-6165	K74759095	HSM logging error
648879-2	CVE-2016-6136 CVE-2016-9555	K90803619	Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
641612-2	CVE-2017-0302	K87141725	APM crash
638137	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828	K51201255	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
635412	CVE-2017-6137	K82851041	Invalid mss with fast flow forwarding and software syn cookies
635252-1	CVE-2016-9256	K47284724	CVE-2016-9256
631688-7	CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433	K55405388 K87922456 K63326092 K51444934 K80996302	Multiple NTP vulnerabilities
630150-1	CVE-2016-9253	K51351360	Websockets processing error
627916-1	CVE-2017-6144	K81601350	Improve cURL Usage
627907-1	CVE-2017-6143	K11464209	Improve cURL usage
627747-1	CVE-2017-6142	K20682450	Improve cURL Usage
625372-5	CVE-2016-2179	K23512141	OpenSSL vulnerability CVE-2016-2179
623119	CVE-2016-4470	K55672042	Linux kernel vulnerability CVE-2016-4470
622496	CVE-2016-5829	K28056114	Linux kernel vulnerability CVE-2016-5829
622126-1	CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127	K54308010	PHP vulnerability CVE-2016-7124
621337-6	CVE-2016-7469	K97285349	XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-6	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
615267-2	CVE-2016-2183	K13167034	OpenSSL vulnerability CVE-2016-2183
613225-7	CVE-2016-2180, CVE-2016-6306, CVE-2016-6302	K90492697	OpenSSL vulnerability CVE-2016-6306
606710-10	CVE-2016-2834 CVE-2016-5285 CVE-2016-8635	K15479471	Mozilla NSS vulnerability CVE-2016-2834
605420-5	CVE-2016-5387, CVE-2007-6750	K80513384	httpd security update - CVE-2016-5387
600232-9	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
600223-2	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
599858-7	CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240	K68785753	ImageMagick vulnerability CVE-2015-8898
635933-3	CVE-2004-0790	K23440942	The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
628832-4	CVE-2016-6161	K71581599	libgd vulnerability CVE-2016-6161
622662-7	CVE-2016-6306	K90492697	OpenSSL vulnerability CVE-2016-6306
617901-1	CVE-2018-5525	K00363258	GUI to handle file path manipulation to prevent GUI instability.
609691-1	CVE-2014-4617	K21284031	GnuPG vulnerability CVE-2014-4617
600205-9	CVE-2016-2178	K53084033	OpenSSL Vulnerability: CVE-2016-2178
600198-2	CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216	K53084033	OpenSSL vulnerability CVE-2016-2178
599285-2	CVE-2016-5094 CVE-2016-5095 CVE-2016-5096	K51390683	PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-10	CVE-2016-2178	K53084033	OpenSSL vulnerability CVE-2016-2178
621937-1	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
621935-6	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
606771-2	CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297	K35799130	Multiple PHP vulnerabilities
601268-5	CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094	K43267483	PHP vulnerability CVE-2016-5766

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
653453	2-Critical		ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
628972-2	2-Critical		BMC version 2.51.7 for iSeries appliances
624831-2	2-Critical		BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
616918-1	2-Critical		BMC version 2.50.3 for iSeries appliances
633723-3	3-Major		New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-1	3-Major		GUI Error trying to modify IP Data-Group
609614-3	3-Major		Yafuflash 4.25 for iSeries appliances
597797-4	3-Major	K78449695	Allow users to disable enforcement of RFC 7057
581840-5	3-Major	K46576869	Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
564876-2	3-Major		New DB variable log.lsn.comma changes CGNAT logs to CSV format
609084-2	4-Minor	K03808942	Max number of chunks not configurable above 1000 chunks
597270-2	4-Minor		tcpdump support missing for VXLAN-GPE NSH

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
655500	1-Blocking		Rekey SSH sessions after one hour
642058-1	1-Blocking		CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-5	1-Blocking	K00216423	Backslash removal in LTM monitors after upgrade
627433-1	1-Blocking		HSB transmitter failure on i2x00 and i4x00 platforms
602830-1	1-Blocking		BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
648056-2	2-Critical	K16503454	bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805	2-Critical	K92637255	LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses
641248	2-Critical		IPsec-related tmm segfault
641013-5	2-Critical		GRE tunnel traffic pinned to one TMM
638935-3	2-Critical		Monitor with send/receive string containing double-quote may cause upgrade to fail.★
636918-2	2-Critical		Fix for crash when multiple tunnels use the same traffic selector
636290	2-Critical		vCMP support for B4450 blade
627898-2	2-Critical		TMM leaks memory in the ECM subsystem
625824-1	2-Critical		iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
624263-4	2-Critical		iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response
618779-1	2-Critical		Route updates during IPsec tunnel setup can cause tmm to restart
616059-1	2-Critical	K19545861	Modifying license.maxcores Not Allowed Error
614296-1	2-Critical		Dynamic routing process ripd may core
613536-5	2-Critical		tmm core while running the iRule STATS:: command
610295-1	2-Critical	K32305923	TMM may crash due to internal backplane inconsistency after reprovisioning
583516-2	2-Critical		tmm ASSERT's "valid node" on Active, after timer fire..
567457-2	2-Critical		TMM may crash when changing the IKE peer config.
652484-2	3-Major		tmsh show net f5optics shows information for only 1 chassis slot in a cluster
649617-2	3-Major		qkview improvement for OVSDB management
648544-5	3-Major	K75510491	HSB transmitter failure may occur when global COS queues enabled
646760	3-Major		Common Criteria Mode Disrupts Administrative SSH Access
644490-1	3-Major		Finisar 100G LR4 values need to be revised in f5optics
637559-1	3-Major		Modifying iRule online could cause TMM to be killed by SIGABRT
636535	3-Major	K24844444	HSB lockup in vCMP guest doesn't generate core file
635961-1	3-Major		gzipped and truncated files may be saved in qkview
635129	3-Major		Chassis systems in HA configuration become Active/Active during upgrade★
635116-1	3-Major	K34100550	Memory leak when using replicated remote high-speed logging.
634115-1	3-Major		Not all topology records may sync.
633879-1	3-Major	K52833014	Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633512-1	3-Major		HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633413-1	3-Major		IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
631627-4	3-Major		Applying BWC over route domain sometimes results in tmm not becoming ready on system start
630622-1	3-Major		tmm crash possible if high-speed logging pool member is deleted and reused
630610-5	3-Major	K43762031	BFD session interface configuration may not be stored on unit state transition
630546-1	3-Major		Very large core files may cause corrupted qkviews
629499-9	3-Major		tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
629085-1	3-Major	K55278069	Any CSS content truncated at a quoted value leads to a segfault
628202-4	3-Major		Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-3	3-Major	K20766432	OSPF with multiple processes may incorrectly redistribute routes
628009-1	3-Major		f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
627961-3	3-Major	K15130343	nic_failsafe reboot doesn't trigger if HSB fails to disable interface
627914-1	3-Major		Unbundled 40GbE optics reporting as Unsupported Optic
627214-3	3-Major		BGP ECMP recursive default route not redistributed to TMM
626839	3-Major		sys-icheck error for /var/lib/waagent in Azure.
626721-5	3-Major		"reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
625703-2	3-Major		SELinux: snmpd is denied access to tmstat files
625085	3-Major		lasthop rmmod causes kernel panic
624361-1	3-Major		Responses to some of the challenge JS are not zipped.
623930-3	3-Major		vCMP guests with vlangroups may loop packets internally
623401-1	3-Major		Intermittent OCSP request failures due to non-optimal default TCP profile setting
623336-4	3-Major		After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
623055-1	3-Major		Kernel panic during unic initialization
622183-5	3-Major		The alert daemon should remove old log files but it does not.
621909-4	3-Major	K23562314	Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-1	3-Major		DSR tunnels with transparent monitors may cause TMM crash.
620659-3	3-Major		The BIG-IP system may unecessarily run provisioning on successive reboots
620366-4	3-Major		Alertd can not open UDP socket upon restart
617628-1	3-Major		SNMP reports incorrect value for sysBladeTempTemperature OID
615934-1	3-Major		Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1	3-Major		Cannot SSH from AOM/SCCP to host without password (host-based authentication).
613765-3	3-Major		Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
612809-1	3-Major		Bootup script fails to run on on a vCMP guest due to a missing reference file.
611658-3	3-Major		"less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1	3-Major		AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3	3-Major		vCMP: VLAN failsafe does not trigger on guest
610417-1	3-Major	K54511423	Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609119-7	3-Major		Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-3	3-Major		iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response
604727-1	3-Major		Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★
604237-3	3-Major		Vlan allowed mismatch found error in VCMP guest
604061-2	3-Major		Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602376-1	3-Major		qkview excludes files
598498-7	3-Major		Cannot remove Self IP when an unrelated static ARP entry exists.
598134-1	3-Major		Stats query may generate an error when tmm on secondary is down
596067-2	3-Major		GUI on VIPRION hangs on secondary blade reboot
590211-2	3-Major		jitterentropy-rngd quietly fails to start
583754-7	3-Major		When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
575027-1	3-Major		Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
562928-2	3-Major		Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
559080-5	3-Major		High Speed Logging to specific destinations stops from individual TMMs
557471-3	3-Major		LTM Policy statistics showing zeros in GUI
543208-1	3-Major		Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★
534520-1	3-Major		qkview may exclude certain log files from /var/log
424542-5	3-Major		tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
418349-2	3-Major		Update/overwrite of FIPS keys error
643404-2	4-Minor	K30014507	'tmsh system software status' does not display properly in a specific cc-mode situation★
636520-3	4-Minor	K88813435	Detail missing from power supply 'Bad' status log messages
633181-1	4-Minor		A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
632668-5	4-Minor		When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-3	4-Minor		Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
621957-2	4-Minor		Timezone data on AOM not syncing with host
609107-1	4-Minor		mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
599191-2	4-Minor		One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-2	4-Minor	K20937139	ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
585097-1	4-Minor		Traffic Group score formula does not result in unique values.
541550-3	4-Minor		Defining more than 10 remote-role groups can result in authentication failure
541320-10	4-Minor	K50973424	Sync of tunnels might cause restore of deleted tunnels.
500452-8	4-Minor	K28520025	PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
642015-2	5-Cosmetic		SSD Manufacturer "unavailable"
524277-2	5-Cosmetic		Missing power supplies issue warning message that should be just a notice message.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
651476	2-Critical		bigd may core on non-primary bigd when FQDN in use
648715-2	2-Critical		BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
643396-2	2-Critical	K34553627	Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-2	2-Critical		Path MTU discovery occasionally fails
640352-2	2-Critical	K01000259	Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639744-1	2-Critical	K84228882	Memory leak in STREAM::expression iRule
637181-4	2-Critical		VIP-on-VIP traffic may stall after routing updates
632685	2-Critical		bigd memory leak for FQDN nodes on non-primary bigd instance
630306-1	2-Critical		TMM crash in DNS processing on UDP virtual server with no available pool members
629145-1	2-Critical		External datagroups with no metadata can crash tmm
628890-1	2-Critical		Memory leak when modifying large datagroups
627403-2	2-Critical		HTTP2 can can crash tmm when stats is updated on aborting of a new connection
626311-2	2-Critical	K75419237	Potential failure of DHCP relay functionality credits to incorrect route lookup.
625198-1	2-Critical		TMM might crash when TCP DSACK is enabled
622856-1	2-Critical		BIG-IP may enter SYN cookie mode later than expected
621870-2	2-Critical		Outage may occur with VIP-VIP configurations
619663-3	2-Critical	K49220140	Terminating of HTTP2 connection may cause a TMM crash
619528-4	2-Critical		TMM may accumulate internal events resulting in TMM restart
619071-3	2-Critical		OneConnect with verified accept issues
614509-1	2-Critical		iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
609027-1	2-Critical		TMM crashes when SSL forward proxy is enabled.
608304-1	2-Critical	K55292305	TMM crash on memory corruption
603667-2	2-Critical		TMM may leak or corrupt memory when configuration changes occur with plugins in use
603082-3	2-Critical		Ephemeral pool members are getting deleted/created over and over again.
602136-5	2-Critical		iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
601828-1	2-Critical	K13338433	An untrusted certificate can cause tmm to crash.
600982-5	2-Critical		TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599720-2	2-Critical		TMM may crash in bigtcp due to null pointer dereference
597828-1	2-Critical		SSL forward proxy crashes in some cases
596450-1	2-Critical		TMM may produce a core file after updating SSL session ticket key
594642-3	2-Critical		Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
581746-1	2-Critical	K42175594	MPTCP or SSL traffic handling may cause a BIG-IP outage
557358-5	2-Critical		TMM SIGSEGV and crash when memory allocation fails.
423629-3	2-Critical	K08454006	bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
653201	3-Major		Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
651106	3-Major		memory leak on non-primary bigd with changing node IPs
649571-1	3-Major		Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990	3-Major		Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
641512-4	3-Major	K51064420	DNSSEC key generations fail with lots of invalid SSL traffic
632324-2	3-Major		PVA stats does not show correct connection number
629412-3	3-Major		BIG-IP closes a connection when a maximum size window is attempted
627246-1	3-Major	K09336400	TMM memory leak when ASM policy configured on virtual server
626386-1	3-Major	K28505256	SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
626106-3	3-Major		LTM Policy with illegal rule name loses its conditions and actions during upgrade★
625106-2	3-Major		Policy Sync can fail over a lossy network
624616-1	3-Major		Safenet uninstall is unable to remove libgem.so
620625-2	3-Major	K38094257	Changes to the Connection.VlanKeyed DB key may not immediately apply
620079-3	3-Major		Removing route-domain may cause monitors to fail
619849-4	3-Major		In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430-2	3-Major		iRules LX data not included in qkview
618428	3-Major		iRules LX - Debug mode does not function in dedicated mode
618254-4	3-Major		Non-zero Route domain is not always used in HTTP explicit proxy
617858-2	3-Major		bigd core when using Tcl monitors
616022-2	3-Major	K46530223	The BIG-IP monitor process fails to process timeout conditions
613326-1	3-Major		SASP monitor improvements
612694-5	3-Major		TCP::close with no pool member results in zombie flows
610429-5	3-Major		X509::cert_fields iRule command may memory with subpubkey argument
610302-1	3-Major		Link throughput graphs might be incorrect.
609244-4	3-Major		tmsh show ltm persistence persist-records leaks memory
608551-3	3-Major		Half-closed congested SSL connections with unclean shutdown might stall.
607152-1	3-Major		Large Websocket frames corrupted
604496-4	3-Major		SQL (Oracle) monitor daemon might hang.
603979-4	3-Major		Data transfer from the BIG-IP system self IP might be slow
603723-2	3-Major		TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603550-1	3-Major	K63164073	Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
600827-8	3-Major	K21220807	Stuck Nitrox crypto queue can erroneously be reported
600593-1	3-Major		Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
600052-1	3-Major		GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
599121-2	3-Major	K24036315	Under heavy load, hardware crypto queues may become unavailable.
592871-3	3-Major		Cavium Nitrox PX/III stuck queue diagnostics missing.
591666-3	3-Major		TMM crash in DNS processing on TCP virtual with no available pool members
589400-1	3-Major		With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
586738-4	3-Major		The tmm might crash with a segfault.
584471-1	3-Major		Priority order of clientssl profile selection of virtual server.
584310-1	3-Major	K83393638	TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-6	3-Major		Fragmented packets may cause tmm to core under heavy load
582769-1	3-Major	K99405272	WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
579926-1	3-Major		HTTP starts dropping traffic for a half-closed connection when in passthrough mode
568543-4	3-Major		Syncookie mode is activated on wildcard virtuals
562267-3	3-Major		FQDN nodes do not support monitor alias destinations.
517756-6	3-Major		Existing connections can choose incorrect route when crossing non-strict route-domains
509858-5	3-Major	K36300805	BIG-IP FastL4 profile vulnerability
419741-3	3-Major		Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
352957-4	3-Major	K03005026	Route lookup after change in route table on established flow ignores pool members
660170-1	4-Minor	K28505910	tmm may crash at ~75% of VLAN failsafe timeout expiration
631862-1	4-Minor	K32107573	Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
618517-1	4-Minor	K61255401	bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
611161-3	4-Minor	K28540353	VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
587966-1	4-Minor	K77283304	LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
583943-1	4-Minor	K27491104	Forward proxy does not work when netHSM is configured on TMM interfaces
574020-5	4-Minor		Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
621115-1	2-Critical		IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
642039-2	2-Critical		TMM core when persist is enabled for wideip with certain iRule commands triggered.
584374-2	2-Critical	K67622400	iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
642330-2	3-Major		GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
640903-1	3-Major		Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
632423-4	3-Major		DNS::query can cause tmm crash if AXFR/IXFR types specified.
629530-2	3-Major	K53675033	Under certain conditions, monitors do not time out.
628897-1	3-Major		Add Hyperlink to gslb server and vs on the Pool Member List Page
625671-4	3-Major		The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-1	3-Major		Response Policy Zones can trigger even after entry removed from zone
624193-2	3-Major		Topology load balancing not working as expected
623023-1	3-Major		Unable to set DNS Topology Continent to Unknown via GUI
621239-2	3-Major		Certain DNS queries bypass DNS Cache RPZ filter.
620215-5	3-Major		TMM out of memory causes core in DNS cache
619398-7	3-Major		TMM out of memory causes core in DNS cache
612769-1	3-Major	K33842313	Hard to use search capabilities on the Pool Members Manage page.
601180-2	3-Major	K73505027	Link Controller base license does not allow DNS namespace iRule commands.★
567743-2	3-Major	K70663134	Possible gtmd crash under certain conditions.
557434-4	3-Major		After setting a Last Resort Pool on a Wide IP, cannot reset back to None
366695-1	5-Cosmetic		Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
646511-1	2-Critical		BD crashes repeatedly after interrupted roll-forward upgrade★
636397-1	2-Critical		bd cores when persistent storage configuration and under some memory conditions.
634001-2	2-Critical		ASM restarts after deleting a VS that has an ASM security policy assigned to it
627117-1	2-Critical		crash with wrong ceritifcate in WSS
625783-1	2-Critical		Chassis sync fails intermittently due to sync file backlog
618771-1	2-Critical		Some Social Security Numbers are not being masked
601378-2	2-Critical		Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
584082-3	2-Critical		BD daemon crashes unexpectedly
540928-1	2-Critical		Memory leak due to unnecessary logging profile configuration updates.
640824-1	3-Major	K20770267	Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
635754-1	3-Major	K65531575	Wildcard URL pattern match works inncorectly in Traffic Learning
632344-2	3-Major		POP DIRECTIONAL FORMATTING causes false positive
632326-2	3-Major	K52814351	relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631737-1	3-Major	K61367823	ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
630929-1	3-Major	K69767100	Attack signature exception list upload times-out and fails
627360-1	3-Major		Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
625832-4	3-Major		A false positive modified domain cookie violation
622913-2	3-Major		Audit Log filled with constant change messages
621524-2	3-Major		Processing Timeout When Viewing a Request with 300+ Violations
620635-2	3-Major		Request having upper case JSON login parameter is not detected as a failed login attempt
611151-2	3-Major		An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
608245	3-Major		Reporting missing parameter details when attack signature is matched against parameter value
581406-1	3-Major		SQL Error on Peer Device After Receiving ASM Sync in a Device Group
580168-4	3-Major		Information missing from ASM event logs after a switchboot and switchboot back
576591-6	3-Major		Support for some future credit card number ranges
572885-1	3-Major		Policy automatic learning mode changes to manual after failover
392121-3	3-Major		TMSH Command to retrieve the memory consumption of the bd process
642874-1	4-Minor	K15329152	Ready to be Enforced filter for Policy Signatures returns too many signatures

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
634215-1	2-Critical		False detection of attack after restarting dosl7d
573764-1	2-Critical		In some cases, only primary blade retains it's statistics after upgrade on multi bladed system
642221-2	3-Major		Incorrect entity is used when exporting TCP analytics from GUI
641574	3-Major	K06503033	AVR doesn't report on virtual and client IP in DNS statistics
635561-1	3-Major		Heavy URLs statistics are not shown after upgrade.
631722	3-Major		Some HTTP statistics not displayed after upgrade
631131-3	3-Major		Some tmstat-adapters based reports stats are incorrect
605010-1	3-Major		Thrift::TException error
560114-6	3-Major		Monpd is being affected by an I/O issue which makes some of its threads freeze

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
645339-2	1-Blocking		TMM may crash when processing APM data
637308-8	2-Critical	K41542530	apmd may crash when HTTP Auth agent is used in an Access Policy
632005-1	2-Critical		BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
622244-2	2-Critical		Edge client can fail to upgrade when always connected is selected
617310-2	2-Critical		Edge client can fail to upgrade when Always Connected is selected★
614322-1	2-Critical	K31063537	TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
608424-2	2-Critical		Dynamic ACL agent error log message contains garbage data
608408-2	2-Critical		TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
593078-1	2-Critical		CATEGORY::filetype command may cause tmm to crash and restart
643547-1	3-Major	K43036745	APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
638799-1	3-Major		Per-request policy branch expression evaluation fails
638780-3	3-Major		Handle 302 redirects for VMware Horizon View HTML5 client
636044-1	3-Major	K68018520	Large number of glob patterns affects custom category lookup performance
634576	3-Major	K48181045	TMM core in per-request policy
634252	3-Major	K99114539	TMM crash with per-request policy in SWG explicit
632504-1	3-Major	K31277424	APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-1	3-Major	K70551821	APM Policy Sync: Resources under webtop section are not sync'ed automatically
632472-1	3-Major		Frequently logged "Silent flag set - fail" messages
632386-1	3-Major		EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
630571-1	3-Major	K35254214	Edge Client on Mac OSX Sierra stuck in a reconnect loop
629801-2	3-Major		Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.
629698-1	3-Major		Edge client stuck on "Initializing" state
629069-2	3-Major		Portal Access may delete scripts from HTML page in some cases
628687-2	3-Major		Edge Client reconnection issues with captive portal
628685-2	3-Major	K79361498	Edge Client shows several security warnings after roaming to a network with Captive Portal
627972-2	3-Major	K11327511	Unable to save advanced customization when using Exchange iApp
627059-1	3-Major		In some rare cases TMM may crash while handling VMware View client connection
626910-1	3-Major		Policy with assigned SAML Resource is exported with error
625474-1	3-Major		POST request body is not saved in session variable by access when request is sent using edge client
625159-1	3-Major		Policy sync status not shown on standby device in HA case
624966-2	3-Major		Edge client starts new APM session when Captive portal session expire
623562-3	3-Major		Large POSTs rejected after policy already completed
622790-1	3-Major		EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621976-4	3-Major		OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974-4	3-Major		Skype For Business thick client shows javascript errors when rendering APM logon page
621447-1	3-Major		In some rare cases, VDI may crash
621210-2	3-Major		Policy sync shows as aborted even if it is completed
621126-2	3-Major		Import of config with saml idp connector with reuse causes certificate not found error
620829-2	3-Major		Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
620801-3	3-Major		Access Policy is not able to check device posture for Android 7 devices
620614-4	3-Major		Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1	3-Major		HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2	3-Major		Machine Cert OCSP check fails with multiple Issuer CA
619486-3	3-Major		Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-2	3-Major		Browser may hang at APM session logout
618170-3	3-Major		Some URL unwrapping functions can behave bad
617063-1	3-Major		After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1	3-Major		SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3	3-Major		Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-1	3-Major		SSO logging level may cause failover
615254-2	3-Major		Network Access Launch Application item fails to launch in some cases
612419-1	3-Major		APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
611968-3	3-Major		JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611669-4	3-Major		Mac Edge Client customization is not applied on macOS 10.12 Sierra
610180-2	3-Major		SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.
597214-5	3-Major		Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
595819-1	3-Major		Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,
595272-1	3-Major		Edge client may show a windows displaying plain text in some cases
591246-1	3-Major		Unable to launch View HTML5 connections in non-zero route domain virtual servers
584582-1	3-Major		JavaScript: 'baseURI' property may be handled incorrectly
570217-2	3-Major		BIG-IP APM now uses Airwatch v2 API to retreive device posture information
533956-3	3-Major	K30515450	Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
503842-4	3-Major		Microsoft WebService HTML component does not work after rewriting
640521-1	4-Minor		EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254-2	4-Minor		Cannot reinitiate a sync on a target device when sync is completed
618404-1	4-Minor		Access Profile copying might end up in invalid way if series of names.
606257-3	4-Minor	K56716107	TCP FIN sent with Connection: Keep-Alive header for webtop page resources

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
630661-2	3-Major	K30241432	WAM may leak memory when a WAM policy node has multiple variation header rules

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
644970-1	2-Critical		Editing a virtual server config loses SSL encryption on iSession connections
644489-1	3-Major	K14899014	Unencrypted iSession connection established even though data-encrypt configured in profile

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
639236-1	2-Critical	K66947004	Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
624023-3	2-Critical		TMM cores in iRule when accessing a SIP header that has no value
569316-1	2-Critical		Core occurs on standby in MRF when routing to a route using a transport config
649933-1	3-Major		Fragmented RADIUS messages may be dropped
629663-1	3-Major	K23210890	CGNAT SIP ALG will drop SIP INVITE
625542-1	3-Major		SIP ALG with Translation fails for REGISTER refresh.
625098-3	3-Major		SCTP::local_port iRule not supported in MRF events
601255-4	3-Major		RTSP response to SETUP request has incorrect client_port attribute

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
632731-2	2-Critical	K21964367	specific external logging configuration can cause TMM service restart
628623-1	2-Critical		tmm core with AFM provisioned
639193-1	3-Major	K03453591	BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.
631025-1	3-Major		500 internal error on inline rule editor for certain firewall policies
626438-1	3-Major		Frame is not showing in the browser and/ or an error appears
614563-3	3-Major		AVR TPS calculation is inaccurate
610129-3	3-Major	K43320840	Config load failure when cluster management IP is not defined, but instead uses address-list.
592113-5	3-Major		tmm core on the standby unit with dos vectors configured
590805-4	3-Major		Active Rules page displays a different time zone.
583024-1	3-Major		TMM restart rarely during startup
431840-3	3-Major		Cannot add vlans to whitelist if they contain a hyphen

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
627257-2	2-Critical		Potential PEM crash during a Gx operation
626851-2	2-Critical	K37665112	Potential crash in a multi-blade chassis during CMP state changes.
624744-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624733-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624228-1	2-Critical		Memory leak when using insert action in pem rule and flow gets aborted
623922-5	2-Critical	K64388805	TMM failure in PEM while processing Service-Provider Disaggregation
641482-2	3-Major		Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640510-3	3-Major		BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-2	3-Major		Session Creation failure after HA
635233-3	3-Major	K80902149	Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
630611-1	3-Major	K84324392	PEM module crash when subscriber not fund
627798-3	3-Major		Buffer length check for quota bucket objects
627279-2	3-Major		Potential crash in a multi-blade chassis during CMP state changes.
623927-2	3-Major	K41337253	Flow entry memory leaked after DHCP DORA process
564281-3	3-Major		TMM (debug) assert seen during Failover with Gy
628869-4	4-Minor		Unconditional logs seen due to the presence of a PEM iRule.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
609788	2-Critical		PCP may pick an endpoint outside the deterministic mapping
642284	3-Major		Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
629871-2	3-Major		FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
639750-1	2-Critical		username aliases are not supported
636370	3-Major		Application Layer Encryption AJAX support
629627-1	3-Major		FPS Log Publisher is not grouped nor filtered by partition
629127-1	3-Major		Parent profiles cannot be saved using FPS GUI
628348-1	3-Major		Cannot configure any Mobile Security list having 11 records or more via the GUI
628337-1	3-Major		Forcing a single injected tag configuration is restrictive
625275-1	3-Major		Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
624198-1	3-Major		Unable to add multiple User-Defined alerts with the same search category
623518-1	3-Major		Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
594127-2	3-Major		Pages using Angular may hang when Websafe is enabled
635541	4-Minor		"Application CSS Locations" is not inherited if changing parent profile

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
625172-1	2-Critical		tmm crashes when classification is enabled and ftp traffic is flowing trough the box
631472-1	3-Major		Reseting classification signatures to default may result in non-working configuration

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
606518-3	2-Critical		iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.
642983-1	3-Major	K94534313	Update to max message size limit doesn't work sometimes
629845-2	3-Major		Disallowing TLSv1 connections to HTTP causes iControl/REST issues
626542-2	3-Major		Unable to set maxMessageBodySize in iControl REST after upgrade★

Cumulative fixes from BIG-IP v12.1.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
618306-2	CVE-2016-9247	K33500120	TMM vulnerability CVE-2016-9247
616864-1	CVE-2016-2776	K18829561	BIND vulnerability CVE-2016-2776
613282-2	CVE-2016-2086, CVE-2016-2216, CVE-2016-1669	K15311661	NodeJS vulnerability CVE-2016-2086
611469-3	CVE-2016-7467	K95444512	Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-2	CVE-2016-9252	K46535047	Improper handling of IP options
591328-7	CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109	K36488941	OpenSSL vulnerability CVE-2016-2106
591325-8	CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109	K75152412	OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-17	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K23230229	OpenSSL vulnerabilities
560109-7	CVE-2017-6160	K19430431	Client capabilities failure
618549-1	CVE-2016-9249	K71282001	Fast Open can cause TMM crash CVE-2016-9249
618263-1	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
614147-1	CVE-2017-6157	K02692210	SOCKS proxy defect resolution
614097-1	CVE-2017-6157	K02692210	HTTP Explicit proxy defect resolution
607314-1	CVE-2016-3500 CVE-2016-3508	K25075696	Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
605039-3	CVE-2016-2775	K92991044	lwresd and bind vulnerability CVE-2016-2775
601059-6	CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449	K14614344	libxml2 vulnerability CVE-2016-1840
599536-1	CVE-2017-6156	K05263202	IPsec peer with wildcard selector brings up wrong phase2 SAs
597023-1	CVE-2016-4954	K82644737	NTP vulnerability CVE-2016-4954
595242-1	CVE-2016-3705	K54225343	libxml2 vulnerabilities CVE-2016-3705
595231-1	CVE-2016-3627	K54225343	libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
594496-1	CVE-2016-4539	K35240323	PHP Vulnerability CVE-2016-4539
593447-1	CVE-2016-5024	K92859602	BIG-IP TMM iRules vulnerability CVE-2016-5024
592485	CVE-2015-5157 CVE-2015-8767	K17326	Linux kernel vulnerability CVE-2015-5157
592001-1	CVE-2016-4071 CVE-2016-4073	K64412100	CVE-2016-4073 PHP vulnerabilities
591455-7	CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518	K24613253	NTP vulnerability CVE-2016-2516
591447-1	CVE-2016-4070	K42065024	PHP vulnerability CVE-2016-4070
591358-1	CVE-2016-3425 CVE-2016-0695 CVE-2016-3427	K81223200	Oracle Java SE vulnerability CVE-2016-3425
585424-1	CVE-2016-1979	K20145801	Mozilla NSS vulnerability CVE-2016-1979
580747-1	CVE-2016-0739	K57255643	libssh vulnerability CVE-2016-0739
557190-3	CVE-2017-6166	K65615624	'packet_free: double free!' tmm core
597010-1	CVE-2016-4955	K03331206	NTP vulnerability CVE-2016-4955
596997-1	CVE-2016-4956	K64505405	NTP vulnerability CVE-2016-4956
591767-8	CVE-2016-1547	K11251130	NTP vulnerability CVE-2016-1547
591438-7	CVE-2015-8865	K54924436	PHP vulnerability CVE-2015-8865
575629-3	CVE-2015-8139	K00329831	NTP vulnerability: CVE-2015-8139
573343-1	CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158	K01324833	NTP vulnerability CVE-2015-8158

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
615377-3	3-Major		Unexpected rate limiting of unreachable and ICMP messages for some addresses.
590122-2	3-Major		Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
581438-2	3-Major		Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
561348-7	3-Major		krb5.conf file is not synchronized between blades and not backed up
541549-2	3-Major		AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-3	3-Major		OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
246726-1	3-Major	K8940	System continues to process virtual server traffic after disabling virtual address
599839-3	4-Minor		Add new keyords to SIP::persist command to specify how Persistence table is updated
591733-4	4-Minor	K83175883	Save on Auto-Sync is missing from the configuration utility.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
625784	1-Blocking		TMM crash on i4x00 and i2x00 platforms with large ASM configuration.
617622	1-Blocking		In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
621422	2-Critical		i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1	2-Critical		Assert on deletion of paired in-and-out IPsec traffic selectors
617935	2-Critical		IKEv2 VPN tunnels fail to establish
617481-1	2-Critical		TMM can crash when HTML minification is configured
614865-5	2-Critical		Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-1	2-Critical		TMM crash on invalid memory access to loopback interface stats object
605476-3	2-Critical		statsd can core when reading corrupt stats files.
601527-4	2-Critical		mcpd memory leak and core
600894-1	2-Critical		In certain situations, the MCPD process can leak memory
598748	2-Critical		IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-1	2-Critical		vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★
595712-1	2-Critical		Not able to add remote user locally
591495-2	2-Critical		VCMP guests sflow agent can crash due to duplicate vlan interface indices
591104-1	2-Critical		ospfd cores due to an incorrect debug statement.
588686	2-Critical		High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3	2-Critical		bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2	2-Critical		sod core during upgrade from 10.x to 12.x.
583936-5	2-Critical		Removing ECMP route from BGP does not clear route from NSM
557680-4	2-Critical		Fast successive MTU changes to IPsec tunnel interface crashes TMM
355806-7	2-Critical		Starting mcpd manually at the command line interferes with running mcpd
622877-1	3-Major		i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622199	3-Major		sys-icheck reports error with /var/lib/waagent
622194	3-Major		sys-icheck reports error with ssh_host_rsa_key
621423	3-Major		sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621242-1	3-Major		Reserve enough space in the image for future upgrades.
621225	3-Major		LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620782	3-Major		Azure cloud now supports hourly billing
619410-1	3-Major		TMM hardware accelerated compression not registering for all compression levels.
617986-2	3-Major		Memory leak in snmpd
617229-1	3-Major	K54245014	Local policy rule descriptions disappear when policy is re-saved
616242-3	3-Major	K39944245	basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
614530-2	3-Major		Dynamic ECMP routes missing from Linux host
614180-1	3-Major		ASM is not available in LTM policy when ASM is licensed as the main active module
610441-3	3-Major		When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610352-1	3-Major		sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1	3-Major		sys-icheck reports error with /config/bigpipe/defaults.scf
610273-3	3-Major		Not possible to do targeted failover with HA Group configured
605894-3	3-Major		Remote authentication for BIG-IP users can fail
603149-2	3-Major		Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-8	3-Major		Missing ASM control option from LTM policy rule screen in the Configuration utility
602502-2	3-Major		Unable to view the SSL Cert list from the GUI
601989-3	3-Major	K88516119	Remote LDAP system authenticated username is case sensitive★
601893-2	3-Major		TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.
601502-4	3-Major		Excessive OCSP traffic
600558-5	3-Major		Errors logged after deleting user in GUI
599816-2	3-Major		Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
598443-1	3-Major		Temporary files from TMSH not being cleaned up intermittently.
598039-6	3-Major		MCP memory may leak when performing a wildcard query
597729-5	3-Major		Errors logged after deleting user in GUI
596104-1	3-Major	K84539934	HA trunk unavailable for vCMP guest★
595773-4	3-Major		Cancellation requests for chunked stats queries do not propagate to secondary blades
594426-2	3-Major		Audit forwarding Radius packets may be rejected by Radius server
592870-2	3-Major		Fast successive MTU changes to IPsec tunnel interface crashes TMM
592320-5	3-Major		ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
589083-2	3-Major	K46205123	TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
586878-4	3-Major		During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
585833-3	3-Major		Qkview will abort if /shared partition has less than 2GB free space
585547-1	3-Major	K58243048	NTP configuration items are no longer collected by qkview★
585485-3	3-Major		inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system
584583-3	3-Major	K18410170	Timeout error when using the REST API to retrieve large amount of data
583285-5	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1	3-Major		BWC policy in device sync groups.
580500-1	3-Major		/etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
578551-5	3-Major		bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot
576305-7	3-Major		Potential MCPd leak in IPSEC SPD stats query code
575649-5	3-Major		MCPd might leak memory in IPFIX destination stats query
575591-6	3-Major		Potential MCPd leak in IKE message stats query code
575589-5	3-Major		Potential MCPd leak in IKE event stats query code
575587-7	3-Major		Potential MCPd leak in BWC policy class stats query code
575176-1	3-Major		Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
575066-1	3-Major		Management DHCP settings do not take effect
570818-4	3-Major		Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
568672-1	3-Major		Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4	3-Major		Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
553795-7	3-Major		Differing certificate/key after successful config-sync
547479-5	3-Major		Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-1	3-Major		Creating local user for previously remote user results in incomplete user definition.
540872-1	3-Major		Config sync fails after creating a partition.
527206-5	3-Major		Management interface may flap due to LOP sync error
393270-1	3-Major		Configuration utility may become non-responsive or fail to load.
618421	4-Minor		Some mass storage is left un-used
617124	4-Minor		Cannot map hardware type (12) to HardwareType enumeration
581835-1	4-Minor		Command failing: tmsh show ltm virtual vs_name detail.
567546-1	4-Minor		Files with file names larger than 100 characters are omitted from qkview
564771-1	4-Minor		cron sends purge_mysql_logs.pl email error on LTM-only device
564522-2	4-Minor	K40547220	cron is configured with MAILTO=root but mailhost defaults to 'mail'
559837-4	4-Minor		Misleading error message in catalina.out when listing certificates.
551349-5	4-Minor	K80203854	Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
460833-5	4-Minor		MCPD sync errors and restart after multiple modifications to file object in chassis
572133-5	5-Cosmetic		tmsh save /sys ucs command sends status messages to stderr
442231-4	5-Cosmetic		Pendsect log entries have an unexpected severity

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618905-1	1-Blocking		tmm core while installing Safenet 6.2 client
616215-4	2-Critical		TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-1	2-Critical		L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
612229-1	2-Critical		TMM may crash if LTM a disable policy action for 'LTM Policy' is not last
609628-2	2-Critical		CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6	2-Critical		Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-1	2-Critical		Configuring asymmetric routing with a VE rate limited license will result in tmm crash
607724-2	2-Critical	K25713491	TMM may crash when in Fallback state.
607524-2	2-Critical		Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-5	2-Critical		Safenet 6.2 library missing after upgrade★
606573-3	2-Critical		FTP traffic does not work through SNAT when configured without Virtual Server★
605865-4	2-Critical		Debug TMM produces core on certain ICMP PMTUD packets
604133-2	2-Critical		Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603032-1	2-Critical		clientssl profiles with sni-default enabled may leak X509 objects
602326-1	2-Critical		Intermittent pkcs11d core when installing Safenet 6.2 software
599135-2	2-Critical		B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-2	2-Critical	K34453301	TMM may crash or behave abnormally on a Standby BIG-IP unit
588351-5	2-Critical		IPv6 fragments are dropped when packet filtering is enabled.
586449-1	2-Critical		Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1	2-Critical		Transparent HTTP profiles cannot have iRules configured
575011-1	2-Critical	K21137299	Memory leak. Nitrox3 Hang Detected.
574880-3	2-Critical		Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
549329-3	2-Critical	K02020031	L7 mirrored ACK from standby to active box can cause tmm core on active
545810-3	2-Critical	K14304373	TMM halts and restarts
459671-4	2-Critical		iRules source different procs from different partitions and executes the incorrect proc.
617862-2	3-Major		Fastl4 handshake timeout is absolute instead of relative
617824-3	3-Major		"SSL::disable/enable serverside" + oneconnect reuse is broken
615143-1	3-Major		VDI plugin-initiated connections may select inappropriate SNAT address
613429-2	3-Major		Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613369-4	3-Major		Half-Open TCP Connections Not Discoverable
613079-4	3-Major		Diameter monitor watchdog timeout fires after only 3 seconds
613065-1	3-Major		User can't generate netHSM key with Safenet 6.2 client using GUI
612040-4	3-Major		Statistics added for all crypto queues
611320-3	3-Major		Mirrored connection on Active unit of HA pair may be unexpectedly torndown
610609-3	3-Major		Total connections in bigtop, SNMP are incorrect
608024-3	3-Major		Unnecessary DTLS retransmissions occur during handshake.
607803-3	3-Major	K33954223	DTLS client (serverssl profile) fails to complete resumed handshake.
607304-5	3-Major		TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-3	3-Major		Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6	3-Major		Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-2	3-Major	K52231531	TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
604977-2	3-Major	K08905542	Wrong alert when DTLS cookie size is 32
603236-1	3-Major		1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602385-1	3-Major		Add zLib compression
602366-1	3-Major		Safenet 6.2 HA performance
602358-5	3-Major		BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version
601496-4	3-Major		iRules and OCSP Stapling
601178-6	3-Major		HTTP cookie persistence 'preferred' encryption
598874-2	3-Major		GTM Resolver sends FIN after SYN retransmission timeout
597978-2	3-Major		GARPs may be transmitted by active going offline
597879-1	3-Major		CDG Congestion Control can lead to instability
597532-1	3-Major		iRule: RADIUS avp command returns a signed integer
597089-8	3-Major		Connections are terminated after 5 seconds when using ePVA full acceleration
593530-6	3-Major		In rare cases, connections may fail to expire
592784-2	3-Major		Compression stalls, does not recover, and compression facilities cease.
592497-1	3-Major		Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-5	3-Major	K47203554	Server shutdown is propagated to client after X-Cnection: close transformation.
591476-7	3-Major	K53220379	Stuck crypto queue can erroneously be reported
591343-5	3-Major	K03842525	SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589223-1	3-Major		TMM crash and core dump when processing SSL protocol alert.
588115-1	3-Major		TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3	3-Major		SSL resumed connections may fail during mirroring
587016-3	3-Major		SIP monitor in TLS mode marks pool member down after positive response.
585813-3	3-Major		SIP monitor with TLS mode fails to find cert and key files.
585412-4	3-Major		SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-6	3-Major		The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1	3-Major		Cannot generate key after SafeNet HSM is rebooted
580303-5	3-Major		When going from active to offline, tmm might send a GARP for a floating address.
579843-1	3-Major		tmrouted may not re-announce routes after a specific succession of failover states
579371-4	3-Major	K70126130	BIG-IP may generate ARPs after transition to standby
578951-2	3-Major		TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572281-5	3-Major		Variable value in the nesting script of foreach command get reset when there is parking command in the script
570057-2	3-Major		Can't install more than 16 SafeNet HSMs in its HA group
569288-6	3-Major		Different LACP key may be used in different blades in a chassis system causing trunking failures
565799-4	3-Major		CPU Usage increases when using masquerade addresses
551208-6	3-Major		Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-4	3-Major		Networking devices might block a packet that has a TTL value higher than 230.
545796-5	3-Major		[iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-5	3-Major		Log activation/deactivation of TM.TCPMemoryPressure
537553-8	3-Major		tmm might crash after modifying virtual server SSL profiles in SNI configuration
534457-4	3-Major		Dynamically discovered routes might fail to remirror connections.
530266-7	3-Major		Rate limit configured on a node can be exceeded
506543-5	3-Major		Disabled ephemeral pool members continue to receive new connections
483953-1	3-Major		Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7	3-Major		Memory leak with multiple client SSL profiles.
464801-3	3-Major		Intermittent tmm core
423392-6	3-Major		tcl_platform is no longer in the static:: namespace
371164-1	3-Major		BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.
225634-1	3-Major	K12947	The rate class feature does not honor the Burst Size setting.
598860-4	4-Minor		IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587676-2	4-Minor		SMB monitor fails due to internal configuration issue
560471-1	4-Minor		Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
544033-5	4-Minor	K30404012	ICMP fragmentation request is ignored by BIG-IP
222034-4	4-Minor		HTTP::respond in LB_FAILED with large header/body might result in truncated response

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
510631-1	3-Major		B4450 L4 No ePVA or L7 throughput lower than expected

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
603598-3	2-Critical		big3d memory under extreme load conditions
587656-2	2-Critical		GTM auto discovery problem with EHF for ID574052
587617-1	2-Critical		While adding GTM server, failure to configure new IP on existing server leads to gtmd core
615338-2	3-Major		The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-1	3-Major		QOS load balancing links display as gray
613045-7	3-Major		Interaction between GTM and 10.x LTM results in some virtual servers marked down
607658-1	3-Major		GUI becomes unresponsive when managing GSLB Pool
589256-1	3-Major	K71283501	DNSSEC NSEC3 records with different type bitmap for same name.
588289-1	3-Major		GTM is Re-ordering pools when adding pool including order designation
584623-2	3-Major		Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-4	3-Major		GTM autoconf can cause high CPU usage for gtmd
370131-4	3-Major		Loading UCS with low GTM Autoconf Delay drops pool Members from config

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609499-1	2-Critical		Compiled signature collections use more memory than prior versions
603945-2	2-Critical		BD config update should be considered as config addition in case of update failure
588087-1	2-Critical		Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2	2-Critical		IP exceptions may have issues with route domain
575133-1	2-Critical		asm_config_server_rpc_handler_async.pl SIGSEGV and core
622386-1	3-Major		Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
616169	3-Major		ASM Policy Export returns HTML error file
613396-1	3-Major		Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1	3-Major		"Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
609496-2	3-Major		Improved diagnostics in BD config update (bd_agent) added
608509-1	3-Major		Policy learning is slow under high load
604923-5	3-Major		REST id for Signatures change after update
604612-1	3-Major	K20323120	Modified ASM cookie violation happens after upgrade to 12.1.x★
602221-2	3-Major		Wrong parsing of redirect Domain
584642-1	3-Major		Apply Policy Failure
584103-2	3-Major		FPS periodic updates (cron) write errors to log
582683-2	3-Major		xpath parser doesn't reset a namespace hash value between each and every scan
582133-1	3-Major		Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581315-1	3-Major		Selenium detection not blocked
579917-1	3-Major		User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1	3-Major		Error when loading Upgrade UCS★
521204-2	3-Major		Include default values in XML Policy Export

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
602654-2	2-Critical		TMM crash when using AVR lookups
602434-1	2-Critical		Tmm crash with compressed response
601056	2-Critical		TCP-Analytics, error message not using rate-limit mechanism can halt TMM
622735	3-Major		TCP Analytics statistics does not list all virtual servers
618944-1	3-Major		AVR statistic is not save during the upgrade process
601035	3-Major		TCP-Analytics can fail to collect all the activity

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618506	2-Critical		TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1	2-Critical		Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
592868-3	2-Critical		Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3	2-Critical		APM ACL construction may cause TMM to core if TMM is out of memory
569563-3	2-Critical		Sockets resource leak after loading complex policy
619250-1	3-Major		Returning to main menu from "RSS Feed" breaks ribbon
617187-1	3-Major		APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
614891-2	3-Major		Routing table doesn't get updated when EDGE client roams among wireless networks
613613-2	3-Major		Incorrect handling of form that contains a tag with id=action
611922-1	3-Major		Policy sync fails with policy that includes custom CA Bundle.
611240-3	3-Major		Import of config with securid might fail
610224-3	3-Major		APM client may fetch expired certificate when a valid and an expired certificate co-exist
608941-1	3-Major		AAA RADIUS system authentication fails on IPv6 network
604767-1	3-Major		Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.
601905-1	3-Major		POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-3	3-Major		DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3	3-Major	K06913155	APM ACL does not get enforced all the time under certain conditions
598211-1	3-Major		Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-2	3-Major		VPN establishment may fail when computer wakes up from sleep
596116-3	3-Major		LDAP Query does not resolve group membership, when required attribute(s) specified
595227-1	3-Major		SWG Custom Category: unable to have a URL in multiple custom categories
594288-1	3-Major		Access profile configured with SWG Transparent results in memory leak.
592414-4	3-Major		IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1	3-Major		encryption_key in access config is NULL in whitelist
591590-1	3-Major		APM policy sync results are not persisted on target devices
591268-1	3-Major		VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
590820-3	3-Major		Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3	3-Major	K80124134	Empty URI rewriting is not done as required by browser.
586718-1	3-Major		Session variable substitutions are logged
586006-1	3-Major		Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3	3-Major		VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
583113-1	3-Major		NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3	3-Major		Macrocall could be topologically not connected with the rest of policy.★
582526-3	3-Major		Unable to display and edit huge policies (more than 4000 elements)
580893-2	3-Major	K08731969	Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3	3-Major		flash.utils.Proxy functionality is not negotiated
572558-1	3-Major		Internet Explorer: incorrect handling of document.write() to closed document
569309-3	3-Major		Clientside HTML parser does not recognize HTML event attributes without value
562636-2	3-Major	K05489319	Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
525429-11	3-Major		DTLS renegotiation sequence number compatibility
455975-1	3-Major		Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
389484-6	3-Major		OAM reporting Access Server down with JDK version 1.6.0_27 or later
386517-1	3-Major		Multidomain SSO requires a default pool be configured
238444-3	3-Major	K14219	An L4 ACL has no effect when a layered virtual server is used.
605627	4-Minor		Selinux denial seen for apmd when it is being shutdown.
584373-2	4-Minor		AD/LDAP resource group mapping table controls are not accessible sometimes
573611-1	4-Minor		Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
557411-1	4-Minor		Full Webtop resources appear overlapping in IE11 compatibility mode

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
619757-1	2-Critical		iSession causes routing entry to be prematurely freed

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
613297-3	2-Critical		Default generic message routing profile settings may core
612135-3	2-Critical		Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-2	2-Critical		tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config
596631-2	2-Critical		SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
609575-5	3-Major		BIG-IP drops ACKs containing no max-forwards header
609328-3	3-Major	K53447441	SIP Parser incorrectly parsers empty header
607713-3	3-Major		SIP Parser fails header with multiple sequential separators inside quoted string.
603019-3	3-Major		Inserted SIP VIA branch parameter not unique between INVITE and ACK
599521-5	3-Major		Persistence entries not added if message is routed via an iRule
598854-3	3-Major		sipdb tool incorrectly displays persistence records without a pool name
598700-6	3-Major		MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-3	3-Major	K12228503	Branch parameter in inserted VIA header not consistent as per spec
583010-4	3-Major		Sending a SIP invite with 'tel' URI fails with a reset
578564-4	3-Major		ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4	3-Major		ADAPT recursive loop when handling successive iRule events
566576-6	3-Major		ICAP/OneConnect reuses connection while previous response is in progress
401815-1	3-Major		BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
585807-2	4-Minor		'ICAP::method <method>' iRule is documented but is read-only
561500-4	4-Minor		ICAP Parsing improvement

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
612874-1	2-Critical		iRule with FLOW_INIT stage execution can cause TMM restart
609095-1	2-Critical		mcpd memory grows when updating firewall rules
622281-1	3-Major		Network DoS logging configuration change can cause TMM crash
621808-1	3-Major		Proactive Bot Defense failing in IE11 with Compatibility View enabled
614284-2	3-Major		Performance fix to not reset a data structure in the packet receive hotpath.
613459-1	3-Major		Non-common browsers blocked by Proactive Bot Defense
610857-1	3-Major		DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1	3-Major		FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.
608566-1	3-Major		The reference count of NW dos log profile in tmm log is incorrect
606875-1	3-Major		DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
605427-1	3-Major		TMM may crash when adding and removing virtual servers with security log profiles
601924-1	3-Major		Selenium detection by ports scanning doesn't work even if the ports are opened
596502-1	3-Major		Unable to force Bot Defense action to Allow in iRule
594869-4	3-Major		AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-2	3-Major		Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
586070	3-Major		'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1	3-Major		FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)
501892-1	3-Major		Selenium is not detected by headless mechanism when using client version without server

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609005-2	1-Blocking		Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
611467-3	2-Critical		TMM coredump at dhcpv4_server_set_flow_key().
608009-1	2-Critical		Crash: Tmm crashing when active system connections are deleted from cli
603825-2	2-Critical		Crash when a Gy update message is received by a debug TMM
593070-2	2-Critical		TMM may crash with multiple IP addresses per session
472860-5	2-Critical		RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
623491-2	3-Major		After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-2	3-Major		Disruption during manipulation of PEM data with suspected flow irregularity
618657-4	3-Major		Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-3	3-Major		tmm core using PEM
608742-2	3-Major	K48561135	DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
608591-1	3-Major		Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5	3-Major		DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3	3-Major	K60250444	PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-5	3-Major	K56504204	DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
606066-2	2-Critical		LSN_DELETE messages may be lost after HA failover
605525-1	2-Critical		Deterministic NAT combined with NAT64 may cause a TMM core
587106-1	2-Critical		Inbound connections are reset prematurely when zombie timeout is configured.
602171-1	3-Major		TMM may core when remote LSN operations time out

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
617648	2-Critical		Surfing with IE8 sometimes results with script error
603234-3	2-Critical		Performance Improvements
597471	2-Critical		Some Alerts are sent with outdated username value
617688	3-Major		Encryption is not activated unless "real-time encryption" is selected
613671-2	3-Major		Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation
610897-2	3-Major		FPS generated request failure throw "unspecified error" error in old IE.
609098-1	3-Major		Improve details of ajax failure
604885-1	3-Major		Redirect/Route action doesn't work if there is an alert logging iRule
601083-1	3-Major		FPS Globally Forbidden Words lists freeze in IE 11
588058-3	3-Major		False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
609114-1	4-Minor		Add the ability to control dropping of alerts by before-load-function
605125-2	4-Minor		Sometimes, passwords fields are readonly
592274-3	4-Minor		RAT-Detection alerts sent with incorrect duration details

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588405-1	3-Major		BADOS - BIG-IP Self-protection during (D)DOS attack
608826-1	4-Minor		Greylist (bad actors list) is not cleaned when attack ends

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
624370-1	2-Critical		tmm crash during classification hitless upgrade if virtual server configuration is modified

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
621401	3-Major		When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
615824-1	3-Major		REST API calls to invalid REST endpoint log level change

Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
613127-3	CVE-2016-5696	K46514822	Linux TCP Stack vulnerability CVE-2016-5696

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
612564	1-Blocking		mysql does not start
618382-4	2-Critical		qkview may cause tmm to restart or may take 30 or more minutes to run
614766-1	3-Major		lsusb uses unknown ioctl and spams kernel logs
612952-1	3-Major		PSU FW revision not displayed correctly
611352	3-Major	K68092141	Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
610307	3-Major		Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325	3-Major		Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1	3-Major		i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1	3-Major		On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2	3-Major		Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1	3-Major		LCD might display incorrect output.
521270-1	3-Major		Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6	3-Major	K25051022	Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1	4-Minor		Dossier warning 14
607857-1	4-Minor		Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1	4-Minor		Switch interfaces may seem up after bcm56xxd goes down
602061	4-Minor		i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309	4-Minor		Locator LED no longer persists across reboots
592716-1	4-Minor		BMC timezone value was not being synchronized by BIG-IP

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
597708-4	3-Major		Stats are unavailable and vCMP state and status are incorrect

Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
598294-1	CVE-2016-7472	K17119920	BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
601938-2	CVE-2016-7474	K52180214	MCPD stores certain data incorrectly

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
542097-4	2-Critical		Update to RHEL6 kernel
601927-1	4-Minor	K52180214	Security hardening of control plane

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
602653-1	2-Critical		TMM may crash after updating bot-signatures
599769	2-Critical		TMM may crash when managing APM clients.
605682-2	3-Major		With forward proxy enabled, sometimes the client connection will not complete.
599054-2	3-Major		LTM policies may incorrectly use those of another virtual server

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
585120-1	2-Critical		Memory leak in bd under rare scenario

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
596674-2	2-Critical		High memory usage when using CS features with gzip HTML responses.
575170-2	2-Critical		Analytics reports may not identify virtual servers correctly
590074-1	3-Major		Wrong value for TCP connections closed measure

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
603997	2-Critical		Plugin should not inject nonce to CSP header with unsafe-inline
594910-1	3-Major		FPS flags no cookie when length check fails
590608-1	3-Major		Alert is not redirected to alert server when unseal fails
590578-4	3-Major		False positive "URL error" alerts on URLs with GET parameters
593355	4-Minor		FPS may erroneously flag missing cookie
589318-1	4-Minor		Clicking 'Customize All' checkbox does not work.

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
603605-1	2-Critical		Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2	3-Major		Some iApp LX packages will not be saved during upgrade or UCS save/restore

Cumulative fixes from BIG-IP v12.1.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
596488-1	CVE-2016-5118	K82747025	GraphicsMagick vulnerability CVE-2016-5118.
579955-6	CVE-2016-7475	K01587042	BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
587077-1	CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118	K37603172	Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1	CVE-2016-1950	K91100352	Mozilla NSS vulnerability CVE-2016-1950
570697-1	CVE-2015-8138	K71245322	NTP vulnerability CVE-2015-8138
580340-1	CVE-2016-2842	K52349521	OpenSSL vulnerability CVE-2016-2842
580313-1	CVE-2016-0799	K22334603	OpenSSL vulnerability CVE-2016-0799
579829-7	CVE-2016-0702	K79215841	OpenSSL vulnerability CVE-2016-0702
579085-6	CVE-2016-0797	K40524634	OpenSSL vulnerability CVE-2016-0797
578570-1	CVE-2016-0705	K93122894	OpenSSL Vulnerability CVE-2016-0705
569355-1	CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494	K50118123	Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1	CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210	K17235	Multiple PCRE Vulnerabilities
570667-2	CVE-2016-0701 CVE-2015-3197	K64009378	OpenSSL vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
600811-2	3-Major		CATEGORY::lookup command change in behaviour★

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
606509-4	2-Critical		Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★
595605	2-Critical		Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★
591119	2-Critical		OOM with session messaging may result in TMM crash
601076	3-Major		Fix watchdog event for accelerated compression request overflow
597303	3-Major		"tmsh create net trunk" may fail
595693	3-Major		Incorrect PVA indication on B4450 blade
591261	3-Major		BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1	3-Major		New HA Pair created using serial cable failover only will remain Active/Active
589661	3-Major		PS2 power supply status incorrect after removal
588327	3-Major		Observe "err bcm56xxd' liked log from /var/log/ltm
587735	3-Major		False alarm on LCD indicating bad fan
587668	3-Major		LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332	3-Major		Virtual Edition network settings aren't pinned correctly on startup★
584670	3-Major		Output of tmsh show sys crypto master-key
584661	3-Major		Last good master key
584655	3-Major		platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177	3-Major		LCD text truncated by heartbeat icon on VIPRION
581945-2	3-Major		Device-group 'datasync-global-dg' becomes out-of-sync every hour
581811	3-Major		The blade alarm LED may not reflect the warning that non F5 optics is used.
579529	3-Major		Stats file descriptors kept open in spawned child processes
578064	3-Major		tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade
578036-1	3-Major		incorrect crontab can cause large number of email alerts
573584	3-Major		CPLD update success logs at the same error level as an update failure
563592	3-Major		Content diagnostics and LCD
559655	3-Major		Post RMA, system does not display correct platform name regardless of license
555039-4	3-Major	K24458124	VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360	3-Major		Firmware update that includes might take over 15 minutes. Do not turn off device.
526708	3-Major		system_check shows fan=good on removed PSU of 4000 platform
433357	3-Major		Management NIC speed reported as 'none'
400778	3-Major		Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550	3-Major		LCD listener error during shutdown
587780	4-Minor		warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986	4-Minor		Powered down DC PSU is treated as not-present
418009	5-Cosmetic		Hardware data display inaccuracies

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
603700	2-Critical		tmm core on multiple SSL::disable calls
598052-1	2-Critical		SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139	2-Critical		TMM QAT segfault after zlib/QAT compression conflation.
585654	2-Critical		Enhanced implementation of AES in Common Criteria mode
579953	2-Critical		Updated the list of Common Criteria ciphersuites
584926-1	3-Major		Accelerated compression segfault when devices are all in error state.
566342	3-Major		Cannot set 10T-FD or 10T-HD on management port

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
599803	1-Blocking		TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2	2-Critical		apmd crash under rare conditions with LDAP

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
581824-2	3-Major		"Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
588049-1	2-Critical		Improve detection of browser capabilities
585352-2	2-Critical		bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1	2-Critical		BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2	3-Major		High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1	3-Major		Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1	3-Major		Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4	3-Major		ASM policy creation fails with after upgrading

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
587419-1	3-Major		TMM may restart when SAML SLO is performed after APM session is closed
585442-2	3-Major		Provisioning APM to "none" creates a core file

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
596809-1	3-Major		It is possible to create ssh rules with blank space for auth-info
593925-1	3-Major		ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1	3-Major		Sync fails when deleting an ssh profile

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
584921-1	2-Critical		Inbound connections fail to keep port block alive

Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
600662-9	CVE-2016-5745	K64743453	NAT64 vulnerability CVE-2016-5745
599168-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1	CVE-2013-0169 CVE-2016-6907	K14190 K39508724	TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
604211-1	2-Critical	K72931250	License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★
600859-2	2-Critical		Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★
599033-5	2-Critical		Traffic directed to incorrect instance after network partition is resolved
595394-3	2-Critical		Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★
606110-2	3-Major		BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4	3-Major		HA Failover fails in certain valid AWS configurations
596603-2	3-Major		AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
600357-2	3-Major		bd crash when asm policy is removed from virtual during specific configuration change

Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
569467-5	CVE-2016-2084	K11772107	BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591806-8	CVE-2016-3714	K03151140	ImageMagick vulnerability CVE-2016-3714
591918-2	CVE-2016-3718	K61974123	ImageMagick vulnerability CVE-2016-3718
591908-2	CVE-2016-3717	K29154575	ImageMagick vulnerability CVE-2016-3717
591894-2	CVE-2016-3715	K10550253	ImageMagick vulnerability CVE-2016-3715
591881-1	CVE-2016-3716	K25102203	ImageMagick vulnerability CVE-2016-3716

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
583631-2	1-Blocking		ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
590993	3-Major		Unable to load configs from /usr/libexec/aws/.
576478	3-Major		Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477	3-Major		New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
591039	2-Critical		DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779	2-Critical		Rest API - log profile in json return does not include the partition but needs to
588140	2-Critical		Pool licensing fails in some KVM/OpenStack environments
587791-1	2-Critical		Set execute permission on /var/lib/waagent
565137	2-Critical	K12372003	Pool licensing fails in some KVM/OpenStack environments.
554713-2	2-Critical		Deployment failed: Failed submitting iControl REST transaction
592363	3-Major		Remove debug output during first boot of VE
592354	3-Major		Raw sockets are not enabled on Cloud platforms

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
592699-3	2-Critical		IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
594302-1	3-Major		Connection hangs when processing large compressed responses from server
592854-1	3-Major		Protocol version set incorrectly on serverssl renegotiation
592682-1	3-Major		TCP: connections may stall or be dropped
531979-6	3-Major		SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
582629-1	2-Critical		User Sessions lookups are not cleared, session stats show marked as invalid

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
590601-2	3-Major		BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1	3-Major		The "ACCESS::session create" iRule command does not work
590345-1	3-Major		ACCESS policy running iRule event agent intermittently hangs
585905-1	3-Major		Citrix Storefront integration mode with pass-through authentication fails
581834-5	3-Major		Firefox signed plugin for VPN, Endpoint Check, etc

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588399-1	3-Major		BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1	3-Major		Multiple 'Loading state for virtual server' messages in admd.log
569121-1	3-Major		Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1	4-Minor		Bad actor quarantining

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
590795-1	2-Critical		tmm crash when loading default signatures or updating classification signature★

Cumulative fix details for BIG-IP v12.1.3.6 that are included in this release

720880 : Attempts to license/re-license the BIG-IP system fail.

Component: TMOS

Symptoms:
Attempts to activate or reactivate the license on the BIG-IP system results in failure messages.

Conditions:
No specific configurations are associated with this issue, but license activation/reactivation requests that include add-ons are more likely to fail.

This occurs under random conditions.

Impact:
The system is either unusable or very difficult to activate.

Workaround:
Because the conditions under which this issue occurs are random, additional licensing attempts might succeed.

Fix:
The source of the underlying problem has been corrected. No additional logs, error message, or user-interaction is involved.

720756 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS

Component: TMOS

Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.

Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.

Impact:
Cannot tell the actual platform name in the SNMP query.

Workaround:
There is no workaround at this time.

Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.

720695-2 : Export then import of Profile/Policy with advanced customization is failing

Component: Access Policy Manager

Symptoms:
An exported policy containing advanced customization fails to import.

Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.

Impact:
Import fails.

Workaround:
None.

Fix:
Import of exported policy containing advanced customization now succeeds.

720391-1 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.

Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.

Impact:
System is reported as i7008-D, when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.

Workaround:
None.

Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.

720104 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.

Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.

Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.

Workaround:
There is no workaround at this time.

Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.

720030-3 : Enable EDNS flag for internal Kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.

Conditions:
APM end users using Kerberos SSO to access backend resources.

Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.

Workaround:
For BIG-IP software v12.x and later,

Edit the /etc/resolv.conf file to add an EDNS0 option.

There is no workaround if you are running a version earlier than 12.x.

Fix:
Kerberos DNS SRV requests now support EDNS0, so that UDP responses greater than 512 bytes can be received correctly, eliminating the need to re-send the request on TCP while communicating to the internal DNS server (dnscached).

718208-1 : Unable to install Network Access plugin on Linux Ubuntu 16.04 w/ Firefox v52 ESR using SUDO

Component: Access Policy Manager

Symptoms:
SVPN client installation process loops on the prompt to enter SU or SUDO credentials.

Conditions:
Use Firefox v52 ESR to install SVPN client.

Impact:
User can't install SVPN client using Firefox v52 ESR browser

Workaround:
Delete the NPAPI plugin from the browser
Install SVPN client manually.
Use Firefox v52 ESR to connect to APM

Fix:
Now user can install SVPN client using SUDO.

718071-3 : HTTP2 with ASM policy not passing traffic

Component: Local Traffic Manager

Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.

Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.

Impact:
Traffic does not pass.

Workaround:
No workaround.

Fix:
HTTP2 and ASM now work correctly together.

716992-3 : The ASM bd process may crash

Solution Article: K75432956

716747-4 : TMM core with SWG Transparent

Component: Access Policy Manager

Symptoms:
TMM core when running an SWG-Transparent. There will be a log message in /var/log/apm near the time of crash with this:

err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.

Conditions:
Forward proxy with an access profile of type SWG-Transparent.

Happens every time with an On-Demand Cert Auth agent in the access policy. Is sometimes seen in other situations, but much less frequently.

Impact:
TMM core. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer cores with SWG Transparent.

715923-3 : When processing TLS traffic TMM may reset connections

Component: Local Traffic Manager

Symptoms:
Under certain conditions TMM may reset TLS connections with a BAD_RECORD_MAC alert.

Conditions:
TLS profile active.

Impact:
BIG-IP sends a BAD_RECORD_MAC alert and terminates the SSL connection.

Workaround:
None.

Fix:
TMM now processes TLS traffic as expected.

715250-2 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED

Component: Access Policy Manager

Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.

Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.

Impact:
System instability, failover, traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

715207-2 : coapi errors while modifying per-request policy in VPE

Component: Access Policy Manager

Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).

err coapi: PHP: requested conversion of uninitialized member.

Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.

Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.

Workaround:
To work around this issue, perform the following procedure: 1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.

Fix:
The underlying coapi errors have been resolved, which should also resolve the associated impacts.

715090 : PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers

Component: Policy Enforcement Manager

Symptoms:
Policy and Charging Rules Function (PCRF) policy actions will have no effect on the subscribers' traffic.

Conditions:
PEM creates a traffic generated subscriber that has PCRF-provided policies associated with it.

Impact:
Potential loss of service depending on the policy actions that do not take effect.

Workaround:
There is no workaround at this time.

Fix:
This issue has been fixed.

714879-1 : APM CRLDP Auth passes all certs

Component: Access Policy Manager

Symptoms:
In some situations, a failure to download a new CRL may result in the CRLDP Auth agent treating revoked certs as valid.

Conditions:
Non-zero value for the update-interval in the CRLDP AAA object, and a download failure occurs while trying to update the CRL.

Impact:
Revoked users may regain access.

Workaround:
None.

Fix:
Failure to download a CRL will now revert to the cached CRL, if that CRL is still valid under its nextUpdate time. If there is no valid cached CRL, APM reverts to the action specified in the AAA CRLDP setting of 'Null CRL Allowed'.

714848 : OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled

Component: TMOS

Symptoms:
DDM transmit power too low warning continually appear in /var/log/ltm, and in SNMP traps. Messages appear similar to the following:
DDM interface:3/1.0 transmit power too low warning. Transmit power(mWatts) 0.0001 0.0001 0.0001 0.0001

A single warning message is expected, not repeating messages.

Conditions:
This occurs when all of the following conditions are met:
-- The interface is disabled.
-- DDM is enabled.
-- OPT-0031 or OPT-0036.

Impact:
There are multiple messages in /var/log/ltm, and SNMP DDM traps. There is no impact on traffic.

Workaround:
There is no workaround other than to enable the interface or disable DDM.

Fix:
DDM errors no longer continually appear on disabled interfaces containing OPT-0031 or OPT-0036.

714542-1 : 'Always Connected Mode' text is missing in EdgeClient tray

Component: Access Policy Manager

Symptoms:
When right-clicking the EdgeClient tray icon, the pop-up menu shows a grey box instead of the 'Always Connected Mode' text.

Conditions:
EdgeClient installed in 'Always Connected Mode' with 'Allow' traffic when VPN is disconnected.

Impact:
No functional impact. Previously, the message appeared only for blocked mode.

Workaround:
None.

Fix:
Now, when a user right-clicks the Edge Client tray icon in Always Connected mode, the <uicontrol>Always Connected Mode</uicontrol> text is displayed on the tray icon pop-up menu.

713951-3 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.

713934-4 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

Component: Local Traffic Manager

Symptoms:
Received malformed Truncated DNS response.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.

Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.

713533-3 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
list net self always returns all Self IPs

Impact:
You are unable to filter the Self IP list using a regex pattern.

Fix:
You can now use pattern matching to list Self IPs

713491-1 : IKEv1 logging shows spi of deleted SA with opposite endianess

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.

Fix:
The spi values are shown in the correct endianness now.

713066-3 : Connection failure during DNS lookup to disabled nameserver can crash TMM

Solution Article: K10620131

Component: Global Traffic Manager (DNS)

Symptoms:
TMM restart as a result of a DNS lookup to disabled nameserver.

Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.

This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Verify connectivity to nameserver.

As an alternative, refrain from using RESOLV::lookup in iRules.

Fix:
This issue is now fixed.

712924 : In VPE SecurID servers list are not being displayed in SecurID authentication dialogue

Component: Access Policy Manager

Symptoms:
In VPE SecurID servers list are not being displayed in SecurID authentication dialogue. List is displaying only None.

Conditions:
Always when adding SecureID authentication action.

Impact:
Inability to (re)configure SecureId via VPE.

Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:

tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>

712857-1 : SWG-Explicit rejects large POST bodies during policy evaluation

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.

The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
This release introduces a db variable 'tmm.access.maxrequestbodysize'. You can now avoid this issue by setting a value larger than the 128 KB POST body size. The maximum supported value is 25000000 (25 MB).

712475-1 : DNS zones without servers will prevent DNS Express reading zone data

Solution Article: K56479945

Component: Local Traffic Manager

Symptoms:
DNS Express does not return dig requests.

Conditions:
DNS Express is configured a zone without a server.

Impact:
DNS Express does not return dig requests.

Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.

Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.

712464-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs is usually in the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
There is no workaround at this time.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.

712437-1 : Records containing hyphens (-) will prevent child zone from loading correctly

Solution Article: K20355559

Component: Local Traffic Manager

Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.

Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
myzone.com -- parent
foo.myzone.com -- child

-- In myzone.com, you have a record of the following form:
foo-record.myzone.com

Impact:
DNS can not resolve records correctly.

Workaround:
None.

Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.

712362-1 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stalls.

Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols

#2 Use an irRule:
when SERVER_CONNECTED {
    TCP::collect 15
}
when SERVER_DATA {
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
}

Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.

712315-1 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly

Component: Access Policy Manager

Symptoms:
In VPE LDAP and AD Group Resource Assign are not displaying static acls when they are configured.

Conditions:
While attempting to assign Static ACls via AD or LDAP Group Resource assign (aka Group Mapping) Static ACLs are not displayed.

Impact:
Users are not able to assign Static ACLs with AD and LDAP Group Mapping via VPE.

Workaround:
Static ACLs are assignable with TMSH.

Fix:
Functionality is restored and Static ACLs are being displayed in AD and Ldap Group Resource Assign aka Group Mapping

use:
tmsh modify apm policy agent resource-assign

711570-1 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies

Component: Policy Enforcement Manager

Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names

Conditions:
PEM iRule using subscriber ID to get policy name.

Impact:
Subscriber policy names are not returned.

Workaround:
Use PEM::subscriber config policy get <IP address> instead.

Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.

711547 : Update cipher support for Common Criteria compliance

Component: TMOS

Symptoms:
Default cipher selection may not be compliant with Common Criteria requirements. Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Conditions:
Common Criteria mode active

Impact:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Workaround:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Fix:
Improved Common Criteria compliance in default cipher strings.

711281-3 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.

Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.

711093-2 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.

Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete

710827-4 : TMUI dashboard daemon stability issue

Component: TMOS

Symptoms:
Some dashboard requests may cause a crash of TMUI dashboard daemons, affecting the TMUI dashboard.

Conditions:
Request sent to BIG-IP dashboard.

Impact:
Only the TMUI dashboard goes offline. Other TMUI functionality is not affected by this issue.

Workaround:
None available.

Fix:
Setup a correct exception handling prevented TMUI dashboard service failure.

710705-3 : Multiple Wireshark vulnerabilities

Solution Article: K34035645

710602 : iCRD commands requiring 'root' user access fixed

Component: TMOS

Symptoms:
Some of the iCRD calls that run commands on the base operating system that require elevated permissions would fail because iCRD was not correctly executing the commands in the right context.

Conditions:
Use an iCRD endpoint that requires elevated permissions to succeed.

Impact:
Only impacts iCRD endpoints which run commands that require root access.

Workaround:
There is no workaround at this time.

Fix:
This fix resolves this issue by running the commands with the correct user context.

710424-3 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

Solution Article: K00874337

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.

Conditions:
GTM persistence is enabled.

Impact:
GTMD may occasionally restart.

Workaround:
Disable GTM persistence.

Fix:
GTMD will no longer crash and restart when persistence is enabled.

710327-3 : Remote logger message is truncated at NULL character.

Component: Application Security Manager

Symptoms:
When a request including binary null character has been sent to an remote logger, configured for ASM, the request will arrive to the remote destination and will be truncated exactly at binary NULL character.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.

Impact:
Partial request is logged at the remote logger destination.

Workaround:
None.

Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.

710314-2 : TMM may crash while processing HTML traffic

Component: TMOS

Symptoms:
Under certain conditions, TMM may crash while processing HTML traffic

Conditions:
HTML profile enabled

Impact:
TMM may crash, leading to a failover event

Fix:
TMM now processes HTML traffic as expected

710244-1 : Memory Leak of access policy execution objects

Solution Article: K27391542

710211 : Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.

Component: Access Policy Manager

Symptoms:
Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. The system posts a message similar to the following:

Unable to execute transaction because of: 01071203:3: Caption (XYZ1) of the rule in macrocall (/Common/abc_macro) must be identical to the caption (XYZ2) of terminalout.

Conditions:
-- Using Access Policy.
-- Policy includes one or more macros.
-- There is a macrocall on one of the macros.
-- You attempt to add a new terminal to that macro.

Impact:
Cannot edit macro terminals.

Workaround:
None.

Fix:
Can now edit Terminals of Macro if one or more Macrocalls point to a given Macro.

710148-4 : CVE-2017-1000111 & CVE-2017-1000112

Solution Article: K60250153

709972-4 : CVE-2017-12613: APR Vulnerability

Solution Article: K52319810

709688-5 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733

Solution Article: K08306700

709610-1 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}

-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.

Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.

709334-2 : Memory leak when SSL Forward proxy is used and ssl re-negotiates

Component: Local Traffic Manager

Symptoms:
When looking at tmsh show sys memory you will see
ssl_compat continue to grow and fails to release memory.

Conditions:
-SSL Forward Proxy In use
-SSL Re-negotiations happening

Impact:
Eventually memory reaper will kick in.

Workaround:
There is no workaround at this time.

Fix:
ssl_compat now properly releases connections on re-negotiation.

708956 : During system boots up, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.

Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.

708653-3 : TMM may crash while processing TCP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing TCP traffic

Conditions:
TCP profile enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM processes TCP traffic as expected

708249-4 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0

Fix:
Nitrox_diag utility now uses the -s0 command to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.

708114-3 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

Solution Article: K33319853

Component: Local Traffic Manager

Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.

Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.

708054-3 : Web Acceleration: TMM may crash on very large HTML files with conditional comments

Component: TMOS

Symptoms:
Web Acceleration feature may not handle big HTML file with improper conditional comments inside in some cases. TMM may crash processing such files if Web Acceleration profile is attached to VIP.

Conditions:
- HTML file with conditional comments inside:


- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.

Impact:
TMM crash interrupts all active sessions.

Workaround:
There is no workaround at this time.

Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.

707951 : Stalled mirrored flows on HA next-active when OneConnect is used.

Component: Local Traffic Manager

Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.

Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.

Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.

Workaround:
Disable OneConnect.

Fix:
Stalled mirrored flows no longer appear when OneConnect is used.

707888 : Some ASM operations delayed due to scheduled ASU update

Component: Application Security Manager

Symptoms:
Some ASM operations (such as Apply Policy) are delayed while a scheduled ASU update is in progress. This issue affects only 12.1.3.x from 12.1.3.2 and later.

Conditions:
A scheduled ASM update is in progress on systems running v12.1.3.x.

Impact:
Some ASM operations, such as Apply Policy, are delayed.

Workaround:
There is no workaround at this time.

Fix:
Other ASM operations are no longer blocked by scheduled ASU update.

707675 : FQDN nodes or pool members flap when DNS response received

Component: Local Traffic Manager

Symptoms:
When an LTM pool is configured with FQDN nodes or pool members, the LTM pool and associated virtual server(s) may transition from an UP to DOWN state and back over a period of a few seconds.

Such an event is accompanied by log messages similar to the following:

-- notice mcpd[#]: 01071682:5: SNMP_TRAP: Virtual /Common/vs_test has become unavailable
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from GREEN to RED.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
-- err mcpd[#]: 01020066:3: The requested Pool Member (/Common/Test_Pool /Common/test-dummy.com-12.34.56.78 443) already exists in partition Common.
-- notice bigd[##]: 01060144:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 session status enabled by monitor
-- notice bigd[##]: 01060145:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 monitor status up. [ /Common/mon_test_https: UP ] [ was checking for 0hr:0min:2sec ]
-- notice mcpd[#]: 01071681:5: SNMP_TRAP: Virtual /Common/vs_test has become available
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from RED to GREEN.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.

This symptom repeats each time a DNS query is performed to resolve the FQDN node/pool-member name to its IP addresses, based on the 'interval' value configured for the FQDN node.

This symptom occurs only when the 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Conditions:
-- LTM pool is configured with FQDN nodes or pool members.
-- The 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Impact:
LTM pool and virtual server are briefly and periodically marked DOWN. Traffic may be impacted.

Workaround:
Either of the following methods can be used to work around this issue:

-- Configure static IP addresses instead of FQDN nodes/pool-members.

-- Set the 'autopopulate' value to 'disabled' for the FQDN node/pool-member, if possible (that is, if only one IP address is required/expected to be returned for the FQDN name, which means that the 'autopopulate' feature of FQDN nodes/pool-members is not required).

Fix:
FQDN node/pool-member and corresponding pool and virtual server are no longer briefly marked DOWN when the DNS server is queried to resolve the FQDN name, with the 'autopopulate' feature enabled for the FQDN node/pool-member. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

707447-2 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.

Component: Local Traffic Manager

Symptoms:
SSL SNI mechanism creates a hash containing a mapping between SAN entries in a given profile's certificate and the profile. This hash is owned by the default NI profile, however is held by the other profiles on the VIP without a reference. If a connection utilizes SNI to use a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If then the connection attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault should it have been reused in the meantime (i.e. the contents are invalid).

The fix: When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from
non-default SNI profile, stop the search and return NULL.

Conditions:
SNI configured with one default SNI profile, one or multiple SNI profiles. The default SNI profile is changed and renegotiation with SNI(with non-default SNI profile) is issued.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.

707445 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.

Fix:
Compression device reset recovery made more robust for some compression failures.

707310-1 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records) that the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.

Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.

Workaround:
There is no workaround at this time.

Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.

707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations might CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, they must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

707207-2 : iRuleLx returning undefined value may cause TMM restart

Component: Local Traffic Manager

Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where
its jsonrpc v2.0 representation is missing required fields, such as "result".

Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.

Impact:
Traffic is interrupted.

Workaround:
There is no workaround at this time.

Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.

707147-2 : High CPU consumed by asm_config_server_rpc_handler_async.pl

Component: Application Security Manager

Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.

Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is enountered

Impact:
A process may consume high CPU even after the high traffic period is finished.

Workaround:
Kill asm_config_server.pl (This will not affect traffic)

Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual

706845-1 : False positive illegal multipart violation

Component: Application Security Manager

Symptoms:
A false positive multipart violation.

Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.

Impact:
A false positive violation, request rejected.

Workaround:
Might be workaround using an irule

Fix:
Corrected ASM multipart parsing.

706631 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

Component: Local Traffic Manager

Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.

Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.

-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.

-- Common Criteria mode licensed and configured.

Impact:
A TLS connection succeeds which should fail.

Workaround:
There is no workaround at this time.

Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.

706423-2 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.

Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.

A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)

Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.

Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.

706374-2 : [Kerberos SSO] krb5 library need to use threadsafe res_ninit, res_nsearch instead of res_init, res_search

Component: Access Policy Manager

Symptoms:
Kerberos library uses deprecated and non-threadsafe functions to perform DNS SRV requests.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behaviour such as memory corruption or core. However, the occurence is rare since it only impacts concurrent DNS SRV requests to resolve different kdcs.

Workaround:
There is no workaround.

Fix:
Kerberos library now uses thread-safe functions to perform DNS SRV requests.

706305-2 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled

Component: TMOS

Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.

Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.

Impact:
Inability for the unit to use BGP

Workaround:
Disabling extended-asn-cap or not announcing multiple overlapping aggregate addresses may allow to workaround this issue.

Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled

706128-1 : DNSSEC Signed Zone Transfers Can Leak Memory

Component: Global Traffic Manager (DNS)

Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.

For example:

tmsh show sys memory raw | grep dnssec

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.

Impact:
TMM leaks memory related to the signed zone transfer.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer leaks DNSSEC zone transfer related memory.

706086-1 : PAM RADIUS authentication subsystem hardening

Solution Article: K62750376

705794-1 : Under certain circumstances a stale http2 stream can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
A HTTP2 stream is getting overlooked when cleaning up a HTTP2 flow.

Conditions:
Currently only known is that the closing_stream is not empty. Exact entrance conditions not clear.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
HTTP2 flows are properly cleaned up to prevent a tmm crash.

705611-1 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used

Component: Local Traffic Manager

Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.

Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.

Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.

705503-1 : Context leaked from iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
The memory usage increases, and stats are inaccurate.

Conditions:
Call RESOLV::lookup from an iRule.

Impact:
Memory leak that accumulates over time and inaccurate stats.

Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.

Fix:
Memory leak no longer occurs.

705476-4 : Appliance Mode does not follow design best practices

Component: TMOS

Symptoms:
Appliance Mode does not follow design best practices

Conditions:
Appliance Mode does not follow design best practices

Impact:
Appliance Mode does not follow design best practices

Fix:
Appliance Mode now follows design best practices

704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.

704733-2 : NAS-IP-Address will be sent with the bytes backwards

Component: TMOS

Symptoms:
The NAS-IP-Address will have the address of the local device sent with the bytes backwards (78.56.30.172 where 172.30.56.78 would be expected).

Conditions:
This affects IPv4 addresses only.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.

Fix:
This has been corrected.

704666-2 : memory corruption can occur when using certain certificates

Component: Local Traffic Manager

Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.

Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.

Impact:
TMM could crash.

Workaround:
Do not use certificates with extremely long common names

Fix:
A length check has been added to avoid corruption when using extremely long common names.

704580-3 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP

Component: Access Policy Manager

Symptoms:
Under certain conditions apmd service may restart when processing response from SAML IdP.

Conditions:
BIG-IP is configured as SAML SP. BIG-IP is processing SAML message from IdP

Impact:
Temporarily users will not be able to authenticate agains BIG-IP
until apmd service starts up.

Workaround:
There is no workaround at this time.

Fix:
apmd service will no longer restart when processing messages from IdP.

704524-2 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.

Fix:
Kerberos DNS SRV requests now support EDNS0 so that UDP responses greater than 512 bytes can be received correctly, eliminating the need to re-send the request on TCP.

704490 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003

704483 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003

704381-3 : SSL/TLS handshake failures and terminations are logged at too low a level

Component: Local Traffic Manager

Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).

Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.

Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.

Workaround:
There is no workaround.

Fix:
SSL/TLS handhake failures and terminations are now logged at a higher level (WARNING).

704336-3 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.

Fix:
The fix will now add all the intermediate and root certificate including device certificate to Trusted Server and Trusted Device certificate bundle.

704282-3 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy

Component: TMOS

Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.

Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.

For this to happen, the fair share rate of the instance of dynamic policy has to be less than than 32 times the average packet size of the instance of policy.

For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
F5 does not recommend running the BWC under 64Kbps.

Either decrease the number of subscribers or increase the max-rate of dynamic policy.

Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.

704143-2 : BD memory leak

Component: Application Security Manager

Symptoms:
A BD memory leak.

Conditions:
websocket traffic with specific configuration

Impact:
Resident memory increases, swap getting used.

Workaround:
Make sure the web socket violations are not due to bad websocket URL configuration, that they are turned on in Learn/Alarm or block and that there is a local logger configured and attached.

704073-3 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm

Solution Article: K24233427

Component: Local Traffic Manager

Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.

Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.

Impact:
Log pollution and potential for performance degradation.

Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent

Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.

703984-2 : Machine Cert agent improperly matches hostname with CN and SAN

Component: Access Policy Manager

Symptoms:
Machine certificate agent will match configured host name with actual host name if configured name matches beginning of the actual hostname.

Conditions:
MacOS APM client.

Impact:
Hostname match may be incorrect in these cases.

Workaround:
There is no workaround at this time.

Fix:
In the previous release, the macOS machine cert agent checked only the beginning of the client hostname and certificate common name. The machine cert agent now checks the entire strings.

703940-3 : Malformed HTTP/2 frame consumes excessive system resources

Solution Article: K45611803

703914-1 : TMM SIGSEGV crash in poolmbr_conn_dec.

Component: Local Traffic Manager

Symptoms:
TMM cores in poolmbr_conn_dec function.

Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.

Impact:
TMM core, traffic interruption, possible failover.

Workaround:
Do not use LB::reselect, disable request queueing on a pool associated with the VS.

Fix:
TMM correctly handles LB:reselect on virtual servers with pools using request queueing.

703869-1 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.

703761-1 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode

Component: TMOS

Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.

Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.

Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.

Workaround:
There is no workaround at this time.

Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.

703580 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.

Component: Local Traffic Manager

Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)

Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.

Impact:
TLS1.1 handshake fails on the guest.

Workaround:
Use the same software version on the vCMP host and vCMP guests.

Fix:
TLS1.1 handshake no longer fails running v12.x/v13.x vCMP guest with earlier BIG-IP software version on vCMP host.

703515-5 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
Custom persistence key is not a multiple of 3 bytes

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.

Fix:
All persistence key lengths work as expected.

703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.

Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.

Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.

Workaround:
None.

Fix:
System now provides valid data to Citrix Receiver for Android client.

702946-2 : Added option to reset staging period for signatures

Component: Application Security Manager

Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.

Conditions:
Staging enabled for signatures in policy.

Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.

Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.

Note: Apply policy is required between actions.

Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.

702738 : Tmm might crash activating new blob when changing firewall rules

Solution Article: K32181540

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.

Conditions:
Updating, removing, or adding firewall rules.

Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.

Impact:
Data traffic processing stops.

Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).

Option B
Modify all the rules simultaneously.

For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }

4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.

Fix:
TMM no longer crashes when changing firewall rules.

702490-4 : Windows Credential Reuse feature may not work

Component: Access Policy Manager

Symptoms:
Windows Credential Reuse feature may not work requiring that the EdgeClient end user enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).

The logterminal.txt file contains messages similar to the following:

<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted

Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.

Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.

Workaround:
There is no workaround at this time.

Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.

702487-1 : AD/LDAP admins with spaces in names are not supported

Component: Access Policy Manager

Symptoms:
If admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail, and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.

Note: Names containing spaces are not supported on BIG-IP systems.

Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.

Impact:
VPE, import/export/copy/delete do not work.

Workaround:
There is no workaround other than to not use admin names containing spaces.

Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.

702278-3 : Potential XSS security exposure on APM logon page.

Component: Access Policy Manager

Symptoms:
Potential XSS security exposure on APM logon page.

Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.

Impact:
Potential XSS security exposure.

Workaround:
1. Using APM Advance Customization UI, remove setOrigUriLink(); call in logon.inc from the next JS function:

369 function OnLoad()
370 {
371 var header = document.getElementById("credentials_table_header");
372 var softTokenHeaderStr = getSoftTokenPrompt();
373 if ( softTokenHeaderStr ) {
374 header.innerHTML = softTokenHeaderStr;
375 }
376 setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
377 setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
378 // ===> REMOVE THIS ONE setOrigUriLink();
----

Fix:
Potential security exposure has been removed from APM logon page.

702151-2 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK spec, and cause the connection to be dropped. The garbled header may be correctly formed, but contain incorrect data.

Fix:
The HTTP/2 filter correctly encodes large HTTP headers.

701900 : DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.

Solution Article: K55938217

Component: TMOS

Symptoms:
DHCP-configured domain-name-servers (DNS) unavailable after reboot when there are more than two domain-name-servers in the lease.

Conditions:
- DHCP is enabled on the mgmt interface.
- DHCP server provides more than 2 domain-name-servers in its lease.

Impact:
Name resolution on mgmt interface fails due to misconfiguration in DNS information for mgmt interface.

Workaround:
No workaround at this time.

Fix:
This release corrects the handling of multiple DNS name-servers.

701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

Component: Application Security Manager

Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz ,is saved unnecessarily during UCS file save, and consumes /var disk space.

Conditions:
UCS file is saved.

Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.

Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.

Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.

701626-1 : GUI resets custom Certificate Key Chain in child client SSL profile

Component: TMOS

Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).

Conditions:
This happens in the following scenario:

1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.

Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.

Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false , preventing the issue from occurring.

You can also use tmsh to update parent profile settings to avoid the occurrence of this issue..

Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.

701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled

Component: Local Traffic Manager

Symptoms:
Within an LTM pool containing both FQDN members and members configured with static IP addresses; a statically-configured member that had been disabled (session = user-disabled) and then re-enabled (session = user-enabled) may become disabled again after making other changes affecting the state of other FQDN members of the pool.

Conditions:
This may occur under the following conditions:
- An LTM pool containing a mix of FQDN and statically-configured members.
- A statically-configured pool member is disabled (session = user-disabled) and then re-enabled (session = user-enabled).
- Other changes occur which affect the availability of FQDN pool members.
For example, if a route to an FQDN pool member is deleted and recreated, a previously-disabled statically-configured member may revert to a disabled state.

Depending on circumstances, the issue may only occur once after BIG-IP, TMM, bigd, or a related daemon restarts.

Impact:
A pool member may be unexpectedly disabled after being re-enabled, and thus would not receive traffic.

Workaround:
It may be possible to work around this issue by disabling and re-enabling the statically-configured pool member again.

Fix:
Statically-configured pool members of a pool that also contains FQDN members remain enabled after being manually disabled then re-enabled. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

701359-2 : BIND vulnerability CVE-2017-3145

Solution Article: K08613310

701327-1 : failed configuration deletion may cause unwanted bd exit

Component: Application Security Manager

Symptoms:
Immediately after the deletion of a configuration fails, bd exists.

Conditions:
When deleting a configuration fails.

Impact:
Unwanted bd restart.

Workaround:
None.

Fix:
bd will exit upon a failed configuration only when configured to exit on failure.

701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.

701202-1 : SSL memory corruption

Solution Article: K35023432

Component: Local Traffic Manager

Symptoms:
In some instances random memory can be corrupted causing TMM core.

Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.

Impact:
TMM crash, disrupting traffic.

Workaround:
There is no workaround at this time.

Fix:
The memory corruption issue has been fixed.

700889-2 : Software syncookies without TCP TS improperly include TCP options that are not encoded

Component: Local Traffic Manager

Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.

Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.

Impact:
In one known case, the client was Windows 7 which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not using WS in this case, and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.

Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.

Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.

700862-2 : tmm SIGFPE 'valid node'

Solution Article: K15130240

Component: Local Traffic Manager

Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.

Conditions:
The host is unreachable.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when the host is unreachable.

700812-2 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Component: Application Security Manager

Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.

Conditions:
Try to deploy a qkview on a BIG-IP using the asmrepro tool
while BIG-IP has a 4 element version like 13.1.0.1.

Impact:
Cannot deploy a 4 element version qkview on a BIG-IP using the asmrepro tool.

Workaround:
n/a

Fix:
asmrepro now handles the version number properly.

700783-3 : Machine certificate check does not check against all FQDN hostnames

Component: Access Policy Manager

Symptoms:
macOS machine can be on multiple networks simultaneously, so it might have multiple hostnames. Machine certificate check does not check against all FQDN hostnames. This causes failure in certain scenarios.

Conditions:
-- macOS configuration with multiple hostnames.
-- The 'match FQDN with subject alt name' option is specified for machine certificate check.

Impact:
Machine cert check might fail.

Workaround:
No workaround at this time.

Fix:
Previously, with a macOS system that had multiple hostnames, the machine certificate check could not check against all hostnames, causing failures in some scenarios. Now, the machine certificate check compares all hostnames on macOS devices.

700780-4 : F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses

Component: Access Policy Manager

Symptoms:
F5 DNS Relay Proxy service does not support DNS-over-TCP requests, so if, in some configuration, the client resolver decides to use TCP for DNS resolution, this packet is not re-routed/proxied by the DNS Relay Proxy service, and may be causing DNS to be resolved using an incorrect DNS server (where the system decides to send it).

Typically, if a client receives DNS response with the TC flag set, it retries using TCP. Clearing the TC flag makes client resolver not use TCP at all, preventing DNS packets leakage.

Conditions:
-- DNS server responds with TC flag set in DNS response packet.
-- Windows only is affected.

Impact:
DNS resolution may not work as designed, as the system might send a packet to an incorrect DNS server.

Workaround:
None.

Fix:
Now F5 DNS Relay Proxy service clears TC flag in all proxied packets, preventing client DNS resolvers from using TCP. An appropriate log entry is printed into the service's log.

700726-1 : Search engine list was updated

Component: Application Security Manager

Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily.

Conditions:
Site accessed by search engines.

Impact:
Traffic from search engines is blocked unnecessarily.

Workaround:
Manually add search engines.

Fix:
Search engine list has been updated to reflect current common search engine usage.

700571-2 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE

Component: Service Provider

Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.

Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL

Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.

Workaround:
None.

Fix:
The branch parameter value calculation now remains consistent throughout the connection.

700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled

Component: Application Security Manager

Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.

Note: In order to view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug',
enable 'device discovery' on Chrome on the desktop, and view the console from there.

Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.

Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.

The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extension. However, Chrome on Android/iOS does not support 'chrome-extension'.

Workaround:
Disable Device ID in ASM policy.

Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.

700556-2 : TMM may crash when processing WebSockets data

Solution Article: K11718033

700527-1 : cmp-hash change can hang iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.

Conditions:
An iRule must be in the middle of a call to RESOLV::lookup when a vlan cmp-hash configuration is changed.

Impact:
The iRule call can hang repeatedly.

Workaround:
Restart the TMM. This will interrupt client traffic.

Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.

700433-2 : Memory leak when attaching an LTM policy to a virtual server

Solution Article: K10870739

Component: Local Traffic Manager

Symptoms:
MCP's memory increases when deleting and adding an LTM policy attached to a virtual server.

Conditions:
-- LTM policies must be in use.
-- A policy with at least one rule. (Note: A rule with actions or conditions will leak more memory.)
-- Add the policy to a virtual server.

Impact:
MCP may run slower when memory is low. If all memory is used up, MCP will crash, which will cause a failover or outage.

Workaround:
None.

Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.

700393-2 : Under certain circumstances a stale http2 stream can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
Tmm may crash due to a stale/stalled HTTP2 stream.

Conditions:
http2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.

700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.

Component: Application Security Manager

Symptoms:
Request is blocked by an ASM policy, but the ASM end user does not see the blocking page with a unique support id for the blocked request.

Conditions:
1. ASM policy Asynchronous JavaScript and XML (AJAX) blocking page enabled.
2. ASM policy is working in blocking mode.
3. ASM policy attached to a virtual server.
4. AJAX request has been sent and blocked.

Impact:
ASM end user has no visual indication that there has been a blocked AJAX request.

Workaround:
None.

Fix:
The system now handles Ajax requests being sent via the JQuery framework.

700315-3 : Ctrl+C does not terminate TShark

Solution Article: K26130444

Component: TMOS

Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.

Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.

Impact:
TShark does not exit as expected when pressing CTRL+C.

Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process, by running a command similar to the following: kill -9 'pidof tshark'

Fix:
Ctrl+C now terminates TShark as expected.

700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

Component: Application Security Manager

Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.

Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.

Impact:
Only the latest 10,000 events are deleted.

Workaround:
No work around for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.

Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.

700061-3 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file

Component: Local Traffic Manager

Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key files Unix permission changes from '-rw-r-----' to
'-rw-r--r--'

Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.

Impact:
Key file Unix read permission changes from '-rw-r-----' to
'-rw-r--r--'

Workaround:
There is no workaround at this time.

Fix:
Fix made sure restart of service MCPD and reboot of device does not change key files Unix read permissions from '-rw-r-----' to
'-rw-r--r--'

700057-3 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.

Conditions:
Upgrade or load a .ucs with SSL keys configured.

Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.

Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config

Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.

699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

Component: Application Security Manager

Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.

Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.

Impact:
ASM crash; system goes offline.

Workaround:
Use either of the following workarounds:

-- Remove remote logger.
-- Have response logging for illegal requests only.

Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.

699531-3 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.

Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.

699455-3 : SAML export does not follow best practices

Solution Article: K50254952

699431 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Conditions:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Impact:
The table entry will be remain until the box resets.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.

699346-2 : NetHSM capacity reduces when handling errors

Solution Article: K53931245

699339-1 : Geolocation upgrade files fail to replicate to secondary blades

Solution Article: K24634702

Component: Global Traffic Manager (DNS)

Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.

Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.

Impact:
Geoip database is not updated to match primary blade.

Workaround:
Use either of the following workarounds:

-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.

-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.

To edit /etc/csyncd.conf:

Merge the following two terms:
monitor dir /shared/GeoIP {...)
monitor dir /shared/GeoIP/v2 {...}

into one term, as follows:
monitor dir /shared/GeoIP {
        queue geoip
        pull pri2sec
        recurse yes
        defer no
        lnksync yes
        md5 no
        post "/usr/local/bin/geoip_reload_data"
}

Fix:
Geolocation upgrade files now correctly replicate to secondary blades.

699281 : Version format of hypervisor bundle matches Version format of ISO

Component: TMOS

Symptoms:
Recently F5 incorporated 4th element into versioning scheme. 4th and 5th are separated by dash (instead of dot) in ISO name. This change/bug insures that names of hypervisor bundles also use dash between 4th and 5th elements.

Conditions:
Applies to hypervisor bundles (for example ova files for vmware).

Impact:
Version format in names of hypervisor bundles matches version format of ISO file

Workaround:
Version format in names of hypervisor bundles matches version format of ISO file

Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).

699267-1 : LDAP Query may fail to resolve nested groups

Component: Access Policy Manager

Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).

Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled

Impact:
LDAP Query agent fails.
unable to get user identity.
unable to finalize Access Policy.

Fix:
after fix, LDAP Query resolves all nested groups as expected and session.ldap.last.attr.memberOf attributes contains user's groups

699262-2 : FQDN pool member status remains in 'checking' state after full config sync

Component: Local Traffic Manager

Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.

Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:

tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }

Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.

Workaround:
Restart bigd on the affected peer after the config sync.

Fix:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) no longer shows FQDN pool members stuck in the 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

699147 : Hourly billed cloud images are now pre-licensed

Component: TMOS

Symptoms:
Hourly billed images in cloud environments require outbound internet access to the F5 public license server in order to retrieve a license. This causes some sites with strict network access policies to fail to license.

Conditions:
Using hourly billing.

Impact:
Hourly instances do not receive licenses and thus could not pass traffic without outbound internet access.

Workaround:
Enable outbound internet access when the guest instance is created to allow it to license, then revoke it.

Fix:
Hourly billed cloud images are now pre-licensed and so do not require internet access to receive a license.

699135-2 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.

Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create a iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.

Impact:
tmm cores.

Workaround:
Don't use host command for non type A/AAAA wideips.

698947-1 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.

Component: TMOS

Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.

Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.

Impact:
The decapsulated packets may be dropped in the BIG-IP system.

Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.

698919-1 : Anti virus false positive detection on long XML uploads

Component: Application Security Manager

Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.

Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.

Impact:
Violation is detected where no violation has occurred (false positive violation).

Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.

Note: This workaround will affect the amount of logged data from ASM.

Fix:
Fixed a false positive virus-detected violation related to long XML uploads.

698916-3 : TMM crash with HTTP/2 under specific condition

Component: Local Traffic Manager

Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connnection.

Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.

Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.

698813-3 : When processing DNSX transfers ZoneRunner does not enforce best practices

Solution Article: K45435121

698379-3 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(

Solution Article: K61238215

Component: Local Traffic Manager

Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.

Conditions:
HTTP2 virtual server configured.

Impact:
Uploads for the HTTP2 virtual server might fail intermittently.

Workaround:
None.

Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.

698338-2 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection

Component: Service Provider

Symptoms:
The system may core.

Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.

Impact:
The system cores and will restart.

Workaround:
None.

Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.

698080-1 : TMM may consume excessive resources when processing with PEM

Solution Article: K54562183

698000-1 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupts traffic to connections using a pool member to reach the nexthop.

697878 : High crypto request completion time under some workload patterns

Component: TMOS

Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into associated waiting queue. The crypto requests continue to complete, but are significantly delayed.

Conditions:
High crypto usage often in conjunction with high compression usage.

Impact:
Crypto requests can be delayed as long as 1.5 seconds.

Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
tmsh modify sys db crypto.hwacceleration value disable

Fix:
Improve accelerated crypto poll-timing calculation.

697718-3 : Increase PEM HSL reporting buffer size to 4K.

Component: Policy Enforcement Manager

Symptoms:
Before this fix, PEM HSL reporting buffer size is limited by 512 bytes.

Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.

Impact:
Part of PEM HSL flow reporting information will be lost.

Fix:
We increase PEM HSL reporting buffer size to 4K, which should be enough for uses cases we currently know.

697303-3 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.

696808-3 : Disabling a single pool member removes all GTM persistence records

Solution Article: K35353213

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidently cleared.

Workaround:
Set drain-persistent-requests yes.

Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.

696789-2 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, and the irule is resumed because of timeout.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by iRule resumed by timeout.

696732 : tmm may crash in a compression provider

Solution Article: K54431534

Component: TMOS

Symptoms:
TMM may crash with the following panic message in the log files:

panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.

Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.

Impact:
TMM crashes, Traffic disrupted while tmm restarts.

Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:

tmsh modify sys db compression.strategy value softwareonly

696468 : Active compression requests can become starved from too many queued requests.

Component: TMOS

Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal or higher than 512, and the cur_active remains at zero.

CPU utilization per tmm in this condition may be quite high.

Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.

Impact:
Compression on a per-tmm basis can stop servicing new requests.

Workaround:
Switch to software compression.

Fix:
Soften the restriction so that accumulated contexts with no traffic cannot not prevent busy contexts from getting compression time.

696383-2 : PEM Diameter incomplete flow crashes when sweeped

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by the sweeper.

696294-3 : TMM core may be seen when using Application reporting with flow filter in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM core with flow filter when Application reporting action is enabled

Conditions:
If Application reporting is enabled along with flow filter

Impact:
TMM restart causing service interruption

Fix:
Initialize the application start buffer so as to prevent the TMM core

696265-3 : BD crash

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.

696113-1 : Extra IPsec reference added per crypto operation overflows connflow refcount

Component: TMOS

Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.

Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.

Impact:
Unexpected tmm failover after refcount overflow.

Workaround:
There is no workaround at this time.

Fix:
An object tracking crypto operations now adds a sole reference to the connflow as long as the count of crypto operation pending is nonzero.

696049-3 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Solution Article: K55660303

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.

695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in a potential OOM scenario.

Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM

Impact:
Potential loss of service.

Workaround:
There is no workaround at this time.

Fix:
Freed Diameter messages appropriately.

695901-2 : TMM may crash when processing ProxySSL data

Solution Article: K46940010

695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes

Solution Article: K30081842

Component: Local Traffic Manager

Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.

Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.

FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.

Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:

... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...

Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.

Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.

Fix:
bigd no longer produces corrupted MCP messages, resulting in nodes and/or pool members remaining in a 'checking' state, with up to 2,000 nodes and/or pool members including FQDN nodes and/or pool members configured. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

694922-4 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state

694778-2 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size

Component: Local Traffic Manager

Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).

Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.

Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).

Workaround:
There is no workaround other than to disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources now can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.

694740-1 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.

Fix:
Reboot is delayed until TMM core file is completed.

694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.

694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

Component: TMOS

Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.

Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.

Impact:
Traffic to all other traffic-groups is disrupted for several seconds.

Workaround:
There is no workaround at this time.

Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.

694319-3 : CCA without a request type AVP cannot be tracked in PEM.

Component: Policy Enforcement Manager

Symptoms:
May cause diagnostic issues as not all CCA messages cannot be tracked.

Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP

Impact:
May hamper effective diagnostics.

Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.

Fix:
Add a statistics counter to track CCA's that do not request type AVPs.
Name of new counter:cca_unknown_type

694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

Component: Policy Enforcement Manager

Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.

Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.

Impact:
Subscriber sessions stuck in delete pending resulting in a potential increase in memry consumption over a period of time.

Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.

Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.

694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

Solution Article: K23565223

694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

Fix:
Signature updates are now shown correctly for all versions.

693838 : Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors

Component: Local Traffic Manager

Symptoms:
Member of pool is not marked down when response time exceeds hard limit.

Conditions:
Adaptive monitoring enabled for UDP monitor and server response time exceeds hard limit.

Impact:
Member remains in pool despite exceeding hard limit which may result in degraded services.

Workaround:
None.

693744-3 : High CPU Usage by the TMM Can Cause SOD to Kill vCMP Guests

Solution Article: K64721111

693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled

Component: Access Policy Manager

Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.

Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.

Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.

Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.

Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.

693312-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684

693211-3 : CVE-2017-6168

Solution Article: K21905460

693106-2 : IKEv1 newest established phase-one SAs should be found first in a search

Component: TMOS

Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.

If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BigIP, preferring a newest SA may mitigate the problem.

Conditions:
The situation seems mostly easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.

If the other end deletes a duplicate without sending a DELETE message to BigIP, we might accidently use the older SA of a pair.

Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.

Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.

Fix:
At the momenet a new IKE-SA is established, we now move that SA to the head of the hashmap bucket searched for that remote peer in the future. This makes us more likely to use the newest SA from the perspective of a remote peer, the next time we initiate another phase two negotiation ourselves.

693007-3 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager (DNS)

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.

Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.

Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.

692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

Fix:
TMM no longer crashes with DHCP flow validation.

692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.

692307-1 : User with 'operator' role may not be able to view some session variables

Component: Access Policy Manager

Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.

Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.

Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.

Workaround:
Find this data via clicking on the session ID.

Fix:
User with 'operator' role can now view all expected session variables

692179-3 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.

Fix:
The changes in this bug force errdefsd to check for config changes once every second in addition to checking whenever management-port destination logs come in.

692158-2 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device will leak memory.

Conditions:
Use of iCall or CLI scripts for saving config.

Impact:
Repeated invocation may cause the system to run out of memory causing tmm to restart disrupting traffic.

Workaround:
Do not save the configuration from iCall or CLI scripts.

692123-2 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.

Fix:
The GET method is not grayed out if MobileSafe is not licensed.

692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur of the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.

691897-1 : Names of the modified cookies do not appear in the event log

Component: Application Security Manager

Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie is empty.

Conditions:
A modified domain cookies violation happens.

Note: This can happen only if there are also non-modified or staged cookies.

Impact:
Expected violation details are not displayed.

Workaround:
There is no workaround at this time.

Fix:
Issue with modified domain cookie violation details is now fixed.

691806-3 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Solution Article: K61815412

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.

691670-3 : Rare BD crash in a specific scenario

Component: Application Security Manager

Symptoms:
BD crash or False reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.

691504-3 : PEM content insertion in a compressed response may cause a crash.

Solution Article: K54562183

691498-1 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts, Traffic disrupted while tmm restarts.

Workaround:
No known workaround.

Fix:
The reference counting of the resolver connection was fixed.

691477-1 : ASM standby unit showing future date and high version count for ASM Device Group

Component: Application Security Manager

Symptoms:
Policy builder is changing configuration of standby unit.

Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).

Impact:
Unexpected changes are made to the policy on standby device (CID increment).

Workaround:
Restart pabnagd when switching device from active to standby (also when blade is changed from master no non-master):

killall -s SIGHUP pabnagd

Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.

691287-3 : tmm crashes on iRule with GTM pool command

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').

For example:

when DNS_REQUEST {
pool [string tolower "Test.com"]
}

or:

when DNS_REQUEST {
pool [class lookup pool-dg key-value]
}

Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Pass the 'pool' argument through 'string trim'. For instance:

when DNS_REQUEST {
pool [string trim [class lookup pool-dg key-value]]
}

Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.

691017-1 : Preventing ng_export hangs

Component: Access Policy Manager

Symptoms:
Sometimes ng_export is stuck while reading tmsh thru the pipe because of buffer issues. Export is trying to read more data from tmsh while data is lost in the middle of the read operation.

Conditions:
-- ng_export receives tmsh replies through buffer of constant size x.
-- During the read operation, tmsh returns a buffer size of x minus k, where k is very small random number (less than 50).

Note: K is very small random number, which makes this issue difficult to describe.

Impact:
The export operation hangs.

Workaround:
None.

Fix:
ng_export is now using non-blocking socket and loops to wait for data or terminate gracefully

690819-3 : Using an iRule module after a 'session lookup' may result in crash

Component: TMOS

Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.

Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.

Impact:
The system may core, or result in undefined and/or undesired behavior.

Workaround:
Check the return value of 'session lookup' before using another iRule module.

If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.

690166-3 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains

Component: Global Traffic Manager (DNS)

Symptoms:
Creating SRV wideip will result in stub zone creation even there are already matching zones.

Conditions:
Creating SRV wideip with three more layers than existing zone.

Impact:
Unnecessary stub zones created.

690042-3 : Potential Tcl leak during iRule suspend operation

Solution Article: K43412307

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer leaks memory.

689826-2 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)

Component: Access Policy Manager

Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.

Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.

Impact:
Proxy settings are not applied on client side after VPN is established.

Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.

Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:

1. Set the custom variable name to the following value:
    config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
    Note: <network access resource name> is the name of the network access resource.

2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
    return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
    Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.

3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.

Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.

689730-2 : Software installations from v13.1.0 might fail★

Component: TMOS

Symptoms:
Installation terminates with the following final log messages:

info: updating shared filesystem directories...
progress: 10/100
error: mkdir /mnt/tm_install/3543.JENFeQ/core failed - File exists
Terminal error: Failed to install.

Conditions:
-- BIG-IP Virtual Editions, or the following appliances:
   + i2600
   + i2800
   + i4600
   + i4800
   + i5600
   + i5800
   + i5820
   + i7600
   + i7800
   + i7820
   + i10600
   + i10800
   + i11600
   + i11800

-- Running BIG-IP software v13.1.0 or earlier.
-- Installing BIG-IP software with --instslot option.

Impact:
Installation of new software cannot proceed.

Workaround:
Remove the '/shared/core' symlink, the restart the installation.

Fix:
The installer now properly detects the symlink and proceeds without error.

689577-1 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.

Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.

689449-3 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode where this memory will be released. In the process it is possible that some legitimate connections will killed.

Workaround:
No workaround at this time.

Fix:
BIG-IP no longer attempts to send a response with a configured fallback host in HTTP profile, when a connection is aborted by a client or due to an internal error. It prevents the internal flow to stay in memory after the connection has died.

689089-3 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.

Fix:
The configuration file update logic has been changed to prevent file corruption during update.

688942-3 : ICAP: Chunk parser performs poorly with very large chunk

Solution Article: K82601533

Component: Service Provider

Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.

Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).

Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.

Workaround:
If possible, configure the ICAP server to chunk the response payload in mulitple normal sized chunks (up to a few tens of KB).

Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.

688625-2 : PHP Vulnerability CVE-2017-11628

Solution Article: K75543432

688553-1 : SASP GWM monitor may not mark member UP as expected

Component: Local Traffic Manager

Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.

Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).

This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).

This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).

Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.

Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.

688516-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684

688011-5 : Dig utility does not apply best practices

Solution Article: K02043709

688009-5 : Appliance Mode TMSH hardening

Solution Article: K46121888

687905 : OneConnect profile causes CMP redirected connections on the HA standby

Component: TMOS

Symptoms:
When virtual server uses OneConnect profile in HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and memory leak on high availability (HA) standby systems, including high memory usage on standby units.

Conditions:
-- Virtual server uses OneConnect profile in HA configuration.
-- Mirroring is enabled.
-- BIG-IP platform supports CMP.

Impact:
Redirected connections and memory leak on a standby device.

Workaround:
Remove OneConnect profile from the virtual server.

687759-2 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache

687658-2 : Monitor operations in transaction will cause it to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.

687603-1 : tmsh query for dns records may cause tmm to crash

Solution Article: K36243347

Component: Local Traffic Manager

Symptoms:
tmm experiences segmentation fault.

Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.

Impact:
Core file / system outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm experiences segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.

687534-3 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page

Component: TMOS

Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool

Conditions:
This issue occurs when a pool name contains .. in the name.

Impact:
Cannot add a Member to the pool using the GUI.

Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
tmsh modify ltm pool <pool name> members add { <member info> }

Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.

687353-3 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0

687205-3 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart

Component: Local Traffic Manager

Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.

Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.

Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.

Workaround:
None.

687193-1 : TMM may leak memory when processing SSL Forward Proxy traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may leak memory when processing SSL Forward Proxy traffic.

Conditions:
SSL forward proxy enabled.

Impact:
Increasing memory consumption over time, potentially leading to a TMM crash and failover event.

Workaround:
None.

Fix:
TMM no longer leaks memory when processing SSL Forward Proxy traffic

687128-3 : gtm::host iRule validation for ipv4 and ipv6 addresses

Component: Global Traffic Manager (DNS)

Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.

Conditions:
An AAAA-type wideip with a ipv4 gtm::host iRule, or A-type wideip with an ipv6 gtm::host iRUle.

Impact:
Incorrect host information was being returned.

Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.

Fix:
FIxed issue allowing incorrect gtm::host iRule commands to trigger on incorrect wideip types.

687098 : IPv6 RADIUS servers not supported for remote authentication

Component: TMOS

Symptoms:
Authenticating against an IPv6 RADIUS server is not supported, only an IPv4 server.

Conditions:
This applies to remote authentication to log on to the BIG-IP system for management purposes.

Impact:
Logon operation will time out, as if the server did not respond.

Workaround:
Use an IPv4 server. If you have an IPv6 management IP, then you will need to have the IPv4 server reachable over a dataplane VLAN.

Fix:
Support for IPv6 RADIUS servers has been added.

686972-1 : The change of APM log settings will reset the SSL session cache.

Component: Local Traffic Manager

Symptoms:
If you change the configuration of APM log settings, it might cause the SSL session cache to be reset. Also, subsequent resumption of SSL sessions may fail after such change causing a situation where full ssl handshakes may occur more frequently.

Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.

Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.

Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.

Fix:
The change of APM log settings now limits its effect on APM module instead of affecting other (SSL) module's data.

686926-3 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly

Component: TMOS

Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.

Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.

Impact:
The SA negotiation fails when a responder includes N(cookie) in a SA_INIT response, because a second response appears to have an out-of-order message ID when BIG-IP believe the first message_id of zero was already handled earlier.

Workaround:
None.

Fix:
The BIG-IP system now correctly tracks a need to receive a SECOND response with message_id zero, to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.

686765-1 : Database cleaning failure may allow MySQL space to fill the disk entirely

Component: Application Security Manager

Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.

In /var/log/ts/asm_config_server.log you might see these errors repeatedly:

Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full

Conditions:
This occurs if database cleaning failures occur.

Impact:
Disk will fill up, and you will be unable to modify ASM policies.

686685-1 : LTM Policy internal compilation error

Component: Local Traffic Manager

Symptoms:
To enable maximum performance, LTM Policies undergo a compilation process, where they are transformed to a compact binary representation. An issue was discovered where the transformation is being done incorrectly under certain circumstances.

Conditions:
While not common, certain LTM Policy combinations will be transformed to binary representation where certain internal parameters are incorrect.

Impact:
The tmm process may experience an unexpected restart, or a policy action may not run as expected.

Workaround:
None.

Fix:
LTM Policies are correctly transformed to their high-performance, compact binary representations.

686631-1 : Deselect a compression provider at the end of a job and reselect a provider for a new job

Component: Local Traffic Manager

Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.

Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.

Impact:
It affects the compression provider selection.

Workaround:
None.

Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.

686395 : With DTLS version1, when client hello uses version1.2, handshake shall proceed

Component: Local Traffic Manager

Symptoms:
With DTLS version1, when client hello uses version1.2, handshake fails with error of :unsupported version".

Conditions:
DTLS version1 handshake:
Handshake version 1.0 . (0xfeff)
Client hello version 1.2(0xfefd)

Impact:
DTLS functionalities.

Workaround:
N/A

Fix:
In this case, we shall still proceed to perform handshake instead of bailing out with "unsupported version" error.

686389-3 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag to show HTML5 client option to APM end user only if it has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.

Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.

686307-1 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later

Solution Article: K10665315

Component: Local Traffic Manager

Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.

Note: Without LTM policies in the configuration, monitors upgrade without problem.

Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.

Impact:
Monitors may not work after upgrade.

Workaround:
No workaround at this time.

Fix:
This release addresses the underlying problem so the issue no longer occurs.

686305-2 : TMM may crash while processing SSL forward proxy traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing SSL forward proxy traffic

Conditions:
SSL forward proxy enabled

Impact:
TMM crash leading to a failover event

Workaround:
None.

Fix:
TMM now correctly processes SSL forward proxy traffic

686282-1 : APMD intermittently crash when processing access policies

Component: Access Policy Manager

Symptoms:
APMD process may crash intermittently (rare) when processing access policies.

Conditions:
This rarely encountered issue occurs when any one of the following conditions exist:

-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.

Impact:
APM end users cannot pass access policy, cannot login.

Workaround:
None.

Fix:
APMD no longer intermittently crashes when processing access policies.

686228-3 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.

Impact:
A TMM may core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.

686065-1 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousand of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.

Fix:
The scenario now works as expected and no longer results in a crash.

686029-1 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces

Component: TMOS

Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.

Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.

Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.

Workaround:
None.

Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.

685955 : TMM hud_message_ctx leak

Component: Local Traffic Manager

Symptoms:
There is a TMM memory issue caused by leaked hud_message_ctx objects, each holding a websockets_frame.

Conditions:
Running WebSocket traffic that needs to be processed by a plugin like ASM.

Impact:
Increasing TMM memory usage leading to eventual service outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The memory leak in TMM has been fixed.

685743-3 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.

Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.

685708-3 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Conditions:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.

Fix:
The system will no longer core.

685693 : APM AppTunnels memory leak

Component: Wan Optimization Manager

Symptoms:
Using APM AppTunnels causes a slow memory leak.

Conditions:
Use of APM AppTunnels.

Impact:
The slow memory leak exhaust tmm memory over time. Traffic disrupted when tmm restarts.

Workaround:
None.

Fix:
The memory leak has been corrected.

685615-5 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Solution Article: K24447043

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.

Workaround:
Use transparent mode on the VLAN group.

Fix:
source-mac-address for host traffic is correctly set.

685475-3 : Unexpected error when applying hotfix

Solution Article: K93145012

Component: TMOS

Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIGIP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.

Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.

For example, to apply 'Hotfix-BIGIP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIGIP-11.6.1.0.0.317.iso'.

Impact:
Cannot apply hotfix until the full base image is present.

Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation process again.

Fix:
Issuing a 'install hotfix' command when the base image is not available sends the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.

685467-2 : Certain header manipulations in HTTP profile may result in losing connection.

Solution Article: K12933087

Component: Local Traffic Manager

Symptoms:
HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarding to a pool member. When a virtual server has iRule with a collect command like SSL::collect, it is affected by the HTTP profile processing. Same issue has an option 'Request Header Erase' available in HTTP profile.

Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).

Impact:
TCP connection is reset, and no response is provided to a client.

Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.

Fix:
An issue of a resetting connections due to configuration options 'Insert X-Forwarded-For' and 'Request Header Erase' in HTTP profile no longer happens.

685344-2 : Monitor 'min 1 of' not working as expected with FQDN nodes/members

Component: Local Traffic Manager

Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.

Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.

Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.

Workaround:
To configure a pool with 'min 1 of{...}', specify static pool members, do not use FQDN to configure pool members.

Fix:
A pool with FQDN configured nodes/members and specified with a monitor of 'min 1 of {...}' remains available as long as a single pool member remains up.
This issue is resolved by the FQDNv2 feature re-implementation.

685254-1 : RAM Cache Exceeding Watchdog Timeout in Header Field Search

Solution Article: K14013100

Component: Local Traffic Manager

Symptoms:
SOD halts TMM while RAM cache is processing a header.

Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.

Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.

Workaround:
No workaround at this time.

Fix:
SOD no longer halts TMM while RAM cache is processing a header.

685207-2 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Login to the client IP address and send the ab request.
2. Once the DoS attack starts, sends the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.

685110-3 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Component: Local Traffic Manager

Symptoms:
1. FQDN Node/pools fails to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FDQN nodes/pool members with non-LTM license.

Workaround:
None.

Fix:
Non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.

685020-1 : Enhancement to SessionDB provides timeout

Component: TMOS

Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.

Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.

Impact:
Calls made to SessionDB never return from the remote TMM.

Workaround:
None.

Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.

A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|

Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|

684937-6 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over period of time.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
LRU cache performance no longer drops linearly with the number of caches Kerberos tickets, the latency of HTTP request processing has been significantly improved.

684879-2 : Malformed TLS1.2 records may result in TMM segmentation fault.

Solution Article: K02714910

684414-1 : Retrieving too many groups is causing out of memory errors in TMUI and VPE

Component: Access Policy Manager

Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502 and VPE fails with HTTP 500

Conditions:
LDAP/AD server with over 20,000 groups.

Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.

Workaround:
The only solution is to remove /shared/tmp/gmcache folder and use manual groupmapping.

Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.

684391-1 : Existing IPsec tunnels reload. tmipsecd creates a core file.

Component: TMOS

Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.

Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.

Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.

Workaround:
None.

Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.

684333-3 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using alternate commands, such as the following:
tmm big start restart.

684325-3 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
Access profile having CheckMachineCert agent, while updating profile using 'Apply access policy', each time it leaks 12096 bytes of memory.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
APMD process stops after repeated application of the script.

Workaround:
None.

Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.

684312-2 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Component: Application Security Manager

Symptoms:
During Apply Policy action, bd agent crashes, causing with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

Causing bd and bd_agent processes restart, and causing the machine to go Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart..

Workaround:
None.

Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.

684033-1 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Solution Article: K70084351

683697-3 : SASP monitor may use the same UID for multiple HA device group members

Solution Article: K00647240

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.

The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.

Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.

It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).

Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.

Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030) allows recovery from this condition.

It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.

Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.

683683-1 : ASN1::encode returns wrong binary data

Component: Local Traffic Manager

Symptoms:
ASN1::encode returns incorrect data for certain integer values. For example, for integer 49280, ASN1::encode returns 02030000.

Conditions:
The problem happens in an implicit UTF encoding/decoding, and it is not obvious what data triggers the error.

This is because it implicitly converts the Tcl object type from byte array to string and later back to byte array, but because of the UTF de-coding algorithm, certain bytes get changed.

Impact:
The returned binary is wrong.

Workaround:
Use binary scan for the value that is incorrectly encoded by the command.

Fix:
ASN1::encode ENCODE mode now works so that it avoids the implicit type-conversion byte array to string back to byte array, which gets the original byte array changed during UTF-8 decoding.

683631-1 : TMM crashes during stress test

Component: Local Traffic Manager

Symptoms:
During stress/load testing, with a large number of connections which triggers flow sweeping, TMM restarts.

Conditions:
A large number of connections are seen, which triggers an expansion of the connflow hash table at the same time the connflow sweeper is active.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Connflow removal from the internal hash table is deferred until the entire bucket is processed.

683508-3 : WebSockets: umu memory leak of binary frames when remote logger is configured

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.

Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.

683389-1 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.

Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.

683241-3 : Improve CSRF token handling

Solution Article: K70517410

Component: Application Security Manager

Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.

Conditions:
CSRF is configured.

Impact:
CSRF token handling does not follow current best practices.

Workaround:
None.

Fix:
CSRF token handling now follows current best practices.

683113-6 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.

Websso CPU usage is very high.

The BIG-IP system response can rate drop to the point that the clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.

Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.

682837 : Compression watchdog period too brief.

Component: TMOS

Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.

Conditions:
Very high sustained system-wide compression request traffic.

Impact:
Accelerated compression throughput can drop significantly; some flows dropped.

Workaround:
Switch to software compression.

Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.

682682-3 : tmm asserts on a virtual server-to-virtual server connection

Component: Local Traffic Manager

Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.

Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.

Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.

Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.

682612 : Event Correlation is disabled on vCMP even though all the prerequisites are met.

Component: Application Security Manager

Symptoms:
In GUI screen,

Security ›› Event Logs : Application : Event Correlation

It shows "Event Correlation is not supported on this platform.".

Conditions:
Multi bladed vCMP guest, running on a BIG-IP with SSD drives, having only one available Slot (other Slots appear offline/unavailable).

Impact:
Multi bladed vCMP guest, running on a BIG-IP with SSD drives, having only one available Slot have Event Correlation disabled.

Workaround:
The following workaround does not survive ASM restart.
Thus, it has to be executed after every restart of ASM:
------------------------
# perl -MF5::ASMReady -MF5::Cfg -e 'while (! F5::ASMReady::is_asm_ready()) { print "Waiting for ASM to be ready.\n"; sleep 5; }; print "ASM is ready, patching Event Correlation cfg file\n"; F5::Cfg::cfg_set_config_item(qw{/etc/ts/correlation/correlation.cfg}, qw{General}, qw{Idle}, 0)'

# pkill -f correlation
------------------------

Event Correlation should start with in ~15 seconds, after the execution of this workaround:
------------------------
# ps -elf | grep correlation

0 S root ... /usr/share/ts/bin/correlation
------------------------

682500-1 : VDI Profile and Storefront Portal Access resource do not work together

Solution Article: K03903649

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.

Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.

682335-3 : TMM can establish multiple connections to the same gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.

Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed, if there is an existing connflow, don't start another connection.

682213-3 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.

Workaround:
None.

Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatiblity, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.

In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.

682105 : Adding widget in Analytics Overview can cause measures list to empty out on Page change

Component: Application Visibility and Reporting

Symptoms:
When adding a new widget on Analytics Overview page with multiple modules (e.g., vCMP, Security), it is possible to reach a state in which the list of available measures is empty.

Conditions:
-- All 'available measurements' is selected (moved left).
-- A page should be changed.

Impact:
In some cases (like in vCMP when changing from Network to SynCookies), the list of available measurements will remain empty. Unable to select measures to display in new widget.

Workaround:
To reset the list of measures so that all measures are visible again, switch to another page and return to the previous one right away.

682104-1 : HTTP PSM leaks memory when looking up evasion descriptions

Component: Local Traffic Manager

Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.

Conditions:
When PSM looks up evasion descriptions.

Impact:
Memory leaked each time might eventually cause out of memory to the TMM.

Workaround:
None.

Fix:
This fix will stop the memory leakage.

681850-1 : APMD process may fail to initialize on start either after upgrade or after adding certain configurations

Component: Access Policy Manager

Symptoms:
APMD process may fail at initialization time with errors similar to the following:

-- createAgent - initInstance() failed for agent xxx_saml_auth_ag type (46)
-- Exiting due to failure in loading access policy objects

Conditions:
-- BIG-IP system is configured as SAML SP.
-- Certificate used by configured SAML Agent was imported onto BIG-IP system in DER format.

Impact:
APMD service may become unresponsive, dropping all traffic protected by APM access policies.

Workaround:
Convert DER encoded certificate used by SAML SP agent into PEM format.

Fix:
DER certificate no longer cause APMD process errors at initialization time.

681757-1 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'

Solution Article: K32521651

Component: Local Traffic Manager

Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.

The system records an error message similar to the following in the ltm log file:

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.

Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.

Impact:
Configuration fails to load on upgrade.

Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.

Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.

681710-4 : Malformed HTTP/2 requests may cause TMM to crash

Solution Article: K10930474

681415-1 : Copying of profile with advanced customization or images might fail

Component: Access Policy Manager

Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code' or similar

Conditions:
Access Profile has advanced customization group or customization image assigned to any of object connected to profile.

Impact:
Unable to copy policy.

Workaround:
None.

Fix:
Copying of profile with advanced customization or images now succeeds as expected.

681175-1 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.

Fix:
TMM no longer crashes on routing updates when ECMP is in use.

681109-2 : BD crash in a specific scenario

Solution Article: K46212485

Component: Application Security Manager

Symptoms:
BD crash occurs.

Conditions:
A specific, non-default configuration with specific traffic.

The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.

For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
Content-Type :: *xml* :: form-data

This configuration is likely to result in a very long list of false-positive attack signatures. Because of the big message generated, The regex violation which is also likely to happen on the payload cannot be added to the filled message, which causes the crash.

Impact:
Failover, traffic disturbance.

Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.

A correctly configured header-based-content-profile property on URLs appears as follows:

In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows:
Content-Type :: *form* :: Form Data
Content-Type :: *json* :: JSON
Content-Type :: *xml* :: XML

Fix:
Added a check to prevent a crash in a specific scenario.

680856-3 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector

Component: TMOS

Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):

info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy

Conditions:
A new IPsec tunnel is configured over REST.

Impact:
The newly configured IPsec tunnel does not start.

Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.

Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.

680850-1 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.

Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug

Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.

Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.

Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.

Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.

This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.

With this fix, setting log.zxfrd.level debug no longer outputs this information.

Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.

680838-3 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator

Component: TMOS

Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.

A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.

Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM will no longer restart due to assertion failure.

680755-1 : max-request enforcement no longer works outside of OneConnect

Solution Article: K27015502

Component: Local Traffic Manager

Symptoms:
max-request enforcement does not work when OneConnect is not configured.

Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.

Impact:
max-request enforcement does not work.

Workaround:
Always use OneConnect.

Fix:
max-request enforcement now works when OneConnect is not configured.

680729-3 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

680388-2 : f5optics should not show function name in non-debug log messages

Component: TMOS

Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.

Conditions:
-- BIG-IP is running.
-- Logging thresholds is set to a value other than debug.

Impact:
Log files contain unexpected data.

Workaround:
There is no workaround at this time.

Fix:
With the fix, f5optics is not displaying function names in non-debug logging messages.

680112-1 : SWG-Explicit rejects large POST bodies during policy evaluation

Solution Article: K18131781

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 64 KB limit on POST bodies while the policy is being evaluated.

==> /var/log/apm <==
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during the policy evaluation. After the policy has been set to 'Allow', there is no limit.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
Modify the db variable 'tmm.access.maxrequestbodysize' with a value larger than the maximum post body size you would like to support. The maximum supported value is 25000000 (25 MB).

680069-3 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config★

Solution Article: K81834254

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd cores and restarts.

Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.

Impact:
zxfrd cores.

Workaround:
None.

Fix:
zxfrd no longer cores during transfer while network failure and DNS server removed from DNS zone config.

679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000

Component: TMOS

Symptoms:
Unable to the ping self IP of VCMP guests configured on i5000, i7000, or i10000.

Conditions:
Running TMOS v12.1.3 and VCMP guests configured on i5000, i7000 or i10000.

Impact:
Unable to process client traffic.

Workaround:
No workaround at this time.

Fix:
This issue is fixed.

679603-2 : bd core upon request, when profile has sensitive element configured.

Solution Article: K15460886

Component: Application Security Manager

Symptoms:
bd crash, system goes offline.

Conditions:
ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.

Impact:
System goes offline/fails over.

Workaround:
Remove sensitive elements from the json profile in the ASM policy.

Fix:
ASM now handles this condition so the crash no longer occurs.

679496-1 : Add 'comp_req' to the output of 'tmctl compress'

Component: Local Traffic Manager

Symptoms:
The output of 'tmctl compress' displays the total numbers of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.

Conditions:
Viewing the output of the 'tmctl compress' command.

Impact:
Cannot determine the different types of requests.

Workaround:
There is no workaround at this time.

Fix:
This release now distinguishes between deflate (compression) requests and inflate (decompression) requests, as follows: there is an indicator, 'comp_req', for compression requests. The number of decompression request is tot_req - comp_req.

679494-2 : Change the default compression strategy to speed

Component: Local Traffic Manager

Symptoms:
The current default compression.strategy is 'latency', which does not perform properly, i.e., the provider selection algorithm does not react to load change fast enough.

Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.

Impact:
The work load may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.

Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.

Fix:
The default compression strategy is now set to 'speed'.

679480-1 : User able to create node when an ephemeral with the same IP already exists

Component: TMOS

Symptoms:
If an FQDN ephemeral node exists for a given IP address, the user is still able to create a real node for the same IP address.

Conditions:
This can only be done by the GUI, not by tmsh or iControl REST.

Impact:
This should be prevented, but is allowed.

Workaround:
Avoid creating such a node.

Fix:
Validation now prevents this from happening.

679440-2 : MCPD Cores with SIGABRT

Solution Article: K14120433

Component: Advanced Firewall Manager

Symptoms:
MCPD cores with SIGABRT.

Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.

Impact:
MCPD core.

Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable

Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.

679384-1 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).

Fix:
After the fix, Policy Builder will be aware of all newly added signatures.

679347-3 : ECP does not work for PFS in IKEv2 child SAs

Component: TMOS

Symptoms:
The original racoon2 code has no support for DH generate or compute using elliptic curve algorithms for (perfect forward security).

Additionally, the original interfaces are synchronous, but the only ECP support present uses API with async organization and callbacks, so adding ECP does not work.

Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.

Note: The first child SA is negotiated successfully.

Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.

Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.

Fix:
Full support for ECP as PFS has now been added, so a new child-SA negotiated in a IKEV2EXCH_CREATE_CHILD_SA exchange works as expected for ecp256, ecp384, and ecp512.

679235-5 : Inspection Host NPAPI Plugin for Safari can not be installed

Component: Access Policy Manager

Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.

Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.

Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.

Workaround:
There is no workaround at this time.

Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.

679221-1 : APMD may generate core file or appears locked up after APM configuration changed

Component: Access Policy Manager

Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.

Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.

Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.

Workaround:
None.

Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.

679149-2 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash or LB::server returns unexpected result.

Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.

Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.

679135-3 : IKEv1 and IKEv2 cannot share common local address in tunnels

Component: TMOS

Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.

Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.

Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.

Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.

Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.

Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.

Fix:
Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.

679114-2 : Persistence record expires early if an error is returned for a BYE command

Solution Article: K92585400

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for a any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.

Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.

678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

Solution Article: K24756214

Component: Access Policy Manager

Symptoms:
VDI debug logs print user credentials to /var/log/apm.

Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.

Impact:
User credentials are written to /var/log/apm.

Workaround:
Set VDI debug level to Notice.

Fix:
The system no longer prints user credentials to VDI debug logs.

678925-4 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.

Component: TMOS

Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.

Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.

Then, a connection using the tunnel may cause a TMM crash.

Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.

Impact:
The TMM crashes and traffic is disrupted.

Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.

Fix:
The TMM no longer crashes.

678872-2 : Inconsistent behavior for virtual-address and selfip on the same ip-address

Component: Local Traffic Manager

Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.

Conditions:
Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.

Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.

Workaround:
No workaround.

Fix:
This implements the initialization-order-independent set of rules of whether particular IP address should have ARP/ICMP enabled for multiple maching vaddrs. The lookup is performed from the most fine netmask to the most coarse netmask. If for particular netmask there is no maching vaddr then more coarse netmask is lookedup. Otherwise if any machnig vaddr for particular netmask have ARP/ICMP enabled then IP address will have ARP/ICMP enabled. If none of matching vaddrs for particular netmask have ARP/ICMP enabled the then IP address will have ARP/ICMP disabled.

The rule above have one exception, due to the performance optimizations. If the vaddr have both ARP and ICMP disabled then the vaddr is considered deleted.

678861-3 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★

Solution Article: K00426059

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.

678851-1 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()

Component: Access Policy Manager

Symptoms:
Java applets containing call of getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.

Attempt to call incorrectly patched method causes following exception:
java.lang.VerifyError: (...) Illegal type in constant pool

Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().

Impact:
Affected Java applets cannot be started through Portal Access.

Workaround:
None.

Fix:
Rewritten applets with calls of java.applet.AppletStub interface methods are no longer causing java.lang.VerifyError exception during execution.

678833 : IPv6 prefix SPDAG causes packet drop

Component: TMOS

Symptoms:
If IPv6 prefix SPDAG is turned on, on systems running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3, it can cause packet drops.

Conditions:
Turn on IPv6 prefix DAG.
-- Assign a value other than 128 to sys db tmm.pem.session.ipv6.prefix.len.
-- Running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3.

Impact:
Packet drops.

Workaround:
Turn off IPv6 prefix SPDAG.

678822-3 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Component: Policy Enforcement Manager

Symptoms:
If the PEM subscribers are brought up with diameter apps (Gx/Gy) configured and the PCRF is not reachable since there is no route or simply because there is no license configured for those apps. The Provision pending for sessions will get incremented and never rollback to zero even after the subscribers are cleaned up.

Conditions:
If the route to PCRF/OCS is missing or not reachable.

Impact:
Non-Zero stats for provision pending sessions

Workaround:
Disable the Gx/Gy profile if not required or configure the route.

Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.

678820-2 : Potential memory leak if PEM Diameter sessions are not created successfully.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in reduction in available memory.

Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.

Impact:
Loss of service

Workaround:
There is no workaround at this time.

Fix:
Diameter context is freed in case of a failed Diameter session creation.

678801-2 : WS::enabled returned empty string

Component: Local Traffic Manager

Symptoms:
WS::enabled command returned empty string instead of 0 or 1 for status.

Conditions:
-- WS::enabled command is used to query the status of WebSocket processing.
-- WebSocket and HTTP profiles are configured on the virtual server.

Impact:
Unable to determine the status of WebSocket processing using iRule commands.

Workaround:
There is no workaround at this time.

Fix:
Invoke appropriate method via WebSocket Tcl code.

678722-2 : In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources

Component: Local Traffic Manager

Symptoms:
in SSL-O, due to race condition, TMM may core when SSL forward proxy tries to free up memory usage by releasing certificate resources.

Conditions:
This only happens in SSL-O with SSL forward proxy configured.

Impact:
TMM may restart due to using the wrong free function. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores under these conditions.

678715-1 : Large volume of query result update to SessionDB fails and locks down ApmD

Component: Access Policy Manager

Symptoms:
While writing large query results from AD server to sessionDB using memcache API, write operation fails with partial write.

Conditions:
Large volumes of AD query (with Required 'All Attributes') results from AD server while writing to SessionDB.

Impact:
Operation fails with partial write. All worker threads performing authentication eventually gets locks down. Session watchdog thread eventually make a forced abort to recover from the situation. Apmd restarts in this situation.

Workaround:
Make query for specific attributes not the option 'All Attributes'.

Fix:
Partial write failure has been fixed, by writing remaining parts of the query results in several iterations, till the entire result is written.

678714-3 : After HA failover, subscriber data has stale session ID information

Component: Policy Enforcement Manager

Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session id information

Conditions:
-- HA failover.
-- PEM subscriber.

Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.

Workaround:
None.

Fix:
Subscriber local data is now populated with new, generated session ID information.

678462-2 : after chassis failover: asmlogd CPU 100% on secondary

Component: Application Security Manager

Symptoms:
After a failover in a chassis:

- asmlogd CPU 0% on primary slot (which was secondary before the failover).

- asmlogd CPU 100% on secondary (which was primary before the failover).

Without traffic running through the chassis.

Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.

Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.

Workaround:
There is no workaround at this time.

Fix:
The asmlogd process now better handles chassis failovers during which the chassis slots change roles (primary/secondary), so this issue no longer occurs.

678416-2 : Some tmm/umem_usage_stat counters may be incorrect under memory pressure.

Component: Local Traffic Manager

Symptoms:
After the BIG-IP system experiences severe memory pressure, the 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table incorrectly show extremely high values.

Conditions:
The BIG-IP system experiences enough memory pressure that slabs are transferred between threads.

Impact:
The 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table do not reflect actual values. However, there is no functionality issue as a result. This is a cosmetic issue only.

Workaround:
None.

Fix:
The system now manages better under memory pressure so that the tmm/umem_usage_stat counters correctly reflect actual values.

678388-3 : IKEv1 racoon daemon is not restarted when killed multiple times

Solution Article: K00050055

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.

Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.

Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.

Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd

Fix:
Fixed tmipsecd so it correctly tracks whether the IKEv1 racoon daemon is still running or needs a restart. This also covers odd timing, such as killing racoon right after it starts.

678293-1 : Uncleaned policy history files cause /var disk exhaustion

Solution Article: K25066531

Component: Application Security Manager

Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.

Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.

Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.

Impact:
/var disk usage is high.

Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:

----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { next unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------

Manually verity the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.

In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.

678228-1 : Repeated Errors in ASM Sync

Solution Article: K27568142

Component: Application Security Manager

Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.

Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM enabled Device Group

Impact:
Any future attempts at building a sync file will continue to fail.

Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.

Fix:
Remnants of failed sync files are now correctly cleaned up before building a new one.

677962-3 : Invalid use of SETTINGS_MAX_FRAME_SIZE

Component: Local Traffic Manager

Symptoms:
When BIG-IP negotiates settings over HTTP/2 connection, it adopts a value of peer's SETTINGS_MAX_FRAME_SIZE parameter as its own.

Conditions:
A virtual is configured with HTTP/2 profile.

Impact:
BIG-IP may accept a DATA frame with size above 16,384 bytes violating RFC.

Workaround:
There is no workaround at this time.

Fix:
BIG-IP no longer accepts DATA frames with sizes exceeding a default value of 16,384 bytes.

677958-2 : WS::frame prepend and WS::frame append do not insert string in the right place.

Component: Local Traffic Manager

Symptoms:
When WS::frame prepend and WS::frame append are used together in the same event, the strings are not inserted in the right place.

Conditions:
-- Both WS::frame prepend and WS::frame append commands are present in the same iRule event.
-- WebSocket and HTTP profile are configured on the virtual.
-- Client/server send and receive WebSocket frames.

Impact:
The user-supplied string is not inserted in the right place when sent to the end-point.

Workaround:
None.

Fix:
Separate buffers were now used for append and prepend, instead of reusing the same buffer.

677937-1 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Solution Article: K41517253

Component: TMOS

Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.

Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).

Impact:
No connectivity between the client and the server.

Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.

677928-2 : A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.

Component: TMOS

Symptoms:
A wrong source MAC address may be used in the outgoing IPsec encapsulated packets when the BIG-IP VE system is operated in Azure.

Conditions:
The BIG-IP VE system is first deployed in Azure with a single NIC. After the first reboot and then power off, a second NIC is added to the BIG-IP system. Then, an IPsec tunnel is configured to associate with a selfip on the second NIC.

Impact:
The Azure environment or a remote device may drop the outgoing IPsec encapsulated packets from the BIG-IP system because the source MAC address of the packets is wrong.

Fix:
The source MAC address of the outgoing IPsec encapsulated packets from the BIG-IP system is set correctly.

677525-3 : Translucent VLAN group may use unexpected source MAC address

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

Fix:
Translucent VLAN group no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.

677473-1 : MCPD core is generated on multiple add/remove of Mgmt-Rules

Component: Advanced Firewall Manager

Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.

Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).

Impact:
The BIG-IP system might become unusable for few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
MCP no longer crashes, and other dependent daemons no longer restart. The BIG-IP system remains operational in both control-plane (tmsh/GUI) and data traffic processing.

677457 : HTTP/2 Gateway appends semicolon when a request has one or more cookies

Solution Article: K13036194

Component: Local Traffic Manager

Symptoms:
With an HTTP/2 profile, a virtual server on a BIG-IP system receives requests and handles cookies converting those into a cookie-string. The BIG-IP system concatenates the cookie pairs with semicolon (%3B) and a space (%20) in the cookie-string. This delimiters pair also is appended to the last cookie pair.

Conditions:
HTTP/2 profile is configured on a virtual server and a request contains one or more cookies.

Impact:
The request forwarded to a backend server contains an extra semicolon at the end of cookie-string.

Workaround:
Use an iRule to remove an extra delimiter if it negatively impacts backend server performance.

For example:

when HTTP_REQUEST {
if {[HTTP::header value "Cookie"] contains ";"}
{
set new_header [string range [HTTP::header "Cookie"] 0 end-2]
log local0.notice "$new_header"
HTTP::header replace "Cookie" $new_header
}
}

Fix:
Virtual server with HTTP/2 profile no longer appends extra delimiter to a cookie-string when it forwards the request to HTTP/1.x backend server.

677400-3 : pimd daemon may exit on failover

Solution Article: K82502883

Component: Local Traffic Manager

Symptoms:
When multicast traffic is passing on a high availability (HA) pair, the pimd daemon on the unit that transitions to standby may exit and drop a core file.

Conditions:
-- Multicast routing configured.
-- PIM-Sparse Mode configured.
-- HA failover configuration.

Impact:
None. The system that goes active will reconverge, and multicast traffic will resume.

Workaround:
No workaround required.

Fix:
The pimd daemon no longer exits when an HA failover occurs.

677193-2 : ASM BD Daemon Crash.

Solution Article: K38243073

677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

Component: Local Traffic Manager

Symptoms:
When HTTP2 connection's parameters are negotiated, either side may report about its limits in SETTINGS type frame where one of the parameters SETTINGS_MAX_HEADER_LIST_SIZE determines a maximum size of headers list it is willing to accept. BIG-IP incorrectly interchanged this parameter with another one called SETTINGS_HEADER_TABLE_SIZE, limiting value of the former one to 32,768.

Conditions:
HTTP2 is configured and an opposite endpoint (user agent using HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.

Impact:
BIG-IP doesn't accept the value and terminates the connection using GOAWAY frame with PROTOCOL_ERROR as a reason.

Fix:
BIG-IP no longer generates an error due to this issue and allows value for SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.

677088-4 : Qkview does not follow current best practices

Component: TMOS

Symptoms:
Qkview does not follow current best practices

Conditions:
Qkview does not follow current best practices

Impact:
Qkview does not follow current best practices

Fix:
Qkview now follows current best practices

677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Component: Access Policy Manager

Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.

Conditions:
This occurs when following conditions are met:

- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.

Impact:
APM logs plain text password when debug logging is turned on for access policy.

Workaround:
None.

Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.

676982-2 : Active connection count increases over time, long after connections expire

Solution Article: K21958352

Component: Local Traffic Manager

Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.

Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile
functionality.

Impact:
- Service may be impacted after a period.
- TMM instances may restart.

Workaround:
None.

Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.

676914-1 : The SSL Session Cache can grow indefinitely if the traffic group is changed.

Component: Local Traffic Manager

Symptoms:
If there are entries in the SSL Session Cache, and the traffic group is changed, the cache might grow indefinitely.

Conditions:
-- SSL is configured.
-- Session cache has a limit on the number of entries. --
After entries are made into the session cache, the traffic group is then changed.

Impact:
Eventually all memory will be consumed causing TMM to restart. Traffic disrupted while tmm restarts.

Workaround:
Disable the session cache.

As an alternative, after changing the traffic group, restart TMM.

Fix:
Changing the traffic group no longer causes the session cache to grow.

676897-1 : IPsec keeps failing to reconnect

Solution Article: K25082113

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
This release corrects this issue.

676828-2 : Host IPv6 traffic is generated even when ipv6.enabled is false

Solution Article: K09012436

Component: Local Traffic Manager

Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.

Conditions:
sys db ipv6.enabled is false.

Impact:
Extraneous IPv6 traffic from the the BIG-IP system.

Workaround:
None.

Fix:
IPv6 traffic now properly observes the ipv6.enabled sys db variable.

676808-2 : FPS: tmm may crash on response with large payload from server

Component: Fraud Protection Services

Symptoms:
A request to a unprotected FPS URL may cause tmm crash if response payload is large and the URL was configured via live update.

Conditions:
1. Page is not protected.
2. Large response payload (e.g.,50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
FPS will check for fast response situation and will act accordingly.

676721-2 : Missing check for NULL condition causes tmm crash.

Solution Article: K33325265

Component: Local Traffic Manager

Symptoms:
Missing check for NULL condition causes tmm crash.

Conditions:
One possible route involves load balancing failure, but there may be other paths leading to this crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM correctly checks for NULL condition to prevent the crash.

676690-3 : Windows Edge Client sometimes crashes when user signs out from Windows

Component: Access Policy Manager

Symptoms:
In rare cases Windows Edge Client may crash when user signs out from Windows

Conditions:
User signs out from Windows or restarts Windows while EdgeClient is running and VPN is established

Impact:
No functional impact, user see a message box with error block sign out process. When the user closes the message box, sign out process continues.

Fix:
Previously, in some instances, the Edge Client on Windows would crash when the user signed out of Windows. This has been fixed.

676457-3 : TMM may consume excessive resource when processing compressed data

Solution Article: K52167636

676416-2 : BD restart when switching FTP profiles

Component: Application Security Manager

Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.

Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.

Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.

Workaround:
There is no workaround at this time.

Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.

676355-2 : DTLS retransmission does not comply with RFC in certain resumed SSL session

Component: Local Traffic Manager

Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.

Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.

Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.

Workaround:
None.

Fix:
The FINISHED messages are saved before transmitting the Cavium encrypted FINISHED message, and starting the DTLS re-transmit timer. When the re-transmit timer expires, the CCS plus FINISHED messages will be retransmitted.

676203-1 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.

Component: TMOS

Symptoms:
TMM memory usage suddenly increases rapidly.

Conditions:
The inter-blade mpi connection fails and does not recover.

Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.

Workaround:
None.

Fix:
Inter-blade mpi connection now continues as expected, without memory issues.

676092-1 : IPsec keeps failing to reconnect

Component: TMOS

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
The system now correctly handles these conditions so the issue no longer occurs.

676028-2 : SSL forward proxy bypass may fail to release memory used for ssl_hs instances

Solution Article: K09689143

Component: Local Traffic Manager

Symptoms:
TMM leaks memory used for ssl_hs instances when using SSL forward proxy when bypass is enabled.

Conditions:
The leak can be triggered by iRules, where a duplicate forward proxy lookup is initiated and interferes with the initial asynchronous lookup.

Impact:
TMM will core after running out of memory, which impacts availability.

Workaround:
None.

Fix:
Resolved by preventing duplicate forward proxy lookup.

675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding

Component: Policy Enforcement Manager

Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently, if the requests from those flows are outstanding

Conditions:
If the http request from the subscriber is outstanding when the new flow is triggered

Impact:
PEM insert content pem_acton will be enabled on multiple flows till the first response is received

Fix:
Throttle insert content action on new flows only to periodic interval if the transaction is outstanding.

675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running

Component: TMOS

Symptoms:
Creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error, however they do become deployed with Status or 'running'.

Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.

Impact:
5th guest and beyond result in an error.

Workaround:
None.

Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.

675866-1 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO

Component: Access Policy Manager

Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.

Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.

Impact:
Cannot access the Kerberos-protected resources.

Workaround:
None.

Fix:
Tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.

675775-2 : TMM crashes inside dynamic ACL building session db callback

Component: Access Policy Manager

Symptoms:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time may cause TMM restart in dynamic ACL building session db callback.

Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Guard against NULL pointer dereference for dynamic ACL build.

675718-1 : IPsec keeps failing to reconnect

Component: TMOS

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
Corrected an environmental problem with the racoon daemon.

675539-1 : Inter-system communications targeted at a Management IP address might not work in some cases.

Component: Global Traffic Manager (DNS)

Symptoms:
Inter-system communications fail to connect to a BIG-IP system using the Management IP address.

Conditions:
This occurs if the device connection is configured between a Self IP address on one BIG-IP system and the Management IP address on another.

This occurs because the big3d daemon acts as a proxy, listening on the Management IP address and will send proper SSL connections (using SNI) to TMM (since TMM does not listen on the Management IP address).

This is not an issue if either of the following is true:

-- If the source of the connection is coming from the Management IP,
the connection is clear text. (Not SSL encrypted and thus does not use SNI)

-- The destination of the connection is a Self IP address, because TMM (via an iRule) will
handle the connection.

Impact:
Device sync operations do not work.

Workaround:
Do not use the Management IP address for between-device communications.

Fix:
The big3d proxy properly handles SSL SNI connections on the Management IP address.

675399-3 : Network Access does not work when empty variables are assigned for WINS and DNS

Solution Article: K14304639

Component: Access Policy Manager

Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.

Conditions:
If the admin configures empty values for WINS or DNS in the Variable Assign agent in the VPE.

Impact:
The system does not parse the XML tags correctly. Users may not be able establish VPN tunnel.

Workaround:
Do not leave the DNS or WINS values empty in the Variable assign Agent.

Fix:
APM now correctly handles the condition where an empty string is assigned for WINS and/or DNS in the Variable Assign policy agent.

675232-3 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered -

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify it's active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy.

That can be done via GUI and starting from from v13.0 via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------

Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.

675212-3 : The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication

Component: Local Traffic Manager

Symptoms:
Under specific conditions, the BIG-IP system allows clients through (that otherwise should be rejected) as part of SSL Client Certificate Authentication.

Conditions:
This issue occurs when the Trusted Certificate Authority specified in the Client-SSL profile is expired.

Note: The client's certificate must be valid and trusted for the SSL handshake to continue.

This issue purely deals with how the BIG-IP system treats the validity period of the signing Certificate Authority.

Impact:
F5 has reviewed this issue and has not classified it as a Vulnerability. However, F5 recognizes this issue may have a Security Exposure depending on how the BIG-IP system is utilized.

Please observe that the issue here is not validation of the expiration time in the client's certificate. The issue here is handling of the expiration field in the certificate the BIG-IP system explicitly trusts, the so-called 'trust anchor'. In most cases, the trust anchor is a self-signed certificate.

It is important to understand that the expiration field in trust anchors has no clear meaning, and even utilities such as OpenSSL historically treated this field in different ways.

After completing its review, F5 has decided the correct and best behavior for the BIG-IP system is to reject the SSL handshake when the Trusted Certificate Authority has expired.

The impact of this issue will vary greatly based on your deployment and type of business. In most cases, continuing to allow clients through past the validity of the Certificate Authority may be the behavior you expect or one that carries no negative consequences.

However, if you obtained the Certificate Authority from a third party and expected the client certificates signed by that authority to stop working when its validity period expires, this will not happen because of this issue.

Workaround:
F5 recommends that you renew (or obtain renewed copies of) Certificate Authorities that are about to expire and that you want the BIG-IP system to continue trusting.

F5 recommends that you remove from the BIG-IP system Certificate Authorities that are about to expire and that you do not plan to renew or continue trusting.

This will ensure the BIG-IP system behaves optimally on versions affected by this issue.

Fix:
The BIG-IP system now correctly handles the validity period of Trusted Certificate Authorities used for SSL Client Certificate Authentication.

674931 : FPS modified responses/injections might result in a corrupted response

Component: Fraud Protection Services

Symptoms:
in case a connection was congested and FPS tries to send additional egress (modifying the response, e.g. injections) the order of the response sending might break if this send is successful (i.e congestion just ended). instead of sending the buffered data first (response part that was buffered due to congestion), FPS tries to send the new data first and only than will send the buffered data.

Conditions:
- congested connection
- FPS sends modified response (e.g. injections)
- sending egress succeeded (congestion ended)

Impact:
response is corrupted - order of data has erroneously changed

Workaround:
N/A

Fix:
FPS will handle this case correctly, first sending buffered data then sending the new egress.

674909-3 : Application CSS injection might break when connection is congested

Component: Fraud Protection Services

Symptoms:
Large CSS files configured for phishing protection injection in FPS (not fictive websafe CSS files) may be truncated upon response to client.

Conditions:
Inject into Application CSS enabled in Anti-Fraud Profile » Advanced » Phishing Detection

Large CSS file such as bootstrap files configured for Application CSS Locations.

Network congestion engaging TMM flow control.

Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. May break application functionality.

Workaround:
1) Remove affected large files from Application CSS Locations.

or

2) Disable Inject into Application CSS entirely.

Fix:
FPS now handles the case where injecting to application css was interrupted by congestion.

674747-2 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted,
however.

Workaround:
None.

Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.

674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow

Component: Policy Enforcement Manager

Symptoms:
If an outstanding flow with periodic insertion pem_action is very long, it prevents new flow matching the same rule from adding inert content pem_action even for a new periodic interval

Conditions:
If the outstanding flow with insert content pem_action spans multiple periodic interval.

Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.

Workaround:
Long flows and short flows need to have separate rule configured

Fix:
New flows will add content insertion, if the new flow request falls in the new periodic interval.

674593-1 : APM configuration snapshot takes a long time to create

Component: Access Policy Manager

Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.

notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up

Conditions:
The issue happens if an access profile contains many resources, the resulting configuration
snapshot will have even more configuration variables.

Impact:
TMM will run out of memory If the issue persists. User will not be able to log in due to profile not found error similar to the following:

err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found

Workaround:
None.

Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.

674576-4 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.

Conditions:
VIP-VIP configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer produces a core with a 'no trailing data' assert.

674527-1 : TCL error in ltm log when server closes connection while ASM irules are running

Component: Application Security Manager

Symptoms:
TCL error in ltm log, for example:
TCL error: /Common/bug <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error. invoked from within "ASM::severity"

Conditions:
1. ASM irules are attached.
2. There was already one request passed to the web-server
3. Server closes connection.

Impact:
Error in ltm log.

674515 : New revoke license feature for VE only implemented

Component: TMOS

Symptoms:
Prior to this version, the license revoke feature was not implemented/available.

Conditions:
With out revoke implemented, the feature is simply not available.

Impact:
Licenses cannot be revoked and hence re-used.

Fix:
With this feature implemented, VE licenses can be revoked and then re-used on different VE.

674494-1 : BD memory leak on specific configuration and specific traffic

Solution Article: K77993010

Component: Application Security Manager

Symptoms:
RSS memory of the bd grows.

Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.

Fix:
Freeing up the remote loggers data when deciding not to log remotly.

674455-7 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS

Component: TMOS

Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.

Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r

Impact:
Serial console baud rate settings are incorrect. Uses the bios baud rate on the console.

Workaround:
When booting, edit the grub kernel line to include console=ttyS0.

Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.

Fix:
tmidiag has been fixed to not strip out console=ttyS0.

674410-3 : AD auth failures due to invalid Kerberos tickets

Solution Article: K59281892

Component: Access Policy Manager

Symptoms:
User can not login.

Conditions:
- AAA AD server is configured on BIG-IP.
- AD Auth/Query agent is used in Access Policy.
- Cached Kerberos ticket is invalid or backend AD server is not reachable for some reason

Impact:
AD Auth/Query fails. APM end user won't be able to take successful branch in Access Policy.

Workaround:
None.

Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.

674320-2 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems

Solution Article: K11357182

Component: TMOS

Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:

notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59

Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)

Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).

Impact:
Configuration on peer systems in a device group does not get saved after a sync.

Workaround:
Manually save the configuration on peer systems after a sync.

Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.

674288-2 : FQDN nodes - monitor attribute doesn't reliably show in GUI

Solution Article: K62223225

Component: TMOS

Symptoms:
When creating more than one node with FQDN configured with monitors, monitors are not displayed in the GUI properly.

Conditions:
Create more than one node with FQDN configured.

Impact:
The previously created FQDN node does not display monitors in the GUI. However, the subsequently created FQDN node does display the correct monitors.

Workaround:
Use tmsh to view monitors for Nodes with FQDN configured.

Fix:
Node page now displays the correct monitors for nodes configured with FQDN.

674189 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0

Solution Article: K52320548

674004-1 : tmm may crash when after deleting pool member in traffic

Solution Article: K34448924

Component: Local Traffic Manager

Symptoms:
tmm may crash when after deleting pool member that is processing traffic.

Conditions:
-- Two or more pools share the same node as pool member.
-- A pool member (with the shared node) is deleted while traffic is passing.
-- Connpool is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes when after deleting pool member while traffic is passing.

673951-4 : Memory leak when using HTTP2 profile

Solution Article: K56466330

Component: Local Traffic Manager

Symptoms:
Memory continues to grow despite reduced volume of traffic. Large number of spdy_frame and xdata allocated.

Conditions:
Virtual server configured with HTTP2 profile.

Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.

Workaround:
None.

Fix:
Virtual server configured with HTTP2 profile no longer leaks memory.

673814-4 : Custom bidirectional persistence entries are not updated to the session timeout

Solution Article: K37822302

Component: Service Provider

Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.

Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.

Impact:
The persistence timeout will prematurely time out.

Workaround:
Set the transaction timeout to the session timeout value.

Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.

673748-1 : ng_export, ng_import might leave security.configpassword in invalid state

Solution Article: K19534801

Component: Access Policy Manager

Symptoms:
If import/export of Access Profile or Access Policy results in an error, security.configpassword may retain temporary not <null> state, which can cause problems when the config is saved or loaded using the sys save config or sys load config commands.

Conditions:
Import or export of Access Profile or Access Policy fails with an error.

Impact:
Passwords in .conf might get mangled.

Workaround:
Set the security.configpassword db variable using the following command:
modify sys db security.configpassword value "<null>"

673717-1 : VPE loading times can be very long

Component: Access Policy Manager

Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.

Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.

Impact:
Policies with thousands of entries can take tens of seconds or more to load.

Workaround:
None.

Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.

673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if pem and classification profiles are detached and re-attached to the Listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the right session id storage associated with the subscriber

673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if the request/response for that http transaction get interleaved by another subscriber request. This happens when more than one subscriber is using the same policy rule

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.

673621-2 : Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.

Component: Local Traffic Manager

Symptoms:
Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.

Conditions:
Set ca-file to 'none' in the clientssl profile.

Impact:
Chain is still sent.

Workaround:
None.

Fix:
Chain certificate is no longer sent to the client when both ca-file and chain certificate are removed from the clientssl profile.

673607-2 : Apache CVE-2017-3169

Solution Article: K83043359

673595-2 : Apache CVE-2017-3167

Solution Article: K34125394

673484-1 : IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO

Solution Article: K85405312

Component: TMOS

Symptoms:
IPsec IKEv2 tunnels cannot be established when the remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child Security Association (SA) establishment. This parameter is commonly sent by ASA devices.

Conditions:
-- IPsec IKEv2 with ASA peer.
-- Remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child SA establishment.

Impact:
IKEv2 IPsec tunnels cannot be established with ASA peer.

Workaround:
Use IKEv1.

Fix:
During IPsec IKEv2 child SA establishment, the BIG-IP will ignore the NON_FIRST_FRAGMENTS_ALSO notification and will continue to establish the SA.

673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber

Component: Policy Enforcement Manager

Symptoms:
Immediately after the classification rule associated with a static subscriber is updated and if the action list has Insert content, the first periodic insert content action fails for the subscribers. Subsequent Insert content action will proceed as expected

Conditions:
Update of the classification rule associated with the subscribers.

Impact:
First periodic Insert content action, immediately succeeding after the update of the classification rule will fail.

Workaround:
bigstart restart tmm, after updating the classification rule with insert content action will fix the issue

Fix:
Update the record count associated with the subscriber during eval.

673463-2 : SDD v3 symmetric deduplication may start performing poorly after a failover event

Solution Article: K68275280

Component: Wan Optimization Manager

Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may start performing poorly for some file transfers.

Conditions:
This issue occurs when all of the following conditions are met:

1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) The far side BIG-IP HA configuration (from the perspective of the client performing the download) is failed over.
4) Clients attempt to download files that had previously been transferred through the BIG-IP units.

Impact:
Symmetric deduplication is severely impacted (virtually no hits) for files that had previously been transferred through the units. This causes the amount of data transmitted over the WAN to increase. Files that were not transferred previously through the units are not affected by this issue.

Workaround:
To eliminate the impacted symmetric deduplication condition, restart the receiving (i.e., the near) side.

Fix:
SDD v3 symmetric deduplication no longer performs poorly after a failover event.

673399-1 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.

Component: Local Traffic Manager

Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. Subsequent GET request from client is dropped.

Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. Subsequent GET request from client is dropped.

Impact:
Connection is reset.

Workaround:
Disable Websockets profile on the virtual server.

Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.

673165 : CVE-2017-7895: Linux Kernel Vulnerability

Solution Article: K15004519

673129 : New feature: revoke license

Component: TMOS

Symptoms:
A different license is required for each Virtual Edition (VE) instance.

Conditions:
Creating new instances of VE.

Impact:
Cannot reuse an existing VE license.

Workaround:
None.

Fix:
For Virtual Edition (VE) BIG-IP systems, licenses can now reused by other VE instances by revoking an active license on one and installing it on another.

Behavior Change:
Revoke license is a new feature so that licenses can be reused for other virtual edition configurations.

To revoke a license using tmsh, run the following command:
tmsh revoke sys license registration-key <reg-key-number>

The system responds with the following confirmation prompt:
Revoking the license will return this BIG-IP to an unlicensed state. It will stop processing traffic. Are you sure? Y/N:

When you type y, the system revokes the license and returns a response similar to the following:
License successfully revoked
[root@bigip11:LICENSE INOPERATIVE:Standalone] config # Jul 17 12:04:28 bigip11 emerg mcpd[5144]: 01070608:0: License is not operational (expired or digital signature does not match contents).

673078-1 : TMM may crash when processing FastL4 traffic

Solution Article: K62712037

673075-1 : Reduced Issues for Monitors configured with FQDN

Component: Local Traffic Manager

Symptoms:
Monitors configured using FQDN might experience several edge cases in some deployment environments. For example, you might experience issues with FQDN-configured monitors when used in environments with volatile/unstable DNS servers, or when network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'. In such cases, the monitor may experiences delay in rotating to the next available DNS server. This is due to complex edge cases that exist within the initial FQDN monitor implementation, where anomalous behavior is aggravated through some network configurations.

Conditions:
Monitors are configured using FQDN, and one-or-more environment conditions exist such as: Unstable DNS servers (i.e., 'flapping' DNS), or the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'.

Impact:
The monitor will not be updated with information from the (new) DNS server when the previous DNS server becomes unavailable. Other monitor behavior will continue to function normally.

Workaround:
In some cases network configuration can be changed to avoid these edge cases, such as: Ensuring stable DNS servers with only periodic rollovers to backup DNS servers; ensure network ICMP packets are routable back to 'bigd'. Alternatively, monitors may be configured without using FQDN.

Fix:
Monitors configured using FQDN behave as expected in volatile environments, such as those with flapping DNS servers and where ICMP packets for unreachable DNS servers are non-routable back to 'bigd'.

673052-2 : On i-Series platforms, HTTP/2 is limited to 10 streams

Component: Local Traffic Manager

Symptoms:
On i-Series platforms, HTTP/2 is limited to 10 streams by licensing.

"HTTP2 limited to 10 concurrent streams: Web Accelerator feature not licensed." appears in /var/log/ltm

Conditions:
Using an i-Series platform where WAM is unlicensable.

Impact:
HTTP/2 performance may be less than desired

Fix:
It is possible to configure HTTP/2 with more than 10 streams on i-Series platforms.

672988-2 : MCP memory leak when performing incremental ConfigSync

Solution Article: K03433341

Component: TMOS

Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen tmctl utility to watch the umem_alloc_80 cache over time.

This leak occurs on the device that is sending the configuration.

Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.

Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.

Workaround:
None.

Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.

672868-1 : Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly

Component: Access Policy Manager

Symptoms:
Portal Access server-side JavaScript parser may work incorrectly if JavaScript code includes non-whitespace control characters inside text constants.

Conditions:
JavaScript code with non-whitespace control characters (0x00..0x08, 0x0E..0x1B, 0x7F..0x9F) inside text constants.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now JavaScript code with non-whitespace control characters can be processed by Portal Access.

672815-2 : Incorrect disaggregation on VIPRION B4200 blades

Component: TMOS

Symptoms:
During startup of the bcm56xxd daemon, the LTM log shows BCM SDK errors containing the string 'SDK error Invalid parameter'. IP fragments fail to be reassembled. The reassembly time out triggers and the flow is killed.

Conditions:
-- After startup as long as the SDK errors occur.
-- Running on VIPRION B4200 blades.

Impact:
TCP connections and UDP datagrams which have fragmented packets are killed or dropped.

Workaround:
There is no workaround that will process fragments correctly.

Fix:
Incorrect disaggregation on VIPRION B4200 blades has been corrected.

672695-1 : Internal perl process listening on all interfaces when ASM enabled

Component: Application Security Manager

Symptoms:
ASM configuration processes are available on unprotected network interfaces.

Conditions:
ASM provisioned

Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance

Workaround:
None

Fix:
ASM-config Event Dispatcher now listens only on protected interfaces

672667-4 : CVE-2017-7679: Apache vulnerability

Solution Article: K75429050

672504-1 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests

Workaround:
None.

Fix:
Dramatically improved algorithm, to remove significant delay in deletions.

672491-2 : net resolver uses internal IP as source if matching wildcard forwarding virtual server

Solution Article: K10990182

Component: Global Traffic Manager (DNS)

Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.

Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.

Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.

Impact:
Failed DNS queries as a result of incorrect source IP address.

Workaround:
None.

Fix:
This issue was resolved by ensuring listener lookup only matches the exact IP addresses, no-wildcards.

672301-2 : ASM crashes when using a logout object configuration in ASM policy

Component: Application Security Manager

Symptoms:
bd daemon crash and writes a core file in the /shared/core directory.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.

Impact:
System goes offline for a few seconds, failover occurs.

Workaround:
Remove logout object configuration from ASM policy.

Fix:
The system now handles this condition.

672250-1 : SessionDB update from ApmD with large volume fails

Component: Access Policy Manager

Symptoms:
While writing large amounts of data to sessionDB using memcache API, the write operation fails with partial write.

Conditions:
Large volumes data writing to SessionDB via memcache API.

Impact:
All worker threads performing authentication eventually get locked down. Session watchdog thread eventually makes a forced abort to recover from the situation. ApmD restarts in this situation.

Workaround:
Control write to sessionDB with a smaller data size.

Fix:
Partial write failure has been fixed, by writing remaining part(s) of query results in several iteration(s), until entire result is written.

672124-3 : Excessive resource usage when BD is processing requests

Solution Article: K12403422

672040-3 : Access Policy Causing Duplicate iRule Event Execution

Component: Access Policy Manager

Symptoms:
iRule event gets triggered twice in clientless mode when access policy is executed.

Conditions:
This only occurs when using iRule in clientless-mode.

Impact:
HTTP_REQUEST event is logged twice in /var/log/ltm.

See below example:

when HTTP_REQUEST {
  HTTP::header insert {clientless-mode} 1
  set myCount [expr {$myCount + 1}]
  log local0. "Count is $myCount"
}

LTM logs:
-----------

Jul 3 12:29:35 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 1
Jul 3 12:29:36 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 2

When this iRule is used, you will see duplicate HTTP_REQUEST with increased count in logs. If this count is used in further calculation, it gives you incorrect result.

Fix:
HTTP_REQUEST iRule event is no longer executed multiple times when using APM clientless-mode.

672008-1 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds

Solution Article: K22122208

Component: Local Traffic Manager

Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when clock rolls over to 1,000,000 microseconds exactly. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.

Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00

Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.

Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.

Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.

Fix:
The timestamp field is now formatted correctly for microseconds and seconds values. Seconds now correctly increment when microseconds equal 1,000,000.

671999-2 : Re-extract the the thales software everytime the installation script is run

Component: Local Traffic Manager

Symptoms:
If Thales has already been installed on the BIG-IP system, installing a new version does not overwrite the existing installed version.

Conditions:
/shared/nfast exists on the BIG-IP system before installing the Thales client software.

Impact:
The old version of the software will be used in the installation operation, instead of the expected new version of the software.

Workaround:
You can use either or both of the following workarounds before running the installation script:

-- Run the uninstallation script.
-- Delete the /shared/nfast folder.

Fix:
The Thales installation script now always extracts the Thales software in /shared/thales_install and overwrites the /shared/nfast directory.

Behavior Change:
Thales HSM installation script always overwrites the /shared/nfast directory.

671935-2 : Possible ephemeral port reuse.

Solution Article: K64461712

Component: Local Traffic Manager

Symptoms:
When selecting server-side source ports, the BIG-IP system favors ephemeral ports in the upper range.

Conditions:
Source ports, different from the client side, may be reselected. This is always the case when the virtual server's 'source-port change' option is enabled.

Impact:
If server connections are in the TIME_WAIT state and connection recycling is not configured, the server might reset the connection, reusing ports.

Workaround:
Disable the virtual server's 'source-port change' option to use the same source port as the connecting client.

Fix:
Now, even when the virtual server's 'source-port change' option is enabled, the system uses the same source port as the connecting client.

671920-1 : Accessing SNMP over IPv6 on non-default route domains

Component: TMOS

Symptoms:
The SNMP daemon cannot send traps to a non-default route domain destination. However, it can respond to SNMP requests over from a client that is accessed through a non-default route domain path for IPv4. For IPv6 this does not work.

Conditions:
SNMP access over IPv6 on a client accessed through a non-default route domain does not work.

Impact:
Access to SNMP must be through default route domain for IPv6.

Fix:
With this bug fix you can access SNMP from an IPv6 client on a non-default route domain. There is no plan to allow traps to be delivered to destinations on a non-default route domain.

671675-1 : Centralized Management Infrastructure: asm_config_server restart on device group change

Component: Application Security Manager

Symptoms:
If device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group the ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group

Conditions:
A device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group.

Impact:
ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group

Workaround:
Wait 30 seconds between leaving an ASM enabled device group before joining a different one.

Fix:
Successive changes to ASM sync enabled device group are handled correctly.

671638-4 : TMM crash when load-balancing mptcp traffic

Solution Article: K33211839

671627-1 : HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.

Solution Article: K06424790

Component: Access Policy Manager

Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.

Conditions:
HTTP response without body processed by Portal Access

Impact:
Most browsers ignore invalid 'Transfer-Encoding' header and/or body for responses which must not include body at all. And yet, some traffic validators may refuse to pass invalid responses.

Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.

Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.

671597-1 : Import, export, copy and delete is taking too long on 1000 entries policy

Component: Access Policy Manager

Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.

Conditions:
When access policy has 1000+ entires.

Impact:
Import, export and copy are abandoned or fail due to out of memory condition.

Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.

Fix:
ng_export speed has been improved 5 times
ng_import and ng_profile are working 50 times faster because of avoiding denormalisation and optimisation

ng_export is still should be used from the console.

671373-2 : urldb core seen

Component: Access Policy Manager

Symptoms:
Due to having multiple threads, terminating and destroying the database can cause the crash. The main thread does not wait for others to exit before trying to destroy the database.

Conditions:
SWG is provisioned and re-provisioned after the config has loaded.

Note: This core is very rare (it is intermittent and timing-dependent).

Impact:
urldb cores. Since it was in the process of being shut down for the re-provisioning anyway, this has little to no impact.

Workaround:
There is no workaround at this time.

Fix:
urldb no longer cores SWG is provisioned and re-provisioned after the config has loaded.

671337-1 : NetHSM DNSSEC key creation can attempt to change the SELinux label on a file

Component: Local Traffic Manager

Symptoms:
A log message such as type=AVC msg=audit(1498506868.354:3786): avc: denied { relabelfrom } for pid=7567 comm="mv" name="_Common_zsk_127000B6DC9454EACB50A1FD2073C5F5314F.key" dev="dm-15" ino=80012 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:mcpd_tmp_t:s0 tclass=file
can appear in the logs.

Conditions:
When a NetHSM DNSSEC key is created in a temporary directory and is trying to change the SELinux label on a file without permissions.

Impact:
SELinux error will be logged

Fix:
Allow netHSM script via MCPd to relabel files

671326-2 : DNS Cache debug logging might cause tmm to crash.

Solution Article: K81052338

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache debug logging might cause tmm to crash.

Conditions:
This occurs when the following conditions are met:

-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.

Fix:
DNS Cache debug logging no longer causes tmm to crash.

671314-4 : BIG-IP system cores when sending SIP SCTP traffic

Solution Article: K37093335

Component: TMOS

Symptoms:
Virtual servers with an SCTP profile and a SIP message-routing profile may crash the TMM.

Conditions:
This flaw affects virtual servers that pass SCTP traffic, where the SIP message-routing profile has the record-route option enabled.

Impact:
TMM crashes and fails over, disrupting traffic processing. Traffic disrupted while TMM restarts.

Workaround:
Remove the record-route option, or change the traffic to use TCP or UDP instead of SCTP.

Fix:
This crash has been fixed.

671228-1 : Multiple FQDN ephemeral nodes may be created with autopopulate disabled

Component: Local Traffic Manager

Symptoms:
Multiple FQDN ephemeral nodes may be created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records for the FQDN, and bigd is restarted.

Conditions:
This may occur when:
1. An FQDN node is configured with autopopulate disabled.
2. The DNS server returns multiple address records for the FQDN.
3. There is a pool configured to use the FQDN node.
4. bigd is restarted (such as when the system goes offline or tmm restarts).

Impact:
Multiple FQDN ephemeral nodes may be created unexpectedly.

Workaround:
Configure the FQDN node with autopopulate enabled.

Fix:
Multiple FQDN ephemeral nodes are no longer created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records, and bigd is restarted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

671149-3 : Captive portal login page is not rendered until it is refreshed

Component: Access Policy Manager

Symptoms:
Sometimes Edge Client shows an error page for captive portal-redirected URLs.

Conditions:
Some captive portal pages use cloud-based authentication and network management. Such captive portals rely on several HTTP redirects and/or HTML (auto-refresh). Sometimes Edge Client fails to download the page/content from the redirected URL. In such scenarios, a full browser re-attempts and successfully downloads and displays the page, but Edge Client does not re-attempt and shows an error page.

Impact:
For the locked client, an APM end user has no access to the internet until captive portal authentication is performed and the Network Access (VPN) tunnel is created.

Workaround:
None.

Fix:
Edge Client now has a retry mechanism to access and display captive portal login pages in case the first attempt fails.

671082-1 : snmpd constantly restarting

Solution Article: K85168072

Component: TMOS

Symptoms:
sod is restarting snmpd, which also produces a core.
SNMP clients are unable to walk the ifTable.

Conditions:
snmpd takes too long processing a request for the ifTable because there are a large amount of VLANs or VLAN groups configured.

Impact:
SNMP requests will not receive replies while snmpd is restarting.
SNMP clients are not able to walk the ifTable.

Workaround:
None.

Fix:
Significantly reduced the time it takes snmpd to process requests for the ifTable when the number of VLANs or VLAN groups is high.

671052-3 : AFM NAT security RST the traffic with (FW NAT) dst_trans failed

Solution Article: K50324413

Component: Advanced Firewall Manager

Symptoms:
In certain cases, destination translation fails with the following message: reset cause '(FW NAT) dst_trans failed'.

Conditions:
This issue may be seen with Source/Destination translation.

Impact:
Destination translation failure. In most of the cases, TMM restart resolves the issue. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fix addresses a case where one of the fields was not initialized.

670910-2 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined

Component: Access Policy Manager

Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.

Conditions:
This might occur when using the following definition:

<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
<-->xmlns:s="library://ns.adobe.com/flex/spark"
<-->width="100%" height="100%"
<-->minWidth="256" minHeight="64"
<-->creationComplete="initApp()">
<--><s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
<--><--><s:TextInput id="f_output" text="..." width="100%" />
<--><--><fx:Script><![CDATA[
<--><--><-->import flash.external.ExternalInterface;
<--><--><-->private function initApp():void {
<--><--><--><-->f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
<--><--><-->}
<--><-->]]></fx:Script>
<--></s:VGroup>
</s:Application>

Impact:
Flash application malfunction.

Workaround:
None.

Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.

670822-3 : TMM may crash when processing SOCKS data

Solution Article: K55225440

670816-2 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters

Solution Article: K44519487

Component: Local Traffic Manager

Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.

Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.

Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.

Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

670814-2 : Wrong SE Linux label breaks nethsm DNSSEC keys

Component: Local Traffic Manager

Symptoms:
In /var/log/ltm:

(_Common_thales_key) create failed, retry attempt 1 [nfgk_new: Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied mv: cannot stat `/shared/tmp/_Common_thales_key': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_req': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_selfcert': No such file or directory str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=1024 embedsavefile="_Common_thales_key" plainname="_Common_thales_key" digest=sha256] rfs-sync: error from NFastApp_Connect `(null)': Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied No updates. Update done. Create key pair done. ].

or the output of the following command:

ausearch -m AVC,SELINUX_ERR -ts recent

time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.574:24190): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffd059e2720 a2=6e a3=7ffd059e2470 items=0 ppid=3310 pid=3311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="generatekey" exe="/shared/nfast/tcl/bin/generatekey" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.574:24190): avc: denied { write } for pid=3311 comm="generatekey" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.600:24191): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd9dbc33a0 a2=6e a3=7ffd9dbc30f0 items=0 ppid=3313 pid=3316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rfs-sync" exe="/shared/nfast/bin/rfs-sync" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.600:24191): avc: denied { write } for pid=3316 comm="rfs-sync" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----

Conditions:
trying to use a thales nethsm for DNSSEC

Impact:
cannot create DNSSEC keys protected by a thales nethsm

Workaround:
chcon -R --reference=/var/run/rd0.sock /shared/nfast/sockets/

NB: you should also apply the workaround for BZ671337 as well. It's almost certain that if this bug exists, that bug also exists.

Fix:
SE LInux labels no longer prevent the creation of thales-protected nethsm DNSSEC keys

670804-2 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP

Solution Article: K03163260

Component: Local Traffic Manager

Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.

Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified accept when used with OneConnect on a virtual server.

Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.

670405-4 : K20486351: glibc vulnerability CVE-2017-1000366:

Solution Article: K20486351

670400-3 : SSH Proxy public key authentication can be circumvented in some cases

Component: Advanced Firewall Manager

Symptoms:
SSH Proxy public key authentication might be circumvented in some cases, allowing a user without the appropriate private key in to the back-end end SSH server.

Conditions:
Public key authentication is being used to authenticate users.

Note: This issue affects only public key authentication, so if additional forms of authentication are being used, the additional security that they provide will not be impacted.

Impact:
Unauthorized access.

Workaround:
A suggested workaround is to configure the back-end SSH server to require 2-factor authentication, or 3-factor authentication. This can be done by adding both publickey+password and publickey+keyboard-interactive as Required Authentications in the configuration file for the back-end SSH server.

See the list below of supported client method orders. Also, keep in mind that the back-end server must support all 3 authentication methods (public-key, password, and keyboard-interactive), as an existing constraint of the current SSH proxy functionality.

One cosmetic item to note is that, when multi-factor authentication is used, regardless of the result of the validity check of the public-key, the SSH proxy will report a 'failed' authentication to the client. However, the returned 'failed' code is merely cosmetic: the actual result of the validity check is what is used to determine whether or not the authentication succeeded.

-------
Supported client method orders:

publickey,keyboard-interactive
publickey,password
publickey,keyboard-interactive,password
publickey,password,keyboard-interactive

Any other combination of authentication methods will fail.

Fix:
Implemented stricter error handling in authentication checking.

670011-2 : SSL forward proxy does not create the server certchain when ignoring server certificates

Component: Local Traffic Manager

Symptoms:
Forward proxy not working correctly when the server certificates are ignored. SSL forward proxy does not create the server certchain when ignoring server certificates, this prevents the client side from trusting the server cert and the SSL handshake hangs and fails after timeout.

Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.

Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.

Workaround:
None.

Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.

669974-1 : Encoding binary data using ASN1::encode may truncate result

Solution Article: K90395411

Component: Local Traffic Manager

Symptoms:
When using ASN1::encode to encode one or more values, and where the encoding of any of these values results in a representation containing a NUL ('\x0') byte, the overall result that is presented to the iRule does not include the entire set of encoded values and is truncated at the first NUL byte.

Conditions:
-- Using ASN1::encode with binary values (e.g., INTEGER).
-- Encoded results contain a NUL ('\x0') byte.

Impact:
Encoding results in the wrong/truncated value.

Workaround:
It is possible to encode the problematic values using an alternative method.

Fix:
ASN1::encode now correctly encodes binary values.

669888-2 : No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96

Component: TMOS

Symptoms:
The BIG-IP does not differentiate between IPv4 addresses (such as 1.2.3.4) and IPv6 addresses in the prefix ::ffff:0:0/96 (such as ::ffff:102:304, also written ::ffff:1.2.3.4). If you enter such an IPv6 address, the equivalent IPv4 address will be rendered and used.

Conditions:
Any attempt to use an IPv6 address in that subnet.

Impact:
The BIG-IP system will operate as if you entered the IPv4 address.

Workaround:
No workaround at this time.

Fix:
The differing addresses now are handled correctly. For most modules, this does not change the functionality at all. AFM is one exception; IPv6 traffic in the ::ffff:0:0/96 subnet will be treated differently than IPv4 traffic.

669818-2 : Higher CPU usage for syslog-ng when a syslog server is down

Component: TMOS

Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.

Conditions:
A remote log server is added but it is not available.

Impact:
Potentially higher than expected CPU usage.

Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.

669739-1 : Potential core when using MRF SIP with SCTP

Solution Article: K71963740

Component: Service Provider

Symptoms:
The system may core when using SCTP with MRF SIP if the outgoing connection receives more messages than it can process.

Conditions:
-- SCTP with MRF SIP configured.
-- Outgoing connection receives more messages than it can process.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
With SCTP with MRF SIP, the system better handles conditions when the outgoing connection receives more messages than it can process, so the system does not core and restart.

669510-2 : When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.

Component: Access Policy Manager

Symptoms:
- When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.

Conditions:
- Allow local DNS servers' option is enabled in Network Access configuration.
- Prohibit routing table changes during Network Access connection option is enabled in Network Access configuration.
- Network changes after VPN is established.

Impact:
- Network access tunnel is dropped due to routing table changes.

Workaround:
User needs to connect to VPN again.

669462-1 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition

Component: TMOS

Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/

Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool

Impact:
Unable to use pool-members from /Common/ when outside of /Common/

Workaround:
No workaround at this time.

Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/

669459-2 : Efect of bad connection handle between APMD and memcachd

Component: Access Policy Manager

Symptoms:
When a connection handle (fd) between apmd and memcachd gets bad (someone else is using or already closed by memcachd), all worker threads gets locked out. A cleaner thread then restart APMD with an assert.

Conditions:
This is difficult to reproduce. It happens if one or more connection handle between apmd worker thread and memcachd gets misused.

Impact:
APMD gets locked down , eventually restart with a core.

Workaround:
None.

Fix:
Communication between APMD and TMM has been improved to be more tolerant of error conditions.

669415-1 : Flow eviction for hardware-accelerated flow might fail

Component: TMOS

Symptoms:
In rare cases, evicting a hardware-accelerated ePVA flow might fail. Under normal conditions, this flow eventually idles out of the ePVA, but if traffic happens to be generated over the flow, then it can stay in the ePVA indefinitely, even if there is no software connection context for this connection.

Conditions:
A virtual server using a FastL4 profile.

Impact:
A connection becomes stuck in the ePVA. Traffic might be disrupted if tmm restarts.

Workaround:
Disable hardware acceleration.

Fix:
This release has updated the process for evicting a connection from the ePVA.

669364-1 : TMM core when server responds fast with server responses such as 404.

Component: Fraud Protection Services

Symptoms:
TMM core when server responds fast with server responses such as 404.

Conditions:
-- FPS gets a request with a WebSafe URL (usually global URL - declared by signatures update).
-- Server response is fast (based on URL/headers).
-- FPS need to take some action on response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles these conditions without a tmm crash.

669359 : WebSafe might cause connections to hang

Component: Fraud Protection Services

Symptoms:
In a loaded environment, FPS might free a connection context without cleaning up the state.

Conditions:
This occurs in a loaded environment (xoff events present).

Impact:
A connection might stall until abandoned by client.

Workaround:
None.

Fix:
when freeing a connection context, FPS will clear internal egress state.

669341 : Category Lookup by Subject.CN will result in a reset

Component: Access Policy Manager

Symptoms:
Category Lookup Agent is unable to find the Subject.CN, so it initiates an SSL Handshake failure.

==> /var/log/apm <==
crit tmm[11181]: 01790602:2: [C] 10.20.100.1:11980 -> 10.11.10.101:443: (ERR_NOT_FOUND) Error processing URL Classification query from CatEngine

Conditions:
Category Lookup agent configured to use Subject.CN. May also apply if a Category Lookup agent is configured to use SNI, but the client does not send an SNI, resulting in the agent trying to use the Subject.CN.

Impact:
Cannot use Subject.CN as a data source for category lookup agent.

Workaround:
None.

Fix:
The category lookup agent is now able to find the Subject.CN.

669288-3 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.

Solution Article: K76152943

Component: TMOS

Symptoms:
From tmsh, running util unix-ls /var/log fails with the following error:

exception: (Failed to canonicalize "/shared/f5optics/images") (util/RealpathHelper.cpp, line 49), continuing...
Data Input Error: /var/log is not an accessible directory for the current mode.

Conditions:
-- A BIG-IP system configured for Appliance mode.
-- Upgrading from a pre-v12.x to v12.x or later.
-- Using a platform that does not have a /shared/f5optics/images directory.

These include the following BIG-IP blades and appliances:
B4400, i4x00, i10x00, i2x00, i7x00, i5x00

Impact:
There is no shell access to the file system when the BIG-IP system is in Appliance mode. This is the intended purpose of Appliance mode. Therefore, unix-* commands are the only way to list directories, and perform other operations specific to the operating system.

Workaround:
To work around this issue, create the /shared/f5optics/images directory. To do so, do the following:

1. Boot the BIG-IP system into single-user mode.

2. Create the directory /shared/f5optics/images with the following command:
mkdir -m 777 -p /shared/f5optics/images.

3. Reboot the BIG-IP system, and allow it to start up normally.

Fix:
The reported exception does not occur, and unix-* commands commands issued in Appliance mode run as expected.

669268 : Failover in the same availability zone of AWS may fail when AWS services are intermittently available.

Component: TMOS

Symptoms:
Intermittently available AWS services may lead to failure of curl requests to AWS or ec2 tools commands, resulting in failure of failover. As a result, public EIPs (for virtual servers) might remain pointing to the standby BIG-IP system.

Conditions:
AWS services are intermittently available.

Impact:
Failure of failover. Traffic will be routed to the standby BIG-IP system and lost.

Workaround:
Manually fail the systems over till failover succeeds at the desired BIG-IP system.

669262-2 : [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record

Solution Article: K91122850

Component: Global Traffic Manager (DNS)

Symptoms:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA, resulting that zone is not treated as reverse zone.

PTR is not available from the 'Type' dropbox menu when creating new resource record for that zone:
DNS :: Zones : ZoneRunner : Resource Record List :: New Resource Record.

Conditions:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA.

Impact:
Cannot create PTR resource record for the created reverse zones.

Workaround:
Create reverse zones exactly ending with .arpa.

669255-2 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms

Solution Article: K20100613

Component: TMOS

Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:

- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.

Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:

- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade

Impact:
The BIG-IP system operates at a suboptimal performance level.

Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.

Fix:
Performance is no longer degraded on certain platforms when the configuration includes enabled sFlow receivers.

669154-1 : Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.

Solution Article: K25342114

Component: Access Policy Manager

Symptoms:
Adding new SAML IdP configuration object containing empty attribute values via tmsh may cause tmm to restart.

Conditions:
New SSO SAML configuration contains one or more attribute values containing a session variable, following by another empty value "", for example:

multi-values { "%{session.ad.last.attr.name}" "" }

Note: This is not a valid configuration: empty values must not be provided in the list of SAML attributes.

Impact:
TMM may restart when new configuration is added. Traffic disrupted while tmm restarts.

Workaround:
Remove empty attribute values from configuration.

Fix:
SAML object validation has been improved so that empty SAML SSO object attribute values will no longer be accepted.

669025-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Solution Article: K11425420

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs usually is are the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
There is no workaround at this time.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.

668883 : FQDN pool member status may become out-of-sync when enabled/disabled through GUI

Component: Local Traffic Manager

Symptoms:
After toggling enable/disable on an FQDN pool member through the GUI, an FQDN pool member status may become 'out-of-sync', and the pool member might process connections opposite to its status. Specifically: 'disabled' might accept connections, and 'enabled' might not accept connections. In this state, the FQDN pool member appears to be exactly 'one-message-behind' for an enable/disable status change made in the GUI.

The FQDN pool member status for enabled/disabled is always correctly displayed in the GUI and in tmsh, and behavior is correctly restored after a system reboot. Other pool members are unaffected.

Conditions:
-- BIG-IP systems configured for high availability (HA).
-- At least three members within an FQDN pool.
-- Use the GUI to toggle enable/disable state on a FQDN pool member.

Impact:
The FQDN pool member does not correctly participate in receiving connections to the pool when in this error state. Other pool members remain unaffected.

Workaround:
Change FQDN pool to statically assign members.

Fix:
Toggling FQDN pool member between 'enable/disable' correctly changes that member's participation for accepting connections within its parent pool. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

668802-3 : GTM link graphs fail to display in the GUI

Solution Article: K83392557

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
The GTM graphs are available as expected.

668623-5 : macOS Edge client fails to detect correct system language for regions other than USA

Solution Article: K85991425

Component: Access Policy Manager

Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.

Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).

Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.

Workaround:
Run one of the following command on the Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Customization of the following items for Edge client now correctly reflect the region's language selection.

-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.

668522-1 : bigd might try to read from a file descriptor that is not ready for read

Component: Local Traffic Manager

Symptoms:
The bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).

Impact:
The bigd process might consume excessive CPU resources for for various amounts of time.

Single monitor probes might fail. Depending upon the timing of these failures, it might be possible to see monitor flapping when multiple probes for a specific monitored object happen to fail.

Workaround:
None.

Fix:
An issue was resolved where the bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

668521-2 : Bigd might stall while waiting for an external monitor process to exit

Component: Local Traffic Manager

Symptoms:
The bigd process restarts due to a hearbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)

High system load makes this more likely to occur.

Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.

Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.

Fix:
bigd no longer stalls while waiting for an external monitor process to exit.

668503-3 : Edge Client fails to reconnect to virtual server after disabling Network Adapter

Component: Access Policy Manager

Symptoms:
1. Connect to an APM Virtual Server.
2. Disable Network Adapter.
3. Enable the Network Adapter.

Edge Client fails to reconnect.

Conditions:
Network Adapter is disabled and re-enabled.

Impact:
Edge Client does not re-establish VPN when Network Adapter is re-enabled.

Workaround:
Disconnect and Connect Edge Client.

Fix:
Edge Client now successfully reconnects to virtual server after disabling and enabling Network Adapter.

668501-2 : HTTP2 does not handle some URIs correctly

Solution Article: K07369970

668419-1 : ClientHello sent in multiple packets results in TCP connection close

Solution Article: K53322151

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system receives ClientHello messages in multiple fragments, and the first fragment length is smaller than 8 bytes, SSL might process it as a non-SSL packet.

Conditions:
-- The system receives ClientHello messages in multiple fragments.
-- The first fragment length is smaller than 8 bytes.

Impact:
SSL might process the first fragment as a non-SSL packet, and discard it, and then tear down the TCP connection.

Workaround:
None.

Fix:
Now, if the system receives the ClientHello message in multiple fragments, and the first fragment is smaller than 8 bytes, the system waits for the whole SSL packet to arrive before processing it.

668352-2 : High Speed Logging unbalance in log distribution for multiple pool destination.

Component: TMOS

Symptoms:
Remote High Speed Logging may send logs in an imbalance when configured to use multiple logging pools.
The imbalance may occur if the logging destination remained idle for a while (no logs sent) after initial configuration.

Conditions:
-- Remote High Speed Logging destination configured with multiple pools.
-- The logging destination idle after initial configuration for more than 5 seconds.

Impact:
-- Log distribution imbalance.

Workaround:
There is no workaround at this time.

Fix:
Logs distributed equally on destination pools.

668252-2 : TMM crash in PEM_DIAMETER component

Solution Article: K22784428

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when the route to PCRF is lost.

Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).

Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Ensure that the network interface configuration routing diameter packet is not manually brought down.

No workaround for externally triggered failures.

Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.

668196-2 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down

Component: Local Traffic Manager

Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.

Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).

Impact:
Pool member remains marked down.

Workaround:
This condition is very rare but if it occurs you can try removing the pool member or node and re-adding it.

Fix:
Connection limit is now correctly enforced with least-connections and pool member flap, so the member no longer incorrectly remains down.

668184-1 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of memory-condition in the ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.

Fix:
An issue with bd sending wrong numbers to AVR was fixed.

668181-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

668129-1 : BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.

Component: Access Policy Manager

Symptoms:
Certain SAML implementations support configuration of multiple signing certificates to be used for signing SAML messages. In these deployments different signing certificates could be used when certificate rotation takes place. Until now BIG-IP as SP only supported single signing certificate from external IdPs.
When certificate rotation happens on external IdP, BIG-IP signing verification certificates have to be updated.

Conditions:
External IdP advertises multiple signing certificates in SAML metadata.

Impact:
When external IdP starts using new signing certificate previously advertised in metadata, authentication on BIG-IP as SAML SP will fail until administrator adjusts configuration to specify new signature validation certificate on appropriate SAML IdP connector object.

Workaround:
Signing certificates on BIG-IP as SAML SP can be reconfigured manually.

Fix:
BIG-IP as SP now supports multiple signing certificates advertised by external identity providers.

668048-1 : TMM memory leak when manually enabling/disabling pool member used as HSL destination

Solution Article: K02551403

Component: TMOS

Symptoms:
High Speed Logging fails to free an allocated cache memory resulting in memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.

Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed. OR
- High Speed Logging pool members removed.

Impact:
Increase in mds_btree_nodes memory utilization.

Workaround:
There is no workaround at this time.

Fix:
High Speed Logging frees allocated memory correctly.

668006-1 : Suspended 'after' command leads to assertion if there are multiple pending events

Solution Article: K12015701

Component: Local Traffic Manager

Symptoms:
TMM crashes when an iRule has multi-parking commands including command after.

Conditions:
-- iRule has multi-parking commands.
-- Command after is used multiple times in the iRule.

Note: The exact condition of crashing tmm is not definitive, but when the above situation is met, it could trigger this crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Depending on the iRule, (e.g., script that uses command after very heavily, very often), the usages can be combined:

after 100
after 200 { some script }

can be combined to after 300 { the script }

Fix:
Suspended 'after' command no longer leads to assertion if there are multiple pending events

667922 : Alternative unicode encoding in JSON objects not being parsed correctly

Solution Article: K44692860

Component: Application Security Manager

Symptoms:
JSON content might be blocked when unicode encoding is used in one of the JSON nodes.

Conditions:
Configured ASM Policy with JSON profile.

Impact:
False positive blocked request.

Workaround:
Disable metachars checks in JSON profile.

Fix:
The JSON parser now handles unicode sequences correctly.

667892-2 : FPS: BLFN inheritance won't take effect until GUI refresh

Component: Fraud Protection Services

Symptoms:
1. Create fps profile with a "Additional function to be run before JavaScript load" (BLFN) configured.
2. Clone this profile.
3. In the cloned profile choose another profile to defaults from (where there is no BLFN).
4. Save configuration.

Conditions:
- Current profile has a BLFN configured.
- New parent profile has no BLFN.

Impact:
The original BLFN is still configured on the profile (should have inherited the empty BLFN from parent profile).

Workaround:
1. Use tmsh.
2. Refresh before save.

Fix:
Correct BLFN inheritance logic in GUI.

667872-1 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports

Component: Fraud Protection Services

Symptoms:
'Apply cookies to base domain' feature doesn't work for non standard ports.

Conditions:
'Apply cookies to base domain' is enabled and
connection is over non-standard ports (not 80, 443, etc.).

Impact:
Cookies won't be applied to base domain, thus WebSafe functionality will be broken and missing cookie alerts will be sent.

Workaround:
Use only standard ports.

Fix:
FPS now correctly parses base-domain, including port (if exists).

667707-2 : LTM policy associations with virtual servers are not ConfigSynced correctly

Component: Local Traffic Manager

Symptoms:
The association of Local Traffic Policies to virtual servers do not synchronize properly.

This can result in configuration sync failures with error messages including:

-- 01070635:3: The policy (/Common/asm_auto_l7_policy__vs_27) is referenced by one or more virtuals.
-- Configuration error: The bot-defense-asm profile /Common/asm_policy_1 was added to virtual server /Common/vs1 but it does not match the asm-controlling policy. The bot-defense-asm profile is added to the virtual server automatically.
-- 010716fd:3: Virtual Server '/Common/vs' cannot contain policies with conflicting controls.

In other circumstances, BIG-IP systems report themselves as 'in sync' despite a virtual server having different local traffic policies associated.

Under certain circumstances, configuration sync fails after an LTM policy is removed from a virtual server and deleted.

Conditions:
This occurs under the following conditions:

-- Full sync operations (e.g., 'full-load-on-sync' or 'force-full-load-push').

And either of the following:
-- Configuration changes made where local traffic policies are removed or added from a virtual server.

-- Configuration changes made where a local traffic policy is removed from a virtual server, and then the virtual server is deleted.

Impact:
Configuration fails to sync, or devices report 'In Sync' but have different LTM policies associated with virtual servers.

Workaround:
There is no workaround at this time.

Fix:
Configuration sync is successful.

667662-1 : Autolasthop does not work for PPTP-GRE traffic.

Solution Article: K06579313

Component: Carrier-Grade NAT

Symptoms:
Autolasthop does not work for PPTP-GRE traffic.

Conditions:
Autolasthop configured for client ingress VLAN, serving PPTP-ALG traffic.

Impact:
PPTP-ALG traffic through the BIG-IP system.

Workaround:
Create static routes to return PPTP-GRE traffic back to the client network.

Fix:
Autolasthop setting works correctly for PPTP-GRE traffic.

667560-3 : FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed

Solution Article: K69205908

Component: Local Traffic Manager

Symptoms:
A pool member configured through an FQDN node and which has multiple associated monitors may become unknown (blue) after a monitor rule change to one of its associated monitors. The expected behavior is that the node should remain 'green' if monitoring is successful with the new rule, but the node may become unknown (blue) until bigd is restarted.

Conditions:
A pool member is configured through an FQDN node, and has multiple associated monitors, and a monitor rule change is made to one of the associated monitors.

Impact:
The pool member status correctly reflects whether monitoring is successful (green) or the pool member is unknown (blue), but the changed monitor rule may not take effect until bigd is restarted.

Workaround:
When making changes to a monitor rule associated with a pool member configured through FQDN, verify the node remains monitored (green or checking), or restart bigd. Alternatively, change monitor rules within the configuration file, and reload the configuration.

Fix:
Pool members configured through FQDN nodes and with multiple associated monitors continue to be monitored after a monitor rule change to one of the associated monitors. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

667469-1 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.

Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.

667405-2 : Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.

Solution Article: K61251939

Component: TMOS

Symptoms:
When the BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets, memory leaks may occur in the TMM.

Conditions:
The BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets.

Impact:
Memory leak in the TMM.

Workaround:
None.

Fix:
No memory leak in the TMM.

667404-2 : Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts

Solution Article: K77576404

Component: TMOS

Symptoms:
If fragmented IP packets match an IPsec policy, then get forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key for another connflow, including internal MCP flows. When that happens, if IPsec does tunnel those flows, internal MCP heartbeats later miss and cause tmm restarts.

Conditions:
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.

Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.

Fix:
Now fragmented packets are handled correctly, and other flows cannot experience interference.

667318-3 : BIG-IP DNS/GTM link graphs fail to display in the GUI.

Component: Local Traffic Manager

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.

667304-1 : Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled

Solution Article: K68108551

Component: Access Policy Manager

Symptoms:
'Save Password' checkbox is shown even if the feature is not enabled.

Conditions:
-- APM end user tries to authenticate to APM/BIG-IP Server.
-- 'Save Password' is not enabled.

Impact:
APM end user receives the login page with 'Save Password' checkbox. Checking the box has no effect unless 'Save Password' is enabled.

Workaround:
None.

Fix:
'Save Password' checkbox is not shown unless the feature is enabled.

667278-3 : DSC connections between BIG-IP units may fail to establish

Component: TMOS

Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:

-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).

While the unit at the other end of the connection will log messages similar to the following example:

-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed

Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).

Impact:
Config-Sync and device discovery operations will fail between affected units.

Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).

Fix:
Config-Sync and device discovery operations no longer fail.

667237-3 : Edge Client logs the routing and IP tables repeatedly

Component: Access Policy Manager

Symptoms:
Edge Client logs the routing and IP tables repeatedly - in each reconnecting attempt.

Conditions:
Edge Client is in reconnecting state and gateway is reachable. However, APM server is not reachable/responding.

Impact:
It fills up the log file with information that is not useful.

Workaround:
There is no workaround at this time.

Fix:
When Edge Client is in re-connection state and the APM server is not reachable/responding, skip logging the Routing/IP tables in each reconnecting attempts.

667223 : The merge option for the tmsh load sys config command removes existing nested objects

Component: TMOS

Symptoms:
Nested objects are removed when newer objects are merged in.

Configuration objects can contain nested objects. The merge option for tmsh load sys config command expects the nested-objects passed in to be merged alongside existing objects.

example:

Initial configuration

[root@plate:Active:Standalone] config # tmsh list ltm pool
    ltm pool test-pool-mcconfig {
        members {
            test-mc1:http {
                address 10.13.14.15
                priority-group 1
                session monitor-enabled
                state checking
            }
            test-mc2:http {
                address 10.13.14.16
                priority-group 4
                session monitor-enabled
                state down
            }
        }
        monitor tcp
    }

Run load merge command:

    [root@plate:Active:Standalone] config # tmsh -m
    root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge from-terminal
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    ltm pool test-pool-mcconfig {
     members {
      test-mc2:http {
       priority-group 0
      }
     }
    }
    Loading configuration...
    root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# ^D

New configuration, not merged:

    [root@plate:Active:Standalone] config # tmsh list ltm pool
    ltm pool test-pool-mcconfig {
        members {
            test-mc2:http {
                address 10.13.14.16
                session monitor-enabled
                state down
            }
        }
        monitor tcp
    }

Conditions:
Execute tmsh load sys config merge from-terminal command.

The configuration contains nested objects. The configuration that is being merged in contains nested objects of the same type as the existing configuration.

Impact:
Configuration loss: Post merge the existing nested configuration objects are deleted.

Workaround:
None.

Fix:
The behavior for the merge option of tmsh load sys config is corrected. The nested objects in the existing configuration are not deleted.

667173 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.

667148-1 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active

Workaround:
No workaround.

Fix:
Fixed issue preventing GTM configurations from loading when non-Common partitioned items present.

667138-1 : LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★

Component: TMOS

Symptoms:
After upgrade from 10.2.4 to 12.1.2, full config load fails.

Conditions:
The pre-upgrade version must be 10.2.4 and the pre-upgrade config must have user-defined partitions.

Impact:
After upgrade, if changes are made to the running config (in memory; not on disk), then the config files on disk from upgrade cannot be restored.

Workaround:
10.2.4 config on upgrade is stored at /config/bigpipe/. So, a workaround is to load defaults, then merge the original config using bigpipe.

/usr/libexec/bigpipe merge /config/bigpipe/*.conf

Fix:
Full load after upgrade from 10.2.4 now succeeds.

667028-1 : DNS Express does not run on i11000 platforms with htsplit disabled.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.

Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.

Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.

Workaround:
Enable htsplit using the following command:

modify sys db scheduler.splitplanes.ltm value true

Fix:
tmm no longer cores under these conditions. However, you cannot use DNSX with htsplit disabled; htsplit must be enabled.

Note: DNSX works as expected with htsplit enabled, both before and after the fix.

666986-2 : Filter by Support ID is not working in Request Log

Solution Article: K50320144

Component: Application Security Manager

Symptoms:
In some cases the Support ID of a request might be shorter than 19 digits. In this case filter by Support ID does not work in Request Logs.

Conditions:
-- Support ID is shorter than 19 digits.
-- Trying to filter by Support ID.

Impact:
Filter by Support ID is not displayed in filter bar and does not affect the list.

Workaround:
You can try to filter by last 4 digits of Support ID. Although that does not replace filter by Support ID functionality, it might help.

Fix:
Filter by Support ID works for any length but 4 digits (in this case search uses the last 4 digits; also a 4-digit Support ID is not a realistic occurrence).

666790-2 : Use HSB HiGig MAC reset to recover both FCS errors and link instability

Solution Article: K06619044

Component: TMOS

Symptoms:
In addition to HiGig Link instability, FCS errors can be seen on internal switch and HSB Higig link. This is likely some PHY-related issues and can cause instability in communication links.

One symptom associated with this might be that a blade cannot become active and join the cluster.

Conditions:
FCS errors reported in tmm/hsbe2_internal_lbb_hgm. Traffic failure observed on some VIPs or self IPs.

Impact:
Link unstable, frame loss.
TMOS MPI and CDP packet loss and internal blade communication issues.

HSB lockup and accumulated FCS errors observed from stats and log.

Workaround:
A switch port reset might be used to recover this failure. Note, however: that procedure might cause potential HSB lockups.

Fix:
FCS errors and link instability no longer occur.

666689-1 : Occasional "profile not found" errors following activate access policy

Component: Access Policy Manager

Symptoms:
Immediately following the applying of a modified access policy it is possible for some profiles to disappear.
It is transient and within a minute or two the profiles are available again.

Conditions:
Clicking "apply access policy" in the GUI or using tmsh to increment snapshot ids will clear the list of profiles and policies and then rebuild those lists. Authentication requests using profiles or policies not yet rebuilt returned the "profile not found" error.

Impact:
Some authentication attempts fail while the lists get rebuilt.
Retrying the authentication a minute or two later succeeds.

Workaround:
Retry the authentication.

Fix:
Applying Access Policies in APM is improved to avoid a short dead time between when the old policies are removed and the new policies are activated.

666454-2 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

Solution Article: K05520115

Component: Access Policy Manager

Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.

Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.

Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in full tunneling configuration
3) Mac OS X version is v10.12.5.

Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.

Impact:
VPN connection will fail.

Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.

666315 : Global SNAT sets TTL to 255 instead of decrementing

Component: Local Traffic Manager

Symptoms:
Global SNAT sets the TTL to 255 instead of decrementing.

Conditions:
Global SNAT configured.

Impact:
Possible routing loop.

Workaround:
No workaround.

Fix:
TTL for global SNAT now gets decremented.

666160-1 : L7 Policy reconfiguration causes a slow memory leak

Solution Article: K63132146

Component: Local Traffic Manager

Symptoms:
When a virtual server with a L7 policy is reconfigured, a small amount of memory is leaked.

Conditions:
A virtual server with L7 policies has a configuration change.

Impact:
The memory leak will reduce the amount of resources for the TMM.

Workaround:
None.

Fix:
L7 Policies no longer leak memory when a virtual server using them is reconfigured.

666112-1 : TMM 'DoS Layer 7' memory leak during config load

Solution Article: K53708490

Component: Advanced Firewall Manager

Symptoms:
Degraded performance; potential eventual out-of-memory.

Note: The 'DoS Layer 7' allocations increase by 'TMM count * #domains' after each config load.

Tip: You can watch the watch the 'DoS Layer 7' allocations increase on a shell on the BIG-IP system using the following command:
# watch -n1 -- 'tmctl -s name,allocated,max_allocated,cur_allocs memory_usage_stat | grep -E "^name|---|^DoS Layer 7 "'

Conditions:
-- Provision ASM.
-- Make sure the built-in 'security dos bot-signature' are added to the config.
-- Load the config from another shell using the following command:
tmsh load sys config

Impact:
Degraded performance; potential eventual out-of-memory.

Workaround:
None.

Fix:
Fix memory leak after each config load.

666058-2 : XenApp 6.5 published icons are not displayed on APM Webtop

Solution Article: K86091857

Component: Access Policy Manager

Symptoms:
While publishing XenApp 6.5 resources through APM Webtop, some applications are not displaying the icons correctly.

VDI Error logs are seen as follows:
failed to handle '/f5vdi/citrix/icon/': Incorrect bitmap size.

Conditions:
-- XenApp 6.5 is used with their rollup hotfix 6 or 7.
-- Some of the third-party applications more icon bitmap information than expected.

Impact:
Icons are not displayed on the APM Webtop

Workaround:
None.

Fix:
Now APM Webtop correctly displays Citrix XenApp icons correctly regardless of the size of the bitmap data.

666035-1 : Obscuring secrets in files collected by qkview

Component: TMOS

Symptoms:
Some config files collected by qkview may have clear text secrets.

Conditions:
Run qkview and extract to see files with cleartext secrets

Impact:
Plaintext secrets are uploaded to iHealth.

Workaround:
To workaround this issue, follow this procedure:
1. Untar qkview file.
2. Obfuscate secrets from the affected file.
3. Recreate qkview file to upload.

For more information, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.

Qkview obfuscation
==================
-- Specific information from text files collected by qkview can be replaced/obscured.
-- Configuration file is in JSON format and it requires regex search pattern and replacement text for given files.

  Config file
  ===========
  /etc/qkview_obfuscate.conf

  Config Template
  ===============
  {
    "filename_regex1":
       {
           "search_regex11": "replace_text11",
           "search_regex12": "replace_text12",
           "search_regex13": "replace_text13" <= No comma after the last element.
       },
    "filename_regex2":
       {
           "search_regex21": "replace_text21",
           "search_regex22": "replace_text22",
           "search_regex23": "replace_text23"
       } <= No comma after the last node.
  }

Notes
=====
-- Search-and-replace rules are applied to the files that match the filename regex.

-- Filename and search_pattern are the regex. JSON special characters need to be escaped in the regex. (JSON special chars list :: http://json.org/.)

   Example:
       search_pattern "bindpw\s+(\S+)" should be "bindpw\\s+(\\S+)".
       ('\' is escaped by '\\'.)

-- If a filename matches multiple filename regexes, all rules of those files' regexes are applied to that file.

   Example:
        {
            "abc123\\.conf": {
                "password\\s+(\\S+)": "password ####",
                "passphrase\\s+(\\S+)": "passphrase ####"
            },
            "abc\\w+\\.conf": {
                "bindpw\\s+(\\S+)": "bindpw dummypasswd"
            }
        }

     Because abc123.conf matches both filename regexes, all three rules are applied to abc123.conf.

-- Obfuscation works only on text files. Compressed files are ignored.

-- The qkview command fails if the config file is syntactically incorrect.

Sample config
=============
  {
      "abc123\\.conf": {
          "password\\s+(\\S+)": "password ####",
          "passphrase\\s+(\\S+)": "passphrase ####"
      },
      "myapp?\\w+\\.conf": {
          "bindpw\\s+(\\S+)": "bindpw dummypasswd"
      }
  }

  "abc123\\.conf" - matches abc123.conf
  "myapp?\\w+\\.conf - matches myapp*.conf

666032-3 : Secure renegotiation is set while data is not available.

Solution Article: K05145506

Component: Local Traffic Manager

Symptoms:
Secure renegotiation is set while data is not available, which causes a crash in certain connections.

Conditions:
This occurs when handling SSL secure renegotiation in certain connections.

Impact:
Crashes happen to certain SSL connections.

Workaround:
None.

Fix:
Secure renegotiation is set while data is not available no longer causes a crash in certain connections.

665924-1 : The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios

Solution Article: K24847056

Component: Local Traffic Manager

Symptoms:
A TMM crash caused by a double-free of memory within the HTTP2 and SPDY filters. This crash could occur in other TMM sub-systems unrelated to HTTP2 or SPDY.

Conditions:
The HTTP2 or SPDY filter is used, together with many other TMM modules. This situation is difficult to trigger.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP2 and SPDY filters will no longer double-free memory in rare situations.

665905 : Signature System corruption from specific ASU prevents ASU load after upgrade

Solution Article: K83305000

Component: Application Security Manager

Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.

Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.

Impact:
Attempts to perform Signature Update fail.

Workaround:
The mistaken Signature System can be deleted using the following SQL:

----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------

Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.

665778-1 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

Solution Article: K34503519

Component: iApp Technology

Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'

Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.

Impact:
Cannot view/re-deploy iApps.

Workaround:
Use TMSH to view/re-deploy iApps.

There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.

Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.

-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.

-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.

Fix:
Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

665732-2 : FastHTTP may crash when receiving a fragmented IP packet

Component: Local Traffic Manager

Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.

Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.

Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.

Fix:
Force packet reassembly before packet is forwarded to a FastHTTP virtual.

665656-1 : BWC with iSession may memory leak

Component: TMOS

Symptoms:
A memory leak may occur when BWC is configured with iSession.

Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.

Impact:
A memory leak.

Workaround:
None.

Fix:
The memory leak is prevented when BWC and iSession are configured together and a BWC policy is removed or reset.

665652-2 : Multicast traffic not forwarded to members of VLAN group

Solution Article: K41193475

Component: Local Traffic Manager

Symptoms:
Multicast traffic traversing through the BIG-IP system through a VLAN that is member of a VLAN group does not get forwarded to other members of the VLAN group.

Conditions:
Multicast traffic ingress from a VLAN in a VLAN group.

Impact:
Traffic is not forwarded to the other members of the VLAN group.

Workaround:
None.

Fix:
Multicast traffic is now correctly forwarded to members of VLAN group.

665470-1 : Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised

Component: Application Security Manager

Symptoms:
Failed to Learn page malicious IP addresses in a specific case.

Conditions:
-- IP intelligence is turn on.
-- Logging is turned off.

Impact:
Requests that should be learned are not.

Workaround:
Turn on logging.

Fix:
The system now Learns page malicious IP addresses when IP intelligence is turn on and logging is turned off.

665416-3 : Old versions of APM configuration snapshots need to be reaped more aggressively if not used

Solution Article: K02016491

Component: Access Policy Manager

Symptoms:
Currently, it takes 24 hrs for old versions of APM config snapshots that are not being used to time out and to release the memory. If access profiles are complex and are updated frequently within 24 hrs, memory resource is likely to be exhausted.

Conditions:
If access profiles are updated frequently within 24 hrs and each version of the configuration snapshot contains many variables.

Impact:
TMM may run out of memory and crash, causing service interruption.

Workaround:
None.

Fix:
Per-session access policy snapshots are now deleted after 60 minutes instead of 24 hours.

665362-4 : MCPD might crash if the AOM restarts

Component: TMOS

Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.

Conditions:
This can occur while AOM is restarting.

Impact:
System goes offline for a few minutes.

Workaround:
None.

Fix:
Added error handling to prevent crash. If this error occurs in the future it will not crash, but a restart of mcpd is required.

665354-2 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Solution Article: K31190471

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.

If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.

Important: A device Return Materials Authorization (RMA) will not prevent this issue.

Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.

665347-2 : GTM listener object cannot be created via tmsh while in non-Common partition

Solution Article: K17060443

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use tmsh to create a GTM listener in a non-Common partition.

Conditions:
-- In a non-Common partition.
-- Create a listener using a command similar to the following:
(/Common/newpart)(tmos)# create gtm listener new address 10.2.2.2

Impact:
The listener will not be created. The system outputs an error similar to the following:
01020036:3: The requested profile (/Common/newpart/udp_gtm_dns) was not found.

Workaround:
None.

Fix:
GTM Listener parser now correctly handles validation and selections of profiles for GTM listeners.

665330-1 : MSIE 11 should avoid compatibility mode

Component: Access Policy Manager

Symptoms:
MSIE 11 in compatibility mode is causing JS errors because MSIE 7-9 are not good in javascript.

Conditions:
APM Client and MSIE 11 forced to compartibility mode.

Impact:
Certain pages on client UI are not being rendered or being rendered with errors.

Workaround:
Don't push MSIE 11 to compatibility mode with APM
Use browsers that are good with javascript.

Fix:
We've added meta that sets MSIE in native mode. Although group policy in domain still can overwrite it, for most use cases it's enough.

665185-1 : SSL handshake reference is not dropped if forward proxy certificate lookup failed

Solution Article: K20994524

Component: Local Traffic Manager

Symptoms:
In rare cases, when forward-proxy certificate-lookup fails, the SSL handshake reference is not dropped, which can consume memory that is no longer needed.

Conditions:
Forward-proxy certificate-lookup fails; specifically, input string size is larger than maximum allowed.

Impact:
tmm memory use grows.

Workaround:
None.

Fix:
The system now drops the SSL handshake reference when when forward-proxy certificate-lookup fails. This is correct behavior.

665022-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
Packet length exceeds rateshaper's configured max ceiling.

Impact:
The flow stalls.

Workaround:
Increase the configured rateshaper's max ceiling value to be larger than the largest packet length.

Fix:
Rateshaper no longer stalls when TSO packet length exceeds max ceiling.

664930-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

664894-1 : PEM sessions lost when new blade is inserted in chassis

Solution Article: K11070206

Component: TMOS

Symptoms:
Inserting a blade into a chassis that is using high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes iRule table command as well as entries stored in the SessionDB from modules.

Conditions:
HA in use 'between clusters'.

Impact:
Data loss of some SessionDB entries.

Workaround:
In order to cleanly add a blade, put the setting from 'between clusters' to 'within cluster'; then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA connection to 'between clusters'

Fix:
PEM sessions are now retained when new blade is inserted in chassis when using 'between clusters'.

664829-1 : BIG-IP sometimes performs unnecessary reboot on first boot

Component: TMOS

Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of its disk has changed, and re-sizes the partition table and causes a reboot to occur. This is likely to occur only on VE guests.

Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.

Note: A specific software version for a specific cloud environment either always exhibit this, or never does.

Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.

Workaround:
None.

Fix:
An additional, unnecessary reboot of a BIG-IP Virtual Edition during its first boot-up should no longer occur.

664769-1 : TMM may restart when using SOCKS profile and an iRule

Component: Local Traffic Manager

Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.

Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.

Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.

Fix:
TMM no longer crashes when using SOCKS profile and serverside iRule parks.

664737-2 : Do not reboot on ctrl-alt-del

Component: TMOS

Symptoms:
BIG-IP reboots on ctrl-alt-del keys

Conditions:
VE with ctrl-alt-del keys in the video console.

Impact:
BIG-IP reboots.

Fix:
prevent reboot on ctrl-alt-del

664708-2 : TMM memory leak when DoS profile is attached to VS

Component: Advanced Firewall Manager

Symptoms:
TMM memory leak when DoS profile is attached to VS

Conditions:
1. have DoS profile
2. traffic from search engine is coming to this VS
3. DNS resolver is configured

Impact:
TMM memory use increases over time.

Workaround:
There is no workaround at this time.

Fix:
Free memory periodically.

664549-2 : TMM restart while processing rewrite filter

Solution Article: K55105132

Component: TMOS

Symptoms:
TMM restart and failover occurs while processing rewrite filter.

Conditions:
-- Virtual server with rewrite-uri-translation profile.
-- Serverside attempts to get data from clientside when connection flow does not exist.

Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM restart and failover no longer occurs while processing rewrite filter.

664535-1 : Diameter failure: load balancing fails when all pool members use same IP Address

Component: Service Provider

Symptoms:
Case1: Run 2 Servers with same IP but different ports. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server. Same result when use-local-connection is disabled.

Case2: Run 2 Servers with same IP but different ports but this time use MR::message route iRule command to route messages between hosts. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server.

Conditions:
Load balancing scenario with single client and two pool members. The servers use same IP, different ports.

Impact:
All the requests from the same client are delivered to 1 server only.

Workaround:
Use different IP address in the pool member. Or use different IP address as the client request.

Fix:
Load balancing scenario with single client and two pool members now completes successfully even when all pool members use same IP Address.

664528-1 : SSL record can be larger than maximum fragment size (16384 bytes)

Solution Article: K53282793

Component: Local Traffic Manager

Symptoms:
SSL record containing handshake data can exceed maximum fragment size of 16384 bytes because handshake data is not fragmented.

Conditions:
This usually happen when a large certificate or certificate chain is configured for server or client authentication.

Impact:
SSL handshake will fail with client or server that properly checks the record size.

Workaround:
Use a certificate that is smaller in size.

Fix:
Properly fragment handshake data.

664507-3 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration

Component: Access Policy Manager

Symptoms:
IdP-connector automation removes certificate reference when update to metadata file is detected, and metadata file contains multiple signing certificates

Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.

Impact:
Certificate reference to remotely published metadata is removed from local configuration (saml-idp-connector object). As a result, assertions generated by external IdP will not be accepted until proper certificate is configured on saml-idp-connector object again.

Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.

Fix:
When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.

664461-3 : Replacing HTTP payload can cause tmm restart

Solution Article: K16804728

Component: Local Traffic Manager

Symptoms:
Under certain conditions, using the [ HTTP::payload replace ... ] iRule can result in the tmm restarting.

Conditions:
Occurs when server response is non-chunked, does not contain a Content-Length header, an iRule adds a Content-Length header and performs an HTTP::payload replace command where the length is shorter than the original body length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP::payload replace command no longer causes tmm restarts under certain conditions.

664063-1 : Azure displays failure for deployment of BIG-IP from a Resource Manager template

Solution Article: K03203976

Component: TMOS

Symptoms:
When deploying BIG-IP images through Azure Resource Manager or Marketplace Solution templates, the Azure portal will never display success. A timeout will eventually occur and the deployment will appear to have failed.

Conditions:
Deployment from an Azure Resource Manager or Solution template, including the BIG-IP WAF Solution from the Azure Security Center.

Impact:
A successful deployment will appear to have failed when monitoring the status in the Azure portal.

Workaround:
None.

Fix:
Deployments of BIG-IP from Azure Resource Manager or Marketplace Solution templates, or the BIG-IP WAF Solution from the Azure Security Center, now show the correct deployment status.

664057-2 : Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached

Component: TMOS

Symptoms:
Upgrades from pre-12.0.0 to 12.0.0 or beyond would delete WideIPs without pools attached even if they had an iRule attached.

Conditions:
Pre-12.0.0 configuration with an WideIP without any pools, but with an iRule.

Impact:
Some or all of a post-upgrade "GSLB-typed" wideip would be lost during the upgrade process.

Workaround:
Manually add missing WideIPs after upgrade.

Fix:
Fixed issue that could delete certain types of GTM WideIPs after an upgrade from a pre-12.0.0 version to a post 12.0.0 version.

664017-3 : OCSP may reject valid responses

Component: TMOS

Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:

OCSP response: got EOF

Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.

Impact:
Valid OCSP responses may be rejected.

Workaround:
None.

Fix:
These responses are now accepted.

663974-2 : TMM crash when using LSN inbound connections

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using an LSN pool with inbound connections.

Conditions:
LSN inbound connections configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using an LSN pool with inbound connections.

663821-3 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections transverse the SNAT.

Impact:
Stats are not incremented in tmsh or GUI

Workaround:
None.

Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.

663770-2 : AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server

Solution Article: K04025134

Component: Advanced Firewall Manager

Symptoms:
AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server.

This is a regression from 12.1.x behavior.

Conditions:
Incoming traffic matches a virtual server and then gets internally redirected to another virtual server either via an iRule or a LTM local traffic policy.

Impact:
This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.

Workaround:
There is no workaround at this time.

Fix:
Cause of the regression is fixed and now AFM policy is applied to traffic that is internally redirected to another virtual server (either via iRule or LTM traffic policy).

663580-1 : logrotate does not automatically run when /var/log reaches 90% usage

Solution Article: K31981624

Component: TMOS

Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.

Conditions:
/var/log has less than 10% free space.

Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.

Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a desription for expected behavior.

Workaround:
None.

Fix:
The alertd daemon now correctly recognizes the log message from diskmonitor to initiate logrotate.

663551-1 : SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event

Solution Article: K14942957

Component: Local Traffic Manager

Symptoms:
If an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE event, the expected result is that the SERVERSSL_DATA event will be raised when the serverside receives the SSL data. Then, the decrypted SSL data can be examined and manipulated.
*****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
when SERVERSSL_DATA {
    log local0. "ServerSSL Data"
    log local0. [SSL::payload]
    SSL::release
}
*****************************

The issue is that SERVERSSL_DATA is not raised, even when the serverside receives the SSL data when the iRule calls the [SSL::collect] in the SERVERSSL_HANDSHAKE:
****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
****************************

Conditions:
Calling the [SSL::collect] in the SERVERSSL_HANDSHAKE event.
****************************
when SERVERSSL_HANDSHAKE {
SSL::collect
}
****************************

Impact:
SERVERSSL_DATA event is not raised.

Workaround:
Add the [SSL::release] command in the SERVERSSL_HANDSHAKE event.
**********************************
when SERVERSSL_HANDSHAKE {
SSL::collect
SSL::release
}

Fix:
SERVERSSL_DATA event is now raised when an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE.

663535-1 : Sending ASM cookies with "secure" attribute even without client-ssl profile

Component: Application Security Manager

Symptoms:
ASM cookies can be set with "secure" attribute on when BIG-IP works on SSL profile.

Conditions:
Enabling ASM, network to BIG-IP without client-ssl.

Impact:
When working with encrypted network in the client side but clear network in the ASM virtual, cookies cannot be set with "secure" attributes.

Workaround:
There is no workaround at this time.

Fix:
Added an internal parameter "assume_https", to decide always setting the "secure" attribute, even when the BIG-IP network is clear.

663521-2 : Intermittent dropping of multicast packets on certain BIG-IP platforms

Component: TMOS

Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.

Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.

Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.

Impact:
Dropped multicast packets, possibly impacting multicast protocols.

Workaround:
None.

Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.

663506-7 : apmd crash during ldap cache initialization

Solution Article: K30533350

Component: Access Policy Manager

Symptoms:
apmd crashes.

Conditions:
- LDAP module is in use in an access policy,
- APM end-users are logging in, while administrator modifies AAA LDAP Server or LDAP Agent,
- Cache update takes a while (too many groups in domain and/or slow network).

Impact:
BIG-IP cannot process user logon request, until apmd is restarted and LDAP cache is updated

Workaround:
The best practice is to update policy/AAA LDAP Server when BIG-IP is not under load. Then make one logon manually. apmd updates caches on first APM end-user's logon. Once caches update, all the further logons should happen much faster and should not cause any problems

Fix:
APMD now handles the generation of LDAP Query / AD Query nested group cache correctly during high authentication load.

663396-1 : Requests using GET method are illegal after upgrade from 11.6.2

Component: Application Security Manager

Symptoms:
In a rare circumstance, requests using GET method are illegal after upgrade from 11.6.2.

Conditions:
-- Upgrade configuration from 11.6.2.
-- ASM provisioned.

Impact:
GET requests are blocked.

Workaround:
Make a spurious change to any policy and click 'Apply Policy'.

Fix:
Requests using GET method are handled correctly after upgrade from 11.6.2.

663366-3 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.

Component: TMOS

Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.

Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.

Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.

663333-1 : TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high

Component: Carrier-Grade NAT

Symptoms:
TMM may core while trying to allocate a new block

Conditions:
If LSN pool is under provisioned OR if the utilization is high, TMM may need to send MPI messages to other TMMs to search for other blocks. The TMM may core if these operations time out

Impact:
Traffic disrupted while tmm restarts.

663326-2 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Component: Local Traffic Manager

Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.

Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.

Impact:
Even the key has been stored in HSM, the BIG-IP is still unable to use it because of its lacking stub key to be configured on the BIG-IP system.

Workaround:
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha1] >

Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.

663310-3 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★

Component: Global Traffic Manager (DNS)

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.

Conditions:
-- Upgrade from BIG-IP containing pre-9.9.X versions of Bind, to BIG-IP versions with Bind versions later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;

Fix:
BIND 9.9.x changes the default behavior governing the storage format of slave zone files to "raw" from "text".

On upgrade, the config needs to be parsed looking for slave zones that do not specify the masterfile-format and set them to "text".

663197-3 : Security hardening of files to prevent sensitive configuration from being stored in qkview.

Component: TMOS

Symptoms:
Sensitive configuration information, such as auth-related passwords, is being stored in cleartext in qkview files.

Conditions:
Run qkview and extract to see files with cleartext configuration information.

Impact:
Cleartext configuration information is uploaded to iHealth

Workaround:
None.

Fix:
Security hardening of files to prevent sensitive configuration from being stored in qkview. Cleartext passwords will be replaced with **** in all of the following config files while collecting in qkview:

/config/bigip/auth/pam.d/cert-ldap/system-auth.conf
/config/bigip/auth/pam.d/ldap/system-auth.conf
/config/bigip/auth/pam.d/radius/system-auth.conf
/config/bigip/auth/pam.d/tacacs/system-auth
/config/bigip/auth/pam.d/ocsp/*
/config/bigip/auth/pam.d/cc_ldap/*

663127-1 : Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.

Component: Access Policy Manager

Symptoms:
Symptom will show as an error log in /var/log/apm similar to the one below:

Internal error processing sso config /Common/idp_obj_name
sso_tmconf_string_parse_list

When this error message is logged, subsequent authentication attempt using this BIG-IP as IdP object will fail.

Conditions:
SAML Identity Provider configuration is invalid: attribute contains empty value(s), for example:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { "" user@f5.com }
            name User.Email
        }
    }

Impact:
Authentication will fail for users using affected SAML IdP object.

Workaround:
Manually edit bigip.conf configuration fail and remove empty value(s) in SAML attribute, e.g.:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { user@f5.com }
            name User.Email
        }
    }

Fix:
Empty values in SAML attributes will no longer be accepted by validation logic.

663073-1 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Component: Global Traffic Manager (DNS)

Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.

If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.

Impact:
Available pool members might be potentially lost from the combo box until a page reload.

Note: The pool members are not gone from the system; they are still present, just not displayed.

Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.

Fix:
Changed the behavior of the combo box when a member is selected by clicking on it in the dropdown list. Adding a selected pool member as described above will cause the combo box to correctly remove that pool member from the combo box.

663063-2 : Disabling pool member used in busy HSL TCP destination can result service disruption.

Component: TMOS

Symptoms:
Manually disabling an otherwise available pool member from a pool used as HSL TCP destination can result in tmm crash and service disruption.

This is more likely to occur when HSL destination is using 'balanced' distribution.

Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.

Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.

Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.

Fix:
TMM crash no longer occurs when HSL TCP pool member with pending connection is manually disabled.

662911-2 : SASP monitor uses same UID for all vCMP guests in a chassis or appliance

Solution Article: K93119070

Component: Local Traffic Manager

Symptoms:
The SASP GWM monitor generates the LB UID from the chassis serial number of the platform on which BIG-IP is running. All vCMP guests running on the platform attempt to use the same UID.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only one vCMP guest running on each BIG-IP appliance or VIPRION chassis is able to successfully use the SASP monitor.
- The SASP monitor running on the first vCMP guest can successfully connect to the SASP GWM.
- Subsequent SASP monitor instances running on other vCMP guests will fail to connect to the SASP GWM.

Conditions:
This occurs when multiple vCMP guests are running on a single BIG-IP appliance or VIPRION chassis, each using a SASP monitor connecting to the same SASP GWM to monitor pool member availability.

Impact:
The SASP monitor is unable to monitor pool member availability on more than one vCMP guest running on a single BIG-IP appliance or VIPRION chassis.

Workaround:
None.

Fix:
The SASP monitor can be used to monitor pool member availability on multiple vCMP guests running on a single BIG-IP appliance or VIPRION chassis.

662881-2 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Solution Article: K10443875

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.

662850-2 : Expat XML library vulnerability CVE-2015-2716

Solution Article: K50459349

662844 : TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.

Solution Article: K87735013

Component: Service Provider

Symptoms:
Mirroring for Diameter MRF was not implemented in v12.x.x. However, there is a option that allows the user to enable it. When enabled, tmm crashes.

Conditions:
-- Connection mirroring is enabled for Diameter MRF virtual server's router profile.
-- Using v12.x.x.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Note: Mirroring for Diameter MRF was implemented in v13.0.0. The presence of the option to enable the unimplemented functionality is erroneous.

Workaround:
Do not enable Diameter MRF router profile's connection mirroring setting for v12.x.x.

Fix:
Diameter MRF mirroring for Diameter MR has been implemented beginning with v13.0.0. Enabling this option in v12.x.x results in a tmm crash.

662663-6 : Decryption failure Nitrox platforms in vCMP mode

Solution Article: K52521791

662639-2 : Policy Sync fails when policy object include FIPS key

Component: Access Policy Manager

Symptoms:
Policy sync failed with a vague error:

err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...

Conditions:
-- Sync-only device group configuration.
-- FIPS cards in use.
-- On one device:
   + Create FIPS key and certificate:
     1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create.
     2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'.
   + Create a rewrite profile:
     1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile.
     2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively).
   + Create an access profile.
   + Create a virtual server and attach the access profile and rewrite profile to it.
     (Note: You must also include other dependent settings, such as a connectivity profile.)
3. Start a policy sync from the device.

Impact:
Feature failure for specific configurations.

Workaround:
None.

Fix:
Now APM policy sync succeeds even when policy includes FIPS key.

662364-2 : MRF DIAMETER: IP ToS not passing through with DIAMETER

Component: Service Provider

Symptoms:
IP layer's ToS is not passing through MRF Diameter.

Conditions:
-- The IP ToS bit is received in the clientside connection.
-- ip-tos-to-client is set as pass-through.

Impact:
The ToS from the client does not reach the server.

Workaround:
Use an iRule to preserve the ToS from the client and set it to serverside's connection.

Fix:
The ToS bit that arrives from the clientside connection is able to pass-through with Diameter MRF.

662331-1 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.

Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.

Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.

662281-2 : Inconsistencies in Automatic sync ASM Device Group

Component: Application Security Manager

Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.

This can cause any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.

Impact:
Any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Workaround:
Disable automatic sync on the device group, and periodically push changes manually.

Fix:
Calls are correctly propagated across Automatic sync Device Groups

662085-1 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages

Component: Local Traffic Manager

Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.

Conditions:
Installing large Node.js packages using the TMUI.

Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.

Workaround:
None.

Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.

Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.

662078-1 : Occasionally connections are dropped in response to timing errors

Component: Local Traffic Manager

Symptoms:
Occasionally connections are dropped and the following message is posted, even when TPS is set to UNLIMITED: SSL transaction (TPS) rate limit reached.

Conditions:
-- SSL traffic is received.
-- A certain timing condition is encountered.

Impact:
Connection is dropped. This is an occasional, timing-related issue.

Workaround:
There is no workaround at this time.

Fix:
Timing error no longer occurs when SSL traffic is received, so connections are not dropped.

662022-5 : The URI normalization functionality within the TMM may mishandle some malformed URIs.

Solution Article: K34514540

661881-2 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.

Fix:
Prevented memory leak when using calls to ASN1::decode with "a" or "B" characters in the format string.

661764-2 : It is possible to configure a number of CPUs that exceeds the licensed throughput

Solution Article: K53762147

Component: TMOS

Symptoms:
The system does not prevent you from selecting a number of CPUs that exceeds the license's throughput limit.

Conditions:
Configure a number of CPUs that exceeds the licensed throughput, for example, configuring 4 CPUs on a 2Mbps license on a VE system.

Impact:
Depending on the operations performed, it is possible for tmm to core.

Workaround:
None, other than configuring only the available number of CPUs.

Fix:
The system now detects when a configuration invalid for the license is in use and fails gracefully, presenting an error message explaining the failure.

660711-1 : MCPd might crash when user trying to import a access policy

Solution Article: K05265457

Component: Access Policy Manager

Symptoms:
MCPd restarts during importing an access policy; other daemon might also restart because of MCPd restart.

Conditions:
This occurs when an access policy uses the same agent more than once.
Importing that access policy causes MCPd to crash.

this can happen when you don’t use GUI/VPE to manage access policy but directly modify the config file in exported access policy.

Only use the GUI/VPE to manage access policies.

You should not modify the config file for an exported access policy.

Impact:
MCPd and some other daemons restart. GUI unresponsive for a while.

Workaround:
Only use the GUI/VPE to manage access policies.

You should not modify the config file for an exported access policy.

Fix:
MCP now applies appropriate validation to avoid importing invalid access policies.

660532-2 : Cannot specify the event parameter for redirects on the policy rule screen.

Solution Article: K21050223

Component: TMOS

Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.

System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.

Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.

Impact:
Cannot specify the event parameter.

Workaround:
None.

Fix:
This release has an option for choosing event for redirect action.

660263-4 : DNS transparent cache message and RR set activity counters not incrementing

Component: Global Traffic Manager (DNS)

Symptoms:
The message and Resource Record (RR) set counters for transparent caches do not increment to reflect traffic.

Conditions:
The cache is of type transparent.
-- Viewing statistics counters.

Impact:
The statistics counters stay zero.

Workaround:
There is no workaround.

Fix:
The system now enables the code that increments these counters for transparent caches similar to other type caches.

660239-3 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see such errors in the http error logs

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.

660187-3 : TMM core after intra-chassis failover for some instances of subscriber creation

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The high availability (HA) configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Verify the validity of the AVPs before copying the attributes

660170-1 : tmm may crash at ~75% of VLAN failsafe timeout expiration

Solution Article: K28505910

Component: Local Traffic Manager

Symptoms:
When VLAN failsafe is configured, and the VLAN failsafe timeout is 3/4 expired, tmm wants to generate ICMP traffic to evoke a network response. When this occurs, the system might experience a crash.

Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.

Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).

Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)

Workaround:
1. To allow for VLAN failsafe to be updated for any frame, run the following command with VLAN failsafe enabled, run the following command:
tmsh modify failover.vlanfailsafe.resettimeronanyframe enable

This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.

2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.

Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.

Fix:
Generating ICMP traffic from TMM is no longer exposed to a potential crash in an invalid configuration or a completely quiet network, when generating ICMP traffic to provoke a network response on an expiring timer of VLAN failsafe, assuming the following configuration:

- VLAN failsafe is configured.
- VLAN failsafe expired 3/4 of the configured timeout (e.g., 67.5 seconds of 90 seconds ).

659969-1 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.

659912-1 : GSLB Pool Member Manage page display issues and error message

Component: Global Traffic Manager (DNS)

Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.

Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.

Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.

Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.

Impact:
Degraded usability.

Workaround:
Use TMSH to add a static-target and to edit pool members.

Fix:
Fixed issue with the edit button and issue that prevented adding as a static-target a GSLB pool member that was not part of the GTM config. Now, if static target is enabled, you can type the name of the target without the target being configured on the system.

659899-1 : Rare, intermittent system instability observed in dynamic load-balancing modes

Solution Article: K10589537

Component: Local Traffic Manager

Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.

Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.

Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.

659791-2 : TFO and TLP could produce a core file under specific circumstances

Solution Article: K81137982

659648-2 : LTM Policy rule name migration doesn't properly handle whitespace

Component: Local Traffic Manager

Symptoms:
LTM Policy validation does not allow rule names to begin or end with whitespace characters. When migrating configuration to the next version, the migration process attempts to trim off any leading and trailing whitespace. However, this process does not handle leading and trailing whitespace when such characters occur within a double quoted string.

Conditions:
LTM policy with a rule name that contains leading and/or trailing whitespace characters. These will typically occur within a double-quoted string. Here is an example that one might find in bigip.conf:

ltm policy example1 {
    rules {
        " leading and trailing spaces " {
            ...
        }
        ...
    }

Impact:
Policy rules are migrated incorrectly, then fail validation because there of remaining leading and/or trailing whitespace characters.

Workaround:
Prior to migration, LTM Policy rule name can be renamed to remove leading and trailing whitespace. After a failed migration, bigip.conf can be manually edited to remove offending characters and then the configuration can be manually loaded.

Fix:
LTM Policy migration properly handles whitespace in rule names in a quoted string.

659567-1 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions

Solution Article: K94685557

Component: Policy Enforcement Manager

Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.

Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.

Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.

Workaround:
None.

Fix:
iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions. The commands now consider route domains.

659519-1 : Non-default header-table-size setting on HTTP2 profiles may cause issues

Solution Article: K42400554

Component: Local Traffic Manager

Symptoms:
HTTP2 connection sent RST_STREAM due to protocol error in response to headers frame.

Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.

Impact:
Periodic HTTP2 connection failure to the virtual.

Workaround:
Restore the default header-table-size setting for the HTTP2 profile.

659371-2 : apmd crashes executing iRule policy evaluate

Solution Article: K54310201

Component: Access Policy Manager

Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.

Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.

Impact:
apmd crashes and restarts, preventing end users from logging in.

Workaround:
NOne.

Fix:
Now APMD has a more robust initialization process to ensure that it does not execute access policies from iRule commands before it is ready.

659173-1 : Diameter Message Length Limit Changed from 1024 to 4096 Bytes

Solution Article: K76352741

Component: Service Provider

Symptoms:
Diameter messages longer than 1024 might cause core dumps.

Conditions:
Using Diameter messages longer than 1024.

Impact:
Diameter MRF virtual servers.

Workaround:
Make sure messages are less than 1024 bytes.

Fix:
Messages of 4096 or fewer bytes now pass, and longer messages no longer cause core dumps.

659057-1 : BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD

Component: TMOS

Symptoms:
The LCD on BIG-IP iSeries appliances must detect whether the system is in IPv4 or IPv6 context before retrieving the gateway from the Host via REST. If two gateways are configured (IPv4 and IPv6) only whichever is first in the list is returned via REST and will be set on the Host.

Conditions:
If two gateways are configured (IPv4 and IPv6).

Impact:
Incorrect gateway retrieval can create bad configs which would impact traffic resulting in failed ping attempts, destination unreachable errors, request timeouts, etc.

Workaround:
No workaround at this time.

Fix:
LCD code now retrieves the correct gateway when switching between IPV4 and IPV6 context.

658989-2 : Memory leak when connection terminates in iRule process

Component: Local Traffic Manager

Symptoms:
Memory leak eventually leading to alloc failure and TMM crash.

Conditions:
Connection is aborted/terminated when iRule processing is suspended for the current connection.

Impact:
Memory leak and eventual TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid suspend/park commands in iRule processing.

Fix:
Memory no longer leaks when connection is aborted/terminated when iRule processing is suspended.

658852-5 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from APM client on Microsoft Windows. Having empty User-Agent headers is not in RFC compliance and forces some firewall to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.

Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.

658664-3 : VPN connection drops when 'prohibit routing table change' is enabled

Solution Article: K21390304

Component: Access Policy Manager

Symptoms:
When there is a brief network outage and 'prohibit routing table change' is enabled, VPN gets disconnected and no further attempts are made to re-establish the VPN connection.

Conditions:
-- A brief network outage occurs.
-- The 'prohibit routing table change' option is enabled.

Impact:
APM end users must click 'Connect' and re-authenticate in order to re-establish the VPN connection.

Workaround:
To re-establish the VPN connection, click 'Connect' and re-authenticate.

Fix:
Now the Windows Edge Client VPN connection stays active during a brief network outage, regardless of the state of the 'prohibit routing table changes' option.

658636-2 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.

Solution Article: K51355172

Component: TMOS

Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct,

Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:

create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon

The system creates the following monitor:

gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"

Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.

Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.

Fix:
When creating LTM or DNS monitors through batch/transaction mode newlines are now properly escaped.

658574-2 : An accelerated flow transmits packets to a stale (incorrect) destination MAC address.

Solution Article: K61847644

Component: TMOS

Symptoms:
An accelerated flow can send to a stale destination MAC address after the ARP packet with the updated MAC address is received.

Warning: disabling auto-lasthop is not enough when they want BIG-IP to use updated destination MAC address.

Conditions:
A flow is accelerated with a destination MAC address that changes while the flow is accelerated.

Impact:
The BIG-IP system sends packets to a stale (incorrect) destination MAC address. In this case, the new MAC address is not updated for the accelerated flow and the flow will continue to send traffic using the original MAC address.

Workaround:
Disable HW acceleration. Prevent the downstream destination MAC address from changing. For example, if the downstream unit is a BIG-IP active/standby configuration, then use MAC masquerading to prevent the MAC address from changing.

658343-2 : AVR tcp-analytics: per-host RTT average may show incorrect values

Solution Article: K33043439

Component: Application Visibility and Reporting

Symptoms:
When viewing the Statistics :: Analytics :: TCP :: RTT, then selecting (in the table below the graph), View By: "Remote Host IP Address", the values presented RTT Avg (ms) may be incorrect (they could even be larger than the RTT Max column).

As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.

Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.

Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.

Workaround:
None.

Fix:
The rtt_count, rtt_max, rtt_avg, rtt_sum metrics after day aggregation and week aggregations are now correct in the day, week, month reports. The rtt_sum is now aggregated with correct value (exceed max int), as expected.

658321-2 : Websafe features might break in IE8

Component: Fraud Protection Services

Symptoms:
IE8 transform all custom HTTP headers names to lowercase
in case header name configured with upper-case characters, WebSafe feature might break.

Conditions:
custom HTTP header configured with upper case characters
client is IE8.

Impact:
FPS plugin will not find the header, as it received lower-case but configured with upper-case characters
as a result, WebSafe functionality is broken (functionality which involve the custom HTTP header, e.g. ajax username header)

Workaround:
Set custom HTTP header name to lower case only.

Fix:
FPS now performs case-insensitive matches for custom HTTP headers.

658298-3 : SMB monitor marks node down when file not specified

Component: TMOS

Symptoms:
The smb monitor may always mark the node down when the file is not specified in the monitor config.

Conditions:
Pool member monitored with smb monitor.

Impact:
Service impact due to node being marked down.

Workaround:
Configure monitor to fetch file (authenticated).

658261-2 : TMM core after HA during GY reporting

Solution Article: K12253471

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of GY reporting

Conditions:
-- Failover is triggered,
-- The daglib hash redistributes the subscriber DATA to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.

Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.

Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.

Workaround:
None.

658214-2 : TCP connection fail intermittently for mirrored fastl4 virtual server

Solution Article: K20228504

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror dv variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.

Fix:
In this release, mirrored FastL4 virtual server now forward the SYN on the server-side after receiving the context-ack from the peer as expected.

658148-2 : TMM core after intra-chassis failover for some instances of subscriber creation

Solution Article: K23150504

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.

657883-2 : tmm cache resolver should not cache response with TTL=0

Solution Article: K34442339

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.

Impact:
tmm cache resolver caches responses with TTL=0.

Workaround:
None.

Fix:
The system no longer caches ttl=0 response for tmm cache resolver. This is correct behavior.

657795-1 : Possible performance impact on some SSL connections

Solution Article: K51498984

Component: Local Traffic Manager

Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.

Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.

-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.

Impact:
Performance may be impacted on those SSL connections.

Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.

Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.

657713-5 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.

Solution Article: K05052273

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:

notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- The gateway pool is configured with Action On Service Down = Reject.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- A connection is rejected by the gateway pool.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
Set service-down-action to none or reselect.

Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.

657632-4 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash

Component: Policy Enforcement Manager

Symptoms:
If a subscriber delete is performed following a HA switchover, tmm may coredump. The probability of this scenario is rare, where a subscriber may have been freed during switchover and a subsequent forced delete command quickly follows.

Conditions:
-- A subscriber delete command followed by a HA switchover.
-- During the switchover, the subscriber was freed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now removes the subscriber index from the table if present in these cases.

657626-2 : User with role 'Manager' cannot delete/publish LTM policy.

Component: Local Traffic Manager

Symptoms:
User with role 'Manager' cannot delete/publish LTM policy.

audit.log contains a message similar to the following:
notice icrd_child[18194]: 01420002:5: AUDIT - pid=18194 user=Manager folder=/Manager module=(tmos)# status=[01070822:3: Access Denied: User (Manager) may not delete objects in partition (Common)] cmd_data=publish ltm policy /Manager/Drafts/draft-test.

Conditions:
-- User with 'Manager' role.
-- Attempting to delete or publish an LTM policy.

Impact:
Operation does not complete, and system posts error.

Workaround:
None.

657502-2 : JS error when leaving page opened for several minutes

Component: Fraud Protection Services

Symptoms:
Google Chrome delays JS execution when the tab is not active.
Therefore anti-debug module acts as if someone is trying to debug JS code.

Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.

Impact:
Errors in console and JS logic is incorrectly executed.

Workaround:
Identify hidden tab and pause anti-debug functionality.

Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.

657463-2 : SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.

Component: Local Traffic Manager

Symptoms:
SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.

Conditions:
SSL sends HUDEVT_SENT to TCP in wrong state.

Impact:
Then HTTP disconnects the handshake

Fix:
Don't allow SSL send HUDEVT_SENT event in the wrong state.

656912-4 : Various NTP vulnerabilities

Solution Article: K32262483

656900-1 : Blade family migration may fail

Component: TMOS

Symptoms:
Migrating the configuration from a B2100 blade to a newer variant, as documented in the "Migrating the Configuration on B2000 Series Blades" page in the "VIPRION Systems: Blade Migration" manual, may show output indicating a failure.

Conditions:
All such blade upgrades.

Impact:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

Workaround:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

656898-2 : "oops" "bad transition" messages occur

Component: Local Traffic Manager

Symptoms:
The /var/log/ltm log shows many "oops" "bad transition" messages.

Conditions:
These messages occur due to internal invariant violations on full proxy TCP virtual servers. Ramcache or SSL on these virtual servers are likely causes. There may be yet unknown causes.

Impact:
Connections encountering these errors are aborted.

Workaround:
The excess logging may be stopped by setting the DB variable tmm.oops to "silent". These errors won't be reported but connections will still be aborted.

655807-5 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Solution Article: K40341291

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.

Fix:
Corrected a calculation error for QoS score involving packet rate.

655793-1 : SSL persistence parsing issues due to SSL / TCP boundary mismatch

Solution Article: K04178391

Component: Local Traffic Manager

Symptoms:
When the SSL client or server system is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.

So, any SSL record spanning over multiple TCP segments (in this case it's ServerHello, Certificate, and ServerHelloDone) triggers the issue with the SSID error RST cause.

This can also result from a message size exceeding the maximum configured size (default is 32K).

Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).

Impact:
When the parsing fails, the SSL client or server hangs and times out. In other words, SSL traffic is affected.

The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.

Workaround:
Disable SSL persistence.

Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.

655671-1 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced

Component: TMOS

Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.

Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.

Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.

Workaround:
None. Typically, the issue resolves itself.

Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.

655649-2 : BGP last update timer incorrectly resets to 0

Solution Article: K88627152

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
               [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
               [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
               [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.

Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.

Workaround:
None.

Fix:
BIG-IP no longer resets the last update time of learned routes via BGP and BGP routes redistributed into other protocols no longer flap.

655628-1 : TCP analytics does not release resources under specific sequence of packets

Component: Local Traffic Manager

Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.

Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.

Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.

Workaround:
Turn off collecting TCP analytics data for the virtual server.

Fix:
TCP analytics now releases resources properly.

655617-1 : Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge

Solution Article: K36442669

Component: Application Security Manager

Symptoms:
When running Safari or Firefox in incognito mode on iOS devices, browser gets TCP RST and will not be able to pass client-side challenge. The system posts the following error in tmm log: failed parsing header 3.

Conditions:
1. Web scraping is configured.
2. Persistent client identification is enabled.
3. Using Safari or Firefox on iOS devices.

Impact:
Browser cannot access the site.

Workaround:
Turn off persistent client identification.

Fix:
Safari, Firefox in incognito mode on iOS device can now pass persistent client identification challenge.

655500 : Rekey SSH sessions after one hour

Component: TMOS

Symptoms:
Common Criteria requires that SSH session be rekeyed at least every hour

Conditions:
SSH connections to or from the BIG-IP system.

Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time

Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.

Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.

655470 : IP Intelligence logging publisher removal can cause tmm crash

Solution Article: K79924625

Component: Advanced Firewall Manager

Symptoms:
TMM restart immediately after removing global ip-intelligence logging publisher.

Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }

Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.

Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.

Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.

Fix:
Error handling now checks for NULL publisher and prevents the TMM restart.

655445-2 : Provide the ability to globally specifiy a DSCP value.

Component: Global Traffic Manager (DNS)

Symptoms:
The DSCP value is not configurable for some types of traffic, which can lead to dropped traffic during adverse network conditions.

Conditions:
Under adverse network conditions, monitor traffic can be dropped by the network.

Impact:
BIG-IP DNS incorrectly reports resources as unavailable because monitor traffic is dropped by the network due to congestion with unrelated traffic.

Workaround:
None.

Fix:
Setting the new db variable tm.egressdscp to a value other than the default value of 0, results in the system setting the DSCP value for outgoing traffic to the configured value.

655432-7 : SSL renegotiation failed intermittently with AES-GCM cipher

Solution Article: K85522235

Component: Local Traffic Manager

Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate client using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.

Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.

655364-1 : Portal access rewriting window.opener causes JS exception

Component: Access Policy Manager

Symptoms:
Portal access engine rewriting window.opener causes JavaScript exception error.

Conditions:
When rewriting window.opener.

Impact:
JavaScript exception error generated.

Workaround:
None.

Fix:
The rewriting window.opener operation now completes with Message 'null', which is correct behavior. No JavaScript exception error is generated.

655357-2 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic

Solution Article: K06245820

Component: TMOS

Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.

This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.

Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.

To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
A db variable switchboard.l2.mitigation was introduced to configure this feature.

-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets will be hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.

-- A value of "monitor" does not forward packets but will count packets which were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports packet counts. Differences in packet counts are logged to /var/log/ltm.

-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.

655314 : When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★

Component: TMOS

Symptoms:
The platform-migrate option to the UCS load command is supposed to reject UCS archives generated on BIG-IP software v10.x. It does this; however, the hostname of the BIG-IP system changes to the one in the UCS.

Conditions:
You are trying to do a platform-migrate load to 12.1.2 or 13.0.0 of a UCS originating on a system running v10.x.

Impact:
The hostname is changed, but no other configuration is modified.

Workaround:
Set the hostname back to its old value.

Fix:
The hostname is now left unmodified.

655233-1 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.

Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.

655211-1 : bigd crash (SIGSEGV) when running FQDN node monitors

Component: Local Traffic Manager

Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.

Conditions:
bigd is configured for FQDN node monitors.

Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.

Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.

Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.

655159-1 : Wrong XML profile name Request Log details for XML violation

Solution Article: K84550544

Component: Application Security Manager

Symptoms:
After system upgrade, Request Log details for XML violation show XML profile name as 'N/A'.

Conditions:
System upgrade.
Request Log details for XML violation.

Impact:
System upgrade does not synchronize properly between policy and already existing XML profiles. System functions properly on existing XML profiles, but violation report reference to the XML profile is wrong.

Workaround:
No workaround for already existing violation records.

For new violation reports, run apply policy.

Fix:
The system now uses the correct XML profile name in the Request Log details for XML violation.

655146-2 : APM Profile access stats are not updated correctly

Component: Access Policy Manager

Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:

err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)

Conditions:
-- When session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.

Impact:
APM profile access stats are not accurate.

Workaround:
None.

Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.

655085-2 : While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors

Component: TMOS

Symptoms:
Message of the form

"notice sod[nnnn]: 010c006e:5: All devices in traffic group traffic-group-1(1 of 2) should have a HA group."

is logged on peer devices when a Viprion chassis is being rebooted.

Conditions:
Multiple Viprion chassis are configured in a sync-failover device group, using HA Group scores.

Impact:
Log message indicates a configuration error that does not exist.

Workaround:
If these messages occur during a peer reboot, they should be ignored.

Fix:
Viprion chassis does not report HA Group configuration errors during peer reboot.

655059-3 : TMM Crash

Solution Article: K37404773

655021-2 : BIND vulnerability CVE-2017-3138

Solution Article: K23598445

655005-1 : "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync

Solution Article: K23355841

Component: TMOS

Symptoms:
The "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync.

Conditions:
Changing the "Inherit traffic group from current partition / path" setting and syncing to a peer unit using incremental sync.

Impact:
Peers in a Device Group will get out of sync.

Workaround:
Use a full sync instead.

Fix:
The "Inherit traffic group from current partition / path" virtual-address setting is now synchronized during an incremental sync.

654996-1 : Closed connections remains in memory

Solution Article: K50345236

Component: Application Security Manager

Symptoms:
A connection remains open, which results in memory leaks in the tmm for the connections.
The following command shows connections on traffic that was already closed: tmsh show sys conn.

Conditions:
A ASM_RESPONSE_VIOLATION iRule on the ASM-enabled virtual server.
A request with connection: close.

Impact:
Memory increase due to connections left open.

Incoming connections to the virtual server may fail and result in the BIG-IP sending a reset with a reset cause of "TCP closed".

Workaround:
If possible, remove this event from the iRule and/or add the OneConnect profile to the virtual server.

654925-1 : Memory Leak in ASM Sync Listener Process

Solution Article: K25952033

Component: Application Security Manager

Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).

Conditions:
-- asm-sync is enabled on an auto-sync Device Group.

-- Errors occur during attempts to sync, either due to full disk or in response to one or more of the following uses in GUI or REST API:
+ Creating/importing/deleting policies.
+ Accepting many suggestions at once.
+ Adjusting Policy Building Settings.

Impact:
RAM is increasing consumed leading to swap usage until the device reaches a panic state.

Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl

Fix:
Hard limits for memory size are now enforced for ASM processes. The sync listener process now shuts down and restarts after an hour of failed repeated attempts to synchronize the device group state.

654873-2 : ASM Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.

Conditions:
A mix of the following uses in GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.

Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.

Workaround:
Use manual sync groups for ASM sync.

Fix:
Communication for auto-sync groups repaired.

654599-1 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Solution Article: K74132601

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The config contains a large amount (in the thousands) of GSLB virtual servers or wide IP's, resulting in the action not being completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.

Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.

654549-1 : PVA support for uncommon protocols DoS vector

Component: TMOS

Symptoms:
A new HSB bitstream for VIPRION B4450 blades is needed to support IP uncommon protocols for DoS Vector.

Conditions:
Using the B4450 blade.

Impact:
No support for IP uncommon protocols for DoS Vector.

Workaround:
None.

Fix:
HSB v3.2.13.0 bitsteam for VIPRION B4450 blades now provides support for IP uncommon protocols for DoS Vector.

Behavior Change:
This bitstream now supports IP uncommon protocols for DoS Vector. Any number of protocols with values between 0-255 can be simultaneously enabled.

654513-6 : APM daemon crashes when the LDAP query agent returns empty in its search results.

Solution Article: K11003951

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.

Impact:
APM daemon crashes, need to restart RBA and WebSSO. This is a very rarely encountered issue.

Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.

Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.

Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.

654508-2 : SharePoint MS-OFBA browser window displays Javascript errors

Component: Access Policy Manager

Symptoms:
SharePoint MS-OFBA browser window displays Javascript errors while doing authentication.

Conditions:
-- SharePoint Access through LTM and APM.
-- MS-OFBA iRule is used.

Impact:
JavaScript errors shown on the MS-OFBA browser window

Workaround:
None.

Fix:
Now the SharePoint MS-OFBA browser window no longer displays Javascript errors while doing authentication from Microsoft applications.

654368-7 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require

Component: Local Traffic Manager

Symptoms:
Error is not reported if the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by trusted CAs, if the CRL issuer has the same subject name as one of the certs in trusted CA.

Conditions:
This occurs when associating CRLs with virtual servers.

Impact:
Error is not reported for invalid CRL.

Workaround:
OpenSSL command can be used to check if the CRL is signed by trusted CA.

Fix:
Error is reported in TMM logs if the CRL is not signed by trusted CA.

654109-2 : Configuration loading may fail when iRules calling procs in other iRules are deleted

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Loading of the configuration fail with a message indicating a previously deleted iRule cannot be found:

01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Conditions:
- iRule A is calling another iRule B using proc calls
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).

Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.

654086-3 : Incorrect handling of HTTP2 data frames larger than minimal frame size

Component: Local Traffic Manager

Symptoms:
HTTP2 can vary frame size between 16K bytes (included) and 16 Mbytes (not included).

When a client sends a data frame spawning more than one TCP segment, the BIG-IP system incorrectly decrements the frame size twice from the receive window.

If the proxy flow control is disabled, this just creates an additional window update frame. If the proxy is in flow control, this causes a flow control error.

Conditions:
-- HTTP2 profile is configured on a virtual server.
-- Client sends a data frame larger than 16384 bytes, violating RFC. Note: The receiving maximum frame size of the BIG-IP is permanently set at 16384 bytes.

Impact:
HTTP2 resets the stream with FLOW_CONTROL_ERROR.

Workaround:
There is no workaround at this time.

Fix:
When a client sends HTTP2 a data frame exceeding a negotiated maximum frame size, the BIG-IP system correctly resets the stream.

654046-1 : BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.

Solution Article: K22121533

Component: Access Policy Manager

Symptoms:
When an external Service Provider (SP) canonicalizes authentication requests with the use of inclusive namespaces, a BIG-IP system used as SAML IdP may fail to process such requests. User's SSO will fail with following errors contained in /var/log/tmm:

err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Digest from SAML message is invalid
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Error(12) Signature verification failed for SAML Authentication

Conditions:
- BIG-IP is used as SAML IdP.
- User performs SP-initiated SAML SSO.
- External SAML SP sends signed authentication request, in which canonicalization was done with use of inclusive namespaces.

Impact:
Users are unable to perform SAML SSO with certain external service providers.

Workaround:
None.

Fix:
Now BIG-IP APM as IdP SAML canonicalized authentication requests containing inclusive namespaces can be processed successfully.

654011-2 : Pool member's health monitors set to Member Specific does not display the active monitors

Solution Article: K33210520

Component: TMOS

Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.

Conditions:
Have a pool member with Health Monitors set to Member Specific.

Impact:
The specified active monitors will be saved but won't be displayed as active.

Workaround:
Use tmsh to view a pool member's active monitors.

Fix:
Pool member's Health Monitors set to Member Specific now display active monitors.

653993-3 : A specific sequence of packets to the HA listener may cause tmm to produce a core file

Solution Article: K12044607

653976-2 : SSL handshake fails if server certificate contains multiple CommonNames

Component: Local Traffic Manager

Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.

Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).

Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.

Workaround:
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake.

The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.

Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.

653880 : Kernel Vulnerability: CVE-2017-6214

Solution Article: K81211720

653775-3 : Ampersand (&) in GTM synchronization group name causes synchronization failure.

Solution Article: K05397641

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.

Conditions:
A GTM synchronization group name with an ampersand (&) in the name.

Impact:
GTM sync groups does not synchronize.

Workaround:
Remove ampersand from sync group name.

Fix:
Fixed issue that prevented GTM sync groups with an ampersand (&) in the GTM synchronization-group-name from syncing.

653772-2 : fastL4 fails to evict flows from the ePVA

Component: TMOS

Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.

Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.

Impact:
ePVA can continuously send a packet. This might eventually result in a network outage.

Workaround:
Disable HW acceleration.

Fix:
There are now no unknown accelerated flows.

Behavior Change:
The default behavior is to ignore unknown HW accelerated flows (connections). This change will proactively evict unknown HW accelerated flows from the HW (ePVA).

653771-2 : tmm crash after per-request policy error

Component: Access Policy Manager

Symptoms:
TMM core is seen when reject ending in per-request policy encounters error.

Conditions:
The conditions which trigger this are unknown at this time, it was seen once on a per-request policy error.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores when reject ending encounters error in per-request policy

653759-2 : Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★

Component: TMOS

Symptoms:
No Chassis Variant number is not specified when checking the log file /var/log/ltm, for example:

#grep queryFDD /var/log/ltm
...debug chmand[12982]: 012a0007:7: queryFDD returned 1 items for: update|F100|||NONE|NONE|NONE|0x0

This should contain the Variant number 400-0028-04, as follows:
...debug chmand[32663]: 012a0007:7: queryFDD returned 1 items for: update|F100|400-0028-04||NONE|NONE|NONE|0x0

Conditions:
-- B2100/B2150/B2200 blade in C2200/C2400 chassis.
-- Checking for the Chassis Variant number.

Impact:
This has no impact, since there are no Variants currently defined for the C2200/C2400 chassis.

Workaround:
There is no workaround at this time.

Fix:
Chassis Variant number is printed out as expected in the log file.

653746-2 : Unable to display detailed CPU graphs if the number of CPU is too large

Solution Article: K83324551

Component: Local Traffic Manager

Symptoms:
Cannot display detail CPU graph. Go to Statistics :: Performance. Click 'View Detail Graph' under System CPU usage. Graph cannot display. System posts the message: Error trying to access the database.

Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.

Impact:
Administrator is unable to view the detail CPU graphs.

Workaround:
None.

Fix:
The GUI can now display detailed CPU graphs for 1024 cores with the default of 4 lines per graph.

653729-2 : Support IP Uncommon Protocol

Component: Advanced Firewall Manager

Symptoms:
A BIG-IP system can have CPU usage be non-uniformly distributed across the datapath (tmm) threads, such that the overall CPU usage is low, but individual datapath threads may show high usage of a subset of the CPUs on the system. This can be observed by viewing the per-CPU usage, and can manifest as spuriously dropped packets/flows.

Conditions:
A BIG-IP system receives packets that have uncommon IP protocols – those not parsed by the BIG-IP system.

Impact:
The packets are eventually dropped but may drive a subset of the CPUs in the system to very high usage. As CPU increases, potentially reaching 100%, then the BIG-IP system will start dropping packets and the system might eventually fail.

Workaround:
None.

Fix:
The system now supports packets that have uncommon IP protocols.

Behavior Change:
This change adds the capability of specifying various IP protocols as 'uncommon' protocols. Using this list of uncommon protocols can have the system mitigate an attack from uncommon protocols.

To do so, perform the following procedure:
1. Set the sys db tunable dos.uncommon.replace.illegal to true (it is false by default).
2. Set the 8 sys db tunables dos.uncommon.protocols[0-7] to specify which protocols should be considered uncommon (by default all protocols except TCP/UDP/ICMPv4/ICMPv6/SCTP - bits 1/6/17/58/132 are uncommon).
- dos.uncommon.protocols0 represents bits 31:0 of a 256-bit vector
- dos.uncommon.protocols1 represents bits 63:32 of a 256-bit vector
- dos.uncommon.protocols2 represents bits 95:64 of a 256-bit vector
- dos.uncommon.protocols3 represents bits 127:96 of a 256-bit vector
- dos.uncommon.protocols4 represents bits 159:128 of a 256-bit vector
- dos.uncommon.protocols5 represents bits 191:160 of a 256-bit vector
- dos.uncommon.protocols6 represents bits 223:192 of a 256-bit vector
- dos.uncommon.protocols7 represents bits 255:224 of a 256-bit vector

Setting the specific bit to '1' means that the specified protocol is considered 'uncommon', and setting the specific bit to '0' means that the specified protocol is not considered 'uncommon'.

Then the DoS vector IP Unknown Protocol can be used to mitigate an attack from the above-specified 'Uncommon Protocols'.

653511-2 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve

Component: Local Traffic Manager

Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.

Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".

Impact:
Service interruption due to intermittent connection failures.

Workaround:
None.

Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.

653453 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.

Component: TMOS

Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by a L2 defect in the Broadcom Trident2+ switch B4450 blade uses.

Conditions:
The switch learned a corrupted L2 FDB entry on internal HiGig trunk.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
Resolved an issue on Broadcom Trident2+ switch B4450 blades use in which ARP replies reached the front panel port, but failed to reach TMMs.

Behavior Change:
A new BigDB variable is added to control in which mode the l2xmsg module in Broadcom SDK should run.

bcm56xxd.l2xmsg.mode: poll/fifo (default)

The BIG-IP system used to always run l2xmsg module in poll mode. Now, the BIG-IP system will run l2xmsg mode in fifo by default.

653376-5 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including and attribute containing 32 or more extended communities.

Impact:
bgpd may crash causing the BGP peering to reset

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.

Fix:
bgpd no longer crashes on receiving a BGP update with >= 32 extended communities

653324-3 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly

Solution Article: K87979026

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.

Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
Use a custom logo image with the pixel dimensions of 100x121 pixels.

Fix:
On macOS Sierra (10.12), Edge client now shows the customized icon of size 48x48 pixels that is now scaled correctly.

653285-1 : PEM rule deletion with HSL reporting may cause tmm coredump

Component: Policy Enforcement Manager

Symptoms:
tmm coredump caused by deletion of a PEM policy rule with HSL reporting configured and passing active traffic. tmm crash.

Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.

Impact:
tmm coredump causes traffic disruption and restart of tmm.

Workaround:
None.

Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.

653234 : Many objects must be reconfigured before use when loading a UCS from another device.★

Component: TMOS

Symptoms:
Many objects are ignored by the platform-migrate option, and must be reconfigured before use when loading a UCS from another device.

Conditions:
UCS is being loaded from another device, using the platform-migrate option.

Impact:
Risk of configuration load failures.

Workaround:
None, other than reconfiguring for the destination device.

Fix:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

Behavior Change:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

653225-1 : coreutils security and bug fix update

Component: TMOS

Symptoms:
A race condition was found in the way su handled the management of child processes.

Impact:
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Workaround:
install latest hotfix

Fix:
fixed in coreutils-8.4-46.el6

653224-1 : Multiple GnuTLS Vulnerabilities

Solution Article: K59836191

653217-2 : Multiple Samba Vulnerabilities

Solution Article: K03644631

653201 : Update the default CA certificate bundle file to the latest version and remove expiring certificates from it

Component: Local Traffic Manager

Symptoms:
The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-be expired.

Conditions:
If the default CA certificate bundle file is configured in SSL profiles, it is used as a set of built-in trusted certificates when verifying peer's certificate during SSL handshake.

Impact:
When the built-in trusted certificates are obsolete, i.e., containing a certain number of expired certificates, the systems might fail to verify peers certificate correctly.

Workaround:
You can either directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then 'bigstart restart tmm'

Alternatively, you can use a separate certificate, for example:
tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt

Fix:
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.

653014-1 : Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name

Component: Application Security Manager

Symptoms:
An issue was introduced when dealing with custom Blocking pages containing an HTTP Header that has an underscore in the name.

Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.

Impact:
Set Active fails

Workaround:
Use hyphens instead of underscores in the header name.

Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.

652973-2 : Coredump observed at system bootup time when many DHCP packets arrive

Component: Policy Enforcement Manager

Symptoms:
During system bootup, system coredump is observed when many DHCP packets arrive before system is fully ready and many flow entry creation failures are observed

Conditions:
-- BIG-IP DHCP proxy is in forwarding mode.
-- DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address.
-- DHCP packets arrive during system bootup and before system is fully ready (i.e., some VLANs, interfaces and routes are not fully up).

Impact:
System crash and coredump.

Workaround:
Make sure system has come up completely before sending DHCP packets to the system.

Fix:
Coredump no longer occurs under these conditions.

652968-2 : IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys

Solution Article: K88825548

Component: TMOS

Symptoms:
During negotiations that use CREATE_CHILD_SA, IKEv2 will fail to send a KE in the payload when PFS (perfect forward security) is used in config.

Rekey in IKEv2 does not negotiate new keys; the PFS value in phase1-perfect-forward-secrecy is used in the first exchange, then this first key is re-used in later rekey negotiation. Vendor interop problems exist when PFS is required by the other peer.

Conditions:
Define phase1-perfect-forward-secrecy with value other than none. After IPsec SAs expire or are manually deleted, the CREATE_CHILD_SA phase to negotiate new keys has no KEi payload from the BIG-IP Initiator and so no new encryption key.

Impact:
PFS settings apply only to first negotiation and not to subsequent SA rekeys. PFS is therefore absent. When the BIG-IP enters CREATE_CHILD_SA with a third party IPsec peer, negotiation will fail if the peer requires PFS. Under the same conditions, BIG-IP to BIG-IP tunnels will not fail.

Workaround:
To resolve vendor interop problems, disable PFS in the IPsec policy of both peers.

Fix:
When phase1-perfect-forward-secrecy is configured with a value other than none, the BIG-IP will now perform PFS negotiation correctly. Now rekey with CREATE_CHILD_SA generates a new key using the same DH Group as the first exchange that creates the first SA.

Note: In the ipsec-policy configuration object, the ike-phase2-perfect-forward-secrecy option is relevant only to IKEv1 and has no influence on IKEv2 PFS rekeying.

652848-2 : TCP DNS profile may impact performance

Solution Article: K44200194

652796-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
ECA may be constantly restarting on BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
ECA NTLM functionality will not be accessible to the users.

Workaround:
If ECA functionality is not required - disable process by running 'bigstart stop eca'.

If ECA functionality is needed:

1. Stop eca by running "bigstart stop eca'.

2. Modify file '/etc/bigstart/scripts/eca' as follows:

a) Replace line:
cpu_count=$(get_number_cpu)

with line:
tmm_count=$(get_tmm_count)

b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}

with line:
exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start eca'.

Fix:
ECA no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

652792-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
urldb may be constantly restarting on a BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
URLDB functionality will not be accessible to the users.

Workaround:
If URLDB functionality is not required - disable process by running 'bigstart stop urldb'.

If urldb functionality is needed:

1. Stop urldb by running "bigstart stop urldb'.

2. Modify file '/etc/bigstart/scripts/urldb' as follows:

a) Replace line:
cpu_count=$(get_number_cpu)

with line:
tmm_count=$(get_tmm_count)

b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}

with line:
exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start urldb'.

Fix:
urldb no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

652691-1 : Installation fails if only .iso.384.sig (new format signature file) is present★

Component: TMOS

Symptoms:
Tab completion only will complete the names of ISO images that have an old style signature format ("BIG-IP-version-build.iso.sig"), not the new style ("BIG-IP-version-build.iso.384.sig"). Then, installation will fail even if you type out the full name.

Conditions:
This only happens when signature checking is enabled for ISO images. You can determine this by looking at the value of the DB variable "liveinstall.checksig".

Impact:
Tab completion will not show the ISO image, and even if you type out the full name, the installation will fail. An error message will appear in "show sys software status" and /var/log/liveinstall.log .

Workaround:
Put both types of signature file (.iso.sig and .iso.384.sig) on the device.

Fix:
Tab completion and installation will now work if the old signature file format (.iso.sig) is missing, and only the new signature format (.iso.384.sig) is present.

652689-2 : Displaying 100G interfaces

Solution Article: K14243280

Component: TMOS

Symptoms:
Interfaces' Active Media Type and Media Speed rows display none.

Conditions:
Having a server with 100G interfaces.

Impact:
Cannot use GUI to determine interfaces' Active Media Type and Media Speed.

Workaround:
Use tmsh to see the affected interface.

Fix:
100G interfaces now display correctly.

652638-2 : php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()

Solution Article: K23731034

652539 : Multiple Bash Vulnerabilities

Solution Article: K73705133

652535-1 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.

Solution Article: K54443700

Component: Local Traffic Manager

Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.

Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.

Impact:
HTTP/2 stream is reset.

Workaround:
None.

Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.

652516 : Multiple Linux Kernel Vulnerabilities

Solution Article: K31603170

652484-2 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster

Component: TMOS

Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.

Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.

Impact:
The f5optics version is not displayed for all of the blades.

Fix:
f5optics version information for all blades within a chsasis is displayed when the user issues tmsh show net f5optics from the primary blade.

652445-2 : SAN with uppercase names result in case-sensitive match or will not match

Solution Article: K87541959

Component: Local Traffic Manager

Symptoms:
SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.

Conditions:
Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.

Impact:
SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.

Workaround:
Use lowercase characters for SAN domain names in SSL certificates.

Fix:
SNI match is now case-insensitive.

652200-1 : Failure to update ASM enforcer about account change.

Solution Article: K81349220

Component: Application Security Manager

Symptoms:
There is an error updating BD with the following information:
Errors:
------------
  bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled

  ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
  ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------

Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.

Impact:
Traffic is blocked due to Unknown HTTP selector

Workaround:
Use one of the following Workaround:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.

Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).

652151-1 : Azure VE: Initialization improvement

Solution Article: K61757346

652094-2 : Improve traffic disaggregation for uncommon IP protocols

Solution Article: K49190243

Component: TMOS

Symptoms:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default.

Conditions:
Traffic of uncommon IP protocols on VLAN configured with default DAG.

Impact:
Traffic for uncommon IP protocols not distributed evenly among available processing units.

Workaround:
None.

Fix:
The system now correctly distributes traffic for uncommon IP protocols based on src IP and dest IP.

The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

Behavior Change:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

652052-3 : PEM:sessions iRule made the order of parameters strict

Component: Policy Enforcement Manager

Symptoms:
In the versions before 12.0, the order of parameters for "PEM::SESSIONS" rule was flexible. It was made strict because of the new validation infrastructure in 12.0. This breaks some existing iRules.

The system will report a validation error such as:

01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]

Conditions:
Some parameters, for example, subscriber-id come before the parameter user-name.

Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.

Workaround:
Change the order of the parameters.

652004-2 : Show /apm access-info all-properties causes memory leaks in tmm

Solution Article: K45320415

Component: Access Policy Manager

Symptoms:
When tmsh is used to view session information, memory will leak on each request to pull the session information from tmm. This is a small leak but can be significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.

Conditions:
when using show /apm access-info all-properties

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
The only workaround is not to use the mcp interface by tmm daemon, or to restart the tmms periodically after using the interface multiple times.

Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.

651910-2 : Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later

Component: Access Policy Manager

Symptoms:
You cannot change the 'Enable Access System Logs' and 'Enable URL Request Logs' properties via the GUI.

Conditions:
After upgrade from 12.x to 13.0.0 (where these new fields were added) or later.

Impact:
You cannot change 'Enable Access System Logs' and 'Enable URL Request Logs'.

Workaround:
Manually add the properties via tmsh. To do so, follow these steps (substituting your affected log setting for abc in the following example):

modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}

Fix:
Now it is possible to use the GUI to successfully use and configure log-setting objects that were created with tmsh.

651901-2 : Removed unnecessary ASSERTs in MPTCP code

Component: Local Traffic Manager

Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.

Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.

Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
Replaced many ASSERTs with other mitigations that allow TMM to continue running.

651826-2 : SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly

Component: TMOS

Symptoms:
When checking the SPI fields of an IKEv2 IPsec SA, the byte order of the displayed number is rendered incorrectly. The SPI details are seen in "tmsh show net ipsec ike-sa all-properties".

For example, the BIG-IP will render this:
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d

When the actual SPIs viewed on the peer device are:
Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C

Conditions:
IKEv2 IPsec SAs are established or attempting to be established.

Impact:
Can confuse a BIG-IP Administrator who is attempting to verify that IPsec peers have the same SAs.

Workaround:
Rearrange the SPI numbers manually or examine the ipsec.log to see the established SA SPI numbers.

Fix:
The correct SPI numbers are displayed when running the "tmsh show net ipsec ike-sa all-properties" command. Note that this command only shows IKEv2 SAs.

651772-3 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, may use an MAC and IPv6 source address from a different VLAN.

Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that will cause the traffic to the destination to shift from one vlan and gateway to another. This can be typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.

Fix:
IPv6 host traffic no longer use incorrect IPv6 and MAC address after route updates.

Behavior Change:
Introduction of sys db ipv6.host.router_probe_interval, to control sysctl net.ipv6.conf.default.router_probe_interval value. This value is default to 5s.

651681-4 : Orphaned bigd instances may exist (within multi-process bigd)

Component: Local Traffic Manager

Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may be exit; such as an orphaned 'bigd.1' alongside the active 'bigd.1'.

Conditions:
-- db variable Bigd.NumProcs to 2 or higher.
-- System monitors with long timeouts (such as ~183 seconds or longer), might also be relevant.

When 'bigd' manages monitor configurations that results in no monitoring activity for a long time (such as due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as if it were "hung", and start another 'bigd' instance without explicitly terminating the suspended 'bigd' process.

Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.

Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.

Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.

Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.

Fix:
Multi-process 'bigd' no longer produces orphaned (suspended) process instances.

651651-3 : bigd can crash when a DNS response does not match the expected value

Solution Article: K54604320

Component: Local Traffic Manager

Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.

Conditions:
Monitoring DNS server(s), or using FQDN.

Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.

Workaround:
No workaround at this time.

Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.

651640-3 : queue full dropped messages incorrectly counted as responses

Component: Service Provider

Symptoms:
negative number of active response messages reported on sipsession profile stats

Conditions:
If a request message is dropped because the sip filter's ingress message queue is full, the wrong stats is incremented

Impact:
Counting the dropped request messages as response messages causes the calculation of the accepted response messages to be incorrectly calculated, thus producing a negative value.

Fix:
correct stats fields are incremented

651541-2 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile

Solution Article: K83955631

Component: Local Traffic Manager

Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.

Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.

Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.

Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.

Fix:
Changing the HTTP profile now triggers validation of all virtual servers using that profile.

651476 : bigd may core on non-primary bigd when FQDN in use

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.

Conditions:
FQDN is in use.

Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.

Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.

Fix:
Known causes of the bug have been fixed.

651413-2 : tmsh list ltm node does not return an error when node does not exist

Solution Article: K34042229

Component: TMOS

Symptoms:
TMSH does not post an error message in response to the tmsh command to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using regular expressions.

Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.

Impact:
The command produces no output or error message. No indication of why there is no output, nor is there a description of the possible error condition.

Workaround:
None.

Fix:
TMSH now posts the appropriate, node-not-found error message when LTM nodes do not exist when running the command: tmsh list ltm node.

651362 : eventd crashes during boot

Component: TMOS

Symptoms:
eventd may crash during boot due to heap corruption.

Conditions:
This happens during subscription and unsubscription of events.

Impact:
eventd crashes.

Workaround:
None.

Fix:
Race condition has been resolved, so eventd no longer crashes.

651221-2 : Parsing certain URIs may cause the TMM to produce a core file.

Solution Article: K25033460

651155-1 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
Unknown.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.

651135-4 : LTM Policy error when rule names contain slash (/) character★

Solution Article: K41685444

Component: Local Traffic Manager

Symptoms:
Beginning with v12.0.0, there has been additional validation for LTM Policy rule names to allow only certain valid characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.

But because the slash character is used as a delimiter in the BIG-IP virtual path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name causes validation problems because the rule appears to the system as having additional path segments.

Conditions:
LTM Policy rule contains the slash (/) character.

Impact:
Configuration will not load.
Configuration may load, but admin GUI may not show policy rule.

Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to either remove the illegal character or to substitute a valid character.

For example, the following policy won't load because the rule name contains a slash (/) character:

    ltm policy mypolicy {
    ...
       rules {
          /testperson/a {
    ...
    }

But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
    ltm policy mypolicy {
    ...
       rules {
          _testperson_a {
    ...
    }

Fix:
For upgraded configurations, the roll-forward process will automatically translate slash (/) to underscore (_) in LTM Policy rule names. When creating new rules, validation will not succeed if a rule name contains an illegal character, such as a slash, so the issue will be prevented.

651106 : memory leak on non-primary bigd with changing node IPs

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with the multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes will consume an unusually high amount of memory, and bigd cores may exist when the FQDN node IP addresses change frequently.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.

651001-1 : massive prints in tmm log: "could not find conf for profile crc"

Component: Advanced Firewall Manager

Symptoms:
Massive messages in tmm log:
"could not find conf for profile crc"

messages are shown while traffic is passing.

Conditions:
1. Have dos profile attached to vs. dos profile does not have dos application enabled.
2. Have ASM policy attached to VS with Web Scraping on/session hijacking/session awarness with DID collection/brute force with DID collection.

Impact:
Massive prints in tmm log that can cause tmm to abort. Traffic disrupted while tmm restarts.

Workaround:
Have DOS application enabled (even if doing nothing).

Fix:
disable prints.

650422-2 : TMM core after a switchover involving GY quota reporting

Component: Policy Enforcement Manager

Symptoms:
Core dump in the code path for async subscriber lookup causes core-dump.

Conditions:
This core happens in an intra-chassis HA configuration, if GY is configured & HA switchover is forced.

Impact:
An initial coredump (or HA switchover) forces multiple core dumps. Traffic disrupted while tmm restarts.

650349 : Creation or reconfiguration of iApps fails if high speed logging is configured

Component: TMOS

Symptoms:
If logging destination of any type is configured (ArcSight, IPFIX, remote high speed logging, etc.), creation or reconfiguration of iApps will fail. The following error will be reported in /var/log/webui.log and displayed in the GUI: The connection to mcpd has been lost, try again.

If the iApp is being create or modified via iControl then the following message will be logged in /var/log/audit

-- notice icrd_child[19904]: 01420002:5: AUDIT - pid=19904 user=admin folder=/Common module=(tmos)# status=[The connection to mcpd has been lost, try again.] cmd_data=create sys application service /Common/group2-analytics { template /Common/group2-analytics variables add { statistics__pushinterval { value 120 } statistics__customcollection { value Yes } } lists add { statistics__customcollectionconfig { value { tmm_stat interface_stat cpu_info_stat disk_info_stat host_info_stat profile_dns_stat gtm_wideip_stat dns_cache_resolver_stat tmmdns_zone_stat rule_stat virtual_server_stat pool_member_stat } } } }

The import part of the message is the daemon, which is 'icrd_child', and the status, which is 'The connection to mcpd has been lost, try again.'

Conditions:
-- Logging is configured: filter, destination, and publisher where scriptd logs to a high speed logging target, which can occur if the there is a logging filter that has source of 'all' or 'scriptd'.
-- Attempting to create or reconfigure iApps.

Impact:
iApp creation or reconfiguration fails. Cannot create new iApps or reconfigure existing ones.

Workaround:
This workaround stops scriptd from logging anything to any logging destination, so you should remove it and restart scriptd after the iApp is created/reconfigured.

1. Add a sys log-config filter; where the filter has a source of 'scriptd', level of 'debug' and a publisher of 'none'

For example:

sys log-config filter NoScriptd {
    app-service none
    description none
    level debug
    message-id none
    publisher none
    source scriptd
}

2. Restart scriptd

   bigstart restart scriptd

Fix:
Can now create or reconfigure iApps if logging is configured.

650317-3 : The TMM on the next-active panics with message: "Missing oneconnect HA context"

Component: Local Traffic Manager

Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.

Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.

Impact:
Connections on the active are not mirrored while the next-active restarts.

Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.

Fix:
Mirrored connections which fail to find an HA context on the next-active are not established on the next-active.

650292-2 : DNS transparent cache can return non-recursive results for recursive queries

Component: Local Traffic Manager

Symptoms:
If a non recursive query is cached by the DNS transparent cache, subsequent recursive queries provide the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non recursive responses for recursive requests.

Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.

Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.

650286-2 : REST asynchronous tasks permissions issues

Solution Article: K24465120

650152-1 : Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms

Component: Local Traffic Manager

Symptoms:
In Nitrox PX platforms, vCMP guests can't accelerate AES-GCM traffic, which might cause high CPU usage.

Conditions:
For those vCMP guests deployed on Nitrox PX-based platforms, and SSL cipher is configured to use AES-GCM.

The following blades support the Nitrox PX and vCMP combination: VIPRION B4200, B4300, B2100, and B2150 blades.

Impact:
High CPU usage.

Workaround:
No workaround.

Fix:
Added AES-GCM hardware acceleration support for Nitrox PX-based vCMP.

650081-1 : FP feature causes the blank page/delay on IE11

Solution Article: K53010710

Component: Advanced Firewall Manager

Symptoms:
When PBD and FP are both enabled, there is a very high client-side latency, especially on Microsoft Internet Explorer (IE).
On IE, sometimes the challenge remains on a blank page, never moving on to the site from the back-end server.

Conditions:
If you use ASM dos with fingerprint, but it causes the delay/blank page on browser Microsoft Internet Explorer v11 (IE11).

Impact:
Delay or blank page when clients access the page using IE11.

Workaround:
None

Fix:
Improved the client-side run-time of the JavaScript challenge and prevented it from getting stuck on Internet Explorer.

650074-1 : Changed Format of RAM Cache REST Status output.

Component: Local Traffic Manager

Symptoms:
The REST API returned cache contents in displayable form, not tagged field form.

Conditions:
Using REST API.

Impact:
Text must be parsed as if the caller plans to post-process it.

Workaround:
To present the data in some other format, the text can be displayed as is, but must be parsed as if the caller plans to post-process it.

Fix:
Now RAM Cache REST Status output is returned in field format, and must be parsed by a JSON parser and formatted for display. If you were using the previous format, you must now parse the JSON and re-format the data for display.

Behavior Change:
REST API calls for ramcache stats now returns data as formatted JSON.

650059-1 : TMM may crash when processing VPN traffic

Solution Article: K20087443

650002-1 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.

Fix:
To accommodate for Mongolia no longer observing DST, the new America/Punta_Arenas zone was created. Changes were also made to support other timezone changes.

* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.

Note: Users of tzdata are advised to upgrade tzdata to zdata-2017b-1.el6

649949-1 : Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★

Component: TMOS

Symptoms:
Following the instructions at https://support.f5.com/csp/article/K13117 will occasionally fail on iSeries platforms, with the system being unable to find the installation media.

If this happens, running the following command will fail.

image2disk --instslot=HD1.1 --setdefault --nosaveconfig

Conditions:
This can occur on iSeries platforms while performing a clean installation.

Impact:
The /dev/cdrom softlink points to the virtual CD-ROM drive in iSeries platforms instead of the physical USB DVD-ROM drive. This prevents image2disk from automatically finding the installation media.

Workaround:
After the failure, while in MOS, determine USB CDROM device name, mount it, and tell image2disk specifically where it is:

bash (try 'info') / > dmesg | grep "sr0\|sr1"
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray <-- cdrom name
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1

bash (try 'info') / > mount -r -t iso9660 /dev/srX /cdserver
bash (try 'info') / > image2disk --instslot=HD1.1 --nosaveconfig /cdserver

In the mount command, replace "/dev/srX" with whichever device is the physical drive.

649933-1 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.

649929-1 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it

Component: Access Policy Manager

Symptoms:
Cannot delete saml_sp_connector from a transaction even when all related objects are specified.

Conditions:
When deleting saml_sp_connector from a transaction along their associated objects.

Impact:
Cannot delete saml_sp_connector and associated objects.

Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector

Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.

649907-2 : BIND vulnerability CVE-2017-3137

Solution Article: K30164784

649904-2 : BIND vulnerability CVE-2017-3136

Solution Article: K23598445

649866-1 : fsck should not run during first boot on public clouds

Component: TMOS

Symptoms:
Although it is not needed, filesystem check runs during the first boot. This increases the boot time, especially for images that were created more than 180 days before the first boot, because twice year, booting up runs a more comprehensive fsck operation.

Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).

Impact:
Potentially unacceptable long boot times.

Workaround:
None.

Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.

649617-2 : qkview improvement for OVSDB management

Component: TMOS

Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.

If the user wants the BIG-IP system to connect to an OVSDB-capable controller via a SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in qkview.

Conditions:
The following conditions need to be met:

- BIG-IP has the SDN services license.

- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.

- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.

Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.

Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.

In general, if OVSDB management has ever been set to "enabled", the user with the bash shell access can check if the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.

Fix:
The certificate key configured in the "sys management-ovsdb" will not be collected when invoking qkview.

649613-3 : Multiple UDP/TCP packets packed into one DTLS Record

Component: Access Policy Manager

Symptoms:
The system converts the server provided packet into PPP buffers. These PPP packets are used to pack into DTLS records. Currently there is a limit of about 14 KB of DTLS records, such that the system can pack multiple PPP records into one DTLS record.

However, creating bigger DTLS record can cause server IP Fragmentation. In the lossy environment, losing one IP fragment can cause the complete DTLS record to be lost, resulting in poor performance.

Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.

Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.

Workaround:
None.

Fix:
DTLS performance has been improved in lossy or high latency networks by optimizing the number of encoded ppp records inside of DTLS records.

649571-1 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not act on the absence of renegotiation.

Conditions:
A BIG-IP system acts as TLS client, a TLS server ignores renegotiation request. Finite TLS session data or time limits are configured in Server SSL Profile on the BIG-IP system.

An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Workaround:
None.

Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.

649564-2 : Crash related to GTM monitors with long RECV strings

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.

Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.

Impact:
Core dump. Traffic might be disrupted while gtmd restarts.

Workaround:
None.

Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.

649465-1 : SELinux warning messages regarding nsm daemon

Component: TMOS

Symptoms:
Receiving SELinux warning messages regarding nsm daemon when BFD is enabled, and deleting VLANs.

Conditions:
-- BFD enabled for any route-domain.
-- Deleting VLANs.

Impact:
None. This warning message references actions that are extraneous for the nsm daemon.

Workaround:
None.

Fix:
nsm no longer triggers SELinux warning messages with BFD enabled, and deleting VLANs

649234-3 : TMM crash from a possible memory corruption.

Solution Article: K64131101

Component: Access Policy Manager

Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.

Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.

649171-4 : tmm core in iRule with unreachable remote address

Component: Local Traffic Manager

Symptoms:
TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with a non reachable remote_addr, tmm cores

Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable

Impact:
Traffic disrupted while tmm restarts.

Workaround:
create faux route for the destination address

649161-1 : AVR caching mechanism not working properly

Solution Article: K42340304

Component: Application Visibility and Reporting

Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.

Conditions:
Using AVR caching mechanism (turned-on by default).

Impact:
Reports will be incorrect.

Workaround:
Using the following TMSH command should solve the problem:
tmsh modify sys db avr.requestcache value disable

* NOTE: the above might cause AVR to perform a bit slower.

Fix:
The system no longer stores the dimension-based queries in the AVR cache.

648990 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded

Component: Local Traffic Manager

Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:

info tmm[17859]: 01260034:6: Block cipher data limit exceeded.

Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.

Impact:
Serverssl renegotiation does not occur, log message is displayed.

648954-5 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:

01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Referencing an iRule that previously existed, but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

648879-2 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555

Solution Article: K90803619

648865-2 : Linux kernel vulnerability: CVE-2017-6074

Solution Article: K82508682

648802-3 : Required custom AVPs are not included in an RAA when reporting an error.

Component: Policy Enforcement Manager

Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).

Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.

Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.

Workaround:
There is no workaround at this time.

Fix:
Custom AVPs included regardless of an error code in an RAA.

648786-5 : TMM crashes when categorizing long URLs

Solution Article: K31404801

648766-1 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.

Fix:
The SOA record is now included as appropriate.

648715-2 : BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0

Component: Local Traffic Manager

Symptoms:
LACP, STP, and LLDP PDUs sent from either of the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they shouldn't.

Conditions:
Provision any of the three protocols: LLDP, STP, or LACP and the PDU sent by the BIG-IP will incorrectly have a VLAN tag with a tag-id of 0 added to the PDU.

Impact:
Some 3rd party devices may reject the packet. This will adversely affect operation of the affected protocol.

Workaround:
None.

Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.

648617 : JavaScript challenge repeating in loop when URL has path parameters

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge is repeating in a loop on URLs which have path parameters (when the URL contains the ';' character). The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs contain the ';' character, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests with ';' character will be blocked and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on URLs which have path parameters.

648544-5 : HSB transmitter failure may occur when global COS queues enabled

Solution Article: K75510491

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs then the BIG-IP is rebooted.

Workaround:
Do not use global COS queues.

Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.

648320-3 : Downloading via APM tunnels could experience performance downgrade.

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When packet size is too large, packet fragmentation is possible at IP layer. This causes high number of packet drops and therefore performance downgrade.

Conditions:
When downloading using APM tunnels.

Impact:
High number of packet drops and inferior performance.

Workaround:
None.

Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.

648286-2 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.

Component: Global Traffic Manager (DNS)

Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.

Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.

Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). Must manually select each entry to add to the member list.

Loss of functionality from earlier releases.

Workaround:
Manually select each entry to add to the member list.

Fix:
Restored behavior that selects the next available entry in list after pressing the Add button on GSLB Pool's Member manage page.

648242 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

Fix:
Allowing for administrator users to get all partitions available on query.

648056-2 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.

Solution Article: K16503454

Component: TMOS

Symptoms:
bcm56xxd constantly crashes, device goes off-line.

Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.

Impact:
Device goes off-line.

Workaround:
None.

Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.

648053-1 : Rewrite plugin may crash on some JavaScript files

Solution Article: K94477320

Component: Access Policy Manager

Symptoms:
Rewrite plugin may crash parsing JavaScript files in US ASCII encoding.

Conditions:
JavaScript file in US ASCII encoding (not in UTF-8).

Impact:
Rewrite plugin may crash parsing this file. No response is sent to client.

Workaround:
It is possible to change/add 'charset' parameter in response header 'Content-type' to 'UTF-8' by iRule.

Fix:
Now Portal Access rewrite correctly handles JavaScript data if the web page uses US ASCII encoding.

648037-2 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.

Fix:
Fixed a tmm crash related to LB::reselect

647988-3 : HSL Balanced distribution to Two-member pool may not be balanced correctly.

Solution Article: K15331432

Component: TMOS

Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.

Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
Log message may not be distributed correctly resulting in more load on a single pool member.

Workaround:
None.

Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.

647944-2 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is be in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.

Fix:
Prevented MCP from crashing when the FIX profile is edited.

647757-2 : RATE-SHAPER:Fred not properly initialized may halt traffic

Solution Article: K96395052

Component: Local Traffic Manager

Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.

Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.

Impact:
Traffic is halted.

Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value of 9999 instead of default 0.
-- Use RED as drop policy instead of fred.

647137 : bigd/tmm con vCMP guests

Component: Local Traffic Manager

Symptoms:
bigd/tmm con vCMP guests.

Conditions:
Set up vCMP guest on VIPRION B2100, B4200, or B4300 blades.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
This release corrects this issue so the crash no longer occurs.

647108-1 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction

Component: Access Policy Manager

Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1

Conditions:
When deleting saml-idp-connector first then the associated saml server.

Impact:
Cannot delete saml-idp-connector and associated server in that specific order.

Workaround:
Delete saml server first and then delete the saml connector.

Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.

646928-1 : Landing URI incorrect when changing URI

Component: Access Policy Manager

Symptoms:
User accesses resource1, and an access policy starts. Before the policy completes, the user changes to resource2. There is a warning page that the session already exists, and the user clicks to create a new session. After the policy completes, the user is directed to the landing URI of the resource1.

Conditions:
Attempting to change landing URI in the middle of an access policy

Impact:
End-user is inconveniently directed to the first resource instead of the second.

Fix:
Now the "To open a new session, please click here." link on the APM logout page reflects the last used landing URI rather than the first used landing URI.

646890-1 : IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512

Solution Article: K12068427

Component: TMOS

Symptoms:
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.

Conditions:
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take affect without a racoon restart.

Impact:
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.

Workaround:
Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.

Fix:
Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.

646760 : Common Criteria Mode Disrupts Administrative SSH Access

Component: TMOS

Symptoms:
If Common Criteria mode is enabled the administrative SSH interface on BIG-IP may become unavailable.

Conditions:
CC-mode enabled.

Impact:
SSH interface not available, sshd may fail to start.

Workaround:
There is no workaround at this time.

Fix:
Correct SSH configuration when in CC mode

646643-2 : HA standby virtual server with non-default lasthop settings may crash.

Solution Article: K43005132

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.

Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).

-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).

Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.

646615-1 : Improved default storage size for DNS Express database

Component: Global Traffic Manager (DNS)

Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.

Conditions:
DNS Express with configured zones.

Impact:
Possibly reduced database size.

Workaround:
N/A as this is an improvement.

Fix:
A tweak has been made to the DNS Express database to improve the initial database size.

646604-5 : Client connection may hang when NTLM and OneConnect profiles used together

Solution Article: K21005334

Component: Local Traffic Manager

Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.

646511-1 : BD crashes repeatedly after interrupted roll-forward upgrade★

Component: Application Security Manager

Symptoms:
After roll-forward upgrade of version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.

Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.

Impact:
BD crashes repeatedly on subsequent attempts to start ASM.

Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:

tmsh modify sys db ucs.asm.traffic_data.save value disable

Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.

646443-1 : Ephemeral Node may be errantly created in bigd, causing crash

Solution Article: K54432535

Component: Local Traffic Manager

Symptoms:
When FQDN Ephemeral Nodes are being used at the same time as static Node objects, and there is change in those objects, either via DNS resolver changes or manual changes to static nodes, there exists a chance where one may be misidentified as the other during an update, causing a crash in bigd.

Conditions:
FQDN Nodes and Static Nodes being used. Change in node settings or creation/deletion of nodes.

Impact:
Bigd crashes, causing interruption in monitoring.

Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.

Fix:
Fixed case where misidentification may occur, resulting in bigd running without crashing.

645805 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses

Solution Article: K92637255

Component: TMOS

Symptoms:
LACP PDUs generated by lacpd on the i4x00 and i2x00 platforms contain the wrong Ethernet source MAC address.

Conditions:
LACP configured on an trunk interface on i4x00 or i2x00 platforms.

Impact:
Some Cisco and Juniper switches discard these PDUs. They send PDUs as if the BIG-IP system is not transmitting with an all-zeros 'Partner' section System ID. This renders LACP inoperable, and simply does nothing if the far end is configured for 'Passive'.

Workaround:
None.

Fix:
The BIG-IP software now inserts the correct Source MAC address in the LACP PDU.

645729-1 : SSL connection is not mirrored if ssl session cache is cleared and resume attempted

Component: Local Traffic Manager

Symptoms:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.

Conditions:
A previous ssl session is attempting to resume the connection after the ssl session cache has been cleared.

Impact:
Connection is established but is not mirrored.

Workaround:
Could be avoided by disabling ssl session cache.

Fix:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.

645723-2 : Dynamic routing update can delete admin ip route from the kernel

Solution Article: K74371937

Component: TMOS

Symptoms:
Routes obtained from dynamic routing (BGP, etc.) can replace existing management route for the admin IP address, making the BIG-IP lose its management route. Static routes created via TMSH can replace management route.

Conditions:
Using TMSH to create "net route" that matches management network, or dynamic routing accepts a route that matches the management network.

Impact:
Losing the management network route, and potential loss of access to the BIG-IP via the management network.

Workaround:
Don't accept route updates for the management network. Don't create static routes for the management network.

Fix:
Management network admin IP address is now protected from being overwritten.

645717 : UCS load does not set directory owner

Component: TMOS

Symptoms:
When loading a UCS file the directory /etc/ssh will become owned by the first user in the UCS with an .authorized_keys file.

Conditions:
UCS loaded that contains users with .authorized_key files

Impact:
Ownership of /etc/ssh is set to a non-root user after UCS load. This does not interfere with normal system operation or SSH authentication but does not follow secure coding practices

Workaround:
Ownership of on /etc/ssh can be restored with the command: chown root /etc/ssh

Fix:
UCS load now explicitly sets ownership of the /etc/ssh directory to root.

645684-2 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application components are loaded into incorrect ApplicationDomain and in some rare cases this may cause errors in application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None

Fix:
Flash files accessed through Portal Access are now loading components into correct Application Domain. This improves compatibility with Flash apps.

645663 : Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.

Component: Local Traffic Manager

Symptoms:
Accelerated crypto and compression traffic may fail; stuck queue reports appear in logs.

Conditions:
Guests provisioned with more than 12 vcpus, and crypto or compression traffic passed through hardware acceleration.

Impact:
Can cause the hardware accelerator to fail and require host reboot.

Workaround:
Limit guest provisioning to 12 vcpus.

Fix:
Allow guests provisioned with more than 12 vcpus to operate without stalling hardware accelerators.

645615-2 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.

645480-3 : Unexpected APM response

Solution Article: K45432295

645339-2 : TMM may crash when processing APM data

Component: Access Policy Manager

Symptoms:
Under certain conditions TMM may crash while processing APM data

Conditions:
APM enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM processes APM data as expected

645220-2 : bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs

Component: Local Traffic Manager

Symptoms:
When mcpd debug logging is enabled, mcp messages sent to or received from the bigd daemon are logged with a username of "(user %-P)" or "(user %-S)" instead of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".

Conditions:
mcpd debug messages with the "(user %-P)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and multiple instances of bigd are running.
mcpd debug messages with the "(user %-S)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and a single instance of bigd is running.

Impact:
Confusion about which daemon is referenced in mcpd debug logs with username "(user %-S)" or "(user %-P)".

Fix:
mcpd debug messages sent to or received from the bigd daemon are correctly logged with a username of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".

645197-3 : Monitors receiving unique HTTP "success" response codes may stop monitoring after status change

Component: Local Traffic Manager

Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) will accumulate in the monitor history; upon monitor status change (such as to "fail"), this history is sent (from 'bigd' to 'mcpd') to indicate that monitor's new-status, plus historical context. This history may grow too large if no monitor status is detected for an extended time (such as days or weeks) when unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from "success" to "fail"), notification from 'bigd' to 'mcpd' will fail due to this too-large history, resulting in the monitor remaining in its previous state (i.e., "success"). 'bigd' properly records the monitor status and continues to monitor; but 'mcpd' was not notified of that status change (due to message-send failure from the history being too large).

This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating "success"), as 'bigd' will elide/merge the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (for example, by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history will continue to grow for that monitor until a status-change is detected.

Conditions:
Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp; and success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from "success" to "fail").

Impact:
The monitor will remain in the "success" state, as the status-change will be "lost" ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.

Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes; thus, receiving the same return-code will elide/merge with previously accumulated values in the monitor history.

Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.

645179-6 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fix:
Traffic groups no longer becomes active on more than one BIG-IP system in a device group after a long uptime interval.

645101-2 : OpenSSL vulnerability CVE-2017-3732

Solution Article: K44512851

645058-3 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.

Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

645036-3 : Removing pool from virtual server does not update its status

Solution Article: K85772089

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.

Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.

644975-4 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost

Solution Article: K09554025

Component: TMOS

Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.

Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.

Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.

Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.

2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.

3) Save the file and exit the text editor to install the root user's new crontab configuration.

4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.

5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.

6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.

7) If the previous command shows MAILTO=root still appears in some files, also modify those file so that MAILTO=root becomes MAILTO="".

Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.

644970-1 : Editing a virtual server config loses SSL encryption on iSession connections

Component: Wan Optimization Manager

Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.

Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.

Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.

Workaround:
Modify the virtual server's configured server-side iSession profile. For example toggle the iSession profile from A to B and then back to A.

Fix:
Editing a virtual server configuration no longer deletes
an iSession dynamically configured default server-ssl profile.

644946-2 : Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation

Solution Article: K05053251

Component: Service Provider

Symptoms:
When the mirror flag is enabled in the siprouter and diameterrouter profiles, outgoing per-client create connection will be usable by any client connection from the same IP address.

Conditions:
This occurs when the mirror flag is enabled in the siprouter and diameterrouter profiles.

Impact:
In the siprouter and diameterrouter profiles, enabling mirroring incorrectly enables the internal ignore_peer_port flag, which causes the router to not consider the remote port of the client side connection when determining which of an outgoing per-client connection can be used for forwarding messages.

Workaround:
None.

Fix:
The ignore_peer_port flag is no longer affected by the setting of the mirror flag, which is correct functionality.

644904-5 : tcpdump 4.9

Solution Article: K55129614

644873-2 : ssldump can fail to decrypt captures with certain TCP segmenting

Solution Article: K97237310

Component: Local Traffic Manager

Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.

The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data

Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.

Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.

Workaround:
None.

Fix:
ssldump now successfully decrypt a capture, so ssldump no longer crashes.

644855-2 : irules with commands which may suspend processing cannot be used with proactive bot defense

Component: Advanced Firewall Manager

Symptoms:
A request is dropped.

Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual. (includes a command like the "after" commands")

For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962

Impact:
All requests which issue the proactive bot defense and the iRule will get dropped.

Workaround:
N/A

Fix:
irules which suspends the execution won't cause a request drop when the proactive bot defense is assigned.

644851-2 : Websockets closes connection on receiving a close frame from one of the peers

Component: Local Traffic Manager

Symptoms:
Websocket connection should be closed once an endpoint has both sent and received a Close control frame. BIG-IP closes connection on receiving a close frame from peer and does not wait for close frame from other endpoint. This results in data sent in the other direction to be dropped.

Conditions:
Websocket and HTTP profile are attached to the virtual.

Impact:
One endpoint sends a Websocket Close control frame. Other endpoint continues sending data which is dropped by BIG-IP.

Fix:
Half-close of connection will be triggered instead of closing the connection entirely.

644822-2 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM provisioned, a FastL4 virtual server with enabled loose-init option drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option enabled.

Workaround:
No workaround.

Fix:
Fixed, so FastL4 virtual servers with enabled loose-init option will forward any RST packets.

644799-1 : TMM may crash when the BIG-IP system processes CGNAT traffic.

Solution Article: K42882011

Component: TMOS

Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.

Conditions:
A TMM connflow related to CGNAT traffic is expired.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.

644723-1 : cm56xxd logs link 'DOWN' message when an interface is admin DISABLED

Component: TMOS

Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:

Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN

Conditions:
This is logged when disabling an interface.

Impact:
Log message says the interface is DOWN, it should say DISABLED.

644694 : FPS security update check ends up with an empty page when error occurs.

Component: Fraud Protection Services

Symptoms:
While checking for security updates in FPS, GUI may display an empty page caused by internal errors, such as network errors or temporary downtime.

Conditions:
-- Provision and license FPS.
-- Check for security updates.

Impact:
Empty page is presented, with no indication of what error occurred.

Workaround:
Use TMSH or REST API to perform an update check.

Fix:
Now, when an error occurs, the error will be displayed.

644693-3 : Fix for multiple CVE for openjdk-1.7.0

Solution Article: K15518610

644565-1 : MRF Message metadata lost when routing message to a connection on a different TMM

Component: Service Provider

Symptoms:
The system might choose to create a new outgoing connection when there is an available exiting connection that can be used.

Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.

Impact:
Messages should be delivered correctly as the metadata is lost after routing. There might be an impact if routing is retried and the ignore-peer-port setting is lost. This might cause a new connection to be created when an available existing connection exists.

Workaround:
None.

Fix:
The system now ensures that the ignore-peer-port flag is preserved when forwarding a message to a connection on another TMM.

644490-1 : Finisar 100G LR4 values need to be revised in f5optics

Component: TMOS

Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.

Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.

Impact:
Occasional packet loss at the 100G physical layer.

Workaround:
Use 100G SR4 optics modules on the link if possible.

Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.

For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).

644489-1 : Unencrypted iSession connection established even though data-encrypt configured in profile

Solution Article: K14899014

Component: Wan Optimization Manager

Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
1) An error occurs during dynamic server-ssl profile replacement.
2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.

In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.

Impact:
An unencrypted iSession connection may be established which is inconsistent with configuring data-encrypt as enabled in the sever-side iSession profile.

Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
2) An error occurs during dynamic server-ssl profile replacement.

644447-2 : sync_zones script increasingly consumes memory when there is network connectivity failure

Component: Global Traffic Manager (DNS)

Symptoms:
sync_zones memory usage exponentially increases during network disruption

Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.

Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.

Workaround:
None.

Fix:
sync_zones script now exits successfully at network failure.

644418-2 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain including the self-signed certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.

Conditions:
This may occur when SSL Forward Proxy is in use.

Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.

Workaround:
None.

Fix:
In this release, the system excludes self-signed certificates in hash algorithm selection (which is correct behavior). This may prevent forged certificate from using SHA1 hash algorithm

644404-1 : Extracting SSD from system leads to Emergency LCD alert★

Component: TMOS

Symptoms:
When an SSD in a dual-SSD system configuration is extracted, an emergency alert may be issued on the LCD. This does not match the actual severity (Warning) as reported in the LTM log.

Conditions:
Dual SSDs in any BIG-IP system where one has been selected for removal.

Impact:
LCD reports an Emergency-level alert, which does not match the actual Warning severity reported in the LTM log.

Workaround:
Clear the Emergency alert from the LCD.

Fix:
The classification for SSD removal has been changed to 'Warning' to match the LTM log level.

644220-3 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.

Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.

644184-4 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Solution Article: K36427438

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.

Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.

Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.

Fix:
ZebOS daemons no longer hangs while AgentX is waiting.

644112-2 : Permanent connections may be expired when endpoint becomes unreachable

Solution Article: K56150996

Component: Local Traffic Manager

Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.

Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.

Impact:
Tunnel, or other affected connection, will not pass traffic.

Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.

Fix:
Routing updates can no longer lead to expired permanent connections.

643813-2 : ZoneRunner does not properly process $ORIGIN directives

Solution Article: K32906881

Component: Global Traffic Manager (DNS)

Symptoms:
During an import zone operation, ZoneRunner incorrectly associates the "@" directive with the zone name and not $ORIGIN specified.

Conditions:
If the zone file to be imported contains the $ORIGIN directive, the following "@" directives will reference the zone name, which is incorrect.

Impact:
Zones will not be imported correctly.

Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing into ZoneRunner.

The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)

For example, given a zone file named example.com.file that contains the following information:

"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3

The command is as follows:

named-compilezone -s full -o example.com.file.full example.com example.com.file

The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1

Which is correct. This file can then be used to import into ZoneRunner.

643785-3 : diadb crashes if it cannot find pool name

Component: Service Provider

Symptoms:
diadb utility crashes if it cannot find pool name.

Conditions:
-- diadb utility is running.
-- Pool name is not available in the Diameter persistence record.

Impact:
diadb utility crashes.

Workaround:
None.

Fix:
diadb will not crash even if it cannot find the pool name in the Diameter persistence record.

643777-2 : LTM policies with more than one IP address in TCP address match may fail

Solution Article: K27629542

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.

Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.

643631 : Serverside connections on virtual servers using VDI may become zombies.

Solution Article: K70938130

Component: Local Traffic Manager

Symptoms:
Listing connections with "tmsh show sys connection all-properties" (please be cautious executing this command as it could have performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.

Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.

Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.

Workaround:
None.

Fix:
Expired serverside connections are properly torn down.

643602-2 : 'Select All' checkbox selects items on hidden pages

Component: Fraud Protection Services

Symptoms:
In FPS GUI, clicking 'Select All' when the list contains more than 10 items, selects all items and not just the items on the current page, as expected.

Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:

On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.

Impact:
Unexpected behavior: items are deleted from pages that are not visible.

Workaround:
Check one or more items individually for deletion.

Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.

643582-2 : Config load with large ssl profile configuration may cause tmm restart

Component: Local Traffic Manager

Symptoms:
When doing a config load with a large number of ssl profiles tmm may become busy enough to cause mcp tcp connection to go down and cause tmm restart.

Conditions:
Doing a full config load with large number of ssl profiles.

Impact:
Possible tmm restart.

Workaround:
Doing incremental sync of changes can avoid this issue.

Fix:
A full configuration reload with large number of ssl profiles may cause tmm restart.

643547-1 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP

Solution Article: K43036745

Component: Access Policy Manager

Symptoms:
Requests to /my.policy are not getting HTTP responses.

Log file '/var/log/apm' contains large number of error messages about failed XML data creation:

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM system is configured with a large number of access policy agents.
-- You are performing an operation that requires the apmd process to start.
-- For example, your BIG-IP APM system is reloaded, you install a new image, or you manually restart the apmd process.

Impact:
APMD will not able to process any requests.

Workaround:
For some configurations and platforms, you can use the following steps to recover:

- Remove all unused access policies (if applicable).
- Restart apmd.

Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.

643404-2 : 'tmsh system software status' does not display properly in a specific cc-mode situation★

Solution Article: K30014507

Component: TMOS

Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.

Conditions:
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).

Impact:
It is difficult to ascertain why the software change cannot be made.

Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.

To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix:
The 'tmsh show system software status' now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso).

Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.

643396-2 : Using FLOW_INIT iRule may lead to TMM memory leak or crash

Solution Article: K34553627

Component: Local Traffic Manager

Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.

Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.

Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a memory leak in the FLOW_INIT iRule event.

643375-1 : TMM may crash when processing compressed data

Solution Article: K10329515

643294 : IGMP and PIM not in self-allow default list when upgrading from 10.2.x★

Component: TMOS

Symptoms:
IGMP or PIM not in self-allow by default after upgrade.

Conditions:
Upgrade from 10.2.x.

Impact:
Advance routing with multicast or PIM does not work, when configured after upgrade with default self-allow.

Workaround:
Manually add PIM or IGMP to self-allow default.

643210-2 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Solution Article: K45444280

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.

Fix:
The BIG-IP no longer deletes keys from the Safenet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

643187-2 : BIND vulnerability CVE-2017-3135

Solution Article: K80533167

643143-2 : ARP and NDP packets should be QoS/DSCP marked on egress

Component: Local Traffic Manager

Symptoms:
There is currently no way to prioritize ARP/NDP traffic on BIG-IP or configure QoS on TMM-originated ARP/NDP packets.

Conditions:
ARP and/or NDP is in use.

Impact:
When the BIG-IP system's CPU is saturated, there is a possibility that ARP and NDP packets might be dropped.

Workaround:
N/A

Fix:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

Behavior Change:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

643121-1 : Failed installation volumes cannot be deleted in the GUI.

Component: TMOS

Symptoms:
Failed installation volumes aren't displayed under Disk Management and, therefore, cannot be deleted.

Conditions:
Have a failed installation volume.

Impact:
Cannot use the GUI to delete

Workaround:
Use tmsh to delete failed installation volumes using a command similar to the following:
tmsh delete /sys software volume <HDx.y>.

For example, to delete software volume HD1.0, use the following command:
tmsh delete /sys software volume HD1.0.

Fix:
Failed installation volumes can now be deleted in the GUI.

643054-2 : ARP and NDP packets should be CoS marked by the swtich on ingress

Component: Local Traffic Manager

Symptoms:
When ARP and NDP requests are dropped, ARP caches can time out, and peer nodes may fail to resolve the BIG-IP system's self-IP addresses or virtual servers.

Conditions:
TMM0 is saturated and dropping packets.

Impact:
ARP requests can be dropped, and peer devices, such as routers and monitored devices, can fail to resolve the BIG-IP system's address.

Workaround:
None.

Fix:
You can now use db variables to control internal traffic priority for ingress ARP/NDP packets in the switch.

-- arp.priority : high/normal (default)
-- ipv6.nbr.priority : high/normal (default)

The 'normal' value is the default.

-- Setting arp.priority to high raises ARP packet priority.
-- Setting ipv6.nbr.priority to high raises NDP packet priority.

Behavior Change:
You can now use db variables to raise the internal traffic priority for ingress ARP/NDP packets in switch.

arp.priority : high/normal(default)
ipv6.nbr.priority : high/normal(default)

Setting arp.priority to high raises ARP packet priority.
Setting ipv6.nbr.priority to high raises NDP packet priority.

643034-1 : Turn off TCP Proxy ICMP forwarding by default

Component: Local Traffic Manager

Symptoms:
Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.

Conditions:
Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT are active.

Impact:
Peers use suboptimal Path Maximum Transmission Units (PMTUs).

Workaround:
For TCP and UDP proxies, ensure proxy-mss is disabled in the profile.

OR

Disable MTU caching on pool members.

Fix:
There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.

Behavior Change:
The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier.

For TCP proxies to forward ICMP PMTU messages now requires BOTH proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).

643013 : DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3

Component: TMOS

Symptoms:
DAGv2 is a new DAG type and is designed to run on new platforms, including i5600, i5800, i7600, i7800, i10600, i10800 platforms. DAGv2 was not ready when these platforms were first released. DAGv2 is enabled on these platforms in v12.1.3.

Conditions:
i5600, i5800, i7600, i7800, i10600, i10800 platforms.

Impact:
No functional impact. This is simply an announcement of a change in the DAG version.

Workaround:
None.

Fix:
DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3.

642983-1 : Update to max message size limit doesn't work sometimes

Solution Article: K94534313

Component: Device Management

Symptoms:
There is a cap on all REST request/response message size. By default it is set to 32 MB, and you can modify it to higher limit using /mgmt/shared/server/messaging/settings/8100 REST endpoint. But the REST framework may not apply this change.

When this occurs, you will see 501 Bad Gateway error from Apache and error message link "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in restjavad log (/var/log/restjavad.0.log).

Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.

Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.

Workaround:
None.

Fix:
Messaging settings are applied on requests/responses, rather than on RestServer as forwarded outgoing requests/responses will not have server instance attached to request.

642982-3 : tmrouted may continually restart after upgrade, adding or renaming an interface★

Solution Article: K23241518

Component: TMOS

Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.

Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.

Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.

Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.

Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.

642952 : platform_check doesn't run PCI check on i11800

Component: TMOS

Symptoms:
When "platform_check misc" is run, it will return

Miscellaneous Tests
PCI: NOT RUN
Test not available on this platform

Conditions:
This always happens.

Impact:
No platform check for PCI is executed.

Workaround:
There is no workaround.

Fix:
It is fixed, platform check for PCI is executed.

642874-1 : Ready to be Enforced filter for Policy Signatures returns too many signatures

Solution Article: K15329152

Component: Application Security Manager

Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.

Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.

Impact:
Incorrect results are shown as a result of the filter.

Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.

Fix:
The "Ready to be Enforced" filter works correctly.

642723-3 : Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect

Component: TMOS

Symptoms:
In version 11.4.0, when pendsect was introduced, the Western Digital WD1600YS-01SHB1 hard drive was not supported. This drive was used in very early shipments of the 1600/3600 products.

If you are running 11.4.0 and have a WD1600YS-01SHB1, you might see the following errors in /var/log/ltm:

-- notice pendsect[1662]: skipping drive -- Model: WDC WD1600YS-01SHB1
-- notice pendsect[1662]: No known drives detected for pending sector check. Exiting

Conditions:
-- Running 11.4.0.
-- Using WD1600YS-01SHB1 hard drives.

Impact:
The only impact is a pendsect notice in /var/log/ltm. The hard drive operates as expected.

Workaround:
There is no mitigation or workaround for this issue.

Fix:
The WD1600YS-01SHB1 hard drive was added to the supported list of hard drives in versions 11.5.x, 11.6.x, and 12.1.3.

642703-2 : Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★

Component: TMOS

Symptoms:
Installation from external media (PXE or USB) fails with error:

error: status 768 returned by command: /sbin/lvcreate -L -4719088K -n dat.share vg-db-cpmirror
info: >++++ result:
info: Negative size is invalid
info: Run `lvcreate --help' for more information.
info: >----
error: MultiVolume_add cpmirror.dat.share failed.

Conditions:
-- i5000, i7000, i10000, i11000, and i12000 platforms.
-- Installation from external media (PXE or USB).
-- Running software v12.1.2 or v13.0.0.

Impact:
System is non-functional. It will not work at all, until an 'installation from external media' is performed. There is no software on the system because the operation failed during the early stages of a formatting installation.

Workaround:
Use an earlier version for the formatting installation, such as 12.1.1, and then upgrade to the target version.

Fix:
The error no longer occurs; the formatting installation succeeds.

642659-2 : Multiple LibTIFF Vulnerabilities

Solution Article: K34527393

642400-2 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS. Use or disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.

642330-2 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: Global Traffic Manager (DNS)

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

642314-2 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★

Solution Article: K24276198

Component: TMOS

Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.

Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.

Impact:
gtm config load failure after upgrade.

Workaround:
Remove trailing dots or set "Domain Validation" to "none".

Fix:
Upgrading from 11.x to 12.x or 13.x with GTM Pool with canonical-name removes trailing FQDN dot.

642298-3 : Unable to create a bidirectional custom persistence record in MRF SIP

Component: Service Provider

Symptoms:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Conditions:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Impact:
Custom SIP persistence entries cannot be bidirectional.

Fix:
This change adds a new SIP::persist key to set or reset the persistence entry as bidirectional.

642284 : Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.

Component: Carrier-Grade NAT

Symptoms:
Memory corruption caused by closing a PCP connection while requests are being processed.

Conditions:
This can occur when a PCP client sends multiple requests and closes before receiving the replies. When the client OS receives a reply it will send an ICMP destination unreachable message which causes the BIG-IP to close the PCP connection. If the PCP connection is closed while a request is being processed, memory corruption may occur when the request completes.

Impact:
When memory corruption occurs, TMM may crash or assert. Traffic disrupted while tmm restarts.

Fix:
Closing the PCP connection will not cause memory corruption.

642221-2 : Incorrect entity is used when exporting TCP analytics from GUI

Component: Application Visibility and Reporting

Symptoms:
When exporting statistics from the TCP Analytics page, the resulted data is for the default "view by" entity rather than the one that's actually selected

Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.

Impact:
Incorrect data is being exported.

Workaround:
Use tmsh.

Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.

642068-1 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.

642058-1 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances

Component: TMOS

Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.

The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic

The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic

The interface will report in tmsh as down:
tmsh show net interface 5.0

--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
In Out In Out
--------------------------------------------------------
5.0 down 0 0 0 0 0 0 none

Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.

Impact:
The CBL-0138-01 will not work.

Workaround:
None.

Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.

642039-2 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way that to use those iRule commands without causing a tmm core.

Fix:
TMM no longer coreswhen persist is enabled for wideip with certain iRule commands triggered.

642015-2 : SSD Manufacturer "unavailable"

Component: TMOS

Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable"..

Conditions:
BIG-IP system with SSD installed.

Impact:
No functional impact, cosmetic only.

Workaround:
No workaround but the issue is only cosmetic and does not indicate an issue with the system.

Fix:
SSD Manufacturer now displays "Samsung" as expected.

641612-2 : APM crash

Solution Article: K87141725

641574 : AVR doesn't report on virtual and client IP in DNS statistics

Solution Article: K06503033

Component: Application Visibility and Reporting

Symptoms:
On the analytics DNS page, the virtual and client IP stats will be shown as "Aggregated".

Conditions:
This can be seen in DNS analytics, when view-by virtual or client-ip is selected.

Impact:
DNS statistics show incomplete results.

Workaround:
None.

Fix:
AVR now provides the complete report results on virtual and client IP in DNS statistics.

641512-4 : DNSSEC key generations fail with lots of invalid SSL traffic

Solution Article: K51064420

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can rollover periodically. This will fail, leading to no keys to sign DNSSEC queries (no RRSIG records) when the BIG-IP is handling a lot of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include but not limited to lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.

641491-2 : TMM core while running iRule LB::status pool poolname member ip port

Solution Article: K37551222

Component: Local Traffic Manager

Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.

Example iRule syntax:

gtm rule pool_member_selection {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.0.0.10 80
    }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use format 'ip:port' or vsname instead of 'ip port. Following are two examples:
1.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}

2.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}

Fix:
An iRule response to a DNS request no longer triggers TMM to produce a core file and restart.

641482-2 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received

Component: Policy Enforcement Manager

Symptoms:
BIG-IP subscriber session will remain in delete pending (stale) state if the Result-code received Acknowledgement from Gx or Gy and is marked as Failure for CCR-T request.

Conditions:
The stale session happens, during subscriber termination and if any CCR-T request for Gx or Gy receives an acknowledgement with non-SUCCESS in Result-code AVP

Impact:
The subscriber session in BIG-IP will stay in delete pending state (stale)

Workaround:
A tmm restart will cleanup all the stale sessions

Fix:
Fix will cleanup the session if a CCR-T acknowledgement is received irrespective of the Result-code AVP

641445-1 : iControl improvements

Solution Article: K22317030

641390-5 : Backslash removal in LTM monitors after upgrade

Solution Article: K00216423

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.

Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.

For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor fails to load.

Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.

Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.

641360-2 : SOCKS proxy protocol error

Solution Article: K30201296

641256-1 : APM access reports display error

Solution Article: K43523962

641248 : IPsec-related tmm segfault

Component: TMOS

Symptoms:
The tmm cores and all connections are reset.

Conditions:
Race condition during IPsec tunnel tear down.

Impact:
The tmm restarts and all connections reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The IPsec-related tmm segfault has been corrected.

641013-5 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.

Conditions:
Use forwarding virtual to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.

640903-1 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.

Conditions:
The preference settings "Records per screen" must be a high value. 50 or more will start causing the page to load very slowly.

Impact:
Extremely long page load time.

Workaround:
Prior to the fix, the workaround is to set the preference settings "Records per screen" to a low value. The default value of 10 is fine.

Fix:
The page can now load hundreds of records on a single screen under 3 seconds.

640824-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★

Solution Article: K20770267

Component: Application Security Manager

Symptoms:
Upon first start after upgrade, the following error messages appear in asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.

Impact:
Upgrade fails.

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never

2) Do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

Fix:
Roll-forward upgrade including traffic data now works correctly.

640768 : Kernel vulnerability: CVE-2016-10088

Solution Article: K05513373

640636-3 : F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade

Component: TMOS

Symptoms:
Inserting a 40G optic into a 100G port, or inserting a 100G optic into a 40G shows the optic as "Unsuported Optic". That is not correct, it may be a supported optic, just inserted in the wrong port.

Conditions:
B4450 Blades with 100G or 40G optics inserted in a port that does not support that speed optic.

Impact:
The user may be confused on why the optic is not working, the error message is misleading when the optic is inserted in the wrong port.

Workaround:
If the optic shows up in "tmsh list net interface" as "Unsuported Optic" remove the optic and verify that the optic speed matches the port.

Fix:
The "tmsh list net interface" will now show:

module-description "F5 Qualified Optic in invalid port"

And the LCD warning message will show:
Optic OPT-XXXX not valid in Interface <InterfaceNumber>.

640565-1 : Incorrect packet size sent to clone pool member

Solution Article: K11564859

Component: Local Traffic Manager

Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.

Conditions:
Clone pool is configured on a virtual server.

Impact:
Clone pool members may get traffic exceeding the link MTU.

Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable.

640521-1 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices

Component: Access Policy Manager

Symptoms:
Connect to a public network which has Captive Portal and the Captive Portal uses jQuery library for mobile devices. EdgeClient does not render login page for such Captive Portal.

Conditions:
Use public network with Captive Portal that uses jQuery library for mobile devices.

Impact:
EdgeClient can not establish VPN connection.

Workaround:
Use a browser to authenticate to Captive Portal. For locked client, there is no suitable workaround.

Fix:
Now Edge Client can successfully interact with a greater number of wifi captive portals.

640510-3 : BWC policy category attachment may fail during a PEM policy update for a subscriber.

Component: Policy Enforcement Manager

Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.

Conditions:
PEM policies against a subscriber should be modified such that the BWC policy stays the same while the BWC category changes.

Impact:
Use cases dependent on BWC can be impacted.

Fix:
Code changes were added such that BWC policy and category changes through PEM are handled correctly.

640457-2 : Session Creation failure after HA

Component: Policy Enforcement Manager

Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.

Conditions:
Intra-chassis HA is configured. One of the blades goes down & comes back up very rapidly & some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.

Impact:
A set of subscribers lost during HA will never be added back.

Workaround:
No workaround.

640407-1 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule command to get or set state during CLIENT_CLOSED iRule event.

640384-3 : New iRule options for MR::message route command

Component: Service Provider

Symptoms:
When routing a message via the MR::message route command, the connection-mode and max-connections attributes are not settable.

Conditions:
This is encountered when using the MR::message or MR::peer iRule commands and you wish to set the connection mode or max connections.

Impact:
For applications where other connection-modes are required (for example PER_CLIENT), it is not possible to implement via iRule.

Workaround:
NA

Fix:
New keywords added to MR::message route command to allow specification of the connection-mode and max-connections attributes of the temporary route added to the message.

640376-3 : STPD leaks memory on 2000/4000/i2000/i4000 series

Component: Local Traffic Manager

Symptoms:
STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs will grow in physical memory usage indefinitely so long as its role in the tree results in sending BPDU packets. The memory usage will be faster for each interface that is sending BPDUs.

Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. Memory can be seen to increase when tracking with Linux top commands.

ex. top -b -n 1 | grep stpd

The 5th and 6th columns 'VIRT' and 'RES' slowly increase over time, indicating the memory leak.

Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.

Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured in such a way that the defect affected platforms don't generate BPDUs. This can be done by choosing a root such that the defect affected platforms will have its interfaces to be in blocking mode, or if possible, to be in passthrough mode.

Fix:
BPDU process source code fixed to release memory allocated for each BPDU packet created and sent.

640369-2 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.

Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan

TMM may respond directly using the auto-lasthop feature and not via the route lookup.

Impact:
Traffic may not follow the expected path.

Fix:
TMM now correctly uses the configured option for auto-lashop and ICMPv6 traffic

640352-2 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet

Solution Article: K01000259

Component: Local Traffic Manager

Symptoms:
Connflow entry memory are leaked when BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between
the DHCP client and the BIG-IP system sets giaddr field to itself after connflows created are aged out in a particular order.

Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) DHCP relay agent sits between the DHCP client and the BIG-IP system sets giaddr field in DHCP renewal packet to itself (this has been observed in Cisco devices), so that DHCP renewal packet will be sent to a relay agent by DHCP servers.
3) Connflow created to giaddr(relay agent) ages out before
connflows created to DHCP clients.

Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.

Workaround:
None.

Fix:
Ref count handing for giaddr connflows are now decremented when the client side connflow is removed, preventing the memory leak.

639970-3 : GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error

Component: Local Traffic Manager

Symptoms:
Client SSL profile certificate extensions names switch to numbers if there is any validation error in save.

Conditions:
Try to Create/Modify client ssl profile such that it results in a validation error and click 'Finished/Update'.

Impact:
No functional impact: certificate extensions names switch to their number representation, but if you correct the actual validation error and submit the change, the saved object will have the expected set of certificate extensions.

Workaround:
Use TMSH to create/update client SSL profile.

Fix:
GUI client SSL profile certificate extensions names are displayed even if there is a validation error.

639929-2 : Session variable replace with value containing these characters ' " & < > = may case tmm crash

Component: Access Policy Manager

Symptoms:
TMM crash with session variable replace with value containing these characters ' " & < > =

Conditions:
Session variable replace with value containing these characters ' " & < > =

Impact:
Traffic disrupted while tmm restarts.

Workaround:
avoid session variable values containing ' " & < > = if possible. Otherwise, there is no workaround.

Fix:
Session variable overwrite operation with value containing special characters now works correctly

639767-2 : Policy with Session Awareness Statuses may fail to export

Component: Application Security Manager

Symptoms:
ASM policy with many Session Awareness Statuses may fail to export.

Conditions:
There are many Session Awareness Statuses configured for the policy.

Impact:
ASM policy export will fail.

Workaround:
Remove all Session Awareness Statuses before export.

Fix:
ASM policy export only includes Session Awareness Statuses set to "Block All", and completes reliably.

639750-1 : username aliases are not supported

Component: Fraud Protection Services

Symptoms:
in is a common practice to use aliases for username. for example, an app might allow users to login with either their ID, cell number, or nickname.
WebSafe doesn't support username aliases.

Conditions:
This is encountered when your application uses username aliases.

Impact:
You are unable to use username aliases in your applications.

Workaround:
None.

Fix:
providing new ANTIFRAUD irule command for setting username (replace username alias with the "real" username)

639744-1 : Memory leak in STREAM::expression iRule

Solution Article: K84228882

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.

Fix:
This release fixes a memory leak in STREAM::expression iRule.

639729-2 : Request validation failure in AFM UI Policy Editor

Solution Article: K39428424

639505-3 : BGP may not send all configured aggregate routes

Component: TMOS

Symptoms:
As a result of a known issue, BGP may not send all configured Aggregate routes if one is a supernet of another.

Conditions:
- BGP established sessions.
- BGP configuration contains several aggregate routes, one or more being a supernet of others.

Impact:
The smaller prefix aggregate (least specific), may not be sent to the BGP peer.

Fix:
BGP now sends all configured aggregates

Behavior Change:
BGP now sends all configured aggregates, even if one is supernetwork of another.

639486-4 : TMM crash due to PEM usage reporting after a CMP state change.

Component: Policy Enforcement Manager

Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.

Conditions:
A CMP state change due to a card reboot, disable, enable, insert or remove should have occurred while or right before a PEM usage reporting action.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Instead of asserting, handled the error condition gracefully.

639395-2 : AVR does not display 'Max read latency' units.

Solution Article: K91614278

Component: Application Visibility and Reporting

Symptoms:
AVR does not display units for 'Max Read Latency'.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.

Fix:
Added units (microsecond) to AVR report.

639283-4 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Conditions:
* Virtual Server has untrusted certificate
* Using Custom Dialer or Windows logon integration features on client machine for establishing secure VPN

Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.

Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.

Workaround:
- Install trusted certificate to Virtual Server or whitelist untrusted certificate on the client machine.
or
- Use Edge Client to establish secure VPN connection.

Fix:
The Custom Dialer/Windows Logon Integration feature now shows a certificate warning when the certificate is untrusted by the client. This allows the logon to proceed if the user accepts the certificate.

639236-1 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Solution Article: K66947004

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain Contact header expires value set to 0 that is not the last attribute

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
REGISTER is rejected with a '400 Bad request' error message

Workaround:
None.

Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.

639193-1 : BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.

Solution Article: K03453591

Component: Advanced Firewall Manager

Symptoms:
In high availability (HA) environment where BIG-IP devices are configured for Manual Sync, deleting parent policy causes sync to fail.

Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.

Impact:
Manual sync operation fails.

Workaround:
Use one of the following Workarounds:
A. Enable automatic sync for HA configurations.
B. Run the following commands:
   tmsh save sys config partitions all
   tmsh load sys config partitions all
   Sync

Fix:
In HA environments containing BIG-IP devices configured for Manual Sync, deleting parent policy no longer causes sync to fail.

639039-4 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons

Solution Article: K33754014

Component: Local Traffic Manager

Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.

Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.

Impact:
Dynamic routing information is lost and must be relearned.

Workaround:
When using dynamic routing, only change the host name during a maintenance window.

638997-2 : Reboot required after disk size modification in a running BIG-IP VE instance.

Component: TMOS

Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.

- A reboot is required after any such modification in the disk size for the changes to take effect. In previous versions, the reboot happened automatically but an affected BIG-IP VE will not have the reboot happening automatically.

- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.

Conditions:
Modifying disk size in a running BIG-IP VE instance.

Impact:
Changes in the disk size do not take effect till BIG-IP system is rebooted.

Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.

Fix:
Reboot required after disk size modification in a BIG-IP VE instance.

638935-3 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: TMOS

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

If you have an escaped quote in your configuration, and are moving to a configuration with this the dependency of this fix, you cannot reload the configuration or the license which also reloads the configuration. Doing so, will cause the config load to fail.

638881-1 : Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances

Component: TMOS

Symptoms:
When the fan tray is removed, the fan status in tmctl tables and 'tmsh show sys hardware' are not updated correctly to reflect the current status of the fan tray i.e. not-present.

Conditions:
When the fan tray is physically removed.

Impact:
It is important to be aware of the fan status since malfunctioning of the fan tray can result in thermal shutdown when temperature thresholds are reached. Having incorrect/incomplete status would result in delayed corrective actions if a problem should arise.

Workaround:
No workaround at this time.

638825-2 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD

Component: TMOS

Symptoms:
Value returned for sysInterfaceMediaActiveSpeed OID has value of 80 for interface with type 100000SR4-FD instead of value of 100000.

Conditions:
This always occurs for this type of interface.

Impact:
User sees wrong value for this interface in SNMP get. Value is correct in tmsh 'show net interface'.

Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.

638799-1 : Per-request policy branch expression evaluation fails

Component: Access Policy Manager

Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:

info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)

Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.

The evaluation does not trigger for some requests when, in the same connection, the virtual server gets a request for an internal Access whitelisted URL, and then request for backend resource URIs.

Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:

   #define ACCESS_ALLOWED_IRULE_EVENTS ( \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))

Workaround:
None.

Fix:
Per-request policy branch expression evaluation now complete successfully for non-Access (non-APM) iRule events that are attached to the virtual server.

638780-3 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting from v4.4, Horizon View HTML5 client is using new URI for launching remote sessions, and supports 302 redirect from old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.

Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

Fix:
Handle 302 redirects for VMware View HTML5 client are now handled properly.

638715-3 : Multiple Diameter monitors to same server ip/port may race on PID file

Solution Article: K77010072

Component: Local Traffic Manager

Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.

Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.

Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.

Workaround:
A possible work-around is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so a simultaneous probe-collision will fail one monitor once, which upon retry will succeed (as three monitor failures are required for a virtual server to be marked down).

Fix:
The fix includes the monitor-template name in the generation of the PID file, which ensures multiple Diameter monitor instances probing the same server (IP/port) do not interfere with each other.

638629-2 : Bot can be classified as human

Component: Application Security Manager

Symptoms:
A bot is classified as human in a rare case.

Conditions:
Web scraping is turned on. The CSHUI is tried on the user.

Impact:
Bot traffic gets classified as human by ASM.

Workaround:
N/a

Fix:
Fixed the CSHUI algorithm to have better bot detection.

638594-3 : TMM crash when handling unknown Gx messages.

Component: Policy Enforcement Manager

Symptoms:
TMM crash resulting in potential loss of service.

Conditions:
PCRF sends unsupported Gx messages to PEM.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Add support for identifying unknown messages types and handle them gracefully.

638556-2 : PHP Vulnerability: CVE-2016-10045

Solution Article: K73926196

638170-1 : Pagination broken or missing while viewing pool statistics for GTM wideip

Solution Article: K36455356

Component: Global Traffic Manager (DNS)

Symptoms:
Error occurs while viewing pool statistics for GTM wideip if the number of pools are more than what can be displayed in a single screen.

Conditions:
When the number of pools are more than what can be displayed as specified in the System :: Preferences :: Record Per Screen setting.

Impact:
Unable to view the statistics of GTM wideip pools beyond those displayed on the screen.

Workaround:
Increase the number of Records Per Screen (System :: Preferences :: Records Per Screen) to a number larger than the number of pools in the GTM wideip.

Fix:
Can now view the statistics of GTM wideip pools beyond those displayed on the initial screen.

638137 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828

Solution Article: K51201255

637666-2 : PHP Vulnerability: CVE-2016-10033

Solution Article: K74977440

637561-1 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice

Component: TMOS

Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.

Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only.

Impact:
Wildcard wideips are not returning wildcard requests correctly.

Workaround:
reload mcpdb using commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd

Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.

637559-1 : Modifying iRule online could cause TMM to be killed by SIGABRT

Component: TMOS

Symptoms:
If iRule is used by several virtual servers, and you edit the iRule online, it could cause TMM to be eventually killed by SOD (watchdog).

Conditions:
This can occur under the following conditions:
1. The iRule is used by large number of virtual servers.
2. You edit the iRule and save changes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If iRule is used by several virtual servers, and you edit the iRule online, it no longer causes TMM to be eventually killed by SOD (watchdog).

637308-8 : apmd may crash when HTTP Auth agent is used in an Access Policy

Solution Article: K41542530

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.

Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.

637252-1 : Rest worker becomes unreliable after processing a call that generated an error

Solution Article: K73107660

Component: Application Security Manager

Symptoms:
Unreliable behavior from ASM REST API.
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.

Conditions:
A REST worker can enter this state if it processes specific calls that ended in error, such as creating a new active Policy.

Note: Policies are meant to be created inactive and then activated through the apply-policy task.

Impact:
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.

Workaround:
1) Do not create 'active' policies. Create them with 'active': false, and then use the apply-policy task to set them active.

2) To recover a device that has reached this state, restart restjavad using the following command:
bigstart restart restjavad

Fix:
REST workers maintain correct state and behavior after calls with errors.

637227-4 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.

Solution Article: K60414305

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.

A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.

Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.

Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.

Workaround:
None.

Fix:
DNS validation now occurs as expected, resulting in valid answers to AAAA queries.

637181-4 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.

636918-2 : Fix for crash when multiple tunnels use the same traffic selector

Component: TMOS

Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.

Conditions:
Same traffic selector used with more than one tunnel.

Impact:
Possible tmm restart if problem happens. Traffic disrupted while tmm restarts.

Workaround:
Use different traffic selectors for different tunnels.

Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.

636853-2 : Under some conditions, a change in the order of GTM topology records does not take effect.

Component: Global Traffic Manager (DNS)

Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.

Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.

Impact:
In certain configurations, the topology load balancing decision may not be made correctly.

Workaround:
Reload the GTM configuration or add/delete a topology record.

Fix:
Changes in the order of topology records now take effect immediately.

636774-1 : Potential TMM crash credits to BWC token distribution logic

Component: TMOS

Symptoms:
tmm crashes at 'bwc_stb_static_recharge (stb_static=0x560086f501f0) at ../net/bwc_stb.c:364'.

Conditions:
Bandwidth Control (BWC) policies enabled with PEM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Fixed a potential TMM crash credits to BWC token distribution logic.

636744-1 : IKEv1 phase 2 SAs not deleted

Solution Article: K16918340

Component: TMOS

Symptoms:
The BIG-IP system will not start phase 1 or phase 2 ISAKMP negotiation after an Active -> Standby -> Active failover within a short period of time.

Conditions:
The HA Active BIG-IP system goes Standby and then becomes Active again within the phase 2 lifetime.

Impact:
IPsec tunnel(s) is/are not initiated by the BIG-IP system. Network connectivity is broken between the private networks.

Workaround:
Option 1: Switch to IKEv2 and 12.x, which skips the problem altogether. This combination will mirror the SAs and so deleting existing SAs upon failover is not required.

Option 2: Edit /config/failover/active and add the following two lines at the end:

logger -p local0.notice "Employ ID636744 workaround. Purge IPsec phase2 SAs."
tmsh delete net ipsec ipsec-sa

636702-3 : BIND vulnerability CVE-2016-9444

Solution Article: K40181790

636699-5 : BIND vulnerability CVE-2016-9131

Solution Article: K86272821

636541-3 : DNS Rapid Response filters large datagrams

Component: Global Traffic Manager (DNS)

Symptoms:
Assigning a profile with DNS rapid response enabled to a virtual server on a P8 chassis might result in problems with blades and the cluster.

Depending on the timing of operations (config is loaded and tmm restarts), blades might never join the cluster properly and you will see errors similar to the following looping in /var/log/tmm:
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445394
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445416

Conditions:
-- Assigning a profile with DNS rapid response enabled to a virtual server.
-- P8 chassis.
-- Large datagrams being passed.

Impact:
DNS Rapid Response filters large datagrams. Blades might never join the cluster.

Workaround:
There is no workaround at this time.

Fix:
The system now passes through any datagrams too big for DNS rapid response.

636535 : HSB lockup in vCMP guest doesn't generate core file

Solution Article: K24844444

Component: TMOS

Symptoms:
If an HSB lockup occurs in a vCMP guest, the system does not generate a core file.

Conditions:
HSB lockup, which occur rarely.

Impact:
Limited ability to diagnose failures due to HSB lockups.

Workaround:
None.

Fix:
Whenever an HSB lockup occurs in a vCMP guest, the system generates a core file.

636520-3 : Detail missing from power supply 'Bad' status log messages

Solution Article: K88813435

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
This occurs when the system posts an internal hardware sensor alert.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.

636397-1 : bd cores when persistent storage configuration and under some memory conditions.

Component: Application Security Manager

Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:

BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.

Conditions:
There is persistent storage configuration. There is high memory usage.

Impact:
bd crash. Traffic resets and/or failover

Workaround:
None.

Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.

636370 : Application Layer Encryption AJAX support

Component: Fraud Protection Services

Symptoms:
WebSafe doesn't support parameters encryption in Single Page Applications (using AJAX)

Conditions:
Application uses AJAX for sending parameters to web server

Impact:
Encryption won't work for Single Page Applications

Workaround:
N/A

Fix:
Adding AJAX encryption support (full payload encryption)

for 12.1.2-hf, enabling this feature requires:

tmsh modify sys db antifraud.internalconfig.string1 value <AJAX-HEADER-NAME>

AJAX-HEADER-NAME existence will enable AJAX support for current request and its value may contain the username used in current request (if configured and exists)

Note that activating AJAX support in releases > 12.1.2-hf is done differently (configured in profile, not in db)

636290 : vCMP support for B4450 blade

Component: TMOS

Symptoms:
vCMP is not supported in the B4450 blade

Conditions:
This occurs on the B4450 blade on specific BIG-IP software versions, for more information on supported vCMP versions see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Impact:
You are unable to configure vCMP on the B4450 blade.

Fix:
vCMP is supported on the B4450 blade in this version.

636289-2 : Fixed a memory issue while handling TCP::congestion iRule

Component: Local Traffic Manager

Symptoms:
Increased memory usage in tmm.

Conditions:
TCP::congestion highspeed iRule is executed for the TCP connection. The issue is only observed for highspeed congestion control.

Impact:
The memory allocated for congestion control is not freed.

Workaround:
If it is desired to use highspeed congestion control under some conditions, it is possible to start with highspeed by choosing highspeed congestion control in the TCP profile and switch to other desired congestion control when condition does not hold. With this workaround, once congestion control is changed to something other than highspeed, it is not possible to switch back to highspeed again.

Fix:
Improved memory utilization while using TCP::congestion iRule.

636254-2 : Cannot reinitiate a sync on a target device when sync is completed

Component: Access Policy Manager

Symptoms:
After a policy sync is successful, re-initating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"

Conditions:
This occurs rarely when performing a sync after a successful sync.

Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.

Fix:
Now APM Policy Sync no longer hangs in rare cases with the message: "PolicySyncMgr: Sync already in progress for policy xxx"

636149-3 : Multiple monitor response codes to single monitor probe failure

Component: Local Traffic Manager

Symptoms:
A monitor probe failure to a monitor (such as HTTP) will be logged to '/var/log/ltm' when the probed resource is unavailable. In some cases for a probe resulting in an 'Unable to connect' error, multiple log entries will be made, with the *last* log entry being the error that triggered the log entry. The other monitor entries made during this event are not specifically relevant, as they are "stale" and due to previous monitor probe behavior that was previously logged.

This is due to an error where the 'Could not connect' event appends a previous error message, rather than overwriting a possibly-present previous error message.

Conditions:
A monitor probe to a monitor is attempted (such as over HTTP), resulting in an "Unable to connect" failure; and where that specific monitor previously reported an error (which is now appended).

Impact:
No system behavior is affected, but multiple log entries are made. The *final* log entry of "Could not connect" or "Unable to connect" is relevant, while the possible multiple log entries immediately above are "stale" and not relevant (as they are due to a previous issue that was previously successfully logged).

Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, user should consider only the last-line for the '/var/log/ltm' log entry, and ignore possibly-present log entries associated with that specific monitor that might be appear immediately above the 'Could not connect' line.

Fix:
The code fix is to "clear" previous monitor-log errors when reporting a 'Could not connect' error, rather than appending a previous error that might be present.

636096-1 : Nitrox PX chips may temporarily fail

Component: Local Traffic Manager

Symptoms:
Under certain conditions Nitro PX chips may fail temporarily

Conditions:
-- Using the following hardware:
+ BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 11xxx appliances.
+ VIPRION B42xx/B43xx, B21xx blades.

Impact:
TMM failure leading to a failover event. Normal operation of the Nitrox PX chip will resume after TMM restarts.

Workaround:
To restart tmm, run the following command:
bigstart restart tmm

Fix:
Nitrox PX chips reset as expected.

636044-1 : Large number of glob patterns affects custom category lookup performance

Solution Article: K68018520

Component: Access Policy Manager

Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.

Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.

Impact:
Slow response times to HTTP requests.

Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.

Fix:
Glob pattern matching has been extended to be context sensitive. If the pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If the match can be satisfied with prefix matching, the pattern will be processed with a prefix comparison rather than as a glob. Also, multiple glob patterns are combined together to create a more optimal match pattern. If custom categories patterns use the context sensitive feature, custom category lookup will be optimized.

635961-1 : gzipped and truncated files may be saved in qkview

Component: TMOS

Symptoms:
When looking at the files in the qkview, some files might be both gzipped and truncated, when only one or the other is expected.

Conditions:
This occurs for certain files that are large enough to require truncation and gzipping.

Impact:
Minimal impact, as the extra file can be ignored. This is primarily an issue of wasting image space.

Workaround:
Ignore the extra copy of the file.

Fix:
Files are no longer both gzipped and truncated.

635933-3 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Solution Article: K23440942

635754-1 : Wildcard URL pattern match works inncorectly in Traffic Learning

Solution Article: K65531575

Component: Application Security Manager

Symptoms:
In the policy with URL learning mode set to ALWAYS, wildcard URL matching for *.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" will prevent you from adding other wildcard destinations using policy builder.

Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.

Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.

Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).

Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.

"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using "Up" button".

Fix:
Wildcard URL pattern match now works as expected in Traffic Learning

635703-1 : Interface description may cause some interface level commands to be removed

Solution Article: K14508857

Component: TMOS

Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.

Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.

Impact:
Interface level commands after the description will not appear in the imish running config and will not be loaded/functional.

Workaround:
To prevent this issue, do not use interface-level descriptions.

If the issue has already occurred, and the configuration is not loading, you can manually correct it using the following procedure:
1. Stop tmrouted using the following command: bigstart stop tmrouted
2. Edit the ZebOS.conf from the corresponding route-domain file manually and remove the interface-level 'description' and 'no shutdown' commands.
3. Restart tmrouted using the following command: bigstart restart tmrouted.

Note: Performing the workaround procedure will temporarily disrupt dynamic routing, so care and adequate planning must be taken into consideration.

Fix:
Routing protocol interface commands are no longer lost with the addition of interface descriptions.

635561-1 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to newer version

Impact:
Missing statistics.

Workaround:
No workaround

Fix:
Upgrade and verify all heavy URLs statistics are shown.

635541 : "Application CSS Locations" is not inherited if changing parent profile

Component: Fraud Protection Services

Symptoms:
"Application CSS Locations" is not inherited if changing parent profile, which can cause to the following error while saving: Application CSS Locations cannot be empty.

Conditions:
This occurs in the GUI when FPS provisioned when the system is configured with phishing detection license.

Impact:
Cannot use FPS GUI to configure Application CSS Locations.

Workaround:
Use tmsh or the REST API to configure Application CSS Locations.

Fix:
"Application CSS Locations" is inherited if parent profile is changed. No errors are shown while saving.

635412 : Invalid mss with fast flow forwarding and software syn cookies

Solution Article: K82851041

635314-5 : vim Vulnerability: CVE-2016-1248

Solution Article: K22183127

635274-1 : SSL::sessionid command may return invalid values

Solution Article: K21514205

Component: Local Traffic Manager

Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.

Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.

Impact:
The iRule might not work as expected.
High CPU usage.

Workaround:
Do not use the SSL:sessionid iRule.

Fix:
The SSL::sessionid iRule returns the session ID as expected.

635257-2 : Inconsistencies in Gx usage record creation.

Solution Article: K41151808

Component: Policy Enforcement Manager

Symptoms:
Duplicate usage records may be created or expected usage records may be missing.

Conditions:
A subscriber session is associated with the following policies:

1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.

2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.

Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.

Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.

To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.

Fix:
Checks to create usage records are now done using the same keys that are used to create them, so there are no duplicate usage records created or expected usage records missing.

635252-1 : CVE-2016-9256

Solution Article: K47284724

635233-3 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages

Solution Article: K80902149

Component: Policy Enforcement Manager

Symptoms:
CCR-u or CCR-t sent in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164, etc., even if the AVPs are marked mandatory.

Conditions:
This occurs when the BIG-IP system sends a CCR-u or CCR-t when the specified policy received from PCRF does not exist.

Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164.

Workaround:
None.

Fix:
Added the custom AVPs in the case of CCR-u and CCR-t, if those attributes are enabled for reporting in the protocol profile.

635129 : Chassis systems in HA configuration become Active/Active during upgrade★

Component: TMOS

Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.

The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.

Conditions:
This problem occurs on VIPRION chassis systems, either running natively, or as a VCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2), to any other version. The problem occurs on any upgrade, whether on the list of affected versions, or a later version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until all Chassis are finished upgrade. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.

635116-1 : Memory leak when using replicated remote high-speed logging.

Solution Article: K34100550

Component: TMOS

Symptoms:
As a result of a known issue when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool TMM may leak memory.

Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one poolmember, and one of them becomes unavailable.

Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.

Workaround:
Do not use replication in the HSL destination configuration.

Fix:
TMM no longer leaks memory when using a replicated HSL setup.

634779-1 : TMM may crash will processing SSL Forward Proxy traffic

Solution Article: K43945001

634576 : TMM core in per-request policy

Solution Article: K48181045

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

634371-2 : Cisco ethernet NIC driver

Component: TMOS

Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67

Conditions:
N/A

Impact:
Cisco recommends using the updated version 2.3.0.12

Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.

634265-2 : Using route pools whose members aren't directly connected may crash the TMM.

Solution Article: K34688632

Component: Local Traffic Manager

Symptoms:
The TMM crashes when trying to resolve routes using route pools whose members are not directly connected.

Conditions:
A configuration has route pools whose members aren't directly connected. Additionally, this is an issue only in configurations where the TMM doesn't proxy traffic but sources traffic. An example is an sFLOW configuration.

Impact:
Traffic disrupted while tmm restarts. The TMM crashes whenever a connection tries to resolve such a route.

Workaround:
Create route pools with directly connected members.

Fix:
Using route pools whose members aren't directly connected no longer crashes the TMM.

634252 : TMM crash with per-request policy in SWG explicit

Solution Article: K99114539

Component: Access Policy Manager

Symptoms:
TMM crash is seen intermittently when evaluating per-request access policies for SWG-explicit use cases.

Conditions:
Although the exact conditions required for this issue are unknown, evaluating per-request access policies for SWG-explicit use cases might be related.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash is no longer seen when evaluating per-request access policies for SWG-explicit use cases.

634215-1 : False detection of attack after restarting dosl7d

Component: Application Visibility and Reporting

Symptoms:
False detection of an attack.

Conditions:
Restarting dosl7d during traffic.

Impact:
False attack is reported.

Workaround:
No workaround

Fix:
Restart dosl7d during moderate traffic and verify no false attack is reported.

634115-1 : Not all topology records may sync.

Component: TMOS

Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.

Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.

Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.

Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.

This can be performed from tmshell or bash.

tmshell:
---------
(/Common)(tmos)# run cm config-sync force-full-load-push to-group gtm
Force a full load sync? (y/n)y

bash:
---------
tmsh run cm config-sync force-load-push to-group gtm

Note: This command executes and returns to bash with no feedback. To determine the outcome, you can check /var/log/gtm for 'success'.

Fix:
Some GTM topology records may have silently not been synchronized to other devices in the sync group. This is now resolved; all topology objects will be synchronized to all expected devices.

634078-2 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero

Component: Service Provider

Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.

Conditions:
This occurs when a message routing SIP profile is in use.

Impact:
Source port is set to 0.

Workaround:
None.

Fix:
Source port is now set to the source port of the client when SNAT is set to none. This is correct behavior.

634015-3 : Potential TMM crash due to a PEM policy content triggered buffer overflow

Solution Article: K49315364

Component: Policy Enforcement Manager

Symptoms:
Failure to add a PEM policy to a subscriber session in addition to a TMM crash.

Conditions:
PEM configured with a large number of policy rules that goes beyond the maximum supported PEM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Buffer allocation checks have been added in that result in an error log along in case of a buffer overflow.

634001-2 : ASM restarts after deleting a VS that has an ASM security policy assigned to it

Component: Application Security Manager

Symptoms:
ASM restarts with the following errors:

'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.

Impact:
ASM restart

Workaround:
None.

Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.

633879-1 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect

Solution Article: K52833014

Component: TMOS

Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.

Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.

Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.

Workaround:
You may be able to select md5, then save and then restart, this would set up the daemon from a config file instead of via incremental config parsing. So while it would not work right after being changed in the UI, the md5 option may work after a restart.

Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.

633723-3 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.

Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.

Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Workaround:
None.

Fix:
The system now automatically gathers nitrox data collection when request queue stuck errors occur.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.

633691-4 : HTTP transaction may not finish gracefully due to TCP connection is closed by RST

Component: Local Traffic Manager

Symptoms:
HTTP or other higher layer protocol transactions may not finish gracefully due to TCP connection is closed by RST.

Conditions:
1. There is ClientSSL or ServerSSL configured on the Virtual Server.
2. HTTP or other higher layer protocol has not finished the translations yet.
3. Client or Server sends out the TCP FIN packet.

Impact:
Application-level responses may not be received at all by the client.

Workaround:
No Workaround.

Fix:
TMM should try to use the TCP FIN to close the connection gracefully as much as possible instead of using RST which will abandon the data which has not been sent out to the wire.

633512-1 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.

Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.

633413-1 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI

Component: TMOS

Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.

Impact:
Get error with unrelated IPv4 address.

Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.

Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.

633391-1 : GUI Error trying to modify IP Data-Group

Component: TMOS

Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.

Conditions:
Try to modify the value field under Address Records Row whether string/int, and click Update

Impact:
There is an "Error parsing IP address" messave at the top of the page. You cannot modify internal data groups using GUI. You can delete and re-create the entry, but cannot modify it.

Workaround:
Use tmsh to modify the record field of the data groups.

Fix:
You can now modify the IPv6&IPv4 value within an existing data group.

Behavior Change:
users would be able to modify and update data groups

633333-3 : During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent

Component: Local Traffic Manager

Symptoms:
During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and an MPTCP connection is established.

Impact:
The serverside connection is reset before all data has been sent, causing the tail end of the data stream to not be proxied.

Workaround:
There is no workaround

Fix:
Fixed sequence of events on connection closure.

633181-1 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Component: TMOS

Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.

Workaround:
Use openssl from the bash command line to generate CSR's.
Solution article K14534 contains the appropriate procedure.

633070-1 : Sync Inconsistencies when using Autosync ASM Group between Chassis devices

Component: Application Security Manager

Symptoms:
When at least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it, Devices may go out of sync and may end up with incorrect ASM configuration

Conditions:
At least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it.

An ASM policy is created.

Impact:
Devices may go out of sync and may end up with incorrect ASM configuration

Workaround:
Enable ASM sync on the failover device group, or use manual sync for the ASM device group.

Fix:
Bladed devices (chassis) handle ASM autosync device groups correctly

632875-3 : Non-Administrator TMSH users no longer allowed to run dig

Solution Article: K37442533

632824-1 : SSL TPS limit can be reached if the system clock is adjusted

Solution Article: K00722715

Component: Local Traffic Manager

Symptoms:
If you adjust the system clock you will occasionally get error messages of the form "SSL transaction (TPS) rate limit reached". (For the intended feature of this message, see K7747: Error Message: SSL transaction (TPS) rate limit reached https://support.f5.com/csp/article/K7747.)

Conditions:
Occurs when you adjust the system clock.

Impact:
When the message occurs, the connection and often several subsequent connections are dropped.

Workaround:
None.

Fix:
The message no longer occurs when the system clock is changed and only occurs when system legitimately reaches the SSL TPS limit.

632798-2 : Double-free may occur if Access initialization fails

Component: Access Policy Manager

Symptoms:
Double-free may occur if Access initialization fails.

Conditions:
Access initialization failure occurs, possibly due to license issues.

Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.

632731-2 : specific external logging configuration can cause TMM service restart

Solution Article: K21964367

Component: Advanced Firewall Manager

Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.

Conditions:
The problem is seen when all the following conditions match:

1. External Logging server configured for ACL rule match.

2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).

3. The forwarded logging destination connection causes a crash in TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use one of the following workarounds:
--Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the forwarding Virtual.

Fix:
Connections originated from the BIG-IP to the remote logging server are not subjected to ACL checks, which prevents generation of logs for log server connection, which prevents the error conditions.

632685 : bigd memory leak for FQDN nodes on non-primary bigd instance

Component: Local Traffic Manager

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
None.

632668-5 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.

Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.

632658-4 : Enable SIP::persist command to operate during SIP_RESPONSE event

Component: Service Provider

Symptoms:
Without this change, it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Conditions:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Impact:
it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Workaround:
NA

Fix:
It is possible to change the timeout of a SIP persistence entry during SIP response message processing.

632646-4 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.

Component: Access Policy Manager

Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.

Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.

Impact:
OAM login with invalid ObSSOCookie results in error page. However, expected behavior is that user is redirected to login page if login with ObSSOCokkie fails.

Workaround:
No Workaround

Fix:
Issue is fixed - On authenticate with ObSSOCookie, read getStatus() API call to check the ObSSOCookie status and redirect to IDP if it is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix user will be redirected to IDP on logging with cookie that is deleted manually from the OAM server.

632552-2 : tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event

Solution Article: K08634156

Component: Local Traffic Manager

Symptoms:
tmm crashes.

Conditions:
When CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event which is fired before either event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the script in _CLOSED events to another events.

Fix:
tmm no longer crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event.

632504-1 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list

Solution Article: K31277424

Component: Access Policy Manager

Symptoms:
Non-LSO resources such as webtop, even they are assigned via a normal resource assign agent, are listed under dynamic resource as opposed to static one.

Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".

Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.

Workaround:
If it is a static resource, do not select it as dynamic resource.

Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.

632499-1 : APM Policy Sync: Resources under webtop section are not sync'ed automatically

Solution Article: K70551821

Component: Access Policy Manager

Symptoms:
Resources put under webtop section such as webtop link, portal access requires to be included as dynamic resource or else sync will fail.

Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-create portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.

Impact:
Sync will fail and some configured resources will not be available on the other devices.

Workaround:
Includes those resources as dynamic resources in Policy Sync advanced settings.

Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.

632472-1 : Frequently logged "Silent flag set - fail" messages

Component: Access Policy Manager

Symptoms:
APM logs excessive messages similar to the following:

2016-12-07,21:46:10:864, 1740,884,APPCTRL, 2, \UBindSecurityMgr.h, 119, UBindSecurityMgrImpl::GetWindow, Silent flag set - fail

Conditions:
This can occur when connecting to APM via the Edge Client.

Impact:
Excessive messages are logged. These messages can be ignored.

632423-4 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

if { not [DNS::question type] ends_with "XFR" } {
set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}

Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.

632386-1 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists

Component: Access Policy Manager

Symptoms:
When a iClient control connection, between Edge Client and BIG-IP, exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface is down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.

Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection and without explicitly closing the current connection. This could happen when the client interface is down or clients changes the network it is on.

Impact:
Edge Client cannot establish a iClient control connection and hence a tunnel to the BIG-IP.

Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the new connection request is attempted to be accepted.

632366-1 : Prevent a spurious Broadcom switch driver failure.

Component: TMOS

Symptoms:
When a high volume traffic is sent to a BIG-IP system, the Broadcom network switch driver might fail. The failure occurs because the switch driver is preempted (by tmm) from completing a long chip reprogramming routine and touching a watchdog. Sod, which monitors the watchdog, thinks the switch driver has become nonfunctional and kills it.

Conditions:
A very high volume traffic is sent to a BIG-IP system under certain circumstances.

Impact:
Potential eventual system outage if the Broadcom switch driver fails.

Workaround:
None.

Fix:
A spurious Broadcom switch driver failure is not possible anymore.

632344-2 : POP DIRECTIONAL FORMATTING causes false positive

Component: Application Security Manager

Symptoms:
ASM reports false positive violation for the XML request.

Conditions:
This occurs when using "%E2%80%AC" POP DIRECTIONAL FORMATTING as a input in the XML request.

Impact:
When one of the following 3 byte chars arrives to the XML parser, the payload considered as malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

Workaround:
None.

Fix:
This release now supports the following 3 byte chars within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

632326-2 : relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation

Solution Article: K52814351

Component: Application Security Manager

Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.

Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.

Impact:
False positive Malformed XML violations may still be reported.

Workaround:
N/A

Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1.
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1.
bigstart restart asm.

632324-2 : PVA stats does not show correct connection number

Component: Local Traffic Manager

Symptoms:
do command tmsh show sys pva-traffic global

The current connection number showed up may not be correct

Conditions:
This occurs when there is PVA Traffic

Impact:
Wrong stats number for current PVA connections

Fix:
Fixed incorrect statistics for PVA Traffic

632178-1 : LDAP Query agent creates only two session variables when required attributes list is empty

Component: Access Policy Manager

Symptoms:
When required attributes list is empty, LDAP Query agent produces only two session variables.
in previous releases, the default behavior was - to get all user's attributes and populate those as session variables

Conditions:
LDAP Query agent configured in an Access Policy.
Required attributes list is empty (not any attr is configured)

Impact:
LDAP Query agent failed if branch rule expects to get user's attributes.
any other agent in the policy that relies on user's LDAP attributes will also fail.

Workaround:
As a workaround you can configure required attributes to be retrieved by LDAP Query agent explicitly

Fix:
The default behavior is back; when the required attributes list is empty, the LDAP Query Agent will retrieve all user's attributes and populate them as session variables.

632069-3 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076

Component: TMOS

Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.

Conditions:
VE platform
Authenticated user with advanced shell access

Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.

Fix:
Update sudo package to improve security

632060-1 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Component: iApp Technology

Symptoms:
when upgrading to 12.1.1, 12.1.2 or 13.0 releases, executing a command similar to

curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks causes the following error:

"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",

Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0

Impact:
if your device has an iApps LX application, then that application sill not synchronize to the standby device. So if a failover occurs, then the iApps LX application will seem to disappear, and traffic will not pass through the application.

Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.

Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iAppLX.

1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage

Fix:
Upgrade to 13.1 or 13.0.x hot fix

632005-1 : BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML Service provider (SP), IdP connector creation can be automated using list of URIs containing IdP metadata.

Symptom for this issue:
When remotely published metadata changes - BIG-IP will not be able to modify previously created idp-connector object(s) to reflect the changes.

When issue happens, the error similar to following is logged in /var/log/saml_automation.log :

"apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."

Conditions:
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.

Impact:
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata.

This may have different impact based on how metadata is changed.
Impact can be from none to user authentication failure (e.g. when IdP signing certificate is changed).

Workaround:
When error is encountered:
- Manually remove affected idp-connector configuration object
- Restart samlidpd service : "bigstart restart samlidpd"

As a result, SAML connector automation will re-create new idp-connector objects will current up-to-date metadata files.

Fix:
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.

632001-1 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys

Component: Local Traffic Manager

Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.

This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.

Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/localfolder.

Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.

Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.

Fix:
fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local.

Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.

631866-2 : Cannot access LTM policy rules in the web UI when the name contains certain characters

Component: TMOS

Symptoms:
Access LTM policy rules in the web UI when the name contains percent (%) or slash (/) displays an empty page.

Conditions:
The LTM policy rule name being accessed contains the characters percent (%) or slash (/).

Impact:
The policy rule properties page displays an empty page.

Workaround:
Update the LTM policy rule using tmsh.

Fix:
LTM policy rules can be accessed as expected in the web UI regardless of their names.

631862-1 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Solution Article: K32107573

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.

Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).

Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.

Workaround:
Use following iRule for broken URLs:

when HTTP_RESPONSE {
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.

Fix:
When OWS serves Transfer-Encoding chunked with zero size chuck, BIG-IP properly handles the response and sends END_STREAM flag finalizing the response.

631737-1 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations

Solution Article: K61367823

Component: Application Security Manager

Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.

Conditions:
This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.

Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. The system reports the ArcSight remote logger message as attack_type="N/A". (If no other violation was found.)

Workaround:
None.

Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.

631722 : Some HTTP statistics not displayed after upgrade

Component: Application Visibility and Reporting

Symptoms:
Some statistics will disappear after upgrade due to bug in HTTP statistics backup.

Conditions:
Upgrading to newer version

Impact:
Not all statistics are shown.

Workaround:
No workaround

Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.

631700-1 : sod may kill bcm56xxd under heavy load

Solution Article: K72453283

Component: TMOS

Symptoms:
Under heavy load, bcm56xxd may not get enough CPU cycles to finish some of its operations and activate the watchdog process. In that case, sod will suspect that bcm56xxd has halted and terminate the process.

Conditions:
When the system is very busy, tmm has higher execute priority, and bcm56xxd does not have enough CPU cycles.

Impact:
The switch will not operate during the restart, and traffic might be interrupted.

Workaround:
Reduce the traffic to make the system less busy.

Fix:
The system now has bcm56xxd activate the watchdog so that sod does not terminate the bcm56xxd process.

631688-7 : Multiple NTP vulnerabilities

Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302

631627-4 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to route domain stops vlan traffic on VCMP guest. You will experience connection failures when bandwidth Controller (bwc) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not comes up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
BWC enabled and associated with a route domain, Web Accelerator enabled, and the system is rebooted, now results in the system and TMM coming up fully and passing traffic.

631609-1 : ASM Centralized Management Infrastructure Sync issues

Component: Application Security Manager

Symptoms:
Devices in a multiple Automatic sync device-groups may extraneously request a full sync after initial device sync creation, or after a full sync event.

Conditions:
Devices are in an autosync failover group and an autosync sync-only group with ASM sync enabled.

Impact:
A device may extraneously request additional full syncs after receiving a full sync from its peer or after adding an ASM policy.

Workaround:
No workaround.

Fix:
Extraneous full sync requests are no longer sent.

631582 : Administrative interface enhancement

Solution Article: K55792317

631472-1 : Reseting classification signatures to default may result in non-working configuration

Component: Traffic Classification Engine

Symptoms:
Configuration will not load when running "tmsh load ltm classification signature default" or clicking Reset to Defaults button on Traffic Intelligence :: Applications : Signature Update page.

Conditions:
1. You upgrade classification signatures to an IM package, and reference one of the newly added applications / categories in your configuration (e.g., PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.

Impact:
Configuration will not load.

Workaround:
Remove application that came with the new IM from the configuration.

Fix:
The release solves the problem of potentially non-working configurations after classification signatures were reset to default.

631444-2 : Bot Name for ASM Search Engines is case sensitive

Component: Application Security Manager

Symptoms:
CS challenge is returned for request with known search engine which is sent with different case than configured.

Conditions:
ASM profile is configured on the VS; DoS profile is not configured on the VS.

Impact:
Known search engines will get CS challenge.

Workaround:
Have DoS profile on the VS, in which the only feature turned on is Bot Signature, in report only, where only search engine category is turned on.

Fix:
making the ASM Search Engines case insensitive

631316 : Unable to load config with client-SSL profile error★

Solution Article: K62532020

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
-- The system is loading config.
-- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration can not be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).

3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
tmsh load sys conf

631204-1 : GeoIP lookups incorrectly parse IP addresses

Solution Article: K23124150

631172-4 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Solution Article: K54071336

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
User logged in to gui and idle for 20-30 minutes

Impact:
User is logged out of the GUI.

Workaround:
None.

Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.

631131-3 : Some tmstat-adapters based reports stats are incorrect

Component: Application Visibility and Reporting

Symptoms:
Stats are being collected in a wrong way for tmstat tables that are using partial-key. This leads to wrong values on reports.

Conditions:
Using partial key from tmstat-table on tmstat-adapter

Impact:
Wrong stats values for some reports.

Fix:
Tmstat-Adapters is now using the correct API from tmstat-framework which simulate a 'group-by' function on the query, and thus provide the correct result-set.

631025-1 : 500 internal error on inline rule editor for certain firewall policies

Component: Advanced Firewall Manager

Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.

Conditions:
-- This occurs when editing certain firewall policies in the GUI.
-- The issue is specific to policies with rules that meet the following criteria:

a) At least two addresses with the same first three octets.
b) Addresses should have non-default partition.

141.146.155.40%1 { }
141.146.155.41%1 { }

Impact:
Unable to view or edit the policy, page returns an error

Workaround:
You can view these rules in the GUI by disabling the inline rule editor.

Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.

630929-1 : Attack signature exception list upload times-out and fails

Solution Article: K69767100

Component: Application Security Manager

Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------

Conditions:
ASM provisioned.
Attack signature exception list uploaded.

Impact:
Attack signature exception list upload times-out and fails.

Workaround:
N/A

Fix:
Improved the Attack signature exception list upload process to take much less time.

630661-2 : WAM may leak memory when a WAM policy node has multiple variation header rules

Solution Article: K30241432

Component: WebAccelerator

Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.

Conditions:
WAM policy with node utilizing multiple variation header rules.

Impact:
Potential per-request memory leakage driven by client traffic.

Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.

Fix:
WAM no longer leaks memory when evaluation policy nodes which utilize two or more header variation rules.

630622-1 : tmm crash possible if high-speed logging pool member is deleted and reused

Component: TMOS

Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.

Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.

630611-1 : PEM module crash when subscriber not fund

Solution Article: K84324392

Component: Policy Enforcement Manager

Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.

Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.

Impact:
PEM/TMM SIGSEV.

Workaround:
None.

Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.

630610-5 : BFD session interface configuration may not be stored on unit state transition

Solution Article: K43762031

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.

Workaround:
Re-add statements manually.

Fix:
BFD session interface configuration is now stored on unit state transition.

630571-1 : Edge Client on Mac OSX Sierra stuck in a reconnect loop

Solution Article: K35254214

Component: Access Policy Manager

Symptoms:
Upon waking laptop Edge Client stuck in a reconnect loop.

Conditions:
Full-Tunnel, no Local LAN Access profile; when opening the device lid, which attempts to reconnect to the VPN service. This occurs only with MAC OS X 10.12.1.

Impact:
Cannot connect to VPN, and the Edge Client gets stuck in a reconnect loop.

Workaround:
Allow local subnet access set to enabled.

Fix:
In this release, using MAC OS X 10.12.1 now resumes a connection to VPN using the Edge Client.

630546-1 : Very large core files may cause corrupted qkviews

Component: TMOS

Symptoms:
If a core file is found on a slave blade in a chassis, that is too large for qkview to include, this can cause the qkview file for the blade to be corrupted.

Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.

Impact:
iHealth will not parse the qkview.

Workaround:
Copy the core files on the slave blade from /etc/core to a back up location and delete the original files before creating the qkview.

Fix:
qkview files run when core files greater than 2.4 GB exist in /var/core now complete as expected.

630475-5 : TMM Crash

Solution Article: K13421245

630446-1 : Expat vulnerability CVE-2016-0718

Solution Article: K52320548

630356-1 : JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge that is sent to a POST request within an iframe will have a follow-up request of GET when coming from Microsoft Internet Explorer or Edge browser. The request reconstruction is incorrect, and the back-end server does not receive the request payload.
This is relevant to all types JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Conditions:
JavaScript challenge is used in a POST request, when one of the following features in enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Impact:
POST requests will be sent as GET and the request payload will not reach the back-end server.

Workaround:
None.

Fix:
JavaScript challenges to POST requests are sent correctly to the back-end server when coming from iframe in Microsoft Internet Explorer/Edge browsers.

630306-1 : TMM crash in DNS processing on UDP virtual server with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.

630150-1 : Websockets processing error

Solution Article: K51351360

629921-4 : [[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.

Component: Access Policy Manager

Symptoms:
With SWG client side NTLM auth configuration while doing the NTLM auth for backend, ECA plugin is trapping the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, it sinks the request and generates the 407 to the client to do proxy authentication.

Conditions:
Set-up SWG for auth with ntlm credentials
Access a proxied resource which also requires ntlm auth

Impact:
Backend server access is restricted.

Workaround:
None

Fix:
Now when using SWG in explicit proxy mode with NTLM authentication with the Proxy-Authenticate header, BIG-IP allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication with the Authenticate header.

629871-2 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Component: Carrier-Grade NAT

Symptoms:
Deploying NAT64 part of a 464 XLAT solution may overwrite PASV response 464 XLAT cases.

Conditions:
FTP ALG deployment.

Impact:
PASV response 464 XLAT cases overwritten.

Workaround:
None.

Fix:
Deploying NAT64 part of a 464 XLAT solution no longer overwrites PASV response 464 XLAT cases.

629845-2 : Disallowing TLSv1 connections to HTTP causes iControl/REST issues

Component: Device Management

Symptoms:
When HTTP disallows TLSv1 connections, UCS via iControl/REST fails with the following in the logs:

[SEVERE][86][08 Nov 2016 16:47:20 UTC][com.f5.rest.icontrol.IControlRunnable] (iControl execution) AxisFault[; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]:
[WARNING][87][08 Nov 2016 16:47:20 UTC][8100/tm/shared/sys/backup/52d67805-3aab-4260-8770-a690154c698e/worker UcsBackupTaskWorker] Failed to restore from backup: backup_test.ucs

Conditions:
This occurs when TLSv1 is explicitly disallowed in the HTTP profile.

Impact:
iControl REST clients are unable to connect.

Workaround:
None.

Fix:
Explicitly disallowing TLSv1 in the HTTP profile no longer causes iControl/REST issues.

629801-2 : Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.

Component: Access Policy Manager

Symptoms:
After syncing an access policy, the access policy change on the other device should be prompting you to apply the policy, but instead it applies the policy automatically.

Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.

A key component that triggers this symptom is that the failover device group is listed first in the configuration. When this occurs, the policy will be applied automatically, which shouldn't occur.

Impact:
Policy changes are automatically applied, when they should only be synced with a prompt to apply after the sync.

Workaround:
None.

Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.

629698-1 : Edge client stuck on "Initializing" state

Component: Access Policy Manager

Symptoms:
It takes a lot of time to reestablish the VPN connection when the Edge Client switches to network with Captive Portal authentication. Edge client freezes on "Initializing" state for around 1 minute.

Conditions:
This can occur on the Edge Client with Captive Portal configured.

Impact:
Edge client is stuck on "Initializing" for an excessive amount of time.

629663-1 : CGNAT SIP ALG will drop SIP INVITE

Solution Article: K23210890

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.

Fix:
The system now uses the expiration value from the SIP message i.e. either from expires parameter or the Expire header to update the timeout of the registration record.

629627-1 : FPS Log Publisher is not grouped nor filtered by partition

Component: Fraud Protection Services

Symptoms:
If there are several log publishers assigned to different partitions, it is not clear which log publisher is assigned to which partition.

All log publishers are displayed regardless of the partition selected.

Conditions:
Provision FPS.
Two or more partitions
Two or more log publishers assigned to different partitions

Impact:
All log publishers are displayed regardless of partition.

Workaround:
None.

Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.

629573-1 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition

Solution Article: K66001885

Component: Application Visibility and Reporting

Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.

Conditions:
When using virtual-servers and ASM policies under a non 'Common' partition, exported reports will not display the the selected drill-down filters.

Impact:
Exported reports will be displayed without the filters.

Workaround:
None.

Fix:
Exported reports will take into consideration partitions which will make the drill-down filters appear as expected.

629530-2 : Under certain conditions, monitors do not time out.

Solution Article: K53675033

Component: Global Traffic Manager (DNS)

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.

Fix:
The resource status is now correct under all monitor timeout conditions.

629499-9 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"

Component: TMOS

Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found

This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.

Conditions:
It is not known what exactly triggers this, it is caused by a timing issue that occurs during system initialization of multi-blade chassis.

Impact:
Certain tmsh sys perf commands fail to work and give an error.

Workaround:
Restart statsd on all blades once the chassis is up.

e.g.

"bigstart restart statsd" on each blade.

Fix:
statsd has been updated to reparse the statsd config file before rebuild it's config so that it doesn't lose the unsupported tables in it's list.

629421-1 : Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.

Component: Global Traffic Manager (DNS)

Symptoms:
The memory consumption of Big3d will slowly increase if a lot of Wide IPs are being created or deleted.

Conditions:
Adding or removing Wide IPs on a GTM sync pair.

Impact:
A few bytes of memory will be leaked by Big3d on sync.

Workaround:
there is no workaround at this time.

Fix:
The leak has been eliminated.

629412-3 : BIG-IP closes a connection when a maximum size window is attempted

Component: Local Traffic Manager

Symptoms:
HTTP2 provides flow control options which allow you to limit the amount of data on flight. A client can send an increment for a window size to an initial value set by standard to 65,535 bytes. BIG-IP used 64K value inherited from SPDY, causing overflow when the client tried to increment the value to its maximum.

Conditions:
HTTP2 profile is configured on a virtual, and client sends a WINDOW_UPDATE frame to increment the value to its maximum.

Impact:
BIG-IP considers the window size overflow as a protocol violation thus it shuts the connection down not serving any request.

Workaround:
None.

Fix:
With a correct value for initial window size (for both a connection and a stream) BIG-IP correctly processes an increment request of the window size to its maximum.

629178-1 : Incorrect initial size of connection flow-control window

Solution Article: K42206046

Component: Local Traffic Manager

Symptoms:
When a client establishes an HTTP2 connection, both endpoints can update their flow-control windows for the connection but their initial sizes of connection flow-control windows must be 65,535. BIG-IP erroneously sets it immediately to a configured value instead. Discrepancy in the window size calculation can result in cancelling of the client's requests.

Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).

Impact:
BIG-IP updates another endpoint with a WINDOW_UPDATE frame for the connection once it reaches a certain threshold. It doesn't happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., POST with a large amount of data), it resets the stream with HTTP2 RST_STREAM frame, canceling the request.

Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).

Fix:
The fix in this release allows BIG-IP to behave according to RFC and send WINDOW_UPDATE frames, preventing the connection flow-control window from exhaustion on a remote endpoint.

629145-1 : External datagroups with no metadata can crash tmm

Component: Local Traffic Manager

Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.

Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to large datagroups.

629127-1 : Parent profiles cannot be saved using FPS GUI

Component: Fraud Protection Services

Symptoms:
Any parent profile (profile that has bee inherited) cannot be saved in FPS GUI.

Conditions:
Provision FPS
License FPS.
1 or more child profiles.

Impact:
User configurations may not be saved.

Workaround:
Can use TMSH or REST.

629085-1 : Any CSS content truncated at a quoted value leads to a segfault

Solution Article: K55278069

Component: TMOS

Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.

Example:
...
.c1 {background-image: url('some

Conditions:
CSS ends without closing quote in value.

Example:
...
.c1 {background-image: url('some

Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.

Workaround:
Use a particular iRule.

Fix:
CSS content truncated at a quoted value no longer leads to a segfault.

629069-2 : Portal Access may delete scripts from HTML page in some cases

Component: Access Policy Manager

Symptoms:
If JavaScript uses Range.createContextualFragment() call to insert new scripts into HTML document, in some cases Portal Access may delete one of the scripts in the page.

Conditions:
JavaScript with Range.createContextualFragment() call which is used to add new scripts by subsequent insertBefore()/insertAfter() calls.

Impact:
Web application may not work correctly.

Workaround:
None.

Fix:
Now web apps delivered via APM Portal Access can use Range.createContextualFragment(), insertBefore(), and insertAfter() javascript properly.

628972-2 : BMC version 2.51.7 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.51.7.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Upgrading firmware.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

628897-1 : Add Hyperlink to gslb server and vs on the Pool Member List Page

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to the GSLB Server and Virtual-server are missing from the GSLB Pool Member list page.

Conditions:
This can be seen in the DNS :: GSLB : Pools : Pick a pool : Members tab

Impact:
You are unable to to quickly get to the server and virtual server from this page.

Workaround:
Manually navigate to associated server and Virtual Server.

Fix:
Hyperlinks for associated server and VS are not showing on the Pool Member list page.

628890-1 : Memory leak when modifying large datagroups

Component: Local Traffic Manager

Symptoms:
When modifying large external datagroups, a significant memory leak may occur.

Conditions:
This can occur when a large datagroup is in use and is modified.

Impact:
Memory is leaked, and the amount of memory leaked can be significant.

Workaround:
None.

Fix:
Fixed a memory leak related to modifying large datagroups.

628869-4 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.

Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.

628836-4 : TMM crash during request normalization

Solution Article: K22216037

628832-4 : libgd vulnerability CVE-2016-6161

Solution Article: K71581599

628739-1 : BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD

Component: TMOS

Symptoms:
Configuring the management IP outside the management subnet succeeds without error.

Conditions:
On the LCD, navigate to the 'Setup' tab, and select 'Management'.
1. Set the default Gateway for the network.
2. Now set an IP address outside the Gateway subnet.
3. Notice no errors and commit is successful.

Impact:
Admin IP and Gateway for management route (/Common/default) not in a connected network.

Workaround:
Do not configure the IP and Gateway outside the management route.

Fix:
LCD no longer allows invalid configuration of mgmt IP (with gateway IP outside mgmt subnet).

628735-1 : Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles

Component: TMOS

Symptoms:
The Hardware SYN Cookie Protection field is not displayed in the GUI configuration screen for TCP/FastL4/FastHTTP profiles, despite hardware support for the feature existing on the
platform.

Conditions:
Configuring TCP/FastL4/FastHTTP profiles in the BIG-IP GUI.

This occurs on vCMP guests, on the 10350N, i5600, i5800, i7600, i7800, i10600, i10800 platforms, and on VIPRION systems using the B4450 or B4450N blades.

Impact:
The Hardware SYN Cookie Protection field is not displayed.

Workaround:
Use tmsh to set the Hardware SYN Cookie Protection field.

Fix:
The system no longer uses a static list of platforms that have an HSB as a basis for displaying the Hardware SYN Cookie Protection option in the GUI, so the field is shown as expected.

628721-1 : In rare conditions, DNS cache resolver outbound TCP connections fail to expire.

Component: Local Traffic Manager

Symptoms:
If a TCP connection is initiated by the DNS cache resolver but fails to be fully created, it may be leaked until the next restart of tmm.

Conditions:
This is only known to occur when other internal issues are affecting the tmm's functionality. If there are ongoing log messages in the tmm logs of the form: "hud_msg_queue is full," and a DNS cache resolver is attempting new outbound TCP connections, then it is possible to leak these connections.

Impact:
If enough connections are leaked, the tmm will not be able to create new connections even if the conditions causing the "hud_msg_queue" log messages resolve.

Workaround:
Restarting tmm will clear the leaked connections.

Fix:
The connections are now properly cleaned up if they are unsuccessfully created.

628687-2 : Edge Client reconnection issues with captive portal

Component: Access Policy Manager

Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

Conditions:
Connect to APM through a captive portal.

Impact:
EdgeClient stuck at "Reconnecting".

Workaround:
None.

Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

628685-2 : Edge Client shows several security warnings after roaming to a network with Captive Portal

Solution Article: K79361498

Component: Access Policy Manager

Symptoms:
Network is blocked by a captive portal. Captive portal uses HTTPS. Periodic-session-check reports SSL certificate is not trusted because access to APM is redirected (to captive portal).

Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.

Impact:
Numerous security warnings.

Workaround:
None.

Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.

628623-1 : tmm core with AFM provisioned

Component: Advanced Firewall Manager

Symptoms:
tmm cores on the secondary blade while passing traffic.

Conditions:
This can occur intermittently with AFM provisioned while passing traffic, even if AFM is not in use.

Impact:
Traffic disrupted while tmm restarts.

628351-1 : Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled

Component: Advanced Firewall Manager

Symptoms:
When Proactive Bot Defense is enabled, requests to URLs with Path Parameters (URLs containing a semicolon ;) may get stuck on a redirect loop. This typically applies to URLs which do not respond with HTML content or to URLs with low traffic.

Conditions:
-- Proactive Bot Defense is enabled.
-- URLs use Path Parameters (containing the semicolon ; character).

Impact:
Clients cannot access the web server, getting caught in an infinite redirect loop.

Workaround:
None.

Fix:
Requests to URLs with ";" no longer get stuck in a redirect loop when Proactive Bot Defense is enabled.

628348-1 : Cannot configure any Mobile Security list having 11 records or more via the GUI

Component: Fraud Protection Services

Symptoms:
Any item added to a list with more than 10 records in Mobile Security section is ignored.

Conditions:
Provision FPS
License mobilesafe
add 11 records to a list

Impact:
User configuration may not be saved.

Workaround:
Use TMSH or Rest.

Fix:
GUI allows adding items to lists with more than 10 records.

628337-1 : Forcing a single injected tag configuration is restrictive

Component: Fraud Protection Services

Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.

Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.

Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.

Workaround:
Configure injected tags in a way which can applied to all URLs protected in a profile. If it is not possible due to some URL HTML structure, HTML must be modified.

Fix:
Injected tags configuration has been moved to the URL level.

628311-3 : Potential TMM crash due to duplicate installed PEM policies by the PCRF

Solution Article: K87863112

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.

Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.

Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.

628202-4 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.

Fix:
Prevented audit_forwarder from using more memory than it needs.

628164-3 : OSPF with multiple processes may incorrectly redistribute routes

Solution Article: K20766432

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.

OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.

628009-1 : f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800

Component: TMOS

Symptoms:
The f5optics functionality is not initialized on Herculon iSeries variants.

Conditions:
This occurs on the following Herculon iSeries platforms: HRC-i2800, HRC-i5800, HRC-i10800.

Impact:
None. No f5optics optics module database is presently provided for Herculon platforms. Herculon uses no optics modules that require tuning (e.g., 100G).

Workaround:
None.

Fix:
With the fix, if an optics module data base is provided via an f5optics install, f5optics will become operational on Herculon. An f5optics database will be provided if optics modules requiring tuning are ever used with Herculon.

627972-2 : Unable to save advanced customization when using Exchange iApp

Solution Article: K11327511

Component: Access Policy Manager

Symptoms:
When Policy created using Microsoft Exchange iApp script, Advanced Customization (usually of logon page) might fail with error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.

Conditions:
Usually: HA Pair, iApp exchange created profile, in general any advanced customization where name not equals customization_group_name:filename is affected.

Impact:
Unable to edit advanced customization, functionality is unaffected.

Workaround:
edit bigip.conf
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to customizaton_group_name:filename i.e.

name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc

Fix:
Can now save advanced customization when using Microsoft Exchange iApp.

627961-3 : nic_failsafe reboot doesn't trigger if HSB fails to disable interface

Solution Article: K15130343

Component: TMOS

Symptoms:
The HSB driver attempts a nic_failsafe in the case of failing to disable the interface.

Conditions:
The driver disables nic_failsafe prior to triggering the nic_failsafe. This is in hsb_ifdown_go_dead.

Impact:
TMM may restart continuously resulting in interfaces bouncing constantly.

Workaround:
Reboot the device.

Fix:
This release fixes issues where nic_failsafe reboot did not happen on HSB failures.

627926-1 : Retrieving a server-side SSL session ID in iRules does not work

Solution Article: K21211001

Component: Local Traffic Manager

Symptoms:
Retrieving the server-side SSL session ID using iRule does not work.

Conditions:
Retrieve server-side SSL Session ID using an iRule.

Impact:
iRules that try to log or capture an SSL session ID will not work properly.

Workaround:
None.

Fix:
The server-side SSL session ID can now be retrieved with an iRule.

627916-1 : Improve cURL Usage

Solution Article: K81601350

627914-1 : Unbundled 40GbE optics reporting as Unsupported Optic

Component: TMOS

Symptoms:
When a 40G interface is configured "bundle disabled" the optic module in use on the interface will be declared as an "Unsupported optic" module even though the optic module is F5 branded.

Conditions:
Using unbundled 40GbE optics.

Impact:
This is a cosmetic problem. The interface is able to function as intended.

Workaround:
No workaround, problem is cosmetic.

Fix:
The fix for the defect results in no longer declaring an otherwise supported optics module as unsupported when bundling is configured disabled on the interface.

627907-1 : Improve cURL usage

Solution Article: K11464209

627898-2 : TMM leaks memory in the ECM subsystem

Component: TMOS

Symptoms:
TMM leaks memory in the ECM subsystem.

Conditions:
This issue occurs when the user has imported one or more SSL certificates onto the system and named them in such a way that the "ca-bundle.crt" string appears in their names. For example, "my-ca-bundle.crt". With this configuration in place, TMM leaks memory each time the configuration is modified.

Impact:
TMM will run out of free memory. This will initially impact traffic and could eventually lead to TMM crashing. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by renaming your SSL certificates so that their names don't contain the "ca-bundle.crt" string.

Fix:
TMM no longer leaks memory in the ECM subsystem.

627798-3 : Buffer length check for quota bucket objects

Component: Policy Enforcement Manager

Symptoms:
For quota bucket (Rating Groups) object, BIG-IP allocates a large buffer locally, and doesn't expect it to be over-run as the objects are expected to be smaller

Conditions:
Any quota bucket objects which are being inserted in PEM database

Impact:
For quota bucket objects which are in PEM database, the buffer is usually large enough, so there should not be any impact. But if the quota bucket ever gets larger, then potential corruption of the quota bucket information could occur. This could trigger a tmm core. Traffic disrupted while tmm restarts.

Workaround:
quota bucket with fewer rules

627764-2 : Prevent sending a 2nd RST for a TCP connection

Component: Local Traffic Manager

Symptoms:
After a specific sequence of packets resulting in sending a RST packet, TCP connection was kept alive and sent another RST when connection expired.

Conditions:
A specific sequence of packets (a second SYN segment within the TCP window) is received by a TCP connection.

Impact:
2 RST segments is sent to the client instead of 1. In addition, the TCP connection was kept alive until the sweeper cleaned it.

Workaround:
There is no workaround at this time.

Fix:
TCP sends a single RST for specific sequence of packets

627747-1 : Improve cURL Usage

Solution Article: K20682450

627695-2 : [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational

Component: Local Traffic Manager

Symptoms:
'Yes' and 'No' options to proceed or cancel the uninstall operation are not operational.

Conditions:
Issue happens when running safenet-sync.sh -u.

Impact:
No impact.

Workaround:
None.

Fix:
In this release, there is no Yes or No option for the SafeNet uninstall 'safenet-sync.sh -u.' command.

627616-3 : CCR-U missing upon VALIDITY TIMER expiry when quota is zero

Component: Policy Enforcement Manager

Symptoms:
CCR-U is not sent upon VALIDITY TIMER experts.

Conditions:
If PCRF does not grant any GSU (no quota), but only specifies the VALIDITY timer.

Impact:
OCS does not get the CCR-U message and misses the information about quota.

Workaround:
Work around is to set the following timers using sysdb to non-zero value. Here is an example:
sys db tmm.pem.session.quota.bucket.denied.timeout { value "1" }
sys db tmm.pem.session.quota.bucket.depleted.timeout { value "2" }
sys db tmm.pem.session.quota.bucket.idle.timeout { value "3" }

Fix:
CCR-U is now sent upon VALIDITY TIMER experts.

627574-1 : After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.

Component: Local Traffic Manager

Symptoms:
If a BIG-IP system has Local Traffic Policies defined in a non-Common partition, and the system is upgraded to version 12.1.0, 12.1.1, or 12.1.2, attempting to create a new draft of the policy by selecting "Create Draft" will fail and give an error message similar to:

err mcpd[8140]: 01070734:3: Configuration error: Can't associate policy rule (/Partition1/Drafts/policy_name policy_name_policy_rule) folder does not exist

Conditions:
A system is upgraded to version v12.1.x with Local Traffic Policies in a non-default partition.

Impact:
You cannot modify existing Local Traffic Policies.

Workaround:
Manually create a 'Drafts' folder in the appropriate partition, e.g.:

tmsh create sys folder /Partition1/Drafts

Alternately, create a new (different) policy in the specified partition, and then delete it. Doing this has a side-effect of creating the Drafts folder.

627433-1 : HSB transmitter failure on i2x00 and i4x00 platforms

Component: TMOS

Symptoms:
On the BIG-IP i2x00 and i4x00 platforms, tmm enters an infinite 'restart' loop after a 'bigstart restart' or 'bigstart restart tmm' command if traffic is actively flowing through the TMM. This is the result of an HSB transmitter failure.

Conditions:
Traffic actively flowing through the tmm and you issue 'bigstart restart' or 'bigstart restart tmm'.

Another instance occurs when syncing the datasync-global-dg device-group for an HA configuration on iSeries platforms.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure all traffic is stopped before issuing the 'bigstart restart' or 'bigstart restart tmm' commands.

Set HSB::failures_before_reset in /config/tmm_init.tcl to a high value, such as 1000 (default is 50) may resolve the issue, depending on the conditions this issue occurred.

Fix:
TMM restart loop no longer occurs following 'bigstart restart' on i2x00 and i4x00 platforms.

627403-2 : HTTP2 can can crash tmm when stats is updated on aborting of a new connection

Component: Local Traffic Manager

Symptoms:
HTTP2 allocates a block of memory for collecting stats on a connection. If the connection is aborted for any reason, tmm may try to update stats prior the memory is allocated.

Conditions:
HTTP2 profile is configured and assigned to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
A fix stops HTTP2 from accessing stats prior memory is allocated preventing TMM crash for this reason.

627360-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★

Component: Application Security Manager

Symptoms:
These errors come up in asm log, upon first start after upgrade:
-------------------------
2016-11-02T08:33:09-06:00 localhost notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
Nov 2 08:35:34 c5af5ltm1b info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
Nov 2 08:36:03 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script launched
Nov 2 08:36:17 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script finished
Nov 2 08:36:23 c5af5ltm1b info asm_start[19802]: ASM config loaded

Nov 2 08:37:40 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

Nov 2 08:38:33 c5af5ltm1b info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
ASM provisioned
Local request logging enabled
Upgrade of a maintenance release, HF or EHF

Impact:
Upgrade fails

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never

2) do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

627279-2 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
tmm on a blade may crash during a CMP and PEM change.

Conditions:
Multi-blade chassis undergoing a CMP state change. Additionally requires PEM policy changes resulting in usage record updates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an HA pair and have the active chassis fail over during a CMP state change. Allow for the new stand by chassis to complete its CMP state change activity.

Fix:
Handle sessionDB failures gracefully.

627257-2 : Potential PEM crash during a Gx operation

Component: Policy Enforcement Manager

Symptoms:
Tmm may core during a Gx operation

Conditions:
Requires a PEM virtual with Gx, Sd or Gy enabled. This occurs when tmm starts.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Perform proper validation checks as part of API processing.

627246-1 : TMM memory leak when ASM policy configured on virtual server

Solution Article: K09336400

Component: Local Traffic Manager

Symptoms:
TMM memory leak in hud_oob when ASM policy configured on virtual server.

Conditions:
-- ASM policy is configured on a virtual server.
-- URL access via the virtual server.

Impact:
System leaks 64 bytes of memory. TMM might run out of memory and eventually crash.

Workaround:
None. But disabling ASM policy configuration on the virtual server can alleviate the problem.

Fix:
A memory leak in hud_oob when ASM policy configured on virtual server has been fixed.

627214-3 : BGP ECMP recursive default route not redistributed to TMM

Component: TMOS

Symptoms:
ECMP recursive routes are not properly redistributed to TMM, resulting in an incorrect routing table.

Conditions:
Dynamic routing configured with multiple equal cost paths reachable through a recursive nexthop.

Impact:
Packets are not routed to all ECMP nexthops.

Workaround:
None.

Fix:
ECMP routes with a recursive nexthop are now used correctly by TMM.

627203-1 : Multiple Oracle Java SE vulnerabilities

Solution Article: K63427774

627117-1 : crash with wrong ceritifcate in WSS

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
Web services security is turned on.
a bad / wrong / missing certificate is attached.

Impact:
Traffic drop until the BD is back (or failover).

Workaround:
The workaround would be to fix the attached certificate.

Fix:
Fix an issue with wrong certificates.

627059-1 : In some rare cases TMM may crash while handling VMware View client connection

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
VMware View client uses PCoIP to connect to backend via APM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed rare TMM crash during handling of VMware View client PCoIP connection

626990-1 : restjavad logs flooded with messages from ChildWrapper

Solution Article: K64915164

Component: TMOS

Symptoms:
Running iControl REST under heavy load might result in restjavad logs being filled with multiple, repeating messages similar to the following:

[WARNING][76559][13 Dec 2016 07:08:00 UTC][ChildWrapper] Exception found in child runner thread: null

Conditions:
-- Put iControl REST under a heavy load.
-- View restjavad logs.

Impact:
Logs fill with messages and rotate out. Logs full of these error messages might cause other messages to be missed.

Workaround:
None.

Fix:
iControl REST properly handles the exception described.

626910-1 : Policy with assigned SAML Resource is exported with error

Component: Access Policy Manager

Symptoms:
If Access Profile's Access Policy has saml resource assigned export is failing with error.

Conditions:
1. Access profile/access policy
2. Saml resource is assigned

Impact:
Unable to Export Policy

Fix:
Work order is restored

626861-2 : Ensure unique IKEv2 sequence numbers

Component: TMOS

Symptoms:
Although BIG-IP generates random sequence numbers for use in protocol negotiation, it is possible to allocate a new number already in use by a phase-one ike-SA or a phase-two child-SA.

Conditions:
When a sufficiently large number of tunnels are in use (e.g., numbering in thousands), odds of generating a duplicate sequence number is relatively high, given the number of random bits used to generate the number. More tunnels makes it more likely to occur.

Impact:
On sequence number collision, this might confuse an old SA, and probably never complete negotiation of a new SA. In addition, the system might crash if updating an old SA happened in a state where update is not expected.

Workaround:
None.

Fix:
Now BIG-IP uses more random bits in generated sequence numbers, and it always checks whether a new sequence number is currently in use anywhere else before proceeding. Thus collisions cannot be generated in sequence number allocation. New numbers should always be guaranteed unique now.

626851-2 : Potential crash in a multi-blade chassis during CMP state changes.

Solution Article: K37665112

Component: Policy Enforcement Manager

Symptoms:
CMP state change can result in a blade crash.

Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.

Impact:
Blade crash resulting in potential loss of service.

Workaround:
Deploy PEM in an HA-pair with a chassis fail over configured to occur if at most one blade on the active chassis fails.

Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.

626839 : sys-icheck error for /var/lib/waagent in Azure.

Component: TMOS

Symptoms:
On a BIG-IP deployed in Azure cloud, sys-icheck reports readlink error for /var/lib/waagent directory as following:

ERROR: ....L.... /var/lib/waagent

Conditions:
BIG-IP deployed in Azure cloud.

Impact:
sys-icheck reports "rpm --verify" errors for /var/lib/waagent. This doesn't have any functional impact on the product but looks like factory RPM settings were modified externally and incorrectly.

Workaround:
No workaround exists for this issue.

Fix:
sys-icheck error for /var/lib/waagent in Azure.

626721-5 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart

Component: TMOS

Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain errors messages similar to:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342

Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.

Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).

Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.

Fix:
Prevented the command "tmsh reset-stats auth login-failure <username>" from restarting mcpd instances on secondary blades when <username> is an unknown user. The bad command is intercepted at the primary blade and is dealt with there.

626596 : Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Component: TMOS

Symptoms:
Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections' instead of 'Assisted Connections'.

Conditions:
-- Running vCMP.
-- System provides hardware acceleration.
-- Statistics :: Analytics :: Hardware Acceleration menu.

Impact:
Spelling of 'Assited' instead of the expected 'Assisted'.

Workaround:
N/A

Fix:
Changed spelling of 'Assited' to 'Assisted'.

626542-2 : Unable to set maxMessageBodySize in iControl REST after upgrade★

Component: Device Management

Symptoms:
After upgrading and attempting to set maxMessageBodySize via iControl REST, you get an error indicating the command is not implemented:

{"code":400,"message":"onPut Not implemented","originalRequestBody":"{\"maxMessageBodySize\": \"111111111\"}","referer":"127.0.0.1","restOperationId":216941,"kind":":resterrorresponse"}

Conditions:
This occurs when upgrading from v11.6.1 to v12.1.0, v12.1.1,or v12.1.2, and applying the UCS from the 11.6.1 release. The error is generated because new defaults were added but they are not set on UCS restore.

Impact:
Command fails, unable to set maxMessageBodySize.

Workaround:
If you encounter this after an upgrade and UCS restore, you can run the following commands from the BIG-IP command line:

1. curl -X DELETE http://localhost:8100/shared/storage?key=shared/server/messaging/settings/8100.
2. bigstart restart restjavad.

Fix:
You can now set maxMessageBodySize via iControl REST after upgrading.

626438-1 : Frame is not showing in the browser and/ or an error appears

Component: Advanced Firewall Manager

Symptoms:
frame going blank when ASM policy enabled. this will trigger the following JS error in clients console:
Uncaught TypeError: Cannot read property '3' of undefined

Conditions:
Asm policy enabled. Device id is enabled theough one of the supporting features

Impact:
Site not operating correctly.

Workaround:
N/a

Fix:
Fixed device id javascript issue that prevented a frame from being displayed .

626434-6 : tmm may be killed by sod when a hardware accelerator does not work

Solution Article: K65283203

Component: Local Traffic Manager

Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod), when the Cavium hardware accelerator does not come back after the reset from the driver.

Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Power cycling the system might correct the error.

Fix:
The system now prints out an error message in the log file, improving the way tmm handles the failure.

626386-1 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Solution Article: K28505256

Component: Local Traffic Manager

Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.

Conditions:
When SSL persistence is enabled and a large-sized client
certificate is sent by the SSL client to the BIG-IP device.

Impact:
Client connection hangs during the handshake. No impact to any other module.

Workaround:
Disable SSL persistence.

Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.

626360 : TMM may crash when processing HTTP2 traffic

Solution Article: K22541983

626311-2 : Potential failure of DHCP relay functionality credits to incorrect route lookup.

Solution Article: K75419237

Component: Local Traffic Manager

Symptoms:
DHCP requests from client to server may not make it through.

Conditions:
-- BIG-IP system configured as a DHCP relay.
-- Input variable (flow_key) incorrectly initialized.

Impact:
Clients might not get an IP address from the DHCP server.

Workaround:
None.

Fix:
Input variable (flow_key) is initialized properly to prevent a potential route-lookup failure.

626141-3 : DNSX Performance Graphs are not displaying Requests/sec"

Component: Global Traffic Manager (DNS)

Symptoms:
The DNSX Performance graphs have a X and Y axis of Requests/second but the data actually shows total requests.

Conditions:
Always.

Impact:
The data displayed in the graph is not correct.

626106-3 : LTM Policy with illegal rule name loses its conditions and actions during upgrade★

Component: Local Traffic Manager

Symptoms:
BIG-IP version 12.0.0 introduced more strict checking on the characters allowed in policy and rule names, and it also introduced an auto-migration feature to convert any disallowed characters to an underscore (_). Allowed characters in policy and rule names are:
A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.

When there is a pre-v12.0 Policy that contains an illegal character, the rule has each illegal character converted to a legal one. But conditions and actions, which are joined to the rule by name were not similarly adjusted. After migration, LTM Policy rule does not have any conditions or actions referring to its new name.

Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later

Impact:
Policy rule name is changed, illegal characters converted to benign underscore (_). The upgraded configuration will load successfully, but the Rule's associated conditions and actions are not changed, and still point to the policy by its former name, effectively becoming orphaned. Inspecting rule using UI or tmsh shows conditions and actions missing.

Workaround:
The bigip.conf file can be manually edited to fix illegal characters and configuration reloaded.

625892-2 : Nagle Algorithm Not Fully Enforced with TSO

Component: Local Traffic Manager

Symptoms:
Sub MSS packets are more numerous than Nagle's algorithm would imply.

Conditions:
TCP Segmentation Offload is enabled.

Impact:
Sub-MSS packets increase overhead and client power consumption.

Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable

Fix:
Deliver Integer Multiples of MSS to the TSO hardware when Nagle's algorithm applies.

625860-2 : Improved handling of crypto hardware decrypt failures on B4450 platform.

Solution Article: K55102452

625832-4 : A false positive modified domain cookie violation

Component: Application Security Manager

Symptoms:
An unexpected modified domain cookie violation on system that has more than 127 policies configured.

Conditions:
This occurs when more than 127 policies are configured. The violation modified domain cookie is turned on and there are enforced cookies.

Impact:
A false positive violation.

Workaround:
Remove the modified domain cookie violation from blocking.

Fix:
Fixed a false positive modified domain cookie violation.

625824-1 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, that causes swap space to increase continuously and might lead to exhaustion of swap space

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem

Impact:
iControlPortal.cgi memory increases

Workaround:
Restart httpd to reload the iControl daemon.

Fix:
Fixed a memory leak associated with iControl

625784 : TMM crash on i4x00 and i2x00 platforms with large ASM configuration.

Component: TMOS

Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM continuously crashes on boot-up or restart.

Conditions:
-- Large ASM configurations (50 virtual servers, 50 ASM policies).
-- Using i4x00 and i2x00 platforms.

Impact:
TMM continuously crashes and restarts; system is unusable.

Workaround:
None.

Fix:
TMM no longer crashes on i4x00 and i2x00 platforms with large ASM configurations.

625783-1 : Chassis sync fails intermittently due to sync file backlog

Component: Application Security Manager

Symptoms:
Chassis sync may fail intermittently if policies are changed and applied in a short interval.

Conditions:
Policies are changed and applied in a short interval on a chassis platform.

Impact:
Disk partition /var may fill up and synchronized changes may not appear on secondary blades.

Fix:
ASM configuration sync on chassis platform now works more reliably.

625703-2 : SELinux: snmpd is denied access to tmstat files

Component: TMOS

Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk will fail to access the created MIB data.

Conditions:
Custom created MIBs.

Impact:
Access to that MIB is denied.

Workaround:
None.

Fix:
When a custom SNMP MIB is created by using a Tcl scripts or other methods, the snmpwalk no longer fails to access the created MIB data.

625671-4 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provide incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver, will allow dnsxdump to work again after the next zone transfer.

Fix:
dnsxdump handles non-standard resource record types.

625542-1 : SIP ALG with Translation fails for REGISTER refresh.

Component: Service Provider

Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.

Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.

Impact:
SIP Register message egressed will not have translation applied i.e. the CONTACT and VIA header will not be translated.

Workaround:
None

Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.

625474-1 : POST request body is not saved in session variable by access when request is sent using edge client

Component: Access Policy Manager

Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.

Conditions:
- Configure BIG-IP as SAML Service Provider. To simplify reproduction change Access Policy execution timeout to few seconds.
- Use Edge Client to connect to BIG-IP.
- Saml Agent will redirect user for authentication to IdP
- Wait for few seconds for access policy to time out on BIG-IP.
- Enter credentials/complete authentication on IdP
- User will be redirected back to BIG-IP as SP. At this moment APM will create a new session, and will evaluate access policy again.

Impact:
SAML Agent will now fail with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request

Workaround:
Removing the ‘Origin’ header from the request with iRule does fix the issue, and the POST body becomes available to access hudfilter.

Fix:
Check for receipt of HUDEVT_REQUEST_DONE before falling through from EV_ACCESS_TCL_COMPLETION to EV_ACCESS_REQUEST_DONE in client wait for request body to ensure proper storage of POST request body in sessiondb.

625456-5 : Pending sector utility may write repaired sector incorrectly

Component: TMOS

Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.

When a pending sector is repaired, a message similar to the following is logged to :
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)

For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements

Conditions:
This may occur on BIG-IP appliances or VIPRION blades which contain hard disks which use 4096-byte physical sectors.

Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades

Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.

The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:

# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device

# smartctl -i /dev/sda | grep "Sector Size"

Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical

Not Affected:
Sector Size: 512 bytes logical/physical

Impact:
Potential corruption of unknown files on BIG-IP volumes.

625372-5 : OpenSSL vulnerability CVE-2016-2179

Solution Article: K23512141

625275-1 : Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI

Component: Fraud Protection Services

Symptoms:
When trying to add URL parameters containing square brackets "[]" in FPS GUI >> URL the parameters name become "0". If trying to modify, the parameters are not saved.

Conditions:
Provision FPS
Create URL

Impact:
FPS GUI

Workaround:
via tmsh, an example:

tmsh modify security anti-fraud profile criteria urls modify { /xml.php { parameters add { "mouse\[2]" } } }

Fix:
It is now possible to add parameters containing square brackets in FPS GUI.

625198-1 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the below are required to see this behavior:

DSACK is enabled

MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.

cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.

an iRule exists that changes any of the conditions above besides DSACK.

various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.

Fix:
TCP maintains state appropriately to avoid crash.

625172-1 : tmm crashes when classification is enabled and ftp traffic is flowing trough the box

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification profile attached to the virtual server
2. ftp traffic flows through the system
3. complex configuration with iRules and multiple modules enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
remove classification profile from the virtual server

Fix:
Incorrect memory management in one of classification matching mechanisms led to a crash.

625159-1 : Policy sync status not shown on standby device in HA case

Component: Access Policy Manager

Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.

Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device

Impact:
It does not affect sync functionality and user still can see the sync status on an active device.

Workaround:
Check sync status on an active device in the group.

Fix:
User will be able to see the sync statuses on a standby device, including itself as well as the list of devices in the whole sync-only group where sync is performed.

625114-2 : Internal sync-change conflict after update to local users table

Solution Article: K08062851

Component: Device Management

Symptoms:
User sync is initiated unexpectedly and automatically by the REST framework. To the internal sync system, this will appear as if the same change is being made manually on all devices, causing a change conflict. In other words, 'show cm sync-status' will return output similar to the following:

-------------------------------------------------------------------------------------------------
CM::Sync Status
-------------------------------------------------------------------------------------------------
Color red
Status Changes Pending
Mode high-availability
Summary There is a possible change conflict between device1 and device2.
Details
         device1: connected
         mydg (Changes Pending): There is a possible change conflict between device1 and device2.
          - Recommended action: Synchronize device2 to group mydg

In addition, users that were synchronized by the REST framework may not have the correct role and/or partition assigned to them.

Conditions:
A sync-failover device group exists.

In addition, the REST framework's 'gossip' mechanism must be set up correctly. This should happen automatically, but might not be ready yet. You can confirm that this is the case by running 'restcurl shared/resolver/device-groups/tm-shared-all-big-ips/devices'. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.

Impact:
An unexpected change conflict between your devices.
In some cases, high CPU utilization by restjavad may be observed.

Workaround:
When you have the change conflict, force a sync to the device group from the device where the user was originally created.

The high CPU utilisation by restjavad may persisting after a full sync.
Recommendation is to restart the restjavad service: restart sys service restjavad

Fix:
Internal sync-change conflict is no longer present after update to local users table.

625106-2 : Policy Sync can fail over a lossy network

Component: Local Traffic Manager

Symptoms:
Policy Sync fails.

Conditions:
BIG-IPs are connected over a lossy link.

Impact:
HA redundancy fails.

Workaround:
tmsh modify sys db TM.TCPProgressive.AutoBufferTuning value disabled

Fix:
Change configuration as described.

625098-3 : SCTP::local_port iRule not supported in MRF events

Component: Service Provider

Symptoms:
SCTP::local_port iRule not supported in MRF events

Conditions:
If MRF events are used, such as MR_INGRESS, MR_EGRESS and MR_FAILED events are used.

Impact:
SCTP::local_port won't work under MR events.

Fix:
After the fix, SCTP::local_port iRule will be supported in MRF events.

625085 : lasthop rmmod causes kernel panic

Component: TMOS

Symptoms:
If someone attempts to unload the lasthop kernel module, it will cause a kernel panic.

Conditions:
Attempting to unload the lasthop kernel module.

Impact:
The system reboots.

Workaround:
Avoid running the following command:

# rmmod lasthop

Fix:
The lasthop kernel module should never be unloaded. The system now prevents the lasthop kernel module from being unloaded, so no kernel panic occurs.

624966-2 : Edge client starts new APM session when Captive portal session expire

Component: Access Policy Manager

Symptoms:
When a Captive portal session expires during Network Access,
Edge-Client shows the Captive portal Authentication page. If the user doesn't authenticate for some amount of time (30-60sec) the Edge Client tries to disconnect the current session. When the user successfully authenticates, Edge Client starts new APM session instead of waiting until the user authenticates on Captive page.

Conditions:
This can occur when Captive portal is configured and the session expires.

Impact:
The Edge Client starts a new session when it should re-use the existing session.

624903-6 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.

Solution Article: K55102452

624876-1 : Response Policy Zones can trigger even after entry removed from zone

Component: Global Traffic Manager (DNS)

Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.

Conditions:
-- An RPZ zone contains an entry, for example badzone.example.com.
-- That entry is subsequently removed.

Impact:
The badzone.example.com entries will continue to be blocked by RPZ, even though the item has been removed.

Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin and restart the system using the following command: bigstart restart zxfrd.

This recreates the databases without the remnants of the deleted entries.

Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.

624846-1 : TCP Fast Open does not work for Responses < 1 MSS

Component: Local Traffic Manager

Symptoms:
BIG-IP does not send the data until receiving the first client ACK.

Conditions:
TCP Fast Open requests an object of less than 1 MSS in size.

Fast open and delayed acks enabled.

Impact:
Delayed completion of the connection.

Workaround:
Disable delayed acks.

Fix:
TCP sends SYN/ACK immediately after receiving the SYN, and the response as soon as it arrives from the server.

624831-2 : BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps

Component: TMOS

Symptoms:
tmm crashes while using Bandwidth Control (BWC) dynamic policies.

Conditions:
max-user-rate is set at 2gbps or higher.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Use a maximum of 1gbps for dynamic BWC policy max-user-rate.

Fix:
tmm crashes while using Bandwidth Control (BWC) dynamic policies with max-user-rate set at 2gbps or higher.

Behavior Change:
no

624826-2 : mgmt bridge takes HWADDR of guest vm's tap interface

Component: TMOS

Symptoms:
MGMT interface becomes unreachable and stops responding to traffic. Whenever guest is in provisioned state MAC address assigned to mgmt is correct (taken from base MAC). Whenever guest is in deployed state MAC address on host mgmt interface changes and is exactly the same as mgmt_vm_tap MAC.

Conditions:
The platform shipped with a "low" F5 base_mac

A Linux bridge by default takes as its mac the lowest mac of its constituent interfaces. This did not cause a problem before because F5 Networks systems' baseMacs have historically been "low", e.g., with legacy_baseMacs in {00:01:D7, 00:0A:49, 00:23:E9}.

When a guest tap interface is added to the mgmt bridge, the bridge takes its Linux default action, which is to take as its mac the lowest mac address of its constituent interfaces. With the comparison min(eth0's mac, guestTap's mac) returning guestTap's mac, the mgmt bridge incorrectly assumes a guestTapIntfc mac.

Impact:
Connectivity to the vCMP host platform is lost when the guest is deployed.

Workaround:
Use ifconfig to ensure that the mac address of the mgmt bridge never changes from eth0. For example, the following command sets as the mac of this bridge, the value passed in Mac.

ifconfig <bridgeName= mgmt> hw ether <Mac of Eth0>

Note: This assumes that eth0 will always be contained in the mgmt bridge.

Fix:
The system now uses ifconfig to assign the mac of interface eth0 to bridge mgmt.

624805-1 : ILX node.js process may be restarted if a single operation takes more than 15 seconds

Component: Local Traffic Manager

Symptoms:
There is an ILX node.js process restart that occurs, conditional on the code and operations of the node.js process. The restart occurs when one specific operation (code path in your node.js app) takes longer than 15 seconds to complete.

Conditions:
-- Running ILX with a node.js RPC or streaming setup.
-- A single operation takes more than 15 seconds.

Impact:
Connflow is dropped, traffic processing for the flows handled by that process stops until it restarts fully.

Workaround:
To work around this issue, you can time yourself in your node.js app, to either make sure operations complete within the timeframe, or determine where operations exceed the 15 second limit and rework the code so that operations complete within 15 seconds.

Fix:
There is no longer a time restriction on a single operation.

624744-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added prior to calling a callback for asynchronous handling.

624733-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added to facilitate a graceful failure during asynchronous handling.

624692-3 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying

Component: TMOS

Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.

Conditions:
Certificate with multi-byte encoded strings.

Impact:
Unable to view certificate list page or view certificate information via iControl/REST.

624616-1 : Safenet uninstall is unable to remove libgem.so

Component: Local Traffic Manager

Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:

rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.

Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.

Impact:
Uninstall is unable to complete.

Workaround:
None.

Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.

624570-1 : BIND vulnerability CVE-2016-8864

Solution Article: K35322517

624526-3 : TMM core in mptcp

Solution Article: K10002335

624484-2 : Timestamps not available in bash history on non-login interactive shells

Solution Article: K09023677

Component: TMOS

Symptoms:
There are no timestamps in bash history when bash is initiated from tmsh.

Conditions:
This issue arises when an Administrator or Resource Administrator with tmsh as the default shell runs bash from tmsh and then runs the 'history' command.

Impact:
Running 'history' in bash will not include timestamps of commands.

Workaround:
Timestamps can be added to bash history by running the following command in bash: export HISTTIMEFORMAT="%Y-%m-%d %T ".

Fix:
Added timestamps to bash history for non-login interactive shells.

624457-5 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Solution Article: K10558632

624370-1 : tmm crash during classification hitless upgrade if virtual server configuration is modified

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification hitless upgrade is triggered
2. pending (not saved) changes on any of the virtual servers

Impact:
Traffic disrupted while tmm restarts.

Fix:
Change of virtual server configuration triggers new library to be loaded during upgrade which wasn't expected by hitless upgrade mechanism and led to tmm crash. This is fixed in versions starting with 12.1.2.

624362-1 : VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file

Component: TMOS

Symptoms:
/shared disk usage growth and the diskmonitor can alarm when percent of disk usage reaches the configured threshold.

Conditions:
VCMP guest, overtime /shared/tmp/guestagentd.out grows and not rotated.

Impact:
/shared filesystem can fill and cause alerting and inability to copy files such as .iso to /shared.

Workaround:
1. periodically delete the non-critical file /shared/tmp/guestagentd.out

OR,

2. bigstart stop guestagentd (this will disable vcmp health feature on the host)

Fix:
The guestagentd logs no longer fill the tmp file.

624361-1 : Responses to some of the challenge JS are not zipped.

Component: TMOS

Symptoms:
Performance is affected on the JS challenge.

Conditions:
The following is turned on in the application dos configuration :
CS challenge, or PBD challenge when Suspicious browsers are disabled or the Device-ID challenge.

Impact:
1. These responses consume more CPU and more Bandwidth than needed.
2. Client-side latency is degraded.
3. More disk space is utilized than needed

Workaround:
None.

Fix:
Some of the JS challenge have better performance now.

624263-4 : iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.

624231-5 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause performance impact.
It could cause memory corruptions in some cases

Conditions:
This issue can happen when system there is are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the pem throttle feature for content insertion

624228-1 : Memory leak when using insert action in pem rule and flow gets aborted

Component: Policy Enforcement Manager

Symptoms:
Memory keeps increasing in PEM after several hours of live service.

Conditions:
Insert action in pem rule and response spawning multiple segments. Connection gets aborted midway.

Impact:
Connections can get reset once memory usage increases beyond threshold

Fix:
free xfrags when aborting flows

624198-1 : Unable to add multiple User-Defined alerts with the same search category

Component: Fraud Protection Services

Symptoms:
Adding 2 or more User-Defined alerts causes to DB exception error.

Conditions:
Provision FPS
Malware Detection license

Add multiple User-Defined alerts with the same "Search In" category.

Impact:
Can impact detection of certain malware.

Workaround:
Adding single record each time.
Use TMSH or Rest.

Fix:
GUI allows adding multiple User-Defined alerts of the same search category.

624193-2 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions which cause the condition.

Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.

624155-2 : MRF Per-Client mode connections unable to return responses if used by another client connection

Component: Service Provider

Symptoms:
When an outgoing connection is created in per-client mode, that connection is exclusively for use by the client whose message was routed to the destination. All messages (response or requests) received by the server are automatically forwarded to the client. The messages received from the server are forwarded to the original connection from the client (even if it has been closed).

Conditions:
The connection from the client closes and the client connects again.

Impact:
Messages from the new client connection will be routed using the previously created outgoing connection. But messages received from the server will be forwarded to the original connection from the client which is closed. These message will fail to be delivered.

Workaround:
None.

Fix:
When message arrive from a new client connection, the outgoing connection will be to forward messages received from the server to the new connection.

624023-3 : TMM cores in iRule when accessing a SIP header that has no value

Component: Service Provider

Symptoms:
When used an iRule to access a SIP header attribute with no value, TMM cores.

Conditions:
Use iRule to access the value of SIP message header attribute with no value.
Eg:
"Supported: " IEOL
"Session-Expires:" IEOL

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.

Fix:
Fix includes adjusting the buffer offset properly to handle the empty header attributes while parsing the SIP message.

623940-3 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello

Component: Local Traffic Manager

Symptoms:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

The ltm error log message looks like:
*****************************************************
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
*****************************************************

Conditions:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

Impact:
SSL Handshake fails.

623930-3 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.

Fix:
Packets are no longer looped between vlangroup children on vCMP guests.

623927-2 : Flow entry memory leaked after DHCP DORA process

Solution Article: K41337253

Component: Policy Enforcement Manager

Symptoms:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is not freed.

Conditions:
Run the DHCP DORA process through BIG-IP (in relay mode or forwarding mode, and wait for client connection flow entry ages out.

Impact:
The system leaks flow entry memory. Over a long period of time, system memory will eventually run out.

Workaround:
None.

Fix:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is now freed, so no memory leak occurs.

623922-5 : TMM failure in PEM while processing Service-Provider Disaggregation

Solution Article: K64388805

Component: Policy Enforcement Manager

Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.

Conditions:
System crashes when traffic flows and rules get executed on the flow.

Impact:
System crashes.

Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.

Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.

623885-4 : Internal authentication improvements

Solution Article: K41107914

623803-2 : General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'

Solution Article: K12921801

Component: TMOS

Symptoms:
When SCTP profile is selected, the system posts a general DB error due to 'read access denied type Virtual Address profile SCTP'.

Conditions:
-- Login to GUI with non-Admin user.
-- Select SCTP profile from the GUI

Impact:
Cannot get the SCTP profile.

Workaround:
Login with Admin user.

Fix:
The non-Admin user is now be able to login to GUI, select the SCTP profile and retrieve SCTP profile information correctly.

623562-3 : Large POSTs rejected after policy already completed

Component: Access Policy Manager

Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. Client will see a reset, and these error messages will appear on the BIG-IP:

/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big

/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960

Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.

Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.

Workaround:
Move the resource from '/' to another URL.

Fix:
The logic of '/' in this area was changed to be consistent with other URLs.

623518-1 : Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition

Component: Fraud Protection Services

Symptoms:
If a profile is assigned to a user-defined partition, it is not possible to add users to User Enforcement list.

Also, if a user-defined partition is selected, the GUI will not display a message if a there are available signatures/engine updates.

Conditions:
Provision and license FPS.
Create user-defined partition.

Impact:
You are unable to manage the profile in the user-defined partition.

Workaround:
Use tmsh to add users.

Fix:
Users can be added to User Enforcement list and a message will be displayed if a new update is available.

623491-2 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.

Component: Policy Enforcement Manager

Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.

Conditions:
A flow should be associated with a PEM rule that has atleast a BWC action along with a Gx reporting action.

Impact:
The traffic flow is not capped by the correct BWC action, instead it is capped by the maximum configured bandwidth in the BWC policy.

Fix:
The BWC policy is restored correctly after a policy update.

623401-1 : Intermittent OCSP request failures due to non-optimal default TCP profile setting

Component: TMOS

Symptoms:
The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.

Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.

Impact:
The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.

Workaround:
The fix proposed an optimal TCP configuration used by the connection between BIG-IP and OCSP responder which makes the connection reliable now. Therefore the virtual server can now always correctly staple the certificate status in the Server Hello message to the SSL client.

623391-5 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.

Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Workaround:
Run the below to fix /etc/mtab on target (HD1.3 is used in this example; substitute the correct target volume) before cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3

Fix:
cpcfg could incorrectly calculate the amount of free space required, refusing to do the copy unless the / filesystem on the target volume had sufficient space to do the copy (not taking into account /config, /usr, /var, and other filesystems). This has been resolved and this free space calculation is done correctly.

623336-4 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★

Component: TMOS

Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.

This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.

623119 : Linux kernel vulnerability CVE-2016-4470

Solution Article: K55672042

623093-1 : TIFF vulnerability CVE-2015-7554

Solution Article: K38871451

623055-1 : Kernel panic during unic initialization

Component: TMOS

Symptoms:
During system initialization, the kernel panics during unic initialization.

Conditions:
This can occur on BIG-IP Virtual Edition if an error (on memory allocation, io etc.) occurs during unic initialization.

Impact:
The kernel panics, system will not boot.

Fix:
Initialize resources to fail gracefully on error.

623037-2 : delete of pem session attribute does not work after a update

Component: Policy Enforcement Manager

Symptoms:
it will not be possible to delete the session attribute through rules.

Conditions:
rules with session attribute update & delete

Impact:
unable to delete session attribute

623023-1 : Unable to set DNS Topology Continent to Unknown via GUI

Component: Global Traffic Manager (DNS)

Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".

Conditions:
Attempting to configure a DNS Topology Record via the GUI.

Impact:
Unable to set the Continent field to 'Unknown' via GUI.

Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`

Fix:
The dropdown menu now has an option to select an "Unknown" Continent.

622913-2 : Audit Log filled with constant change messages

Component: Application Security Manager

Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:

Error 502 Bad Gateway when clicking "Application Security" logs

Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.

Impact:
Disk space usage and errors viewing the Application Security logs

Workaround:
Workarounds:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)

2) Enable ASM sync on a device group.

Fix:
Updates to the audit log are throttled at max 1/minute.

622877-1 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away

Component: TMOS

Symptoms:
Messages like the following in /var/log/ltm:

Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared
'

Conditions:
i2000 or i4000 series appliances with DDM enabled and a reboot or restart of the pfmand daemon

Impact:
No functional impact, these are not valid DDM alarms or warnings.

Workaround:
Ignore DDM errors that clear right away after powerup or pfmand restart.

Fix:
During DDM initialization clear any alarms or warnings cached in the hardware registers.

622856-1 : BIG-IP may enter SYN cookie mode later than expected

Component: Local Traffic Manager

Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.

Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.

Impact:
BIG-IP does not enter SYN cookie mode at the expected time.

Workaround:
Disable verified accept on all VIP TCP profiles.

Fix:
BIG-IP correctly enters SYN cookie mode when traffic pattern
dictates that it should.

622790-1 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP

Component: Access Policy Manager

Symptoms:
Edge Client takes a lot of time to disconnect when machine is moved to network with no connectivity to BIG-IP

Conditions:
* VPN is established
* Machine is moved to different network (with no BIG-IP) connectivity
* EdgeClient stays in "Disconnecting..." state for few minutes

Impact:
User have to wait until Disconnect procedure is complete

Fix:
Now Edge Client uses 5000msec timeout in order to complete logout HTTP request. This is enough in normal conditions

622735 : TCP Analytics statistics does not list all virtual servers

Component: Application Visibility and Reporting

Symptoms:
In "Statistics :: Analytics : TCP", displaying the stats by virtual server will only allow the option of "Aggregated".

Conditions:
This occurs on virtual servers with the TCP Analytics profile attached.

Impact:
GUI does not list all virtual servers that have the TCP Analytics profile attached.

Fix:
Fixed an issue with displaying TCP Analytics statistics for virtual servers.

622662-7 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697

622619-5 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPd cpu utilization is high and renders it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.

622496 : Linux kernel vulnerability CVE-2016-5829

Solution Article: K28056114

622386-1 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled

Component: Application Security Manager

Symptoms:
Internet Explorer browsers will get into an endless loop of requests, never reaching the back-end server, when accessing a Virtual Server which is enabled with both the Web Scraping feature, and the Proactive Bot Defense, if the mode of Proactive Bot Defense is set to During Attacks.

Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.

Impact:
Internet Explorer browser users are getting blocked from accessing the back-end server.

Workaround:
Two options for workaround:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.

Fix:
Internet Explorer users are no longer blocked when accessing a Virtual Server which has both Web Scraping enabled, and Proactive Bot Defense set to During Attacks.

622281-1 : Network DoS logging configuration change can cause TMM crash

Component: Advanced Firewall Manager

Symptoms:
Whenever a DoS Network logging profile is assigned or removed from a Virtual Server, it could cause random TMM crash.

Conditions:
The problem happens only with runtime config change.

Any logging profile config settings which was configured already and which gets loaded on TMM startup does not have this problem. Since this problem is a one time event on config change, TMM restart will pickup the config change and will work without any problem after the one time crash and TMM restart.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Invalid memory reference after free resulted in crash, which is fixed.

622244-2 : Edge client can fail to upgrade when always connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade an Edge client may fail if the Always Connected mode is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client

Impact:
Upgrade will fail

Workaround:
Disable the Always Connected mode

Fix:
Upgrade functions as intended regardless of connection mode

622220-2 : Disruption during manipulation of PEM data with suspected flow irregularity

Component: Policy Enforcement Manager

Symptoms:
tmm crashes.

Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.

622199 : sys-icheck reports error with /var/lib/waagent

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.

On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch

On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent

M - Mode differs (includes permissions and file type)

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with waagent that was causing sys-icheck to fail.

622194 : sys-icheck reports error with ssh_host_rsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub

ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with ssh_host_rsa_key and ssh_host_rsa_key.pub that was causing sys-icheck to generate an error.

622183-5 : The alert daemon should remove old log files but it does not.

Component: TMOS

Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.

Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.

Impact:
The log filesystem may become completely full, and new log messages cannot be saved.

Fix:
The alert daemon will now remove old log files as intended.

622178-1 : Improve flow handling when Autolasthop is disabled

Solution Article: K19361245

622133-1 : VCMP guests may incorrectly obtain incorrect MAC addresses

Component: TMOS

Symptoms:
vCMP guests may be re-configured to use MAC addresses based off an all zero MAC address (00:00:00:00:00:00).

The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:

-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag

-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag

Conditions:
For this to manifest the vCMP host vcmpd process will have to have had a prior crash or be killed.
In this scenario vcmpd on restart uses a default zero-base MAC address for the guests.
The guests will not use the new zero-based MAC until services are restarted on the guest, on which the new MAC address will take effect.

Impact:
This can cause network issues and conflicts if occurring on multiple guests in the same VLAN as the same MAC addresses will be used.

Workaround:
Restart the guest from the hypervisor.

Fix:
vCMP no longer uses zero-based MACs on vcmpd crash/kill.

622126-1 : PHP vulnerability CVE-2016-7124

Solution Article: K54308010

622017-8 : Performance graph data may become permanently lost after corruption.

Solution Article: K54106058

Component: Local Traffic Manager

Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to backup the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.

However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.

Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.

Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.

Workaround:
Old performance graph data can be extracted from the var/rrd directory of a QKView taken prior to the beginning of the problem.

Fix:
Corrupt performance graph RRD data is now backed up to the /shared/rrd.backup directory during startup even if the directory already exists.

621976-4 : OneDrive for Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working OneDrive for Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.

621974-4 : Skype For Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working Skype For Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.

621957-2 : Timezone data on AOM not syncing with host

Component: TMOS

Symptoms:
Updating the timezone on the host does not sync to the AOM, because certain tzdata files are placed in the wrong directories.

Conditions:
A system using tzdata version v2016i-1 may encounter this problem. If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

then the system has this problem.

Impact:
Time on the AOM is incorrect.

Workaround:
If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

move them to:

/usr/share/zoneinfo/F5zone.tab
/usr/share/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/F5zone.tab

Fix:
Timezone data on AOM now syncs correctly with host again

621937-1 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024

621935-6 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024

621909-4 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members

Solution Article: K23562314

Component: TMOS

Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.

Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.

Impact:
Uneven traffic distribution.

Workaround:
None.

Fix:
This release fixes uneven egress trunk distribution on the BIG-IP 5000 or 10000 platforms when there is an odd number of ports.

621870-2 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.

Conditions:
VIP-VIP configuration

Impact:
System outage

Workaround:
None.

621808-1 : Proactive Bot Defense failing in IE11 with Compatibility View enabled

Component: Advanced Firewall Manager

Symptoms:
Internet Explorer 11 browsers which have "Compatibility View" enabled (under Compatibility View Settings IE menu), will fail the JavaScript challenge, when Proactive Bot Defense is enabled and the "Block requests from suspicious browsers" checkbox is checked.

The challenged request will be blocked using a TCP_RST flag, and the browser will show "This page can’t be displayed" is seen in the browser.

Conditions:
1. DoS profile that is attached to the Virtual Server has Proactive Bot Defense is enabled and "Block requests from suspicious browsers" checkbox is checked.
2. Internet Explorer 11 browsers in which the site's domain is inserted to the "Compatibility View Settings" in the browser's menu.

Impact:
Legitimate browsers get blocked when accessing the site.

Workaround:
None

Fix:
Internet Explorer 11 browsers with "Compatibility View" enabled on the site no longer get blocked when Proactive Bot Defense is enabled on the DoS profile.

621736-6 : statsd does not handle SIGCHLD properly in all cases

Component: Local Traffic Manager

Symptoms:
- Performance graphs are not updating or are not existant.
- proc_pid_stat shows statsd time not increasing
- Top also shows that statsd is not taking any processor time.

Infact statsd is stuck on a wait in a signal handler.

Conditions:
If statsd receives a SIGCHLD signal it will get stuck and not process anything.

The following can trigger the issue:

rm -rf /shared/rrd.backup
- sed -i "s/^#CRC.*$/#CRC $RANDOM/" /var/rrd/throughput.info
- kill -HUP $(pgrep -f /usr/bin/statsd)

Impact:
No performance graphs are collected / generated

Workaround:
Restart statsd:
- bigstart restart statsd

621682-1 : Portal Access: problem with specific JavaScript code

Component: Access Policy Manager

Symptoms:
Portal Access does not rewrite JavaScript code with try...catch... operator followed by literal regular expression.

Conditions:
JavaScript code like follows:
try {} catch (e) {} /aaa/.test(b)

Impact:
Web application may not work correctly.

Fix:
Now try / catch operator followed by literal regular expression in JavaScript code is handled correctly by Portal Access.

621524-2 : Processing Timeout When Viewing a Request with 300+ Violations

Component: Application Security Manager

Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.

Conditions:
Attempting to view a request that triggered hundreds or thousands of violations

Impact:
A timeout is encountered.

Workaround:
increase the "max_execution_time" timeout in /usr/loca/lib/php.ini from 30 to 240 seconds.

Fix:
Processing high violation requests is now more efficient.

621452-1 : Connections can stall with TCP::collect iRule

Solution Article: K58146172

Component: Local Traffic Manager

Symptoms:
Connection does not complete.

Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.

The Initial Sequence number in the SYN, plus the length of the data in the first packet, plus 1, is greater than-or equal to 2^31.

Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.

Impact:
Connection fails.

Workaround:
There is no workaround at this time.

Fix:
The system no properly sets state variables associated with TCP::collect.

621447-1 : In some rare cases, VDI may crash

Component: Access Policy Manager

Symptoms:
VDI process crashes and connections to VDI resources are aborted.

Conditions:
VDI receives unexpected session variable result which is meant for some other VDI thread.

Impact:
Existing VDI connections are aborted and the user needs to login again.

Fix:
VDI should gracefully handle the error condition and should not crash

621423 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:

ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/ssh/ that was causing sys-icheck to report errors.

621422 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port

Component: TMOS

Symptoms:
A 1G optic is inserted in a port that only supports 10G optics, or a 10G optic is inserted in a port that only supports 1G optics.

The invalid optic may show a link light, and no warning appears on the LCD.

Conditions:
i2000 or i4000 platforms ports do not auto-negotiate between 1G and 10G optics. Ports are assigned to one or the other speed.

Impact:
User may not understand why optic is not working correctly

Workaround:
Move the optic to the correct port.

621401 : When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

Component: Device Management

Symptoms:
When BIG-IQ is monitoring more than 1 BIG-IP in a HA clustser, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.

Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.

Impact:
AVR reporting will stop functioning.

Workaround:
bigstart restart restjavad

621386-1 : restjavad spawns too many icrd_child instances

Solution Article: K91988084

Component: TMOS

Symptoms:
icrd_child process keeps crashing and can lead to an out-of-memory condition.

Conditions:
This occurs due to a race condition while restarting the icrd daemon.

Impact:
icrd might crash.

Workaround:
None.

Fix:
Fixed race condition that caused the system to run out of memory by spawning too many icrd_child processes.

621379-2 : TCP Lossfilter not enforced after iRule changes TCP settings

Component: Local Traffic Manager

Symptoms:
TCP Lossfilter function doesn't work properly, although the first few losses will be properly ignored.

Conditions:
TCP profile has ALL of the following settings:
mptcp disabled; rate-pace disabled; tail-loss-probe disabled; fast-open disabled; cmetrics-cache-timeout = 0; congestion ctrl is reno, new-reno, high-speed, or scalable; nagle enabled or disabled; rtx_thresh = 3; loss-filter settings are both > 0.

an iRule changes any of the above settings except loss-filter.

Impact:
Sending rate declines due to packet losses improperly interpreted as congestion.

Workaround:
Change any of the conditions above.

Fix:
Properly handle loss-filter state when switching TCP stacks.

621374-1 : "abbrev" argument in "whereis" iRule returns nothing

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule [whereis <ip|ldns> abbrev] does not return a value.

Conditions:
iRule relying on whereis abbrev is used.

Impact:
The whereis iRule command will not return the expected value.

621371-2 : Output Errors in APM Event Log

Solution Article: K43523962

621337-6 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469

Solution Article: K97285349

621314-6 : SCTP virtual server with mirroring may cause excessive memory use on standby device

Solution Article: K55358710

Component: TMOS

Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.

Conditions:
SCTP virtual server has mirroring enabled.

Impact:
TMMs will have high memory usage on standby device.

Workaround:
Disable mirroring on the SCTP virtual server.

Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.

621273-1 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM does not crash.

621259-3 : Config save takes long time if there is a large number of data groups

Component: TMOS

Symptoms:
Config save takes a long time to complete

Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration

Impact:
When take longer than 90 seconds soap iControl will time out.
This make it impossible to manage via EM

621242-1 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
Increased the reserved free space in VM image from 15% to 30% to accommodate upgrades to future versions. Each next version tends to be bigger and require more disk space to install. The increased reserved space will allow upgrading to at least next 2 versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.

621239-2 : Certain DNS queries bypass DNS Cache RPZ filter.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.

Conditions:
A DNS Cache configured with RPZ.

Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.

Fix:
The DO-bit is now ignored with respect to RPZ filtering.

621233-1 : FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm

Solution Article: K49440608

621225 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"

Component: TMOS

Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.

Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.

Impact:
They are false alarms in the log. The associated interfaces do not have said PCI devices.

Fix:
Removed the possibility of getting false alarm messages in the LTM log for front panel interfaces 1.0-6.0 that claim, "PCI Device not found for Interface X.0".

621210-2 : Policy sync shows as aborted even if it is completed

Component: Access Policy Manager

Symptoms:
After syncing a policy in a sync-only device group, the policy appears to be synced to the target successfully, however, the remote HA pair devices show status as canceled/aborted.

Conditions:
It is not known exactly what triggers this condition. It was observed in a 4-device trust group consisting of 2 sync/failover groups and a single sync-only device group for all 4 devices. After the sync the status reported as cancelled/aborted.

Impact:
Sync status is displayed incorrectly, even after the sync was successful.

Workaround:
None.

Fix:
Policy sync now shows as completed when it is completed.

621126-2 : Import of config with saml idp connector with reuse causes certificate not found error

Component: Access Policy Manager

Symptoms:
Export and then Import with reuse of config that has SAML Idp Connector as part of configuration would fail with Object not found or Certificate not found error:

Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.

Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.

Impact:
Importing fails.

Workaround:
On From box:Disconnect Idp configuration, export config.
On To box:Recereate Idp configuration, import, reconnect it.

Fix:
Importing with reuse is fixed.

621115-1 : IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Component: Performance

Symptoms:
Traffic to and from the Linux host has TTL set to 255 or hop limit set to 64. This may impact any protocols that scrutinize the TTL such as IGMP or BGP.

Conditions:
IP/IPv6 TTL/hoplimit for host traffic.

Impact:
IGMP packets will not be passed from TMM to the Linux host and remote routers may reject IGMP packets from the BIG-IP.

BGP neighbors may reject packets from the BIG-IP.

Workaround:
Adjust TTL verification restrictions on peer devices.

Fix:
The IP/IPv6 TTL/hoplimit of host traffic is no longer modified when it traverses TMM.

620929-4 : New iRule command, MR::ignore_peer_port

Component: Service Provider

Symptoms:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port. Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Conditions:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port.

Impact:
Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Workaround:
Without this change, a new connection would need to be created to the client.

Fix:
New iRule command allow script author to identify the current connection as equivalent to other connections of the IP and route domain ID matches.

620903-1 : Decreased performance of ICMP attack mitigation.

Component: Performance

Symptoms:
Decreased performance of ICMP attack mitigation.

Conditions:
A Big-Ip is under attack, for example a ICMP flood attack.

Impact:
Decreased performance of ICMP attack mitigation.

Workaround:
NA

Fix:
Increased performance of ICMP attack mitigation.

620829-2 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
None.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.

620801-3 : Access Policy is not able to check device posture for Android 7 devices

Component: Access Policy Manager

Symptoms:
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve device MAC address and hence APM is not able to check for device compliance against configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item.

If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.

Conditions:
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status
- User accesses APM from an Android 7 device using F5 Edge Client app.

Impact:
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.

Workaround:
This workaround only applies to IBM Maas360:

Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:

session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}

And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:
session.client.platform = expr {[mcget session.client.platform_tmp]}

Fix:
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.

620788-1 : FQDN pool created with existing FQDN node has RED status

Solution Article: K05232247

Component: Local Traffic Manager

Symptoms:
After creating an FQDN pool using an existing FQDN node, the pool has RED status.

Conditions:
-- Existing FQDN node.
-- Pool created with an existing FQDN node as a member.

Impact:
Traffic will not pass in this pool.

Workaround:
As a workaround, follow these steps:
1. Delete the existing FQDN node.
2. Create a new one.
3. Create a pool that includes the new FQDN node.

Fix:
When creating an FQDN pool with an existing FQDN node, the pool status now reflects the actual monitor status.

620782 : Azure cloud now supports hourly billing

Component: TMOS

Symptoms:
Prior to 12.1.2 hourly billing was not supported in Azure cloud.

Conditions:
Any version prior to 12.1.2 in Azure Cloud

Impact:
Hourly billing not possible

Fix:
With 12.1.2 hourly billing is now supported in Azure.

620759-4 : Persist timeout value gets truncated when added to the branch parameter.

Component: Service Provider

Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.

Conditions:
If the persist timeout value was higher that 65535 then the value gets truncated.

Impact:
Incorrect persist timeout get into affect for the call other than the value set in the config.

Workaround:
None.

Fix:
Persist timeout value no longer gets truncated when added to the branch parameter.

620659-3 : The BIG-IP system may unecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
info mprov:4614:: \'\'provision.initialized\' indicates force TMOS only provisioning - forcing.\'

During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
info mprov:4609:: \'Existence of file \'/mprov_firstboot\' indicates force TMOS only provisioning - forcing.\'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.

620635-2 : Request having upper case JSON login parameter is not detected as a failed login attempt

Component: Application Security Manager

Symptoms:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ JSON login parameter with an upper-case character

Impact:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Workaround:
N/A

Fix:
We've made sure that JSON login parameter are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.

620625-2 : Changes to the Connection.VlanKeyed DB key may not immediately apply

Solution Article: K38094257

Component: Local Traffic Manager

Symptoms:
Changes to the Connection.VlanKeyed DB key may not immediately apply to all TMMs

Conditions:
The Connection.VlanKeyed DB key is changed

Impact:
Asymmetrically routed connections may fail with Connection.VlanKeyed disabled

Workaround:
Restarting TMM will resolve the issue, though this will interrupt traffic so should be performed during a maintenance window. To do so, run one of the following tmsh commands:

-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm

Fix:
Asymmetrically routed connections no longer fail with Connection.VlanKeyed disabled.

620614-4 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account

Component: Access Policy Manager

Symptoms:
iOS Citrix receiver fails to add new store account and touching on the Save option after providing the credentials displays "Loading" and comes back to previous save option.

/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.

The above error, otherwise, below error which deletes the session id abruptly.

Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).

Conditions:
APM is configured with Citrix replacement mode. Provide wrong passcode values for RSA SecurId auth for continuously three times which trigger the next token input for the fourth time entering the right passcode. APM rotate session is enabled.

Impact:
iOS Citrix receiver could not add the account after providing wrong token values for two factor auth

Workaround:
Kill the iOS Citrix receiver application and click on the receiver again to add the account.

Fix:
Use the right session id for decrypting the password.

620543-1 : Security Address Lists and Port Lists can't change Description field

Component: Advanced Firewall Manager

Symptoms:
'Description' doesn't get saved when a user tries to create a Address List, or Port List.

Conditions:
Create an Address List/Port List with a description, and hit 'Finished'. The Address/Port List will be created, but the object will not be saved.

Impact:
Users will not be able to save description when Address List/Port List gets created via GUI.

Workaround:
Use tmsh to create Address/Port List.

Fix:
'Description' gets saved when a user tries to create a Address List, or Port List.

620445-4 : New SIP::persist keyword to set the timeout without changing key

Component: Service Provider

Symptoms:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout> disables bidirectional persistence.

Conditions:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout>.

Impact:
Disables bidirectional persistence. Persistence entry only records destination (not source) of the session.

Workaround:
None.

Fix:
New keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key.

Behavior Change:
There is a new keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key. Previously, if you changed the timeout, it disabled bidirectional persistence.

620400-1 : TMM crash during TLS processing

Solution Article: K21154730

620366-4 : Alertd can not open UDP socket upon restart

Component: TMOS

Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener

Conditions:
alertd has spawned a long-running process (e.g. ntpd) which does not close inherited file descriptors.

Impact:
alertd fails to restart

Fix:
Mark alertd file descriptors for automatic closure in child processes.

620215-5 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.

620079-3 : Removing route-domain may cause monitors to fail

Component: Local Traffic Manager

Symptoms:
Removing route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.

Conditions:
Route-domain is removed and icmp/gateway-icmp monitor is used.

Impact:
Monitor marking node down resulting in partial service outrage.

Workaround:
Restart bigd (bigstart restart bigd).

620056-1 : Assert on deletion of paired in-and-out IPsec traffic selectors

Component: TMOS

Symptoms:
When two traffic-selectors, one in and one out, mirror each other by reversing source and destination addresses, then deleting one can miss-fire an assert, restarting tmm.

Conditions:
Defining two clearly related traffic selectors, one for in and one for out, can confuse a later check of their names.

Impact:
When a traffic selector is deleted, from such a pair, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.

Workaround:
Using one traffic selector with direction=both would avoid the problem, before this change appears in a release.

Fix:
The confusion of over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors -- just like each other execpt for reversed source and destination -- will work correctly for IKEv1 configs. For IKEv2 it is still best to use single TS insances with direction=both.

619879-1 : HTTP iRule commands could lead to WEBSSO plugin being invoked

Component: Access Policy Manager

Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor

With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Conditions:
HTTP::disable followed by HTTP::enable.

when CLIENT_ACCEPTED {
    HTTP::disable
    // do some other stuff
    HTTP::enable
}

Impact:
client receives a HTTP 503 reset

Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.

Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.

619849-4 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profiles, that must be handling traffic.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
disable verify accept.

Fix:
the loop is fixed.

619844-2 : Packet leak if reject command is used in FLOW_INIT rule

Component: Local Traffic Manager

Symptoms:
TMM memory usage (packets) increases steadily over time.

Conditions:
'reject' command is used in a FLOW_INIT rule

Impact:
Packet leak over time will consume TMM memory.

Workaround:
Do not use reject command in FLOW_INIT iRule

619811-2 : Machine Cert OCSP check fails with multiple Issuer CA

Component: Access Policy Manager

Symptoms:
If there are multiple CAs in the CA bundle and issuing CA is not first in it, the OCSP responder returns "unauthorized" response.

Conditions:
This can only happen when issuing CA is not first in the CA file.

Impact:
OSCP check in machine cert will fail and user won't be able to follow successful branch in Access Policy. This might result in Authentication failure even though the machine cert is valid.

Workaround:
Use iRule Event and variable Assign agent in between Machine Cert and OCSP Auth agent.

Follow these steps:

iRule:

1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"

Variable Assign:

3) Read this issuer cert from the session db and assign it back to the same session variable:

session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }

Fix:
Issuer cert is now looked up and set properly from the CA bundle. So there is no longer any failure response from OCSP responder.

619757-1 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.

619663-3 : Terminating of HTTP2 connection may cause a TMM crash

Solution Article: K49220140

Component: Local Traffic Manager

Symptoms:
TMM crashes when an HTTP2 connection is being terminating on client and server sides concurrently.

Conditions:
-- HTTP2 profile is configured and assigned to a virtual server.
-- A client SSL profile is also used on the same virtual server.
-- Client interrupting a connection and server terminating a connection at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A fix stops HTTP2 from further processing when a connection is terminating preventing TMM crash for this reason.

619528-4 : TMM may accumulate internal events resulting in TMM restart

Component: Local Traffic Manager

Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.

Conditions:
HTTP virtual with long-lived connections.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.

Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.

619516-1 : Inconsistencies in Automatic sync ASM Device Group

Component: Application Security Manager

Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.

Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.

Impact:
This can cause any of the following depending on the change:
-- Superfluous full sync operations.
-- Updating the wrong element on the remote devices.
-- Missing changes on the remote devices.

Workaround:
Disable automatic sync on the device group, and periodically push changes manually.

Fix:
Calls are correctly propagated across Automatic sync Device Groups with ASM enabled.

619486-3 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self

Component: Access Policy Manager

Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access could fail if application modifies window.self builtin object. As a result, the application will stop working and optionally log an undefined variable/reference exception into Developer Tools console.

To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.

Conditions:
This can occur if a web application has javascript that modifies the value of window.self.

Impact:
Affected web-applications will not work when accessed through Portal Access.

Workaround:
None

Fix:
Scripts on pages accessed through Portal Access are no longer failing when web application code modifies window.self.

619473-2 : Browser may hang at APM session logout

Component: Access Policy Manager

Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.

Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.

Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.

Fix:
Now browser does not hangs at logout from APM session with RDP client and/or VMvare View client.

619410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
-- Compression requests for DEFLATE/gzip/zlib levels other than level 1.
-- BIG-IP devices using Coleto Creek SSL hardware acceleration.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.

Workaround:
None.

Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip/zlib compression levels, not just level 1.

619398-7 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.

619250-1 : Returning to main menu from "RSS Feed" breaks ribbon

Component: Access Policy Manager

Symptoms:
When you go to "RSS Feed" configuration page for Document, Picture Library, List etc. and go back to SharePoint Dashboard using link at the top pointing to "RSS FEED for ..." and then click any option on the ribbon, you got "500 Internal Server Error" and ribbon stops working. When you use built-in browser button "go back" instead, everything works Ok.

Conditions:
"500 Internal Server Error" occurred. Ribbon stop working.

Impact:
Ribbon stop working.

Workaround:
Use built-in browser "go back" button instead.

Fix:
Returning to main menu from "RSS FEED for ...", ribbon continue to work. No more "500 Internal Server Error".

619158-1 : iRule DNS request with trailing dot times out with empty response

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.

Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.

Impact:
The request does not properly resolve to an IP address.

Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.

Fix:
Domain names with trailing dots are properly resolved from iRules. The trailing dot is stripped when the request is saved to later match with the response.

619110-1 : Slow to delete URLs, CPU spikes with Automatic Policy Builder

Component: Application Security Manager

Symptoms:
Deleting a URL causes an incorrect event to be generated and logged for every other URL in the Policy.

When a policy has many URLs configured, deleting a URL takes a long time and consumes heavy CPU time.

Conditions:
Many URLs are configured in the Policy.
This can be due to Policy Builder being set to "Always" learn new HTTP URLs.
If Policy Builder is also configured to collapse common URLs to wildcards, then it deletes the collapsed urls and these calls can be resource intensive.

Impact:
1) GUI is slow to delete URLs
2) Misleading (incorrect) logs are present in the audit log for each other URL in the system after a URL delete.
3) CPU can spike to 100%

Workaround:
A) Change "Learn New HTTP URLs" mode to "Selective" from "Always"
B) Disable collapse URLS.

Fix:
URL delete no longer incorrectly generates an event for every other URL in the system.

619097 : iControl REST slow performace on GET request for virtual servers

Component: TMOS

Symptoms:
Performing a GET request on a BIG-IP with a large number of virtual servers may result in slow performance and timeout errors.

Conditions:
When a significant number of virtual servers reference persistence profiles.

Impact:
Unable to perform large GET query on virtual servers.

Workaround:
None.

Fix:
Improved iControl REST performance for Performing a GET request on a BIG-IP with a large number persistence profiles on virtual servers.

619071-3 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disabled verified accept when used with OneConnect on a VIP.

Fix:
Verified accept, OneConnect and hardware syncookies work
correctly together.

619060 : Reduction in boot time in BIG-IP Virtual Edition platforms

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) version has experienced increased boot time.

Conditions:
The increased boot time occurs each time a VE is booted.

Impact:
Long boot time, longer than previous releases.

Workaround:
None.

Fix:
Reduction in boot time in BIG-IP Virtual Edition platforms.

618957-1 : Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates

Component: Access Policy Manager

Symptoms:
BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such metadata file contains two certificates (one with 'signing' and one with 'encryption use) then BIG-IP will import certificate that is positioned 'second' in metadata twice.

Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'

Impact:
There is no impact if in metadata signing and encryption certificates are the same. If certificates are different - SAML SSO may not function properly due to incorrect certificate imported in configuration.

Workaround:
Import certificates manually, and assign them to created from metadata SAML SP connector

Fix:
Issue is now fixed: both certificates are imported correctly.

618944-1 : AVR statistic is not save during the upgrade process

Component: Application Visibility and Reporting

Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.

Conditions:
AVR statistic was collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.

Impact:
Old AVR statistics will be lost

Workaround:
1. before upgrade edit the following file:
./usr/libdata/configsync/avr_save_pre
2. change the following line " [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "

with " [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "

Fix:
AVR upgrade script fixed

618905-1 : tmm core while installing Safenet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm core while installing Safenet 6.2 client.

Conditions:
Safenet 6.2 client installation

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm core related to Safenet 6.2 client installation.

618902-4 : PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation

Component: Advanced Firewall Manager

Symptoms:
Each time the Packet Classification Compiler Daemon (PCCD) process recompiles rules due to configuration changes, it loses approximately 20 bytes or more (depends on the rule complexity) due to small memory leak.

Conditions:
This occurs when making changes to the firewall configuration when AFM is configured.

Impact:
This can potentially lead to an out-of-memory situation if the system runs for a long time without reboot and PCCD continuously recompiles due to frequent configuration changes.

Workaround:
None.

Fix:
The PCCD memory leak was identified and fixed.

618779-1 : Route updates during IPsec tunnel setup can cause tmm to restart

Component: TMOS

Symptoms:
During the setup of IPsec tunnel flows, tmm depends on a valid route being available towards a remote peer to correctly create the IPsec inbound tunnel flows. The absence of the route at this stage, causes tmm to crash and restart. This is more likely to happen if the route towards the endpoint is dynamic.

Conditions:
IPsec tunnels are being set up with a given remote peer and the route towards that peer is not reliably present (as is in the case of dynamic route updates)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that there is always a valid route towards each of the remote peers.

Fix:
The tmm process no longer restarts if there is no valid route towards the remote peer during IPsec tunnel setup.

618771-1 : Some Social Security Numbers are not being masked

Component: Application Security Manager

Symptoms:
ASM does not block or mask some SSN numbers.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains social security numbers with specific ranges.

Impact:
The traffic passes neither masked nor blocked to the end client.

Workaround:
None.

Fix:
The system now correctly masks and/or blocks all relevant social security numbers.

618657-4 : Bogus ICMP unreachable messages in PEM with ipother profile in use

Component: Policy Enforcement Manager

Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.

Conditions:
A VS with ipother profile configured together with the PEM profile. In the field defect the additional piece needed was the missing classification, but this is due to code ordering, so in non-fixed versions this can also happen with the classification profile present.

Impact:
Unnecessary ICMP traffic

Fix:
Fixed an issue related to unnecessary ICMP traffic in the PEM filter.

618656-2 : JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge is repeating in a loop on Firefox on URLs which are longer than 1033 characters. The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs are longer than 1033 characters, AND:
Users are using the Firefox browser, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests to URLs longer than 1033 will be blocked on Firefox, and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on Firefox, on URLs which are longer than 1033 characters.

618549-1 : Fast Open can cause TMM crash CVE-2016-9249

Solution Article: K71282001

618517-1 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring

Solution Article: K61255401

Component: Local Traffic Manager

Symptoms:
- In v11.6.1, bigd reports pool members were marked down that are not actually down, and logs messages similar to the following in the ltm log file:

warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.

- Because of changes in the v12.1.x software, although the problem is still present, it has negligible impact.

Conditions:
-- Monitoring is in use.
-- bigd debug logging is enabled.
-- The bigd debug log file (/var/log/bigdlog) is full.

Impact:
- On v11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.

- In v12.1.x, some of the underlying logging code changed, and there is no real impact.

Workaround:
Prevent the log file from getting full. To do so, rotate the log file using the following command:
logrotate -f bigdlog

Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.

618506 : TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Component: Access Policy Manager

Symptoms:
TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Conditions:
APM is provisioned and access profile is attached to the virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Correctly handle session DB data in APM to prevent memory segmentation fault.

618430-2 : iRules LX data not included in qkview

Component: Local Traffic Manager

Symptoms:
Qkview does not contain any of the iRuleLX information.

Conditions:
N/A

Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.

Fix:
The following ILX information was added to the qkview:

TMSH commands:
  list ilx workspace all-properties
  list ilx plugin all-properties
  list ilx global-settings (13.0.0+)
  list ltm profile ilx all-properties (13.0.0+)
  show ilx plugin all
  show ltm profile ilx all (13.0.0+)

The files in the following folders:
  /var/ilx - master copies of workspaces
  /var/sdm - running files of the plugins
  /var/log/ilx - ILX specific logs

618428 : iRules LX - Debug mode does not function in dedicated mode

Component: Local Traffic Manager

Symptoms:
In case if the debug option is enabled in the dedicated mode, sometimes some of the nodejs process can be allocated a "in-use" port, which prevents it from starting successfully.
By design every process is guaranteed a debug port in the configured range as long as there are enough ports available in the system. In-use ports are skipped, so consecutive port allocation is not guaranteed.

Conditions:
some of the ports in the range are busy.

Impact:
Some of the nodejs processes fail to start which prevents normal iRuleLX operation.

Workaround:
Consult with netstat output and set the debug-port-range-low to a higher value (eg. 10000+) to minimise the change of a port conflict.

618421 : Some mass storage is left un-used

Component: TMOS

Symptoms:
It is intended that all mass storage capacity be available for use by application data, site-local configuration, or sofwtare. In some conditions, about 10% of the mass storage capacity is not made available for application data.

Conditions:
This occurs on the BIG-IP i-Series platforms.

Impact:
Applications that use a lot of storage may not function optimally.

Fix:
The storage is optimally reallocated.

618404-1 : Access Profile copying might end up in invalid way if series of names.

Component: Access Policy Manager

Symptoms:
After copying an access policy, you receive an error when trying to open the copy: "Unable to load accessPolicy '/Common/my_policy_access_1_1' from source."

Conditions:
When items with names ending with _#_#_1 and _#_#_2, _# reduction is working.

Impact:
Unable to copy policy properly.

Workaround:
Export policy, import with reuse.

Fix:
Copying is fixed for this conditions.

618382-4 : qkview may cause tmm to restart or may take 30 or more minutes to run

Component: TMOS

Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.

Conditions:
This can occur on the following versions:

- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1

This can occur when the BIG-IP is heavily loaded and while running the qkview command.

Impact:
Qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.

Workaround:
Do not run the qkview command if the device is heavily loaded.

Fix:
Removed offending "show sys connection" command from qkview utility.

618324-1 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
When upgrading from OPSWAT SDK V3 to V4, opening Access Policy in VPE if one of the opswat checker (e.g. Anti-Virus checker) contains an Undefined (i.e. previously defined but out of support) ID it will display as "Any." The correct display should be "Unsupported" or "Invalid" product.

Conditions:
Wrongful information displayed.

Impact:
Wrongful information displayed.

Workaround:
N/A

Fix:
Correct (*** Invalid ***) information displayed.

618306-2 : TMM vulnerability CVE-2016-9247

Solution Article: K33500120

618263-1 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005

618261-6 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005

618254-4 : Non-zero Route domain is not always used in HTTP explicit proxy

Component: Local Traffic Manager

Symptoms:
You may experience connectivity failure in certain situations where a sideband communications are required as part of the transaction.

Conditions:
BIG-IP has http-explicit configuration, where a sideband connection is required, say in the case of getting an OCSP response or a DNS resolver response when those services are associated with a different route domain.

Impact:
End-to-end connectivity failure.

Workaround:
Change configuration so that all services required are on the default route domain, 0.

618185-1 : Mismatch in URL CRC32 calculation

Component: Fraud Protection Services

Symptoms:
In some cases URL CRC32 calculated by JS does not match referrer CRC32 calculated by Plugin.

Conditions:
Each one of next conditions cause this problem:
1. CRC32 calculated for URL with path parameters while strip_path_parameters BigDB variable value is 'true'.
2. CRC32 calculated for URL with a fragment (hashmark '#') in query string.

Impact:
A component validation alert is triggered as a result of mismatch between URL CRC32 calculated by JS and referrer CRC32 calculated by Plugin.

Workaround:
No workaround.

Fix:
strip_path_parameters BigDB variable value is passed to JS and JS URL normalization before CRC32 calculation is now similar to the one Plugin does.

618170-3 : Some URL unwrapping functions can behave bad

Component: Access Policy Manager

Symptoms:
Some URL unwrapping functions can behave incorrectly with different web application malfunctions as a result.

Conditions:
JavaScript with "location.pathname" like fields at the right side of an expression.

Impact:
Different web application malfunctions. One example is SharePoint 2010 using IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.

Fix:
Fixed.

618161-1 : SSL handshake fails when clientssl uses softcard-protected key-certs.

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when clientssl uses softcard-protected key-certs.

Conditions:
Softcard-protection is enabled and token protection is disabled.

Impact:
SSL handshake fails

Workaround:
None known.

Fix:
SSL handshake no longer fails when clientssl uses softcard-protected key-certs.

618121 : "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★

Component: Local Traffic Manager

Symptoms:
"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x

Conditions:
When the RTSP_RESPONSE event and "persist add" iRule are used and upgrade to v12.x.x.

Impact:
"persist add" iRule validation failed. The iRule will not be loaded.

Workaround:
possible workaround is to bypass validation

when RULE_INIT {
  set static::persist_cmd { persist add uie $SessionID $static::persist_timeout }
}

when RTSP_RESPONSE {
   set SessionID [RTSP::header value "Session"]
  if { $SessionID != "" }{
    #persist add uie $SessionID $static::persist_timeout
    eval $static::persist_cmd
  }
}

618024-2 : software switched platforms accept traffic on lacp trunks even when the trunk is down

Component: Local Traffic Manager

Symptoms:
On software switched platforms tmm owned LCAP trunks still accept traffic even though the trunk is down from the control plane ( LACP status down).

Conditions:
LACP trunk with status down

Impact:
VLAN failsafe timers are erroneous reset, VLAN failsafe is broken.

Workaround:
no workaround

Fix:
tmm now checks the link status on tmm owned lacp trunks before accepting traffic.

617986-2 : Memory leak in snmpd

Component: TMOS

Symptoms:
Memory usage in snmpd is increases until the OOM process kills snmpd.

Conditions:
BIG-IP configured with virtual servers that have the same destination IP address

Impact:
snmp disrupted while snmp restarts.

Workaround:
No workaround

Fix:
Fixed memory leaks.

617935 : IKEv2 VPN tunnels fail to establish

Component: TMOS

Symptoms:
IKEv2 VPN tunnels fail to establish.

Conditions:
This occurs with IKEv2 on a specific 12.1.2 HF1 engineering hotfix.

Impact:
IPsec IKEv2 VPN tunnels fail to establish.

Workaround:
Use IPsec IKEv1.

Fix:
IKEv2 VPN tunnels now establish as expected.

617901-1 : GUI to handle file path manipulation to prevent GUI instability.

Solution Article: K00363258

617875-1 : vCMP guest may fail to start due to not enough hugepages

Component: TMOS

Symptoms:
In rare cases, when there are many vCMP guests, the last one may fail to start because the system has apparently leaked a few 2M hugepages. The shortfall so far has been very small, 5 - 20 hugepages missing, but occasionally this is enough that the last guest can not start.

Conditions:
It is not yet known what triggers this.

Impact:
vCMP guest fails to start.

Workaround:
Once in this state, only restarting the host system seems to clear the condition. Restarting the VCMP guests does not appear to help.

Fix:
Addressed by changes to the pagemap code.

617865-1 : Missing health monitor information for FQDN members

Component: TMOS

Symptoms:
Health monitor information and status are both missing for FQDN nodes and pool members.

Conditions:
FQDN nodes and pool members configured.

Impact:
GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members.

Workaround:
Check logs for this info.

Fix:
The system now exposes health monitors info/status and the GUI shows them in node properties page, pool member properties page, and monitor instances page.

617862-2 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: Your TCP handshake will not prematurely timeout and connections remains open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on idleness of the connection, taking into consideration of any SYN retransmissions, etc., that might occur.

617858-2 : bigd core when using Tcl monitors

Component: Local Traffic Manager

Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.

Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).

Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.

Workaround:
None.

Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.

617824-3 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.

Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.

Workaround:
You can work around the problem by disabling oneConnect.

617733-1 : Error message: subscriber id response; Subscription not found

Component: TMOS

Symptoms:
BIG-IP restarts the icr_eventd process and generates a core file. You might see the following messages in the LTM log file:

-- err icr_eventd[4589]: 01a10003:3: Receive MCP msg failed: could not get subscriber id response, status: 0x1020046
-- err mcpd[4206]: 01070069:3: Subscription not found in mcpd for subscriber Id %icr_eventd.

Conditions:
Might be related to restarting a BIG-IP Virtual Edition installation.

Impact:
The icr_eventd process restarts, and the system produces a core file.

Workaround:
None.

617690-4 : enable SIP::respond iRule command to operate during MR_FAILED event

Component: Service Provider

Symptoms:
When an message fails to route, it is not possible to return an error status back to the client.

Conditions:
When a message fails to route, the MR_FAILED event is raised for the message.

Impact:
Without this change, it is not possible for the script author to generate a response message to the client based on the routing failure.

Workaround:
NA

Fix:
SIP::respond command now works during MR_FAILED event.

617688 : Encryption is not activated unless "real-time encryption" is selected

Component: Fraud Protection Services

Symptoms:
Encryption is not activated as expected

Conditions:
Encryption enabled
Real-time encryption disabled

Impact:
Encryption error alert received in alert server

Workaround:
Enable "real-time encryption"

Fix:
Encryption on submit is now supported better.

617648 : Surfing with IE8 sometimes results with script error

Component: Fraud Protection Services

Symptoms:
Slow devices running Internet Explorer 8 can suffer performance issues on websafe protected sites.

Conditions:
Slow device running Internet Explorer 8.
Large number of configured or updated malware signatures.

Impact:
Clientside slowness.
In extreme cases, a popup asking the user whether to stop the script.

Workaround:
Reduce the number of malware signatures

Fix:
Compressed signatures

617628-1 : SNMP reports incorrect value for sysBladeTempTemperature OID

Component: TMOS

Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245

# tmsh show sys hardware

Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...

The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.

Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.

Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.

config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
  1 1 0 19 49 Blade air outlet temperature 1
  1 2 0 14 41 Blade air inlet temperature 1
  1 3 0 21 57 Blade air outlet temperature 2
  1 4 0 16 41 Blade air inlet temperature 2
  1 5 0 25 60 Mezzanine air outlet temperatur
  1 6 0 27 72 Mezzanine HSB temperature 1
  1 7 0 17 63 Blade PECI-Bridge local tempera
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
  1 9 0 25 68 Mezzanine BCM56846 proximity te
  1 10 0 22 69 Mezzanine BCM5718 proximity tem
  1 11 0 19 57 Mezzanine Nitrox3 proximity tem
  1 12 0 16 46 Mezzanine SHT21 Temperature

617622 : In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure

Component: TMOS

Symptoms:
In TMSH, when trying to save the AAM configuration, TMSH removes value from matching rule. It corrupts bigip.conf and causes system loading configuration failure, with the following error in /var/log/ltm:

01070734:3: Configuration error: Policy "/Common/Drafts/<policy>", node "test_node", matching rule "path:Path": Must have a value.
Unexpected Error: Validating configuration process failed.

Conditions:
-- Use TM Shell to load configuration.
-- AAM configuration is loaded on BIG-IP and it is saved

Impact:
TMSH fails to load system configuration file.

Before the configuration save the policy would look like this:
matching {
  path {
    values {
      / { }
    }
  }
}

After the save it is converted to
matching {
  path { }
}

Workaround:
None.

Fix:
TMSH now saves AAM configuration without removing values from matching rules. Saving/loading system configuration succeeds.

617481-1 : TMM can crash when HTML minification is configured

Component: TMOS

Symptoms:
When AAM is provisioned and is used to cache dynamic pages, it can be configured to use HTML Minification to improve performance and optimize memory utilization. In some cases, HTML may incorrectly process the HTML code and cause TMM to crash.

Conditions:
1) AAM has to be provisioned and
2) AAM policy has to be configured and
3) has HTML minification enabled and
4) be applied to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disabling minification prevent TMM from crashing for this reason.

617310-2 : Edge client can fail to upgrade when Always Connected is selected★

Component: Access Policy Manager

Symptoms:
Attempt to upgrade from an Edge client version to a current version fails when Always Connected is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client.

Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.

Workaround:
Turn off Always Connected before upgrading.

Fix:
Edge client now succeeds during upgrade when Always Connected is selected.

617273-7 : Expat XML library vulnerability CVE-2016-5300

Solution Article: K70938105

617229-1 : Local policy rule descriptions disappear when policy is re-saved

Solution Article: K54245014

Component: TMOS

Symptoms:
Local policy rule descriptions disappear when policy is re-saved.

Conditions:
A rule with description exists, and the policy it's under is saved.

Impact:
An existing rule description disappears when the policy it's under is saved.

Workaround:
Use TMSH to modify the policy's properties.

Fix:
Local policy rule descriptions now remain visible when policy is re-saved.

617187-1 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
If APM server uses untrusted SSL certificate/or it is accessed using IP address CustomDilaer, access is refused and there is no prompt to confirm the security warning.

Conditions:
APM has invalid certificate
User uses CustomDialer to access VPN

Impact:
VPN connection can't be established

Workaround:
Use valid SSL certificate on APM or add particular invalid certificate to trusted store on Windows

Fix:
Now CustomDialer warns user about invalid certificate and allows to proceed with invalid certificate.

617124 : Cannot map hardware type (12) to HardwareType enumeration

Component: TMOS

Symptoms:
iControl-SOAP throws an error whenever a method call to SystemInfo::get_hardware_information() is made.

Conditions:
This is reproducible in under all conditions.

Impact:
iControl-SOAP crashes when this call is made.

Workaround:
Don't call this SystemInfo::get_hardware_information().

Fix:
Call this method no longer leads to a crash.

617063-1 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel

Component: Access Policy Manager

Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.

Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.

Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.

Fix:
If captive portal is detected during reconnect, close VPN resources before showing captive portal authentication page.

617014-3 : tmm core using PEM

Component: Policy Enforcement Manager

Symptoms:
tmm core when using PEM with cloning monitored traffic

Conditions:
Using PEM with iRules and cloning traffic

Impact:
Traffic disrupted while tmm restarts.

Fix:
The problem with PEM and cloning traffic via iRule has been corrected.

617002-1 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Component: Access Policy Manager

Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.

Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.

Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.

Fix:
Correctly handle the response analytics for these URLs and dont send resets to client.

616918-1 : BMC version 2.50.3 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.50.3.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- PXE boot.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

616864-1 : BIND vulnerability CVE-2016-2776

Solution Article: K18829561

616838-3 : Citrix Remote desktop resource custom parameter name does not accept hyphen character

Component: Access Policy Manager

Symptoms:
While adding the custom parameter in Citrix Resource would give parser error as following,

01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"

Conditions:
Having Citrix resource with custom parameter name with hyphen character

Impact:
Custom parameter can not be used with hyphen character

Workaround:
None

Fix:
Accept custom parameter name with hyphen character

616242-3 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★

Solution Article: K39944245

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.

616215-4 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.

616169 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.

Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.

616104-2 : VMware View connections to pool hit matching BIG-IP virtuals

Component: Access Policy Manager

Symptoms:
When a VMware View resource is configured to use a pool as a destination, for all the connections to this pool, except the very first one, a matching virtual lookup is performed.
This doesn't align with the typical BIG-IP behavior on pool connections that should go directly to the chosen pool member and not hit matching virtual servers.

Conditions:
If a VMware View resource is configured to connect to a pool and there is a virtual server matching some or all the IP/port values of pool members, connections to those members will go through the matching virtual server, except for the very first one.

Impact:
If a matching virtual is not intended to pass the traffic through (e.g., a 'reject-all' virtual), those connections routed to this virtual server will fail.

Workaround:
None.

Fix:
All the connections to VMWare View pool members now go directly without hitting matching BIG-IP virtual servers.

616059-1 : Modifying license.maxcores Not Allowed Error

Solution Article: K19545861

Component: TMOS

Symptoms:
Your sync-failover device group status says 'Sync Failed' and reports the following error in Device Management :: Overview: Sync error on <device name>: Load failed from /Common/BIG-IP1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

Conditions:
-- Non-homogeneous Virtual Edition (VE) configured with different licenses in a device group, or with hardware-based BIG-IP systems.
-- License variable perf_VE_cores is different among licenses.

Impact:
The device group fails to sync.

Workaround:
If you are using VEs in a device group, ensure that their licenses are the same.

Fix:
The license variable perf_VE_cores no longer syncs, so there is no error message.

616022-2 : The BIG-IP monitor process fails to process timeout conditions

Solution Article: K46530223

Component: Local Traffic Manager

Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.

Conditions:
It is not known exactly what triggers this condition. It was encountered on an HTTPS monitor.

Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.

Workaround:
No known workaround.

Fix:
The monitor process no longer inadvertently skips processing monitor timeouts and correctly marks monitored objects down.

616008-3 : TMM core may be seen when using an HSL format script for HSL reporting in PEM

Solution Article: K23164003

Component: Policy Enforcement Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.

Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.

615970-1 : SSO logging level may cause failover

Component: Access Policy Manager

Symptoms:
SSO logging level may cause failover.

Conditions:
SSO logging level set to "Debug".

Impact:
TMM may crash. Core file may be generated.

Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".

Fix:
The SSO logging level of "Debug" no longer causes failover.

615934-1 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.

615824-1 : REST API calls to invalid REST endpoint log level change

Component: iApp Technology

Symptoms:
In Big-IP 12.x versions before 12.1.2 invalid requests to a REST endpoint were being recorded in the FINE level logs, making it difficult to audit when an invalid request to a REST endpoint was coming in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users attempting to audit the log.

Conditions:
Any request made to an invalid REST endpoint will trigger a log message at the FINE level indicating that a request came in to an invalid REST endpoint.

Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.

Workaround:
Users can increase the log level of the REST Framework to FINE by making the following change to the file '/etc/restjavad.log.conf':

Before:
.level=FINE
After:
.level=INFO

Fix:
This message is included in the INFO log level on BIG-IP v12.1.2.

615432-1 : Multiple TFTP data transfers cannot be initiated in a single session

Component: Carrier-Grade NAT

Symptoms:
Multiple TFTP data transfers cannot be initiated in a single session.

Conditions:
Virtual server with TFTP profile is configured to handle TFTP traffic.

Impact:
Multiple TFTP data transfers cannot be initiated in a single session.

Workaround:
There is no workaround at this time.

Fix:
Multiple TFTP data transfers can be initiated in a single session

615388-1 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory

Component: Local Traffic Manager

Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.

Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.

Fix:
Use of URI or Referrer normalization in L7 policies no longer results in memory corruption.

615377-3 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.

/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.

Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.

Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.

Workaround:
None known.

Fix:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.

Behavior Change:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.

615338-2 : The value returned by "matchregion" in an iRule is inconsistent in some cases.

Component: Global Traffic Manager (DNS)

Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.

Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.

Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.

Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".

Fix:
"Matchregion" returns the correct value under all conditions.

615269-1 : CVE-2016-2183: AFM SSH Proxy Vulnerability

Solution Article: K13167034

615267-2 : OpenSSL vulnerability CVE-2016-2183

Solution Article: K13167034

615254-2 : Network Access Launch Application item fails to launch in some cases

Component: Access Policy Manager

Symptoms:
If access policy has multiple network resources with application launch configured, applications will launch only from first network resource.

Conditions:
Multiple Network access resources are configured with application launch.

Impact:
Applications will launch only from first network resource. Applications will not launch for other network resources

Workaround:
Launch applications manually after VPN is established.

Fix:
Applications from all network resources are now detected and launched correctly.

615226-5 : Libarchive vulnerabilities: CVE-2016-8687 and others

Solution Article: K13074505

615222-1 : GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★

Component: Global Traffic Manager (DNS)

Symptoms:
The user configuration set (UCS) configuration file may fail to load due to the global server load balancing (GSLB)-referenced virtual server name syntax. The system posts errors similar to the following:

01070226:3: Pool Member 20002 references a nonexistent Virtual Server.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have configured your BIG-IP DNS system (formerly known as BIG-IP GTM) with a virtual server name that includes the colon (:) character.
-- The virtual server is included as a GSLB pool member.
-- You save the configuration to a UCS file.
-- You attempt to load the UCS configuration file.

Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.

Workaround:
None.

Fix:
Fixed issue related to parsing of GTM Pool member names that prevents the use of GTM virtual servers or GTM servers with a colon (:) in the name from being used as a GTM pool member.

615143-1 : VDI plugin-initiated connections may select inappropriate SNAT address

Component: Local Traffic Manager

Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.

Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.

Impact:
Return traffic from destination may not be able to return to the BIG-IP, thus breaking the VDI functionality.

Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.

Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.

615107-1 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).

Component: TMOS

Symptoms:
Issuing commands from the AOM/SCCP menu to the host do not function, or password is required when SSH from AOM/SCCP to the host.

Conditions:
Presence of /etc/ssh directory on host.

Impact:
AOM/SCCP unable to connect to host without password.

Workaround:
None.

Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).

614891-2 : Routing table doesn't get updated when EDGE client roams among wireless networks

Component: Access Policy Manager

Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.

Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.

Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.

614865-5 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
Overwrite flag in iControl functions key/certificate_import_from_pem_v2() functions are now processed correctly and no longer produce errors.

614788-1 : zxfrd crash due to lack of disk space

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that the zone transfer daemon (zxfrd) can crash if the /var disk partition fills up and zxfrd needs to increase the size of its database.

Conditions:
DNS Express configured
Full /var partition
Changes to the zone database require more space to be allocated for zxfrd.

Impact:
zxfrd may crash and restart. This process may repeat depending on the need for space on restart.

Workaround:
Free up space in the /var partition.

Fix:
zxfrd now correctly handles the out of space condition.

614766-1 : lsusb uses unknown ioctl and spams kernel logs

Component: TMOS

Symptoms:
RHEL6 version of lsusb and associated libusb1 libraries
are using an ioctl that isn't properly supported by the kernel in the 32-bit syscall path.

Conditions:
RHEL6 version of lsusb and associated libusb1 libraries.

Impact:
Spamming of kernel logs.

Workaround:
None.

Fix:
kernel.el6.5: fix missing ia32 compat mapping for USBDEVFS_GET_CAPABILITIES.

614702-1 : Race condition when using SSL Orchestrator can cause TMM to core

Solution Article: K24172560

Component: Local Traffic Manager

Symptoms:
A race condition you encounter when you use the F5 Herculon SSL Orchestrator system can cause the Traffic Management Microkernel (TMM) to restart.

Conditions:
Running the F5 Herculon SSL Orchestrator system with large numbers of connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the race condition so that TMM does not restart.

614563-3 : AVR TPS calculation is inaccurate

Component: Advanced Firewall Manager

Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.

Conditions:
DoS profile attached to the virtual server.

Impact:
Attack can wrongly be detected.

Workaround:
None.

Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.

614530-2 : Dynamic ECMP routes missing from Linux host

Component: TMOS

Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.

Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.

Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.

Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.

Fix:
ECMP routes are correctly added to the Linux host.

614509-1 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart

Component: Local Traffic Manager

Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.

Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.

Fix:
'all' keyword with 'class match' now returns the correct results and TMM does not restart.

614486-1 : BGP community lower bytes of zero is not allowed to be set in route-map

Component: TMOS

Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.

Conditions:
set the BGP community value to a value of form ASN:0

Impact:
if you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This could also impact upgrading from the old versions to the version that doesn't support community values of the form ASN:0.

Workaround:
None

Fix:
BGP community can be set to values of the form ASN:0.

614441-4 : False Positive for illegal method (GET)

Solution Article: K04950182

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.

614322-1 : TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway

Solution Article: K31063537

Component: Access Policy Manager

Symptoms:
TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway.

Conditions:
RDP client uses RDG-RPC protocol to connect via APM's RD Gateway implementation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed TMM crash, which occurred during RDG-RPC protocol handling.

614296-1 : Dynamic routing process ripd may core

Component: TMOS

Symptoms:
As a result of a known issue the dynamic routing protocol daemon ripd, used for the RIP protocol may produce a core file when configuring it to use a interface configured with multiple self IP addresses on different subnets on the same VLAN.

Conditions:
- Use the RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN
- Add one of the subnets with the network command within the "router RIP" stanza.

Impact:
ripd will core and the configuration will not be allowed.

Workaround:
Configure one subnet/self IP address per VLAN.

Fix:
ripd no longer cores when configured with multiple subnets on the same VLAN.

614284-2 : Performance fix to not reset a data structure in the packet receive hotpath.

Component: Advanced Firewall Manager

Symptoms:
No symptoms. This is a performance fix.

Conditions:
This will happen always in the packet receive hotpath.

Impact:
No impact. Without this fix BIG-IP could have 0.5% (hard to measure) performance impact.

Workaround:
No workaround.

Fix:
Made an optimization to the packet receive hotpath.

614180-1 : ASM is not available in LTM policy when ASM is licensed as the main active module

Component: TMOS

Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module

Conditions:
ASM is licensed as the main active module

Impact:
ASM is not available in LTM policy rule creation

Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.

Fix:
Fixed license data parsing so that the main module is also included in the license map used to determine whether a module is licensed or not.

614147-1 : SOCKS proxy defect resolution

Solution Article: K02692210

614097-1 : HTTP Explicit proxy defect resolution

Solution Article: K02692210

613765-3 : Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Component: TMOS

Symptoms:
Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Conditions:
When a virtual server with a destination address of 0.0.0.0:0 is in the list, sorting the list is slow because of extra name resolution performed.

Impact:
Degraded user experience waiting for the extra logic and misleading error in logs.

Workaround:
None.

Fix:
Creating 0.0.0.0:0 Virtual Server in TMUI no longer results in slow-loading virtual server page and name resolution errors.

613671-2 : Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation

Component: Fraud Protection Services

Symptoms:
Wrong handling of nonexistent parameter configured with Encryption and Obfuscation

Conditions:
nonexistent parameter configured with Encryption and Obfuscation

Impact:
Error in console

Fix:
Ignore nonsexist parameter

613613-2 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application can not work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.

613576-1 : QOS load balancing links display as gray

Component: Global Traffic Manager (DNS)

Symptoms:
All links in all data centers appear gray. After this patch all link appear to be green and the functional of load balancing to the first available link in each pool is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all ilnks from configuration or install this hotfix.

613536-5 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED

613524-3 : TMM crash when call HTTP::respond twice in LB_FAILED

Component: Local Traffic Manager

Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event
- irule script must use a "delay" (parked) statement together with two HTTP::respond statements.

Conditions:
- LB_FAILED event must be triggered by good IP address and bad port so that the serverside connflow is establish. you will not see this bug if no pool member is used or invalid IP address is used.
- irule script must use a "delay" (parked) statement. the delay together with http response creates the right timing for the client side connflow to go away while proxy is pushing Abort event down to both clientside and serverside.

Impact:
Traffic disrupted while tmm restarts.

Fix:
This fix rectifies the problem.

613459-1 : Non-common browsers blocked by Proactive Bot Defense

Component: Advanced Firewall Manager

Symptoms:
Some non-common browsers may get blocked by the Proactive Bot Defense feature. This has been seen in rare cases, and causes these browsers to remain in a white page while the request is not being sent to the back-end server.

Conditions:
Proactive Bot Defense enable on the DoS profile.

Impact:
In rare cases, some non-common browsers may get blocked.

Workaround:
None

Fix:
Non-common browsers no longer get blocked when Proactive Bot Defense is enabled.

613429-2 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.

Component: Local Traffic Manager

Symptoms:
Assigning a wide IP with wildcard characters in the name to a DHS distributed application may not work properly when done via tmsh, and such configurations created via the GUI will result in configuration files that fail to load.

Conditions:
A wide IP with a wildcard character in its name.

Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.

Workaround:
None.

Fix:
Fixed issue preventing wide IPs to be assigned to BIG-IP DNS distributed apps if those wide IPs have a wildcard character in their name.

613415-2 : Memory leak in ospfd when distribute-list is used

Solution Article: K22750357

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to a the daemon being terminated via the oom-killer.

Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.

Fix:
ospfd no longer leaks memory when a distribute-list is configured.

613396-1 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs

Component: Application Security Manager

Symptoms:
Exported Policy in XML format cannot be imported.

Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.

Impact:
Exported XML policies cannot be imported back into the system without manual manipulation

Workaround:
If such a policy has already been exported only manual manipulation would allow it to be imported again.

Fix:
Policy export now correctly creates valid XML Policies for configurations with metachar overrides configured on Websocket URLs.

613373-2 : Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page

Component: Access Policy Manager

Symptoms:
When accessing the SAML Authentication Context UI page with application editor user role, the following error will be displayed:
Read Access Denied: user (username) type (SAML authentication context classes list)

Conditions:
User attempting to view the page belongs to application editor group/role

Impact:
SAML Authentication Context UI page will not display existing objects

Workaround:
SAML Authentication Context UI page will still show existing object for users with administrative role.

Fix:
With the fix, no errors will be shown to users with Application Editor role when accessing SAML Authentication Context UI page

613369-4 : Half-Open TCP Connections Not Discoverable

Component: Local Traffic Manager

Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.

Conditions:
A TCP connection in half-open state.

Impact:
Half-open TCP connections are not discoverable

Fix:
Properly acknowledge half-open TCP connections.

613326-1 : SASP monitor improvements

Component: Local Traffic Manager

Symptoms:
A SASP monitor created in versions earlier than 13.0.0 might exhibit problems in certain situations, such as:
-- Attempting to connect multiple times with GWM pairs.
-- Dropping and reconnecting frequently with GWM pairs.
-- Problematic behavior with mixed Push/Pull workgroups on the same GWM.
-- Overly-chatty use of the SASP protocol when establishing/reestablishing connections.
-- Marking pool members down during GWM switch-over.
.-- Inability to handle many hundreds of workgroups/workloads

Conditions:
Using versions of the SASP monitor created in versions earlier than 13.0.0.

Impact:
Might cause flapping pool members or unstable pools.

Workaround:
None.

Fix:
A significantly improved SASP monitor has been developed in version 13.0.0. It properly handles the SASP protocol, GWM pairs, and connection semantics. In addition, it has the ability to briefly delay node down on GWM switchover, resulting in no interrupted traffic in most cases, and has vastly improved scalability.

When run in push mode (now the default), it is more efficient with the SASP protocol, only asking for changes from GWM, and pinging GWM infrequently if no traffic has been received.

The improved monitor uses Pool name rather than Monitor name as the Workload name. This allows a single Monitor definition to be shared among many Pools, where previously a single unique Monitor was required for each SASP Pool.

613297-3 : Default generic message routing profile settings may core

Component: Service Provider

Symptoms:
If a virtual is created using the default generic message profile, the first packet received will produce an infinite number of messages and overflow the internal buffers.

Conditions:
The default generic message profile has the internal parser enabled but a zero byte message separator pattern. This causes the parser when receiving traffic to create an infinite number of empty packets and overflow the system.

Impact:
The infinite number of message will cause an internal panic producing a core. Traffic disrupted while tmm restarts.

Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.

Fix:
In this release, the system automatically disables the internal parser if no separator is provided, so if a virtual is created using the default generic message profile, the first packet received no longer produces an infinite number of messages and overflows the internal buffers.

613282-2 : NodeJS vulnerability CVE-2016-2086

Solution Article: K15311661

613275-2 : SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up

Solution Article: K62581339

Component: TMOS

Symptoms:
The values returned during an SNMP get/MIB walk are incorrect for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

The values should match what is displayed in tmsh list net interface media-max and tmsh list net interface media-active respectively which are correct.

Conditions:
-- Performing an SNMP get or MIB walk.
-- Viewing values for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

Impact:
The system reports inaccurate information for these objects.

Workaround:
To get the correct results, use the following commands:
tmsh list net interface media-max
tmsh list net interface media-active

Fix:
SNMP get/MIB walk now return correct information for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

613225-7 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697

613127-3 : Linux TCP Stack vulnerability CVE-2016-5696

Solution Article: K46514822

613088-3 : pkcs11d thread has session initialization problem.

Component: Local Traffic Manager

Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.

Conditions:
This occurs when SafeNet is configured with VIPRION chassis

Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.

Workaround:
None.

Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.

613079-4 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.

Fix:
Removed the 3-second Diameter monitor watchdog timeout so that interval and timeout can be used like other external monitors.

613065-1 : User can't generate netHSM key with Safenet 6.2 client using GUI

Component: Local Traffic Manager

Symptoms:
With Safenet6.2, creating key using GUI may hang and timeout. The GUI eventually quits with error message.

Conditions:
Installing Safenet6.2 client and attempting to create netHSM key from the GUI

Impact:
netHSM key creation fails, GUI hang.

Workaround:
You can use the corresponding tmsh command to create key.

Fix:
NetHSM key waiting time has been increased and you can now create a netHSM key using GUI.

613045-7 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager (DNS)

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.

Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.

613023-4 : Update SIP::Persist to support resetting timeout value.

Component: Service Provider

Symptoms:
SIP::persist needs improvement to support long-lived SIP sessions. Having a long timeout for persistence entries globally does not seem efficient for resource usage.

Conditions:
Efficiently using long-lived SIP sessions.

Impact:
Smaller persist timeouts will result in messages being delivered to the wrong entity in the case of supporting long lived SIP sessions.

Workaround:
Set a higher persist timeout value globally.

Note: This workaround might result in memory issues, depending on the BIG-IP system setup and traffic.

Fix:
New SIP Persist iRule commands allow persistence key and an additional parameter to redefine lifetime of the persistence entry to any new value.

Behavior Change:
In previous versions, the SIP Persist iRule command allowed only the persistence key as the parameter to store the persistence entry in the table.

New SIP Persist iRule commands allows persistence key and an additional parameter to define the lifetime of persistence entry. BIG-IP systems now can have better control on the persistence entry for long lived SIP sessions.

612952-1 : PSU FW revision not displayed correctly

Component: TMOS

Symptoms:
When EUD displays the PSU FW revison it is truncated from 16 bytes to 14 bytes.

Conditions:
This occurs when using a Murata REV02 M1845 PSU with AOM FW less than 2.7.14

Impact:
Incomplete PSU FW rev.

Workaround:
Infer the last 2 characters of the PSU FW rev from the 14 that are displayed and the HW revision of the PSU.

612874-1 : iRule with FLOW_INIT stage execution can cause TMM restart

Component: Advanced Firewall Manager

Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.

Conditions:
iRule that has FLOW_INIT stage action in it.

The FLOW_INIT stage iRule could be executed either because it was attached to a Virtual Server or configured on an AFM ACL Rule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule with FLOW_INIT action. Other stage iRules does not cause this problem.

Fix:
Memory allocation and release during iRule FLOW_INIT execution was not handled right in a specific scenario, which was corrected.

612809-1 : Bootup script fails to run on on a vCMP guest due to a missing reference file.

Component: TMOS

Symptoms:
Script /etc/sysconfig/sysinit/10virtual-platform.sysinit fails to run. sod log spamming.

Conditions:
Startup in a vCMP guest.

Impact:
vCMP guests shows dbg_echo related errors in /var/log/boot.log.

Workaround:
Disable sys db variable "failover.usetty01" and restart sod.

If unable to restart sod at the moment, apply a filter with no publisher matching message-id 012a0003:
    sys log-config filter no-serial-failover-logs {
        message-id 012a0003
    }

Fix:
This release adds a separate sysinit file for vCMP instead of using sysinit-virtual-platform.

612769-1 : Hard to use search capabilities on the Pool Members Manage page.

Solution Article: K33842313

Component: Global Traffic Manager (DNS)

Symptoms:
With hundreds of potential pool members the GUI does not make it easy to search for them. The search list only supports searches that match the beginning of the pool member's name.

Conditions:
This difficulty exists when there are more than a few potential pool members.

Impact:
Frustrating BIG-IP system administrator experience.

Workaround:
A workaround is to perform the needed virtual server/member addition to the pool via TMOS/CLI using a command similar to the following:

$ tmsh modify gtm pool <record> <pool> members add { <member> }.

Tip: You can take advantage of auto-completing the member's name by pressing the <tab> key, which saves typing the entire name.

Fix:
The system now provides better search capabilities on the Pool Members Manage page.

612752-1 : UCS load or upgrade may fail under certain conditions.★

Component: TMOS

Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.

Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.

Impact:
UCS load or upgrade will fail.

Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.

Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.

These settings may be safely reinstated after the upgrade is complete.

612721-4 : FIPS: .exp keys cannot be imported when the local source directory contains .key file

Component: TMOS

Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.

Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).

Impact:
Unable to import the FIPS key

Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.

612694-5 : TCP::close with no pool member results in zombie flows

Component: Local Traffic Manager

Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.

Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).

Impact:
Connection does not tear itself down.

Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.

Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.

612564 : mysql does not start

Component: TMOS

Symptoms:
ASM storage initialization does not happen.

Conditions:
BIG-IP iSeries platforms; this occurs after new software install.

Impact:
Application is non-functional.

Workaround:
remove the sentinel file ;
/appdata/mprov/local/HD1.4/mysqldb/.moved.to.asmdbvol.
and reboot.

612419-1 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.

612229-1 : TMM may crash if LTM a disable policy action for 'LTM Policy' is not last

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing an LTM policy.

Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- Policy action of disable - LTMN Policy is not the last one in the list of actions.

Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.

Workaround:
Ensure any LTM policy disable action is the last in the list of actions.

Fix:
TMM no longer crashes if LTM a disable policy action for 'LTM Policy' is not last in the list of actions in the rule.

612135-3 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic

Component: Service Provider

Symptoms:
Configuring a virtual server with generic message profile without message routing profile will core when a packet is received by the virtual.

Conditions:
Configuring a virtual server with generic message profile without message routing profile.

Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.

Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.

Fix:
Validation has been improved to fail unless both a generic message profile and a message routing profile are used.

612040-4 : Statistics added for all crypto queues

Component: Local Traffic Manager

Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.

Conditions:
Crypto requests issued but not actively queued in the crypto hardware.

Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.

Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.

611968-3 : JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow

Component: Access Policy Manager

Symptoms:
JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow.

Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers presence.

Impact:
Web application performance slowdown.

Workaround:
None

Fix:
Fixed.

611922-1 : Policy sync fails with policy that includes custom CA Bundle.

Component: Access Policy Manager

Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.

Conditions:
- Add a custom certificate bundle
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.

Impact:
Policy sync fails.

Workaround:
Use a built-in certificate bundle on source device and sync the policy.

Import the custom certificate bundle to all devices

Replace the built-in certificate bundle with the custom one in the policy.

Fix:
Policy sync now succeeds when the policy includes a custom certificate bundle.

611704-5 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event

Component: Local Traffic Manager

Symptoms:
A tmm crash was discovered during internal testing.

Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT

611691-5 : Packet payload ignored when DSS option contains DATA_FIN

Component: Local Traffic Manager

Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.

Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.

Impact:
The last packet of data is not received.

Workaround:
Disable MPTCP.

Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.

611669-4 : Mac Edge Client customization is not applied on macOS 10.12 Sierra

Component: Access Policy Manager

Symptoms:
Mac Edge Client's Icon, application name, company name, amongst other things can be customized on BIG-IP before deploying on end user's machine. But on Mac Edge Client on macOS 10.12 Sierra this customization is not applied.

Conditions:
macOS Sierra 10.12, Edge client, customization

Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there should be no impact except that user will see default application visually.

Workaround:
run following command on Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For spanish
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Edge client honors customization on macOS Sierra 10.12 now.

611658-3 : "less" utility logs an error for remotely authenticated users using the tmsh shell

Component: TMOS

Symptoms:
when using 'less' Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"

Conditions:
admin user configured with tmsh shell

Impact:
admin user cannot use the less command from shell

Workaround:
configure admin user to use the bash shell

611512-1 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.

Component: TMOS

Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.

Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
- Pool name in BIG-IP is same as the autoscaling group name in AWS attached with it.

Impact:
- Pool member autoscaling doesn't occur correctly without user intervention.

Workaround:
When configuring pool member auto-scaling in AWS, you must choose a different name for the pool compared to the autoscaling group name attached with it.

Fix:
Choose different names for Pool in BIG-IP and autoscaling group in AWS to correctly configure Pool member autoscaling in BIG-IP .

611487-3 : vCMP: VLAN failsafe does not trigger on guest

Component: TMOS

Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.

Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, one or more VCMP guests enabled that use that VLAN

Impact:
Since the heartbeat messages going over IPv6 link-local addresses continue to be successfully passed from host to guest, VLAN failsafe does not trigger if a downstream router or switch goes down that's connected to the VLAN.

Workaround:
If you are able to, disabling IPv6 on the host will allow VLAN failsafe to work as expected.

611469-3 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Solution Article: K95444512

611467-3 : TMM coredump at dhcpv4_server_set_flow_key().

Component: Policy Enforcement Manager

Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().

Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The client uses broadcast to do DHCP renewal is an indication the client did not get ACK from DHCP server when it uses unicast to talk to DHCP server directly. The most likely reason for this to happen is the server routing table is not configured to send DHCP ACK packets back to the client.

You can work around this problem by configuring DHCP server routing table so that it knows how to send DHCP ACK to the client.

611385-1 : "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'

Component: Application Security Manager

Symptoms:
Under some scenarios, setting "Learn Explicit Entities" to 'Never' has no effect; it continues to work as if it is 'Add All Entities'

Conditions:
Steps to Reproduce:
1) Create a default policy, set "Learn New HTTP URLs" to "Add All Entities".
2) Create a non-pure wildcard URL "/in*".
3) Send the following request:
     GET /index.html HTTP/1.1\r\n
     Host: <Host URL>\r\n
     \r\n
4) There will be no suggestion to add /index.html URL since learning mode on "/in*" wildcard is "Never" by default.
5) Set "Learn Explicit Entities" to "Add All Entities" on "/in*" wildcard.
6) Send the same traffic again; there will be suggestion to add /index.html URL (which is still correct).
7) Delete all suggestions.
8) Set "Learn Explicit Entities" to "Never" on "/in*" wildcard.
9) Send the same traffic again.

Impact:
There is suggestion to add /index.html URL when there should be no such suggestion since the wildcard is in 'Never' mode now.

Workaround:
Go to "Learning and Blocking Settings", set "Learn New HTTP URLs" to "Never" press "Save", then set it back to "Add All Entities". press "Save" again.

Fix:
"Learn Explicit Entities" to 'Never' now works as expected.

611352 : Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms

Solution Article: K68092141

Component: TMOS

Symptoms:
In /var/log/sel you see these errors:
0082 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: corerrsts: replay_num_rollover_status
0083 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: rperrsts: correctable_error_received

Conditions:
This can be seen on BIG-IP iSeries platforms.

Impact:
This error message is benign and can be safely ignored.

Workaround:
N/A

Fix:
Benign message "replay num rollover error condition correctable errors" counter is no longer seen.

611320-3 : Mirrored connection on Active unit of HA pair may be unexpectedly torndown

Component: Local Traffic Manager

Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.

Conditions:
Mirrored connection on Standby unit times out due state mismatch with connection on Active unit.

Impact:
Traffic loss.

Workaround:
Disable mirroring.

Fix:
The system no longer mirrors connflow expiration from Standby to Active. This is correct behavior.

611240-3 : Import of config with securid might fail

Component: Access Policy Manager

Symptoms:
Import of the profile used for securid auth might fail if the profile has already been used for auth purposes at the moment of export.

Conditions:
This occurs when the following conditions are met:
-- Profile configured for securid authenticaiton with securid server attached.
-- Profile has been used for authentication more than 0 times.
-- Full import (no reuse) or Reuse import when secureid server under the same name is not present.

Impact:
Unable to import certain configurations.

Workaround:
1. In VPE, open securid auth item and set server to none before export.
2. Export profile.
3. Import profile.
4. Re-create the aaa securid server.
5. In VPE, open the securid auth item and set server to one from step #4.

Or
1. Export profile.
2. Create aaa securid server under the same name.
2. Import profile with reuse.

It is also possible to remove securid entry from config-files of securid server configuration in .conf.tar.gz, which would also work.

Fix:
It is now possible to successfully export and the import profile using securid in any state.

611161-3 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Solution Article: K28540353

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs, and the generated arp requests are not being answered, VLAN failsafe resorts to ICMP.

Impact:
There are very rare situations in which failsafe triggers but it should have not.

Workaround:
None.

Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.

611154-1 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
An iRule (or other non-ASM module) that adds or delete the server headers. Especially if it touches the Set-Cookies header

Impact:
Failover, traffic disrupted while TMM restarts.

Workaround:
No workaround at this time.

Fix:
Added checking for bad dictionary on the response side.

611151-2 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive

Component: Application Security Manager

Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ a sensitive parameter with an upper-case character

Impact:
no data masking for a JSON sensitive parameter

Workaround:
N/A

Fix:
We've made sure that JSON parameters are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.

610897-2 : FPS generated request failure throw "unspecified error" error in old IE.

Component: Fraud Protection Services

Symptoms:
If FPS generated request sent and failed in old IE, it will throw "unspecified error" error.

Conditions:
FPS generated request sent and failed in old IE

Impact:
The browser will show error message in the left bottom side.

Workaround:
N\A

Fix:
N\A

610857-1 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.

Component: Advanced Firewall Manager

Symptoms:
When selenium client webdriver is detected running a browser Chrome or Firefox it is not being blocked due to low score being assigned by PBD (Suspicious Browsers) mechanism.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot which running selenium Chrome or Firefox webdriver isn't mitigated by DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
Adjusted scoring for selenium detection to trigger CAPTCHA upon an attempt to access a website without TSPD101 cookie (usually occurs upon accessing a website's first page)

610830-1 : FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.

Component: Advanced Firewall Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned and to a virtual sever assigned dos application profile where Device ID mitigation configured or ASM policy with WebScraping and FingerPrint detection enabled.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
tmsh modify sys db dosl7.fp_fonts_enabled disabled

Fix:
The javascript slowness bottleneck is fonts collection, to improve the performance the number of font reduced from 300 to 50. If you wish to eliminate the slowness of the fonts collection at all, a new sys db has been added. tmsh list sys db dosl7.fp_fonts_enable. Note, that eliminating the fonts collection for the fingerprint can reduce the its entropy.

610710-2 : Pass IP TOS bits from incoming connection to outgoing connection

Component: Service Provider

Symptoms:
ToS is set to 0 when going through a SIP profile.

Conditions:
This occurs when a SIP profile is in use and ToS is set.

Impact:
Currently outgoing packets TOS bits are configured via profile and are not affected by TOS bits of incoming packet.

Workaround:
NA

Fix:
Outgoing packets TOS bits can be configured via profile to preserve the TOS bits of incoming packet.

Behavior Change:
This change will only change existing behavior if the transport protocol (TCP, UDP or SCTP) has the ip-tos-to-client attribute set to pass-through. If configured as pass-through, the TOS bits of the incoming packet containing a message will be used on the outgoing packets containing the message. Without this change, the TOS bits of the outgoing packet would be undefined if configured this way.

610609-3 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example if you sent a single connection through BIG-IP it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.

610582-2 : Device Guard prevents Edge Client connections

Component: Access Policy Manager

Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.

Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.

Impact:
Clients are unable to establish a VPN connection.

Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.

Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.

Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.

610442-2 : vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★

Solution Article: K75051412

Component: TMOS

Symptoms:
On a vCMP guest, If a user attempts to install using the block-device-image argument (e.g., install sys software block-device-image <some.iso>), and the .iso file has incorrect file permissions (e.g., $chmod 600 <some.iso>), then the lind process on the guest will enter a restart loop, and the system posts the following error:
lind[23565]: 013c0004:3: Fatal error: vcmp_media_insert failed

Conditions:
-- vCMP guest.
-- Run a command similar to the following:
install sys software block-device-image <some.iso>.
-- <some.iso> has bad permissions, e.g., -r--------.

Impact:
On the guest, lind restarts continuously, logging its restart to /var/log/ltm each time and posting the vcmp_media_insert failed error message.

Workaround:
Use either of the following workarounds:
-- Avoid installing block-device-images known to have bad permissions.

-- From the host, attempt to repair the file with bad permissions, copy the repaired file to /shared/images/, and try the install again. To do so, follow this procedure, running these commands from the host:

1. To repair the file, run the following command:
chmod 644 <some.iso>

2. To copy the file, run the following command:
scp <some.iso> mysystem:/shared/images/

3. To install the guest, run the following commands:
bigstart restart lind
tmsh install sys software block-device-image <some.iso>

Fix:
Instead of throwing a runtime error, lind will log an error to /var/log/ltm and return.

610441-3 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Component: TMOS

Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Conditions:
This occurs when adding a new member to an existing pool using iControl REST.

Impact:
Unable to tell if the request has succeeded or failed via iControl REST.

Workaround:
Add the following to partitionInfo in icrd.conf.

{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}

610429-5 : X509::cert_fields iRule command may memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields

610417-1 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Solution Article: K54511423

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. Also it will use the undesirable TLSv1 protocol instead of negotiating to the highest safest protocol available which is TLSv1.2

If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Workaround:
None.

Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).

610354-1 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.

610352-1 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:

ERROR: S.5...... /etc/sysconfig/modules/unic.modules

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /etc/sysconfig/modules/unic.modules that was causing sys-icheck to report errors.

610350-1 : sys-icheck reports error with /config/bigpipe/defaults.scf

Component: TMOS

Symptoms:
n Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:

ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/bigpipe/defaults.scf that was causing sys-icheck to report errors.

610307 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber

Component: TMOS

Symptoms:
This error message may be generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.

Impact:
None. This can be ignored.

Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.

Fix:
This error message could have been generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.

610302-1 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink"

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.

Fix:
Link throughput graphs now collect and show the throughput for the proper link when one link name is a prefix of one or more other links. Note that historical information gathered before the fix will not be corrected.

610295-1 : TMM may crash due to internal backplane inconsistency after reprovisioning

Solution Article: K32305923

Component: TMOS

Symptoms:
In some scenarios on BIG-IP Virtual Edition (VE) platforms, TMM may crash due to backplane inconsistency shortly after a provisioning change.

Conditions:
- BIG-IP VE with performance-limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.

Impact:
TMM may core with panic and post the following message in /var/log/tmm log: 'Unexpected backplane address'. Traffic disrupted while tmm restarts.

Workaround:
Reboot after provisioning if new license add-on keys raises performance of the BIG-IP system.

Fix:
TMM no longer crashes after provisioning if new license add-on keys raises performance of the BIG-IP system.

610273-3 : Not possible to do targeted failover with HA Group configured

Component: TMOS

Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."

Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.

Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.

Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.

610255-1 : CMI improvement

Solution Article: K62279530

610224-3 : APM client may fetch expired certificate when a valid and an expired certificate co-exist

Component: Access Policy Manager

Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.

Conditions:
A valid and an expired certificate co-exist in the certificate store.

Impact:
Machine Certificate check fails.

Workaround:
Remove the expired certificate from the store.

Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.

610180-2 : SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory

Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing single-logout-uri' property of IdP connector object.

Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.

610129-3 : Config load failure when cluster management IP is not defined, but instead uses address-list.

Solution Article: K43320840

Component: Advanced Firewall Manager

Symptoms:
In Cluster setup with multiple blades, if configurations do not have management IP addresses assigned to individual blades, but instead assign a cluster management IP address list to the cluster of blades. The configuration load will fail. System posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.

Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.

Impact:
After reboot, configuration load failure on secondary blades.

Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.

Fix:
Config load failure no longer occurs when cluster management IP is not defined, but instead uses address-list.

610122-1 : Hotfix installation fails: can't create /service/snmpd/run★

Component: TMOS

Symptoms:
Hotfix installation fails with RPM transaction errors.
The system posts several errors similar to the following in /var/log/liveinstall.log: info: RPM: can't create /service/snmpd/run at usr/share/perl5/vendor_perl/daemon.pm line 99.

Conditions:
12.x hotfix installation from 11.6.0 on top of a 12.x base image that was previously booted.

Impact:
It is not possible to perform a hotfix installation to a 12.x volume from 11.6.0 after the 12.x volume has been booted.

Workaround:
- Install the hotfix directly to a new slot which has not been booted into before using a command similar to the following:
tmsh install sys software hotfix 12.1.0-hf1 create-volume volume HD1.4

609967-2 : qkview missing some HugePage memory data

Solution Article: K55424912

Component: TMOS

Symptoms:
Some HugePage status data is missing from qkview, if the contents of /proc/meminfo does not list a units column for the Huge Page data.

Conditions:
/proc/meminfo file does not list units for HugePage data.

Impact:
HugePage data is missing from qkview diagnostics file.

Workaround:
Separately provide /proc/meminfo file.

Fix:
HugePage status data is now collected as expected.

609793-1 : HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.

Component: Access Policy Manager

Symptoms:
HTTP Header Modify agent skips execution if it believes it is in the serverside chain, as the check is based on receipt of HUDEVT_REQ_DONE, which can be true on the clientside chain, causing HTTP header modify agent operations to log out with an error message.

Conditions:
Receipt of HUDEVT_REQ_DONE before execution of HTTP Header Modify agent.

Impact:
HTTP header modify agent cannot perform modification of headers/cookies.

Workaround:
None.

Fix:
Appropriate check for disabling HTTP header agent only in serverside chain has been added and the check for the receipt of request has been processed has been removed.

609788 : PCP may pick an endpoint outside the deterministic mapping

Component: Carrier-Grade NAT

Symptoms:
When PCP is picking an endpoint for a LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.

Conditions:
With PCP configured and enabled with a lsn-pool in deterministic mode.

Impact:
Deterministic mapping restriction may be violated causing reverse mapping of public IP address to private IP address to not identify the correct subscriber.

Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.

Fix:
PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.

609691-1 : GnuPG vulnerability CVE-2014-4617

Solution Article: K21284031

609677-1 : Dossier warning 14

Component: TMOS

Symptoms:
After each boot, the var/log/ltm log file contains messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

Conditions:
This occurs upon reboot after licensing and management port configuration is complete on i5000/i7000/i10000-Series platforms.

Impact:
There is no functional impact. This is a benign message that can be safely ignored.

Workaround:
None.

Fix:
The var/log/ltm log file no longer contains the benign messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

609628-2 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session

Component: Local Traffic Manager

Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.

Impact:
iRule commands inside of the CLIENTSSL_SERVERHELLO_SEND are only executed for full handshakes but not for abbreviated handshakes; thus any logic that's applied per SSL connection should not run inside of CLIENTSSL_SERVERHELLO_SEND event since it is not reliably raised under all types of handshakes.

Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.

609614-3 : Yafuflash 4.25 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to Yafuflash 4.25.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Yafuflash.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

609575-5 : BIG-IP drops ACKs containing no max-forwards header

Component: Service Provider

Symptoms:
When a sip profile is in use and receives an acknowledgment packet missing the Max-Forwards header, BIG-IP will treat the packet as un-forwardable and does not forward the ACK. This can be experienced as a specific cilent being unable to make a call.

Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.

Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".

609527-2 : DNS cache local zone not properly copying recursion desired (RD) flag in response

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNS query sets the RD flag, that setting is supposed to be copied to the response. When a DNS query is handled by a cache local zone, the RD flag is not set properly.

Conditions:
A DNS cache local zone must be configured and a DNS query with the RD flag set must be handled by this local zone.

Impact:
The flag is not set properly in the DNS response. This most likely will only be noticed by protocol validation tools as standard DNS clients generally do not check this bit.

Workaround:
Use an equivalent DNS Express configuration instead of the local zone.

Fix:
The fix is to properly check the RD flag on the query so that it can be copied to the response.

609499-1 : Compiled signature collections use more memory than prior versions

Component: Application Security Manager

Symptoms:
Compiled signature collections use more memory than prior versions.

Conditions:
Different signature sets are used for different policies.

Impact:
BD memory usage for compiled signature collections is increased.

Fix:
Compiled signature collections memory usage was consolidated and reduced.

609496-2 : Improved diagnostics in BD config update (bd_agent) added

Component: Application Security Manager

Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.

Conditions:
Further troubleshooting of BD config update transmission is needed.

Impact:
No diagnostics are available.

Workaround:
None.

Fix:
Improved diagnostics in BD config update (bd_agent) were added.

609335-1 : IPsec tmm devbuf memory leak.

Component: TMOS

Symptoms:
A small memory leak was discovered during internal testing of IPsec tunnels. Over time tmm might run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

609328-3 : SIP Parser incorrectly parsers empty header

Solution Article: K53447441

Component: Service Provider

Symptoms:
If a SIP message contains an empty header, the following header will be included as the value of the empty header.

Conditions:
A SIP header without any value will incorrectly cause the next header to be used as the value.

Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).

Workaround:
None.

Fix:
Parser has been corrected to terminate an empty header when a line ending is seen.

609325 : Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported

Component: TMOS

Symptoms:
QSFP modules that do not support DDM (Digital Diagnostic Monitoring), write messages to /var/log/ltm indicating DDM is not supported, however, there are certain unsupported DDM F5-branded SFP modules that do not write a message to the log.

Conditions:
Upon inserting the unsupported DDM SFP modules.

Impact:
DDM is not reporting information for the following optics:

Unsupported DDM 1Gb-10GB SFP modules:

OPT-0004
OPT-0007
OPT-0011
OPT-0015
OPT-0051
OPT-0033

Workaround:
None.

Fix:
All DDM SFP 1Gb-10GB modules now log in /var/log/ltm that DDM is not supported with that optical transceiver.

609244-4 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.

Workaround:
None.

Fix:
tmsh show ltm persistence persist-records no longer leaks memory.

609199-6 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join

Component: Local Traffic Manager

Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.

Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.

Fix:
Remove unestablished joining subflows when freeing the MPTCP connection structure.

609119-7 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.

Fix:
The logging system prints out a blank message in response to failed file object configuration change validations.

609114-1 : Add the ability to control dropping of alerts by before-load-function

Component: Fraud Protection Services

Symptoms:
Too many alerts prevents you from enabling FPS. If it does get enabled, a large number of 'missing component' alerts are generated.

Conditions:
This can occur when enabling FPS will trigger a high number of alerts.

Impact:
FPS is disabled, or alerts are not categorized.

Fix:
Add before-load-function capability to drop alert on client.

609107-1 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf

Component: TMOS

Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.

Conditions:
A folder is removed from a previously valid configuration file.

Impact:
Inconsistent configuration between devices in the same device-group, shows in-sync when they are not, prevents config loading after mcpd has been reset.

Workaround:
Do not remove folders from the configuration file.

Fix:
mcpd now properly validates missing 'sys folder' config in bigip_base.conf, so the config performs as expected.

609098-1 : Improve details of ajax failure

Component: Fraud Protection Services

Symptoms:
When AJAX request fails, insufficient information is provided to debug the failure.

Conditions:
AJAX failure

Impact:
Difficult to diagnose the failure.

Workaround:
Not relevant

Fix:
Add information to alert about AJAX failure.

609095-1 : mcpd memory grows when updating firewall rules

Component: Advanced Firewall Manager

Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.

Conditions:
This can occur when making changes to firewall policies.

Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.

609084-2 : Max number of chunks not configurable above 1000 chunks

Solution Article: K03808942

Component: Application Security Manager

Symptoms:
If you want to support requests larger than 1000 chunks, the request is blocked and the system posts the following message in the ASM event log:

Unparsable request content Chunks number exceeds request chunks limit: 1000.

Conditions:
This occurs when the request exceeds 1000 chunks.

Impact:
Requests that are valid from the server side are being rejected.

Workaround:
None.

Fix:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

Behavior Change:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

609027-1 : TMM crashes when SSL forward proxy is enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes when SSL forward proxy is enabled.

Conditions:
This can occur when SSL forward proxy is enabled and there is a server handshake done when client SSL handshake is not ongoing.

Impact:
Traffic disrupted while tmm restarts.

Fix:
SSL forward proxy now ignores server handshake done when client SSL handshake is not ongoing, so an intermittent TMM crash no longer occurs.

609005-2 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).

Component: Policy Enforcement Manager

Symptoms:
Two client side DHCP packets with giaddr field set, one with source port 67 and another client side packet with source port 68 (not conforming to RFC since giaddr set DHCP packet (from relay agent) should use 67 as source port per RFC),
tmm will crash during err message logging.

Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have giaddr fields set
3) One packet uses 67 as source port, the other uses 68

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.

608991-7 : BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed

Component: Local Traffic Manager

Symptoms:
If a SYN with MP_JOIN is received on a new subflow during an MPTCP connection and the connection closes before the three-way handshake is complete, the BIG-IP will continue trying to complete the three-way handshake.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a SYN with MP_JOIN is received on another flow during an MPTCP connection.

Impact:
The BIG-IP retransmits the SYN/ACK to the joining flow after the connection is closed.

Workaround:
There is no workaround

Fix:
Free joining connections when an MPTCP connection is closed.

608941-1 : AAA RADIUS system authentication fails on IPv6 network

Component: Access Policy Manager

Symptoms:
APM supports RADIUS authentication to IPv6 servers for APM clients if the IPv6 servers are in a pool, but using RADIUS for system authentication directly to a RADIUS server fails on invalid IP address. The signature in the log file is as follows:

err apmd[13481]: 01490108:3: /Common/profilename: RADIUS module: authentication with 'aa' failed: Invalid Server IP(0)/Port(0) (1)

Conditions:
RADIUS authentication configured for system authentication direct to a RADIUS server, and the RADIUS server is an IPv6 server.

Impact:
RADIUS is unable to connect directly to the IPv6 RADIUS server, clients unable to log into the system.

608826-1 : Greylist (bad actors list) is not cleaned when attack ends

Component: Anomaly Detection Services

Symptoms:
When attack ends the greylist (detected bad actors) remains till the timeout expiration.

Conditions:
Detected bad actors and attack end.

Impact:
If new attack will start sooner than greylist expiration time, greylist member will be mitigated even if they are not related to the current attack.

Workaround:
It it's necessary it's possible to clear greylist manually using ipidr utility.

Fix:
Clear the greylist upon attack end.

608742-2 : DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.

Solution Article: K48561135

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is configured in Forwarding mode, the BIG-IP system drops the renewal ACK message from the server in response to unicast renewal message from DHCP clients.

Conditions:
-- BIG IP system configured in forwarding mode.
-- DHCP clients sending unicast renewal message to DHCP server.

Impact:
Unicast DHCP renewal requests are not responded to with ACKs. DHCP clients will send broadcast renewal messages and will receive ACK from servers.

Workaround:
None.

Fix:
After being unable to receive ACK responses from DHCP servers for unicast DHCP renewal messages, the DHCP client will send broadcast DHCP renewal messages and receive an ACK from the DHCP server and ACKs forwarded by the BIG-IP system and received by DHCP clients.

608591-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.

Impact:
Might impact the way policies are provided from the PCRF.

Workaround:
None

Fix:
Subscrbier ID type is marked as NAI for DHCP discovered subscribers.

608566-1 : The reference count of NW dos log profile in tmm log is incorrect

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles, the log message in tmm log is showing incorrect reference cnt to the log profiles.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
This may lead to issues such as TMM crash if the reference count is not calculated correctly

Fix:
The reference count now is showing correct number in the log message after the fix

608555-1 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash

Component: Local Traffic Manager

Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.

Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.

Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.

Workaround:
Do not use asymmetric routing with a rate limited license.

Fix:
The VE rate shaper now works correctly when asymmetric routing is configured, tmm does not crash.

608551-3 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use SSL client that sends clean shutdown.

Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.

608509-1 : Policy learning is slow under high load

Component: Application Security Manager

Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.

Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.

Impact:
Learning suggestions appear with considerable delay, policy learning speed goes down.

Workaround:
No workaround

Fix:
Fixed an issue with slow policy learning on heavily loaded systems.

608424-2 : Dynamic ACL agent error log message contains garbage data

Component: Access Policy Manager

Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.

Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.

Impact:
The system logs garbage data.

Workaround:
Make sure the ACL entry is correct.

Fix:
Dynamic ACL error log messages no longer contain garbage data when Dynamic ACL detects incorrect syntax of an ACL entry.

608408-2 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library

Component: Access Policy Manager

Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.

Conditions:
All of the following
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.

Impact:
TMM may restart.

Workaround:
None.

Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.

608373-2 : Some iApp LX packages will not be saved during upgrade or UCS save/restore

Component: iApp Technology

Symptoms:
iApp LX packages that include dependencies on system utilities (like /bin/sh, /bin/bash, python etc.) cannot be imported to iApp LX RPM database.

Conditions:
oApp LX packages that depends on system utilities.

Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.

Workaround:
None.

Fix:
iApp LX UCS save process is updated turn off automatic dependency generation by rpmbuild so iApp LX package can be imported during UCS restore or upgrade.

608320-3 : iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum , or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.

608304-1 : TMM crash on memory corruption

Solution Article: K55292305

Component: Local Traffic Manager

Symptoms:
In rare cases tmm might crash on memory corruption.

Conditions:
It is not known what sequence of events triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes on memory corruption in rare cases.

608245 : Reporting missing parameter details when attack signature is matched against parameter value

Component: Application Security Manager

Symptoms:
A parameter is shown without parameters details or with garbled parameter details in the local logging GUI.

Conditions:
An attack signature was detected in a parameter value.

Impact:
Bad reporting

Workaround:
N/A

608024-3 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.

Fix:
This release fixes a possible failed DTLS handshake on VE platforms.

608009-1 : Crash: Tmm crashing when active system connections are deleted from cli

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address by relay agent, tmm may crash when active system connections are deleted from cli or via aging.

Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in unicast DHCP renewal packet is set to IP address of relay agent (Typically, it is set to 0 by the DHCP client)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This is not a typical network setup. Usually DHCP relay agent will not modify DHCP renewal packet to insert its own address as giaddr.

607961-1 : Secondary blades restart when modifying a virtual server's route domain in a different partition.

Component: TMOS

Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).

Conditions:
- Only happens on chassis.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.

Impact:
Traffic disrupted while secondary blades restart.

Workaround:
None.

Fix:
Secondary blades no longer restart when modifying a virtual server's route domain in a different partition.

607857-1 : Some information displayed in "list net interface" will be stale for interfaces that change bundle state

Component: TMOS

Symptoms:
Changing the bundling on an interface does not clear the following fields in the previously configured interface:
module-description, serial, vendor, vendor-oui, vendor-partnum, vendor-revision.

That information will be correct for the active interface, it is just not cleared for the previously configured interface.

Module description is not correctly reported on unbundled interfaces.

Conditions:
Bundling change on an interface

Impact:
"list net interface" on previously configured interfaces will show stale information. May be confusing.
Module description is missing from "list net interface" on unbundled interfaces.

Workaround:
Stale data will clear on a reboot. This is purely a display issue, it does not affect the functionality of the currently configured interfaces.

607803-3 : DTLS client (serverssl profile) fails to complete resumed handshake.

Solution Article: K33954223

Component: Local Traffic Manager

Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.

Conditions:
This occurs when the BIG-IP system acts as a DTLS client.

Impact:
Possible failed resumed handshake.

Workaround:
Disable session reuse.

Fix:
This release fixes a possible failed resumed DTLS handshake.

607724-2 : TMM may crash when in Fallback state.

Solution Article: K25713491

Component: Local Traffic Manager

Symptoms:
There is a chance, when HTTP in Fallback mode, that the HTTP filter will send an Abort event to the TCP filter (causing tear down) prematurely while the Aborting that was triggered by the upper filter/proxy is occurring.

TMM may crash when this happens.

Conditions:
It is not known exactly what conditions trigger this, but it has been known to occur when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a rarely occurring tmm crash that might be related to issuing HTTP::respond in the LB_FAILED event in an iRule.

607713-3 : SIP Parser fails header with multiple sequential separators inside quoted string.

Component: Service Provider

Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.

Conditions:
If a SIP header contains multiple attribute separators ',' or ';' in an attribute.

Impact:
The SIP parser flags the message as an error. If this occurs in a quote within the attribute, it should be allowed, but it will still fail, Valid SIP messages are failing to be parsed.

Workaround:
None.

Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.

607658-1 : GUI becomes unresponsive when managing GSLB Pool

Component: Global Traffic Manager (DNS)

Symptoms:
GUI Locks Up and becomes unresponsive. Most major web browsers will complain about slow javascript and prompt you to kill the script.

Conditions:
Managing an A type GSLB pool when hundereds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.

Impact:
Page takes a significantly long time to load.

Workaround:
Manage pools through tmsh, or wait for it to load.

607524-2 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.

Component: Local Traffic Manager

Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from client is not freed and memory is leaked.

Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.

Impact:
Packet memory is leaked.

Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.

Fix:
Free the original packet memory when last DHCP server is down.

607360-5 : Safenet 6.2 library missing after upgrade★

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.

Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.

Impact:
Safenet 6.2 is not functional.

Workaround:
Reinstall Safenet 6.2. Or,

run this command at all blades of BIG-IP after the installation.

ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so

Fix:
Add symbolic link to libgem at time of pkcs11d daemon start/restart.

607314-1 : Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508

Solution Article: K25075696

607304-5 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.

607246-10 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires

Component: Local Traffic Manager

Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile

Conditions:
Encrypted cookie persistence with fallback where the fallback persistence has a reasonable short timer such that a request containing a valid cookie is handled after the fallback entry has expired.

Impact:
Persistence fails after fallback expired.

Workaround:
Change cookie-encryption to preferred which allows persistence on either encrypted or decrypted cookie.

607200-1 : Switch interfaces may seem up after bcm56xxd goes down

Component: TMOS

Symptoms:
'tmsh show net interface' may show that switch ports are still up after bcm56xxd is brought down. This is because bcm56xxd does not notify mcpd that bcm56xxd will go down.

Conditions:
If the switch ports are up and bcm56xxd is brought down, 'tmsh show net interface' will show that the switch ports are still up.

Impact:
The switch ports may seem up, but traffic can't be sent/received.

Workaround:
None.

Fix:
Fix for bcm56xxd to notify mcpd that all ports become uninitialized before it goes down has already been implemented.

607152-1 : Large Websocket frames corrupted

Component: Local Traffic Manager

Symptoms:
If large Websocket frames are being sent by the end-point and this transfer is interleaved with frames being sent by the other endpoint, corrupted frames could be sent by BIG-IP.

Conditions:
Websocket profile is attached to the virtual. Large Websocket frames are sent by the end-point. This transfer is interleaved with frames being sent in the other direction.

Impact:
Connection reset because of corrupted frames being received by the end-point.

606983-3 : ASM errors during policy import

Component: Application Security Manager

Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.

ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.

Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.

Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.

Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.

Fix:
Import failure no longer occurs when importing ASM policy with more than 1000 Session Awareness Data Points. Now, there is a maximum of 1000 Session Awareness Data Points exported into an XML policy export.

606940-3 : Clustered Multiprocessing (CMP) peer connection may not be removed

Component: Local Traffic Manager

Symptoms:
- High memory usage due to connflow allocations
- conn_remove_cf_not_found stat is non-zero

Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.

Impact:
Low memory may lead to allocation failures that may lead to tmm core

Fix:
Fix validation performed on parsed CMP flow keys that allows unknown CMP connections to be removed.

606875-1 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page

Component: Advanced Firewall Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
N/A

Fix:
The javascript has improved as much as possible to reduce the time to get the website's first page.

606807-1 : i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error

Component: TMOS

Symptoms:
If the LCD is not communicating with BIG-IP when the chassis manager daemon starts occasionally LCD errors will be displayed using the sensor number rather than the name "LCD"

Conditions:
chmand restart and LCD unable to commuicate

Impact:
cosmetic

Fix:
LCD error will show name "LCD" rather than sensor number in communication error.

606771-2 : Multiple PHP vulnerabilities

Solution Article: K35799130

606710-10 : Mozilla NSS vulnerability CVE-2016-2834

Solution Article: K15479471

606575-6 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    catch { ONECONNECT::detach enable }
}.

Note: These workarounds should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.

606573-3 : FTP traffic does not work through SNAT when configured without Virtual Server★

Component: Local Traffic Manager

Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.

Conditions:
The BIG-IP system configured to allow FTP traffic through, and SNAT is configured without a virtual server.

Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.

Workaround:
None.

Fix:
FTP traffic now works through SNAT when SNAT is configured without a virtual server.

606565-2 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection

Solution Article: K52231531

Component: Local Traffic Manager

Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous 4 way handshake.

Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4 way handshake (simultaneous open) occurs as described in RFC 793.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The crash can be avoided, while still mitigating TCP 4 way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.

606521-1 : Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade

Component: Application Security Manager

Symptoms:
Policy with UTF-8 encoding has disallowed high ASCII meta-characters even after upgrade, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
System with a policy with encoding set to UTF-8 (uppercase).
Upgrading from v11.6.x/v12.x to v12.1.2 or 13.0.0.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Workaround:
None.

Fix:
The upgrade process now fixes policies that had their encoding stored in uppercase as well.

606518-3 : iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.

Component: Device Management

Symptoms:
Cannot use username containing an 'at' ( @ ) character, or specify the email address when requesting authentication token using iControl REST when 3rd party authentication provider being used.

Conditions:
Set-up the BIG-IP system to use 3rd party RADIUS or LDAP authentication and configure a username containing an 'at' ( @ ) character, or specify the email address.

Impact:
Cannot authenticate and get authentication token using iControl REST.

Workaround:
Do not use username with special characters, such as 'at' ( @ ), period ( . ), and so on).

Fix:
Updated logic to allow any special characters in username and password when 3rd party authentication system is used on the BIG-IP system.

606509-4 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★

Component: TMOS

Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.

Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).

Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).

Fix:
This release restores the process nice value of VCMP guest control-plane, so the vCMP guest no longer experiences potential frequent failovers.

606316-4 : HTTPS request to F5 licensing server fails

Component: iApp Technology

Symptoms:
Licensing BIG-IP systems through REST API fails.

Conditions:
Licensing BIG-IP systems using the REST API.

Impact:
Cannot use REST API to license BIG-IP systems.

Workaround:
Use TMUI or TMSH to license BIG-IP systems.

Fix:
Licensing BIG-IP systems through REST API now completes successfully.

606257-3 : TCP FIN sent with Connection: Keep-Alive header for webtop page resources

Solution Article: K56716107

Component: Access Policy Manager

Symptoms:
When using customized webtops (for example, using custom images for the webtop links), sometimes a TCP FIN flag will be sent with a packet with an HTTP "Connection: Keep-Alive" header. Not all clients recover from this.

Conditions:
Use a customized webtop link.

Impact:
The webtop links page does not render correctly.

Fix:
Weptop page resources no longer send FIN flags with Keep-Alive headers.

606110-2 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.

Component: TMOS

Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading a version later than 12.1.0, the default module for dataplane interfaces is UNIC modules instead of socket-based networking.

Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.

Impact:
The raw socket-based tmm driver is replaced by a UNIC driver. The socket-based driver eliminates kernel driver dependencies and provides better portability during kernel/driver upgrades.

Workaround:
None.

Fix:
BIG-IP VE socket-based networking driver retained after upgrade on AWS or Azure.

606066-2 : LSN_DELETE messages may be lost after HA failover

Component: Carrier-Grade NAT

Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.

Conditions:
CGNAT configured as an HA pair, with session logging enabled.

Impact:
An LSN_DELETE message may be missing from the logs.

Fix:
After the fix, the LSN_DELETE message will not be lost.

605983-1 : tmrouted may crash when being restarted in debug mode

Component: Local Traffic Manager

Symptoms:
tmrouted may restart after it being manually restarted with debug level equal or higher than 2.

Conditions:
tmrouted is manually restarted with debug level equal or higher than 2.
Multi route-domain setup with independent routing processes enabled on several route-domains.

Impact:
tmrouted may restart additional times which can add delay to getting back to service after manually restarting tmrouted.
Any restart of tmrouted already causes loss of dynamic routing sessions.

Workaround:
Do not use equal or higher than 2 debug level for tmrouted. This should be carried out only under recommendation from F5 Support.

Fix:
tmrouted no longer crashes when being restarted in debug mode

605982-1 : Policy settings change during export/import

Component: Application Security Manager

Symptoms:
Exporting a security policy from one device with specific learning and blocking settings selected, and then imports it to another device, the security policy does not load the expected learning and blocking settings on the target device, and is a mismatch from what is on the source device.

Conditions:
On device A: Security :: Application Security : Policy Building : Learning and Blocking Settings

• Select 'Enable' and 'Learn' under HTTP protocol compliance failed for all the sub-violations.

• Save and export the policy in XML format.

• Import to device B.

Impact:
The loaded policy on device B does not have all the options checked for HTTP protocol compliance failed for all the sub-violations as expected.

When exporting the policy from device B, the name of the exported file does not change to match device B's name, but still remains as device A's name.

Workaround:
For exporting a policy that has Policy Builder enabled, use either of the methods below:

-- Use XML export:

  + On export:
    - Stop policy builder.
    - Export to XML policy.
    - Start policy builder.

   + On import:
     - Import the XML policy.
     - Start the policy builder on the newly imported policy.

  2) Use binary export/import.

Fix:
This release fixes the XML Policy export/import processes so that there are no differences created in the 'HTTP protocol compliance' learning settings

605894-3 : Remote authentication for BIG-IP users can fail

Component: TMOS

Symptoms:
While trying to log into the command line of BIG-IP as a remotely authenticated user, login will intermittently fail. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server" but the LDAP server is up and is accessible by the BIG-IP

Conditions:
Remote authentication configured, users configured to use remote authentication, ssl-check-peer is enabled and one or more of these properties are different than "none": ssl-ca-cert-file, ssl-client-cert, ssl-client-key.

Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.

Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert and ssl-client-key to "none" can work around this issue.

605865-4 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.

605792-1 : Installing a new version changes the ownership of administrative users' files★

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.

Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer be prevented from using stored public keys in authorized_keys.

605682-2 : With forward proxy enabled, sometimes the client connection will not complete.

Component: Local Traffic Manager

Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.

Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.

Impact:
Degraded service due to connections not completing.

Workaround:
None.

Fix:
The stalling caused by a missing forged certificate no longer happens.

605627 : Selinux denial seen for apmd when it is being shutdown.

Component: Access Policy Manager

Symptoms:
When Apmd process is stopped, you observe a selinux related log which indicates that apmd process does not have the getattr permission for shared memory component owned by tmm.

Conditions:
When apmd is stopped or restarted.

Impact:
No Impact to APMD functionality. APMd stops and starts normally.

605616-1 : Creating 256 Fundamental Security policies will result in an out of memory error

Component: Application Security Manager

Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.

Conditions:
Create 256 fundamental security policies.

Impact:
Out of memory error.

Workaround:
None.

Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.

605579-8 : iControl-SOAP expat client library is subjected to entropy attack

Solution Article: K65460334

605537-5 : Error when resetting statistics on GSLB Pool Members

Solution Article: K03997964

Component: Global Traffic Manager (DNS)

Symptoms:
GUI error: "An error has occurred while trying to process your request." when attempting to reset the GSLB stats for DNS Pool Members.

Conditions:
-- In the GUI on the Statistics :: Module Statistics : DNS : GSLB :: Pool Members page.
-- Attempting to reset statistics.

Note: This occurs only on Pool Members Statistics. Other Types are unaffected.

Impact:
Inability to reset stats for BID-IP DNS Pool Members statistics from the GUI.

Workaround:
You can attempt to reset using a command line command similar to the following:

$ tmsh reset-stats gtm pool <record> <pool> members { <server_obj>:<member> }.

For example:

$ tmsh reset-stats gtm pool a myPool1 members { LTM107:/Common/myFastL4VS }.

Fix:
Fixed issue on the GSLB Pool Member stats page.

605525-1 : Deterministic NAT combined with NAT64 may cause a TMM core

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when a virtual is configured with nat64 enabled, and a deterministic NAT lsn-pool, and there is traffic.

Conditions:
lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Deterministic NAT is not supported with nat64, and should not be configured.

605480-4 : BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection

Component: Local Traffic Manager

Symptoms:
After completing an active close of an MPTCP connection, the BIG-IP sends MP_FASTCLOSE.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and MPTCP performs an active close of a connection.

Impact:
The BIG-IP retransmits MP_FASTCLOSE after the connection closing is complete until the maximum number of retransmissions is reached.

Fix:
Fixed sequence of events on connection closure.

605476-3 : statsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.

Impact:
iStatsd process will restart due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged.

3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete.

4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged.

Fix:
Added a fix to protect against a continually reading a segment file that is corrupted and has Duplicate Fids.

605427-1 : TMM may crash when adding and removing virtual servers with security log profiles

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.

Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes with multiple creation, modification and deletion of many virtual servers with security log profiles attached.

605420-5 : httpd security update - CVE-2016-5387

Solution Article: K80513384

605270-5 : On some platforms the SYN-Cookie status report is not accurate

Component: TMOS

Symptoms:
On a vCMP guest, after a ePVA-enabled virtual server enters SYN Cookie mode, the FPGA will never leave SYN Cookie mode even though BIG-IP has returned to normal mode.

Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.

Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.

Workaround:
Upgrade with new fixes for this.

Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.

605260-1 : [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0

Component: Global Traffic Manager (DNS)

Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. It gives 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed when a partition that has a default route domain other than 0 is selected.

Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.

Impact:
You will be unable to make changes to the listener.

Workaround:
Use TMSH or through LTM GUI: Local Traffic :: Virtual Servers.

605125-2 : Sometimes, passwords fields are readonly

Component: Fraud Protection Services

Symptoms:
Sometimes, passwords fields are readonly so the user won't be able to type any password.

Conditions:
WebSafe protection enabled on a site

Impact:
the user won't be able to type any password on the site.

Workaround:
N/A

Fix:
N/A

605123-1 : IAppLX objects fail to sync after establishing HA in auto-sync mode★

Component: Device Management

Symptoms:
IAppLX objects are part of REST Framework. REST Framework implements gossip based replication. This replication might not work when restFrameworkVersion in device-group device out of sync with actual restFrameworkVersion

Conditions:
DeviceInfoWorker detects and update the framework version after rest RPM upgrade. But device group device doesn't get updated correctly

Impact:
REST framework objects (Including iAppLX instances, templates, packages) fail to sync to HA peer

Workaround:
Mitigation is to run DeviceRefreshWorker and it is responsible for patching the localhost resource in all device groups with correct framework version on update. Workaround is to patch the restFrameworkVersion manually on the device-group device.

Fix:
Run the DeviceRefreshWorker and it is responsible for patching the localhost resource in all device groups with correct framework version on update.

605039-3 : lwresd and bind vulnerability CVE-2016-2775

Solution Article: K92991044

605010-1 : Thrift::TException error

Component: Application Visibility and Reporting

Symptoms:
Trying to send a scheduled report might fail in some cases with the error "Thrift::TException=HASH(0x9a65410)".

Conditions:
This occurs when sending scheduled reports.

Impact:
Failure on sending scheduled-report.

Workaround:
Modify the script to use the explicit address instead of the 'localhost' value. This can be achieved with the following command:

mount -o remount -rw /usr
sed -i 's/localhost/127\.0\.0\.1/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
mount -o remount -r /usr

Fix:
Changing script to use explicit address instead of 'localhost'.

604977-2 : Wrong alert when DTLS cookie size is 32

Solution Article: K08905542

Component: Local Traffic Manager

Symptoms:
When ServerSSL profile using DTLS receives a cookie with length of 32 bytes, the system reports a fatal alert.

Conditions:
Another LTM with ClientSSL profile issues 32-byte long cookie.

Impact:
DTLS with cookie size 32-byte fails.

Workaround:
None.

Fix:
DTLS now accepts cookies with a length of 32 bytes.

604926-3 : The TMM may become unresponsive when using SessionDB data larger than ~400K

Solution Article: K50041125

Component: Local Traffic Manager

Symptoms:
There is a hard limit on messages sizes sent on the backplane on chassis platforms. Messages larger than the limit (~400K) are refused from being sent at a lower layer but buffered for resending at a higher layer. The messages are never sent which cases backplane communication to lockup.

Conditions:
-- The BIG-IP system is a chassis with more than one blade.
-- Client traffic triggers the creation of SessionDB data larger than ~400K.

Impact:
The TMM becomes unresponsive to client traffic. If left running under load, the TMM might run out of memory from buffering SessionDB data and crash.

Workaround:
The workaround is the avoid sending large SessionDB data. The TMM may be restarted in the event it does become unresponsive.

Fix:
There is no longer a hard limit for sending SessionDB data on the backplane.

604923-5 : REST id for Signatures change after update

Component: Application Security Manager

Symptoms:
The REST id of existing signatures are unexpectedly modified after updating a User Defined Signature, or downloading an Attack Signature Update that modifies existing signatures.

Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.

Impact:
The REST id of the modified signatures is changed which may confuse REST clients.

Workaround:
Execution of the following script will repair an affected device:

perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'

Fix:
Updated Signatures now retain the correct REST id.

604885-1 : Redirect/Route action doesn't work if there is an alert logging iRule

Component: Fraud Protection Services

Symptoms:
When "Trigger iRule Events" is enabled in FPS profile and there are configured FPS rules with Route/Redirect actions, the actions will not be performed.

Conditions:
"Trigger iRule Events" is enabled in FPS profile and the virtual server has at least one iRule with ANTIFRAUD_ALERT or ANTIFRAUD_LOGIN events.

Impact:
Configured FPS rules with Route/Redirect actions will not be performed.

Workaround:
Disabling the "Trigger iRule Events" in FPS profile.

Fix:
"Trigger iRule Events" no longer breaks FPS rules with configured Route/Redirect actions.

604880-4 : tmm assert "valid pcb" in tcp.c

Component: Local Traffic Manager

Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.

604838-1 : TCP Analytics reports incorrectly reports entities as "Aggregated"

Component: Local Traffic Manager

Symptoms:
Although the user has configured TCP Analytics to store statistics for a certain entity, it reports data for that entity in a single "Aggregated" row.

Conditions:
ALL of these conditions must be true:

The TCP Analytics profile is attached to a virtual with both clientside or serverside collection turned off in the profile.

TCP profile has mptcp, rate-pace, tail-loss-probe, fast-open, AND enhanced-loss-recovery all disabled. Also, Nagle, send-buffer, receive-window, proxy-buffer are not in AUTO mode. Finally, rexmt-thresh is 3 and the congestion control algorithm is not delay-based (NewReno, HighSpeed, Cubic). Regrettably, this matches the default TCP profile.

An iRule enables TCP-Analytics when disabled by default in the tcp-analytics profile.

Impact:
Defect eliminates nearly all data granularity for TCP Analytics.

Workaround:
Change the TCP profile on the virtual to violate any of the conditions listed above. The easiest is probably to enable rate pace or mptcp. For all affected versions, this will result in a noticeable CPU performance penalty.

Fix:
Load entity information for both TCP stacks.

604767-1 : Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing SAML IdP's metadata, certificate object might not be assigned as 'idp-certificate' value of saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
Described behavior will result in misconfiguration. SAML WebSSO will subsequently fail.

Workaround:
Manually assign imported certificate as a 'idp-certificate' value of saml-idp-connector object.

604727-1 : Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★

Component: TMOS

Symptoms:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. After upgrade from 10.2.4 to 12.1.x, you are unable to use the GUI. The system posts the following message: The configuration has not yet loaded. CLI login works, and /var/log/ltm shows that the following message was recorded during the device bootup phase:

emerg load_config_files: "/usr/libexec/bigpipe base daol" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip_sys.conf Line 113): 012e0010:3: The requested value ({ i192_168_0_20_1) is invalid (<trapsess list> ` none) [add ` delete]) for 'trapsess' in 'snmpd'.

Conditions:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. The root cause is that the host parameter in the trap is encapsulated in quotation marks.

Impact:
The upgrade completes, but the configuration does not load when the system restarts.

Workaround:
After the configuration fails to load in this case, you can remove the SNMP trap destination configuration by editing the /config/bigpipe/bigip_sys.conf file, and performing a manual configuration conversion and reload to recover.

Alternatively, to prevent the configuration load failure from occurring, you can remove the SNMP trap destination configuration before you upgrade to BIG-IP 12.1.x. Both procedures require that you re-create the SNMP trap destination configuration once the upgrade to BIG-IP 12.1.x and/or configuration load are complete.

Fix:
Upgrade from 10.2.4 now completes successfully when the host parameter exists in the 10.2.4 configuration includes SNMP traps.

604612-1 : Modified ASM cookie violation happens after upgrade to 12.1.x★

Solution Article: K20323120

Component: Application Security Manager

Symptoms:
False positive modified ASM cookie violation. Perhaps other false positive cookie related violations.

Conditions:
System upgraded to 12.1.x. Existing end users are connected with their browsers to the site.

Impact:
False positive violations. A blocking page will be shown in case the modified ASM cookie is set to blocking (which is the default for this violation in case the policy is in blocking state).

Workaround:
There are three options:
A. Set the modified ASM cookie violation to transparent after an upgrade for some time after the upgrade.
B. Use the erase cookie blocking page as the default blocking page for some time after the upgrade.
C. Use an iRule similar to the following:
when ASM_REQUEST_DONE {
    if {[ASM::violation names] contains "VIOLATION_MOD_ASM_COOKIE"} {
        log local0. "remove TS01d2cce8 cookie"
        HTTP::respond 302 Location "http://sub.some_domain.com/index.html?[ASM::support_id]" "Set-Cookie" "TS01d2cce8=deleteOldTSCookie;expires=Thu, 01 Jan 1970 00:00:01 GMT"
    }

Fix:
Modified ASM cookie violation no longer happens after upgrade to this version.

604549-7 : MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data

Component: Local Traffic Manager

Symptoms:
If a DATA_FIN is received with a DATA_ACK that acknowledges data, the BIG-IP will not process the DATA_ACK and will not shutdown the connection properly as it thinks there is still outstanding data to be acknowledged.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a DATA_FIN that DATA_ACKs data is received on an MPTCP connection.

Impact:
The connection is not closed properly and eventually times out.

Fix:
Fixed DATA_FIN handling.

604547-1 : Unix daemon configuration may lost or not be updated upon reboot

Solution Article: K21551422

Component: TMOS

Symptoms:
The confpp script is invoked to pass TMOS configuration information to other non-TMOS daemons running on a BIG-IP system. When a BIG-IP system is rebooted, if TMOS configuration elements are parsed or configuration changes or other events occur early in the boot process, the corresponding changes may not be propagated to the confpp.dat file and processed by the confpp script. As a result, configuration information may not be propagated as expected to non-TMOS daemons.

A common symptom of this issue is that syslog-ng configuration is not updated to reflect the selection of the primary blade in a VIPRION chassis.

Conditions:
This issue may occur when booting an affected version of BIG-IP, such as:
- Rebooting blades in a VIPRION chassis.
- Rebooting a BIG-IP appliance or Virtual Edition instance.

Impact:
Expected configuration settings may not be applied to non-TMOS daemons upon a reboot.

For example, syslog-ng configuration may not be updated to include expected logging on the primary blade in a VIPRION chassis.

Workaround:
On a running BIG-IP system that shows symptoms of this issue, changing a db variable will trigger the confpp script to run and update the relevant non-TMOS daemons with appropriate settings from the current configuration. To implement this workaround, use the Traffic Management Shell (tmsh) to update a db variable.

For example:
tmsh modify sys db log.clusterd.level value "Informational"

This issue can be avoided by forcing the MCP configuration to be reloaded from configuration files instead of from the MCP binary database (mcpdb.bin).

For details, see:
K13030: Forcing the mcpd process to reload the BIG-IP configuration.

Fix:
Configuration data/changes that occur early in the BIG-IP boot process are propagated successfully to non-TMOS daemons by the confpp script.

604496-4 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
SQL (Oracle) monitor daemon might hang with high monitoring load (hundreds of monitors). DBDaemon debug log contains messages indicating hung connection aborting and that the address in use, unable to connect.

Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgresSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce frequency of monitor interval.
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.

Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.

604459-1 : On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up

Component: TMOS

Symptoms:
The following message appears on the console shortly after the system boots:

emerg logger: Re-starting bcm56xxd.

Conditions:
This occurs as a result of a possible race condition on On i5x00, i7x00 and i10x00 platforms.

Impact:
No functional impact, bcm56xxd daemon restarts successfully.

Workaround:
None.

604371-1 : Pagination controls missing for GSLB pool members

Component: Global Traffic Manager (DNS)

Symptoms:
The pagination controls for GSLB pool members do not appear when there are more items in the list than can be displayed (Record Per Screen)

Conditions:
Customer is running 12.1.0 - 12.1.2

Impact:
Unable to view the status of, or modify GSLB pool members beyond those displayed on the screen

Workaround:
Increase the number of Records Per Screen (System / Preferences / Records Per Screen) to a number larger than the number of items in your pool

604272-1 : SMTPS profile connections_current stat does not reflect actual connection count.

Component: Local Traffic Manager

Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.

Conditions:
This occurs if you have an SMTPS virtual server configured.

Impact:
profile_smtps_stat.connections_current rises over time and doesn't reflect actual number of SMTPS connections active.

604237-3 : Vlan allowed mismatch found error in VCMP guest

Component: TMOS

Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "

Conditions:
When a VLAN exists in the vlan-allowed list contains a VLAN which matches the suffix of another VLAN in the list and both VLANs are configured on the VCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."

Impact:
Unable to use VLAN.

Workaround:
Rename the VLANs such that no VLAN matches suffix of any other VLAN.

604223-2 : pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"

Component: Local Traffic Manager

Symptoms:
The current signal handler use 'exit' at time of 'SIGTERM'. This may result in a core under some abnormal situations.

Conditions:
When stopping pkcs11d using command like 'bigstart restart pkcs11d' or 'kill pkcs11d'.

Impact:
pkcs11d cores.

Workaround:
pkcs11d automatically comes up again after the core.

Fix:
The system now waits for all threads to finish before the pkcs11d program exits, so the core no longer occurs.

604211-1 : License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★

Solution Article: K72931250

Component: TMOS

Symptoms:
On Azure, after upgrading to any version other than 12.0.0 HF1-EHF14 or 12.1.0-HF1-EHF22, the system boots up as Not Licensed and Inoperative.

Although certain cloud-specific 12.x EHFs such as BIG-IP Virtual Edition 12.1.0 HF1 EHF1 is intended for AWS only, BIG-IP does not prevent you from accidentally downloading and installing it into Azure environments. If you upgrade Azure from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to the 12.1.0 HF1 EHF1 or 12.0.0-hf4 or 12.1.1, the Azure license becomes nonoperational and gets invalidated.

Conditions:
Upgrading a BYOL instance on Azure to 12.1.0 HF1 EHF1 or 12.1.1. The Azure-specific versions are as follows:
- 12.0.0-HF1-EHF14.
- 12.1.0-HF1-EHF22.

Impact:
License becomes unusable. Re-licensing the instance gets an invalid license.

Workaround:
The workaround for this issue is to boot back into previous boot volume, and then upgrade to 12.1.0-HF1-EHF22 in Azure.

To change default boot volume, choose one of the following methods:
1. tmsh reboot volume volume-name.
2. switchboot utility (interactive mode by default).
3. Admin UI.

For more information about the switchboot utility, see SOL5658: Overview of the switchboot utility, available here: https://support.f5.com/csp/#/article/K5658

Fix:
This release fixes the issue that occurred when the Azure license become nonoperational after upgrading to BIG-IP Virtual Edition 12.1.0 HF1 EHF1 from 12.0.0 HF1 EHF14.

Note: Do not use BIG-IP 12.1.0 HF1 EHF1 in the Azure environments.

604191-1 : AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★

Component: Application Visibility and Reporting

Symptoms:
Loading the configuration after upgrade might fail due to mishandling of scheduled-reports, with an error similar to the following:

err mcpd[5492]: 01071afc:3: Report scheduling requires specifying valid measures for entity asm_repev_ip.

Conditions:
-- AVR provisioned.
-- Having scheduled report defined on a version earlier than v12.1.0, and upgrading to v12.1.0, v12.1.0, or v12.1.0.

Impact:
Loading the configuration after upgrade might fail.

Workaround:
None.

Fix:
Loading the configuration after upgrade of scheduled-reports is now properly handled.

604133-2 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state

Component: Local Traffic Manager

Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.

Conditions:
Ramcache + another filter or iRule inspecting/modifying cookies in a Ramcache response.

Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.

Fix:
Ramcache clears the HTTP cookie cache in its responses.

604061-2 : Link Aggregation Control Protocol May Lose Synchronization after TMM Crash

Component: TMOS

Symptoms:
Traffic does not pass through a trunk interface and /var/log/ltm contains messages such as:

lacpd[6636]: 01160011:6: Link 2.2 Actor Out of Sync
lacpd[6636]: 01160012:6: Link 2.2 Partner Out of Sync

Conditions:
1) BIG-IP 2000/4000 or similar platform where "qprop tmos.lacpd_depends_on_tmm == true"
2) Passive LACP trunk
3) tmm has crashed after box has come up
4) tmm startup delayed by dumping large core file
5) tmm startup delayed by large config or busy control plane

Impact:
Trunks created by LACP do not pass traffic.

Workaround:
Restart lacpd after tmm has come up again: "bigstart restart lacpd"

Alternatively, modify /etc/bigstart/scripts/tmm.finish to restart lacpd on tmm going down

Modify this line:
for d in admd asm avrd dosl7d; do

With these:
for d in lacpd admd asm avrd dosl7d; do
        if [ `$BIGSTART singlestatus $d` = "run" ]; then
            $BIGSTART restart $d &
        fi
    done

604011-1 : Sync fails when iRule or policy is in use★

Component: TMOS

Symptoms:
After upgrading and attempting to sync to devices in a sync group, sync fails with the following error:

Load failed from 119.big.ip 01070621:3: Rule priorities for virtual server (vs1) must be unique.

Load failed from /Common/big152 01070712:3: Caught configuration exception (0), Values (/Common/vs1) specified for virtual server policy (/Common/vs1 /Common/asm_auto_l7_policy__vs1): foreign key index (vs_FK) do not point at an item that exists in the database.

Conditions:
- A virtual address exists in the traffic-group-local-only group, meaning that it is not synced
- A CPM policy or iRule is applied to that virtual server
- Conduct a sync

This was seen on an upgrade from 12.0.0 to 12.1.0 HF1 or beyond, but could be triggered on an upgrade from any version from 11.4.0 and beyond to 12.1.0 HF1.

Impact:
Config sync fails.

Workaround:
Disassociate the iRule or policy from the virtual server, then attempt to sync.

603997 : Plugin should not inject nonce to CSP header with unsafe-inline

Component: Fraud Protection Services

Symptoms:
When injecting CSP header values to enable FPS Plugin to work, unnecessary injections may invalidate the application's 'allow inline script' policy, since the more restrictive directive is always applied.

Conditions:
Server response contains either header from the 'Content-Security-Policy' header family.

Impact:
The application's inline scripts will refuse to run since FPS Plugin injects nonce. This breaks user's application.

Workaround:
None.

Fix:
CSP header's 'unsafe-inline' and 'nonce' directive injection has been made mutually exclusive.

603979-4 : Data transfer from the BIG-IP system self IP might be slow

Component: Local Traffic Manager

Symptoms:
When a large amount of data needs to be transferred using a selp IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid, however some routers drop such packets. This might result in retransmissions and low throughput

Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.

Impact:
Data transfer from the BIG-IP system's self IP might be slow.

Workaround:
Run the following command: ethtool -K tmm tso off.

Note: This has a different effect from setting db key tm.tcpsegmentationoffload to 'disable' (which is not a workaround for the issue).

Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/csp/#/article/K14397. For example,

alert tmmready "Tmm ready" {
exec command="/sbin/ethtool -K tmm tso off"
}

Fix:
Data transfer from the BIG-IP system self IP has been improved.

603945-2 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.

Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.

603875-2 : The statistic ASM memory Utilization - bd swap size: stats are wrong

Component: Application Visibility and Reporting

Symptoms:
AVR reports incorrect bd swap size statistics.

Conditions:
-- ASM provisioned.
-- Viewing swap size statistics.

Impact:
Wrong value is displayed.

Workaround:
1. Edit /etc/avr/tmstat_tables.xml
2. Change the following line:
From:
<value publishName="swap_size" columnName="swap_size" behavior="total" type="diff"/>
To:
<value publishName="swap_size" columnName="swap_size" behavior="average" type="status"/>
3. Run the following command: restart avrd.

Fix:
The statistic ASM memory Utilization - bd swap size: stats are now correct.

603825-2 : Crash when a Gy update message is received by a debug TMM

Component: Policy Enforcement Manager

Symptoms:
Debug TMM will crash when a Gy update message is received.

Conditions:
- Need a Debug TMM running
- Gy update message must be received by the BIG-IP

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use non-debug TMM.

Fix:
Added checks to detect Gy udpate messages and handle them accordingly in the debug TMM. Thus, preventing a crash in the debug TMM.

603758-1 : Big3D security hardening

Component: Global Traffic Manager (DNS)

Symptoms:
The Big3D utility, used in GTM, does not follow current secure coding best practices.

Conditions:
GTM active

Impact:
Big3D usage does not follow current secure coding best practices.

Workaround:
None.

Fix:
Update Big3D use to use current secure coding best practices.

603723-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
None.

Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.

603700 : tmm core on multiple SSL::disable calls

Component: Local Traffic Manager

Symptoms:
tmm can crash if SSL::disable is called repeatedly in an iRule event.

Conditions:
Invoking SSL::disable multiple times in the same iRule event

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a crash related to multiple calls of SSL::disable

603667-2 : TMM may leak or corrupt memory when configuration changes occur with plugins in use

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.

Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.

Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.

Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).

Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.

603609-2 : Policy unable to match initial path segment when request-URI starts with "//"

Component: Local Traffic Manager

Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".

Conditions:
Policy unable to catch request when HTTP URI path configured to match value anywhere in path or in initial path segment when the request-URI starts with "//".

Impact:
The policy does not match in this case.

Workaround:
The policy could be modified to scan the full URI instead of just the path element however care should be taken to correctly handle potential matches with absolute URIs or in the query string.

603605-1 : Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active

Component: iApp Technology

Symptoms:
After installation, the rpm on active device applications will be replicated to the standby. If standby does not have DHD installed, the installation page is never shown.

Conditions:
HA setup for DoS Hybrid Defender, with DHD only installed on Active.

Impact:
HA cannot be supported for DHD application on 12.1.0 and 12.1.1.

Workaround:
None.

Fix:
Can now install DoS Hybrid Defender on standby device in HA pair if it's already installed on active.

603598-3 : big3d memory under extreme load conditions

Component: Global Traffic Manager (DNS)

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.

When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.

For this to happen, the Active queue must be full as well as the Pending queue.

One possible condition that might cause this is if multiple Monitors time out. This results in Monitors having long life times, which keeps the Active queue full.

Thus the Pending queue might become full and the memory leak can occur.

In BIG-IP 11.1.0 versions of big3d,
the Active queue has 256 slots and
the Pending queue has 4096 slots.

In BIG-IP 11.1.0-hf3, the queue sizes were expanded to
2048 for the Active queue and 16384 for the Pending queue.

Since the queues were smaller n versions prior to
11.1.0-hf3, this leaks is more likely to manifest itself.

In later versions, the leak is still possible, but is less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitors
settings are reasonable and that big3d is not overloaded.

This will minimize the chances that the Pending queue
does not become full.

There is no mechanism to resize the queues.

Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.

603550-1 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Solution Article: K63164073

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, has both the FastL4 profile and layer 7 profile (HTTP) syn flood to the virtual server).

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.

Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.

603397-2 : tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config

Component: Service Provider

Symptoms:
tmm will core if the transport config specified in a MR::message route iRule command does not exist.

Conditions:
the transport config specified in a MR::message route iRule command does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the correct name for the trasnport-config object.

Fix:
fixed a tmm core.

603236-1 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware

Component: Local Traffic Manager

Symptoms:
Creating 1024 and 4096 size keys fail when the SafeNet client version installed on BIG-IP is 6.2 and SafeNet appliance firmware is 6.10.9.

Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.

Impact:
Cannot create 1024 or 4096 size RSA keys.

Workaround:
None.

Fix:
Removed the config line, RSAKeyGenMechRemap = 1, that was conflicting with 6.10.9 firmware.

603234-3 : Performance Improvements

Component: Fraud Protection Services

Symptoms:
Certain detection algorithms can slow down the client application.

Conditions:
FPS enabled, full AJAX encryption enabled

Impact:
Client side AJAX detection can be slow.

Fix:
The performance of some detection algorithms has been improved

603149-2 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy

Component: TMOS

Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.

Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.

Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.

Workaround:
Before the fix, decrease lifetime-kilobytes until properly stable.

Fix:
The fix should make every value no more than 4294967295 kilobytes work correctly, without becoming some smaller value. (Note this value is 2^32-1.) If the size of ike-phase2-lifetime-kilobytes becomes 64-bit in the future, this will also work, causing a 64-bit value for kilobytes to occur in isakmp negotiation.

603082-3 : Ephemeral pool members are getting deleted/created over and over again.

Component: Local Traffic Manager

Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.

Impact:
Traffic disrupted while mcpd restarts.

603032-1 : clientssl profiles with sni-default enabled may leak X509 objects

Component: Local Traffic Manager

Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.

Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.

Impact:
The amount of leakage will depending on the number of virtuals with sni-default-enabled clientssl profiles and frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.

Workaround:
No workaround short of not using sni-default.

Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.

603019-3 : Inserted SIP VIA branch parameter not unique between INVITE and ACK

Component: Service Provider

Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.

Conditions:
If the CSEQ number of a SIP message is the same, the inserted VIA header will contain the same branch parameter.

Impact:
SIP proxy servers which perform strict message validations may reject the call.

Fix:
Included a hash of the branch parameter of the received top-most via header into the branch parameter of the inserted via header. Thus is the received top-most via conforms to the spec and generates a different branch parameter between INVITE and ACK, the inserted via will have a different branch parameter.

602975-1 : Unable to update the HTTP URL's "Header-Based Content Profiles" values

Component: Application Security Manager

Symptoms:
When HTML5 Cross-Domain Request Enforcement is enabled on a URL, Header-Based Content Profiles cannot be updated.

Conditions:
HTML5 Cross-Domain Request Enforcement is enabled on a URL.

Impact:
Header-Based Content Profiles cannot be updated on the URL.

Workaround:
Use the following procedure:
1. Disable HTML5 Cross-Domain Request Enforcement on the URL.
2. Update the Header-Based Content Profiles.
3. Re-enabled HTML5 Cross-Domain Request Enforcement.

Fix:
Updating Header-Based Content Profiles for a URL with HTML5 Cross-Domain Request Enforcement is now successful.

602854-8 : Missing ASM control option from LTM policy rule screen in the Configuration utility

Component: TMOS

Symptoms:
In the Configuration utility, when creating or editing a LTM policy, the ASM control option may be missing from the rule screen.

Conditions:
Whether the ASM control option is present or missing purely depends on the license installed on the system.

The system incorrectly reports certain licensed modules to the Configuration utility, which fails to parse them and ultimately to display the ASM control option. If you wish to determine whether you are affected by this issue, SSH to the advanced shell of the BIG-IP system and run this command:

# grep -E '^active module : [^|]*\|[^|]*$' /config/bigip.license

If any output is returned, then you are affected by this issue.

Impact:
ASM cannot be enabled in LTM policies using the Configuration utility.

Workaround:
Use the TMSH utility to enable ASM in LTM policies.

Fix:
ASM can now be enabled in LTM policies using the Configuration utility regardless of the license installed on the system.

602830-1 : BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode

Component: TMOS

Symptoms:
The LCD display does not indicate diagnostic mode when you stop BIG-IP daemons(bigstart stop) and run platform_check diagnostic command.

Conditions:
Dignostic mode is not displayed on LCD.

Impact:
There is no visible indication on LCD display to indicate when system in diagnostic mode.

Fix:
Diagnostic message display on LCD when system is diagnostic mode.

602654-2 : TMM crash when using AVR lookups

Component: Application Visibility and Reporting

Symptoms:
When trying to find/insert data into AVR lookups TMM/AVR core might occur.

Conditions:
AVR lookups in use.

Impact:
tmm crashes. The crash occur when two processes simultaneously try to access the same cell in the lookup. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using AVR lookups.

602653-1 : TMM may crash after updating bot-signatures

Component: Local Traffic Manager

Symptoms:
TMM may crash after DOSL7 bot signatures config has changed.

Conditions:
This is likely to happen after DOSL7 bot signatures config has changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Try adding/removing some signatures, this should avoid the crash.

Fix:
Fixed a memory corruption when updating bot signatures.

602502-2 : Unable to view the SSL Cert list from the GUI

Component: TMOS

Symptoms:
When you try to see information about any SSL certificates in the GUI, it displays an error: An error has occurred while trying to process your request.

Conditions:
Can not view any SSL certificates in the GUI if at least one certificate has a double extension(like test.crt.crt) in its name.

Impact:
Unable to view the any SSL Cert from the GUI

Workaround:
Delete such certificate through TMSH and reimport without .crt extension in the certificate name.

delete sys file ssl-cert test.crt.crt

Fix:
Should be able to view/delete/export certificates from GUI.

602434-1 : Tmm crash with compressed response

Component: Application Visibility and Reporting

Symptoms:
AVR decompressed all the traffic in order to do classification.
This can cause tmm core due to too many decompress request.

Conditions:
Sending stressed compressed traffic on virtual with dos profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
AVR will ask no more than 10 decompressed request simultaneously.

602429-1 : DNS suffix is not restored after disconnecting Network Access

Component: Access Policy Manager

Symptoms:
DNS suffix search list is not restored after disconnecting the VPN connection. The client DNS search list retains the suffix that came from Network Access Resource.

Conditions:
-- On Microsoft Windows.
-- Use APM client to establish VPN tunnel.

Impact:
Certain hostname resolution may fail.

Workaround:
There is no workaround at this time.

Fix:
DNS suffix is restored after disconnecting from VPN.

602385-1 : Add zLib compression

Component: Local Traffic Manager

Symptoms:
Current driver supports only compress GZip and compress deflate.

Conditions:
APM Network Access tunnel has an option for compression. Compression is implemented in GZIP hudfilter which uses COMPRESS_ZLIB compression method. Currently only 'zlib' compression provider (software based) is implementing this method. None of the hardware providers (such as Coleto Creek) support it; they support COMPRESS_DEFLATE and COMPRESS_GZIP. GZIP hudfilter could use all 3 methods, but only ZLIB is compatible with current and older versions of the client. To preserve backward compatibility it must use ZLIB.

Impact:
Current compression hardware (such as Coleto Creek) is needed to support ZLIB method, otherwise compression in APM Network Access tunnel does not scale.

Workaround:
None.

Fix:
zLib compression is now supported.

602376-1 : qkview excludes files

Component: TMOS

Symptoms:
When running the qkview command to generate a diagnostic file, some files are omitted from the qkview.

Conditions:
This occurs when running qkview, when the configuration settings for qkview for the admin user include the --exclude flag. For example if the setting has --exclude core then none of the core files will be included in the qkview even if it is run without the --exclude parameter.

Impact:
Debugging of issues impaired if the missing files were needed to resolve the problem.

Workaround:
None.

Fix:
Corrected errors and made sure all files are included or excluded as designed.

602366-1 : Safenet 6.2 HA performance

Component: Local Traffic Manager

Symptoms:
With Safenet 6.2 HA setup, you only sees the performance of one HSM.

Conditions:
Safenet 6.2 client is installed and Safenet HA is used.

Impact:
Only one HSM is used for the HA setup.

Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>

Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable

Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test

Fix:
Installation script is updated for Safenet 6.2 HA.

602358-5 : BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version

Component: Local Traffic Manager

Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.

Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.

The problem occurs if the SSL/TLS server requires the ClientHello (both in the Record layer and Handshake Protocol) in the new ClientHello to be exactly the same as the SSL/TLS version of the first ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.

Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.

Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.

Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.

Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:

1. The default is disable, which means that the 2nd ClientHello SSL/TLS version will be set to the negotiated version in the 1st round ServerHello.

2. If it is set to enable, both ClientHello versions will be exactly the same.

602326-1 : Intermittent pkcs11d core when installing Safenet 6.2 software

Component: Local Traffic Manager

Symptoms:
Sometimes you may see pkcs11d core when stopping/restarting pkcs11d service.

Conditions:
bigstart issues "stop" to pkcs11d while pkcs11d receives message.

Impact:
pkcs11d may core intermittently.

Workaround:
pkcs11d may automatically restart without intervention.

Fix:
Fixed pkcs11d signal handler and avoid sys_call in the signal handler.

602300-1 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address

Component: Global Traffic Manager (DNS)

Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the tmsh command
tmsh modify sys dns name-servers add { <IPv6> }

as the first dns name-server.
This will show in the /etc/resolv.conf file (an example)
nameserver 2001::1
nameserver 192.168.100.1

Conditions:
When an IPv6 nameserver is the first server defined.

Impact:
ZoneRunner records cannot be modified.

Workaround:
Do not use DNS server with IPv6 address or add IPv4 server at top of the list.

Fix:
The IP address type was not set properly while communicating with BIND. This does not matter if the first nameserver listed is an IPv4 address or if there are no nameservers listed at all.

If the first nameserver listed is an IPv6 and the IP address type is not set to IPv4 (AF_INET), BIND libraries will attempt to use the IPv6 library from /etc/resolv.conf.

We not properly set the AF_INET type to IPv4.

602221-2 : Wrong parsing of redirect Domain

Component: Application Security Manager

Symptoms:
ASM learns wrong domain names

Conditions:
no '/' after domain name in the redirect domain

Impact:
wrong learning suggestion can lead to wrong policy

Workaround:
N/A

Fix:
Fixing an issue with parsing the URL in the location header

602171-1 : TMM may core when remote LSN operations time out

Component: Carrier-Grade NAT

Symptoms:
TMM configured with LSN may core during high utilization, when local endpoint resources are exhausted, and request for remote resources times out.

Conditions:
LSN remote operation time out. LSN can request remote TMM for resources when local resources are exhausted, when such request time out, this can result in a core in affected versions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM LSN remote operations will no longer cause core.

602136-5 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that drops a connection.

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

602061 : i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages

Component: TMOS

Symptoms:
When firmware is updated on a i5000, i7000, i10000 series series appliance messages appear on the console indicating the update is in progress. The messages are inconsistent, some give an expected time the update will take and some do not.

Conditions:
Firmware update following the installation of a new iso with new firmware that must be programmed.

Impact:
cosmetic

Workaround:
None

602040-3 : Truncated support ID for HTTP protocol security logging profile

Component: Local Traffic Manager

Symptoms:
The HTTP Protocol Security logging profile yields to incomplete support ID published in the local storage.

Conditions:
Configuration: LTM with Protocol Security Module provisioned, LTM virtual server with HTTP Protocol Security and local-storage logging profile attached. The log-db entries created by the HTTP Protocol Security logging profile have a truncated support ID.

Impact:
The support ID presented to the user does not match the one in the logs because the log entry is truncated (missing a few digits)

Workaround:
There is no workaround

601989-3 : Remote LDAP system authenticated username is case sensitive★

Solution Article: K88516119

Component: TMOS

Symptoms:
Unable to login via ssh, with cause being reported as 'user account has expired'. Wrong role being assigned for remote-user.

Conditions:
The character-case for the username returned from LDAP must match the login username and the configured account name. This can be exposed on an upgrade from 11.6.0 to 12.1.0 or 12.1.1.

Impact:
Unable to login via ssh with remote-user or remote-user being assigned incorrect role when multiple accounts exists with the same name and mixed case.

Workaround:
Avoid configuring the same account username with different case. The authenticated user account in TMOS used to login should exactly match the user account name returned from LDAP.

Fix:
When logging in to BIG-IP via ssh, the case of the logged-in user name is preserved when authenticating against an LDAP source, and matched in a case-sensitive manner to the appropriate locally defined user role.

601938-2 : MCPD stores certain data incorrectly

Solution Article: K52180214

601927-1 : Security hardening of control plane

Solution Article: K52180214

Component: TMOS

Symptoms:
File permissions changes needed as found by internal testing

Conditions:
N/A

Impact:
N/A

Fix:
Apply latest security practices to control plane files.

601924-1 : Selenium detection by ports scanning doesn't work even if the ports are opened

Component: Advanced Firewall Manager

Symptoms:
When selenium server package is running on an end point and a traffic being sent from there, proactive bot defense mechanism doesn't see selenium server opened ports.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
Low impact as the selenium detection by ports scan has a low score and doesn't mitigate a client, unless it has another suspicious client properties (for example tor browser)

Workaround:
N/A

Fix:
Ports scanning has fixed - wider range of ports are scanned.

601919-2 : Custom categories and custom url filter assignment must be specific to partition instead of global lookup

Component: Access Policy Manager

Symptoms:
Custom categories lookup and matching is not partition specific.

Conditions:
Create SWG Explicit VS, access policy, per-request policy, custom-category with a glob URL and URL filter in custom partition say partition1
and similarly create similar set in partition2 (Note make sure the glob URL is matched in custom categories in 2 different partitions). Set the browser to explicit proxy:port information of partition1 VS and access the URL to be matched to the custom category.

Impact:
Partition specific custom category match is not available if user specific whitelist needs to be applied.

Workaround:
None

Fix:
Code to check custom categories only for the partition that connflow belongs to and Common partition has been added

601905-1 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server

Component: Access Policy Manager

Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.

Conditions:
Most likely, the POST request contains large post data.

Impact:
The POST request will fail.

Workaround:
The following iRule will workaround the issue:

when HTTP_REQUEST {

  if {[HTTP::method] eq "POST"}{
    # Trigger collection for up to $max_collect of data
    set max_collect 1000000
    if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect}{
      set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length $max_collect
    }
    # Check if $content_length is not set to 0
    if { $content_length > 0} {
      HTTP::collect $content_length
    }
  }

601893-2 : TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.

Component: TMOS

Symptoms:
Tmm cores. There might be messages similar to the following notice in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rarely occurring issue.

Conditions:
This extremely rare issue occurs when the following conditions are met:
Dynamic BWC use with dynamic change in rate for each instance.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use dynamic modification of rates for dynamic policies.

Fix:
You can now successfully use dynamic modification of rates for dynamic policies.

601828-1 : An untrusted certificate can cause tmm to crash.

Solution Article: K13338433

Component: Local Traffic Manager

Symptoms:
If the certificate sent by an SSL server to the server-side BIG-IP profile is untrusted, tmm might crash.

Conditions:
-- Server-side SSL profile is attached to a virtual server.
-- The SSL server sends an untrusted certificate to the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system will now log the certificate name 'unknown' if an SSL server sends an untrusted certificate, and tmm does not restart.

601709-2 : I2C error recovery for BIG-IP 4340N/4300 blades

Solution Article: K02314881

Component: TMOS

Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.

Conditions:
This rarely happens.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.

Workaround:
bigstart restart bcm56xxd

Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.

601536-1 : Analytics load error stops load of configuration★

Component: Application Visibility and Reporting

Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.

Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.

Impact:
Configuration fails to load, will not pass traffic.

Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.

Fix:
An analytics configuration that was valid in a previous release now loads successfully in the current release.

601527-4 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

Fix:
Fixed a memory lean in mcpd

601502-4 : Excessive OCSP traffic

Component: TMOS

Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.

Conditions:
Virtual server configured with an OCSP profile

Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.

Workaround:
None.

Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.

601496-4 : iRules and OCSP Stapling

Component: Local Traffic Manager

Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.

You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.

Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stabling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.

Impact:
TMM memory used increases gradually, eventually the aggressive mode sweeper is activated.

Workaround:
None.

Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.

601420-3 : Possible SAML authentication loop with IE and multi-domain SSO.

Component: Access Policy Manager

Symptoms:
When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may encounter authentication loop and never complete the access policy.

Conditions:
APM is configured with SAML authentication and multi-domain SSO.

Impact:
Using Internet Explorer, the client may not be unable to connect to its desired destination.

Workaround:
Chrome and Firefox do not seem to be affected.

Fix:
Use cookie for session for multi-domain if TOKEN lookup fails. Previously, the cookie was ignored for multi-domain response URI. However, with the introduction of TOKEN based session lookup, this causes a failure if the client retries the request (since the TOKEN was consumed in the request prior to the retry).

601378-2 : Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons

Component: Application Security Manager

Symptoms:
These errors can be observed in '/var/log/asm':
-------------------------
The caller:[F5::ASMConfig::Entity::Charset::get_policy_encoding_type] did not pass in a value for 'encoding_name' to retrieve the 'encoding_type' for -- aborting.

ASM subsystem error (asm_config_server.pl,): ASM Config server died unexpectedly

ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads.

ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: asm_config_server.pl, Failure: Insufficient number of threads.
-------------------------

Conditions:
ASM provisioned.
Create security policy with "Auto accept" language.

Impact:
ASM daemons restart, numerous errors in asm log.

Workaround:
None.

Fix:
Creating an ASM security policy with "Auto accept" language no longer leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons

601309 : Locator LED no longer persists across reboots

Component: TMOS

Symptoms:
The Locator LED (blinking F5 logo ball) state could be retained across reboots if the TMSH config was saved. The intended behavior is to default to disabled on reboot.

Conditions:
Setting the Locator to "enabled" via either the LCD or TMSH, then saving the TMSH config.

Impact:
i5600, i5800, i7600, i7800, i10600, and i10800 appliances

Workaround:
Disable the Locator LED and save the TMSH config

Fix:
Fixed Locator LED state persisting through reboots

601268-5 : PHP vulnerability CVE-2016-5766

Solution Article: K43267483

601255-4 : RTSP response to SETUP request has incorrect client_port attribute

Component: Service Provider

Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)

Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection

Impact:
Unicast media may forwarded to incorrect UDP port (0).

Fix:
Initialize 'client_port' attribute to value received from server when re-writing response to client.

601180-2 : Link Controller base license does not allow DNS namespace iRule commands.★

Solution Article: K73505027

Component: Global Traffic Manager (DNS)

Symptoms:
The Link Controller base license improperly prevents DNS namespace iRule commands.

Conditions:
A Link Controller license without an add-on that allows Layer 7 iRule commands.

Impact:
An administrator cannot add DNS namespace commands to an iRule. Cannot upgrade from a pre-11.5 configuration, where the commands were working, to 11.5.4 through 12.1.2.

Workaround:
To enable upgrade, remove DNS namespace commands from the configuration prior to upgrade.

Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.

601178-6 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is 'preferred' in the http cookie persistence profile, when the client presents a plain-text route domain formatted cookie the BIG-IP will ignore the cookie and re-load balance the connection.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.

601168-1 : Incorrect virtual server CPU utilization may be observed.

Component: TMOS

Symptoms:
The virtual_server_cpu_stat table counters are always at zero.

Conditions:
ASM license is in effect.

Impact:
Wrong CPU utilization per virtual server.

Workaround:
No workaround.

Fix:
An issue in computing CPU averages for virtual server has been resolved.

601083-1 : FPS Globally Forbidden Words lists freeze in IE 11

Component: Fraud Protection Services

Symptoms:
When attempting to move more than 1 item in Globally Forbidden Words in Internet Explorer 11 browser, the lists freeze.

Conditions:
FPS Provisioned
Add 2 or words in "Search for malicious words in the HTML or JavaScript code"

Impact:
FPS GUI freezes

Workaround:
Add 1 item each time and save.
Use tmsh.

Fix:
Internet Explorer 11 will not freeze if moving more than one item at a time.

601076 : Fix watchdog event for accelerated compression request overflow

Component: TMOS

Symptoms:
Accelerated compression requests that exceed 128 in-flight requests can cause a watchdog event.

Conditions:
Very rapid queuing of concurrent accelerated compression requests.

Impact:
TMM generates an HA failover driven by the accelerated compression watchdog timer.

Workaround:
Disable accelerated compression by disabling hardware accelerated compression with:

% tmsh modify sys db compression.strategy value softwareonly

Fix:
Apply a constraint on accelerated compression request DMA ring so no more than 128 in-flight requests are queued at any one time.

601059-6 : libxml2 vulnerability CVE-2016-1840

Solution Article: K14614344

601056 : TCP-Analytics, error message not using rate-limit mechanism can halt TMM

Component: Application Visibility and Reporting

Symptoms:
An error message is displayed when TCP-Analytics fails to save new data. This error message is not rate-limited, as all other TMM error messages are, so if the error situation is encountered very frequently, the message will be displayed only occasionally, and not for every error event.

Since the error message is not rate-limited, hitting this error many times might eventually lead to TMM halt.

Conditions:
-- TCP-Analytics is assigned to virtual server.
-- The aggregation method of TCP Analytics causes a full table situation because of the distribution of the client IP addresses and subnets.

Impact:
TMM can halt. Traffic disrupted while tmm restarts.

Workaround:
Remove TCP-Analytics from virtual servers.

Fix:
Error message is performed with rate-limiting mechanism.

601035 : TCP-Analytics can fail to collect all the activity

Component: Application Visibility and Reporting

Symptoms:
When the traffic reaching the BIG-IP system comes from a very large number of different client IP addresses and subnets, the TCP-Analytics table can get full, which leads to ignoring the activity that follows, until next snapshot of data.

Conditions:
-- TCP-Analytics profile is attached to a virtual server.
-- Incoming traffic represents a large amount of client IP addresses and subnets (the exact number that causes the full table condition depends on machine type and provisioned modules).

Impact:
TCP Analytics is showing only some of the activity, not all of it. In addition, numerous log messages might fill the logs.

Workaround:
Disable TCP-Analytics.

Fix:
Aggregation method of TCP Analytics was fixed, so the system no longer reaches the full table situation, no matter the distribution of the client IP addresses.

600982-5 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"

Component: Local Traffic Manager

Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.

Conditions:
No conditions to be set, however this is a very rare occurrence in which a random number generator can technically generate the number Zero ( 0 ) which would trigger this.

Impact:
Traffic disrupted while TMM restarts, and failover occurs if high availability is configured. Mirroring and LB may be lost with renegotiation for certain types of traffic.

Workaround:
None.

Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.

600894-1 : In certain situations, the MCPD process can leak memory

Component: TMOS

Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:

err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.

Conditions:
So far, this issue has only been observed while updating a large external data-group file object.

Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.

600859-2 : Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★

Component: TMOS

Symptoms:
After upgrading 11.6.0 Hourly instances to 12.1.0 EHF Hourly instances with Instance Registration support, instance license becomes invalid and BIG-IP is unable to acquire a new hourly license.

Conditions:
Upgrading 11.6.0, or earlier Hourly Licensing instance to 12.1.0 HF1 EHF.

Impact:
License is invalidated and instance becomes unusable.

Workaround:
- Run "/usr/libexec/autoLicense -l" from command-line.

Fix:
Module licenses correctly after upgrade from 11.6.0 to 12.1.0 HF2 or later.

600827-8 : Stuck Nitrox crypto queue can erroneously be reported

Solution Article: K21220807

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Hardware Error(Co-Processor): n3-crypto0 request queue stuck.

Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses Nitrox PX or Nitrox 3 encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Workaround:
None.

Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.

600811-2 : CATEGORY::lookup command change in behaviour★

Component: Access Policy Manager

Symptoms:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions.

Only a valid hostname can be used and have its category returned.

In versions prior to v12.1.1, the following iRule command is valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, the previous example you need to remove the HTTP::uri statement. If an HTTP::uri is provided to the command, an error will be returned

err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

Correcting the iRule for post-v12.1.1 installation, the example must be modified to pass in the HTTP::host only, as follows:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.

Conditions:
- BIG-IP licensed and provisioned for:
o APM and URL Filtering
o URL Filtering (used for SSL Bypass decisions in SSL Air-Gap deployments).
- An iRule that supplies a URI path to the CATEGORY::lookup iRule command.
- Upgrading from pre-v12.1.1 versions that use the CATEGORY::lookup iRule command and use an HTTP::uri or pass in a plain text string that contains anything other than an HTTP hostname.

Impact:
There is an error returned from the command. This can cause errors in existing deployments.

Workaround:
Update the iRule to only pass an HTTP hostname to the CATEGORY::lookup iRule command

Fix:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions.

Only a valid hostname can be used and have its category returned.

Behavior Change:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions.

Only a valid hostname can be used and have its category returned.

In versions prior to v12.1.1, the following iRule command is valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, the previous example you need to remove the HTTP::uri statement. If an HTTP::uri is provided to the command, an error will be returned

err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

Correcting the iRule for post-v12.1.1 installation, the example must be modified to pass in the HTTP::host only, as follows:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.

600662-9 : NAT64 vulnerability CVE-2016-5745

Solution Article: K64743453

600614-5 : External crypto offload fails when SSL connection is renegotiated

Component: Local Traffic Manager

Symptoms:
If and external crypto offload client is configured with an SSL profile and renegotiation is enabled for the SSL profile, the crypto client connection will fail when the SSL connection is renegotiated.

Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.

Impact:
Crypto client connection to the crypto server will fail.

Workaround:
Disable renegotiation on the SSL profile.

Fix:
The crypto client connection to the crypto server will no longer fail when the SSL connection is renegotiated.

600593-1 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests

Component: Local Traffic Manager

Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.

Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.

Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.

Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:

when HTTP_PROXY_REQUEST {
   if { [HTTP::method] equals "CONNECT" } {
      ONECONNECT::reuse disable
   }
   else {
      ONECONNECT::reuse enable
   }
}

600558-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

Fix:
Errors are no longer logged after deleting user in GUI.

600357-2 : bd crash when asm policy is removed from virtual during specific configuration change

Component: Application Security Manager

Symptoms:
BD restarts and produces a core file

Conditions:
A configuration change which involves headers configuration or a policy re-configuration and at the same time, while this update is taking place the ASM policy is removed from the virtual.
This is more likely to happen in scripted tests than in the field.

Impact:
Traffic gets dropped while the ASM gets restarted.

Workaround:
Don't change ASM configuration at the same time as changing the virtual server configuration.

Fix:
System will still restart but will not produce a core file when this happens.

600232-9 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366

600223-2 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366

600205-9 : OpenSSL Vulnerability: CVE-2016-2178

Solution Article: K53084033

600198-2 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033

600119-3 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions

Component: Access Policy Manager

Symptoms:
When connected to the vpn and wifi adapter is enabled (not connected to any wlan) access to websites outside the vpn is very slow.
Access is fine when wifi interface is disabled.

Conditions:
- number of DNS servers configured for active network adapters matches the number of DNS servers configured in Network Access resource

Impact:
User experience while navigating servers outside of VPN scope is impacted by increased connection time

Workaround:
Disable unused adapters or change the number of configured DNS servers

Fix:
DNS requests for names outside the VPN scope sent to VPN DNS server are redirected to DNS servers from NIC using Round Robin algorithm

600069-6 : Portal Access: Requests handled incorrectly

Solution Article: K54358225

600052-1 : GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system

Component: Local Traffic Manager

Symptoms:
Cannot access SSL certs/keys using the GUI. GUI displays "Internal Server Error" page.

Conditions:
Having large (~3k) number of SSL certs/keys in the system.

Impact:
Cannot use the GUI to view/edit the SSL certs/keys.

Workaround:
User tmsh to access SSL certs/keys.

Fix:
Can now access SSL certs/keys using the GUI

599858-7 : ImageMagick vulnerability CVE-2015-8898

Solution Article: K68785753

599839-3 : Add new keyords to SIP::persist command to specify how Persistence table is updated

Component: Service Provider

Symptoms:
SIP::persist command keywords were not present prior to 12.1.2

Conditions:
Using the SIP::persist command in an iRule

Impact:
Limited control via SIP::persist

Workaround:
N/A

Fix:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.

-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry, if no entry exists, add a new entry based on the result of this message
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.

Behavior Change:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.

-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry, if no entry exists, add a new entry based on the result of this message
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.

599816-2 : Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.

Component: TMOS

Symptoms:
Packets arriving on members of the VLAN group are CMP redirected. Redirections may be tracked with the tmm/flow_redir_stats table.

Conditions:
VLANs in the VLAN group must have different cmp-hash settings. For example, one VLAN may configure src-ip and another dst-ip.

Impact:
Throughput drops because of the redirections. However, because this is an error in the software disaggregator, components and features which depend on correct disaggregation may fail. Some features of PEM may fail.

Fix:
Packets are correctly disaggregated without redirections.

599803 : TMM accelerated compression incorrectly destroying in-flight contexts.

Component: Performance

Symptoms:
You see a tmm core while using compression profiles.

Conditions:
Related to use of hardware compression.

Impact:
Report of a watchdog event, or an ASSERT generated by the compression layer. Traffic disrupted while tmm restarts.

Workaround:
Disable accelerated compression using the following command:

% tmsh modify sys db compression.strategy value softwareonly.

Fix:
The system now correctly dispatches cancelled in-flight accelerated compression contexts when cancellation comes while hardware is still actively compressing.

599769 : TMM may crash when managing APM clients.

Component: Local Traffic Manager

Symptoms:
When managing APM clients it is possible to encounter a rare tmm crash.

Conditions:
APM enabled and actively managing clients.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
There is no longer a rarely encountered TMM crash when managing APM clients.

599720-2 : TMM may crash in bigtcp due to null pointer dereference

Component: Local Traffic Manager

Symptoms:
TMM crashed in bigtcp_queue_pkt() due to null pointer dereference of clientside flow.

Conditions:
This only occurs for serverside flow whose peer no longer exists.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
A problem of null pointer dereferece in bigtcp has been fixed.

599536-1 : IPsec peer with wildcard selector brings up wrong phase2 SAs

Solution Article: K05263202

599521-5 : Persistence entries not added if message is routed via an iRule

Component: Service Provider

Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.

Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.

Impact:
Since MRF SIP persistence may be bidirectional, not having the persistence entry will keep message flowing in the opposite direction from being automatically routed via persistence.

Workaround:
An iRule could be used to route messages directed towards the original client.

Fix:
MRF SIP will add a persistence entry for message routed via an iRule.

599424-2 : iApps LX fails to sync★

Component: iApp Technology

Symptoms:
In a device group, iApps LX applications fail to sync to the other devices. In restjavad.0.log you notice this log entry, approximately once per hour:

[8100/tm/shared/BIG-IP-failover-state BIG-IPFailoverStateWorker] Failed to discover [address]: java.lang.IllegalStateException: Authentication Failure to host [address]. Please check the credentials provided.

Conditions:
- This occurs after upgrading devices in a device group from 12.1.1 to a version higher than 12.1.1, such as 12.1.1 HF1.

- It can also occur on UCS restore.

- This occurs after upgrading devices in a device group from 12.1.0 to a version higher than 12.1.0, such as 12.1.0-HF1 (or above).

- Also found this can occur with a clean install of v12.1.2-Final and upgraded to v12.1.2 HF1.

Impact:
If you do not have iApps LX configured, there should be no impact other than the warning in restjavad.0.log which you can safely ignore. If you have iApps LX configured and the iApp is not syncing, then this will impact traffic if a failover event occurs.

Workaround:
None.

Fix:
iApps LX will now sync correctly.

599423-1 : merged cores and restarts

Solution Article: K24584925

Component: TMOS

Symptoms:
The vCMP host overwrites the stats table with data from guests.

Conditions:
vCMP running SSL traffic for more than one day.

Impact:
An internal value that tracks the interfaces changes, and merged cores and restarts.

Workaround:
None.

Fix:
The host no longer overwrites the reference values in the interface stats table, so merged does not core and restart.

599285-2 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Solution Article: K51390683

599223-1 : Prevent static destructors in tmipsecd daemon

Component: TMOS

Symptoms:
The tmipsecd daemon can leave a core when it exits main().

Conditions:
When tmipsecd exits deliberately, say in response to an exception, this can crash during program cleanup, despite the cleanup not being necessary. What begins as a clean termination turns into a messy crash.

Impact:
Generation of a distracting core, using disk space and attracting user attention unnecessarily. (Since tmipsecd was restarting anyway, the restart is not extra impact.)

Workaround:
there is no workaround.

Fix:
When a tmipsecd process terminates, cleaning up globals on shutdown is unnecessary, so this has now been prevented. So we cannot get a core when cleanup fails.

599221-1 : ASM Policy cannot be created in non-default partition via the Import Policy Task

Component: Application Security Manager

Symptoms:
An ASM Policy cannot be created in a non-default (/Common) partition using the Import Policy Task (/mgmt/tm/asm/tasks/import-policy).

Conditions:
User attempts to create a new ASM policy in a non-/Common partition using a file or template via the import policy tasks.

Impact:
Policy is created in /Common instead of the specified partition.

Workaround:
1) Create a Policy in the desired partition via a POST to the /mgmt/tm/asm/policies endpoint.
2) Execute the Import Policy Task (/mgmt/tm/asm/tasks/import-policy) using the created policy as the policyReference to overwrite it.

Fix:
Policy Import creates new policies in the specified partition.

599191-2 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Component: TMOS

Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.

Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Impact:
A stale key is left on the FIPS card. There is no impact to functionality.

Workaround:
Check for the handles/key-ids of the keys in configuration using tmsh. Then remove the key that is not in use using the command tmsh delete sys crypto key <keyname>

599168-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Solution Article: K35520031

599135-2 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump

Component: Local Traffic Manager

Symptoms:
B2250 blades may suffer from continuous TMM CPU utilization when tcpdump has been in use.

Conditions:
Run tcpdump on a B2250 platform

Impact:
Increment in TMM CPU utilization with every run of tcpdump.

Workaround:
Restart TMM, avoid the use of tcpdump.

Fix:
B2250 blades no longer suffer from high TMM CPU utilisation with tcpdump

599121-2 : Under heavy load, hardware crypto queues may become unavailable.

Solution Article: K24036315

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
-- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
-- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
-- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.

Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.

599054-2 : LTM policies may incorrectly use those of another virtual server

Component: Local Traffic Manager

Symptoms:
LTM policies may use policies configured on another virtual server.

Conditions:
- A configurations with several virtual servers and several configured ltm policies attached to those virtual servers.
- Configuration load: manually using the command tmsh load sys conf, or automatically by an upgrade or full config-sync.

Impact:
LTM policies get incrementally added to virtual servers as the policies are compiled, causing unexpected traffic handling decisions based on other policies.

Workaround:
Do not run tmsh load sys conf if you have policies configured. After an upgrade or full config-sync issuing a bigstart restart command or restarting the device will fix this condition.

Fix:
LTM policies no longer incorrectly use those of another virtual server

599033-5 : Traffic directed to incorrect instance after network partition is resolved

Component: TMOS

Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the external network.

Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.

Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.

Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.

Fix:
When a network partition is resolved, and an Active/Active high availability pair chooses a single Active node, it now invokes a script that can be used to automatically notify the external network infrastructure of the new location for the virtual service. This new script is located in /config/failover/tgrefresh, and is invoked in addition to the transmission of GARP messages.

598983-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Solution Article: K35520031

598981-3 : APM ACL does not get enforced all the time under certain conditions

Solution Article: K06913155

Component: Access Policy Manager

Symptoms:
APM ACL does not get enforced all the time under certain conditions

Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.

Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.

Fix:
Switching context when applying ACL is properly processed, and no longer cause ACL to be not enforced.

598874-2 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

Fix:
Do not send anything in response to a SYN retransmission timeout.

598860-4 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address

Component: Local Traffic Manager

Symptoms:
The IP::addr iRule can be used to translate an IPv6 address containing an IPv4 address, but instead it converts it into an IPv4 compatible IPv6 address.

Example:
ltm rule test_bug {
when CLIENT_DATA {
log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
}

Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1

Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1

Conditions:
using IP::addr to convert an IPv6 to an IPv4 address

Impact:
Address is converted into an IPv4-compatible IPv6 address.

598854-3 : sipdb tool incorrectly displays persistence records without a pool name

Component: Service Provider

Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool), will not be displayed properly by sipdb

Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.

Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.

Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.

598748 : IPsec AES-GCM IVs are now based on a monotonically increasing counter

Component: TMOS

Symptoms:
IPsec was using random IVs.

With random IVs and shortest packets the complete integrity loss will happen before 8 Gb of data are exchanged over the security association in one direction (assuming probability of collision at 0.1%).

Conditions:
Use of AES-GCM or GMAC in IPsec.

Impact:
The use of random IVs limits the amount of traffic that can be sent with AES-GCM in IPsec.

Workaround:
The workaround is to limit the amount of traffic per above guidelines for long-lived security associations in IPsec.

A re-key before 10 Gbyte of data are exchanged is recommended. For 1 Gbps connection the rekey should happen in under 1 min (100 Mbps -- 15 min, 10 Gbps -- 10 sec).

Fix:
Changed IPsec AES-GCM IV scheme to use a counter-based IV.

This is an improvement that allows maximum amount of traffic to be sent on the same security association for AES-GCM in IPsec.

598724-1 : Abandoned indefinite lifetime SessionDB entries on STANDBY devices.

Component: TMOS

Symptoms:
Memory hold/leak in SessionDB due to poor HA connection. Active device cannot tell the Standby device that an entry has been deleted because of poor HA connection. These entries accumulate on the Standby device, consuming extra memory which is not released.

Conditions:
A poor HA or insufficient connection exists, one that is not capable of handling the required HA traffic between devices.

Impact:
Eventual out-of-memory errors on standby device.

Workaround:
The mitigation steps in ID 555465 apply to this as well:

You can mitigate by temporarily disabling HA:
- Disable session mirroring: tmsh modify sys db statemirror.mirrorsessions value disable
- Wait a minute for HA connections to stabilize
- Sync the config changes
- Reboot the standby
- Re-enable session mirroring: tmsh modify sys db statemirror.mirrorsessions value enable

Fix:
On the Next Active ("Standby") device, SessionDB will remove all Subkey entries that the Next Active did not receive HA (re)mirror messages for during the HA sync that occurs after an HA (re)connect; the Next Active not receiving a (re)mirror for an entry generally indicates that the entry no longer exists on the Active.

598700-6 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers

Component: Service Provider

Symptoms:
Messages received by different virtual servers (sharing the same router) are not able to be properly routed using the call-id persistence.

Conditions:
A router with multiple virtual servers bridging between networks are not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.

Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.

Fix:
Fix corrects problems identifying which end of the bi-directional persistence the message has arrived on so that it can be forwarded to the proper device.

598697-1 : vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★

Component: TMOS

Symptoms:
After installing v12.1.0 on a vCMP host system the guests don't start anymore and remain in "failed" state.

Errors similar to these are logged in the ltm log file:

Jun 10 08:17:22 slot1/VIP4480-R68-S26 crit vcmpd[14354]: 01510003:2: User "qemu" doesn't exist
<..>
Jun 10 08:17:22 slot1/VIP4480-R68-S26 err vcmpd[14354]: 01510004:3: Guest (test-guest): Failure - Error starting VM.
Jun 10 08:17:22 slot1/VIP4480-R68-S26 info vcmpd[14354]: 01510007:6: Guest (test-guest): VS_STARTING->VS_FAILED

Conditions:
Upgrade vCMP host to v12.1.0 or higher
vCMP host system was originally installed with v11.6.0 or older builds.

Impact:
After installing v12.1.0 on a vCMP host system the guest don't start anymore and remain in "failed" state.

Workaround:
Workaround is to run the following command:

useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu

then:

bigstart restart vcmpd

598498-7 : Cannot remove Self IP when an unrelated static ARP entry exists.

Component: TMOS

Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.

Conditions:
Static arp entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. When in this condition, none of the Self IP addresses can be deleted.

Impact:
Must delete static ARP entries in order to delete Self IP addresses.

Workaround:
None.

Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.

598443-1 : Temporary files from TMSH not being cleaned up intermittently.

Component: TMOS

Symptoms:
/var/tmp/tmsh and /var/system/tmp/tmsh can have left over unused directories if there was an abrupt termination wherein TMSH does not get a chance to clean up remaining directories. This script does not automatically run, but instead provides a way for you to manually clean up these scripts. To execute script run bin # ./clean_tmsh_tmp_dirs and follow the prompts.

Conditions:
This can occur if a running task creates a TMSH tmp file, then gets killed before it finishes its clean-up.

Impact:
This can cause the directories /var/tmp/tmsh and /var/system/tmp/tmsh to fill up and cause out of memory exceptions.

Workaround:
Manually delete all unused files in /var/tmp/tmsh and /var/system/tmp/tmsh.

Fix:
The BIG-IP system now contains a command ("clean_tmsh_tmp_dirs") that can be run to clean-up temporary files in /var/system/tmp/tmsh and /var/tmp/tmsh.

598437-1 : SNMP process monitoring is incorrect for tmm and bigd

Component: TMOS

Symptoms:
The default configuration for SNMP process monitoring causes an error of "Too many bigd running", and "No tmm process running".

snmpwalk -c public -v 2c localhost prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
...
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running

Conditions:
Depending on system capacity and configuration, more than one "bigd" process may be running, resulting in the incorrect report of "Too many bigd running".

The system does not properly count instances of the "tmm" process. In older releases, the system always detected a single "tmm" process, even if more than one existed. In the affected releases, no "tmm" process is detected.

Impact:
SNMP monitoring of system health incorrectly reports error conditions.

Workaround:
For the 'bigd' problem, the administrator can change the the process-monitor max-processes to allow for more instances of "bigd". For example:

(tmos)# modify sys snmp process-monitors modify { bigd { max-processes infinity } }

max-processes should be set to the same value as the sys dbvar bigdb.numprocs or "infinity" if the dbvar is set to "0", allowing bigd to dynamically adjust the number of processes.

For tmm process count

(twos)# modify sys snap process-monitors modify { tmm { process tmm.0 max-processes 1 } }

Fix:
The system now correctly counts the number of TMM process instances, which is not the same as the number of TMM threads. but is based on the hardware capabilities.

Existing/upgraded configurations need to manually adjust the bigd 'max-processes' attribute as described in the Mitigation section. New configurations will be configured appropriately.

598294-1 : BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472

Solution Article: K17119920

598211-1 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}

Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.

598134-1 : Stats query may generate an error when tmm on secondary is down

Component: TMOS

Symptoms:
Querying for stats results in an error and further iControl messages are incorrect.

Conditions:
Must be on a chassis. The query must be for stats generated by tmm. A secondary tmm must be down.

Impact:
The iControl session must be restarted.

Workaround:
Ensure all tmms are up and running.

Fix:
The request is handled appropriately even if a tmm is down and no unexpected error is generated.

598110-1 : pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.

Component: Local Traffic Manager

Symptoms:
The pkcs11d daemon shows 'up' when the connections to HSM is not up and the BIG-IP system is not ready to process traffic.

Conditions:
When the connections to HSM is not up and the BIG-IP system is not ready to process traffic.

Impact:
The pkcs11d daemon shows status as 'up'. The traffic will be dropped since the connections to HSM is not up or the BIG-IP system is not ready to process traffic.

Workaround:
There is no workaround.

Fix:
This release fixes the pkcs11d thread session initialization problem.

598052-1 : SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails

Component: Local Traffic Manager

Symptoms:
When enabling the SSL Forward Proxy "Cache Certificate by Addr-Port" on the client SSL profile, later flows on cached certificate lookups by "Addr-Port" do not hit the cache.

Conditions:
Enable SSL Forward Proxy and use "Cache certificate by Addr-Port".

Impact:
The client side certificate lookup failed, it may trigger the server side SSL handshake.

Fix:
With this fix, the certificate lookup by "Addr-Port" may have a cache hit.

598039-6 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.

Fix:
Stopped MCP leaking when wildcard queries are performed.

598002-10 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033

597978-2 : GARPs may be transmitted by active going offline

Component: Local Traffic Manager

Symptoms:
GARPs may be transmitted by the active when going offline. As the standby which takes over for the active will also transmit GARPs, it is not expected that this will cause impact.

Conditions:
Multiple traffic-groups configured and active goes offline.

Impact:
It is not expected that this will cause any impact.

Workaround:
Make the unit standby before forcing offline.

597879-1 : CDG Congestion Control can lead to instability

Component: Local Traffic Manager

Symptoms:
Debug TMM crashes when the TCP congestion window allows an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.

Conditions:
Running the Debug TMM with CDG Congestion Control.

Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.

Workaround:
Use a congestion control algorithm other than CDG.

Switch to the default TMM.

Fix:
Fixed congestion window calculation in CDG.

597835-3 : Branch parameter in inserted VIA header not consistent as per spec

Solution Article: K12228503

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This VIA header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP spec states that all messages in the same transaction should contain the same branch header. The code used to encrypt the branch field returns a different value each time.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.

Impact:
Some servers have code to verify the brach fields in the VIA header do not change within a transaction. These servers complain when they see the fields change.

Workaround:
None.

Fix:
The system now ensures the branch field in the via header does not change.

597828-1 : SSL forward proxy crashes in some cases

Component: Local Traffic Manager

Symptoms:
SSL forward proxy crashes when a check in the state machine is called with something other than a fwdp lookup result

Conditions:
SSL forward proxy is enabled.

Impact:
SSL forward proxy crashes sometimes.

Workaround:
None.

Fix:
Fixed a crash in the SSL forward proxy.

597797-4 : Allow users to disable enforcement of RFC 7057

Solution Article: K78449695

Component: Local Traffic Manager

Symptoms:
When RFC7057 (fallback SCSV) was implemented, some BIG-IP administrators found their SSL clients were incompatible and could no longer connect to the BIG-IP system.

Conditions:
Incompatible SSL clients were not able to connect to the the BIG-IP system.

Impact:
Service disruption.

Workaround:
There is no workaround.

Fix:
When SSL.fallback_SCSV is set to disable, the RFC 7057 implementation will be disabled, though it must be acknowledged that this introduces a security hole when negotiating SSLv3.

Behavior Change:
When RFC7057 was implemented, some BIG-IP administrators found that their SSL clients were incompatible. This change introduces a bigdb variable (SSL.fallback_SCSV) to disable this.

597729-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

597708-4 : Stats are unavailable and vCMP state and status are incorrect

Component: Local Traffic Manager

Symptoms:
Unable to retrieve statistics or statistics are all 0 (zero) when they should not be zero.

This is vCMP related.

Guest virtual-disks always show in-use even when the guest is not in the running state.

When the guest O/S is shut down, the GUI and TMSH do not show accurate information about status.

Conditions:
If a directory is removed from /shared/tmstat/snapshots merged might run at 100% CPU utilization and become unresponsive.

Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.

vCMP guest O/S status is reportedly incorrectly.

Workaround:
If merged has stopped responding, restart the daemon using the following command:

bigstart restart merged

On a chassis with multiple blades or a device with vCMP guests, merged is running on each blade and on each guest. To determine which instance of merged is not responding, ssh to each blade and each vCMP guest, and run the following command to check the CPU utilization of merged:

top -p `pidof merged`

Any merged that has a CPU utilization of over 90% for more than a few seconds is potentially in this state and should be restarted.

To prevent the issue from occurring, disable tmstat snapshots using the following command:

tmsh modify sys db merged.snapshots value false.

Fix:
The merged process no longer becomes unresponsive when a directory is removed from /shared/tmstat/snapshots.

597532-1 : iRule: RADIUS avp command returns a signed integer

Component: Local Traffic Manager

Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.

Conditions:
iRules using RADIUS::avp to retrieve data.

Impact:
iRules using the RADIUS::avp command will not work as expected.

Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:

ltm rule radius_avp_integer {
    when CLIENT_DATA {
                set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
                set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
}
}

Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.

Fix:
Ensure that the system uses unsigned integers for RADIUS AVPs.

597471 : Some Alerts are sent with outdated username value

Component: Fraud Protection Services

Symptoms:
user-defined, components validation and vtrack Alerts are sent with outdated username value

Conditions:
Log in, then log in again with different user (with conditions to generate an alert)

Impact:
Alert is sent with username of the first login

Fix:
Alerts sending is blocked until after parameters processing is done

597431-2 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
EdgeClient doesn't cleanup routing table before windows goes to hibernate. This may result in establishment of VPN when computer wakes up. It may also result in other network connectivity issues

Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation

Impact:
Issues with Network connectivity

Workaround:
Renew DHCP lease by running
ipconfig/renew.

or

reboot the machine.

597394-2 : Improper handling of IP options

Solution Article: K46535047

597309-2 : Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms

Component: TMOS

Symptoms:
The Maximum Members Per Trunk limits is 8 or 16 depending on platform. This is due to

1. The limitation of an SDK from a third party vendor.
2. The number of external interfaces actually provided by the platform.

Conditions:
These platform limits are on the BIG-IP 10000 appliance and B2400, B4300, and B4450 blades.

Impact:
The number of interfaces per trunk is limited to either 8 or 16.

Workaround:
None.

Fix:
New limit of 32 is implemented for the BIG-IP 10000 appliance, and on VIPRION 2400 and VIPRION 4300. New limit 64 is implemented for VIPRION 4450N.

597303 : "tmsh create net trunk" may fail

Component: TMOS

Symptoms:
When a trunk is created with "tmsh create net trunk", with LACP enabled or disabled, the addition of a trunk member may fail. When it fails, there will be log in /var/log/ltm like

Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: bs_trunk_addr_set: unit=0 Invalid parameter bs_trunk.cpp(2406)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: Trouble setting trunk 1, unit 0 bs_trunk.cpp(2591)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: SDK error Invalid parameter bs_trunk.cpp(2592)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble setting trunk: unit=0, trunk=testTrunk bs_trunk.cpp(1886)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble adding interface to trunk=testTrunk bsx.c(3109)

Conditions:
The problem tends to happen when a trunk is created right after it is deleted. If you wait for over 30 seconds, it is unlikely to happen.

Impact:
A trunk can't be created, and no trunk members can be added.

Workaround:
Wait for over 30 seconds before adding back the same trunk.

Fix:
A fix is already staged, and may show up in a hot fix later.

597270-2 : tcpdump support missing for VXLAN-GPE NSH

Component: TMOS

Symptoms:
The tcpdump utility does not support VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).

Conditions:
Running tcpdump on BIG-IP systems.

Impact:
No support for VXLAN-GPE NSH.

Workaround:
None.

Fix:
tcpdump now has support for VXLAN-GPE NSH.

Behavior Change:
tcpdump now has support for VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).

597214-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
It is possible to use iRule to rename field names in original code.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.

597176-1 : Multiple Wireshark (tshark) vulnerabilities

Solution Article: K01837042

597089-8 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
It is not known all of the conditions that trigger this, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.

Workaround:
Disabling the PVA resolves the issue.

597023-1 : NTP vulnerability CVE-2016-4954

Solution Article: K82644737

597010-1 : NTP vulnerability CVE-2016-4955

Solution Article: K03331206

596997-1 : NTP vulnerability CVE-2016-4956

Solution Article: K64505405

596814-4 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where there are multiple coincidences for the provided IP address (corresponding to other Amazon VPCs in the same Availability Zone containing unrelated instances but having the same IP address as the BIG-IP's floating IP address.

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows network description by filtering with VPC id.

596809-1 : It is possible to create ssh rules with blank space for auth-info

Component: Advanced Firewall Manager

Symptoms:
In tmsh it is possible to create profile actions that contain blank spaces, such as in this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Conditions:
This occurs when creating profile actions.

Impact:
Actions can be created with blank spaces in them, you should be receiving a validation error. These rules also cannot be deleted.

Workaround:
Do not create profile actions with blank spaces.

Fix:
BIG-IP will now throw a validation error if you create a profile action containing only a blank space.

596685-1 : Request Log failure on request with XML format violation

Solution Article: K76841626

Component: Application Security Manager

Symptoms:
When Request Log entry with violations for XML format violation is selected, it cannot be displayed and an error is returned.

Conditions:
Request Log entry with violations for XML format violation is selected.

Impact:
Request Log entry cannot be displayed.

Workaround:
None.

Fix:
Requests with XML format violations are now displayed correctly.

596674-2 : High memory usage when using CS features with gzip HTML responses.

Component: Application Visibility and Reporting

Symptoms:
AVR use consumes a lot of memory while trying to decompress responses. This can cause tmm core during stress traffic.

Conditions:
-- Enabled Dosl7d virtual server with CS features.
-- The server is sending compressed responses.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
High memory usage no longer occurs when using CS features with gzip HTML responses.

596631-2 : SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later

Component: Service Provider

Symptoms:
A SIP media flow deny-listener was to have been deleted but an unrelated listener was deleted instead due to an incorrect address/port match.

For example, when the wrongly deleted listener is later meant to be deleted, there might be a SIGFPE with assertion failure "Assertion "bound listener" failed.".

Conditions:
A SIP MRF media flow existed and was deleted.
An unrelated flow exists with an address/port with wildcards such that it includes that of the media flow.

Impact:
Later when the wrongly deleted listener is referenced, the TMM crashes.

Fix:
When a SIP media flow deny-listener is searched for deletion, an exact match is required that uniquely identifies the deny-listener, so that an unrelated listener is not deleted.

596603-2 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
c4.8xlarge instance type are not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
Issue corrected so that BIG-IP VE will work with c4.8xlarge instance type AWS.

596502-1 : Unable to force Bot Defense action to Allow in iRule

Component: Advanced Firewall Manager

Symptoms:
When a request is being blocked (or challenged with CAPTCHA) due to being a suspicious browser, the action cannot be forced to allow in the iRule

Conditions:
This occurs when a bot defense action is triggered on suspicious browser, and you wish to allow the request to go through anyway and not send a RST.

Impact:
The bot defense action cannot be forced to "allow", the RST will still be sent.

596488-1 : GraphicsMagick vulnerability CVE-2016-5118.

Solution Article: K82747025

596450-1 : TMM may produce a core file after updating SSL session ticket key

Component: Local Traffic Manager

Symptoms:
When regenerating SSL session ticket key, TMM may restart unexpectedly, leaving a core file.

Conditions:
When the value of ssl.sessionticketkey.regen is reached (every 3 days by default), TMM will regenerate its SSL session ticket key. This operation may lead to an assert: "shared random data inited".

Impact:
TMM core and restart.

Workaround:
None.

Fix:
Resolved a problem that could cause TMM to restart when regenerating the SSL session ticket key

596433-3 : Virtual with lasthop configured rejects request with no route to client.

Component: Local Traffic Manager

Symptoms:
Virtual with lasthop pool configured rejects requests which are sourced from MAC address which is not configured in the lasthop pool.

Conditions:
This issue occurs when the following conditions are meet:

- Virtual with lasthop pool.
- Connection sourced from MAC address which is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.

Impact:
Connection is erroneously reset with no route to client.

Workaround:
- Change tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add IP address for lasthop member which client is originating from to lasthop pool.

596340-8 : F5 TLS vulnerability CVE-2016-9244

Solution Article: K05121675

596242-1 : [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record

Solution Article: K17065223

Component: Local Traffic Manager

Symptoms:
Improperly configured master name server for one zone prevents updates to other, properly configured zones
from propagating to tmm, thus making DNS Express respond with an old record.

Conditions:
Incorrectly configured DNS zone that cannot get updates correctly.

Impact:
DNS Express responds with previous record after zone transfer.

Workaround:
Correct the configuration on the incorrectly configured zone.

Fix:
DNS Express now responds with current record after zone transfer.

596116-3 : LDAP Query does not resolve group membership, when required attribute(s) specified

Component: Access Policy Manager

Symptoms:
Corresponding session variable session.ldap.last.memberOf contains only the groups user has explicit membership.

Conditions:
This occurs when the following conditions are met:
-- When APM LDAP Query is configured with option "Fetch groups to which the user or group belong" is set to "All".
-- The Required Attribute includes the "memberOf" LDAP attribute.

Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.

Workaround:
Add the following attribute to the "Required Attributes" list:

"objectClass"

If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:

"primaryGroupID"

Note: Adding the "primaryGroupID" attribute will cause APM to fetch all groups Microsoft Active Directory, including the primary group.

Fix:
LDAP Query now retrieves groups from the backend server in accordance with option "fetch groups to which the user or group belong". it doesn't matter if any required attribute set or not set.

596104-1 : HA trunk unavailable for vCMP guest★

Solution Article: K84539934

Component: TMOS

Symptoms:
If a vCMP guest is configured with a high availability (HA) trunk with a threshold value greater than 0, the HA trunk configuration fails with a message similar to the following:

err mcpd[5926]: 01071569:3: Ha group ha_group threshold for trunk _your_trunk_name_here_ 1 is greater than the maximum number of members 0.

Conditions:
This occurs when an HA trunk is configured a vCMP guest, with a threshold value greater than 0. This may occur by any of the following means:
1) Attempting to upgrade a guest to an affected version of BIG-IP, with an HA trunk configured with a threshold value greater than 0. The upgrade fails with the indicated error message.
2) Attempting to load a UCS from a guest with an HA trunk configured with a threshold value greater than 0. The UCS load fails with the indicated error message.
3) Creating an HA group and then attempting to modify the threshold value for the HA trunk. The modify command fails with the indicated error message.

Impact:
HA trunks do not work.
You cannot upgrade the vCMP guest to an affected version of BIG-IP or load a configuration with an HA trunk configured with a threshold value greater than 0.

Workaround:
To allow the upgrade to succeed or the configuration to load, configure the HA trunk threshold to 0.

Important! This disables the HA trunk feature.

Fix:
HA trunks with a threshold value greater than 0 are supported on vCMP guests.

596083-1 : Error running custom APM Reports with "session creation time" on Viprion Platform

Component: Access Policy Manager

Symptoms:
Error is encountered when running custom APM Reports with "session creation time" on Viprion Platform

Conditions:
- On Viprion platform
- Create a APM custom report
- Select "Session creation time" field
- Run the report

Impact:
Won't be able to run custom APM report on Viprion platform

596067-2 : GUI on VIPRION hangs on secondary blade reboot

Component: TMOS

Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.

Conditions:
It is not known exactly triggers this as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) has not fully started will trigger this condition.

Impact:
GUI becomes unresponsive

Workaround:
bigstart restart httpd will clear this condition if it occurs.

595900-4 : Cookie Signature overrides may be ignored after Signature Update

Solution Article: K11833633

Component: Application Security Manager

Symptoms:
Cookie Signature overrides may be ignored after Attack Signature Update.

Conditions:
Cookie Signature overrides are configured in the policy, and Attack Signatures are updated.

Impact:
Cookie Signature overrides are ignored.

Workaround:
Remove Cookie Signature override and re-add it.

Fix:
Cookie Signature overrides are observed correctly, even after Signature Update.

595819-1 : Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,

Component: Access Policy Manager

Symptoms:
Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a HTTP/2 enabled browser and HTTP/2 profile attached.

Conditions:
This occurs when the following conditions are met:
- An HTTP/2 enabled browser is in use.
- APM and HTTP/2 are enabled on the same virtual.

Impact:
APM statistics for bytes in and out are not updated.

Workaround:
None.

Fix:
Access session 'Bytes In' and 'Bytes Out' are now getting updated when accessed with a http/2 enabled browser and HTTP/2 profile attached,

595783 : Changing console baud rate for B2100, B2150 and B2250 blades does not work

Component: TMOS

Symptoms:
Changing the console baud rate does not take effect and leaves the setting unchanged.

Conditions:
Whenever the console baud rate is changed via tmsh, GUI, or iControl on the VIPRION B2100, B2150 and B2250 blades.

Impact:
Changing the console baud rate causes the front panel display manager to restart and does not actually modify the baud rate.

Workaround:
None.

Fix:
Added needed object to global config map for VIPRION B2100, B2150 and B2250 blades so modify message no longer fail the object lookup.

595773-4 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.

Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.

595712-1 : Not able to add remote user locally

Component: TMOS

Symptoms:
When a user has logged in remotely, using tmsh to add a user with the same name will fail:

01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.

Conditions:
Remote authentication is configured and a remote user has logged in.

Impact:
Changing remote user to local fails.

Workaround:
Use "replace-all-with" for partition access:

create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}

595693 : Incorrect PVA indication on B4450 blade

Component: TMOS

Symptoms:
When you run guishell -c "select HAS_PVA, PVA_VERSION from platform" on a B4450 blade (which includes PVA), the output indicates that it does not have PVA.

Conditions:
This occurs when looking at platform information on B4450 blades.

Impact:
PVA acceleration is not detected properly

Fix:
PVA service is now indicated properly on the B4450 blade.

595605 : Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★

Component: TMOS

Symptoms:
An upgrade to BIG-IP v12.0.0 will fail when all of the following conditions are met:
- AVR provisioned
- Upgrading to v12.0.0 from the following versions :
- 11.6.1

Certain engineering hotfixes are also affected.

Conditions:
The following Engineering Hotfixes are affected.

- 11.6.0-hf5 EHF index 110 (Hotfix-BIGIP-11.6.0.5.110.429-HF5-ENG.iso)
- 11.6.0-hf5 EHF Index 214
- 11.6.0-hf5 EHF index 233
- 11.6.0-hf6 EHF index 240

11.6.1 is also affected.

Impact:
The upgrade to 12.0.0 will succeed but the configuration will fail to load.

This can be detected by running tmsh load sys config verify. You will see the following signature:

Unexpected Error: "Can't load keyword definition (analytics-report.device_group)"

Workaround:
12.1.1 is schema compatible with 11.6.1, so upgrade to 12.1.1 instead.

595394-3 : Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★

Component: TMOS

Symptoms:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.

Conditions:
11.5.x/11.6.x Hourly Billing instances with multiple NICs attached.

Impact:
User might not be able to log-in to the instance.

Workaround:
Rebooting the instance corrects the problem.

Fix:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x works with new Hourly billing licenses.

595293-4 : Deleting GTM links could cause gtm_add to fail on new devices.

Component: Global Traffic Manager (DNS)

Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted

Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Workaround:
None

Fix:
Cleanup all aspects of a GTM link when it is deleted.

595281-1 : TCP Analytics reports huge goodput numbers

Component: Local Traffic Manager

Symptoms:
TCP Analytics reports that 2^32 bytes have been delivered, rather than 0.

Conditions:
When the serverside connection attempt fails.

Impact:
TCP Analytics stats are inaccurate.

Fix:
Handle the failed connection case properly.

595275-5 : Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN

Component: Local Traffic Manager

Symptoms:
Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN when pool goes empty.

Conditions:
This occurs when the configuration contains a pool with only one FQDN pool member.

Impact:
VIP can go briefly RED and offline.

Workaround:
Configuring a fallback static IP node or multiple FQDN pool members removes this risk.

595272-1 : Edge client may show a windows displaying plain text in some cases

Component: Access Policy Manager

Symptoms:
Under captive portal environment, sometimes edge client may show a windows with some plain text content.

Conditions:
Edge client is launched when users machine is inside captive portal network.

Impact:
User may not be able to establish VPN

Workaround:
Authenticate to captive portal using browser and Launch edge client again.

595242-1 : libxml2 vulnerabilities CVE-2016-3705

Solution Article: K54225343

595231-1 : libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705

Solution Article: K54225343

595227-1 : SWG Custom Category: unable to have a URL in multiple custom categories

Component: Access Policy Manager

Symptoms:
When configuring a url in multiple categories you receive a validation error message:
May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (http://172.16.20.1/*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1).

Conditions:
Configuring the same URL in multiple custom categories.

Impact:
Unable to have the same URL in multiple custom categories, and therefore cannot configure the system to have a URL allowed for one group but not for another.

Workaround:
None

Fix:
Validation preventing the configuration of same URL for multiple custom categories has been fixed.

594910-1 : FPS flags no cookie when length check fails

Component: Fraud Protection Services

Symptoms:
You see No Cookie errors for validation errors other than No Cookie.

Conditions:
Malformed component validation cookie

Impact:
No Cookie errors counted when the validation error was not due to No Cookie

Workaround:
No

Fix:
Fixed an issue with No Cookie error counting.

594869-4 : AFM can log DoS attack against the internal mpi interface and not the actual interface

Component: Advanced Firewall Manager

Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.

Conditions:
This can occur in CMP-enabled systems.

Impact:
A valid DoS attack will be misreported

594642-3 : Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Component: Local Traffic Manager

Symptoms:
Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Conditions:
Stream filter is active during low memory situations

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.

594496-1 : PHP Vulnerability CVE-2016-4539

Solution Article: K35240323

594426-2 : Audit forwarding Radius packets may be rejected by Radius server

Component: TMOS

Symptoms:
The Accounting-Request packets are missing two required AVPs (Attribute Value Pair), Acct-Session-ID and Acct-Status-Type. Some Radius servers drop Radius Accounting-Requests which are missing these AVPs.

Conditions:
Configured to use audit forwarding with radius and audit messages are not logged on the Radius server.

Impact:
Unable to log audit messages from BIG-IP using audit forwarding.

594302-1 : Connection hangs when processing large compressed responses from server

Component: Local Traffic Manager

Symptoms:
When large compressed responses are sent by the server, the connection hangs when trying to send decompressed content to the client.

Conditions:
An LTM policy which enforces decompression for responses is attached to the virtual server. The virtual server also has http compression profile attached to it. Server sends large compressed responses.

Impact:
Connection hangs when trying to process the compressed response in order to send decompressed content to client.

Fix:
The large compressed responses are successfully processed and no connection hangs are seen.

594288-1 : Access profile configured with SWG Transparent results in memory leak.

Component: Access Policy Manager

Symptoms:
Access profile configured with SWG Transparent results in memory leak.

Conditions:
Create an access profile of type SWG Transparent, and assign to a virtual. Run traffic through this virtual.

Impact:
TMM leaks memory.

Workaround:
None

Fix:
Fixed the memory leak caused by access filter for SWG transparent use case.

594127-2 : Pages using Angular may hang when Websafe is enabled

Component: Fraud Protection Services

Symptoms:
Pages using angular may not load correctly when Websafe "inject Javascript into page" is enabled

Conditions:
Application using Angular.js
Websafe: "inject Javascript into page" is enabled

Impact:
Page does not load fully

Fix:
Websafe no longer changes the page's "documentMode"

594075-2 : Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically

Component: Advanced Firewall Manager

Symptoms:
With pccd.alwaysfromscratch set to true, the blob doesn't compile and pccd restarts periodically when firewall rules are modified.

Conditions:
1. pccd.alwaysfromscratch is set to true (default value is false)
2. Modify some firewall rules.

Impact:
The blob doesn't compile and pccd keeps restarting without loading new rules.

Workaround:
Remove saved blob files in /var/pktclass/ (rm -f /var/pktclass/*) and restart pccd.

593925-1 : ssh profile should not contain rules that begin and end with spaces (cannot be deleted)

Component: Advanced Firewall Manager

Symptoms:
When attempting to delete a rule for an ssh profile and committing the changes in the GUI, you get an error: "Operation is not supported on property /security/ssh/profile/~Common~ssh-test/rules."

Conditions:
This occurs if you previously created ssh profile rules that contain spaces in them, such as this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Impact:
Unable to delete the rules

Fix:
You can now delete ssh profile rules that contain spaces for the rules.

593696-1 : Sync fails when deleting an ssh profile

Component: Advanced Firewall Manager

Symptoms:
After creating an ssh profile and successfully syncing it to the sync group, you later delete the profile and sync fails with this error on the target device:
"err mcpd[5178]: 01071488:3: Remote transaction for device group /Common/syncme to commit id 6 6285666289815053813 /Common/bigip2.mysite.com 0 failed with error 01071aaf:3: SSH profile: [/Common/ssh1] default actions is required and cannot be removed."

Conditions:
This is triggered when deleting an ssh profile that has been synced in a sync group. Sync group is configured for manual sync. It is not known if automatic sync also exhibits this behavior.

Impact:
Sync fails.

593530-6 : In rare cases, connections may fail to expire

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds.

Conditions:
Any IP (ipother) profile is assigned to virtual server.

Impact:
Connections may linger.

Workaround:
None.

Fix:
Fixed idle initialization error when using Any IP (ipother) profile.

593447-1 : BIG-IP TMM iRules vulnerability CVE-2016-5024

Solution Article: K92859602

593390-4 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.

Component: Local Traffic Manager

Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.

Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.

Impact:
Higher memory usage than necessary.

Workaround:
Always have iRules select profiles using the complete path.

Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path prior to looking it up, so there is no potential of instantiating another version of the profile, so no memory issue occurs.

593355 : FPS may erroneously flag missing cookie

Component: Fraud Protection Services

Symptoms:
You see Missing Cookie errors for validation errors other than Missing Cookie.

Conditions:
Any component validation error.

Impact:
Missing Cookie errors counted when the validation error was not due to Missing Cookie

Workaround:
No.

Fix:
Fixed an issue with Missing Cookie error counting.

593139-9 : glibc vulnerability CVE-2014-9761

Solution Article: K31211252

593137-1 : userDefined property for bot signatures is not shown in REST

Component: TMOS

Symptoms:
The user defined property of the signature is not exposed in iControl REST.

Conditions:
Attempting an iControl REST API call to see a signature.

Impact:
The userDefined field is not shown. Impacts external interfaces interacting with the BIG-IP configuration and expecting to see a field and a value there.

Workaround:
None.

Fix:
The userDefined field exists now and has a true/false values.

593078-1 : CATEGORY::filetype command may cause tmm to crash and restart

Component: Access Policy Manager

Symptoms:
If an iRule command is created using the CATEGORY::filetype command, the tmm may eventually suffer a failure, and restart.

Conditions:
This can occur when using the CATEGORY::filetype iRule under normal operation.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash in CATEGORY::filetype

593070-2 : TMM may crash with multiple IP addresses per session

Component: Policy Enforcement Manager

Symptoms:
TMM crash

Conditions:
A session with multiple IP addresses with PCRF communication for dynamic policy management may have a crash credits to a race condition.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Check for timer expiration prior to processing the timer.

592871-3 : Cavium Nitrox PX/III stuck queue diagnostics missing.

Component: Local Traffic Manager

Symptoms:
Diagnostics tool to investigate rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.

Conditions:
System with Cavium Nitrox PX/III chip(s) which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRIOn B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.

Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.

Workaround:
None.

Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.

592870-2 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing IPsec tunnel interface MTU attribute repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).

592868-3 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If HTML page contains HTML entities in attribute values, rewrite may crash processing this page.

Conditions:
HTML tag like this:
<script src="
" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases HTML entities can be replaced by appropriate characters by iRule.

Fix:
Now rewrite correctly handles HTML entities in attribute values.

592854-1 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.

592784-2 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.

Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.

592731-1 : Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.

Solution Article: K34220124

Component: Local Traffic Manager

Symptoms:
Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.

Conditions:
In case of heavy SSL traffic, Cavium Nitrox SSL hardware accelerator card might need more time than the default interval to complete the encryption or decryption.

Impact:
The /var/log/ltm log contains the following message: Hardware Error(Co-Processor): n3-crypto1 request queue stuck. tmm will be in failure state.

Workaround:
Use tmsh to increase the device.request.timeoutfactor db variable to allow more time for encryption or decryption to complete. For example, to increase device.request.timeoutfactor to 200, run the following command: tmsh modify sys db device.request.timeoutfactor value 200.

Fix:
The default value of device.request.timeoutfactor is now sufficient to allow the Cavium Nitrox SSL hardware accelerator card to complete the encryption or decryption as expected.

592716-1 : BMC timezone value was not being synchronized by BIG-IP

Component: TMOS

Symptoms:
You notice that errors on the LCD have an incorrect timestamp compared to what is reported in BIG-IP

Conditions:
This can occur when running the 12.1.1 base release on the BIG-IP i-Series platforms.

Impact:
Timestamp is reported in the wrong time zone.

Fix:
Fixed an issue with incorrect timestamp reporting on the LCD display

592699-3 : IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance

Component: Local Traffic Manager

Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.

Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.

Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.

Workaround:
Disable TSO for IPv6 at the command line by running the following command: ethtool -K tmm tso off.
Note: This command must be run each time after reboot.

Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.

592682-1 : TCP: connections may stall or be dropped

Component: Local Traffic Manager

Symptoms:
TCP connections stall or get dropped.

Conditions:
Under some network conditions especially with rateshaper enabled TCP connection could stall and ultimately get reset.

Impact:
This usually happens with rateshaper or BWC enabled. Rarely could also happen with very lossy networks.

Fix:
Properly manage re-transmissions after a tail drop by not not doing the exponential back-off. Reset the re-transmit timer for every partial ack received after a tail drop.

592497-1 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.

Component: Local Traffic Manager

Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.

Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.

Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.

Workaround:
None.

Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.

592485 : Linux kernel vulnerability CVE-2015-5157

Solution Article: K17326

592414-4 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Fixed.

592363 : Remove debug output during first boot of VE

Component: TMOS

Symptoms:
There was unneeded debug output during 1st boot of VE on Cloud deployments.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
Extra debug output on 1st boot.

Fix:
Debug output was removed.

592354 : Raw sockets are not enabled on Cloud platforms

Component: TMOS

Symptoms:
Cloud VMs come configured with UNIC driver instead of using raw sockets.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
UNIC is used instead of raw sockets.

Workaround:
Manually disabling unic driver will force raw sockets to be used.

Fix:
Enabled raw sockets by default on Cloud deployments.

592320-5 : ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1

Component: TMOS

Symptoms:
When a fastL4 profile's pva-offload-state set to establish (default is embryonic), the corresponding UDP virtual server using that profile won't offload UDP traffic and causes performance degradation.

Conditions:
This issue is introduced during v12.0.0 development and only impacts v12.1.0 and v12.1.1 releases.
A fastL4 UDP virtual server is using a fastL4 profile that has pva-offload-state set to establish.

Impact:
Performance degradation.

Workaround:
Use default setting for pva-offload-state of embryonic for fastL4 profile.

Fix:
With the fix in 12.1.2 and 13.0.0, ePVA will load UDP traffic when pva-offload-state set to establish.

592274-3 : RAT-Detection alerts sent with incorrect duration details

Component: Fraud Protection Services

Symptoms:
If a remote access trojan (RAT) detection alert is thrown immediately upon initialization, the timestamp of the alert will be incorrect.

Impact:
False positives

Workaround:
n/a

Fix:
When generating RAT Detected alert within 5 seconds from page load, actualCounter in alert details is lower than 5 seconds for example:
"timeToResetCounter":5000,"actualCounter":4296

592113-5 : tmm core on the standby unit with dos vectors configured

Component: Advanced Firewall Manager

Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause core dump

Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured

Impact:
Traffic disrupted while tmm restarts.

592070-5 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied

Component: Policy Enforcement Manager

Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.

Conditions:
DHCP virtual created in a non-local traffic group.

Impact:
Variable sharing in the TCL context will not work.

Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.

Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.

592001-1 : CVE-2016-4073 PHP vulnerabilities

Solution Article: K64412100

591918-2 : ImageMagick vulnerability CVE-2016-3718

Solution Article: K61974123

591908-2 : ImageMagick vulnerability CVE-2016-3717

Solution Article: K29154575

591894-2 : ImageMagick vulnerability CVE-2016-3715

Solution Article: K10550253

591881-1 : ImageMagick vulnerability CVE-2016-3716

Solution Article: K25102203

591840-1 : encryption_key in access config is NULL in whitelist

Component: Access Policy Manager

Symptoms:
encryption_key in access config is NULL sometime when applying 404 whitelist action and will result in TMM crash.

Conditions:
All the following must be true:
- Access policy action resulted in a "not found".
- The session corresponding to above action must be expired.
- FIPS platform.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Data required to serve a "not found" action is retrieved and made available early so that such responses can be served correctly.

591828-4 : For unmatched connection, TCP RST may not be sent for data packet

Component: Advanced Firewall Manager

Symptoms:
When TCP connection times out (no entry in 'show sys conn'), and subsequent data packet comes in (not SYN), The BIG-IP system does not send a RST to the client to reset the connection.

Conditions:
This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning).

-- Packets other than SYN with no entry in the connection table arrive.

This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.

Impact:
Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.

Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.

Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).

Fix:
The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.

591806-8 : ImageMagick vulnerability CVE-2016-3714

Solution Article: K03151140

591767-8 : NTP vulnerability CVE-2016-1547

Solution Article: K11251130

591733-4 : Save on Auto-Sync is missing from the configuration utility.

Solution Article: K83175883

Component: TMOS

Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.

Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.

Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.

Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.

Fix:
This release adds per-device-group save_on_auto_sync flag to GUI: flag now shows in GUI and correctly saves.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.

Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".

591666-3 : TMM crash in DNS processing on TCP virtual with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Product corrected to prevent crash when there are no available members.

591659-5 : Server shutdown is propagated to client after X-Cnection: close transformation.

Solution Article: K47203554

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.

Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.

591590-1 : APM policy sync results are not persisted on target devices

Component: Access Policy Manager

Symptoms:
Policy sync results, including profile, sync folder, new partition, statuses, history are not persisted on target devices after sync, when there is no LSO resolution.

Conditions:
1. Create an APM policy with no LSO to resolve, or have an APM policy that has LSO resolved by the previous sync.
2. Start a policy sync.

Impact:
Sync results including the policy profiles are not persisted, so when the BIG-IP system restarts, all the sync data will be lost.

Workaround:
Run tmsh command to save config:

tmsh save sys config

Fix:
Policy sync result will be persisted on target devices so even when those devices restart, the data will still be there.

591495-2 : VCMP guests sflow agent can crash due to duplicate vlan interface indices

Component: TMOS

Symptoms:
When a VCMP guest uses sflow, the sflow agent will crash when it tries to add a row to its internal data structure and finds the key already exists for some other entry.

Conditions:
This issue can occur on systems with VCMP guests, its occurrence is is more likely with a higher number of cores.

Impact:
sflow agent will crash.

Fix:
Make sure the allocated interface index for a vlan is not already taken by another interface object.

591476-7 : Stuck crypto queue can erroneously be reported

Solution Article: K53220379

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck.

Conditions:
-- Running on one of the following platforms:
+ BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx
+ VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:

tmsh modify sys db crypto.queue.timeout value 0

Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.

591455-7 : NTP vulnerability CVE-2016-2516

Solution Article: K24613253

591447-1 : PHP vulnerability CVE-2016-4070

Solution Article: K42065024

591438-7 : PHP vulnerability CVE-2015-8865

Solution Article: K54924436

591358-1 : Oracle Java SE vulnerability CVE-2016-3425

Solution Article: K81223200

591343-5 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.

Solution Article: K03842525

Component: Local Traffic Manager

Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.

Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.

Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.

Workaround:
None.

Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.

591328-7 : OpenSSL vulnerability CVE-2016-2106

Solution Article: K36488941

591325-8 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109

Solution Article: K75152412

591268-1 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions

Component: Access Policy Manager

Symptoms:
VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions, it depends on client machine configuration. Symptom: negative record in windows DNS cache, can be verified by running ipconfig /displaydns

Conditions:
Specific client machine configuration

Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue

Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service

Fix:
Now DNS Relay proxy service cleans up DNS cache after initialization mitigating issue described

591261 : BIG-IP VPR-B4450N shows "unknown" SNMP Object ID

Component: TMOS

Symptoms:
The BIG-IP VPR-B4450N blade does not show the correct Object ID for SNMP. An SNMP query will return "unknown".

Conditions:
This issue may occur on VIPRION B4450N blades running affected versions of BIG-IP software.

Impact:
Some network management applications may complain and fail.

Workaround:
None.

Fix:
A new SNMP Object ID is added to TMOS v12.1.1 for VPR-B4450N.

591246-1 : Unable to launch View HTML5 connections in non-zero route domain virtual servers

Component: Access Policy Manager

Symptoms:
Currently APM always attempts to uze the RTDom 0 when VMware View HTML5 client is launched.

This doesn't work with the virtual servers in non-zero route domains.

Conditions:
APM configured as a PCoIP proxy on a VS in non-zero route domain.

Impact:
You cannot use virtuals in non-zero route domains if they need VMware View HTML5 client functionality

Fix:
APM now uses the proper route domain from the virtual server to handle VMware View HTML5 client connections.

591139 : TMM QAT segfault after zlib/QAT compression conflation.

Component: Local Traffic Manager

Symptoms:
TMM can segfault during prolonged mixture of software and hardware accelerated compression.

Conditions:
Continuous and prolonged mixture of software and hardware accelerated compression.

Impact:
TMM segfaults.

Workaround:
Disable hardware accelerated compression with:

tmsh modify sys db compression.strategy value speed

Fix:
TMM QAT compression added pointer-hardening for compression context.

591119 : OOM with session messaging may result in TMM crash

Component: TMOS

Symptoms:
Under out of memory conditions, session messaging may not initialize storage correctly, resulting in a later TMM crash.

Conditions:
Under out of memory conditions, memory allocation for session messaging fails, and storage is not initialized correctly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce load on box in order to avoid OOM conditions.

Fix:
Initialize storage on memory allocation failure.

591117-3 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM send queries regarding assigned ACL information. If the reply message contains error message of out-of-memory, TMM was not handling this error message properly, and cause TMM to core.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.

Fix:
When handling the error reply message of out-of-memory during ACL construction, TMM can handle it without causing TMM to crash.

591104-1 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configs when ASE OSPF debugging enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.

Fix:
ospfd no longer crashes when debugging is enabled in imish.

591042-17 : OpenSSL vulnerabilities

Solution Article: K23230229

591039 : DHCP lease is saved on the Custom AMI used for auto-scaling VE

Component: TMOS

Symptoms:
When configuring the instance for auto-scaling purpose and subsequently generating the Custom/Model AMI that is used for autoscaling VEs, the new instances generated from this image, might have the old DHCP lease acquired by the custom instance before an AMI was generated from it. This can collide with the new lease that the new instances get in their boot-up.

Conditions:
This occurs when Auto-scaling VEs.

Impact:
Multiple valid DHClient leases exist, which could result dhclient in BIG-IP choosing wrong IP address for the management interface.

Workaround:
Delete the /var/lib/dhclient/dhclient.leases before shutting down the custom instance and generating a Custom/Model AMI out of it.

Fix:
Auto-scaling AMI will no longer contain a DHCP lease when they are saved.

590993 : Unable to load configs from /usr/libexec/aws/.

Component: TMOS

Symptoms:
In 12.1.0, a new tmsh object 'sys global-settings file-whitelist-path-prefix' controls the path from which config can be loaded. To be allowed as a config storage location, the path must exist in file-whitelist-path-prefix. Because /usr/libexec/ is not part of the path, loading auto-scaling and CloudWatch iCall configuration files from /usr/libexec/aws/ fails.

Conditions:
The issue occurs with AWS auto-scaling- and CloudWatch-related configuration files in TMOS v12.1.0.

Impact:
AWS auto-scaling-related automation and CloudFormation Templates (CFTs) for deploying BIG-IP will not work because 'sys global-settings file-whitelist-path-prefix' disallows /usr/libexec/aws/ is disallowed as legitimate config location.

Workaround:
To work around this, add /usr/libexec/aws/ into the 'sys global-settings file-whitelist-path-prefix'. To do so, run the following tmsh command:

tmsh modify sys global-settings file-whitelist-path-prefix "{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/libexec/aws}".

Fix:
Starting in 12.1.0-HF1, F5 Networks has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:

The new locations for these config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.

Behavior Change:
Starting in 12.1.0-HF1, the system has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:

The new locations for these config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.

590992-3 : If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working

Component: Access Policy Manager

Symptoms:
- If an IP address on an interface changes after the connection to APM is established, DNS resolution stops working if the DNS on that adapter has not changed.
- DNS resolution stops working until DNS relay proxy service is restarted or stopped.

Conditions:
- Using Microsoft Windows version 10.
- Split tunneling configuration with split DNS scope.
- IP address on the network adapter changes after the connection to APM is established, but the DNS on that adapter remains unchanged.
- This might also occur when adapter 1 goes down and adapter 2 with same DNS as adapter 1 comes up.

Impact:
DNS resolution stops working until DNS relay proxy is stopped or restarted.

Workaround:
Stop or restart DNS relay proxy.

Fix:
This issue has been fixed.

590938-3 : The CMI rsync daemon may fail to start

Component: TMOS

Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.

Conditions:
The rsync daemon failed unexpectedly.

Impact:
Sync of file objects will fail with an error like this:

01070712:3: Caught configuration exception (0), Failed to sync files...

Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.

590904-1 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both device in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.

Fix:
After creating the sync-failover group with without network failover configured, but a serial failover cable installed, one of the devices becomes Standby and the other remains Active.

590840-2 : OpenSSH vulnerability CVE-2015-8325

Solution Article: K20911042

590820-3 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.

Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.

590805-4 : Active Rules page displays a different time zone.

Component: Advanced Firewall Manager

Symptoms:
Active Rules page displays a different time zone.

Conditions:
When Active Rules page is loaded after the BIG-IP system timezone has changed.

Impact:
GUI shows incorrect timezone.

Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.

Fix:
Active Rules page now shows the correct timezone after the BIG-IP system timezone has changed.

590795-1 : tmm crash when loading default signatures or updating classification signature★

Component: Traffic Classification Engine

Symptoms:
When upgrading classification signatures or downgrading to the default signatures, tmm will crash.

Conditions:
This occurs when loading updated classification signatures on versions 12.1.0 and 12.1.1.

Impact:
tmm will crash during the load. Traffic disrupted while tmm restarts.

Fix:
Fixed a crash when loading classification signatures.

590779 : Rest API - log profile in json return does not include the partition but needs to

Component: TMOS

Symptoms:
When querying the log profile via the Rest API, the returned response does not include the partition name in FullPath.

For example, for a log profile named mySample:
https://bigip_ip/mgmt/tm/security/log/profile/~Common~mySample/application/mySample

The JSON returned will contain
"fullPath": "testProfile",
It should contain
"fullPath": "/Common/testProfile",

This can cause BIG-IQ to fail to sync.

Conditions:
Log profile created. This is most visible when using BIG-IQ to sync.

Impact:
Applications relying on the folder path can fail

Fix:
The Rest API will now provide the full path to the log profile.

590608-1 : Alert is not redirected to alert server when unseal fails

Component: Fraud Protection Services

Symptoms:
Alert is not redirected to the alert server when unseal fails and iRule is enabled.

Conditions:
1. Unsealing alert failure.
2. iRule enabled.

Impact:
Alert is not redirected to the alert server and FPS returns 404 response.

Workaround:
Disable iRule.

Fix:
FPS now correctly redirects the alert.

590601-2 : BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed

Component: Access Policy Manager

Symptoms:
After end-user successfully performs SP initiated SAML SSO with a original request URI other then "/", SP will redirect user back to '/' as landing URI.

Conditions:
BIG-IP is used as SAML SP and no relay state is configured on either SP or IdP

Impact:
User is not redirected to original request URI.

Workaround:
Workaround provided below works when first client request to BIG-IP as SP is 'GET'. This workaround is not applicable when first client request is 'POST'.

SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri}

After successful authentication, end-user will be redirected to the landing URI (reflected back by IdP in the relay-state).

Fix:
SAML SSO requests will now be redirected to the original request URI.

590578-4 : False positive "URL error" alerts on URLs with GET parameters

Component: Fraud Protection Services

Symptoms:
False-positive URL Error alerts are sometimes generated on URLs with GET parameters.

Conditions:
Use of URLs with GET parameters.

Impact:
Unwanted alerts in alert server.

Workaround:
None

Fix:
Hash calculation is done on slightly different URL inputs, causing mismatch.

590428-1 : The "ACCESS::session create" iRule command does not work

Component: Access Policy Manager

Symptoms:
When the "ACCESS::session create" iRule command is used with an APM virtual, the command does not resume properly and causing the sessions to disconnect/hang.

Conditions:
APM virtual configured with an iRule that includes "ACCESS::session create" iRule command.

Impact:
APM virtual won't function correctly.

Workaround:
The "ACCESS::session create" iRule command should be removed from the iRule attached to the virtual.

Fix:
Updated the session DB calls to include req_id parameter so that the TCL context gets updated/saved and used upon resume.

590345-1 : ACCESS policy running iRule event agent intermittently hangs

Component: Access Policy Manager

Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.

Conditions:
iRule event agent is configured.
iRule uses ACCESS_POLICY_EVENT_AGENT event
Within this event, ACCESS::policy agent_id command is used.

Impact:
Policy execution intermittently hangs.

Workaround:
Please use this command:
ACCESS::session data get {session.custom_event.id}

Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.

590211-2 : jitterentropy-rngd quietly fails to start

Component: TMOS

Symptoms:
If jitterentropy-rngd fails to start, it does so quietly during system start, causing init.d script [ OK ] when it should be [ FAILED ].

This can cause the system to hang indefinitely at boot time at the following step (the key name may vary, depending on what needs to be generated):

Generating /var/named/config/rndc.key ( 09:08:10 ) ...

Similarly, if jitterentropy-rngd fails to start but there are no keys to be generated at boot time, the system will boot successfully. However, the genkeys and genkeys-1024 processes invoked by crontab every hour might hang.

Conditions:
This can occur on any BIG-IP system if jitterentropy-rngd fails to start. The issue has been observed chiefly on vCMP guests running on VIPRION B21x0 blades.

Impact:
1) The system may fail to boot (user intervention will be required at this point to recover the system).

2) As crontab invokes the genkeys and genkeys-1024 processes every hour, these may start but never terminate (any hung processes might eventually cause increased memory and CPU utilization, potentially leading to unpredictable system failures).

Fix:
jitterentropy-rngd now starts up as expected, so no failures occur.

590122-2 : Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.

Component: Local Traffic Manager

Symptoms:
Standard TLS rollback detection for TLSv1 or earlier clients might be too strict for clients that do not comply with RFC 2246 and later. These clients may require 'tls-rollback-bug' option set.

Conditions:
Standard behaviour of TLS clients is to use ClientHello.client_version in pre-master secret (PMS).

Some clients, incorrectly, might use negotiated version in PMS.

Impact:
Failed TLS handshake.

Workaround:
Configure the BIG-IP client SSL profile to include tls-rollback-bug, using a command similar to the following:

create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.

Fix:
Added support for tls-rollback-bug

Behavior Change:
This release provides improved support for "TLS rollback bug workaround" feature described in Managing SSL Traffic :: Configuring workarounds in the LTM documentation on AskF5. ([1] link below). The value is set by existing tls-rollback-bug option, using the command described in [2], below.

This is an existing option.

When this option is enabled in clientssl profile, RSA-only ciphersuites will have relaxed treatment of the version field set by the SSL/TLS client as part of the sequence of bytes encrypted to the server RSA key, called pre-master secret (PMS).

With the option enabled, PMS can contain either ClientHello.client_version, or negotiated version. Standard behaviour of TLS clients is to use ClientHello.client_version in PMS.

[1] https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_ssl_profiles.html.

[2] create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.

590074-1 : Wrong value for TCP connections closed measure

Component: Application Visibility and Reporting

Symptoms:
In TCP analytics, the measure 'connections closed' displays the wrong value.

Conditions:
TMM_API debug enabled.

Impact:
Wrong value displayed.

Workaround:
Do not turn on debug printing.

Fix:
Memory corruption found and fixed. All debug printing organized together at the beginning of the function.

589661 : PS2 power supply status incorrect after removal

Component: TMOS

Symptoms:
After removing the second power supply (PS2), running system_check indicates that the power supply status is still good:

system_check -d | grep power
Chassis power supply 1: status FAN=good; VINPUT=good; VOUTPUT=good; STATUS=good
Chassis power supply 2: status VINPUT=good; VOUTPUT=good; STATUS=not present

Conditions:
This occurs on 10000-series and 12000-series platforms when removing the PS2 power supply and running system_check

Impact:
Erroneous indication that the power supply is still good

Fix:
Power supply status for PS2 is now correctly indicated when the power supply is removed.

589400-1 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.

Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.

589379-2 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

Solution Article: K20937139

Component: TMOS

Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.

Conditions:
OSPF using route health injection for default route.

Impact:
No functional impact. The extraneous LSA is immediately aged out.

Workaround:
Configure a static default route in imish instead of using RHI for the default route.

Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

589318-1 : Clicking 'Customize All' checkbox does not work.

Component: Fraud Protection Services

Symptoms:
Clicking 'Customize All' in Safari browser does not check the checkboxes below, and the settings remain grayed out.

Conditions:
Provision and license FPS.

Impact:
FPS child profile page.

Workaround:
Use tmsh.

Fix:
Clicking 'Customize All' checkbox in Safari browser now checks the checkboxes below and changes the state of the cosponsoring settings.

589256-1 : DNSSEC NSEC3 records with different type bitmap for same name.

Solution Article: K71283501

Component: Global Traffic Manager (DNS)

Symptoms:
For a delegation from a secure zone to an insecure zone, the BIG-IP system returns different type of bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND, if selected as fallback. Without ZSK/KSK for an insecure child zone, BIND responds SOA which the system dynamically signs.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.

Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.

589223-1 : TMM crash and core dump when processing SSL protocol alert.

Component: Local Traffic Manager

Symptoms:
TMM crash and core dump when processing SSL protocol alert.

Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A problem of TMM restarting when processing SSL protocol alert has been fixed.

589083-2 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Solution Article: K46205123

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.

Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.

589006-5 : SSL does not cancel pending sign request before the handshake times out or is canceled.

Component: Local Traffic Manager

Symptoms:
When TMM has many SSL handshake, for ephemeral key, SSL does not sign for ServerKeyExchange message. Then it is possible that sign request is pending on crypto SSL queue. Even the handshake is timeout or canceled, the sign request is still in the queue. This might cause memory accumulation.

Conditions:
When TMM has many SSL handshake, for ephemeral key, SSL should sign for ServerKeyExchange message.

Impact:
Even if the handshake times out or canceled, the sign request is still in the queue. This might cause memory accumulation.

Note: Although this issue was fixed in 11.5.4 HF3, the fix was reverted in 11.5.4 HF4, meaning that the issue is not fixed in 11.5.4 HF4.

Workaround:
None.

Fix:
SSL now cancels sign pending request before it times out or is canceled.

588959-2 : TMM may crash or behave abnormally on a Standby BIG-IP unit

Solution Article: K34453301

Component: Local Traffic Manager

Symptoms:
TMM may crash or behave abnormally on a Standby BIG-IP unit. Memory utilization before the crash can appear to be unusually high.

Conditions:
This is a rare issue, currently known to occur only in WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring. Virtual servers that make use of the standard TCP profile are not affected.

Impact:
The unit is not operational until TMM has finished writing the core file to disk and restarting. If the unit was Active for a different traffic-group, traffic for that traffic-group will be disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes in the rare case of WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring.

588929-2 : SCTP emits 'address conflict detected' log messages during failover

Component: TMOS

Symptoms:
The system may advertise, on the client-side, SCTP alternate addresses that are in a route-domain different from that of the virtual server.

Conditions:
Configuring an SCTP virtual server with alternate-addresses that are not in the correct route domain.

Impact:
No impact to traffic processing. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.

Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.

Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.

588888-3 : Empty URI rewriting is not done as required by browser.

Solution Article: K80124134

Component: Access Policy Manager

Symptoms:
Empty URI must be rewritten at server side and client side rewriter in the same way: as empty URI (all browsers treat this type of URI in a specific way).

Conditions:
A tag with an empty 'src' or 'href' attribute.

Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.

Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.

-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.

Fix:
This release fixes the issue of rewriting the empty URI the same way at the server side and client side: as empty URI (all browsers treat this type of URI in a specific way).

588879-2 : apmd crash under rare conditions with LDAP

Component: Performance

Symptoms:
apmd crashes during periods of high Active Directory (AD) lookups.

Conditions:
-- APM configured to use LDAP.
-- Might be related to stress testing AD queries.

Impact:
apmd crashes, clients unable to connect.

Workaround:
None.

Fix:
apmd no longer crashes during periods of high Active Directory (AD) lookups.

588794-2 : Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements

Component: TMOS

Symptoms:
SCTP alternate addresses may be advertised on the server-side that are in a route-domain that is different from that of the virtual server.

Conditions:
Alternate-addresses are configured on an SCTP virtual server that aren't in the correct route domain.

Impact:
There is no impact to traffic processing. Alternate-addresses will be advertised even though they are not in the correct domain. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.

Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.

Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.

588771-2 : SCTP needs traffic-group validation for server-side client alternate addresses

Component: TMOS

Symptoms:
Addresses may be advertised in an SCTP INIT chunk even though they are not usable by the BIG-IP.

Conditions:
When an SCTP virtual server has server-side-multihoming enabled and the snatpool used by the virtual server contains addresses from other traffic groups, it will advertise all of the addresses from the snatpool in the INIT chunk.

Impact:
Some of the paths advertised in the SCTP association establishment creation process will be unusable. A conformant SCTP implementation on the server-side should test and disregard these paths, causing no impact to traffic.

Fix:
The SCTP filter in BIG-IP has been fixed so that all of the alternate addresses advertised during SCTP association establishment are in the same traffic group as the virtual server. Configured addresses are checked for the correct traffic group membership before being advertised.

588686 : High-speed logging to remote logging node stops sending logs after all logging nodes go down

Component: TMOS

Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stop.

Conditions:
This occurs when all of the configured logging nodes go down. Even when they are brought back up, tmm will not send logs to the remote servers.

Impact:
Remote logging stops and will only resume if tmm is restarted.

588456-3 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).

Solution Article: K60250444

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address, the DHCP server sends the ACK to the renewal packet to the relay agent IP (giaddr) instead of ciaddr. BIG-IP DHCP module does not process the ACK and update the lease time, which causes PEM subscriber session to be aged out.

Conditions:
-- The BIG-IP system is configured in forwarding mode.
-- The giaddr field in the unicast DHCP renewal packet is set to the IP address of relay agent. (Typically, it is set to 0 by the DHCP client.)

Impact:
PEM Subscriber Session will age out.

Workaround:
None.

Fix:
PEM no longer deletes existing PEM Subscriber Sessions after the lease time expires, so the DHCP renewal is now processed.

588405-1 : BADOS - BIG-IP Self-protection during (D)DOS attack

Component: Anomaly Detection Services

Symptoms:
Problem: 100% accurate detection may not help to prevent an attack

It's necessary to protect BIG-IP CPU utilization during attack - for BAD actors (in addition to shunlist) and for unknown IPs.
This mechanism should allow bad actors detection and keep CPU utilization in reasonable limits.

Conditions:
High BIG-IP CPU utilization during (D)DOS attack

Impact:
Service impact due to BIG-IP CPU high utilization

Workaround:
No workaround

Fix:
Added additional CPU protection during a (D)DOS attack

588399-1 : BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated

Component: Anomaly Detection Services

Symptoms:
BIG-IP CPU utilization can be excessively high even after mitigating bad actors.

Conditions:
This can occur when Bad Actor detection is used

Impact:
CPU utilization will be higher than expected.

Fix:
An issue with referencing bad actors that have been detected and affecting CPU utilization has been fixed.

588351-5 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.

588327 : Observe "err bcm56xxd' liked log from /var/log/ltm

Component: TMOS

Symptoms:
Some "err bcm56xxd" log is observed from /var/log/ltm that read "err bcm56xxd[10968]: 012c0012:3: bs_module_do_precond:No preconditioning provided for module on port 3/5.0"

Conditions:
This occurs when during system start.

Impact:
The error is benign and can be ignored.

Fix:
The "No preconditioning provided for module" message is now logged at the info level.

588289-1 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager (DNS)

Symptoms:
GTM re-orders, including the "0" order when adding the pool with specific order designation.

Conditions:
This occurs when adding pools with a specified order.

Impact:
This changes the pool order unexpectedly which will affect Load balancing using global-availability.

588140 : Pool licensing fails in some KVM/OpenStack environments

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ, BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.

588115-1 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.

Conditions:
- Unit configured with a floating self-IP and allow-service != none.
  - More specific route exists via GW to the self-IP.
  - Configured gateway for the overlapping route is unreachable.
  - Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.

Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.

588089-3 : SSL resumed connections may fail during mirroring

Component: Local Traffic Manager

Symptoms:
SSL resumed connections when using SSL mirroring may fail during mirroring. This could result in SSL connections being unable to recover after failover.

Conditions:
Mirroring enabled on virtual with an associated client-ssl profile.

Impact:
SSL connections unable to recover after failover.

Workaround:
Disable session cache to prevent connections from resuming.

588087-1 : Attack prevention isn't escalating under some conditions in session opening mitigation

Component: Application Security Manager

Symptoms:
Attack is detected and isn't escalating in session opening

Conditions:
A session opening attack, challenges are being answered by the attacker.

Impact:
The attack continues.

Workaround:
Configure the attack prevention as rate limit.

Fix:
Fixed attack escalation in some cases on session opening.

588058-3 : False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer

Component: Fraud Protection Services

Symptoms:
Large numbers of "failed to unseal" Source Integrity alerts.

Conditions:
Source integrity feature enabled. Clients using Internet Explorer 8 to 10.

Impact:
High number of false positive alerts in alert dashboard.

Workaround:
Create alert dashboard signature to ignore source integrity alerts containing "failed to unseal" and Internet Explorer 8 to 10 user agent.

Fix:
Fixed parsing in relevant browsers.

588049-1 : Improve detection of browser capabilities

Component: Application Security Manager

Symptoms:
Browsers can override native functions, and manipulate the PBD capabilities test.

Conditions:
1. Proactive Bot defense is on.
2. Attacker override its native functions.

Impact:
Malicious browsers can go undetected by PBD.

Workaround:
N/A

Fix:
Check that majority of browsers native functions are not overridden.

587966-1 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Solution Article: K77283304

Component: Local Traffic Manager

Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
A Type DNS Query dropped intermittently.

Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.

Fix:
Type A requests no longer dropped when A and AAAA DNS Query requested at the same time with the same source IP and Port.

587791-1 : Set execute permission on /var/lib/waagent

Component: TMOS

Symptoms:
Due to recent changes of the build process /var/lib/waagent didn't have proper execute permission set. This caused failure in executing user custom scripts during deploying.

Conditions:
First deployment of VM in Azure, which requires executing custom scripts.

Impact:
Custom scripts cannot be executed.

Workaround:
N/A

Fix:
Properly set execute permissions to /var/lib/waagent directory.

587780 : warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Component: TMOS

Symptoms:
ltm log contains multiple instances of the following message on VIPRION B4450 blades: warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Conditions:
This often happens when VIPRION 4480 or 4800 chassis with B4450 blades is rebooting.

Impact:
No operation impact. This is a cosmetic message that you can safely ignore.

Workaround:
None needed. This message is cosmetic only.

Fix:
A more robust XLMAC recovery mechanism has been implemented which reduces the maximum retries to four. It does not completely eliminate this warning message (HSBe2 XLMAC initial recovery failed after 11 retries), but its frequency is greatly reduced.

587735 : False alarm on LCD indicating bad fan

Component: TMOS

Symptoms:
During some blade power ON conditions, a false alarm message is displayed on the LCD on the chassis bezel.
This alarm indicates that several chassis fans are bad, however in reality the fans are not bad.
Typically, the messages look like this:
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 2: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 3: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 4: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 5: status (0) is bad.

Conditions:
Erroneous fan warnings may occur when a blade is inserted into a VIPRION 4800 chassis.

Impact:
No functional impact. The user may experience concern over the false alarms.

Workaround:
Press green check button on the front of chassis bezel to clear the alarm.

587705-5 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Solution Article: K98547701

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.

Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.

587698-3 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured

Component: TMOS

Symptoms:
bgpd daemon crashes

Conditions:
bgp extended-asm-cap is configured before configuring
ip extcommunity-list standard with rt and soo fields.

Impact:
bgpd daemon crashes leading to route loss and traffic loss.

Fix:
bgpd does not crash when both bgp extended-asm-cap and
ip extcommunity-list standard with rt and soo parameters are configured.

587676-2 : SMB monitor fails due to internal configuration issue

Component: Local Traffic Manager

Symptoms:
SMB monitor fails due to internal configuration issue

Conditions:
Configure the SMB monitor

Impact:
SMB monitor fails to execute

Fix:
Fixed an internal configuration issue so that the SMB monitor will load properly

587668 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.

Component: TMOS

Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.

Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.

Impact:
Cannot clear the alert using the LCD.

Workaround:
Press the checkmark button followed by the left or right arrow buttons.

Fix:
In this release, unneeded LCD updates that might have clogged the message channel have been optimized, and the keypress passed along at a later time, so it is not lost. So pressing the LCD checkmark button now correctly brings up clearing prompt on VIPRION blades.

587656-2 : GTM auto discovery problem with EHF for ID574052

Component: Global Traffic Manager (DNS)

Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Conditions:
After applying EHF9-685.88-ENG

Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Workaround:
Skip to the next Eng HF
v11.4.1-hf10/hotfix/HF10-690.10-ENG

Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.

587629-2 : IP exceptions may have issues with route domain

Component: Application Security Manager

Symptoms:
The IP exception feature doesn't work as expected.

Conditions:
There are many defined same IPs but with different route domain.
There were config changes to these IPs regarding their exception properties.

Impact:
An ignored IP is not ignored etc.

Workaround:
bigstart restart asm

Fix:
Fixed an issue with IPs and route domain.

587617-1 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.

Conditions:
No GTM server object configured with existent selfip.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671

Fix:
gtmd will not core.

587419-1 : TMM may restart when SAML SLO is performed after APM session is closed

Component: Access Policy Manager

Symptoms:
TMM may core when user performs SAML SLO on external to BIG-IP SP/IdP, and BIG-IP's APM session is no longer valid.

Conditions:
- User initiated SAML SLO on external SAML provider, and external provider redirect users to BIG-IP with SLO request.
- User does not have a valid session on BIG-IP when SLO request is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable SAML SLO by removing SLO request/response URLs from configuration

Fix:
TMM will no longer restart in the case described above.

587107-3 : Allow iQuery to negotiate up to version TLS1.2

Component: Global Traffic Manager (DNS)

Symptoms:
big3d accepts only TLS1.0, and gtmd offers only TLS1.0 during iQuery SSL handshake. iQuery does not negotiate up to TLS 1.2.

Conditions:
Establishing iQuery connections.

Impact:
The older, less secure TLS1.0 version is the only possible iQuery connection.

Workaround:
None.

Fix:
big3d now accepts, and gtmd now offers up to, TLS1.2 in iQuery handshakes.

TLS1 and TLS1.1 are still accepted by both ends of the iQuery connection (gtmd and big3d) to enable older clients (gtmd) to connect to newer servers (big3d) and vice versa.

Behavior Change:
big3d now accepts TLS1.2 in iQuery handshakes, and gtmd now offers up to TLS1.2.

587106-1 : Inbound connections are reset prematurely when zombie timeout is configured.

Component: Carrier-Grade NAT

Symptoms:
When an LSN pool is configured in PBA mode with a non-zero zombie timeout, inbound connections are killed and reset prematurely, often in a matter of seconds.

Conditions:
PBA mode configured on the pool, and zombie_timeout set to a non-zero value.

Impact:
Inbound connections to PBA pools with a zombie timeout configured may not be usable.

Workaround:
None.

Fix:
Inbound connections are no longer reset when zombie_timout is configured to a non-zero value.

587077-1 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Solution Article: K37603172

587016-3 : SIP monitor in TLS mode marks pool member down after positive response.

Component: Local Traffic Manager

Symptoms:
SIP monitor in TLS mode marks pool member down after positive response. The SIP monitor in TLS mode is constantly marked down.

Conditions:
SIP monitor configured in TLS mode.
Server does not send close_notify alert in response to the monitor's close_notify request.

Impact:
Unable to monitor the status of the TLS SIP server.

Workaround:
None.

Fix:
SIP monitor in TLS mode now marks pool member up after positive response. This is correct behavior.

586938-1 : Standby device will respond to the ARP of the SCTP multihoming alternate address

Solution Article: K57360106

Component: TMOS

Symptoms:
When there is a SCTP connection established, the router will request the ARP for the client-side multi-homing alternate address, but the standby device will reply to the ARP request as well.

Conditions:
When an SCTP profile has at least one alternate-address configured, and is used in an high availability (HA) scenario, this issue will manifest.

Impact:
Traffic for the alternate-addresses may be directed to the wrong device in an HA group. The multi-homing function will fail as the alternate connection cannot established on the standby device.

Workaround:
Do not use a VLAN address as an alternate address. Use only routed addresses, and route those addresses to the floating Self-IP address of the BIG-IP system.

Fix:
SCTP multihoming has been fixed to work correctly when used in a high availability setup with VLAN addresses

586887-2 : SCTP tmm crash with virtual server destination.

Solution Article: K25883308

Component: TMOS

Symptoms:
Rare configuration with SCTP can cause TMM core.

Conditions:
Complex configurations including wildcards, virtual servers and SCTP profiles.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a rare SCTP tmm crash with virtual server destination when using complex configurations including wildcards, virtual servers and SCTP profiles.

586878-4 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To workaround this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.

586738-4 : The tmm might crash with a segfault.

Component: Local Traffic Manager

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
IPsec is configured with hardware encryption error now returns an error code when appropriate, and manages the error as expected, so tmm no longer crashes with a segfault.

586718-1 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see the following logs: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' with the encrypted password logged

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitution should not be logged, even if it is secure.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.

Fix:
Session variable substitutions are no longer logged.

586587-1 : RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.

Component: Local Traffic Manager

Symptoms:
RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. That results in sending data at higher rates than specified Max Rate.

Conditions:
RTT is less than 6ms.

Impact:
Packet loss might happen (queue overflow) due to sending at higher data rate than the specified max rate.

Workaround:
None.

Fix:
RatePaceMaxRate works as expected, irrespective of latency.

586449-1 : Incorrect error handling in HTTP cookie results in core when TMM runs out of memory

Component: Local Traffic Manager

Symptoms:
If an under provisioned TMM runs out of memory, then this may result in allocation failures. Incorrect error handling of allocation failures in HTTP cookie code results in TMM core.

Conditions:
Cookie persistence with encryption required is enabled on the virtual. If an under provisioned TMM runs out of memory, then this may result in allocation failures.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fix error handling in HTTP cookie code. Allocation errors result in connection resets as opposed to core due to assert.

586412-2 : BGP peer-group members address-family configuration not saved to configuration

Component: TMOS

Symptoms:
Deactivation of the ipv6 address-family for an IPv6 BGP neighbor that is a member of a peer group may be removed when the configuration is reloaded or the system restarts.

Conditions:
IPv6 BGP neighbors in a peer group
Individual group members with different address-family configurations than the peer-group

Impact:
BGP behavior may change after reboot

Workaround:
If a neighbor must have different behavior than other peer group members it can be removed from the peer group and configured individually.

Fix:
BGP address-family configuration is now correctly saved and reloaded for neighbors belonging to a peer-group.

586070 : 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Component: Advanced Firewall Manager

Symptoms:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Conditions:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Impact:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Workaround:
N/A

Fix:
Fixed a typo in GUI

586006-1 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certification revocation check will fail.

Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND
2. At least one DirName type CRLDP is present in the client certification and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certification is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.

585905-1 : Citrix Storefront integration mode with pass-through authentication fails

Component: Access Policy Manager

Symptoms:
Citrix Storefront integration mode with pass-through authentication fails. Client fails with error message saying "Authentication service is not reachable"

Conditions:
Citrix Storefront integration mode with only pass-through authentication enabled on the Storefront.

Impact:
Could not use pass through authentication on the storefront for remote access of the store.

Workaround:
None

Fix:
Passthrough authentication could be used for remote-access of the store.

585833-3 : Qkview will abort if /shared partition has less than 2GB free space

Component: TMOS

Symptoms:
In order to inform the user that the /shared partition needed to be cleaned up, qkview was checking for at least 2GB of free space. This isn't a hard requirement to build a qkview which potentially could use much less than the 2GB limit. Additionally, some F5 VE systems are shipped with less than 2GB in /shared, thus qkviews cannot be produced.

Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.

Impact:
User is unable to create a qkview despite having enough room to build one.

Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/csp/#/article/K14952 for detailed instructions on resizing volumes.

Fix:
A warning about having less than 2GB will still be issued, but the qkview will continue to attempt to finish.

585823-1 : FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)

Component: Advanced Firewall Manager

Symptoms:
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses source address list to match the incoming source address and the source translation object in the rule is configured to do 'dynamic-pat' with mode = deterministic

Conditions:
Following conditions suffice for the issue:

a) FW NAT rule has source translation object of type 'dynamic-pat' and mode = deterministic

AND

b) FW NAT rule has match source address-list only (and no inline source addresses on the match side)

Impact:
Translation failure occurs as described resulting in the connection failures.

Workaround:
If a FW NAT rule has source translation object with dynamic-pat and deterministic mode, the source address(es) on the match side should be specified as inline address(es) instead of specifying the source address-list with such addresses.

Fix:
Fix involves using the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.

585813-3 : SIP monitor with TLS mode fails to find cert and key files.

Component: Local Traffic Manager

Symptoms:
SIP monitor with TLS enabled fails to find cert and key in filestore.

Conditions:
SIP monitor with TLS mode.

Impact:
Cannot create SIP monitor with TLS mode enabled and have the pool correctly checked.

Workaround:
Create an external monitor script to invoke the SIP monitor. Supply the correct arguments to the script.

Fix:
SIP monitor with TLS mode now finds cert and key files, so you can create SIP monitor with TLS mode enabled and have the pool correctly checked.

585807-2 : 'ICAP::method <method>' iRule is documented but is read-only

Component: Service Provider

Symptoms:
'ICAP::method' iRule function is documented as 'ICAP::method <REQMOD|RESPMOD>' which is said to get as well as set (modify) the ICAP method type in the ICAP_REQUEST event. Validation has at times rejected an argument, and at times accepted it. In fact the argument is ignored even if validation accepts it: the method type cannot be changed by the iRule. When validation rejects it, the system posts an error similar to the following: 01070151:3: Rule [/Common/icap_test] error: /Common/icap_test:2: error: [unexpected extra argument "REQMOD"][ICAP::method "REQMOD"]

Conditions:
iRule in ICAP_REQUEST event with 'ICAP::method REQMOD' or 'ICAP::method RESPMOD'.

Impact:
Users may attempt to change the method type. Usually the validator rejects it. In some versions the validator accepts it, but the methods only return the existing method type.

Workaround:
Do not attempt to change the method type with 'ICAP::method <method>'.

Fix:
ICAP::method is now documented as simply 'ICAP::method' with no argument, and it simply returns the current method type 'REQMOD' or 'RESPMOD'.

585745-2 : sod core during upgrade from 10.x to 12.x.

Component: TMOS

Symptoms:
The failover daemon (sod) may core during an upgrade, when the peer device upgrade completes and rejoins the trust.

Conditions:
Upgrading a high availability configuration from 10.x to 12.x or later.

Impact:
Corefile generated, and system will temporarily go offline, resulting in an interruption of service.

Workaround:
Upgrade multiple devices in the high availability configuration from 10.x to a supported 11.x release, and then upgrade to the desired 12.x release.

Fix:
The failover daemon (sod) no longer cores during an upgrade, when the peer device upgrade completes and rejoins the trust.

585654 : Enhanced implementation of AES in Common Criteria mode

Component: Local Traffic Manager

Symptoms:
Common Criteria (CC) mode disallows the use of dedicated BIG-IP accelerator. It can be observed that performance of the BIG-IP in CC mode may not be as fast as benchmarks for some implementations AES on CPU.

Conditions:
Common Criteria (CC) mode is enabled.

Impact:
Lower performance with CBC-based AES ciphersuites.

Fix:
Updated AES implementation may achieve higher performance of CBC-based AES ciphersuites.

585562-3 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari

Component: Access Policy Manager

Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.

Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.

Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.

Workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}

Fix:
VMware View HTML5 client shipped with Horizon 7 now work sthrough BIG-IP APM in Chrome/Safari.

585547-1 : NTP configuration items are no longer collected by qkview★

Solution Article: K58243048

Component: TMOS

Symptoms:
qkview was collecting the file "/etc/ntp/keys" which in some cases, contains secret keys used for integrity verification of NTP messages.

Conditions:
Execute qkview to collect diagnostic information.

Impact:
Possibility for keys to be exposed.

Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.

Fix:
With this release, qkview no longer collects this file.

585485-3 : inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system

Component: TMOS

Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.

The BIG-IP system sends and expect messages with two SPI's inside.

Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor may experience this. Azure and Cisco ASA are two such vendors.

Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.

Workaround:
Delete the outbound SA from the BIG-IP using the tmsh command by specifying the related SA:

(tmos)# delete net ipsec ipsec-sa ?
Properties:
  "{" Optional delimiter
  dst-addr Specifies the destination address of the security associations
  spi Specifies the SPI of the security associations
  src-addr Specifies the source address of the security associations
  traffic-selector Specifies the name of the traffic selector

Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.

585442-2 : Provisioning APM to "none" creates a core file

Component: Access Policy Manager

Symptoms:
Provisioning APM level to "none" may result in apmd creating a core file.

Conditions:
When the APM service is shut down, the apmd daemon may create a core file.

Impact:
Harmless

Workaround:
There is no loss in functionality.

585424-1 : Mozilla NSS vulnerability CVE-2016-1979

Solution Article: K20145801

585412-4 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset-cause of Out of memory' and the email will not be delivered.

Workaround:
None.

Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.

585352-2 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI

Component: Application Security Manager

Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the self-link in the iControl REST API

Conditions:
Update brute force settings in GUI

Impact:
Unique record part updated

Workaround:
Update brute force settings using the REST API

Fix:
GUI is not changing rest_uuid when brute force settings are updated

585332 : Virtual Edition network settings aren't pinned correctly on startup★

Component: TMOS

Symptoms:
You notice unusually high CPU utilization on Virtual Edition after upgrading to 12.1.0 when compared to a previous release (such as version 11.6.1).

Conditions:
This occurs after upgrading to 12.1.0. In Virtual Edition version 12.1.0, there is an issue where network interface IRQs don't get pinned correctly at startup.

Impact:
Since CPU0 is unusually high compared to previous releases, upgrading could put Virtual Edition into an overloaded state.

Workaround:
bigstart restart tmm will start the network interfaces and pin them to the right IRQ.

Fix:
Fixed an issue where interfaces and their IRQs were not configured correctly during system boot.

585120-1 : Memory leak in bd under rare scenario

Component: Application Security Manager

Symptoms:
Under high traffic, bd may leak memory and cause an ASM restart under certain rare conditions

Conditions:
ASM enabled and under high traffic

Impact:
Causes traffic abort while restart is happening. High swap and memory.

Workaround:
None.

Fix:
A memory leak in the bd was fixed.

585097-1 : Traffic Group score formula does not result in unique values.

Component: TMOS

Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.

Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.

The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.

Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.

Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.

Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.

585054-1 : BIG-IP imports delay violations incorrectly, causing wrong policy enforcement

Component: Application Security Manager

Symptoms:
When you import an XML file that contain references to violations in the delay blocking session tracking configuration, extra violations get added to the list.

Conditions:
This occurs when importing delay-type violations in ASM

Impact:
A very large subset of the violations is added to the policy

Fix:
BIG-IP now imports delay-type violations correctly.

584926-1 : Accelerated compression segfault when devices are all in error state.

Component: Local Traffic Manager

Symptoms:
TMM segfaults. Kernel log contains "Uncorrectable Error" and "icp_qa_al err" messages.

Conditions:
All physical or virtual devices concurrently enter error state.

Impact:
Tmm segfaults and restarts. May require a reboot.

Workaround:
Disable QAT compression using tmsh:

tmsh modify sys db compression.strategy value softwareonly

Fix:
TMM QAT compression driver will not fail if all QAT devices concurrently go down.

584921-1 : Inbound connections fail to keep port block alive

Component: Carrier-Grade NAT

Symptoms:
Connections that use a PBA port block should keep the port block from expiring. However inbound connections to a client using a port block will fail to refresh the block, causing the block to expire pre-maturely. An inbound connection can remain active while the port block has been deleted.

Conditions:
An inbound connection with no outbound connections fails to keep a port block alive, resulting in an inbound connection to a client without a corresponding port block.

Impact:
When reverse mapping an inbound connection to a subscriber (e.g. trying to find who was using an ip address/port at a particular time), customers may find no corresponding port block, or a port block belonging to another client when the reverse map is performed at a time when the connection is closed.

Workaround:
When performing a reverse map, customers should use the start time of a connection to determine which port block was in use.

Fix:
Inbound connections properly refresh the port block, preventing premature expiration of the port block.

584865-1 : Primary slot mismatch after primary cluster member leaves and then rejoins the cluster

Component: Local Traffic Manager

Symptoms:
Secondary blades in a Viprion system can disagree about the identity of the Primary blade.

Conditions:
Viprion chassis with 3 or more blades. If the primary is temporarily isolated from the other blades, a new primary will be elected. When the primary rejoins, the non-primary blades do not correctly switch back to the newly re-elected primary.

Impact:
Configuration and status may not be kept properly in sync between blades.

Fix:
Secondary blades properly identify the Primary on changes.

584670 : Output of tmsh show sys crypto master-key

Component: TMOS

Symptoms:
In this release, tmsh show sys crypto master-key has changed and will now display its output as the base 64 encoded form of a SHA512 hash.

Conditions:
You will see this when running tmsh show sys crypto master-key, or f5mku -Z, or f5mku -U

Impact:
None

584661 : Last good master key

Component: TMOS

Symptoms:
When applying a UCS file to a platform that was different from the one the UCS was taken on, for example after RMA, you get a master key decrypt error because the master key is different.

Conditions:
This can occur either when applying a UCS file to an identical platform you received as an RMA exchange, or while performing the platform-migrate command.

Impact:
UCS load fails when extracting a UCS that came from another system.

Fix:
Secure Vault now stores the last good master key, which allows you to set the master key password to be the same as the other device you are importing from, then load the UCS from the other system. If master key decryption fails, the system will load the master key that was in effect before the UCS load was initiated. If that master key matched the master key from the system where the UCS was taken then encrypted attributes in the UCS can be loaded into the configuration.

584655 : platform-migrate won't import password protected master-keys from a 10.2.4 UCS file

Component: TMOS

Symptoms:
If you run the platform-migrate command to migrate from a UCS file generated on a platform running 10.2.4, the password protected master key won't import

Conditions:
You would encounter this when doing platform migration from an older platform running 10.2.4, and using the UCS file from that platform to platform-migrate to 12.1.1. This also only occurs if your 10.2.4 UCS contains secure attributes, such as clientssl or serverssl keys and profiles

Impact:
The platform-migrate command will fail if the 10.2.4 UCS contains a password protected master key.

Fix:
The 12.1.1 release can successfully platform-migrate UCS files from a 10.2.4 configuration if some steps are taken to generate a password protected master key on the 10.2.4 release. Without these steps, this impact exists. The 10.2.4-specific solution https://support.f5.com/csp/#/article/K9420

584642-1 : Apply Policy Failure

Component: Application Security Manager

Symptoms:
Some Policies cannot be successfully applied/activated

Conditions:
Signature overrides on Content Profiles are configured

Impact:
Policy cannot be applied

Workaround:
None.

Fix:
Policies can be successfully applied.

584623-2 : Response to -list iRules command gets truncated when dealing with MX type wide IP

Component: Global Traffic Manager (DNS)

Symptoms:
GTM iRule "members" with the "-list" flag will truncate MX-type WideIP pool members when printed out to a log.

Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.

Impact:
WideIP MX-type pool members are truncated in the log.

Workaround:
None

584583-3 : Timeout error when using the REST API to retrieve large amount of data

Solution Article: K18410170

Component: TMOS

Symptoms:
The Rest API might time out when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API appears as follows: errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET

Conditions:
Configuration containing a large number of GTM pools and pool members (numbering in the thousands).

Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.

Workaround:
There is no workaround at this time.

Fix:
TMSH performance has been improved for this GTM case (improvement ~5-10 times), which is root case for REST failure. Timeout is no longer triggered for this amount of data.

584582-1 : JavaScript: 'baseURI' property may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If generic JavaScript object has 'baseURI' property, it may be handled incorrectly via Portal Access: web application may get 'undefined' value for this property.

Conditions:
User-defined JavaScript object with 'baseURI' property.

Impact:
Web application may work incorrectly.

Workaround:
iRule can be used to remove F5_Deflate_baseURI() calls from rewritten JavaScript code.

Fix:
Now JavaScript objects with 'baseURI' property are handled correctly by Portal Access.

584545-2 : Failure to stabilize internal HiGig link will not trigger failover event

Component: Local Traffic Manager

Symptoms:
The internal HiGig interface potentially and repeatedly report FCS errors or does not become stable in rare cases.

Conditions:
The internal HiGig interfaces experiences FCS or XLMAC link failures.

Impact:
Device is left in a state where it cannot receive or pass traffic or have frame checksum errors.

Workaround:
None.

Fix:
HA failover mechanism is now activated when internal HSB ports on critical data path are consistently unstable.

Behavior Change:
There is a condition in which failures happen on the internal HiGig interfaces on the critical packet path between the HSB and the Broadcom switch, causing traffic interruption. Such failures can be inferred by HSB XLMAC instability or by observing increasing FCS errors. When these HSB XLMAC failures happened in the past, TMOS initiated a recovery mechanism by resetting the HSB MAC interface. However, if the failure persisted even after repeated recovery attempts, TMOS triggered a high availability (HA) failover event to prevent prolonged traffic disruption. The failover triggering condition is set as either the consecutive recovery attempts or consecutive FCS failure events that reach a configurable preset limit. After the HA failover was triggered, the original active unit will still keep trying to recover, and will mark itself ready if the failure condition is no longer observed. The XLMAC reset was existing behavior. The new behavior also applies to FCS failure events.

584471-1 : Priority order of clientssl profile selection of virtual server.

Component: Local Traffic Manager

Symptoms:
When a SSL connection with specified server name is received in a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.

The issue is, based on RFC6125, common name should be used as a 'last resort'. In other words, the third rule should be the second rule.

Conditions:
The issue occurs when all of the following conditions are met.
(1) The incoming SSL request includes SNI (server name) extension in the clienthello, used to specify its desirable SSL server.
(2) The given server name from the client side does not match any server name configured in all the clientssl profiles of the virtual server.
(3) The certificates used by the clientssl profile of the virtual server have subject alternative names (note that every certificate has common name but not necessarily subject alternative names).

Impact:
The virtual server might select a clientssl profile that is not preferred by the client side.

Workaround:
None.

Fix:
Priority order of clientssl profile selection of virtual server. The system now matches the server name using the following rules:

(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the common names of the certificates used by the clientssl profiles.

So the common-name match is last, which is correct according to RFC6125.

584374-2 : iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.

Solution Article: K67622400

Component: Global Traffic Manager (DNS)

Symptoms:
iRule command RESOLV::lookup causes tmm crash when resolving an IP address.

Conditions:
Using the RESOLV::lookup iRule command to resolve an IP address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the RESOLV::lookup command to resolve an IP address.

Fix:
TMM no longer crashes when the iRule command RESOLV::lookup is used.

584373-2 : AD/LDAP resource group mapping table controls are not accessible sometimes

Component: Access Policy Manager

Symptoms:
AD/LDAP resource group mapping
In case of both lengthy group names and resource names edit link and control buttons could disapper under dialogue bounds

Conditions:
very long group names and resource names

Impact:
Impossible to delete and move rows in table - still possible to edit tho.

Workaround:
Spread one assign thru multiple rows

Fix:
Scroll bar is appearing when needed

584310-1 : TCP:Collect ignores the 'skip' parameter when used in serverside events

Solution Article: K83393638

Component: Local Traffic Manager

Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the "skip' argument does not take effect and is ignored. The Collect works, but collects only the length bytes from start.

Conditions:
TCP:Collect on server side events like SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that have happen only with IIS server.

Impact:
TCP:Collect collects bytes without taking into account the skip, so the bytes collected are not the correct ones.

Workaround:
None.

Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.

584213-1 : Transparent HTTP profiles cannot have iRules configured

Component: Local Traffic Manager

Symptoms:
When an HTTP profile is configured in transparent mode, but has a nonexistent iRule attached to it, then tmm will crash.

Conditions:
-- There is iRule.
-- Proxy is transparent.

when HTTP_PROXY_REQUEST {
after 1000
}

-- Change configuration from explicit to transparent while the system is processing in the after command.
-- There is then an attempt to use a configuration that does not exist.

Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.

Workaround:
This is incorrect configuration. Either detach the iRule or configure the profile in a mode other than transparent.

Fix:
Incorrectly configured proxy types from TMOS installations of earlier versions will be corrected at upgrade time. A warning will be logged that describes the change made.

584210-1 : TMM may core when running two simultaneous WebSocket collect commands

Component: Local Traffic Manager

Symptoms:
TMM may core with a SIGFPE when running two or more WebSocket collect commands in parallel.

Conditions:
-- WebSocket profile is attached to the virtual server.
-- Multiple iRules with WebSocket collect commands are attached to the virtual server.

Impact:
TMM may core with a SIGFPE resulting in loss of service.

Workaround:
Behavior is undefined when multiple collect commands are running at the same time. Rewrite iRules to have only one collect command executing at a time.

Fix:
iRule documentation was updated and WebSocket filter state machine was changed to reject multiple collect commands.

584103-2 : FPS periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.

Conditions:
FPS is not provisioned.

Impact:
Errors appears in FPS logs.

584082-3 : BD daemon crashes unexpectedly

Component: Application Security Manager

Symptoms:
bd crashes, with the following log signature immediately before the crash in /var/log/bd.log:

"IO_PLUGIN|ERR |Mar 29 20:48:02.217|17328|plugin_common.c:0085|plugin context doesn't match the argument which was originally set on it".

Conditions:
It is not known exactly what triggers this condition; it can occur intermittently during normal use of ASM.

Impact:
A bd crash, failover, traffic disturbance.

Workaround:
None.

Fix:
Fix a bd crash scenario.

584029-6 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file while processing fragmented packets.

As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- In one of the /var/log/tmm log files, you observe an error message similar to the following example:
notice panic: ../base/flow_fwd.c:255: Assertion "ffwd flag set" failed.
panic: ../net/packet.c:168: Assertion "packet is locked by a driver" failed.

notice ** SIGFPE **

Conditions:
This issue occurs when all of the following conditions are met:

-- The TMM process offloads a fragmented packet by way of an ffwd operation.
-- Your BIG-IP system is under heavy load.

Workaround:
None.

Fix:
Fragmented packets no longer cause tmm to core under heavy load.

583957-6 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during a HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
A HTTP::respond or HTTP::redirect iRule is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.

Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking a HTTP::respond or HTTP::redirect iRule command.

583943-1 : Forward proxy does not work when netHSM is configured on TMM interfaces

Solution Article: K27491104

Component: Local Traffic Manager

Symptoms:
Forward proxy feature does not always work when netHSM is configured on TMM interfaces.

Conditions:
When netHSM device is configured on TMM interface.

Impact:
The forward proxy feature does not work. This is an intermittent issue.

Workaround:
None.

Fix:
Forward proxy now works consistently when netHSM is configured on TMM interfaces.

583936-5 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Fix:
Now properly removing ECMP routes from the routing table.

583754-7 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to confusion.

Workaround:
N/A

583700-3 : tmm core on out of memory

Component: Local Traffic Manager

Symptoms:
tmm memory increases quickly, then crashes on out of memory condition

Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH ciphers.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Cancel ongoing crypto requests when handshake is dropped.

583686-2 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import

Component: Application Security Manager

Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.

Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.

Impact:
Unable to view or edit the policy, and Illegal meta character in value violation is triggered

583678-1 : SSHD session.c vulnerability CVE-2016-3115

Solution Article: K93532943

583631-2 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Component: Local Traffic Manager

Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Impact:
The connection fails. The system might generate an alert.

Workaround:
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the `options' section of the Server SSL Profile.

Fix:
When enabled by setting the db variable, 'SSL.OuterRecordTls1_0,' to, 'enable,' the outer SSL record will always contain TLS1.0. This is the default. You can use this db variable to prevent an issue in older servers that do not support TLS versions later than 1.0, in which an alert might be generated closing the connection.

Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable, 'SSL.OuterRecordTls1_0,' is set to 'enable' the version present in the outer record will be TLS 1.0 regardless of the version in the ClientHello. This is the default.

583516-2 : tmm ASSERT's "valid node" on Active, after timer fire..

Component: TMOS

Symptoms:
TMM crashes on ASSERT's "valid node".

Conditions:
The cause is unknown, and this happens rarely.

Impact:
tmm crash

Workaround:
no

Fix:
TMM no longer asserts on 'valid node'

583475-1 : The BIG-IP may core while recompiling LTM policies

Component: TMOS

Symptoms:
In some rare and still unknown situations the BIG-IP Mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.

Conditions:
Creating or modifying LTM policies.

Impact:
The BIG-IP control plane services restart thus affecting both, control plane and data plane functionality.

Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.

Fix:
Not fixed yet.

583355-1 : The TMM may crash when changing profiles associated with plugins

Component: Local Traffic Manager

Symptoms:
The TMM may crash when changing profiles associated with plugins.

Conditions:
The must be a profile associated with a plugin already on a virtual server and traffic must be running. When the profile is removed or swapped for another, the crash may occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A safe way to definitely avoid a crash is to stop the plugin before making changes to its profile.

583285-5 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

583272-2 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth

Component: Access Policy Manager

Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.

The root cause is that in packet capture, the APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy

Brackets around IPv6 addresses are for raw IPv6 addresses. They are illegal for DNS names that represent an IPv6 address.

Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.

Impact:
Client is unable to authenticate.

Workaround:
None.

Fix:
Clients connecting to an APM access policy with on-demand certificate authentication to an IPv6 virtual server now transmit the client certificate correctly when executing the access policy.

583177 : LCD text truncated by heartbeat icon on VIPRION

Component: TMOS

Symptoms:
while looking at informational text on the first line of the LCD display on a VIPRION, the end of the string is truncated by a heartbeat icon.

Conditions:
This occurs on platforms that display a heartbeat icon on the LCD display.

Impact:
The heartbeat icon is displayed over the last character of the string, this is cosmetic.

Fix:
In this release, longer messages on the LCD are now displayed on multiple lines.

583113-1 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
The following iRule did not work as expected when the access profile had an NTLM auth. The client still received a 407 prompt to enter NTLM credentials.

when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}

Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.

Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.

Workaround:
The following iRule works from HTTP_REQUEST

when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}

Fix:
When ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM configured, then wake up the ECA plugin"

Fix changed the logic to "if NTLM configured and ACCESS filter is not disabled, then wake up the ECA plugin."

583111-1 : BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured

Component: TMOS

Symptoms:
When BGP is configured with 'no bgp default ipv4-unicast,' configuring a peer-group with IPv6 members adds 'neighbor <neighbor> activate' for the IPv6 neighbors under address-family ipv4.

Conditions:
This occurs when the following conditions are met:
-- 'no bgp default ipv4-unicast' is configured in imish.
-- 'neighbor <neighbor> peer-group <peergroup>' is configured.

Impact:
Despite disabling IPv4 unicast for BGP by default, neighbors in the peer group have the IPv4 unicast address family enabled.

Workaround:
Delete the line in the configuration that was automatically added in imish in the 'router bgp' section:
no neighbor <neighbor> activate

Fix:
Configuring IPv6 members of a peer-group when 'no bgp default ipv4-unicast' no longer automatically enables IPv4 unicast for the peer-group members.

583108-1 : Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.

Component: TMOS

Symptoms:
when a neighbor with ipv4 address is disabled in ipv6 address family, show running configuration displays that the neighbor is disabled. However, when we restart or reboot the tmrouted or bgp protocol, the neighbor is enabled again. The configuration persistence is not maintained.

Conditions:
1. disable a neighbor with ipv4 address in ipv6 address family.
2. reboot/restart tmrouted or bgp protocol

Impact:
configuration persistence is not maintained. This impacts the BIGIP upgrades as the configuration loaded is not the same as it was before the upgrade. Similarly, a restart/reboot will also have different configuration loaded than originally used. This might alter the intended behavior of the protocol that the use expects to function.

Workaround:
disable the neighbor again.

Fix:
configuration persistence is maintained for the disabled neighbor with ipv4 address in the ipv6 address family.

583024-1 : TMM restart rarely during startup

Component: Advanced Firewall Manager

Symptoms:
A TMM crashes with a core file during startup. It restarts then correctly.

Conditions:
The system starts up.

Impact:
The system startup takes longer. A core file appears. Traffic is not impacted and a failover usually doesn't occur since the system didn't reach the active state.

Workaround:
None.

Fix:
TMM no longer crashes during startup.

583010-4 : Sending a SIP invite with 'tel' URI fails with a reset

Component: Service Provider

Symptoms:
Using a 'INVITE tel:' URI results in SIP error (Illegal value).

Conditions:
Sending a SIP "INVITE tel:" to the BIG-IP system.

Impact:
'INVITE tel:' messages are not accepted by BIG-IP system.

Workaround:
None.

Fix:
'INVITE tel:' messages are now accepted by BIG-IP system.

582773-5 : DNS server for child zone can continue to resolve domain names after revoked from parent

Component: Global Traffic Manager (DNS)

Symptoms:
See CVE-2012-1192. A domain name in a child server may continue to be resolved by the child server even after the parent server revokes the NS record for the child server.

Conditions:
A steady series of DNS queries for a domain name in the child. The TTL for the domain name A record is shorter than the TTL for the NS record for the child name server. The NS record is removed from the parent server.

Impact:
The revoked child server will still be used by a client after it is revoked.

Workaround:
Restart the TMM to clear out the cache.

Fix:
Do not update the NS record TTL to the value returned from the child server.

582769-1 : WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual

Solution Article: K99405272

Component: Local Traffic Manager

Symptoms:
WebSockets frames are not forwarded with WebSocket profile and ASM enabled on virtual.

Conditions:
Virtual has WebSocket profile attached to it. ASM is enabled on the virtual. WebSockets server replies with a "Connection: upgrade" header. The issue is also seen if multiple header values are present in Connection header.

Impact:
WebSockets frames are not forwarded to the pool member

Workaround:
Use a simple iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 101 } {
        HTTP::header replace "Connection" "Upgrade"
    }
}

Fix:
The system now accepts "Connection: UPGRADE" or "Connection: upgrade" as valid header for WebSocket handshake, and supports a comma-separated list of values for the Connection response header.

582752-3 : Macrocall could be topologically not connected with the rest of policy.★

Component: Access Policy Manager

Symptoms:
It is possible to create macrocall access policy item that:

1. Belongs to policy items list.
2. Correctly connected to ending.
3. Have no incoming rules (i.e., no items pointing at it).

Conditions:
1. Create access policy with macrocall item in one of the branches.
2. Remove the item which refers to this macrocall item from AP

As a result, macrocall item remains.

Impact:
VPE fails to render this access policy.

Workaround:
Delete macrocall access policy item manually using tmsh commands.

Fix:
Any modification of access policy is not allowed if it makes any access policy item non-referenced.
At upgrade time, non-referenced access policy items are deleted. All subsequent access policy items are deleted as well. Resulting access policies can be rendered correctly by VPE. Note that only active configuration is corrected, saved configuration file (/config/bigip.conf) contains uncorrected version until any new configuration changes are done. Active configuration can be saved by explicit tmsh command ('tmsh save sys config partitions all").

582683-2 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A

Fix:
fixing xpath parer -- Restoring namespace declaration each time the xpath parser finishes to parse the document.

582629-1 : User Sessions lookups are not cleared, session stats show marked as invalid

Component: Application Visibility and Reporting

Symptoms:
AVR session statistics may be reported as excessively high, and when the sessions time out they get marked as invalid instead of being removed.

Conditions:
The exact conditions which cause this in a production configuration are unknown, as this was discovered during internal testing.

Impact:
Session statistics will report incorrectly

Fix:
An issue with session statistics not clearing after session timeout has been fixed.

582526-3 : Unable to display and edit huge policies (more than 4000 elements)

Component: Access Policy Manager

Symptoms:
It takes a very long time or is not possible to display huge policies (more than 4000 elements). VPE returns server timeout error or simple halts.

Conditions:
Huge Access Policy, for example, containing 4000 or more elements.

Impact:
Unable to edit policy because VPE times out.

Workaround:
None.

Fix:
VPE loading times for APM policies is greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.

582487-2 : 'merged.method' set to 'slow_merge,' does not update system stats

Solution Article: K22210514

Component: Local Traffic Manager

Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats is not updated and remains zero.

Conditions:
Merged.method is set to slow_merge.

Impact:
System stats such as overall CPU usage remain at zero.

Workaround:
Set Merged.method to fast_merge.

Fix:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats are not updated as expected.

582465-1 : Cannot generate key after SafeNet HSM is rebooted

Component: Local Traffic Manager

Symptoms:
After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key.

Conditions:
The BIG-IP system uses the SafeNet HSM.

Impact:
HSM service is not usable even after restarting pkcs11d. Users must re-authenticate.

Workaround:
To generate a new key, after HSM finishes starting up, run the following commands:

# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>

Or, you can reinstall SafeNet client.

Fix:
After the SafeNet Hardware Security Module (HSM) is restarted, users can now generate a new key.

582374-1 : Multiple 'Loading state for virtual server' messages in admd.log

Component: Anomaly Detection Services

Symptoms:
When a dosl7d profile is configured on a BIG-IP that's in a device group and the BIG-IP is set to "Forced Offline" in the Device Management settings, admd will log multiple messages to admd.log similar to 47854390298368 Mar 22 02:38:50 [info] virtual bool CVirtualServerImpl::loadState() : Loading state for virtual server

Conditions:
- dosl7d profile attached to a virtual server
- BIG-IP is part of a DSC cluster
- a BIG-IP is forced offline in the cluster

Impact:
Excessive logging occurs to /var/log/adm/admd.log

Workaround:
None

Fix:
An issue with excessive logging to admd.log has been fixed.

582133-1 : Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)

Component: Application Security Manager

Symptoms:
When conditions of "Track Site Change" settings are met the staging flag on "*" entities is supposed to be turned ON in order to learn sub-sequences of site changes without blocking traffic. However it doesn't happen. The staging flag stays OFF.

Conditions:
Staging was set OFF on "*" entity. After that conditions of "Track Site Change" settings are met.

Impact:
in a situation when the protected Web application was changed, ASM can block traffic when it should not be blocked.

Workaround:
Staging flag can be changed manually via GUI

Fix:
The problem was a sub-sequence of other code changes. The code was fixed he way it should count for "Track Site Change" conditions and change Staging flag when it is needed.

582084-1 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When there is a BWC policy created in global sync group and also a local one, then the configuration displays an error.

Conditions:
If BWC policy is created both in global sync and local.

Impact:
Configuration error, BWC policies will not be synced due to errors.

Workaround:
Ensure that BWC policy is in global sync only.

Fix:
BWC policy is now configured for device group sync only in the global group and not local.

582029-4 : AVR might report incorrect statistics when used together with other modules.

Component: Application Visibility and Reporting

Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, it can lead to AVR getting false readings of the activity and as result report on unexpectedly large numbers.

Conditions:
AVR Module is used together with other modules, and these module affect the traffic flow.

Impact:
AVR reports incorrect statistics: unexpectedly large numbers.

Workaround:
None.

Fix:
AVR now identifies the other modules' activity and collects the activity statistics accordingly.

581991-1 : Logging filter for remote loggers doesn't work correctly with more than one logging profile

Component: Application Security Manager

Symptoms:
A logging message arrived at a remote logger while the remote logger's filter have a criteria that doesn't match.

Conditions:
More than one logging profile is attached to a virtual server, the logging profiles have different filters conditions.

Impact:
A non related messages will be presented at the remote logger

Fix:
Fixed an issue with multiple remote logging with different filters.

581945-2 : Device-group 'datasync-global-dg' becomes out-of-sync every hour

Component: TMOS

Symptoms:
The datasync-global-dg device-group may become out-of-sync unexpectedly without any user changes.

When this happens, you can manually sync the device-group, but after about an hour, the device-group becomes out-of-sync again.

Conditions:
-- This happens only in certain timezones, depending on the timezone configured on the BIG-IP system. (This issue has been seen only in relation to the Europe/London timezone.)
-- The problem starts happening about three days after the first installation of an ASM Signature Update (ASU) or FPS Engine/Signature Update.

Impact:
GUI/shell shows config-sync 'possible change conflict' or 'changes pending' in regards to the datasync-global-dg device-group.

Workaround:
There is no workaround other than manually syncing the device-group approximately every hour.

Fix:
The datasync-global-dg device-group no longer becomes out-of-sync unexpectedly and repeatedly every hour.

581851-2 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands

Component: TMOS

Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.

Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appears similar to the following example:
+ err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

+ err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.

Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.

Workaround:
None.

Fix:
This issue no longer occurs.

581840-5 : Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Solution Article: K46576869

Component: Device Management

Symptoms:
If trying to manage a BIG-IP version 11.6.1 or 11.6.1 HF1 with an administrator account named other than “admin”, this can fail.

Conditions:
This can occur with a BIG-IQ managing a BIG-IP version 11.6.1 or 11.6.1HF1 system with a different account than “admin”.

Impact:
You cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Workaround:
Install 11.6.1 HF2 on the BIG-IP system, or use an administrator account named “admin” for managing the device.

Fix:
Can now manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Behavior Change:
local requests through iControl client are now made on port 80, instead of 443.

581835-1 : Command failing: tmsh show ltm virtual vs_name detail.

Component: TMOS

Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:

01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.

Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.

Impact:
No information is displayed by the tmsh show command.

Workaround:
None.

Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.

581834-5 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
clients are unable to use the Firefox plugin on Firefox version 47 and above

Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin

Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above

Fix:
The Firefox plugin now supports all versions.

581824-2 : "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Component: Global Traffic Manager (DNS)

Symptoms:
When you attempt to view the monitors' properties, the page throws an "Instance not found" error.

Conditions:
Viewing the GSLB Monitors tcp_half_open, gateway_icmp and bigip_link's properties page.

Impact:
You cannot view some of their monitors' properties.

Fix:
Fixed the "Instance not found" error.

581811 : The blade alarm LED may not reflect the warning that non F5 optics is used.

Component: TMOS

Symptoms:
When non F5 optics is used for front switch ports, the LCD and /var/log/ltm will display some warning message. But the alarm LED may not reflect that.

Conditions:
This is caused by a race condition. When a blade comes up and decides its role as a primary blade or a secondary blade, it will clear the alarm LED. So the last blade coming up may have its alarm LED in the right state, but the blades that came up earlier may have their alarm LEDs cleared.

Impact:
The alarm LED may not reflect the warning.

Workaround:
None.

Fix:
The problem is fixed in TMOS v12.1.1.

581746-1 : MPTCP or SSL traffic handling may cause a BIG-IP outage

Solution Article: K42175594

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.

Impact:
A system outage may occur.

Workaround:
None.

Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.

581438-2 : Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.

Component: Global Traffic Manager (DNS)

Symptoms:
Prior to this, only 16 pool members could be chosen during a single load-balancing decision.

Impact:
Cannot return more than 16 pool members in a DNS response.

Fix:
GTM now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.

Behavior Change:
BIG-IP DNS GSLB now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.

581406-1 : SQL Error on Peer Device After Receiving ASM Sync in a Device Group

Component: Application Security Manager

Symptoms:
When:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Then upon loading the full sync in the peer an SQL error will appear during the load:
"Failed on insert to PLC.PL_SESSION_AWARENESS_DATA_POINT (DBD::mysql::db do failed: Duplicate entry '<ID>' for key 'PRIMARY')"

Conditions:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Impact:
Benign error which does not affect configuration or enforcement.

Workaround:
None

Fix:
SQL error no longer occurs on CMI Sync with Session Awareness

581315-1 : Selenium detection not blocked

Component: Application Security Manager

Symptoms:
When selenium client webdriver is detected running the Chrome browser it is not being blocked due to low score being assigned by PBD (Suspicious Browsers) mechanism.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot which running selenium Chrome webdriver isn't mitigated by DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
Only for Desktop Google Chrome browsers, the PBD javascript code checks if a plugin called "Widevine Content Decryption Module" doesn't exists, the browser considered as running via the selenium tool and will be blocked by PBD.

581101-1 : non-admin user running list cmd: can't get object count

Component: TMOS

Symptoms:
Non-admin user running list cmd: can't get object count.

Conditions:
Login as non admin user

Impact:
Very minor
non-admin user got some restrictions to view.

Workaround:
Use admin account.

Fix:
Non admin user rights fixed.

580893-2 : Support for Single FQDN usage with Citrix Storefront Integration mode

Solution Article: K08731969

Component: Access Policy Manager

Symptoms:
Adding a new login account onto Citrix Receiver enumerates the applications and desktop. Logging off and reconnecting using the same account starts failing.

Conditions:
-- Citrix Storefront Integration mode with APM.
-- Using the same FQDN to access both Storefront as well as an APM virtual server.

Impact:
Clients are unable to connect.

Workaround:
No workaround other than using different FQDNs.

Fix:
You can now use the same FQDN to successfully access both Storefront as well as an APM virtual server.

580862-1 : Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes

Component: Application Security Manager

Symptoms:
After the Apply-policy task completes successfully, there is an LTM incremental sync back from the peer unit and the policy is deactivated.

Conditions:
High availability (HA) configuration with an auto-sync failover group with ASM sync enabled.

Impact:
ASM policy is erroneously deactivated several seconds after it has been activated via the Apply-policy task.

Workaround:
Temporarily disable ASM sync on the device group.

Fix:
This release fixes the Apply-policy task so that there is no erroneous deactivation after it has completed.

580753-1 : eventd might core on transition to secondary.

Solution Article: K82583534

Component: TMOS

Symptoms:
Upon transition to secondary, eventd shuts down its consumer list. However, during this shutdown, there could still be queued events yet to be process. This leads to a race condition between processing the events and freeing the memory of the consumer.

Conditions:
This happens when eventd is being shutdown while processing events.

Impact:
Causes eventd segmentation fault and core dump

Workaround:
None.

Fix:
eventd no longer cores on transition to secondary when eventd is being shutdown while processing events.

580747-1 : libssh vulnerability CVE-2016-0739

Solution Article: K57255643

580596-1 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Solution Article: K14190 K39508724

580567-1 : LDAP Query agent failed to resolve nested group membership

Component: Access Policy Manager

Symptoms:
Not all of the nested group membership are resolved for a user

Conditions:
Several conditions need to be met:
1. LDAP Query agent is configured to connect to GC (Global Catalog) in AD environment; AND
2. There are sub domains in the AD environment; AND
3. A user who is a member of a group from one of the sub domains login in.

Impact:
User authentication might fail or not getting all the assigned resources due to missing nested group membership.

Fix:
after fix, LDAP agent retrieve group from server when talking to Global Catalog

580537-1 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data

Component: Global Traffic Manager (DNS)

Symptoms:
The geoip_update_data script will not install a City2 GeoIP data.

Conditions:
Attempting to install the City2 GeoIP data.

Impact:
The City2 GeoIP data must be installed manually.

Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:

rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat

Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.

580500-1 : /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.

Component: TMOS

Symptoms:
/etc/logrotate.d/sysstat fails to read /var/log/sa6 or fails to write to /var/log/sa6,, diskspace in /var/log/sa6 is not rotated and disk space reclaimed.

Conditions:
/var/log/sa6 becomes corrupt or disk space becomes full in /var/log/sa6

Impact:
Disk space is not reclaimed in /var/log/sa6

Workaround:
edit /etc/logrotate.d/sysstat
Add "exit 0" after sadf line

Fix:
When /etc/logrotate.d/sysstat's sadf fails, exit cleanly
so logrotate reclaims disk space

580340-1 : OpenSSL vulnerability CVE-2016-2842

Solution Article: K52349521

580313-1 : OpenSSL vulnerability CVE-2016-0799

Solution Article: K22334603

580303-5 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.

Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.

580168-4 : Information missing from ASM event logs after a switchboot and switchboot back

Component: Application Security Manager

Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back

Conditions:
ASM provisioned
event logs available with violation details
install/upgrade to another volume and switchboot to it
wait for ASM to fully come up
switchboot back
event logs are still available but violation details are gone

Impact:
Information missing from ASM event logs after a switchboot and switchboot back

Workaround:
N/A

Fix:
N/A

580026-5 : HSM logging error

Solution Article: K74759095

579955-6 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475

Solution Article: K01587042

579953 : Updated the list of Common Criteria ciphersuites

Component: Local Traffic Manager

Symptoms:
This is a continuous maintenance of the default set per certification requirements

Conditions:
These changes are only in effect when ccmode script is executed.

Impact:
Current set of ciphersuites is the following, subject to change in future releases:

AES{128,256}-{SHA,SHA256}
ECDHE-RSA-AES128-CBC-{SHA,SHA256}
ECDHE-RSA-AES256-CBC-{SHA,SHA384}
ECDHE-RSA-AES128-GCM-{SHA256,SHA384}
ECDHE-ECDSA-AES128-{SHA,SHA256}
ECDHE-ECDSA-AES256-{SHA,SHA384 }
ECDHE-ECDSA-AES128-GCM-{SHA256,SHA384}

579926-1 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode

Component: Local Traffic Manager

Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.

Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.

Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.

Workaround:
No workaround.

579917-1 : User-defined signature set cannot be created/updated with Signature Type = "All"

Component: Application Security Manager

Symptoms:
When creating a User-Defined Signature Set the Signature Type cannot be set to "All". After saving the setting, it resets back to Request.

Conditions:
Creating a new signature set with Signature Type set to "All" (the dropdown defaults to "Request" when opening the create page).

Impact:
A Custom Signature Set cannot be created for with Request and Response Signatures

Workaround:
No workaround, but can be mitigated by creating two signature sets, or using manual sets.

Fix:
Signature Type can now successfully be set to "All" Signatures

579843-1 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes in a specific transition of failover states within a HA pair using dynamic routing and HA pair.

Conditions:
- Active/Standby HA pair set up
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
- Active unit has the following succession of failover states:
Active->Offline->Online->Standby->Active

Impact:
Tmrouted may not announce the Virtual addresses when coming back to Active state after the mention succession.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.

Fix:
tmrouted now re-announces RHI routes in a specific transition of failover states within a HA pair using dynamic routing and HA pair.

579829-7 : OpenSSL vulnerability CVE-2016-0702

Solution Article: K79215841

579760-3 : HSL::send may fail to resume after log server pool member goes down/up

Solution Article: K55703840

Component: TMOS

Symptoms:
High speed logging (HSL): asymmetric bandwidth loss might result in no bandwidth tracking.

Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing.

Impact:
For a period of time after the logging node comes back up, HSL::send events will not be sent to the log server. Sometimes it never recovers and tmm needs to be restarted.

Workaround:
If possible, configure log server pools with multiple members to avoid this condition.

579529 : Stats file descriptors kept open in spawned child processes

Component: TMOS

Symptoms:
No known user visible impact.

Conditions:
This occurs in all multi-blade platforms where clusterd is running.

Impact:
No known user visible impact.

Workaround:
None.

Fix:
Stats file descriptors are opened so that they are closed when a child process is spawned.

579495-1 : Error when loading Upgrade UCS★

Component: Application Security Manager

Symptoms:
When loading an older version UCS file while ASM is live an error may occur when processing the new configuration. You will see the following error in the asm log:

Mar 9 07:16:06 dut30 err perl[22696]: 01310011:3: ASM configuration error: event code T1499 Failed to update configuration table CONFIG_TYPE_DYNAMIC_TABLES

Conditions:
Loading an older version UCS on a live system.

Impact:
Enforcement of Allowed Methods may be incorrect

Workaround:
Restart ASM

Fix:
Configuration is correctly processed when loading a UCS file for upgrade on a live device.

579371-4 : BIG-IP may generate ARPs after transition to standby

Solution Article: K70126130

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.

Impact:
Unexpected ARP requests that might result in packet loops.

Workaround:
None.

Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.

579220-1 : Mozilla NSS vulnerability CVE-2016-1950

Solution Article: K91100352

579210-3 : VIPRION B4400N blades might fail to go Active under rare conditions.

Solution Article: K11418051

Component: TMOS

Symptoms:
Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000.

Conditions:
This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting.

Impact:
When the problem is manifest, the HSB receives FCS errors at a high-frequency and does not receive any valid traffic from the port switch. The B4400N blade might be unable to go active and join the cluster.

Workaround:
To recover, reboot the system once.

579085-6 : OpenSSL vulnerability CVE-2016-0797

Solution Article: K40524634

578983-4 : glibc: Integer overflow in hcreate and hcreate_r

Solution Article: K51079478

578951-2 : TCP Fast Open connection timeout during handshake does not decrement pre_established_connections

Component: Local Traffic Manager

Symptoms:
If a TCP connection is started and contains a valid Fast Open cookie, then times out during the three-way handshake, the failure is not accounted for properly. If this occurs more than a threshold number of times, BIG-IP will stop performing TCP Fast Open.

Conditions:
A TCP connection using TCP Fast Open with a valid Fast Open cookie times out during the three-way handshake.

Impact:
Each connection that times out in this fashion decreases the number of valid pre-established connections that the BIG-IP can support. If the number of connections timed out in this fashion rises above a threshold, BIG-IP will act as if TCP Fast Open is disabled. This threshold cannot be changed.

Fix:
Decrement the pre-established connections counter when a TCP Fast Open connection times out during the initial handshake.

578573-1 : SSL Forward Proxy Forged Certificate Signature Algorithm

Component: Local Traffic Manager

Symptoms:
In SSL Forward Proxy, the signature algorithm used by the CA certificate configured on the client SSL profile can change the signature algorithm used by the server certificate.

For example, if the server certificate uses SHA1 but the CA certificate configured in client SSL profile uses SHA256, the forged certificate will use SHA256. If the server certificate uses SHA256 but the CA certificate configured in client SSL uses SHA1, the forged certificate will use SHA1.

Both scenarios are a problem for a customer.

Conditions:
when the signature algorithm of the CA certificate configured in client SSL profile differs from the signature algorithm of the server certificate.

Impact:
The signature algorithm of forged certificate may differ from the signature algorithm of the server certificate.

Workaround:
Configure the CA certificate in client SSL profile so that the signature algorithm matches that in server certificate.

578570-1 : OpenSSL Vulnerability CVE-2016-0705

Solution Article: K93122894

578564-4 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response

Component: Service Provider

Symptoms:
Connection aborted with RST "ADAPT unexpected state transition (old_state 22 event 7)"

Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.

Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.

Fix:
HTTP::respond works as expected even on an HTTP response returned by an ICAP server after request adaption.

578551-5 : bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot

Component: TMOS

Symptoms:
network 0.0.0.0/0 route-map Default is missing in bgp after a restart/reboot

Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp

Impact:
The bgp doesn't have the same configuration after a restart/reboot. persistence of bgp protocol is not maintained leading to unexpected behavior of bgp

Fix:
the persistence of "network 0.0.0.0/0 route-map Default" in bgp is maintained after a restart/reboot

578415-2 : Support for hardware accelerated bulk crypto SHA256 missing

Component: Local Traffic Manager

Symptoms:
Requests for bulk crypto SHA256 will be performed in software, not by the accelerator.

Conditions:
Any bulk crypto operation that uses SHA256 on the BIG-IP 1600, 3600, 5000, 6900, 7000, 8900, 10000, 11000, 11050, and 12000 platforms, and on VIPRION B2250 blades.

Impact:
The request will be completed in software which may result in increased CPU load.

Workaround:
None.

Fix:
Requests for bulk crypto operations using SHA256 will be assigned to a hardware accelerator, and no longer serviced in software.

578413-1 : Missing reference to customization-group from connectivity profile if created via portal access wizard

Component: Access Policy Manager

Symptoms:
An extra customization group is created for connectivity profile when the profile is created via portal access wizard and the configuration is reloaded.

Conditions:
Use portal access wizard to create configure objects.

Impact:
There is no functional impact since customization is not actually used for connectivity group.

Workaround:
Create configure object manually rather than via wizard.

Fix:
There will be a reference to customization group from connectivity profile when the profile is created by wizard.

578064 : tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade

Component: TMOS

Symptoms:
tmsh show sys hardware show "unavailable" for hard disk manufacturer

Conditions:
In VIPRION B4400/B4450 blades, tmsh show sys hardware always shows "unavailable" for hard disk manufacturer.

Impact:
Can't get correct hard disk manufacturer information.

Fix:
Fixed

578036-1 : incorrect crontab can cause large number of email alerts

Component: TMOS

Symptoms:
There is an incorrect crontab entry in /etc/cron.usbflush for /sbin/lsusb

Conditions:
This occurs for the usbflush entry.

Impact:
usbflush does not run, alert email is generated once per minute.

Workaround:
change /etc/cron.usbflush to use /usr/sbin/lsusb

Fix:
Fix /etc/cron.usbflush to use /usr/sbin/lsusb

577863-5 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time

Solution Article: K56504204

Component: Policy Enforcement Manager

Symptoms:
If the routing table on the DHCP server is misconfigured, so that the DHCP server knows how to send packets to the BIG-IP self IP address (used by the BIG-IP system DHCP relay), but does not know how to send packets to DHCP clients, DHCP clients will not receive a DHCP reply for unicast requests and will start to broadcast DHCP renewal. After a while, the BIG-IP system will stop relaying DHCPOFFER and DHCPACK back to DHCP clients altogether.

Conditions:
DHCP server unicast reply back to client is not received by client, causing DHCP client to send broadcast DHCP packets (with client's IP address as the source IP address).

Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK back
to DHCP clients.

Workaround:
Modify the DHCP server routing table, so that the DHCP server can deliver DHCP reply packets back to clients successfully.

Fix:
DHCP relay now continues forwarding the server DHCPOFFER and DHCPACK messages under these conditions.

577474-3 : Users with auditor role are unable to use tmsh list sys crypto cert

Solution Article: K35208043

Component: TMOS

Symptoms:
The system returns error messages after running the following command: tmsh list sys crypto cert. Error messages appear similar to the following:

-- Key management library returned bad status: -4, Invalid Parameter.
-- Unexpected Error: Can't chmod key management directory: "/var/tmp/key_mgmt", error: [1] Operation not permitted".

Conditions:
-- BIG-IP user accounts configured with the auditor role.
-- Running the command: tmsh list sys crypto cert.

Impact:
BIG-IP users with the auditor role cannot view certificates using the command: list sys crypto cert.

Workaround:
Use the following command: sys file ssl-cert

For example, use either of the following:
-- list sys file ssl-cert default.crt
-- list sys file ssl-cert

Fix:
BIG-IP users with the auditor users can now see certificates using the following command: list sys crypto cert.

576591-6 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains credit card number with specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern is possible for these cases, but should be adjusted to each configuration specifically.

576478 : Enable support for the Purpose-Built DDoS Hybrid Defender Platform

Component: Advanced Firewall Manager

Symptoms:
N/A

Conditions:
Requires new DoS License

Impact:
None

Fix:
This fix adds support for recognition of a Purpose-Built DDoS Hybrid Defender license, and the necessary mechanisms to launch the DDoS Application.

Behavior Change:
There is no change in behavior to existing behavior and functionalities. However, when a DoS License is installed, the Big-IP platform takes on the role of a dedicated DoS protection device. Consequently most non-DoS related functionalities are either disabled or function in limited capacity.

576305-7 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.

576123-3 : ASM policies are created as inactive policies on the peer device

Solution Article: K23221623

Component: Application Security Manager

Symptoms:
ASM policies are created as inactive policies on the peer device.

Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.

Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.

Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.

Fix:
This release fixes the ASM Synchronization mechanism so that ASM policies are correctly created on the peer device

575649-5 : MCPd might leak memory in IPFIX destination stats query

Component: TMOS

Symptoms:
MCPd might leak memory in IPFIX destination stats query.

Conditions:
In some cases, querying IPFIX destination stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.

575629-3 : NTP vulnerability: CVE-2015-8139

Solution Article: K00329831

575591-6 : Potential MCPd leak in IKE message stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE message stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE message stats.

575589-5 : Potential MCPd leak in IKE event stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE event stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE event stats.

575587-7 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.

575444-1 : Wininfo agent incorrectly reports OS version on Windows 10 in some cases

Component: Access Policy Manager

Symptoms:
If Custom Dialer client is used to establish VPN, Wininfo agent incorrectly reports OS as Win8 on Microsoft Windows 10.

This could result in VPN establishment failure.

Conditions:
Custom Dialer client is used on Windows 10
Access policy uses Wininfo agent.

Impact:
VPN cannot be established.

Workaround:
None.

Fix:
Wininfo agent now correctly reports OS version when running Custom Dialer client on Microsoft Windows 10.

575176-1 : Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic

Component: TMOS

Symptoms:
In some scenarios UDP traffic can cause syncookie statistics to be incremented.

Conditions:
Virtual server with fastL4 profile with ePVA offload enabled.
Virtual server to handle UDP traffic.

Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.

Fix:
The BIG-IP system no longer increases Syn Cookie cache statistics on ePVA enabled devices with UDP traffic.

575170-2 : Analytics reports may not identify virtual servers correctly

Component: Application Visibility and Reporting

Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.

Conditions:
This occurs for virtual servers that are configured in one of these ways:

1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.

2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).

Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.

Workaround:
None.

Fix:
Correct identification of the virtual server and the activity reported in the charts is displaying to the right virtual server.

575133-1 : asm_config_server_rpc_handler_async.pl SIGSEGV and core

Component: Application Security Manager

Symptoms:
asm_config_server_rpc_handler_async.pl SIGSEGV and core

Conditions:
Import ASM XML security policy

Impact:
asm_config_server_rpc_handler_async.pl SIGSEGV and core. This occurs after the policy import completes.

Workaround:
N/A

Fix:
The asm_config_server_rpc_handler_async.pl no longer crashes upon import ASM XML security policy.

575066-1 : Management DHCP settings do not take effect

Component: TMOS

Symptoms:
Modifications to /sys management-dhcp do not take effect.

Conditions:
Custom management-dhcp settings configured.

Impact:
DHCP for management interface does not function correctly.

Workaround:
Perform the following procedure:

1. Remount /usr to be read-write.
# mount -o rw,remount /usr

2. Edit the following file, which is a symlink into /usr.
# vi /defaults/config/templates/dhcp.tmpl

3. Change this line around line 7 to add escaped quotes
print "interface \"$mgmt_interface\" {\n";

4. Remount /usr back to read-only.
# mount -o ro,remount /usr

5. Make a change to the list of DHCP requested options.
# tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { ntp-servers }

6. Verify that "eth0" is quoted in this file:
# grep interface /etc/dhclient.conf
interface "eth0" {

7. Create a symbolic link to dhclient.conf
# cd /etc/dhcp
# ln -s ../dhclient.conf .

8. Restart DHCP on the management interface.
# tmsh modify sys global-settings mgmt-dhcp disabled
# tmsh modify sys global-settings mgmt-dhcp enabled

No system reboot should be necessary.

Fix:
Management DHCP settings now take effect as expected when custom management-dhcp settings are configured.

575027-1 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.

Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.

575011-1 : Memory leak. Nitrox3 Hang Detected.

Solution Article: K21137299

Component: Local Traffic Manager

Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly

Fix:
Repaired memory leak.

574880-3 : Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.

Component: Local Traffic Manager

Symptoms:
When connection rate limit is set on a fastL4 virtual server,
client connections hang with high probability.

Conditions:
Set Connection Rate Limit on a fastL4 virtual server.

Impact:
Client connections hang with high probability.

Workaround:
Do rate limiting using iRules.
https://devcentral.f5.com/articles/iruleology-table-based-rate-limiting

Fix:
Fixed Connection Rate Limiting on a fastL4 virtual server.

574526-1 : HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter

Solution Article: K55542554

Component: Local Traffic Manager

Symptoms:
HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter.

Conditions:
when http/2 or spdy is configured and client query URI contains '?' (question mark).

Impact:
No query parameter will be returned.

Workaround:
None.

Fix:
Issue fixed.

574052-4 : GTM autoconf can cause high CPU usage for gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations.

In large configurations of LTM vses that contain "." (dot) in the name.

Conditions:
Large configuration of LTM VS that contain "." in the name have the name converted ("." is replaced by "_") and the LTM VS name is saved to the config.

This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of VS to find a match.

This problem is caused by large numbers of VSes on a GTM Server. (10k VSes on 10k Server is less of an issue
than 10k VSes on 1 GTM Server)

Impact:
CPU usage is high, which may impact monitoring and LB decisions.

Workaround:
There are some mitigations. The preferable (for performance
and stability) are listed first.

1. Rename the virtual servers on the LTM to remove the "."
   This would require deleting the GTM configuration and
   rediscovering it and recreating pools.

2. Turn off autoconf.
   Run autoconf once to populate the config, then turn it
   off.

3. Reduce the frequency of autoconf. It will still cause
   a high CPU usage scenario, but it will be less frequent.

Versions 12.0.0 and higher do not convert the "." to "_". So that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they still may run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue, a reconfig would be necessary.

Fix:
Change algorithm used to match LTM VS names to GTM VS to reduce linear walk of all VSes on a server.

574020-5 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Component: Local Traffic Manager

Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').

Conditions:
This issue occurs when the following conditions are met:

-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').

Impact:
Script fails to work properly, and fails to properly install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which the some user environments might not have.

Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).

Fix:
Safenet HSM installation script install now completes successfully if partition password contains special metacharacters (!#{}').

Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.

573764-1 : In some cases, only primary blade retains it's statistics after upgrade on multi bladed system

Component: Application Visibility and Reporting

Symptoms:
Statistics from the primary blade remain after upgrade, but not from the other blades.

Conditions:
Upgrade to new version in multi bladed system.

Impact:
Not all statistics are present after upgrade.

Workaround:
No workaround

573643-3 : flash.utils.Proxy functionality is not negotiated

Component: Access Policy Manager

Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.

Conditions:
Presence of flash.utils.Proxy descendants.

Impact:
Customer application malfunction.

Workaround:
None.

573611-1 : Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs

Component: Access Policy Manager

Symptoms:
When a user session times out, then subsequently attempts access using the expired session ID, APM may log a log message at "err" level similar to this:

Aug 15 14:54:25 bigip.hostname err tmm[10206]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete, Line:

Conditions:
User is logged into APM and session times out.

Impact:
Error log messages may be confusing to BIG-IP APM administrators. The client is able to successfully reconnect.

Fix:
Erroneous messages of "Access encountered error: ERR_NOT_FOUND" are no longer logged in the APM log.

573602-1 : FQDN pool members not shown by tmsh show ltm monitor

Component: Local Traffic Manager

Symptoms:
The tmsh 'show ltm monitor <monitor-type>' command does not display the status of FQDN pool members.

Conditions:
-- LTM monitor is assigned to FQDN pool members (including FQDN members of an LTM pool to which the monitor is assigned).
-- Running the tmsh command: show ltm monitor <monitor-type>.

Impact:
Unable to view status of FQDN pool members via the tmsh 'show ltm monitor <monitor-type>' command.

Workaround:
There is no workaround at this time.

Fix:
The status of FQDN pool members is displayed by the tmsh 'show ltm monitor <monitor-type>' command. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

573584 : CPLD update success logs at the same error level as an update failure

Component: TMOS

Symptoms:
On booting after a successful CPLD update, you see an error in /var/log/ltm: "err chmand[4933]: 012a0003:3: CPLD not updated after previous power cycle."

Conditions:
This occurs during reboot after a successful firmware update

Impact:
The message is logged as an error, but it actually means that the CPLD version is as it is expected to be. This error can be safely ignored.

Fix:
CPLD update not required is now logged at the info level, not error.

573366-4 : parking command used in the nesting script of clientside and serverside command can cause tmm core

Component: Local Traffic Manager

Symptoms:
tmm cores in configuration using certain iRules

Conditions:
An iRule that parks the interpreter is used in the nesting script of clientside and serverside command. (e.g. when doing a table lookup).

For more information on iRule commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing, https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
move the parking command outside the nesting script.

573343-1 : NTP vulnerability CVE-2015-8158

Solution Article: K01324833

573302-1 : FQDN pool member remains in disabled state after removing monitor

Component: Local Traffic Manager

Symptoms:
If an FQDN pool member has been disabled by a monitor (for example, after the monitor receives the configured recv-disable string from the node) and the monitor is then removed from the pool or member configuration, the FQDN pool member remains in a 'disabled' state (state and session-status are 'disabled') instead of changing to an 'unknown' state.

Conditions:
-- FQDN pool member is marked 'disabled' by a monitor.
-- The monitor is then removed.

Impact:
The FQDN pool member remains in a 'disabled' state and is unable to receive traffic.

Workaround:
There is no workaround at this time.

Fix:
When an FQDN pool member is marked 'disabled' by a monitor, then the monitor is removed, the FQDN pool member is updated to an 'unknown' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

573075-4 : ADAPT recursive loop when handling successive iRule events

Component: Service Provider

Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause 'ADAPT unexpected state transition'.

The adapt profile statistic 'records adapted' reaches a very high number as it counts every attempt.

Conditions:
-- A requestadapt or responseadapt profile is configured.
-- An iRule is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event, that parks.
-- The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
-- Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.

Impact:
The connection is aborted with RST cause 'ADAPT unexpected state transition'.

The 'records adapted' statistic reaches a very high number.
Eventually the TMM crashes and the BIG-IP system fails over.

Workaround:
If possible, arrange the iRules to avoid the conditions above.

In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.

Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the 'records adapted' statistic reports the correct number.

573031-1 : qkview may not collect certain configuration files in their entirety

Component: TMOS

Symptoms:
If the following files exceed 5M in size, they will be truncated when collected by qkview:

/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf

Conditions:
Any of the listed files exceeds 5 Mbytes.

Impact:
Fault diagnosis may be affected.

Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.

572885-1 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
ASM provisioned.
Device group w/ ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

572568-2 : Gy CCR-i requests are not being re-sent after initial configured re-transmits

Component: Policy Enforcement Manager

Symptoms:
For Gy interface, if OCS doesn't respond to the initial set of CCR-I requests as per the diameter-endpoint profile (1+ msg-max-retransmits <n>), the new set of CCR-I requests are not being generated, even after provisioning pending timeout happens.

Conditions:
This issues happens only for Gy interface and when initial set of CCR-I request doesn't get a CCA response.

Impact:
The subscriber will be left in Idle state till the default quota is breached and brought down or subscriber can reconnect once OCS CCA response is fixed.

Workaround:
Re-connect the subscriber once the CCA response is fixed in OCS

Fix:
The solution is to resend CCR-I requests once the provisioning timeout happens

572558-1 : Internet Explorer: incorrect handling of document.write() to closed document

Component: Access Policy Manager

Symptoms:
HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show error on this page.

Conditions:
HTML page with document.write() calls inside event handlers or another scripts executed after document loading.
Strings passed to document.write() function contain HTML tags with URL or another re-writable content in attributes.

Impact:
HTML page is not shown at all or works incorrectly in Internet Explorer.

Workaround:
No workaround known

Fix:
Now HTML pages with document.write() calls for closed document are handled correctly by Portal Access.

572281-5 : Variable value in the nesting script of foreach command get reset when there is parking command in the script

Component: Local Traffic Manager

Symptoms:
When there is something like the following script:

foreach a [list 1 2 3 4] {
set a 10
after 100
}

There is parking command, after, in the script and it runs after "set a 10", when after command returns, the value of a goes back to the initial value set in the foreach, value of 10 is lost.

Conditions:
There is parking command in the nesting script of foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962

Impact:
Variable values get reset.

Workaround:
Set(or set again) the variable value after the parking command.

Fix:
Will fix in later release.

572272-5 : BIG-IP - Anonymous Certificate ID Enumeration

Solution Article: K65355492

572133-5 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are being sent to stderr instead of stdout. This will be seen if a you are watching stderr for error messages.

Conditions:
There are no conditions, every time the command is run, it will send some status type messages to stderr.

Impact:
If a script runs the command it may report that the save failed because messages were send to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command will send the status messages to stdout.

571651-3 : Reset crypto accelerator queue if it becomes stuck.

Solution Article: K66544028

Component: Local Traffic Manager

Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:

'n3-cryptoX request queue stuck'.

Conditions:
An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.

Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.

Workaround:
Disable crypto acceleration.

Fix:
The crypto accelerator is gracefully reset when the accelerator stalls due to a misconfigured request.

Note: This issue resolution is limited to SSL handshake issues, and is not a resolution for all possible causes of a 'queue stuck' event.

571095-1 : Monitor probing to pool member stops after FQDN pool member with same IP address is deleted

Component: Local Traffic Manager

Symptoms:
If an FQDN pool member resolves to the same IP address (node) as a non-FQDN (static) pool member, and the FQDN pool/member is deleted, no further monitor probes are sent to the remaining non-FQDN (static) pool member.

Conditions:
This occurs if an FQDN pool member resolves to the same IP address (node) as an existing non-FQDN (static) pool member.

Impact:
Loss of health monitoring to remaining non-FQDN (static) pool member.

Workaround:
There is no workaround other than avoiding creating a static pool member with the same IP address that could be resolved to an FQDN name.

Fix:
An FQDN pool member and static (non-FQDN) pool member can no longer be created with the same IP address, preventing loss of monitoring of the static member of the conflicting FQDN pool member is deleted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

570818-4 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Component: TMOS

Symptoms:
LTM IPsec IKEv2 does not support dynamic remote-address CONFIG option, but still might potentially process that information sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure in establishing IPsec SA.

Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.

Impact:
Failure in establishing IPsec SA.

Workaround:
None.

Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.

570697-1 : NTP vulnerability CVE-2015-8138

Solution Article: K71245322

570667-2 : OpenSSL vulnerabilities

Solution Article: K64009378

570570-5 : Default crypto failure action is now 'go-offline-downlinks'.

Component: Local Traffic Manager

Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "none" or "failover". Now, the default behavior is "go-offline-downlinks".

(Note: You can find information on crypto accelerator fail-safe behavior in K16951: Overview of SSL hardware acceleration fail-safe :: https://support.f5.com/csp/article/K16951.)

Conditions:
Crypto accelerator encounters a failure and crypto.ha.action has not been changed from its default.

Impact:
If a hardware accelerator failed on a blade in a chassis, the system would failover, but if there was a second failover back to the chassis with the failed blade, SSL traffic might get dropped.

Workaround:
Set the db variable crypto.ha.action to your desired value.

Fix:
Previously, if a crypto accelerator encountered a failure, the default action was either 'none' or 'failover'. Now, the default behavior is 'go-offline-downlinks'.

Behavior Change:
The default value of the db variable crypto.ha.action has changed to 'go-offline-downlinks'. The only time this has an effect on the system is when a crypto accelerator fails. For a chassis, this value will cause the blade that had the failed crypto device to go offline, leaving the other blades to handle the load, while an appliance will failover to its standby peer. See https://support.f5.com/csp/article/K16951 for more details.

570277-1 : SafeNet client not able to establish session to all HSMs on all blades.

Solution Article: K16044231

Component: Local Traffic Manager

Symptoms:
SafeNet client not able to establish session to all HSMs on all blades.

Conditions:
When the BIG-IP chassis is used with SafeNet HSM high availability (HA), and when BIG-IP tmm interface is used.

Impact:
SafeNet HSM HA is not being used at its maximal capacity.

Workaround:
Restart pkcs11d to mitigate this issue.

Fix:
We have adjusted the startup timing of pkcs11d to wait until tmm initialization finishes. Also we added retry for pkcs11d threads when connecting to HSM.

570217-2 : BIG-IP APM now uses Airwatch v2 API to retreive device posture information

Component: Access Policy Manager

Symptoms:
Airwatch version 8.3 and above no longer use the v1 REST API. APM is not be able to retrieve device information from Airwatch MDM version 8.3 and higher and device posture checking in APM policies fails.

Conditions:
- Airwatch configured on APM
- Airwatch is upgraded to version 8.3 or higher

Impact:
BIG-IP APM is unable to retrieve device information and device posture check will fail.

Workaround:
n/a

Fix:
BIG-IP APM now utilizes the Airwatch v2 API to access device posture information.

Important: you must be using Airwatch release 8.3 and up because older releases do not support the v2 REST API end points.

570057-2 : Can't install more than 16 SafeNet HSMs in its HA group

Component: Local Traffic Manager

Symptoms:
With installation script on the BIG-IP, you can't install more than 16 SafeNet HSMs in its high availability group with versions 5.2 and 5.4.

Conditions:
Attempt to install more than 16 SafeNet HSMs.

Impact:
Installer script failure.

Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.

Fix:
Updated SafeNet installation scripts by replacing "vtl" to "lunacm" for high availability group creation and member adding operations for version 6.2.

569814-2 : iRule "nexthop IP_ADDR" rejected by validator

Solution Article: K30240351

Component: Local Traffic Manager

Symptoms:
The nexthop command allows an administrator the ability to specify a forwarding address in an iRule. The form which takes an IP address may be rejected by the validator with an error message of the form:

01070151:3: Rule [/Common/irule_example] error: Unable to find vlan, vlangroup or tunnel (10.0.0.1) referenced at line 2: [nexthop 10.0.0.1]

Conditions:
This occurs when the nexthop command contains only the IP address, for example:

when HTTP_REQUEST {
nexthop 10.0.0.1
}

Impact:
The iRule containing the 'nexthop IP_ADDR' command cannot be associated with a virtual server.

Workaround:
The 'nexthop VLAN IP_ADDR' form of the command does pass the validator. Choose the named vlan on which IP_ADDR can be reached. For example:

when HTTP_REQUEST {
nexthop internal 10.0.0.1
}

Fix:
Validator now allows 'nexthop IP_ADDR' in iRules.

569563-3 : Sockets resource leak after loading complex policy

Component: Access Policy Manager

Symptoms:
File descriptors used by apmd remain unclosed (TCP and UDP) after loading a complex access policy.

After some time, the APM process file descriptor table is exhausted and no more access policies are processed.

The following error messages may be observed in the logs:

err apmd[16013]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 86 Msg: epoll_create() failed [Too many open files].

Conditions:
This can happen at the initial stage after apmd starts, or later when policies are reloaded. Although this is not directly related to log-level, this problem is easier to observe when the access control log-level is Warning or lower (Notice, Info, Debug).

File descriptors leak (remain unclosed) after loading complex policies that contain many agents.

Impact:
The APM process is unable to create new sessions, leading to an inability to process access policy operations.

Workaround:
This can happen at the initial stage after apmd starts, or later when policies are reloaded.

Current preferred workaround is to set log level to ERROR or higher and restart apmd.

When a large number of file descriptors has already been observed, the only way to close them other than disabling logging is to raise log levels to ERROR or above, and then issue the following command:

bigstart restart apmd

Note 1: Do not use sys db variables to change log level for versions 12.0.0 and later.

Note 2: Double-check log levels using the following command: tmsh list apm log-setting all-properties

Note 3: Opened file descriptors do not close until apmd is restarted.

Note 4: When in doubt (about whether file descriptors are leaking), run the following command on the BIG-IP system:

lsof -p `pidof apmd` | grep TCP; lsof -p `pidof apmd` | grep UDP. This gives you the number of open files.

- Detailed steps to change logging-level to ERROR:

Step 1. Modify access control log level using the following command: tmsh modify apm log-setting all access modify { all { log-level { access-control err } } }

Step 2. Check the log levels using the following command: tmsh list apm log-setting all-properties

Step 3. Manually restart apmd using the following command: bigstart restart apmd

Fix:
Sockets are now closed properly, so there is no longer file descriptor leakage when loading or reloading complex access policies.

569542-1 : After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★

Component: Access Policy Manager

Symptoms:
After upgrade, an existing user-created partition will not be able to load any existing hosted-content file or upload a new one.

The issue happens because the required APM Sandbox directory w.r.t. this partition is missing after the upgrade.

01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_file_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Loading configuration process failed.

REPRODUCTION STEPS:
1) Before upgrade, create a partition (make sure APM is provisioned), say 'p1'.
2) Install the upgrade and reboot.
3) After upgrade, partition 'p1' is created but the required directory '/var/sam/www/webtop/sandbox/files_d/p1_d' is not created.

This can occur on upgrades from prior to 11.6.0 to 11.6.0 through 12.1.0.

Conditions:
Partition is created before the upgrade.

Impact:
Configuration load fails if the existing partition had any hosted-content file before upgrade. If it did not have any hosted-content file before upgrade, the configuration load will be successful, but the user cannot upload/create a new hosted-content file in this partition sandbox.

Workaround:
Workaround is manually create the required sandbox directory using bash command:

mkdir -p /var/sam/www/webtop/sandbox/files_d/p1_d

569467-5 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Solution Article: K11772107

569355-1 : Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494

Solution Article: K50118123

569316-1 : Core occurs on standby in MRF when routing to a route using a transport config

Component: Service Provider

Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.

Conditions:
routing a message to a route that uses a transport-config to define how to create an outgoing connection.

Impact:
The standby device will core.

Workaround:
NA

Fix:
Fix properly initializes a field on the standby.

569309-3 : Clientside HTML parser does not recognize HTML event attributes without value

Component: Access Policy Manager

Symptoms:
Assignment of a specific HTML content to tag.innerHTML could lead to a JavaScript error. This happens when one or more of tags in HTML text contain html event attributes without value (such as <div onclick />)

Following or similar error is logged in browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference

Impact:
Web application does not work when accessed through Portal Access.

Workaround:
iRule could be provided for specific application.

Fix:
Now empty inline event handler attributes are not rewritten on client side.

569288-6 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This will cause some of the LACP trunk members not able to aggregate successfully with peer switch.

Conditions:
This only happens in a chassis based system when certain race condition causes trunk id being modified after initial trunk creation.

Impact:
Non aggregated trunk members won't be able to pass traffic.

Workaround:
Restart lacpd in all the blades in the chassis by running command "clsh bigstart restart lacpd"

569121-1 : Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low

Component: Anomaly Detection Services

Symptoms:
If you have a large CMP configuration using Advanced Detection and rate limiting with a low rate limit applied, the per-core rate limit on attack traffic can end up being lower than the desired overall rate limit.

Conditions:
This was seen during internal testing with a large number of cores (3 blades / 24 cores) and a very low rate limit applied.

Impact:
Overall rate limit is lower than expected.

Fix:
Improvements were made to rate limiting in environments with a high number of tmms

569100-1 : Virtual server using NTLM profile results in benign Tcl error

Component: TMOS

Symptoms:
Tcl error in /var/log/ltm.

Tcl error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP

Conditions:
Virtual server using the NTLM profile. Only logged when the first virtual server is created or when TMM restarts.

Impact:
If you are using TMSH to configure virtual server and NTLM profile, validation/constraint is not performed/enforced.

Workaround:
This is a benign, cosmetic error. There should be no functional impact to the system.

Fix:
Fixed the unexpected error message encountered and added validation when creating a virtual server with an NTLM profile.

568672-1 : Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI

Component: TMOS

Symptoms:
After an SA goes down, 'show net ipsec traffic-selector' may report that the traffic-selector is up. The Web UI also reports up.

Conditions:
This occurs if a tunnel times out and goes to the down state.

Impact:
Confusion on the true state of the tunnel.

Workaround:
None needed.

Fix:
Now, when a tunnel times out and goes to the down state, the state is shown correctly.

568545-2 : iRules commands that refer to a transport-config will fail validation

Solution Article: K17124802

Component: Service Provider

Symptoms:
If an iRule command refers to a transport-config, the iRule fails validation even if the object exists.

Conditions:
-- iRule command refers to a transport-config.
-- iRule validation occurs.

Example:
create ltm pool p1 members add { 10.2.3.4:5060 }
create ltm message-routing sip transport-config tc1 profiles add { udp sipsession }
create ltm virtual vs1 destination 10.1.1.50:5060 profiles add { udp sipsession siprouter }
create ltm rule r1
ltm rule r1 {
    when MR_INGRESS {
        MR::message route config tc1 pool p1 <==command refers to tc1 which is a transport-config object
    }
}

Impact:
Validation fails even though object exists. Unable to directly refer to a transport-config from an iRule command.

Workaround:
If the name of the transport-config is loaded into a Tcl variable, the Tcl variable can be use to indirectly refer to the transport-config object.

Fix:
iRule validation logic has been improved to check for the existence of a transport config object.

568543-4 : Syncookie mode is activated on wildcard virtuals

Component: Local Traffic Manager

Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.

Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.

Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.

Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.

Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (previous max was 4093)

567743-2 : Possible gtmd crash under certain conditions.

Solution Article: K70663134

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core leading to a SIGSEV due to a possible race condition.

Conditions:
Due to a possible race condition that occurs under certain conditions (such as a sync event), gtmd might core.

Impact:
This event could lead to an outage.

Workaround:
None.

Fix:
The system now correctly processes this condition so that no race condition occurs.

567546-1 : Files with file names larger than 100 characters are omitted from qkview

Component: TMOS

Symptoms:
If the filename of a file being gathered by qkview happens to be larger than 100 characters, the qkview will simply not include it.

Conditions:
No conditions necessary. Any file with a name larger than 100 characters is automatically omitted.

Impact:
Files with names larger than 100 characters are being omitted from the qkview. Since UNIX files can be 256 characters long, this potentially could omit important files that could help diagnose problems.

Workaround:
One would have to rename any files with names larger than 100 characters to names with less than 100 characters.

Fix:
Qkview was fixed to not use POSIX as the tar format, but instead to use the "GNU" format which allows for up to 256 characters (the system limit). The fixed program now allows any length of characters possible.

567457-2 : TMM may crash when changing the IKE peer config.

Component: TMOS

Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).

Conditions:
This occurs when making changes to IPsec tunnels that causes the configuration to become invalid. For example, changing ISAKMP phase1 from SHA-1 to MD5 results in an invalid configuration.

Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use tmsh to make the affected configuration changes... this occurs in the GUI only. The tmsh 'create' command does not cause this core.

Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.

567233-1 : Multiple samba vulnerabilities

Solution Article: K92616530

567177-1 : Log all attempts of key export in ltm log

Component: TMOS

Symptoms:
Attempts to export keys are not logged.

Conditions:
-- Exporting keys.
-- Viewing ltm log.

Impact:
No messages logged to indicate the export attempts.

Workaround:
None.

Fix:
iControl:
======================
When any of the following iControl functions is called (either by the GUI or directly by a system user), the system logs it in ltm log. The log will include the iControl function name, key names, and BIG-IP user name.
key_export_to_file
key_export_to_pem
export_all_to_archive_stream
export_to_archive_stream
export_all_to_archive_file
export_to_archive_file

ltm logs example:
======================
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_file()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key, /Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_pem()
-- info iControlPortal.cgi[26687]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: keys (/Common/kc.key, /Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()

tmsh:
======================
The only possibility for using tmsh to export a key is saving a UCS file, so that will be logged.

ltm logs example:
======================
notice tmsh[21886]: 01420012:5: private key export: All keys are being exported by user "admin" via UCS saving.

GUI:
======================
There are 3 ways that a user can get key export from GUI:
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: default : Key Export
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: Archive...
-- System :: Archives :: New Archive...

These are internally implemented by using iControl and tmsh calls, so they will be automatically be logged in ltm log as iControl or tmsh users.

Behavior Change:
With this change, any attempt to export key will be logged in ltm log. Logged attempts include: save a UCS file, archive key files, or export key files, using tmsh/iControl/GUI.

566576-6 : ICAP/OneConnect reuses connection while previous response is in progress

Component: Service Provider

Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.

Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error in detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.

Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.

Workaround:
Remove OneConnect.

Fix:
Big-IP with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.

566507-4 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.

Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.

566342 : Cannot set 10T-FD or 10T-HD on management port

Component: Local Traffic Manager

Symptoms:
When setting the B4450 or B4300 mgmt port to 10T-FD or 10T-HD, there is no link LED. However, the peer unit shows the correct link LED for this setting.

Conditions:
B4450 or B4300 blade and you want to set 10T-FD or 10T-HD media type

Impact:
Unable to set this media type.

Fix:
The management port of B4450 and B4300 blades can now be configured with 10T-FD or 10T-HD

566071-5 : network-HSM may not be operational on secondary slots of a standby chassis.

Component: Local Traffic Manager

Symptoms:
pkcs11d may not be running on secondary slots of a chassis.

Conditions:
This might occur when the following conditions are true:
1. Network-HSM installed on BIG-IP chassis.
2. Chassis is in standby state OR Secondary slots do not have management IP configured.

Impact:
If SSL profiles are configured with keys of security-type 'nethsm' when the specified conditions are true, traffic for such profiles will fail when the affected slots process traffic.

Workaround:
Manually install netHSM on each secondary slot.

Fix:
netHSM install no longer depends on management IP of secondary slots and also successfully installs on slots of a standby chassis.

565895-1 : Multiple PCRE Vulnerabilities

Solution Article: K17235

565799-4 : CPU Usage increases when using masquerade addresses

Component: Local Traffic Manager

Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.

Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.

Impact:
Possible performance degradation or reduction in capacity

Fix:
Performance of masquerade address checks is restored.

565137 : Pool licensing fails in some KVM/OpenStack environments.

Solution Article: K12372003

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ, BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.

Workaround:
There is no workaround.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.

564876-2 : New DB variable log.lsn.comma changes CGNAT logs to CSV format

Component: Carrier-Grade NAT

Symptoms:
New CSV format that does not use quotes as delimiters was not present prior to 12.1.2.

Conditions:
Setting the DB variable log.lsn.comma

Impact:
More control of logging format via the DB variable log.lsn.comma

Workaround:
N/A

Fix:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.

Behavior Change:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.

564771-1 : cron sends purge_mysql_logs.pl email error on LTM-only device

Component: TMOS

Symptoms:
On a device provisioned with LTM only, cron may log or send an email containing the following perl error:

/etc/cron.hourly/purge_mysql_logs.pl:

Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27

This script was only intended to be run with AM, ASM, or ASM provisioned and it generates an error if it is not.

Conditions:
Any device with AM, ASM, and PSM not provisioned. LTM-only devices are impacted.

Impact:
If cron can send email, it will send the perl error in the email once per hour.

564522-2 : cron is configured with MAILTO=root but mailhost defaults to 'mail'

Solution Article: K40547220

Component: TMOS

Symptoms:
The crontab and ssmtp configurations environment is MAILTO="", which means no email and it is difficult to find where the email went.

Conditions:
This exists in the default crontab and ssmtp configurations.

Impact:
- You may receive unexpected messages addressed to "root" at a host named "mail" on your network

OR

- You may encounter messages similar to the following in /var/log/maillog:

Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Unable to connect to "mail" port 25.
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Cannot open mail:25

Workaround:
Change outbound-smtp mailhub to localhost with tmsh:

tmsh modify /sys outbound-smtp mailhub localhost

Fix:
Default mailhub has been changed to localhost. Starting in 12.0.0, MAILTO is set to root instead of "" in /etc/crontab so that the output of cron jobs can be captured. However, ssmtp is configured by default with a mailhost of 'mail', which may result in either error messages logged to /var/log/maillog or unexpected messages received on another system.

564281-3 : TMM (debug) assert seen during Failover with Gy

Component: Policy Enforcement Manager

Symptoms:
When using the debug version of the tmm, HA fail over may cause the tmm to assert when Gy is configured.

Conditions:
Using PEM and Gy is configured.

Impact:
The TMM (debug version) may core and restart, resetting all connections.

Workaround:
Do not use the debug tmm with Gy.

Fix:
This debug assert has been changed to a debug log message.

564058-1 : AutoDoS daemon aborts intermittently after it's being up for several days

Solution Article: K91467162

Component: Advanced Firewall Manager

Symptoms:
AutoDoS daemon aborts intermittently when accessing session db api for memcache interface.

Conditions:
This happens in control plan AutoDoS daemon. This is an intermittent issue that occurs in few platforms under specific stress testing.

Impact:
Core will be seen, but the daemon will restart, and there is no loss of state.

Workaround:
No workaround.

Fix:
AutoDoS daemon no longer aborts intermittently when accessing session db api for memcache interface.

563933-4 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs

Component: Local Traffic Manager

Symptoms:
A and AAAA RRsets in the additional section are dropped.

Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.

Impact:
Failure to include the additional RRs results in additional lookups by the client which could be glue records for a resolver.

Workaround:
Set dns64-additional-section-rewrite is 'any'.

Fix:
v4-only and v6-only options work as expected. Note that DNS64 prefix operations occur after all other DNS processing blocks -- including GTM.

563727-1 : Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'

Component: Application Security Manager

Symptoms:
A GET request without payload but with payload indication doesn't issue the body in get violation.

Conditions:
A Get request without payload arrives.
The request has a 'transfer-encoding: chunked' header although there is no payload.

Impact:
A suspicious request goes by undetected.

Workaround:
Add an iRule that removes this header from the ASM and issues a custom violation.

Fix:
A GET request without payload but with 'transfer-encoding: chunked' will issue the body in GET sub violation.

563661-2 : Datastor may crash

Component: TMOS

Symptoms:
In rare cases datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.

Conditions:
WAM provisioned and enabled

Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.

563592 : Content diagnostics and LCD

Component: TMOS

Symptoms:
While running platform_check, you notice this on the LCD:

F5 LCD Server
Clients: 0
Screens: 0

Conditions:
This occurs when running platform_check after running bigstart stop

Impact:
This is cosmetic, the LCD does not indicate that it is in diagnostic mode.

Fix:
When the LCD is unable to communicate with BIG-IP, such as during shutdown or platform_check, the LCD now displays the following:
F5 LCD Server
Host inaccessible or
in diagnostic mode

563135-3 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt

Component: Access Policy Manager

Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.

Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request

Impact:
The first request after authentication will fail.

Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.

562928-2 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
Certain url connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled with 'curl: (7) couldn't connect to host' error.

Conditions:
Using curl command with'--local-port' option causes the connections to fail on the BIG-IP system.

Impact:
TCP connections do not complete the three way handshake and traffic does not pass.

Workaround:
Disabling 'cmp' option in virtual server secures the traffic over IPsec tunnels.

Fix:
Using curl command with'--local-port' option no longer causes the connections to fail on the BIG-IP system.

562921-4 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered unsecure.

Conditions:
The value is hardcoded into the product.

Note: This is completely independent of the TMM profiles or the httpd cipher values.

Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an unsecure cipher.

Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.

Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"

562636-2 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.

Solution Article: K05489319

Component: Access Policy Manager

Symptoms:
When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages, because their unique parameter renders caching ineffective.

Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.

Impact:
A memory leak in the TMM.

Workaround:
None (when the triggering conditions are encountered).

Fix:
This release corrects the possible memory exhaustion issue in access end-user interface pages for transparent proxy/SWG cases.

562267-3 : FQDN nodes do not support monitor alias destinations.

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support monitor alias destinations.

Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.

Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.

Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.

Fix:
FQDN nodes now support monitor alias destinations.

561892-2 : Kerberos cache is not cleared when Administrator password is changed in AAA AD Server

Solution Article: K08121752

Component: Access Policy Manager

Symptoms:
BIG-IP Administrator's password is changed and AD Query fails.

Conditions:
-- Administrator's password is changed for AAA AD Server.
-- Access policy applied.

Impact:
AD Query fails.

Workaround:
Remove Kerberos cache files (krb5cc_0 and krb5cc_1) manually in /var/run/apmd/krb5cc/ and all subdirectories.

Fix:
Kerberos cache is removed by apmd, if the administrator's password is changed and an access policy is applied.

561500-4 : ICAP Parsing improvement

Component: Service Provider

Symptoms:
If a malformed ICAP message is sent to the Big-IP the ICAP parser can enter a state where it consumes an increasing amount of CPU and memory.

Conditions:
A request-adapt or response-adapt profile is configured.
An ICAP message is received from an ICAP server lacking "ICAP/1.0" as initial header line.

Impact:
Memory and CPU usage increase.
Eventually the TMM may crash causing Big-IP fail-over.

Fix:
ICAP parser checks for correct initial ICAP/1.0 header line and rejects message if missing.

561444-1 : LCD might display incorrect output.

Component: TMOS

Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.

Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.

Impact:
LCD may display incorrect data.

Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.

Fix:
The issue allowing garbled messages between the front panel display daemon (fpdd) and the LCD daemon (LCDd) is now prevented from happening.

561348-7 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
krb5.conf file is not in sync across all blades.
this may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.

Conditions:
When administrator made changes to krb5.conf file manually, the configuration file is not synchronized to all blades or is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.

Workaround:
None.

Fix:
The APM code now automatically synchronizes the changes to /etc/krb5.conf file to all devices in the Failover Device group. Any change made to this file either in Active Device or Standby device will be automatically synced to other device.

In Chassis, all the Secondary blades will mirror the file on the Primary blade. Any manual change done on the Secondary blade(s) will be lost. The admin has to do the changes on Primary blade only and it will be synchronized with all others blades.

Behavior Change:
When admin modifies /etc/krb5.conf file, the changes are automatically updated on other devices in the same Failover Device group.

When admin modifies the /etc/krb5.conf file on the primary blade of the chassis, the changes are automatically updated on all secondary blades.

560471-1 : Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down

Component: Local Traffic Manager

Symptoms:
Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down.

Conditions:
Changing the monitor configuration of a pool. For example:

tmsh modify ltm pool http-pool monitor http and tcp
tmsh modify ltm pool http-pool monitor min 1 of { http tcp }

Impact:
Virtual server may be incorrectly marked down, when it should not be.

Fix:
Changing the monitor configuration of a pool no longer causes the virtual server to be marked as down.

560114-6 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When Monpd is restarted, it starts printing non-stop error message to logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature - err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (maybe caused by /var/log being full).

Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd

560109-7 : Client capabilities failure

Solution Article: K19430431

559953-1 : tmm core on long DIAMETER::host value

Component: Service Provider

Symptoms:
tmm crashes and restarts when an iRule is accessed that contains a large DIAMETER::host value.

Conditions:
This occurs with a DIAMETER::host iRule parameter set to a very large value (2000 characters).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Limit the length of the DIAMETER::host parameter to less than 1000 characters.

Fix:
BIG-IP now limits the DIAMETER::host parameter to 1000 characters.

559837-4 : Misleading error message in catalina.out when listing certificates.

Component: TMOS

Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.

java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].

Conditions:
This occurs when listing certificates, and exceptions are returned.

Impact:
1. Throws table creation exceptions when randomly generated table name contains invalid character ('-').
2. Misleading 'Table not found" message in catalina.out.

Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.

Fix:
Errors occur when listing certificates that contain invalid characters from the randomly generated table names, so the GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation.

559655 : Post RMA, system does not display correct platform name regardless of license

Component: TMOS

Symptoms:
When you get an RMA and you are licensed for a 4000 and the unit received has been licensed as a 4200, you will have a difference between hardware on site and the new hardware received, regardless of what license you have.

Conditions:
Take a 4000 from manufacturing and license it for a 4200 wipe system and rebuild and license for a 4000 and tmsh show sys hardware and device groups will indicate it to be a 4200
if you have a 4200 from manufacturing and license it as a 4000 it will still indicate that it is a 4200
Affected platforms is following
2000/2200 4000/4200 5000/5200 7000/7200 10000/10200

Impact:
Confusion as to what the actual platform is

559080-5 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and sent the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.

Fix:
The system now resets the expire timer when it initiates the close. If the server fails to reset or complete the close, the flow is aborted on the next expiration event.

559030-1 : TMM may core during ILX RPC activity if a connflow closes before the RPC returns

Solution Article: K65244513

Component: Local Traffic Manager

Symptoms:
TMM core with plugin context refcount error.

Conditions:
-- Using ILX RPC calls.
-- Connflow closes before the RPC returns.

Note: Most likely to occur when using a low-end unit or virtual edition configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
ILX plugin timeout no longer causes TMM core.

557680-4 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing IPsec tunnel interface MTU attribute repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
The issue occurs when the IPsec tunnel interface attributes has its configuration modified quickly and repeatedly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).

557471-3 : LTM Policy statistics showing zeros in GUI

Component: TMOS

Symptoms:
Statistics for LTM Policies, e.g., the total count of policy action invocations and number of successful policy action invocations, are not being updated in the GUI. The GUI shows zeros for both of these stats for every LTM Policy.

Conditions:
Occurs under all conditions.

Impact:
Through the GUI, Administrators cannot see invocation counts for general troubleshooting or to determine which policies are being used.

Workaround:
To work around this issue, you can use the tmsh utility to view BIG-IP LTM traffic policy statistics. To do so, perform the following procedure:

To retrieve stats for all policies, run the following command:
# tmsh show ltm policy.

To retrieve stats for a specific policy, run the following command:
# tmsh show ltm policy <policy-name>.

Fix:
LTM Policy statistics now shows the correct values in the GUI.

557434-4 : After setting a Last Resort Pool on a Wide IP, cannot reset back to None

Component: Global Traffic Manager (DNS)

Symptoms:
After configuring a wide IP with a Last Resort Pool set to something other than None, you can no longer change the Last Resort Pool back to None.

Conditions:
Last Resort Pool is set to something other than None.

Impact:
There is no None option in TMSH or GUI.

Workaround:
Setting the Pool Name to an empty string via tmsh will set it to None.
For example
modify gtm wideip a wip.f5.com last-resort-pool a

Fix:
None options added to tmsh and GUI.

557411-1 : Full Webtop resources appear overlapping in IE11 compatibility mode

Component: Access Policy Manager

Symptoms:
Full Webtop resources appear overlapping each other in MSIE 11 in compartibility mode

Conditions:
MSIE 11, compartibility mode. Full Webtop in use

Impact:
Everything is working but the icons overlap.

Workaround:
1. modify advanced customization of apm.css

#webtop_favorites_inner_container span.favorite span.caption{
...
    <? if( $_GET['ctype'] == 'IE' && $_GET['cversion'] < 9){ ?>
    zoom: 1;
    <? }elseif( $_GET['ctype'] == 'IE' && $_GET['cversion'] == 11){ ?>
    zoom: 0;
    <? } ?>
}

2. an irule that would change apm.css to
#webtop_favorites_inner_container SPAN.favorite SPAN.caption {
...
zoom: 1; /* <--- set 0 if msie 11 in compartibility mode */
}

Fix:
Everything is back to normal

557358-5 : TMM SIGSEGV and crash when memory allocation fails.

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV and crash when memory allocation fails.

Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.

Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.

Workaround:
None known at this time.

Fix:
TMM SIGSEGV and crash no longer occur when memory allocation fails due to a command attempting to remove the connection for removal from the SSL queue a second time.

557190-3 : 'packet_free: double free!' tmm core

Solution Article: K65615624

557155-8 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Solution Article: K33044393

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue is reproduced during a test that over provision a 2-vCPU guest and is unlikely to happen in normal operation.

Workaround:
Try ones of the following workarounds (first on is the most preferred and so ):
1. Increase guest memory.
2. Significantly reduce the value of the content in '/sys/module/unic/rx_queue_size'. For example running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
sysctl vm.panic_on_oom=1

Fix:
BIG-IP Virtual Edition becomes unresponsive under extreme load test due to kernel memory exhaustion from over-provisioning.

555039-4 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Solution Article: K24458124

Component: TMOS

Symptoms:
There is a high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop

Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.

Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.

554713-2 : Deployment failed: Failed submitting iControl REST transaction

Component: TMOS

Symptoms:
When deploying an access control policy to a sync group, you notice the following error: Deployment failed:
Failed submitting iControl REST transaction 1445978291443908: remoteSender:ip_address

Conditions:
This can happen on policy sync with a large number of ACLs.

Impact:
The system will function properly, but some transactions may take longer than expected. BIG-IQ deployment of APM access control lists is one known case to fail due to timeouts.

Workaround:
None.

Fix:
The audit log contains every database modification request message sent to mcpd. Certain messages once took an unexpectedly long time to render, which has been fixed.

553795-7 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.

2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Delete the FIPS key by-handle on the peer system(s).

2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).

Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.

551795-1 : Portal Access: corrections to CORS support for XMLHttpRequest

Component: Access Policy Manager

Symptoms:
XMLHttpRequest to external domain should fail if the server does not include 'Access-Control-Allow-Origin' header into response. Current implementation of CORS support in Portal Access does not enforce this failure.
If XMLHttpRequest to same-origin resource is redirected to external one, it has to be treated as cross-domain request. Current implementation of CORS support in Portal Access does not handle this case correctly.

Conditions:
XMLHttpRequest to external domain via Portal Access succeeds even when the server response does not include 'Access-Control-Allow-Origin' header.
XMLHttpRequest to same-origin resource succeeds via Portal Access in spite of response redirection.

Impact:
Web application may work incorrectly; some data access restrictions may not work.

Fix:
Now Portal Access supports CORS in case of response redirection for XMLHttpRequest.
CORS support enforces error in the case when 'Access-Control-Allow-Origin' header is absent in server response.

551349-5 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★

Solution Article: K80203854

Component: TMOS

Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.

Conditions:
A monitor exists with a non-explicit address and explicit port on a BIG-IP system running 10.2.4. Then upgrade to 11.5.x (or install 10.2.4 ucs)

Impact:
Monitors appears to function normally but they will have the wrong format in the config file.

Workaround:
None.

Fix:
Determine if non-explicit (*) address is ipv4 or ipv6 based on next character to be parsed.

551208-6 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.

Component: Local Traffic Manager

Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.

Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435

Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.

Workaround:
None.

Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.

550547-2 : URL including a "token" query fails results in a connection reset

Component: Access Policy Manager

Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:

"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Conditions:
Configure an Explicit SWG with a PRP that includes [protocol lookup (https) + category-lookup]
It does not matter ntlm or basic auth.
This is triggered on sites that have "token" in the query parameters.

Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Workaround:
Workaround iRule:

when HTTP_REQUEST {
    if { [HTTP::query] contains "token" } {
      set fix 1
      HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}

when HTTP_REQUEST_SEND {
    if { [info exists fix] && $fix equals 1 } {
      clientside {
        HTTP::query [string map "aabbcc token" [HTTP::query]]
        unset fix
      }
    }
}

Fix:
Customization namespace for subsession state prefix with default value as "000fffff" has been added controlled via db variable "tmm.access.subsessionstateprefix" before state/token query param and validation is ensured to check for the prefix value before triggering serialize/deserialize code to avoid RST.

In case if a UCS is being restored and used for a Hotfix, the newly added DB variable may not be present in /config/Bigdb.dat file. The following information needs to be added in /config/Bigdb.dat file followed by a "bigstart restart" to ensure proper working.

#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32

550161-4 : Networking devices might block a packet that has a TTL value higher than 230.

Component: Local Traffic Manager

Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.

Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).

Impact:
No access to the resources.

Workaround:
None.

Fix:
The TTL value can now be changed from the hardcoded value of 255. This supports the requirement that some networking devices have to block a packet whose TTL value is higher than 230.

549329-3 : L7 mirrored ACK from standby to active box can cause tmm core on active

Solution Article: K02020031

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby configuration setup for L7 packet mirroring.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.

547479-5 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.

547053-1 : Bad actor quarantining

Component: Anomaly Detection Services

Symptoms:
An issue was found where bad actors could be released from quarantine due to a timing issue

Conditions:
This is a timing issue related to an having unusually high number of bad actors at the same time.

Impact:
Traffic can be removed from quarantine and passed to the web server

Fix:
An issue was fixed related to bad actor quarantining

546145-1 : Creating local user for previously remote user results in incomplete user definition.

Component: TMOS

Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.

Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.

Impact:
User cannot authenticate. User name does not appear in User List.

Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.

545810-3 : TMM halts and restarts

Solution Article: K14304373

Component: Local Traffic Manager

Symptoms:
TMM halts and restarts.

Conditions:
This crash can happen when passing egress traffic on LTM virtual servers that meet the following two configuration criteria:
-- The virtual server is configured with a Fast HTTP profile.

Impact:
Halt and restart of TMM. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Now the system receives only packets that it owns and can be re-used, so this issue no longer occurs.

545796-5 : [iRule] [Stats] iRule is not generating any stats for executed iRules.

Component: Local Traffic Manager

Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.

Conditions:
This occurs when the following steps are taken:
1. Move/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.

Impact:
No iRule usage stats available.

Workaround:
None.

Fix:
iRule now generates stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.

545450-5 : Log activation/deactivation of TM.TCPMemoryPressure

Component: Local Traffic Manager

Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.

Conditions:
TM.TCPMemoryPressure set to "enable".

Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.

Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.

544906-2 : Issues when using remote authentication when users have different partition access on different devices

Solution Article: K07388310

Component: TMOS

Symptoms:
User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user.

For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].

Conditions:
Devices configured for remote authentication.

User A on device 1 with role on all-partitions.

User A on device 2 with role restricted to a single partition.

Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.

Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.

Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.

Fix:
User authentication completes successfully for operations on multiple devices on which a single user has different partition access configured.

544477 : New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Component: TMOS

Symptoms:
Phone support is not available for hourly billing customers in cloud marketplaces.

Conditions:
All hourly billing VE instances in AWS Marketplace.

Impact:
Phone support is not available for hourly billing VE instances.

Fix:
New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Behavior Change:
Changed licensing for hourly billing instances from pre-licensed image to template reg key which must be licensed through the license server.

544033-5 : ICMP fragmentation request is ignored by BIG-IP

Solution Article: K30404012

Component: Local Traffic Manager

Symptoms:
Client sends a large ICMP Echo Request whose size exceeds the MTU of the network the packet traverses requiring the ICMP Echo Response to be fragmented. BIG-IP ignores the fragmentation request and continues sending ICMP Echo Replies that exceed the network MTU.

Conditions:
-- A large (exceeds MTU of network traversed) ICMP Echo Request is directed to a Virtual Address on the BIG-IP system.
-- ICMP Echo Reply is larger than upstream networks MTU resulting in fragmentation needed being sent to BIG-IP.

Impact:
ICMP Echo Reply is not received by the requester.

Workaround:
None.

Fix:
Client now receives correctly ICMP echo response from Virtual Address when echo request has been fragmented.

543344-3 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
When a BIG-IP system is configured with explicit HTTP proxy, an ACCESS iRule does not work reliably in HTTP_PROXY_REQUEST. The issue happens when the current ACCESS iRule searches the associated session ID from the connection itself in either of these ways:
-- The session ID is embedded in the request.
-- The connection was processed by ACCESS previously.

When neither condition is satisfied, then the current ACCESS iRule cannot find the associated session ID.

Conditions:
This occurs when the following conditions are met:

-- ACCESS iRule such as ACCESS::session data get/set.
-- ACCESS::session exists.
-- Session ID is not provided by the caller.
-- Caller expects the session ID to be resolved internally.

Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, ACCESS iRule commands are processed as if the caller provided an empty session ID in its arguments. As a result, ACCESS::iRule commands return an empty result.

Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.

Fix:
Fixed to allow ACCESS iRule commands in commands such as HTTP_PROXY_REQUEST where previously there was not enough data for them to execute.

Note: This fix is only for IP address-based sessions where the access policy is not evaluated via iRules, but in the usual method (attached to virtual server). This fix does not address the issue for NTLM-based sessions and sessions that use 'ACCESS::policy evaluate'.

543208-1 : Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★

Component: TMOS

Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:

01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
This occurs when the following sets of conditions are met:

Condition set 1
===============
-- Your BIG-IP high availability (HA) device group members are running BIG-IP 11.6.0 or 11.6.1.
-- You upgrade a peer HA device to BIG-IP 12.x or later.
-- After you upgrade that peer, a failover event occurs.

Condition set 2
===============
-- Your BIG-IP HA device group members are running BIG-IP 12.0.0, 12.1.0, 12.1.1, or 12.1.2.
-- You upgrade a peer HA device to BIG-IP 13.x or later.
-- After you upgrade that peer, a failover event occurs.

Note: This might be most evident with APM configurations.

Impact:
mcpd on the devices running the affected versions may become unresponsive. Upgrade fails. This is fundamentally the result of device group members running different software versions.

Workaround:
None.

Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.

542097-4 : Update to RHEL6 kernel

Component: TMOS

Symptoms:
Rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic

Conditions:
Running RHEL6 kernel under heavy disk load, more likely on a vCMP host

Impact:
Unexpected machine reboot causing loss of service

Workaround:
None.

Fix:
Redhat provided an update to RHEL6.7
F5 backported to RHEL6.4, 6.5:

jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()

541550-3 : Defining more than 10 remote-role groups can result in authentication failure

Component: TMOS

Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:

notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false

Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.

Impact:
User cannot authenticate.

Workaround:
None.

541549-2 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.

Component: TMOS

Symptoms:
The default settings of an AMI is not to delete an attached volume of an instance when the instance is terminated. This results in extra effort to delete a volume manually after terminating the instance. If not done always, the orphaned volume causes extra bills.

Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.

Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This option is set to be default now. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in AWS console.

Workaround:
None.

Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

541320-10 : Sync of tunnels might cause restore of deleted tunnels.

Solution Article: K50973424

Component: TMOS

Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.

Conditions:
Viewing tunnels after a full load sync.

Impact:
This might result in a deleted tunnel being restored to the configuration.

Workaround:
None.

Fix:
Sync of tunnels no longer causes restore of deleted tunnels.

540928-1 : Memory leak due to unnecessary logging profile configuration updates.

Component: Application Security Manager

Symptoms:
There is a memory leak in ASM control plane daemons after processing many calls in a long lived process

Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)

Impact:
Memory consumption by ASM control plane daemons increases.

Workaround:
Restart ASM - which will cause a failover and a down time

OR just kill asm_config_server by:
-----------------------
pkill -f asm_config_server
-----------------------
which will get restarted back by ASM process watchdog in ~15 seconds and should not cause failover nor downtime.

Fix:
An async worker lifecycle was introduced so long lived processes will now dispatch a fixed number of calls to their workers before retiring them.

540872-1 : Config sync fails after creating a partition.

Component: TMOS

Symptoms:
Config sync fails after creating a partition. A config sync error similar to the following occurs:

Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist

Conditions:
This error occurs when a folder is created in the same transaction that an object is also created in that folder.

This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created.

Impact:
A transaction will fail or incremental sync on APM will fail on a peer.

Workaround:
In the case of transactions, create partitions and folders in a separate transaction from any object creation.

For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.

539360 : Firmware update that includes might take over 15 minutes. Do not turn off device.

Component: TMOS

Symptoms:
On certain platforms, firmware updates might take over 15 minutes to complete. It is very important to wait until update completes. Do not turn on the device until the operation is finished.

Conditions:
This occurs on the following iSeries platforms: i2000, i4000, i5000, i7000, and i10000.

Impact:
Reboot takes a long time. The GUI posts the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.

Workaround:
None.

Fix:
Although reboot takes a long time on the iSeries platforms, the GUI posts a message containing a time range, similar to the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.

539093-1 : VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.

Solution Article: K26104530

Component: TMOS

Symptoms:
Virtual Edition (VE) deployed with 1 CPU only shows INOPERATIVE status until at least one VLAN is both configured and attached to an interface.

Conditions:
Install the BIG-IP Virtual Edition software on a VM with 1 CPU (1 CPU/2048 MB RAM option available in OVA) and license, but do not create any VLANs (or create VLANs, but do not attach them to an interface).

Impact:
In the CLI, device remains in INOPERATIVE state, but shows ACTIVE in the GUI. This might cause unneeded delay trying to rectify what appears to be a license issue when there is none.

Workaround:
To work around this, configure at least one VLAN and attach it to an interface.

537553-8 : tmm might crash after modifying virtual server SSL profiles in SNI configuration

Component: Local Traffic Manager

Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:

-- BIG-IP system sends an invalid memory access segmentation fault (SIGSEGV) or floating point error (SIGFPE), signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed

Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Making SSL profile configuration changes now completes successfully.

536563-7 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.

Component: Local Traffic Manager

Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.

Impact:
Unexpected RSTs (Clientside).

Workaround:
None.

534520-1 : qkview may exclude certain log files from /var/log

Component: TMOS

Symptoms:
After generating a qkview, some log files are missing.

Conditions:
This can occur intermittently while generating a qkview.

Impact:
Certain key log files that might be needed for troubleshooting are missing from the qkview.

Workaround:
None.

Fix:
After generating a qkview, all log files are now present.

534457-4 : Dynamically discovered routes might fail to remirror connections.

Component: Local Traffic Manager

Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.

Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.

Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.

Workaround:
Provide a static route instead of dynamic routes.

Fix:
Remirroring L4 connections using dynamic routes works correctly. (Note that when using dynamic routes it is not guaranteed that the active and standby systems will use the same routes; if the same routing is required on both active and standby fails over, there might be some dropped connections.)

534247-1 : Issue a Body in Get sub violation for GET request with content type header

Component: Application Security Manager

Symptoms:
A GET request without payload but with payload indication doesn't issue the body in get violation.

Conditions:
A Get request without payload arrives.
The request has a content type header although there is no payload.

Impact:
A suspicious request goes by undetected.

Workaround:
Add an iRule that removes this request from the ASM and issues a custom violation.

Fix:
A GET request without payload but with content type header will issue the body in GET sub violation.

533956-3 : Portal Access: Space-like characters in EUC character sets may be handled incorrectly.

Solution Article: K30515450

Component: Access Policy Manager

Symptoms:
Extended Unix Code (EUC) character sets include several white space characters which have no ASCII equivalents. These characters are not recognized as white spaces by Portal Access. This may lead to incorrect handling of HTML pages, XML files and/or JavaScript files in these character sets.

Conditions:
- HTML page, XML file or JavaScript file in any EUC encoding scheme (EUC-JP, for example).

Impact:
Page or file in EUC encoding scheme may not be parsed correctly.

Workaround:
Use an iRule to replace non-ASCII compatible white space characters by ordinal spaces.

Fix:
Now text content using EUC character encoding schemes is handled correctly by Portal Access.

531979-6 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system is now setting the SSL version in the record layer to be the same as version value of ClientHello message, which is the highest SSL version now supported.

Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:

SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION

The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.

For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.

Fix:
The SSL version in the record layer of ClientHello is now set to be the lowest supported version, which eliminates that issue that occurred when the highest SSL version that the BIG-IP system supports did not fall into the range that an SSL peer supports.

530927-8 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed

Component: TMOS

Symptoms:
If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.

Conditions:
Interfaces use a lower speed then their capacity.
Trunk is created where the highest speed of any of the members is this reduced speed.
Interface, also lowered, is added to the trunk.

Impact:
Interface cannot be added to the trunk.

Workaround:
Remove all interfaces, readd them all at the same time.

Fix:
The BIG-IP system now correctly adds interfaces to a trunk formed from interfaces running at a lowered speed.

530877-7 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Solution Article: K13887095

Component: Local Traffic Manager

Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.

If the iRule contains a suspending command, the system may eventually stop accepting connections to any TCP virtual servers with that have the Verified Accept option enabled.

Conditions:
This occurs when all of the following conditions are met:
- Standard Virtual Server is configured.
- Virtual Server is configured with a TCP profile in which Verified Accept is enabled.
- Client sends the initial data to be sent on the ACK of the three-way-handshake.

Impact:
Depending on the scenario, this might:
- Result in the specific connection being reset.
- Eventually result in TMM being unable to process any further connections to virtual servers with Verified Accept enabled.

Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking whether the variable has been set on subsequent runs.

Fix:
The BIG-IP system now correctly processes initial data on the ACK of a three-way handshake when used with Verified Accept so iRule processing does not run the CLIENT_ACCEPTED event twice.

530530-6 : tmsh sys log filter is displayed in UTC time

Component: TMOS

Symptoms:
When using the time-based log filters hour, minute, and second, tmsh returns results based on UTC time.

Conditions:
Use range filter for 'tmsh show sys log' in either of the following ways:

Filter logs by hour.
Filter logs for less than 8 hours.

Impact:
tmsh does not filter the log correctly with 'range' filter.

Workaround:
Calculate the difference between the local BIG-IP system time and UTC, or change the system time to UTC.

530266-7 : Rate limit configured on a node can be exceeded

Component: Local Traffic Manager

Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.

Conditions:
More than 1 tmm needs to be there. Rate limit needs to be configured on the node.

Impact:
Node rate limit feature does not work as intended.

Workaround:
Rate limit can be shifted from the node to pool member and it works.

530109-3 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Component: Access Policy Manager

Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.

Impact:
OCSP auth might fail as wrong URL is used.

Workaround:
1. Clean URL field.
2. Uncheck option 'Ignore AIA'.

Fix:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.

Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.

528499-3 : AFM address lists are not sorted while trying to create a new rule.

Component: Advanced Firewall Manager

Symptoms:
AFM address lists are not sorted while trying to create a new rule.

Conditions:
Seen only in the rule creation page.

Impact:
AFM address lists are not sorted in the rule creation page.

Workaround:
none

Fix:
AFM address lists are now sorted in the rule creation page.

527720-1 : Rare 'No LopCmd reply match found' error in getLopReg

Component: TMOS

Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.

This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.

This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.

Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.

Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.

Workaround:
None.

527206-5 : Management interface may flap due to LOP sync error

Component: TMOS

Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.

Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.

Workaround:
None.

Fix:
Rare Management interface flap due to LOP sync error no longer occurs on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

526708 : system_check shows fan=good on removed PSU of 4000 platform

Component: TMOS

Symptoms:
Running system_check on a 4000 platform with one PSU removed will still show status FAN=good; STATUS=good

Conditions:
This applies only to the BIG-IP 4000 platform.

Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.

Fix:
If a PSU has been removed, system_check will now show status STATUS=not present

525580-1 : tmsh load sys config merge file filename.scf base command does not work as expected

Solution Article: K51013874

Component: TMOS

Symptoms:
The presence of base option indicates that only the base objects in the configuration should be considered for the save operation. The non-base objects in the configuration should be ignored.

However, this is not true for the following command:
tmsh load sys config merge file filename.scf base.

Conditions:
Running the command: tmsh load sys config merge file filename.scf base.

Impact:
This command ignores the base option. When specified with the merge option the base option is ignored. It merges the non-base configuration objects. It does not load only the base config objects as specified in the command.

Workaround:
None.

Fix:
tmsh load sys config merge file filename.scf base command now loads only the base config objects as specified in the command.

525429-11 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
OpenSSL library was modified to keep it compatible with RFC 6347 complaint DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC6347, the new OpenSSL library is modified to be compatible with RFC6347.
The current APM client is compatible with old OpenSSL library, not the new OpenSSL library.

Impact:
The current APM client is not compatible with new OpenSSL libary.

Fix:
The APM client is now compatible with both the old and new OpenSSL library.

524277-2 : Missing power supplies issue warning message that should be just a notice message.

Component: TMOS

Symptoms:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.

Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.

Conditions:
Running chassis with absent power supplies, or with power not applied, will cause ltm to issue warning messages.

Impact:
Extra logging.

Workaround:
Ignore missing power supply warning messages.

Fix:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.

Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.

523814-3 : When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections

Component: Local Traffic Manager

Symptoms:
An HTTP virtual server with OneConnect and RAM Cache will not consistently keep server-side connections alive and idle (for reuse), depending on the HTTP version that the client uses.

Clients that use HTTP/1.1 will result in fewer serverside connections being reused.

Conditions:
HTTP virtual server with HTTP cache enabled (in RAM cache mode, not AAM mode) and OneConnect profile.

Alternately, an iRule that down-steps the HTTP request version to HTTP/1.0

Impact:
Increased server utilization and number of ports in use / timewait / finwait as a result of OneConnect and RAM Cache closing serverside connections more frequently than expected.

Inconsistent behavior as a result of client HTTP version.

Workaround:
An iRule can work around this issue by inserting a Connection: Keep-Alive header.

522302-2 : TCP Receive Window error messages are inconsistent on UI

Component: Local Traffic Manager

Symptoms:
Different invalid inputs for Receive Window resulted in inconsistent error messages in TMUI.

Conditions:
Input invalid options (e.g, -1 and 0) for TCP Receive Window in TMUI.

Impact:
User is presented with two different input ranges whereas for both invalid options one correct input range should have been present.

Workaround:
There is no workaround at this time.

Fix:
TMUI for TCP Receive Window is fixed for invalid inputs.

521370-1 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8

Component: Application Security Manager

Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Fix:
Auto-Detect Language policy no longer contains disallowed high ASCII meta-characters.

521270-1 : Hypervisor might replace vCMP guest SYN-Cookie secrets

Component: TMOS

Symptoms:
Traffic suddenly stops passing on platforms in vCMP mode when SYN-cookie mode is triggered.

Occasionally, under HW-SYN-Cookie mode, HW-SYN-Cookie validation can fail, which triggers the software SYN-Cookie procedure, which does succeed.

Under vCMP guest, you might notice hwalgo_accept increasing under TMCTL table epva_hwvipstat. If this packet's destination is the local high-layer TCP stack, there is no functional impact. Otherwise, there might be a performance impact.

Under vCMP mirroring, however, the packet (failed to validate by FPGA), is sent to the remote TMM, which does not have the correct secret to validate, which causes the connection issue.

Conditions:
vCMP provisioning setup.

Impact:
Under vCMP guest, you might notice hwalgo_accept increased under TMCTL table epva_hwvipstat, which, if under HW-SYN-Cookie mode, everything will be validated automatically by FPGA instead.

You might also notice hwalgo_invalid, if the FPGA used
the updated secret for SYN-Cookie generation from the hypervisor, and when guest and hypervisor secret index overlaps.

Even though guest and hypervisor secret index might not be the same, the history secret might be updated by hypervisor, which might trigger additional hwalgo_accept.

Under vCMP mirroring, however, the packet (failed to validate by FPGA), is sent to the remote TMM, which does not have the correct secret to validate, so the error rate could be higher.

Workaround:
On the vCMP hypervisor, run the following commands.

1. echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl.
2. bigstart restart TMM.

On a multiple blade system, you must run these commands on all blades.

Fix:
Hypervisor no longer replaces vCMP guest SYN-Cookie secrets.

521204-2 : Include default values in XML Policy Export

Component: Application Security Manager

Symptoms:
XML Policy Export does not include some entities, unless their values are different from the system's default settings.

Conditions:
-- ASM provisioned.
-- Configuration contains some entities whose values match the defaults.
-- Export security policy in XML format.

Impact:
XML Policy Export does not include those entities; it only includes entities when their values are different from the system's default settings

Workaround:
None.

Fix:
XML policy export operations now exclude defaults only when exporting a minimal XML configuration.

519612-1 : JavaScript challenge fails when coming within iframe with different domain than main page

Component: Advanced Firewall Manager

Symptoms:
The JavaScript Challenge fails when coming within an iframe that is on a different domain than the main page.

Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
  a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
  b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
  c. Device-ID (fingerprint)
  d. Web Scraping Bot Detection Challenge
  e. Proactive Bot Defense (with/without "Block Suspicious Browsers")

Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.

Workaround:
It is possible to workaround the problem using Proactive Bot Defense (DoS Profile) and iRules.
This works even if the problem is in Web Scraping and DoS profile was not previously used.

The following steps must be done for the Virtual Server handling the iframe, as well as the one handling the main page.

1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
   a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
   b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
   c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/" } {
            BOTDEFENSE::cs_allowed true
        }
    }
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.

Fix:
JavaScript challenges no longer fail when coming within an iframe on a different domain than the main page.

518201-4 : ASM policy creation fails with after upgrading

Component: Application Security Manager

Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. You will see the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------

It does not matter if the security policy was created by the command line or by the Configuration utility.

Conditions:
ASM provisioned
Upgrade to 11.6.X

Impact:
ASM policies cannot be created.

Workaround:
Please apply the following workaround, as root user, from the command line of the affected BIG-IP.
Please run these exact commands - copy and paste into the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

Be advised that this operation will permanently affect the mentioned database table.
It is strongly advised to first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------

Before applying the workaround, first make sure that you indeed need one.
You can do that by running this in the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
In case this query does not return any output - it means that there is no need to apply the mentioned workaround.

In case you do need to apply the workaround, you can use the same "SELECT *" query to validate the workaround, after it has been applied. Namely, after the workaround was applied, the "SELECT *" query should return no output.

Fix:
We've fixed ASM policy creation so that it does not fail after upgrade

517756-6 : Existing connections can choose incorrect route when crossing non-strict route-domains

Component: Local Traffic Manager

Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.

Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.

Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.

Workaround:
None.

Fix:
Existing connections now choose the correct route when crossing non-strict route-domains.

516736-1 : URLs with backslashes in the path may not be handled correctly in Portal Access

Component: Access Policy Manager

Symptoms:
Safari, Chrome, Edge and Internet Explorer support backslashes in URL path and treat them as slashes. But Portal Access converts backslashes in URLs to slashes explicitly; this may cause unexpected results in some web applications. Note that FireFox has no such support.

Conditions:
HTML page with URL with backslashes in the path, for example:

<a href=http://some.com\some\path/file.ext>

Impact:
Web application may not work correctly.

Workaround:
In some cases it is possible to modify rewritten URLs by iRule.

Fix:
Now URLs with backslashes are supported correctly by Portal Access for all browsers except for Internet Explorer 7--9 and FireFox.

513288-7 : Management traffic from nodes being health monitored might cause health monitors to fail.

Component: Local Traffic Manager

Symptoms:
Management traffic from nodes being health monitored might cause health monitors to fail.

Conditions:
Health monitor checking node_ip:port where 1024 is less than or equal to port, which is less than 65536. Node periodically connects back to management service on self IP (e.g., iControl, GUI, SSH).

Impact:
Traffic is not sent to the node while the monitor is failing.

Workaround:
None.

Fix:
Management traffic from nodes being health monitored no longer causes health monitors to fail.

510631-1 : B4450 L4 No ePVA or L7 throughput lower than expected

Component: Performance

Symptoms:
L4 no ePVA and L7 performance was limited to as little as 146Gbps under some traffic conditions instead of the advertised capability of 160Gbps.

Conditions:
This occurs on the B4450 blade.

Impact:
Performance lower than expected

Fix:
Driver enhancements to 12.1.2 and 13.0 enable full 160G performance

509980-1 : Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.

Component: TMOS

Symptoms:
When a DSC cluster is configured using HA Groups, spurious HA group configuration errors can be displayed when rebooting another member of the DSC cluster.

These messages can appear in the output of the "show cm traffic-group", or on the Device Management -> Traffic Groups page.

Conditions:
HA-DSC Cluster with 2 or members. HA-Groups are configured on one or more traffic groups on all Cluster members.

A Cluster member is rebooted, and an administrator is viewing the Device Management- > Traffic Groups page, or issuing the "show cm traffic-group" .

Impact:
A message displaying that all traffic group(s) should have an HA Group configured may be incorrectly displayed. This has no affect on the operation of the system, and will clear once the cluster member has finished rebooting.

Workaround:
There is no workaround or mitigation other than upgrading to a release with the required fix.

Fix:
HA Daemon has been updated to correctly track the configuration of HA Groups on other devices during device reboots.

509858-5 : BIG-IP FastL4 profile vulnerability

Solution Article: K36300805

Component: Local Traffic Manager

Symptoms:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Conditions:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Impact:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Fix:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

508113-3 : tmsh load sys config base merge file <filename> fails

Component: TMOS

Symptoms:
Save sys config file.

(tmos)# save sys config file demo.scf no-passphrase
Saving running configuration...
  /var/local/scf/demo.scf
  /var/local/scf/demo.scf.tar

Try to load the base configuration within this file.

(tmos)# load sys config base merge file demo.scf
Loading configuration...
  /var/local/scf/demo.scf
Syntax Error:(/var/local/scf/demo.scf at line: 6) "apm" unexpected argument

The error is from a system configuration, not user created.

apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}

Basically the configuration fails to load all components for unprovisioned modules and features.

Conditions:
Running the command: load sys config base merge file <filename> when the system contains unprovisioned modules and features.

Impact:
tmsh load sys config base merge file <filename> fails.

Workaround:
None.

Fix:
The provisioning checks were modified to let this command succeed.

507240-4 : ICMP traffic cannot be disaggregated based on IP addresses

Solution Article: K13811263

Component: TMOS

Symptoms:
ICMP traffic might not be disaggregated evenly if there is not enough entropy from the ICMP header.

Conditions:
-- ICMP traffic has low entropy in ICMP header.
-- System is configured to disaggregate traffic.

Impact:
Traffic imbalance.

Workaround:
None.

Fix:
This release supports disaggregation of ICMP traffic based on IP addresses, in addition to ICMP headers. To enable the feature, use the following commands:

In v13.x:
tmsh modify net dag-globals icmp-hash ipicmp

In v12.x:
tmsh modify sys db dag.icmp_hash value ipicmp

Note: This feature cannot be used if the BIG-IP system translates IP addresses for ICMP traffic.

507206-1 : Multicast Out stats always zero for management interface.

Component: TMOS

Symptoms:
Multicast Out stats are always zero for the management interface.

Conditions:
Statistics information on the management interface.

Impact:
The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover.

Workaround:
Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.

506543-5 : Disabled ephemeral pool members continue to receive new connections

Component: Local Traffic Manager

Symptoms:
Disabled ephemeral pool members continue to be selected for new connections.

Conditions:
FQDN parent node is disabled causing its derived ephemeral pool members to be marked disabled.

Impact:
Unexpected traffic load balanced to disabled pool members

Workaround:
None.

Fix:
Traffic will no longer be load balanced to disabled ephemeral pool members.

503842-4 : Microsoft WebService HTML component does not work after rewriting

Component: Access Policy Manager

Symptoms:
The Microsoft webservice.htc component provides JavaScript interface for SOAP services for Microsoft Internet Explorer (IE). It stops working after rewriting through reverse proxy.

Conditions:
-- Using Microsoft webservice.htc component.
-- Rewriting through reverse proxy.
-- Running IE.

Impact:
Microsoft WebService component stops working.

Workaround:
You can use the following iRule to work around this issue:
---
when HTTP_REQUEST {
  # Downgrade IE compatibility mode
  set downgrade_ie_compat 0
  if { [HTTP::path] contains "PreviewQualitySheet.aspx" } {
    set UAString [string tolower [HTTP::header User-Agent]]
    if { ! ($UAString contains "msie 8.") and ! ($UAString contains "msie 7.")} {
      set downgrade_ie_compat 8
    }
  }
  # do not rewrite WebService HTML Component
  # because IE ignores it after rewriting.
  # patching a few things manually instead
  set ms_webservice_fix 0
  if { [HTTP::uri] ends_with "webservice.htc"} {
    set ms_webservice_fix 1
    HTTP::uri "[HTTP::uri]?F5CH=I"
    if { [HTTP::version] eq "1.1" } {
      if { [HTTP::header is_keepalive] } {
        HTTP::header replace "Connection" "Keep-Alive"
      }
      HTTP::version "1.0"
    }
  }
}
when HTTP_RESPONSE {
  if { $downgrade_ie_compat > 0 && ! [HTTP::header exists X-UA-Compatible] } {
    HTTP::header replace "X-UA-Compatible" "IE=$downgrade_ie_compat"
  }
  if { $ms_webservice_fix == 1 } {
    if { [HTTP::header exists "Content-Length"] and \
        [HTTP::header "Content-Length"] > 0 and \
        [HTTP::header "Content-Length"] <= 1048576 } {
      HTTP::collect [HTTP::header Content-Length]
    } else {
      HTTP::collect 1048576
    }
  }
}
when HTTP_RESPONSE_DATA {
  if { $ms_webservice_fix == 1 } {
    set location [string first \
        {if (co.userName == null)} \
        [HTTP::payload]]
    if { $location > 0 } {
      HTTP::payload replace $location 0 {loc=F5_WrapURL(loc);}
    }
  }
  HTTP::release
}

Fix:
Microsoft WebService HTML component no longer stops working after rewriting.

501892-1 : Selenium is not detected by headless mechanism when using client version without server

Component: Advanced Firewall Manager

Symptoms:
DoSL7 Proactive Bot Defense (Block requests from suspicious browsers) detects selenium when the selenium server is running and a listener has opened on one of specific ports.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
If a bot is running selenium client package only it is not being blocked by DoSL7 Proactive Bot Defense mechanism.

Workaround:
N/A

Fix:
Selenium detection mechanism has improved and if a bot uses FF or Chrome selenium driver it is detected by PBD's javascript code via checking existence of required chrome plugins and FF webdriver.

500452-8 : PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware

Solution Article: K28520025

Component: TMOS

Symptoms:
PB4300 blade tries to disaggregate the ESP traffic based on the IPsec ESP Security Parameter Index (SPI) value in hardware. But the blade used doesn’t have that capability, which causes ESP traffic being sent to one HSB and results in throughput degradation.

Conditions:
When PB4300 receives ESP traffic.

Impact:
Throughput degradation.

Workaround:
None.

Fix:
The PB4300 blade now uses IP addresses to disaggregate ESP traffic in hardware, so throughput is no longer impacted.

495443-10 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.

495242-3 : mcpd log messages: Failed to unpublish LOIPC object

Component: Local Traffic Manager

Symptoms:
The system posts the following message in the mcpd log: Failed to unpublish LOIPC object.

Conditions:
This is an intermittent issue that occurs on standby systems in High Availability configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either it has already been removed or it was not created.

Impact:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory). This is a benign error that can be safely ignored.

Workaround:
None.

487144-2 : tmm intermittently reports that it cannot find FIPS key

Component: Global Traffic Manager (DNS)

Symptoms:
You may see the following critical error message in /var/log/ltm: "FIPS acceleration device failure: cannot locate key"

Conditions:
There is FIPS card in the BIG-IP and the key is retrieved. It is not known the exact conditions that cause this, but it seems to be related to GTM being enabled.

Impact:
SSL can not locate the key from the FIPS card, and SSL will not function properly.

Workaround:
None known, but restarting tmm or rebooting might correct the condition.

Fix:
There is now additional information in the error message that can help resolve the issue.

484542-1 : QinQ tag-mode can be set on unsupported platforms

Component: Local Traffic Manager

Symptoms:
tmsh does not validate QinQ tag-mode and allows invalid values to be set.

Conditions:
This occurs when trying to set QinQ tag-mode to values other than 'none' on unsupported platforms. Only platforms with ePVA support QinQ tagging.

Impact:
Although you can set !in! tag-mode, the configuration has no effect. There is no negative impact on system functionality.

Workaround:
Only configure QinQ tag-mode on the following platforms: BIG-IP 5050s/5250v/7050s/7250v/10050s/10250v and VIPRION B2150 SSD-based models.

Fix:
QinQ tag-mode is now properly validated when configuring a VLAN via tmsh.

483953-1 : Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.

Component: Local Traffic Manager

Symptoms:
ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size if the path MTU is lower than that value.

Conditions:
Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message with a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value will be set to the TM.MinPathMTU value even though this still isn't able to traverse the path.

This can affect multiple endpoints when a low MTU is advertised by an endpoint (misconfigured or malicious) behind a shared NAT address.

Impact:
TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU.

This metric will live for 10 minutes by default.

Workaround:
This issue has no workaround at this time.
The route metric lifetime can be lowered using route.metrics.timeout db key.

Fix:
Path MTUs lower than the value of TM.MinPathMTU will no longer be cached by TMM.

480983-4 : tmrouted daemon may core due to daemon_heartbeat

Component: TMOS

Symptoms:
In rare instances, tmrouted for dynamic routing may core with a message similar to the following: warning sod[8953]: 01140029:4: HA daemon_heartbeat tmrouted fails action is restart.

Conditions:
This is a rarely occurring issue that occurs due to timing-related interactions in dynamic routing operations.

Impact:
tmrouted cores and restarts.

Workaround:
None.

Fix:
tmrouted now operates normally under these conditions.

478986 : Powered down DC PSU is treated as not-present

Component: TMOS

Symptoms:
When power is removed from the PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'.

Conditions:
This occurs when an installed DC powered PSU loses power, and the user runs the command 'tmsh show sys hardware'.

Impact:
Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so the system marks the PSU 'not present'. Once power is restored, all information is available.

Workaround:
Plug the power cable into the PSU. The system can now detect the power supply status and read the PSU info.

472860-5 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Component: Policy Enforcement Manager

Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Conditions:
Session created via iRule running on the RADIUS virtual server.

Impact:
RADIUS session statistics are not incremented.

Workaround:
None.

Fix:
The session statistics for sessions created by RADIUS is now incremented whenever the user runs an iRule on the RADIUS virtual server, that creates a new session.

472571-7 : Memory leak with multiple client SSL profiles.

Component: Local Traffic Manager

Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.

Conditions:
Multiple client SSL profiles are attached to a virtual server.

Impact:
Memory will leak a small amount of memory.

Workaround:
None.

Fix:
Multiple client SSL profiles attached to a virtual server no longer causes memory to be leaked.

471860-10 : Disabling interface keeps DISABLED state even after enabling

Solution Article: K16209

Component: TMOS

Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.

Conditions:
This occurs when using both tmsh and the GUI.

Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.

Workaround:
You can reboot correct the indicator.

Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.

471237-2 : BIG-IP VE instances do not work with an encrypted disk in AWS.

Solution Article: K12155235

Component: TMOS

Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS as encryption-decryption introduces some data corruption in the disk that causes failure in some of the TMOS daemons at run-time.

Conditions:
Deploy a BIG-IP VE guests in AWS with an encrypted disk.

Impact:
TMM cores at startup, and does not start.

Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.

Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.

471029-2 : If the configuration contains a filename with the $ character, then saving the UCS fails.

Component: TMOS

Symptoms:
If the configuration contains a filename or username with the $ character, then saving the UCS fails. Examples of filenames include cm cert cache-path and cm key cache-path.

tmsh save sys ucs <ucs-id> fails for such configuration.

The error displayed appears similar to the following.:
Fatal: executing: md5sum /var/tmp/filestore_temp/files_d/Common_d/certificate_d/:Common:?><.crt_53783_1
Operation aborted.
/var/tmp/configsync.spec: Error creating package.

Conditions:
Filenames or username in configuration contain $ character. For example, cm cert cache-path or cm key cache-path.

Impact:
Saving UCS fails.

Workaround:
Do not use the $ character as part of the filenames or usernames in the configuration.

467709-1 : FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN

Component: Local Traffic Manager

Symptoms:
FQDN nodes and pool members show a status of Green (Available) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response.

Conditions:
This occurs when the DNS server returns an NXDOMAIN response for the configured FQDN name.

Impact:
FQDN nodes and pool members may appear to be Available when no ephemeral nodes/pool members have been created.

Workaround:
None.

Fix:
FQDN nodes and pool members show a status of Yellow (Unavailable) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

466068-1 : Allow setting of the AAA Radius server timeout value larger than 60 seconds

Component: Access Policy Manager

Symptoms:
Sometimes 60 sec timeout for AAA Radius server is not enough especially when users need to provide input. Following error message will be displayed when user tries to set timeout value greater than 60 :

"01090676:3: The requested timeout value (120) out of range for aaa radius server (/Common/test-radius-server). (1-60)"

Conditions:
This only occurs whenever following conditions are met:
- APM is licensed and provisioned
- AAA Radius server is configured
- Radius Auth agent is included in the access policy

Impact:
Users can not set timeout value to more than 60 sec for AAA Radius server. If response time is more than 60 sec from AAA Radius server, users may not login and access resources if two factor auth is configured.

Workaround:
There is no workaround.

Fix:
Increased the AAA Radius Server timeout range from 0-60 to 0-180.

464801-3 : Intermittent tmm core

Component: Local Traffic Manager

Symptoms:
tmm intermittently cores. Stack trace signature indicates "packet is locked by a driver"

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an intermittent tmm core

463097-3 : Clock advanced messages with large amount of data maintained in DNS Express zones

Solution Article: K09247330

Component: Local Traffic Manager

Symptoms:
Clock advanced messages with a large amount of data maintained in DNS Express (DNSX) zones, the TMM can suffer from clock advances when performing the DB reload.

Conditions:
Large enough zones into DNSX (several hundred thousand to several million records depending on hardware).

Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.

Workaround:
Prevent all updates to DNSX zones.

Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones has been significantly improved. DNSX DB now reside in /shared to resolve DB size issues.

462043-2 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Component: Local Traffic Manager

Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner'; a packets inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.

Conditions:
On 5000 and C2400 platforms.

Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.

Workaround:
None.

Fix:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', the packets are now handled as expected.

460833-5 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This symptom may occur under the following conditions:

1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.

Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.

459671-4 : iRules source different procs from different partitions and executes the incorrect proc.

Component: Local Traffic Manager

Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.

Conditions:
Multiple iRule procs defined in multiple admin partitions.

Impact:
iRules "proc" lookup algorithm is not deterministic, or Virtual Servers are improperly caching and sharing the lookup results.

Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.

456376-4 : BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32

Solution Article: K53153545

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. When trying to add '::ffff:0.0.0.0/96' to an address list or directly to a rule the system posts an error: Error parsing IP address: ::ffff:0.0.0.0/96.

Conditions:
-- IPv4-mapped-IPv6 notation in the configuration.
-- Adding prefix length greater than 32.

Impact:
Cannot successfully specify an IPv4-mapped-IPv6 block to be configured in AFM firewall rule (and possibly other AFM configurations as well).

Workaround:
To drop the IPv4-mapped-IPv6 block, enable the following DoS db variable: dos.dropv4mapped.

Fix:
You can now use tmsh for IPv4-mapped-IPv6 notation with prefix length greater than 32.

455975-1 : Separate MIBS needed for tracking Access Sessions and Connectivity Sessions

Component: Access Policy Manager

Symptoms:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.

Conditions:
Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns.

Impact:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.

Workaround:
This issue has no workaround at this time.

Fix:
Access Sessions and Connectivity Sessions are now exposed correctly in SNMP MIBS.

452283-2 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows

Component: Local Traffic Manager

Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.

Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.

Impact:
A connection remains that never expires; its idle time periodically resets to 0.

Workaround:
There is no workaround at this time.

Fix:
Fixed MP_FASTCLOSE handling.

448409-1 : 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle

Solution Article: K15491

Component: TMOS

Symptoms:
The commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect.

Conditions:
This affects the ConfigSync communication channel if configured.

Impact:
The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted.

Workaround:
You can avoid this issue by using the 'load sys config from-terminal verify' and 'load sys config file <filename> verify' commands 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the following command: tmsh load sys config partitions all.

Fix:
Previously, the commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' did some operations related to sync and provisioning, though they are supposed to check only the validity of the configuration (without changing it). This has been resolved.

447565-5 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Solution Article: K33692321

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca.

442231-4 : Pendsect log entries have an unexpected severity

Component: TMOS

Symptoms:
Pendsect logs non-errors with a 'warning' severity.

Conditions:
This occurs when pendsect is executed.

Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.

Workaround:
None needed. This is cosmetic.

Fix:
Adjusted severity level of various logs generated by pendsect script, so that informational messages are not logged as warnings.

441079-2 : BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved

Solution Article: K55242686

Component: Local Traffic Manager

Symptoms:
The BIG-IP system is modifying the source port on NAT connections.

Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.

Impact:
This impacts any applications where the source port is expected to be preserved.

Workaround:
None.

Fix:
The source port is always preserved for NAT connections.

Behavior Change:
The source port is always preserved for NAT connections.

440620-2 : New connections may be reset when a client reuses the same port as it used for a recently closed connection

Component: Local Traffic Manager

Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.

Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.

Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.

Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.

Fix:
Improved abort handling to better clean up hanging connections.

434821-1 : Remote logging of staged signatures and staged sets

Component: Application Security Manager

Symptoms:
There is no option to see matched staged signature in the remote logging

Conditions:
A user has remote logger configured. There is no configuration option to see the stage signatures.

Impact:
A user without local logger can't make good decisions about the staged signatures

Workaround:
Add a local logger

Fix:
Added staged signatures ids, names and sets to the remote logger .

434573-6 : Tmsh 'show sys hardware' displays Platform ID instead of platform name

Solution Article: K25051022

Component: TMOS

Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.

For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:

Platform
Name D113

instead of the official platform marketing name, such as:

Platform
Name BIG-IP 10000F

Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.

Impact:
Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID.

Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.

Fix:
update Hot Fix Rollups to display Platform name.

433678-2 : A monitor removed from GTM link cannot be deleted: 'monitor is in use'

Solution Article: K32401561

Component: Global Traffic Manager (DNS)

Symptoms:
A monitor removed from GTM link cannot be deleted. Attempting to delete the monitor results in an error message similar to the following: 01070083:3: Monitor /Common/custom_gtm_mon is in use.

Conditions:
Deleting a custom monitor that was formerly used by a GTM link.

1. Create a custom GTM monitor that can be used on a link.
2. Create a GTM link, and add the custom monitor to it.
3. Remove the monitor from the link.
4. Attempt to delete the monitor.

Impact:
Unable to delete monitor.

Workaround:
Reload the GTM config and delete the monitor.

Fix:
This release enables deletion of a monitor removed from GTM link, and no monitor-in-use error message is returned.

433357 : Management NIC speed reported as 'none'

Component: TMOS

Symptoms:
Sometimes,after mcpd get restarted, mcpd didn't get management port nic speed information from chmand, "tmsh show net interface" could shows the speed of mgmt interface as "none".

Conditions:
Management interface is up and then restart mcpd.

Impact:
"tmsh show net interface" commands can't show correct management speed.

Workaround:
Use "bigstart restart chmand" to restart chmand.

Fix:
Fixed.

431840-3 : Cannot add vlans to whitelist if they contain a hyphen

Component: Advanced Firewall Manager

Symptoms:
When attempting to add a vlan to the DoS protection whitelist and the vlan contains a hyphen, the following validation error is returned:

01071792:3: Vlan should be numeric form as vlan number / mask

Conditions:
Adding a vlan containing a hyphen to the whitelist

Impact:
Unable to add vlans that contain a hyphen

Workaround:
Instead of using the vlan by name, just specify the vlan tag #. Ignore the drop down menu offering the vlan names.

424542-5 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments

Component: TMOS

Symptoms:
tmsh modify net interface commands with either invalid interface names, or invalid attribute names will appear to create new interfaces.
An invalid interface will show up in "show net interfaces"

Conditions:
Only happens on clustered or virtual environments, not on appliances.

Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.

Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"

423629-3 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted

Solution Article: K08454006

Component: Local Traffic Manager

Symptoms:
bigd restarts once, and afterwards, subsequent pings from the monitor fails.

Conditions:
This can occur when assigning an ICMP monitor to a pool member, and specifying a route domain that does not exist.

Impact:
For bigd, a single restart is actually harmless. The invalid config will cause monitor failures, since the route domain no longer exists, the pool member will be marked down.

Workaround:
None.

Fix:
bigd no longer cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted.

423392-6 : tcl_platform is no longer in the static:: namespace

Component: Local Traffic Manager

Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.

Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.

Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.

Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.

421797-3 : ePVA continues to accelerate IP Forwarding VS traffic even in Standby

Component: TMOS

Symptoms:
When the active BIG-IP unit in a redundant configuration becomes the standby unit after a failover event, the traffic sent to the virtual servers with hardware acceleration enabled will continue to be accelerated by the ePVA hardware on the original active unit (current standby unit). These offloaded flows will eventually be evicted after the failover switch period (16 second by default) though, and it does not affect the new active unit (original standby unit) to offload the flows to hardware for acceleration. As a result, accelerated traffic can still be observed on the standby unit.

Conditions:
When a failover event happens in a redundant configuration with virtual servers that have hardware acceleration enabled.

Impact:
No performance impact or traffic interruption. You might observe unexpected traffic on standby unit.

Workaround:
None. This is a cosmetic issue.

Fix:
The standby unit now evicts the accelerated flows from the ePVA hardware after the failover event. This is correct behavior.

419741-3 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms

Component: Local Traffic Manager

Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.

Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.

Impact:
In rare situations, the TMM crashes.

Workaround:
None. This occurs rarely, and the system recovers automatically. Although this workaround has not be verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.

418349-2 : Update/overwrite of FIPS keys error

Component: TMOS

Symptoms:
After deleting and re-creating a FIPS key, sync to other devices fails and /var/log/ltm gives the following error:

crit tmm[10817]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 78 status: 0x40000116 : ERR_HSM_ERROR

Note that this error is logged on any FIPS-related error, it might be this issue if you were attempting to replace FIPS keys with an identical name on devices in a device group.

Conditions:
This can occur on FIPS-enabled devices in a device group when a FIPS key is deleted and an identically-named FIPS key is added.

Impact:
Sync of the FIPS key fails.

Workaround:
If you are encountering this, you can do the following workaround.

Impact of workaround: this should have no negative impact to the system since your objective is to replace the FIPS keys.

- Detach all keys/certs from all SSL Profiles and delete all keys via script on the standby System
- Run “tmsh show sys crypto fips” and verify all keys have been deleted
- Run a configsync with override and verify the sync has been carried out successfully.

418009 : Hardware data display inaccuracies

Component: TMOS

Symptoms:
Sensor location fields show truncated. The Part Number and the PCA titles appear to be not right for some platforms because of the specific nature of the titles.

Conditions:
When displaying the hardware details you could see the problems in the sensor data and in the Hardware Version Information. This appears when running the command tmsh show sys hardware

Impact:
Missing sensor location data, and inaccuracy when naming the titles of the hardware characteristics.

Fix:
Fixed the truncation problem for the sensor location increasing the size of the data used for retrieving it; and used Part Number and PCA to have generic titles that apply to all platforms.

412817-3 : BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.

Component: TMOS

Symptoms:
The BIG-IP system is unreachable for IPv6 traffic via PCI pass-through interfaces, because current ixgbevf drivers do not support multicast receive.

Conditions:
When configured to see IPv6 traffic on a PCI pass-through interface, the BIG-IP guest is not able to see this traffic.

Impact:
PCI pass-through interfaces are unable to see IPv6 traffic.

Workaround:
None.

Fix:
BIG-IP system is now reachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.

401815-1 : BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic

Component: Service Provider

Symptoms:
The BIG-IP system resets the egress IP ToS to zero (0). As a result of this issue, you may encounter the following symptoms:

-- A packet capture on the affected traffic shows the DSCP value in the DS field is set to zero for SIP packets egressing from the BIG-IP system.
-- Traffic priority failure for SIP traffic egressing from the BIG-IP system, which may also cause voice quality degradation.

Conditions:
This issue occurs when all of the following conditions are met:

-- A virtual server is configured with both a SIP and UDP profile.
-- The IP ToS setting in the UDP profile is set to Pass Through.

The IP ToS setting controls the Differentiated Services Code Point (DSCP) values of the Differentiated Services (DS) field in the IP header. This information is used in Quality of Service (QoS) configurations to give specific traffic priority on the network. By resetting the DSCP values to zero, the SIP traffic egressing from the BIG-IP system does not receive the expected priority while traversing through the network.

Impact:
SIP traffic egressing the BIG-IP system does not receive the expected priority. This issue may cause voice quality degradation.

Workaround:
To work around this issue, you can use the following iRule to preserve the DSCP values when passing through the BIG-IP system:

when CLIENT_ACCEPTED {
set client_tos [IP::tos]
}
when SERVER_CONNECTED {
IP::tos $client_tos
}

Fix:
The BIG-IP system now propagates the ToS bit from ingress flow to the egress flow.

400778 : Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete

Component: TMOS

Symptoms:
On a VIPRION system during failover in which the blade transitioning from secondary to primary, log messages make it appear that chmand is looking to delete logical disks on CF1 and HD1.

Conditions:
This occurs on VIPRION systems.

Impact:
The ltm log displays messages: -- err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete'. -- err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'.

Workaround:
None. These messages are benign and you can safely ignore them.

400550 : LCD listener error during shutdown

Component: TMOS

Symptoms:
During shutdown you see this error message: 012a0004:4: LCD listener write to LCDd exception: Psuedo Terminal: File I/O Error [Bad file descriptor] at PseudoTermDev.cpp:93

Conditions:
This can occur when shutting down a blade on a VIPRION 4400 platform.

Impact:
This occurs on shutdown and is cosmetic, and can be ignored.

393270-1 : Configuration utility may become non-responsive or fail to load.

Component: TMOS

Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.

Impact:
Unable to log into the GUI or GUI shows blank page

Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.

Fix:
Configuration utility now responds as expected when deleting local users (Access Policy :: Local User DB : Manage Users), or under other conditions in which an internal timeout results in GUI non-responsiveness because of an incomplete transaction close.

392121-3 : TMSH Command to retrieve the memory consumption of the bd process

Component: Application Security Manager

Symptoms:
There is no tmsh commands to retrieve the memory consumption of the bd process.

Conditions:
tmsh commands don't show bd process memory usage.

Impact:
Difficult to diagnose memory consumption issues.

Workaround:
Review messages individually in /var/log/ts/bd.log.

### For ASM bd current memory consumption use the following grep command

cat /ts/log/bd.log | grep "UMU: total"
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0

### For XML memory consumption in bd process do the following on a big-ip.

*WARNING*: The following steps enable debug prints to the bd.log it may cause to an excessive io, handle with care on production boxes.

1. add the following 3 lines the /etc/ts/bd/logger.cfg

MODULE=BD_XML;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;

2. Run a CLI tool.
/usr/share/ts/bin/set_active.pl --update_logger_cfg

To stop the debug prints, remove the 3 mentioned lines from the logger.cfg file and run the CLI tool again.

Fix:
The following command now reports memory consumption of the bd process:
tmctl asm_memory_util_stats

For specific fields -s option can be used, for example:
tmctl asm_memory_util_stats -s total_xml_mem_used,total_xml_max_mem

389484-6 : OAM reporting Access Server down with JDK version 1.6.0_27 or later

Component: Access Policy Manager

Symptoms:
Cannot connect to Access Server.

When running eamtest tool to check the functionality between OAM and the access server are working correctly, the following error is seen:

Preparing to connect to Access Server. Please wait.

Access Server you specified is currently down. Please check your Access Server.oamconfig[2368]: Could not configure OAM

Conditions:
The problem occurs only when OAM server is installed with JDK version 1.6.0_27 or later.

Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.

Workaround:
Install older version of JDK than v1.6.0_27.

Fix:
Applied OAM ASDK patch given by Oracle, so OAM no longer reports Access Server down with JDK version 1.6.0_27 or later.

386517-1 : Multidomain SSO requires a default pool be configured

Component: Access Policy Manager

Symptoms:
When configuring multidomain SSO, a pool must be assigned to the virtual, even if one is not being used. A typical symptom of not assigning the pool is that after logon, the user will be redirected back to another logon page.

Conditions:
Any use case of multidomain SSO where there is no pool configured on the virtual servers, and there is not a webtop assigned.

Impact:
There are two known use cases where this is commonly encountered. 1) LTM + Secure Connectivity virtuals do not usually have a default pool configured.
2) The pool is being configured through an iRule

Workaround:
When configuring multidomain SSO, always assign a default pool to the virtual server.

Fix:
Some of the logic in ACCESS was updated to add consideration of dynamic pool assignments (eg. iRules) in addition to the default pool. Default pool is no longer needed for multidomain SSO.

371164-1 : BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.

Component: Local Traffic Manager

Symptoms:
Since traffic groups are not bound to any specific VLAN, so Neighbor Discovery (ND) for link-local addresses go out on all VLANs. This occurs because traffic groups are not bound to any particular VLAN or interface. Since MAC is bound to the traffic group, it is not bounded to particular VLAN either.

Conditions:
Using MAC masquerade addresses on VLANs. TMM creates new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs.

For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.

Configuration
===========
net self 10.10.10.10%1 {
    address 10.10.10.10%1/23
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan Internal
}.

Impact:
Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, there are some switches that might not correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4.

Workaround:
Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN.

370131-4 : Loading UCS with low GTM Autoconf Delay drops pool Members from config

Component: Global Traffic Manager (DNS)

Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.

Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.

Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.

Workaround:
bigstart stop gtmd during UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.

Fix:
Loading UCS with low GTM Autoconf Delay now completes correctly.

367226-4 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of RIP packets send by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
Multiple TMM instances, RIP routing configured.

Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.

Fix:
TMM no longer modifies the source port of RIP traffic.

366695-1 : Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Component: Global Traffic Manager (DNS)

Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.

Conditions:
Someone of "Manager" roll attempts to create/modify/delete a GTM datacenter, link, server, prober-pools, or topology objects.

Impact:
Error message thrown

Workaround:
Error thrown is correct, but user's shouldn't be able to even get this far in tmsh.

Fix:
Removed Manager's ability to create/modify/delete GTM data centers, links, servers, prober-pools, and topology objects. This was already prevented through validation code, but now TMSH users only have access to view these objects.

355806-7 : Starting mcpd manually at the command line interferes with running mcpd

Component: TMOS

Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.

Conditions:
Having a running mcpd and executing mcpd at the command line.

Impact:
Various issues on the system, such as some utilities may no longer interact with mcpd, etc.

Workaround:
Don't try to use the mcpd directly.

Fix:
You are now told the PID of the current mcpd and the executed command will exit abnormally.

353229-2 : Buffer overflows in DIAMETER

Solution Article: K54130510

352957-4 : Route lookup after change in route table on established flow ignores pool members

Solution Article: K03005026

Component: Local Traffic Manager

Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.

Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.

Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.

Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.

Fix:
The nexthop for established flows, set using "nexthop vlan addr" in an iRule for CLIENT_ACCEPTED state, does not change when there are changes in the route table. This is correct behavior.

251162-3 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name

Component: Local Traffic Manager

Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.

For example:

tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)

Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.

Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.

Workaround:
None.

248914-4 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address

Component: Local Traffic Manager

Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.

Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.

Impact:
This may cause destination lookup failures on the layer 2 network.

Workaround:
Use transparent mode instead of translucent mode on the vlangroup.

Fix:
ARP and NDP replies sent from the BIG-IP to a vlangroup use the vlangroup MAC address as the layer 2 source address.

246726-1 : System continues to process virtual server traffic after disabling virtual address

Solution Article: K8940

Component: Local Traffic Manager

Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.

Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.

Impact:
Traffic is still processed.

Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940

Fix:
When disabling a VIP in LTM the VIP no longer passes traffic. This is correct behavior.

Behavior Change:
When disabling a VIP in LTM the VIP no longer passes traffic.

238444-3 : An L4 ACL has no effect when a layered virtual server is used.

Solution Article: K14219

Component: Access Policy Manager

Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:

-- Unexpected network traffic may be allowed to pass.
-- Expected network traffic may be blocked.

Conditions:
This issue occurs when the following conditions are met:

-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
-- When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.

Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.

Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.

Fix:
With this fix, an admin needs to perform below tasks:

1. Create an iRule similar to the following:

when CLIENT_ACCEPTED {
ACL::eval
}

2. Attach this iRule to admin-defined layered virtual servers.

225634-1 : The rate class feature does not honor the Burst Size setting.

Solution Article: K12947

Component: Local Traffic Manager

Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).

The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.

Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.

Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.

Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:

Impact of workaround: None.

Log in to the Configuration utility.
Click Network.
Click Rate Shaping.
Click the appropriate rate class.
Change the Burst Size to 0.
Click Update.

222034-4 : HTTP::respond in LB_FAILED with large header/body might result in truncated response

Component: Local Traffic Manager

Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.

Conditions:
This issue occurs when all of the following conditions are met: -- HTTP::respond is used in the LB_FAILED event to return a large response. -- No other TCP data has been sent to the client.

Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.

Workaround:
To work around this issue modify the iRule. For example, instead of directly using HTTP::Respond inside of an LB_FAILED event, perform a 302 Redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.

Known Issues in BIG-IP v12.1.x

TMOS Issues

ID Number	Severity	Solution Article(s)	Description
694897-4	1-Blocking		Unsupported Copper SFP can trigger a crash on i4x00 platforms.
652223-1	1-Blocking	K50325308	BWC: Non-TCP data going through Category can make policy active
603093	1-Blocking		AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system
726487-1	2-Critical		VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied
723722-3	2-Critical		MCPD crashes if several thousand files are created between config syncs.
716391-3	2-Critical	K76031538	High priority for MySQL on 2 core vCMP may lead to control plane process starvation
711683-4	2-Critical		bcm56xxd crash with empty trunk in QinQ VLAN
710277-2	2-Critical		IKEv2 further child_sa validity checks
708968-4	2-Critical		OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
703669-3	2-Critical		Eventd restarts on NULL pointer access
700386-1	2-Critical		mcpd may dump core on startup
697424	2-Critical		iControl-REST crashes on /example for firewall address-lists
693996-3	2-Critical	K42285625	MCPD sync errors and restart after multiple modifications to file object in chassis
693246-1	2-Critical		SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time.
691589	2-Critical		When using LDAP client auth, tamd may become stuck
690793-2	2-Critical	K25263287	TMM may crash and dump core due to improper connflow tracking
689437-2	2-Critical	K49554067	icrd_child cores due to infinite recursion caused by incorrect group name handling
688148-1	2-Critical		IKEv1 racoon daemon SEGV during phase-two SA list iteration
685458-5	2-Critical		merged fails merging a table when a table row has incomplete keys defined.
667114-1	2-Critical	K32622880	TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
644135	2-Critical	K53342451	12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics
613542-2	2-Critical	K81463390	tmm core while running the iRule STATS:: command
613476-2	2-Critical		IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion
594366-1	2-Critical	K21271097	Occasional crash of icrd_child when BIG-IP restarts
727297-4	3-Major		GUI TACACS+ remote server list should accept hostname
725791-3	3-Major		Potential HW/HSB issue detected
725427	3-Major		OPT-0036-01 does not report DDM tx power alarms or tx power warnings
724706	3-Major		iControl REST statistics request causes CPU spike
723794	3-Major		PTI (Meltdown) mitigation should be disabled on AMD-based platforms
723579-3	3-Major		OSPF routes missing
722682-1	3-Major		Fix of ID 615222 results in upgrade issue for GTM pool member with colon -- config failed to load★
722380-3	3-Major		The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721020-4	3-Major		Changes to the master key are reverted after full sync
720819-1	3-Major		Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720713-3	3-Major		TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail
720651-3	3-Major		Running Guest Changed to Provisioned Never Stops
720461-3	3-Major		qkview prompts for password on chassis
720269-3	3-Major		TACACS audit logging may append garbage characters to the end of log strings
718800-3	3-Major		Cannot set a password to the current value of its encrypted password
718201	3-Major		No alert for failed RAID disk
716166-3	3-Major		Dynamic routing not added when conflicting self IPs exist
715061-1	3-Major		vCMP: tmm core in guest when stopping vCMP guest from host
714986-1	3-Major		Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714903-1	3-Major		Errors in chmand
714654-3	3-Major		Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
714626-1	3-Major	K30491022	When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
713708-3	3-Major		Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
712266-2	3-Major		Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
712033-1	3-Major		When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
711879	3-Major		Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.
711249-2	3-Major		NAS-IP-Address added to RADIUS packet unexpectedly
711158-1	3-Major	K25280801	Admin user roles automatically demoted to guest
710841	3-Major		12.1.3.3 feature refinement might be lost after upgrade★
710039	3-Major		Merging config may not report syslog configuration errors
709559-3	3-Major		LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
709544-4	3-Major		VCMP guests in HA configuration become Active/Active during upgrade★
708803	3-Major		Remote admin user with misconfigured partition fallback to "All"
707740-3	3-Major		Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination
707391-4	3-Major		BGP may keep announcing routes after disabling route health injection
707320-1	3-Major		Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
705037-3	3-Major	K32332000	System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704449-4	3-Major		Orphaned tmsh processes might eventually lead to an out-of-memory condition
704247-3	3-Major		BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
702310-2	3-Major		The ':l' and ':h' options are not available on the tmm interface in tcpdump
701722-2	3-Major		Potential mcpd memory leak for signed iRules
701387-4	3-Major		qkview will not collect files greater than 2 GB
701341-2	3-Major	K52941103	If /config/BigDB.dat is empty, mcpd continuously restarts
700897-3	3-Major		sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
700827-2	3-Major		B2250 blades may lose efficiency when source ports form an arithmetic sequence.
700757-2	3-Major		vcmpd may crash when it is exiting
700426-2	3-Major	K58033284	Switching partitions while viewing objects in GUI can result in empty list
700250-1	3-Major	K59327012	qkviews for secondary blade appear to be corrupt
698933-3	3-Major		Setting metric-type via ospf redistribute command may not work correctly
698844	3-Major		LCD splash screen may display incorrect platform name on iSeries appliance
698619-1	3-Major		Disable port bridging on HSB ports for non-vCMP systems
698599	3-Major		Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems.
698597	3-Major	K10300436	BIG-IP fails to go active after cryptographic hardware has recovered from a failure
698594	3-Major	K53752362	Cave Creek Crypto hardware reports a false positive of a stuck queue state
698462	3-Major		TCP timestamp rewrite mode not working on the client side of ePVA offloaded connections
698429-3	3-Major		Misleading log error message: Store Read invalid store addr 0x3800, len 10
698038	3-Major	K05730807	TACACS+ system auth file descriptor leaks when servers are unreachable
698013-4	3-Major	K27216452	TACACS+ system auth and file descriptors leak
696731-1	3-Major	K94062594	The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
695090	3-Major		In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled
693884-3	3-Major		ospfd core on secondary blade during network unstability
693563-3	3-Major	K22942093	No warning when LDAP is configured with SSL but with a client certificate with no matching key★
692753-3	3-Major		shutting down trap not sent when shutdown -r or shutdown -h issued from shell
692239-1	3-Major	K31554905	AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
692189-3	3-Major		errdefsd fails to generate a core file on request.
691749-3	3-Major		Delete sys connection operations cannot be part of TMSH transactions
690890-3	3-Major		Running sod manually can cause issues/failover
689779	3-Major		VE HyperV packet drops under load due to interrupt distribution
689567-3	3-Major		Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
689002-1	3-Major		Stackoverflow when JSON is deeply nested
688406-3	3-Major	K14513346	HA-Group Score showing 0
687617-3	3-Major		DHCP request-options when set to "none" are reset to defaults when loading the config.
687172	3-Major		Pools do not appear as expected after deploying iApp via iWorkflow
686816-3	3-Major		Link from iApps Components page to Policy Rules invalid
686626-2	3-Major		The BIG-IP system may connect to an OCSP server using an unexpected source IP address
686124-3	3-Major		IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
684096-1	3-Major		stats self-link might include the oid twice
681782-4	3-Major	K30665653	Unicast IP address can be configured in a failover multicast configuration
679605-1	3-Major		Device groups with no members will cause upgrade to fail
679027	3-Major		Rare memory corruption in tmrouted while license is being reset
678380-3	3-Major		Deleting an IKEv1 peer in current use could SEGV on race conditions.
676442-2	3-Major	K37113440	Changes to RADIUS remote authentication may not fully sync
675298-1	3-Major		F5 MIB value types changed to become RFC compliant
674997	3-Major		It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system.
674957-1	3-Major		If a certificate is stored in DER format, exporting it using the GUI corrupts the output.
674328-3	3-Major		Multicast UDP from BIG-IP may have incorrect checksums
673974-1	3-Major	K63225596	agetty auto detects parity on console port incorrectly
673952	3-Major		1NIC VE in HA device-group shows 'Changes Pending' after reboot
673640	3-Major		Log messages for virtual server status changes are not immediately logged.
673241	3-Major		Platform AC power supply faults when subjected to temperature above 50C (122F) at low input voltage.
671712	3-Major		The values returned for the ltmUserStatProfileStat table are incorrect.
671553-2	3-Major		iCall scripts may make statistics request before the system is ready
671447-2	3-Major		ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
671372-2	3-Major	K01930721	When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
671261-2	3-Major	K32306231	MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo
671236-2	3-Major	K27343382	BGP local-as command may not work when applied to peer-group
671178	3-Major	K20274760	Date/time change after configuring HA may impair configuration sync
670528-1	3-Major	K20251354	Warnings during vCMP host upgrade.
669241-1	3-Major		Cannot create stateless virtual servers with ip-protocol set to 'gre'.
667476	3-Major		Upgrade and config load can fail if a data group record of type string contains a tab character
667257-2	3-Major		CPU Usage Reaches 100% After Traffic Flowed Into CGNAT
667082-2	3-Major	K21090061	Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.
666884-2	3-Major	K27056204	cpcfg cannot copy a configuration on a chassis platform★
666117-4	3-Major		Network failover without a management address causes active-active after unit1 reboot
663924-2	3-Major		Qkview archives includes Kerberos keytab files
658850	3-Major		Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
658036-2	3-Major	K04651090	Honoring negotiated MSS for TCP segmentation
657912-1	3-Major		PIM can be configured to use a floating self IP address
657834-2	3-Major	K45005512	Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
657727-2	3-Major	K39694060	Running tcpdump from TMSH cannot capture the local "tmm" interface
653928	3-Major		On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed with Conflicting configuration error.★
653888-2	3-Major		BGP advertisement-interval attribute ignored in peer group configuration
652877-3	3-Major		Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
652671-4	3-Major	K31326690	Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
651136-2	3-Major	K36893451	ReqLog profile on FTP virtual server with default profile can result in service disruption.
648873-3	3-Major	K93513131	Traffic-group failover-objects cannot be retrieved via iControl REST
648621-1	3-Major		SCTP: Multihome connections may not expire
648316-3	3-Major	K10776106	Flows using DEFLATE decompresion can generate error message during flow tear-down.
647834-4	3-Major		Failover DB variables do not correctly implement 'reset-to-default'
647151-1	3-Major		CPU overtemp condition threshold is 75C
645206-4	3-Major	K23105004	Missing cipher suites in outgoing LDAP TLS ClientHello★
644979-2	3-Major		Errors not logged from hourly 1k key generation cron job
643799-1	3-Major		Deleting a partition may cause a sync validation error
643459-3	3-Major	K81809012	Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
642923-2	3-Major	K01951295	MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
642422-2	3-Major		BFD may not remove dependant static routes when peer sends BFD Admin-Down
641582-1	3-Major		Rarely, an HSB transmitter failure occurs
641543-1	3-Major		bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.
641450	3-Major	K30053855	A transaction that deletes and recreates a virtual may result in an invalid configuration
641001	3-Major		BWC: dynamic policy category sees lower bandwidth than expected in Congested policies
640054-1	3-Major		Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled
639774-5	3-Major	K30598276	mysqld.err rollover log files are not collected by qkview
639575-5	3-Major	K63042400	Using libtar with files larger than 2 GB will create an unusable tarball
638091-4	3-Major		Config sync after changing named pool members can cause mcpd on secondary blades to restart
638089-1	3-Major		LACP and CMP state simultaneous fail on A112 and A113 platform
637979-1	3-Major		IPsec over isession not working
637279	3-Major		Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.
633824-2	3-Major	K39319200	Cannot add pool members containing a colon in the node name
633172	3-Major	K12473201	External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command
632825-5	3-Major		bcm56xxd crash following 'silent' port-mirror configuration failure
631046	3-Major		Unable to generate a FIPS key using the GUI
629834-4	3-Major		istatsd high CPU utilization with large number of entries
628402-4	3-Major	K79213220	Operator users receive 'can't get object count from mcpd' error in response to certain commands
627760-3	3-Major		gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
626589-6	3-Major	K73230273	iControl-SOAP prints beyond log buffer
624626-3	3-Major		Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
623488-4	3-Major		Custom adaptive reaper settings may be lost at upgrade time★
623371-1	3-Major		After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
623367-1	3-Major	K57879554	When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.
623265-4	3-Major	K15645547	UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★
620969-3	3-Major		iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
620954-3	3-Major		Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
620311-1	3-Major		GUI Failover Unicast Address information incorrect
619419	3-Major		Workaround for Software Installation Failures in TMUI★
618982-1	3-Major		IPSEC + chassis behavior for case secondary blades on-off switch.
618319-5	3-Major	K58255321	HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked
617643-1	3-Major		iControl.ForceSessions enabled results in GUI error on certain pages
614493-1	3-Major		BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
613509-1	3-Major	K49101035	2000/4000 platforms reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
612083	3-Major		Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.
610449-2	3-Major		restarting mcpd on guest makes block-device-images disappear
609200-2	3-Major		Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★
609186-5	3-Major		TMM or MCP might core while getting connections via iControl.
606330-4	3-Major		The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
606032-2	3-Major		Network Failover-based HA in AWS may fail
605891-1	3-Major		Enable ASM option disappears from L7 policy actions
605840-5	3-Major		HSB receive failure lockup due to unreceived loopback packets
605800-3	3-Major		Web GUI submits changes to multiple pool members as separate transactions
603772-1	3-Major		Floating tunnels with names more than 15 characters may cause issues during config-sync.
602566-5	3-Major		sod daemon may crash during start-up
602193-4	3-Major		iControl REST call to get certificate fails if
601414-5	3-Major		Combined use of session and table irule commands can result in intermittent session lookup failures
600944-1	3-Major		tmsh does not reset route domain to 0 after cd /Common and loading bash
600732-2	3-Major		IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description
599543-3	3-Major		Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
598650-1	3-Major		apache-ssl-cert objects do not support certificate bundles
598289-4	3-Major		TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
597818-2	3-Major		Unable to configure IPsec NAT-T to "force"
597564-3	3-Major		'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
596826-5	3-Major		Don't set the mirroring address to a floating self IP address
596815-1	3-Major		System DNS nameserver and search order configuration does not always sync to peers
596020-3	3-Major		Devices in a device-group may report out-of-sync after one of the devices is rebooted
595868-1	3-Major		HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.
595617-1	3-Major	K40420553	Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.
595317-4	3-Major		Forwarding address for Type 7 in ospfv3 is not updated in the database
593845-3	3-Major	K24093205	VE interface limit
593361-1	3-Major		The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.
591305	3-Major		Audit log messages with "user unknown" appear on install
589856-2	3-Major		iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients
588646-1	3-Major		Use of Standard access list remarks in imish may causes later entries to fail on add
588028-1	3-Major		Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up
587821-5	3-Major	K91818030	vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
584041	3-Major		forward slash '/' is used in the description field, admin user will be demoted to guest.
580602-1	3-Major		Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
580499-2	3-Major	K34082034	Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.
579035-5	3-Major	K46145454	Config sync error when a key with passphrase is converted into FIPS.
575919-3	3-Major		Running concurrent TMSH instances can result in error in access to history file
575372	3-Major		BIG-IQ Discovery may fail due to an invalid passphrase.
575368-5	3-Major		Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
571333-8	3-Major	K36155089	fastL4 TCP handshake timeout not honored for offloaded flows
569968	3-Major		snmpd core during startup
569331-3	3-Major		Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP
569281-6	3-Major	K33242855	L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot
567490-2	3-Major		db.proxy.__iter__ value is overwritten if it's manually set
563905-2	3-Major	K62975642	vCMP guest fails to go Active after the host system is rebooted
544568-5	3-Major		Flows for a FastL4 profile that are forwarded may now be accelerated.
535122-8	3-Major		[tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects
528295-7	3-Major	K40735404	Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
524193-5	3-Major		Multiple Source addresses are not allowed on a TMSH SNMP community
524123-1	3-Major		iRule ISTATS::remove does not work
523797-2	3-Major		Upgrade: file path failure for process name attribute in snmp.★
516167-2	3-Major	K21382264	TMSH listing with wildcards prevents the child object from being displayed
509497-1	3-Major		VCMP guests on a specific host may be restarted when that host system experiences large date/time changes
499348-5	3-Major		System statistics may fail to update, or report negative deltas due to delayed stats merging
489499-3	3-Major		chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
469366-3	3-Major	K16237	ConfigSync might fail with modified system-supplied profiles
464650-4	3-Major		Failure of mcpd with invalid authentication context.
455066-2	3-Major		Read-only account can save system config
438574-1	3-Major		Web UI: iSession Profile properties page displays incorrect parent profile name.
375434-6	3-Major		HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
247527-2	3-Major	K14890	Mgmt interface cannot be disabled via tmsh
224665-2	3-Major	K12711	Proxy Exclusion List setting is not aware of administrative partitions
723988-3	4-Minor		IKEv1 phase2 key length can be changed during SA negotiation
723111	4-Minor		mailx is blocked by SELinux Policy
719241	4-Minor		Using custom DNS servers on the Azure VNet with the missing 168.63.129.16 causes Waagent provisioning failure.
713947-3	4-Minor		stpd repeatedly logs "hal sendMessage failed"
713183	4-Minor		Malformed JSON files may be present on vCMP host
713138	4-Minor		TMUI ILX Editor inserts an unnecessary linefeed
713134-3	4-Minor		Small tmctl memory leak when viewing stats for snapshot files
710410-1	4-Minor		TMM hardware accelerated compression not registering for all compression levels.
708415	4-Minor		Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
706106-1	4-Minor		PUT request sent to ltm/virtual failed because of ip-protocol property value any
703509-1	4-Minor		Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
702615-1	4-Minor		During reboot to another volume, the GUI login page becomes prematurely available★
698991	4-Minor	K64258832	CPU utilization on i850 is not a reliable indicator of system capacity
697766-3	4-Minor	K12431303	Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
697605	4-Minor		tmrouted connection closed messages logged on shutdown
696363	4-Minor		Unable to create SNMP trap in the GUI
692172-2	4-Minor		rewrite profile causes "No available pool member" failures when connection limit reached
692165-2	4-Minor		A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
691491-3	4-Minor	K13841403	2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
690781	4-Minor		VIPRION systems with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests
689211-2	4-Minor		IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
689147-1	4-Minor		Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
687343-3	4-Minor		Running 'load sys config merge verify' will add new users to the PostGres database
685582-5	4-Minor		Incorrect output of b64 unit key hash by command f5mku -f
685233-2	4-Minor	K13125441	tmctl -d blade command does not work in an SNMP custom MIB
683029-2	4-Minor		Sync of virtual address and self IP traffic groups only happens in one direction
678254-2	4-Minor		Error logged when restarting Tomcat
678117-1	4-Minor		'Can't create a home directory' logged for remote users on secondary blades after configsync
675368-2	4-Minor		Unable to reorder rules when one of the rule names contain % or /
674145-3	4-Minor		chmand error log message missing data
673573	4-Minor		tmsh logs boost assertion when running child process and reaches idle-timeout
671044-3	4-Minor	K78612407	FIPS certificate creation can cause failover to standby system
671025	4-Minor		File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured
670691	4-Minor	K02331705	Unable to list ntlm profile in different root folder or partition
668964-2	4-Minor	K81873940	'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group
663911-2	4-Minor		When running out of memory, MCP can report an incorrect allocation size
662372-1	4-Minor	K41250179	Uploading a new device certificate file via the GUI might not update the device certificate
660760-1	4-Minor	K75105750	DNS graphs fail to display in the GUI
659888-1	4-Minor		Profiles with names that contain percentage signs cannot be accessed in TMUI
658943	4-Minor		Errors when platform-migrate loading UCS using trunks on vCMP guest
655484-1	4-Minor	K69912019	GUI LTM Pool Statistics Page running out of memory with large number of Pools
650019-2	4-Minor		The commented-out sample functions in audit_forwarder.tcl are incorrect
647812-3	4-Minor		/tmp/wccp.log file grows unbounded
640863-2	4-Minor	K29231946	Disabling partition selector in DNS Resolver's Forward Zones
640489	4-Minor	K53571714	iSeries LCD alerts screen returns to splash screen intermittently
638960-2	4-Minor		A subset of the BIG-IP default profiles can be incorrectly deleted
638893-1	4-Minor		Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command
636823-3	4-Minor		Node name and node address
636164	4-Minor		Remote IP not working in IE 8
636163	4-Minor		Certificate Key Chain not working in IE 8
636031-4	4-Minor	K23313837	GUI LTM Monitor Configuration String adding CR for type Oracle
634014	4-Minor		Absolute timers may fire one second early during the leap second event
633495	4-Minor		Cannot switch between partitions in Local Traffic :: Policies
630795-1	4-Minor		No guestagentd entry in merged.conf
626279-1	4-Minor		After reboot LCD reports "unit going standby" even if it has gone active.
625428-1	4-Minor		SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
624909-2	4-Minor		Static route create validation is less stringent than static route delete validation
623536-2	4-Minor		SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
623313	4-Minor		After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.★
619706-1	4-Minor		tmsh appears to allow password change for internal lcd admin user
618889-1	4-Minor		Clicking the policies list tab does not refresh the policies list on click.
611054-1	4-Minor		Network failover "enable" setting is sometimes ignored on chassis systems
608348-4	4-Minor		Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system
606799-1	4-Minor	K16703796	GUI total number of records not correctly initialized with search string on several pages.
591732-2	4-Minor		Local password policy not enforced when auth source is set to a remote type.
590415-1	4-Minor		Partition can be removed when remote role info entries refer to it
589862-6	4-Minor		HA Grioup percent-up display value is truncated, not rounded
587804-1	4-Minor		Symmetric Unit Key decrypt failure on base load
586348-1	4-Minor		Network Map Pool Member Parent Node Name display and Pool Member hyperlink
584788-1	4-Minor		Directed failover of HA pair using only hardwire failover will fail
584504-2	4-Minor	K36912228	Allowing non-English characters on login screen
583777-5	4-Minor	K33230520	[TMSH] sys crypto cert missing tab completion function
583084-5	4-Minor	K15101680	iControl produces 404 error while creating records successfully
582595-2	4-Minor	K52029952	default-node-monitor is reset to none for HA configuration.
582127-1	4-Minor	K55138704	VE OVA logrotate max-file-size too big for /var/log partition size
581865-2	4-Minor	K11053914	6900, 8900, 8950, or 11050 platforms missing swap storage★
571727-1	4-Minor	K52707821	'force-full-load-push' is not tab expandable
571017-1	4-Minor		Extra log messages seen on optics removal.
565755	4-Minor		Dashboard does not work when custom port is used for management port.
520877-1	4-Minor		Alerts sent by the lcdwarn utility are not shown in tmsh
514703-1	4-Minor		gtm listener cannot be listed across partitions
501258-2	4-Minor		Unable to modify 'gtm region region-members' via iControl REST
479471-1	4-Minor	K00342205	CPU statistics reported by the tmstat command may spike or go negative
479262-4	4-Minor		'readPowerSupplyRegister error' in LTM log
476544-2	4-Minor		mcpd core during sync
436116-1	4-Minor	K43726131	The tcpdump utility may fail to capture packets
713519-3	5-Cosmetic		Enabling MCP Audit logging does not produce log entry for audit logging change
679431-3	5-Cosmetic		In routing module the 'sh ipv6 interface <interface> brief' command may not show header
676395-1	5-Cosmetic		Syslog messages seen with error code while viewing ssl certificate detail with debug turned on.
653273	5-Cosmetic		"Unexpected Error" showing traffic-selector default-traffic-selector
633568	5-Cosmetic		Pool statistics page doesn't show all pool members in IE8 with compatibility view
617578-2	5-Cosmetic		Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware
617161-1	5-Cosmetic		Cosmetic: duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers.
603092-5	5-Cosmetic		"displayservicenames" does not apply to show ltm pool members
602390-2	5-Cosmetic	K87506901	Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
590399-1	5-Cosmetic	K11304001	Unnecessary logging during startup: 'Unable to connect to MCPD' and Errdefsd is starting'.
571634-1	5-Cosmetic		tmstat CPU values can be incorrect
570013	5-Cosmetic		TCP Analytics Profile section in virtual server UI has erroneous caption
542347-2	5-Cosmetic		Denied message in audit log on first time boot
396273-2	5-Cosmetic		Error message in dmesg and kern.log: vpd r/w failed

Local Traffic Manager Issues

ID Number	Severity	Solution Article(s)	Description
726239-3	2-Critical		TMM panic via SIGABRT from sod
724868-2	2-Critical		dynconfd memory usage increases over time
721571-3	2-Critical		State Mirroring between BIG-IP 12.1.3.* and 13.* systems may cause TMM core on standby system during upgrade★
716900-1	2-Critical		TMM core when using MPTCP
716213-3	2-Critical		BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
706505-1	2-Critical		iRule table lookup command may crash tmm when used in FLOW_INIT
697259-1	2-Critical	K14023450	Different versioned vCMP guests on the same chassis may crash.
694656-3	2-Critical	K05186205	Routing changes may cause TMM to restart
683454	2-Critical	K99294671	HTTP::header command may crash TMM on an erroneous argument
673095	2-Critical		Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'
670893-1	2-Critical		Sensitive monitor parameters recorded in monitor logs
666401-2	2-Critical		Memory might become corrupted when a Standby device transitions to Active during failover
663178-1	2-Critical		tmm may crash sometimes usng VPN
662296-1	2-Critical		Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address
659709-1	2-Critical	K80024155	Memory leak under rare conditions
652523	2-Critical		TMM may restart while processing timers
641869-1	2-Critical	K62744980	Assertion "vmem_hashlist_remove not found" failed.
639764-2	2-Critical		Crash when searching external data-groups with records that do not have values
635191-1	2-Critical		Under rare circumstances TMM may crash
634369-2	2-Critical		Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes
618463-2	2-Critical		artificial low route mtu can cause SIGSEV core from monitor traffic
618106-1	2-Critical	K74714343	bigd core due to memory leak, especially with FQDN nodes
615303-2	2-Critical	K47381511	bigd crash with Tcl monitors
615097-1	2-Critical		Incorrect use of HTTP::collect leads to TMM core.
606035-1	2-Critical		csyncd crash
603690-2	2-Critical	K82210057	CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.
586862-2	2-Critical	K30859144	Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.
513310-1	2-Critical		TMM might core when a profile is changed.
726734-2	3-Major		DAGv2 port lookup stringent may fail
726327-1	3-Major		NodeJS debugger accepts connections from any host
726232-1	3-Major		iRule drop/discard may crash tmm
725592	3-Major		Outgoing RIP advertisements may have incorrect source port
723306-5	3-Major		Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
723112	3-Major		LTM policies does not work if a condition has more than 127 matches
722707	3-Major		mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
722363-1	3-Major		Client fails to connect to server when using PVA offload at Established
720799-3	3-Major		Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
720440	3-Major		Radius monitor marks pool members down after 6 seconds
720293-1	3-Major		HTTP2 IPv4 to IPv6 fails
720219-1	3-Major	K13109068	HSL::log command can fail to pick new pool member if last picked member is 'checking'
718867-3	3-Major		tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★
717896	3-Major		Monitor instances deleted in peer unit after sync
717888-2	3-Major		TMM may leak memory when a virtual server uses the MQTT profile.
717346-4	3-Major	K13040347	[WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
716716-3	3-Major		Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
716492-1	3-Major	K59332523	Rateshaper stalls when TSO packet length exceeds max ceiling.
715756-3	3-Major		Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
715750-3	3-Major		The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
715467-3	3-Major		Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
714559-1	3-Major		Removal of HTTP hash persistence cookie when a pool member goes down.
714503-3	3-Major		When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
714495-3	3-Major		When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
714384-5	3-Major		DHCP traffic may not be forwarded when BWC is configured
713585-1	3-Major	K31544054	When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
713388-3	3-Major		SSL handshake fails for OCSP + TLS false start + SSL hardware acceleration
712664-4	3-Major		IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
712489-3	3-Major		TMM crashes with message 'bad transition'
711981-3	3-Major		BIG-IP system accepts larger-than-egress MTU, PMTU update
710996-1	3-Major		VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
710564-3	3-Major		DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
710355-1	3-Major		High CPU when using HTTP::collect for large chunked payloads
710028-4	3-Major		LTM SQL monitors may stop monitoring if multiple monitors querying same database
709963-4	3-Major		Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
709837-3	3-Major		Cookie persistence profile may be configured with invalid parameter combination.
707691-2	3-Major		BIG-IP handles some pathmtu messages incorrectly
706102-3	3-Major		SMTP monitor does not handle all multi-line banner use cases
705112-1	3-Major		DHCP server flows are not re-established after expiration
704764-2	3-Major		SASP monitor marks members down with non-default route domains
704450-2	3-Major		bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
702450-4	3-Major		The validation error message generated by deleting certain object types referenced by a policy action is incorrect
702439-3	3-Major	K04964898	Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
701690-3	3-Major	K53819652	Fragmented ICMP forwarded with incorrect icmp checksum
701678-1	3-Major		Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
701033-1	3-Major		Tcl actions not run if conditions have overlapping IP ranges
700639	3-Major		The default value for the syncookie threshold is not set to the correct value
698211-3	3-Major	K35504512	DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
695925-3	3-Major		tmm crash when showing connections for a CMP disabled virtual server
695707-3	3-Major		BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
695109-3	3-Major	K15047377	Changes to fallback persistence profiles attached to a Virtual server are not effective
694697-3	3-Major	K62065305	clusterd logs heartbeat check messages at log level info
693910-2	3-Major		Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693582-3	3-Major		Monitor node log not rotated for icmp monitor types
693308-3	3-Major		SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
691992	3-Major		MSTP: CIST bridge priority changes after adjusting the MSTI priority.
691785-3	3-Major		The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
691224-1	3-Major	K59327001	Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled
690778-3	3-Major	K53531153	Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
690316	3-Major		Software syncookies are sent for FastL4 virtual server with software syncookies disabled
689361-3	3-Major		Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
688629-3	3-Major		Deleting data-group in use by iRule does not trigger validation error
688570-3	3-Major		BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
687807-3	3-Major		The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception
687044-2	3-Major		tcp-half-open monitors might mark a node up in error
686563-3	3-Major		WMI monitor on invalid node never transitions to DOWN
686547-3	3-Major		WMI monitor sends logging data for credentials when no credentials specified
686101-3	3-Major	K73346501	Creating a pool with a new node always assigns the partition of the pool to that node.
685519-3	3-Major		Mirrored connections ignore the handshake timeout
683706-1	3-Major		Pool member status remains 'checking' when manually forced down at creation
683061-2	3-Major		Rapid creation/update/deletion of the same external datagroup may cause core
681673-2	3-Major		tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
680264	3-Major	K18653445	HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
679613-2	3-Major	K23531420	i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
678450-3	3-Major		No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.
678066	3-Major		LTM Policy Tcl-enabled values require 'tcl:' prefix★
677841-1	3-Major		Server SSL TLS session reuse with changed SNI uses incorrect session ID
677666-3	3-Major	K60909141	/var/tmstat/blades/scripts segment grows in size.
677442	3-Major		Bulk crypto processing for SSL traffic may crash the traffic deaemon in rare cases.
676643	3-Major		FTP passive monitor uses IP address from PASV (not monitor destination)
674459	3-Major		Users are not expected to change security.commoncriteria DB variable through TMSH
672312-2	3-Major		IP ToS may not be forwarded to serverside with syncookie activated
672240	3-Major	K50091255	iRuleLX (v1) plugins may cause TMM to core if originating flow is terminated before plugin work is complete
671725-1	3-Major	K19920320	Connection leak on standby unit
670520-3	3-Major		FastL4 not sending keepalive at proper interval when other side gets response
670258-2	3-Major		Multicast pings not forwarded by TMM
666889-1	3-Major	K25769531	Deleting virtual server may cause tmm to segfault
666595-2	3-Major		Monitor node log fd leak by bigd instances not actively monitoring node
666127-1	3-Major		Flows are incorrectly processed on a standby system.
664000	3-Major		TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing
662816-2	3-Major	K61902543	Monitor node log fd leak for certain monitor types
660807	3-Major		Clientside command with parking command crashes TMM
660119-1	3-Major	K36005385	Monitor configured with timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.
655767-3	3-Major		MCPD does not prevent deleting an iRule that contains in-use procedures
655724-3	3-Major	K15695	MSRDP persistence does not work across route domains.
654981-2	3-Major		Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action
653930-2	3-Major	K69713140	Monitor with description containing backslash may fail to load.
653228-2	3-Major	K34312110	SNAT does not work properly on FTP VIP2VIP
653137-1	3-Major		Virtual flaps when FQDN node and pool configured with autopopulate
652370-1	3-Major		The persist cookie insert iRule command may leak memory
651889-2	3-Major		persist record may be inconsistent after a virtual hit rate limit
649897	3-Major		Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown.
646440	3-Major	K52140275	TMSH allows mirror for persistence even when no mirroring configuration exists
645635-2	3-Major		Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
643860-4	3-Major		Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
643041-4	3-Major	K64451315	Less than optimal interaction between OneConnect and proxy MSS
642786-3	3-Major	K01833444	TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.
640395-1	3-Major		When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
637613-3	3-Major	K24133500	Cluster blade being disabled immediately returns to enabled/green
635173-1	3-Major		Standby BIG-IP TMM uses unexpectedly large amount of memory
633464-2	3-Major		Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
633110-2	3-Major	K09293022	Literal tab character in monitor send/receive string causes config load failure, unknown property
632968-2	3-Major	K46042053	supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
632604-1	3-Major		SSL::sessionid iRule command returns incorrect result
632553-2	3-Major	K14947100	DHCP: OFFER packets from server are intermittently dropped
630257-1	3-Major		Monitor send/receive strings cannot end with trailing single-backslash★
628696-1	3-Major		Under rare circumstances, all blades in cluster claim not primary during start up
625166-1	3-Major		Suspended iRules cannot complete on aborted flows
624917	3-Major		First few handshakes fail after chassis/appliance reboot when using HSM
624044-1	3-Major	K42806722	LTM Monitor custom recv/send/recv-disable parameters have backslash at the end may fail to load★
623084-2	3-Major		mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★
622870	3-Major		When using a Thales key, SSL handshake failed after restarting pkcs11d
620556-1	3-Major		Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
620053-1	3-Major		Gratuitous ARPs may be transmitted by active unit going offline
618131-1	3-Major		Latency for Thales key population to the secondary slot after reboot
618104-1	3-Major		Connection Using TCP::collect iRule May Not Close
614410-3	3-Major		Unexpected handling of TCP timestamps in HA configuration
613618-1	3-Major		The TMM crashes in the websso plugin.
613483-2	3-Major	K18133264	Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.
611652-3	3-Major		iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.
611482-4	3-Major		Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .
610682-2	3-Major		LTM Policy action to reset connection only works for requests
607410-1	3-Major	K81239824	In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible
607166-1	3-Major		Hidden directories and files are not synchronized to secondary blades
605175-1	3-Major		Backslashes in monitor send and receive strings
605147-1	3-Major		No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.
601189-2	3-Major		The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
600385-1	3-Major	K43295141	BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout
599567	3-Major		APM assumes snat automap, does not use snat pool
598707-4	3-Major		Path MTU does not work in self-IP flows
598204-3	3-Major	K54284420	In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
597899-1	3-Major	K86025623	Disabling all pool members may not be reflected in Virtual Server status
597253-1	3-Major		HTTP::respond tcl command may incorrectly identify parameters as ifiles
596278	3-Major		ILX workspace created by iApp made from template not deleted when iApp deleted
595921-1	3-Major		VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
594751-3	3-Major	K90535529	LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
590156-3	3-Major		Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
588720-1	3-Major		Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
586660-1	3-Major		HTTP/2 and RAM Cache are not compatible.
586621-7	3-Major	K36008344	SQL monitors 'count' config value does not work as expected.
585248-1	3-Major		Resetting crypto client statistics can crash TMM and disrupt traffic handling.
584948-5	3-Major		Safenet HSM integration failing after it completes.
584414	3-Major		Deleting persistence-records via tmsh may result in persistence being created to different nodes
582331-1	3-Major		Maximum connections is not accurate when TMM load is uneven
582234-6	3-Major		When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
582207-7	3-Major		MSS may exceed MTU when using HW syncookies
579252-3	3-Major		Traffic can be directed to a less specific virtual during virtual modification
578971-3	3-Major		When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
575642-1	3-Major		rst_cause of "Internal error"
572234-2	3-Major		When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
572142-2	3-Major		Config sync peer may fail to monitor newly added pool member after it is added via sync
557322-1	3-Major		Sensitive monitor parameters recorded in bigd and monitor logs
542104-2	3-Major	K33458192	In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
537209-5	3-Major		Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
516280-4	3-Major		bigd process uses a large percentage of CPU
510395-5	3-Major	K17485	Disabling some events while in the event, then running some commands can cause tmm to core.
499404-7	3-Major	K15457342	FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
486735-5	3-Major		Maximum connections is not accurate when TMM load is uneven
433572-4	3-Major		DTLS does not work with rfcdtls cipher on the B2250 blade
431480-1	3-Major		Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
405898-2	3-Major		If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected
374067-7	3-Major	K14098	Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
369640-1	3-Major	K17195	Folder path objects in iRules can have only a single context per script
724746-2	4-Minor		Incorrect RST message after 'reject' command
722534-4	4-Minor		load sys config merge not supported for iRulesLX
716922-4	4-Minor		Reduction in PUSH flags when Nagle Enabled
699426-3	4-Minor		RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.
699076-3	4-Minor		URI::path iRules command warns end and start values equal
697626	4-Minor		iRules LX: Cannot modify workspace imported by "Import From Workspace"
693901-3	4-Minor		Active FTP data connection may change source port on client-side
689231	4-Minor		MSSQL filter assumes 64-bit token done row count field
688557-3	4-Minor	K50462482	Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
688542-1	4-Minor		SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request
684319-2	4-Minor		iRule execution logging
680680-2	4-Minor		The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
677270-2	4-Minor	K76116244	Trailing comments in iRules are removed from the config when entered/loaded in TMSH
675911	4-Minor	K13272442	Dashboard CPU history file may contain incorrect values
665777	4-Minor		TMM0 on the secondary blade sends out extra ARP replies
662905	4-Minor		Rate class configured at very low rate (under packet size per second) cannot pass traffic.
652577-2	4-Minor		Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address
651005-3	4-Minor		FTP data connection may use incorrect auto-lasthop settings.
646495-2	4-Minor		BIG-IP may send oversized TCP segments on traffic it originates
640704	4-Minor	K20418658	A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses★
636348-3	4-Minor		BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.
635871-1	4-Minor		tmsh validation of hash persistence timeout setting is incorrect
632901-1	4-Minor	K03112333	JET documentation incorrect for RESOLV::lookup
628016-2	4-Minor		MP_JOIN always fails if MPTCP never receives payload data
622876-1	4-Minor		Certificate serial number is not displayed properly in OCSP Stapling logs.
622148-5	4-Minor		flow generated icmp error message need to consider which side of the proxy they are
621843-1	4-Minor		the ipother proxy is sending icmp error messages to the wrong side
618884-1	4-Minor		Behavior when using VLAN-Group and STP
603380-6	4-Minor		Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
602708-2	4-Minor	K84837413	Traffic may not passthrough CoS by default
599048-1	4-Minor		BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
594547	4-Minor		LTM policy TCP address selector offers only "match any of" condition
594064-2	4-Minor	K57004151	tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
593396-5	4-Minor		Stateless virtual servers may not work correctly with route pools or ECMP routes
592620-1	4-Minor		iRule validation does not catch incorrect 'after' syntax
586138-1	4-Minor	K84112154	Inconsistent display of route-domain information in administrative partitions.
584772	4-Minor		ssldump may crash when decrypting bad records
571622-1	4-Minor		"Exceeding pool member limit" error with FQDN pool members and non-LTM license
564634-5	4-Minor		Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool
552988-2	4-Minor		Cannot enable MPTCP on some profiles in GUI.
539026-5	4-Minor		Stats refinements for reporting Unhandled Query Actions :: Drops
477992-3	4-Minor	K07450534	Instance-specific monitor logging fails for pool members created in iApps
474901-1	4-Minor		Profiles with a large number of regexps can cause excessive memory usage.
222409-6	4-Minor	K9952	The HTTP::path iRule command may return more information than expected
687579	5-Cosmetic		TMSH incorrectly allows settings snat-translation ip-idle-timeout to zero.
567330-1	5-Cosmetic		tmsh show sys memory on secondaries will generate innocuous error

Performance Issues

ID Number	Severity	Solution Article(s)	Description
632838-1	3-Major		Deterministic NAT performance may be degraded
616021-1	4-Minor	K93089152	Name Validation missing for some GTM objects

Global Traffic Manager (DNS) Issues

ID Number	Severity	Solution Article(s)	Description
722741-4	2-Critical		Damaged tmm dns db file causes zxfrd/tmm core
718885-1	2-Critical	K25348242	Under certain conditions, monitor probes may not be sent at the configured interval
685915-1	2-Critical		Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured
726255-3	3-Major		dns_path lingering in memory with last_access 0 causing high memory usage
723792-3	3-Major		GTM regex handling of some escape characters renders it invalid
723288-3	3-Major		DNS cache replication between TMMs doesn't always work for net dns-resolver
723095-1	3-Major		Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool
719644-1	3-Major		If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
716701-2	3-Major	K43005133	iControl REST: Unable to create Topology when STATE name contains space
715448-1	3-Major		Providing LB::status with a GTM Pool name in a variable caused validation issues
714507-4	3-Major		[tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
712500-2	3-Major		Unhandled Query Action Drops Stat does not increment after transparent cache miss
704198-1	3-Major		GTM equivalent of ID663502 - replace-all-with can leave orphaned monitor_rule, monitor_rule_instance and monitor_instance
704176-1	3-Major	K22540391	Monitor instances may not get deleted during configuration merge load
689583-3	3-Major		Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.
688335-3	3-Major	K00502202	big3d may restart in a loop on secondary blades of a chassis system
679316-1	3-Major		iQuery connections reset during SSL key renegotiation
659930-1	3-Major		Enterprise Manager may receive malformed data if there are multiple monitors on a pool
636790-3	3-Major		Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.
628180-1	3-Major		DNS Express may fail after upgrade★
517609-3	3-Major	K77005041	GTM Monitor Needs Special Escape Character Treatment
688266-3	4-Minor		big3d and big3d_install use different logics to determine which version of big3d is newer
674754-2	4-Minor		ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact
666258-2	4-Minor		GTM/DNS manual resume pool member not saved to config when disabled
665117-2	4-Minor	K33318158	DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
648806-1	4-Minor		Invalid "with the first highest ratio counter" logging for pool member ratio load balance
588229-1	5-Cosmetic		DNS protocol default profiles can be deleted after being modified.

Application Security Manager Issues

ID Number	Severity	Solution Article(s)	Description
734622	2-Critical		Policy change with newly enforced signatures causes sig collection failure in other policies
721741-2	2-Critical		BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
716788-3	2-Critical		TMM may crash while response modifications are being performed within DoSL7 filter
685230-1	2-Critical		memory leak on a specific server scenario
636669-3	2-Critical	K37300224	bd log are full of 'Can't run patterns' messages
612584-1	2-Critical	K34500121	Server side blocking/asm cookie setting may not work under some circumstances
721752-1	3-Major		Null char returned in REST for Suggestion with more than MAX_INT occurrences
721399-3	3-Major		Signature Set cannot be modified to Accuracy = 'All' after another value
718232-1	3-Major		Some FTP servers may cause false positive for ftp_security
713282-3	3-Major		Remote logger violation_details field does not appear when virtual server has more than one remote logger
711818-1	3-Major		Connection might get reset when coming to virtual server with offload iRule
701856-2	3-Major		Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
701039	3-Major		Requests do not appear in local logging due to rare file descriptor exhaustion
694934-3	3-Major		bd crashes on a very specific and rare scenario
689982-1	3-Major		FTP Protocol Security breaks FTP connection
685164-3	3-Major	K34646484	In partitions with default route domain != 0 request log is not showing requests
678322	3-Major		Missing Response Page for 'Login' is not populated upon upgrade
676223-2	3-Major		Internal parameter in order not to sign allowed cookies
674256-3	3-Major	K60745057	False positive cookie hijacking violation
670501-5	3-Major	K85074430	ASM policies are either not (fully) created or not (fully) deleted on the HA peer device
664714-1	3-Major		Client-side challenge is changing POST parameter value under some circumstances
660327-2	3-Major		Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
660326-2	3-Major		Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.★
657531-2	3-Major	K02310615	High memory usage when using the ICAP server
653017-2	3-Major		Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
650070-2	3-Major	K23041827	iRule that uses ASM violation details may cause the system to reset the request
648639-3	3-Major	K92201230	TS cookie name contains NULL or other raw byte
646800-2	3-Major		A part of the request is not sent to ICAP server in a specific case
644725-4	3-Major	K01914292	Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
636412-1	3-Major		ASM start process fail with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities
631715-1	3-Major		ASM::disable does not disable client side challenges
605649-3	3-Major	K28782793	The cbrd daemon runs at 100% CPU utilization
590851-4	3-Major		"never log" IPs are still reported to AVR
574113-2	3-Major		Block All - Session Tracking Status is not persisted across an auto-sync device group
569195-1	3-Major		A Set-Cookie for an existing ASM cookie without value change
564324-2	3-Major		ASM scripts can break applications
720588	4-Minor		Pages not loading correctly when AJAX response page is enabled
720581-3	4-Minor		Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
706930	4-Minor		"Enforce Ready" button has no effect for Signatures for Inactive Policy
702350	4-Minor		FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS
700989-2	4-Minor		Better detecting browser extentsions
699898-3	4-Minor		Wrong policy version time in policy created after synchronization between active and stand by machines.
698917	4-Minor		Unexpected additional policy is created while creating a policy from a template via REST
688833-2	4-Minor		Inconsistent XFF field in ASM log depending violation category
653895	4-Minor		Admin user cannot edit policy
640751-2	4-Minor		No PCRE Validation Performed For Regular Expression Parameters
627144	4-Minor		Two users cannot create policies at the same time.
623779-2	4-Minor		Adding a client side challenge whitelist URL wildcard list
618693-3	4-Minor		Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
583402-1	4-Minor		ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work
513887-8	4-Minor		The audit logs report that there is an unsuccessful attempt to install a mysql user on the system

Application Visibility and Reporting Issues

ID Number	Severity	Solution Article(s)	Description
713283-2	3-Major		Missing transaction count in = application security report under view by IP Intelligence
707204	3-Major		If the system has more than 264 analytics profiles, the upgrade fails.
703196-3	3-Major		Reports for AVR are missing data
702933	3-Major		Loading UCS with different provisioning can cause a single TMM crash
700035-3	3-Major		/var/log/avr/monpd.disk.provision not rotate
688813-1	3-Major	K23345645	Some ASM tables can massively grow in size.
685741	3-Major		DoS Overview is very slow to load data, to the point of timeout
683177-2	3-Major		Can't drilldown or filter by 'Client Countries'
665425-3	3-Major	K24182390	AVR Max metrics shows wrong values
654915-3	3-Major		Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address
652222-1	3-Major		Sending scheduled-reports will fail due to lack of backend support
649177-2	3-Major	K54018808	Testing for connection to SMTP Server always returns "OK"
636104-2	3-Major		If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
600634-2	3-Major		Schedule-reports can break the upgrade process★
588626	3-Major		Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).
493524	3-Major		ASM attack appear ongoing forever if restarting dosl7d during an attack
473755-1	3-Major		It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side

Access Policy Manager Issues

ID Number	Severity	Solution Article(s)	Description
707738-4	1-Blocking	K84747528	Network Access cannot be established on Windows 10 RS4
722013-3	2-Critical		MCPD restarts on all secondary blades post config-sync involving APM customization group
708005-3	2-Critical		Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
701944-2	2-Critical	K42284762	machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6
672221	2-Critical		TMM cores if the certificate configured to validate message signature does not exist.
668849-1	2-Critical		Upgrade failure for apm-log-setting objects★
660826-1	2-Critical		BIG-IQ Deployment fails with customization-templates
658103	2-Critical	K00652162	TMM core while adding logging action to APM SWG
633349-3	2-Critical	K86613330	localdbmgr hangs and eventually crashes
631286-1	2-Critical		URI cache entries should be replaced /expired for euie hash table
618637-1	2-Critical		Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error
614364-1	2-Critical		Linux client NA components cannot be installed neither using sudo password nor root password
582440-4	2-Critical		Linux client does not restore route to the default GW on Ubuntu 15.10
574318-3	2-Critical		Unable to resume session when switching to Protected Workspace
546489-1	2-Critical		VMware View USB redirection stops working after client reconnect
726895-1	3-Major		VPE cannot modify subroutine settings
722969-1	3-Major		Import with 'reuse' rewrites shared objects
710044-1	3-Major		Portal Access: same-origin AJAX request may fail in some case.
707953-1	3-Major		Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
703793-1	3-Major		tmm restarts when using ACCESS::perflow get' in certain events
695985-1	3-Major		Access HUD filter has URL length limit (4096 bytes)
687213-1	3-Major		When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
686206-1	3-Major		Machine Info agent does not collect complete information on disconnected network adapters
682751-5	3-Major		Kerberos keytab file content may be visible.
679735-1	3-Major		Multidomain SSO infinite redirects from session ID parameters
677646-1	3-Major	K62171231	System cannot boot up due to prior aborted installation★
676854-1	3-Major		CRL Authentication agent will hang waiting on unresponsive authentication server.
676300-7	3-Major	K04551025	EPSEC binaries may fail to upgrade in some cases★
672818-2	3-Major		When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
670456-3	3-Major		Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number
670367-2	3-Major	K39391280	On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.
667518	3-Major		SSO Configurations update is failing from UI
658278-3	3-Major		Network Access configuration with Layered-VS does not work with Edge Client
656784-2	3-Major	K98510679	Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM
640924-1	3-Major		On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
632958-2	3-Major		APM MIB gauges not reset on standby device
631626	3-Major		Unable to delete an access profile which contains a route domain agent
631048-1	3-Major		Portal Access [PeopleSoft] 'My Preferences' page does not have content
625165-2	3-Major		Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.
621158-1	3-Major		f5vpn does not close upon closing session
619667-1	3-Major	K34751151	Allow Local DNS Servers is not honored on Mac OS X
617629-1	3-Major		Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab
614072-1	3-Major		Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.
611485-1	3-Major		APM AAA RADIUS server address cannot be a multicast IPv6 address.★
605018-2	3-Major	K47516511	Citrix StoreFront integration mode with pass through authentication fails for browser access
600872-1	3-Major		Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.
582606-1	3-Major		IPv6 downloads stall when NA IPv4&IPv6 is used.
578989-5	3-Major		Maximum request body size is limited to 25 MB
572519-1	3-Major		More than one header name/value pair not accepted by ACCESS::respond
571503-1	3-Major		Windows Edge client cannot detect local LAN in some cases
565347-2	3-Major		Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
560601-1	3-Major		HTML5 File API and MediaSource URLs are blocked in Portal Access
559402-4	3-Major		Client initiated form based SSO fails when username and password not replaced correctly while posting the form
559082-2	3-Major		Tunnel details are not shown for MAC Edge client
554504	3-Major		Client OS version not logged in Browser/OS Reports for iOS client devices
552444-1	3-Major		Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
547692-3	3-Major		Firewall-blocked KPASSWD service does not cause domain join operation to fail
541622-2	3-Major		APD/APMD Crashes While Verifying CAPTCHA
535119-1	3-Major		APM log tables initial rotation in MySQL may be wrong
530092-2	3-Major		AD/LDAP groupmapping is overencoding group names with backslashes
527119-4	3-Major		Iframe document body could be null after iframe creation in rewritten document.
526519-1	3-Major		APM sessiondump command can produce binary data
525378	3-Major		iRule commands do not validate session scope
509596-1	3-Major	K44043455	iFrames with 'javascript:' scheme in SRC may not work
494135-1	3-Major	K43101043	HTML Event handlers may not work if 'eval' is redefined
482625-1	3-Major		Pages with utf-8 Content-Type and utf-16 META tag do not render
450136-3	3-Major		Occasionally customers see chunk boundaries as part of HTTP response
435419-4	3-Major	K10402225	Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
417819-2	3-Major	K69046914	APM - when Edge Clients, some JS contents are different causing warning
369407-3	3-Major		Access policy objects are created inconsistently depending on whether created using wizard or manually.
362511	3-Major	K52162658	HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs
721375	4-Minor		Export then import of config with RSA server in it might fail
712321	4-Minor		Missing reference to customization-group from connectivity profile if created via network access wizard
708176	4-Minor		SNMP OIDs (NA throughput) incorrect when compression is disable
686718	4-Minor		VPN tunnel adapter stays up in some cases
666497-2	4-Minor		Some of the Korean translations in Windows Edge Client were incorrect
627384-1	4-Minor		eamtest tool fails with Segmentation fault after initialization.
619099	4-Minor		'General Database Error' while changing the Admin UI authentication type
611327-1	4-Minor	K35559723	Using an established app tunnel may display a Java exception error message.
610436-3	4-Minor	K13222132	DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.
608453-1	4-Minor		Shrink/Expand imgs of Webtop Section is customizable
607684	4-Minor		tmsh provides option to delete all URLs from a custom category, which is not possible
604050	4-Minor		Failed to get master key (ERR_NOT_FOUND) in apm log on first boot
589367-2	4-Minor		Some Edge Client's German translations are incorrect
579652-1	4-Minor		Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
567503-1	4-Minor	K03293396	ACCESS::remove can result in confusing ERR_NOT_FOUND logs
563651-2	4-Minor		Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★
523158-1	4-Minor		In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails
496621-1	4-Minor		Portal Access incorectly rewrites expressions with JavaScript typeof operator

WebAccelerator Issues

ID Number	Severity	Solution Article(s)	Description
706642-3	2-Critical		wamd may leak memory during configuration changes and cluster events
701977-3	3-Major		Non-URL encoded links to CSS files are not stripped from the response during concatenation
621284-5	3-Major		Incorrect TMSH help text for the 'max-response' RAMCACHE attribute
686318	4-Minor		Inter TMM Caching Delay
674992-3	4-Minor		AAM traffic report's time period doesn't always apply
467589-4	4-Minor		Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.

Wan Optimization Manager Issues

ID Number	Severity	Solution Article(s)	Description
674367-1	3-Major	K20983428	SDD v3 symmetric deduplication may stop working indefinitely

Service Provider Issues

ID Number	Severity	Solution Article(s)	Description
689343-3	2-Critical		Diameter persistence entries with bi-directional flag created with 10 sec timeout
701680-1	3-Major		MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
698911	3-Major		Periodically SIP requests are not sent to the server
691048-3	3-Major	K34553736	Support DIAMETER Experimental-Result AVP response
669978-4	3-Major	K15204204	SIP monitor - Via header's branch parameter collision.
651886-1	3-Major		Certain FIX messages are dropped
647158-3	3-Major	K76581555	Internal virtual server inherits CMP hash mode from parent virtual server
642211-2	3-Major		Warning logged when GENERICMESSAGE::message drop iRule command used
612143-2	3-Major		Potential tmm core when two connections add the same persistence record simultaneously.
583101-2	3-Major		ADAPT::result bypass after continue causes bad state transition
600431-6	4-Minor		DIAMETER::avp data get "id" ip4\|ip6 errors on valid AVP

Advanced Firewall Manager Issues

ID Number	Severity	Solution Article(s)	Description
724532-1	2-Critical		SIG SEGV during IP intelligence category match in TMM
717909-2	2-Critical		tmm can abort on sPVA flush if the HSB flush does not succeed
713629-1	2-Critical		Applying firewall policy to self-ip can cause tmm crash
710755-2	2-Critical	K30572159	Crash when cached route information becomes stale and the system accesses the information from it.
697265	2-Critical		MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.
685820-1	2-Critical		Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
666221-2	2-Critical	K47152503	tmm may crash from DoSL7
632839	2-Critical		UDP Flood does not get detected if the vector limits are infinite
622204-1	2-Critical	K14141640	If a virtual server's name has a "." in it then a DoS profile cannot be attached to it
620844-1	2-Critical		DoS: tmm core after delete packet type from Device Sweep vector
726154-1	3-Major		TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
703165	3-Major		shared memory leakage
698806-2	3-Major		Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces
693515	3-Major		A '+' character in a log profile name causes import to fail
686376-1	3-Major		Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
677302	3-Major		Unable to save descriptions for firewall objects
663946-2	3-Major	K92111062	VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
651169-3	3-Major		The Dashboard does not show an alert when a power supply is unplugged
633454-1	3-Major		Older versions of Chrome get blocked when Proactive Bot Defense is enabled.
632723-1	3-Major	K05079458	tmm core with remote logging pool in non-zero route domain
627447	3-Major		Sync fails after firewall policy deletion
624314-1	3-Major		AVR reports incorrect 'actions' in ACL reports
613844	3-Major		iApp may fail to install if AFM is provisioned
612086-3	3-Major	K32857340	Virtual server CPU stats can be above 100%
592819-2	3-Major		Enabling of whitelists on a protected object requires disabling DoS protection support in hardware
592211-1	3-Major		Stress CPU on BIG-IP will also take into the packets dropped by hardware.
591505-1	3-Major		Policy may become unsyncable after changing contexts
581668	3-Major		DNS/SIP whitelisted packets not reported
714704	4-Minor		ICMP unreachable messages sent only from active to standby
701555-3	4-Minor		DNS Security Logs report Drop action for unhandled rejected DNS queries
632246-1	4-Minor		Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.
568458	5-Cosmetic		DoS vectors must be enabled in both DoS Profile and Device Configuration

Policy Enforcement Manager Issues

ID Number	Severity	Solution Article(s)	Description
726647-2	3-Major		PEM content insertion in a compressed response may truncate some data
640548-1	3-Major		In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.
624187-1	3-Major		Relocate TUC AVP to group AVP USU
564431-3	4-Minor		Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail

Carrier-Grade NAT Issues

ID Number	Severity	Solution Article(s)	Description
734446-3	2-Critical		TMM crash after changing LSN pool mode from PBA to NAPT
723658	2-Critical		TMM core when processing an unexpected remote session DB response.
669645-1	2-Critical	K44021449	tmm crashes after LSN pool member change
663531-1	2-Critical		TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel
722919	3-Major		Memory leak when using SP-DAG and a small LSN pool.
708830-1	3-Major		Inbound or hairpin connections may get stuck consuming memory.
721579-1	4-Minor		LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing
667295-1	4-Minor	K51601122	'RTSP::header exists' iRule command always returns True

Fraud Protection Services Issues

ID Number	Severity	Solution Article(s)	Description
716318-4	3-Major		Engine/Signatures automatic update check may fail to find/download the latest update
695401	3-Major		QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile
674297-1	3-Major		Custom headers are removed on cross-origin requests
652530	4-Minor		Parameter names are case sensitive in Internet Explorer 9 only

Anomaly Detection Services Issues

ID Number	Severity	Solution Article(s)	Description
617324-2	3-Major		Service health calculation creates unjustified CPU utilization
653573	4-Minor		ADMd not cleaning up child rsync processes

Traffic Classification Engine Issues

ID Number	Severity	Solution Article(s)	Description
726303	3-Major		Unlock 10 million custom db entry limit
649441-2	3-Major		Classification memory allocation
674795-1	4-Minor		tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.

Device Management Issues

ID Number	Severity	Solution Article(s)	Description
676107	3-Major		With admin account disabled, user cannot use token-based authentication
667661-4	3-Major	K69015104	Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'
627341-1	3-Major		TMUI loginProviderName is invalid when requesting a REST token
688177-2	4-Minor		Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade
619397	4-Minor	K04055706	LCD shows error screen on boot or after license expires

iApp Technology Issues

ID Number	Severity	Solution Article(s)	Description
666505-2	2-Critical		Gossip between VIPRION blades

Known Issue details for BIG-IP v12.1.x

734622 : Policy change with newly enforced signatures causes sig collection failure in other policies

Component: Application Security Manager

Symptoms:
An ASM policy change with newly enforced signatures causes a signature collection failure in all other policies.

Conditions:
An ASM policy is changed by adding newly enforced signatures.

Impact:
Signature collection failures are logged for all other policies.

Workaround:
Apply all other ASM policies on the device. Alternatively, a new user-defined signature which would be included in enforcement can be spuriously added and then immediately removed.

734446-3 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.

727297-4 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.

726895-1 : VPE cannot modify subroutine settings

Component: Access Policy Manager

Symptoms:
Open per-request policy in Visual Policy Editor (VPE) that has a subroutine. Click 'Subroutine Settings / Rename.

Numeric values like the inactivity timeout are displayed as 'NaN. Attempts to modify the values results in MCP validation errors.

Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.

Impact:
All fields say 'NaN', and error when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE

Workaround:
Use tmsh to modify these values, for example:

tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }

726734-2 : DAGv2 port lookup stringent may fail

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.

Conditions:
Active FTP with mirroring enabled.

Impact:
Connection cannot get established.

Workaround:
There is no workaround other than to disable mirroring.

726647-2 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.

726487-1 : VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied

Component: TMOS

Symptoms:
MCPD on secondary blade of VIPRION exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Conditions:
-- VIPRION platform.
-- Non-primary blade.
-- Modified default route domain for a partition.
-- Deleting and creating pool members during configuration save from a different client.

Impact:
Failovers and traffic degradation while blade restarts.

Workaround:
There is no workaround other than not to delete/create pool members from a different client while saving configuration changes in another client.

726327-1 : NodeJS debugger accepts connections from any host

Component: Local Traffic Manager

Symptoms:
The NodeJS debugger accepts connections from any host.

Note: Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. This issue exists in Node.js, not in BIG-IP software.

Conditions:
This occurs under either of the following conditions:
-- iRuleLX plugin configured.
-- Administrator starts node-inspector.

Impact:
NodeJS Debugger exposed to remote access.

Important: Enabling the NodeJS debugger should only be part of active troubleshooting; it is not a recommended configuration for a production system.

Workaround:
Specify an authorized host for remote access using the following command:
--debug=<host>:<port>

726303 : Unlock 10 million custom db entry limit

Component: Traffic Classification Engine

Symptoms:
Cannot add more than 10 million custom db entries.

Conditions:
This happens when you try to add more than 10 million custom db entries.

Impact:
Not able to add more than 10 million entries.

Workaround:
There is no workaround at this time.

726255-3 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
dns_path not released after exceeding the inactive path ttl.

Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.

726239-3 : TMM panic via SIGABRT from sod

Component: Local Traffic Manager

Symptoms:
TCP receives SIGABRT during TCP persist mode.

Conditions:
When TCP is in persist mode.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

726232-1 : iRule drop/discard may crash tmm

Component: Local Traffic Manager

Symptoms:
TMM crash after an iRule attempts to drop packet.

Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
drop
# discard - drop is the same as discard
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

726154-1 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies

Component: Advanced Firewall Manager

Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domains.

Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.

Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.

Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.

725791-3 : Potential HW/HSB issue detected

Component: TMOS

Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.

With a burst of CRC errors in the SRAM for ePVA transformation cache, it won't trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This is because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.

725592 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of Routing Information Protocol (RIP) packets send by ripd to something other than port 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
-- Multiple TMM instances.
-- RIP routing configured.
-- After reboot.

Impact:
Dynamic routing using RIP does not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.

Workaround:
Delete the sys connection for RIP; the new connection is expected to use the correct port.

725427 : OPT-0036-01 does not report DDM tx power alarms or tx power warnings

Component: TMOS

Symptoms:
The OPT-0036 optic does not report Tx alarms or warnings. The optic does report transmit power readings, but does not generate warnings or alarms if the transmit readings are outside the threshold ranges. OPT-0036-01 does not support SFF-8636.

Conditions:
-- Hardware using this optic:
    - vendor-oui 00176a
    - vendor-partnum OPT-0036
    - vendor-revision 01
-- DDM is enabled.

Impact:
OPT-0036-01 does not report DDM transmit alarms or warnings.

Workaround:
DDM Receive power alarms and warnings are correctly reported. You can view the transmit power readings and thresholds to manually determine if the power is outside the DDM transmit threshold values.

Note: When the OPT-0036 is disabled, the transmit laser is disabled and the transmit power is 0mW.

724868-2 : dynconfd memory usage increases over time

Component: Local Traffic Manager

Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.

Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.

Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.

724746-2 : Incorrect RST message after 'reject' command

Component: Local Traffic Manager

Symptoms:
BIG-IP sends RST containing "Internal error in tcpproxy invalid state for repick" instead of correct "iRule execution (reject command)".

Conditions:
Virtual Server with a HTTP profile, and an iRule using 'reject' command.

Impact:
Investigating RST causes may be confusing.

Workaround:
There is no workaround at this time.

724706 : iControl REST statistics request causes CPU spike

Component: TMOS

Symptoms:
BIG-IQ makes iControl REST requests to BIG-IP systems to get statistics. Regardless of the page size setting, the request causes the CPU to spike to 100% utilization.

Conditions:
An iControl REST API request from a BIG-IQ device for a few stats for an object on a BIG-IP system.

Note: A request for a single statistic usually does not cause a spike.

Impact:
Frequent requests by BIG-IQ for stats causes repeated spikes.

Workaround:
None.

724532-1 : SIG SEGV during IP intelligence category match in TMM

Component: Advanced Firewall Manager

Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.

Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

723988-3 : IKEv1 phase2 key length can be changed during SA negotiation

Component: TMOS

Symptoms:
Using IKEv1, if phase2 key length does not agree on both sides, a responder accepts whatever the initiator proposes as key length, but only after an initiator is authenticated. This results in key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.

Conditions:
The value of the ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm, but differ in key length. For example, if the initiator picks AES128 when the responder expects AES256.

Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.

Workaround:
No workaround is known at this time.

723794 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms

Component: TMOS

Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.

You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.

Conditions:
-- AMD-based platforms:
   + BIG-IP B4100 blades
   + BIG-IP B4200 blades
   + BIG-IP 6900 and NEBS appliances
   + BIG-IP 89x0 appliances
   + BIG-IP 6400 FIPS and NEBS platforms
   + BIG-IP 110x0 appliances

-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).

Impact:
System locks up and is rebooted by the watchdog timer.

Workaround:
Set the database variable kernel.pti to disable by running the following command:

tmsh modify sys db kernel.pti value disable

According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.

723792-3 : GTM regex handling of some escape characters renders it invalid

Component: Global Traffic Manager (DNS)

Symptoms:
The memory footprint of big3d increases.

Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d

Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.

Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}

723722-3 : MCPD crashes if several thousand files are created between config syncs.

Component: TMOS

Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.

Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.

Impact:
Traffic is disrupted while the MCPD process restarts.

Workaround:
Run a config sync operation after every ~5000 files created.

723658 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

723579-3 : OSPF routes missing

Component: TMOS

Symptoms:
When newer link-state advertisement (LSA) (with greater seq) comes in, the Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertexes. If the discard happens during such a suspend, then after the calculation resumes, the discarded LSAs are ignored,n which can cause route unreachable, and eventually route withdraws.

Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.

Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.

Workaround:
There is no workaround.

723306-5 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on different partition.

723288-3 : DNS cache replication between TMMs doesn't always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share cache information between TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS cache configuration objects.

Impact:
Potential DNS resolver performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although the placeholder object must be created using tmsh, as the GUI menu is not available without a DNS license.)

723112 : LTM policies does not work if a condition has more than 127 matches

Component: Local Traffic Manager

Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.

Conditions:
LTM policy that has a condition with more than 127 matches.

Impact:
LTM policy does not match the expected condition.

Workaround:
There is no workaround at this time.

723111 : mailx is blocked by SELinux Policy

Component: TMOS

Symptoms:
The mail command is not functional with the SELinux Policy.

Conditions:
Using mailx to send mail.

Impact:
Cannot use mailx to send mail. This is a function of the SELinux Policy, which does not allow execution of the mailx commands.

Workaround:
To work around this issue, you can configure the BIG-IP system to communicate with an SMTP mail server using the method appropriate for your BIG-IP version. For specific procedures, see K3667: Configuring alerts to send email notifications :: https://support.f5.com/csp/article/K3667.

723095-1 : Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool

Component: Global Traffic Manager (DNS)

Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)

Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.

Impact:
Unable to add pool members quickly to all pools of the same type.

Workaround:
There is no workaround at this time.

722969-1 : Import with 'reuse' rewrites shared objects

Component: Access Policy Manager

Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.

Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.

Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.

Workaround:
None.

722919 : Memory leak when using SP-DAG and a small LSN pool.

Component: Carrier-Grade NAT

Symptoms:
High memory usage by objects of type cmp. Using SP-DAG and a small Large Scale NAT (LSN) pool, some TMMs may not have any local translation addresses. If connections are routed out a VLAN that has cmp-hash src-ip, a small amount of memory may be leaked.

Conditions:
-- Using SP-DAG.
-- Using small LSN pools.
-- Having TMMs that do not not have any local translation addresses.
-- Connections are routed out a VLAN that has cmp-hash src-ip.

Impact:
A small amount of memory may be leaked. The aggressive sweeper might kill connections. TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
Using the default DAG with small LSN Pools gives all TMMs local translation endpoints.

To prevent the leak, allow only VLANs with cmp-hash dst-ip in the LSN pool egress interface list.

722741-4 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.

722707 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall

Component: Local Traffic Manager

Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.

Conditions:
-- A 'mysql' monitor successfully connects to the 'MySql' database.
2. Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.

Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).

Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).

722682-1 : Fix of ID 615222 results in upgrade issue for GTM pool member with colon -- config failed to load★

Component: TMOS

Symptoms:
Loading configuration process failed after upgrade.

Conditions:
1. GTM pool member has colon in the name.
2. Upgrade to versions that has fix for ID 615222.

Impact:
Configuration load fails.

Workaround:
Add "\\" before the first ":" after upgrade.

722534-4 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.

722380-3 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs on an i10600 or i10800 platform, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens after the core dump begins before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
None.

722363-1 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.

722013-3 : MCPD restarts on all secondary blades post config-sync involving APM customization group

Component: Access Policy Manager

Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.

Each affected blade will log an error message similar to the following example:

Apr 25 09:05:06 slot4/VIP2400-R68-S40 err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1

Conditions:
This issue occurs when all of the following conditions are met:

- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).

- Said systems are provisioned for APM.

- The device-group is configured for incremental manual synchronizations.

- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.

- You synchronize the configuration from the source_system to the device-group.

- On the source_system, you create a new configuration object of any kind (for example, an LTM node).

- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).

- The MCPD daemon restarts on all secondary blades of the source_system.

Impact:
While the MCPD daemon restarts, the blade is off-line and many other F5 daemons need to restart along with MCPD.

If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.

If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.

Workaround:
None.

721752-1 : Null char returned in REST for Suggestion with more than MAX_INT occurrences

Component: Application Security Manager

Symptoms:
Unable to view ASM event log details for a majority of violations.

Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.

Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.

Workaround:
Use the following sql command:

UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;

721741-2 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.

Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives

Workaround:
There is no workaround at this time.

721579-1 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing

Component: Carrier-Grade NAT

Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.

Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.

Impact:
lsndb shows misleading stats.

Workaround:
There is no workaround at this time.

721571-3 : State Mirroring between BIG-IP 12.1.3.* and 13.* systems may cause TMM core on standby system during upgrade★

Component: Local Traffic Manager

Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x software versions in a High-Availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.

Conditions:
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
-- The active system is running v12.1.3.x, and the standby system is running v13.x, e.g., as a result of an in-progress upgrade.

Impact:
TMM may crash on a standby system during upgrade.

This issue should not disrupt traffic, because the TMM is coring only on the standby unit.

Workaround:
To workaround this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x, or complete the upgrade of both devices to v13.x.

1. You can disable mirroring using either the GUI or the command line.

1a. In the GUI:
-- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.

1b. From the command-line:
-- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config

Important: This action results in connection state loss on failover.

2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IPs removed previously.

Note: F5 recommends that BIG-IP systems run with the same software version on all devices.

721399-3 : Signature Set cannot be modified to Accuracy = 'All' after another value

Component: Application Security Manager

Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.

Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.

Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.

Workaround:
You can use either of the following workarounds:

-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').

721375 : Export then import of config with RSA server in it might fail

Component: Access Policy Manager

Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.

Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.

Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.

Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.

721020-4 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changing the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.

720819-1 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups

Component: TMOS

Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.

For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.

Instead, the recovery mechanism should trigger almost instantaneously.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.

-- The HSB locks-up due to a different issue.

Impact:
Traffic will be negatively impacted until the BIG-IP system detects and remedies the condition.

Workaround:
None.

720799-3 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change

Component: Local Traffic Manager

Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.

This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.

Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).

Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.

Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.

720713-3 : TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail

Component: TMOS

Symptoms:
When a i10600/i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.

Note: Management port traffic to/from the device is unaffected.

Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.

The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.

Conditions:
This issue occurs when all of the following conditions apply:

- i10600/i10800 device in vCMP host mode.

- At least one vCMP guest is deployed or was deployed, at some point.

Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.

Workaround:
None.

720651-3 : Running Guest Changed to Provisioned Never Stops

Component: TMOS

Symptoms:
After changing a vCMP guest status to provisioned the guest remains running showing a status of stopping.

Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.

Impact:
Guests do not stop and change status until vcmpd process is restarted.

Workaround:
There is no workaround.

720588 : Pages not loading correctly when AJAX response page is enabled

Component: Application Security Manager

Symptoms:
Enabling AJAX response page may prevent assets from loading properly due to a conflict with back-end JavaScript.

Browser console shows errors such as:
Uncaught TypeError: Cannot read property 'readyState' of undefined.

Conditions:
-- AJAX response page is enabled.
-- Back-end JavaScript conflicts with ASM JavaScript.

Impact:
Content within pages may fail to load.

Workaround:
None.

720581-3 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files

Component: Application Security Manager

Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.

Conditions:
Policy Merge is used to add an XML Policy that contains a schema file from one policy to another.

Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.

Workaround:
None.

720461-3 : qkview prompts for password on chassis

Component: TMOS

Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.

Conditions:
SSH auth keys are missing or corrupted.

Impact:
This blocks collecting qkview.

Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:

$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;

720440 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.

720293-1 : HTTP2 IPv4 to IPv6 fails

Component: Local Traffic Manager

Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.

Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.

Impact:
Traffic connection does not establish; no traffic passes.

Workaround:
None.

720269-3 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.

Workaround:
There is no workaround at this time.

720219-1 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.

719644-1 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★

Component: Global Traffic Manager (DNS)

Symptoms:
When an LTM configuration has virtual server names containing period (.), a GTM configuration with auto-discovery enabled is upgraded from v11.5.x to a later version might lose consistency.

Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.

Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.

Workaround:
There is no workaround at this time.

719241 : Using custom DNS servers on the Azure VNet with the missing 168.63.129.16 causes Waagent provisioning failure.

Component: TMOS

Symptoms:
During the BIG-IP system boot-up, waagent is unable to get a response from the intended wire server endpoint, which stops it from running custom script extensions. This happens because of the missing route to the Azure virtual public IP address of 168.63.129.16.

The var/log/waagent.log contains error messages similar to the following:
-- INFO Protocol endpoint not found: WireProtocol, [ProtocolError] [Wireserver Exception] [HttpError] [HTTP Failed] GET http://n.n.n.n,n.n.n.n/?comp=versions -- IOError [Errno -3] Temporary failure in name resolution -- 6 attempts made

Conditions:
-- BIG-IP system is deployed in Azure VNet with a custom DNS server.
-- The DHCP server has assigned a classless-static-route in its dhclient lease (/var/lib/dhclient/dhclient.leases) which contains a custom route to 168.63.129.16.

Impact:
waagent custom script extensions do not complete, failing the BIG-IP provisioning that waagent intends to perform during startup.

Workaround:
Add 168.63.129.16 route on mgmt interface during BIG-IP system initialization to facilitate correct waagent custom script extension execution.

718885-1 : Under certain conditions, monitor probes may not be sent at the configured interval

Solution Article: K25348242

Component: Global Traffic Manager (DNS)

Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.

Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.

Impact:
Monitor probes are not consistently performed at the configured interval.

Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.

The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.

For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:

-- Change the interval for 10 of the monitors to a different value.

-- Set the monitor interval to 40.

Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.

718867-3 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★

Component: Local Traffic Manager

Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).

Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.

Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.

Workaround:
Reset the variable's custom value after upgrade.

718800-3 : Cannot set a password to the current value of its encrypted password

Component: TMOS

Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':

modify auth user <username> encrypted-password password

Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):

modify auth user <username> password password

Conditions:
Changing a password to the value of encrypted-password.

Impact:
Difficult to recover from this situation because trying to simply change the password to the correct value doesnot work.

(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)

Workaround:
First, change the password to something else. Then, change it back to the correct value.

718232-1 : Some FTP servers may cause false positive for ftp_security

Component: Application Security Manager

Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.

Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.

Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.

Workaround:
There is no workaround at this time.

718201 : No alert for failed RAID disk

Component: TMOS

Symptoms:
If a BIG-IP system boots with a failed drive in a RAID array, no alert will be logged.

Conditions:
-- BIG-IP system with dual SSDs.
-- One of the drives has previously failed.
-- The system is booted/rebooted.

Impact:
There is no warning that the system is not operating in a mirrored RAID state.

Workaround:
Run 'tmsh show sys raid disk all-properties' to show the status of the RAID array

717909-2 : tmm can abort on sPVA flush if the HSB flush does not succeed

Component: Advanced Firewall Manager

Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm does a flush of sPVA. If the operation does not succeed, the system can wait for 10 seconds, which might cause an abort due to heartbeat failure. tmm crash

Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).

Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

717896 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.

717888-2 : TMM may leak memory when a virtual server uses the MQTT profile.

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when a virtual server uses the MQTT profile.

Specifically, the xhead, xdata, mqtt_message, and mqtt_slab memory components might be seen leaking when inspecting TMM memory utilization using the following command: tmsh show sys memory.

Conditions:
This issue occurs when all of the following conditions are met:

-- A virtual server uses the MQTT profile.

-- That virtual server has no pool members available (hence it cannot load-balance traffic anywhere). This might occur because of the following:
  + A monitor has marked the pool members down.
  + A BIG-IP system Administrator manually forces the pool members off-line.
  + The pool members are unresponsive at connection time.

Impact:
Performance becomes degraded as TMM leaks memory. Eventually, TMM might crash due to memory exhaustion. Traffic disrupted while TMM restarts.

Workaround:
If the MQTT profile is not essential to the correct functioning of the virtual server (for example, because it is only used for gathering statistics), then you can remove the MQTT profile from the virtual server to prevent this issue from occurring.

You may want to restart TMM (using the command: bigstart restart tmm) to release any memory and start fresh after removing the MQTT profile. This will interrupt traffic momentarily and cause a failover on redundant units.

On multi-blade systems, you might want to wrap the command within 'clsh' to execute it on all blades (e.g.: clsh bigstart restart tmm).

717346-4 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket

716922-4 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Mote: To take advantage of some of the Nagle benefits, use 'Auto'.

716900-1 : TMM core when using MPTCP

Component: Local Traffic Manager

Symptoms:
In some cases TMM may crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

716788-3 : TMM may crash while response modifications are being performed within DoSL7 filter

Component: Application Security Manager

Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.

Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts, failover may occur.

Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.

716716-3 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.

716701-2 : iControl REST: Unable to create Topology when STATE name contains space

Solution Article: K43005133

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use iControl REST to create topology records when whitespace exist in a STATE name.

Conditions:
STATE name contains a space (e.g., New Mexico).

Impact:
Unable to create a topology record using iControl REST.

Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.

716492-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Solution Article: K59332523

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
TSO packet length exceeds the rateshaper's configured max ceiling.

Impact:
The flow stalls. Subsequent flows cannot go to the rateshaper from that particular tmm.

Workaround:
If you are running BIG-IP software v12.1.3.2 (or later) or v13.1.0(.x), you can use the following workaround:

There is a sys db variable called 'rateshaper.cmpdivide', which is enabled by default. When enabled, the system internally divides the bandwidth (rate/ceiling/burst) between the available tmm cores. If this issue occurs, set 'rateshaper.cmpdivide' to enabled.

There is no workaround for other versions.

716391-3 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores.
-- A module using MySQL is provisioned.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.

IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.

716318-4 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.

716213-3 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.

716166-3 : Dynamic routing not added when conflicting self IPs exist

Component: TMOS

Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.

Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.

Impact:
Propagation of the dynamic route to the kernel, TMM.

Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.

715756-3 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only

Component: Local Traffic Manager

Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.

Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.

Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.

Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.

715750-3 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.

Component: Local Traffic Manager

Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.

For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Conditions:
This issue occurs when the following conditions are met:

-- A standard virtual server with the clientssl and serverssl profiles in use.

-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.

For example, if the original FIN was received by the BIG-IP system on the clientside:

-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.

-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Workaround:
There is no workaround at this time.

715467-3 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.

715448-1 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.

715061-1 : vCMP: tmm core in guest when stopping vCMP guest from host

Component: TMOS

Symptoms:
A tmm core in the guest on the primary blade, not the secondary blade, after the guest is disabled on the hypervisor.

Conditions:
-- A cross-blade vCMP guest.
-- Guest is disabled on the hypervisor.

Impact:
Because the guest is in the process of being disabled, there is no impact on traffic, however, the core file may take up space on the guest on the primary blade.

Workaround:
To mitigate the disk problem, manually delete the core file.

714986-1 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1

714903-1 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.

714704 : ICMP unreachable messages sent only from active to standby

Component: Advanced Firewall Manager

Symptoms:
When the self IP has a firewall rule to reject ICMP unreachable, the system will be sent from active to standby and not from standby to active.

This is correct behavior, but v13.x might show ICMP unreachable messages sent from standby to active along with those from active to standby.

Conditions:
-- AFM firewall rule is applied to the self IP as reject ICMP unreachable messages.
-- Active/standby high availability (HA) cluster.

Impact:
No functional impact. ICMP unreachable messages not showing has no effect on BIG-IP system functionality.

Note: If there is a firewall to block traffic on self IPs, but still want ICMP unreachable messages, that configuration is not valid, and HA will not work.

Workaround:
There is no workaround.

714654-3 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.

714626-1 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.

Solution Article: K30491022

Component: TMOS

Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.

Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Attempting to license (or revoke the license of) the BIG-IP system is not possible using GUI or tmsh since communications with the license server will fail.

Impact:
Cannot license, reactivate license, or revoke the license of the BIG-IP system.

Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:

/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck

714559-1 : Removal of HTTP hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Connected clients must establish a new session.

Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:

when CLIENT_ACCEPTED {
persist cookie hash JSESSIONID
}

714507-4 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool

Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.

Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
# tmsh save sys config gtm-only

Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1

714503-3 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl

Component: Local Traffic Manager

Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the .tcl extension. The system will do that for you.

714495-3 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"

Component: Local Traffic Manager

Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
Creating a new iRulesLX iRule in TMSH.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the '.tcl' extension.

714384-5 : DHCP traffic may not be forwarded when BWC is configured

Component: Local Traffic Manager

Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.

Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.

Impact:
DHCP traffic may not be forwarded.

Workaround:
There is no workaround other than to remove the BWC policy.

713947-3 : stpd repeatedly logs "hal sendMessage failed"

Component: TMOS

Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed"

Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.

Impact:
All BIG-IP blades

Workaround:
No workaround except to ignore log messages - they are spurious and have no ill effect on the system besides log spam.

713708-3 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI

Component: TMOS

Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.

Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.

Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.

Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.

713629-1 : Applying firewall policy to self-ip can cause tmm crash

Component: Advanced Firewall Manager

Symptoms:
Applying a firewall policy to a self-ip can cause a tmm crash. This is due to an uninitialized local variable that cause memory corruption on a stat memory location.

Conditions:
No specific condition for this to happen. This can happen in any config. However, it should be a vary rare occurrence.

Impact:
Temporary traffic disruption while tmm restarts.

Workaround:
There is no workaround. Tmm should recover automatically and function normally.

713585-1 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long

Solution Article: K31544054

Component: Local Traffic Manager

Symptoms:
Config load could be very long and CPU usage very high.

Conditions:
There are many iRule and they are installed on many virtual servers.

Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.

Workaround:
Run "tmsh modify sys db rule.validation value syntax", this causes iRule validation to check iRule syntax only; the semantic checks will not be performed.

713519-3 : Enabling MCP Audit logging does not produce log entry for audit logging change

Component: TMOS

Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.

Conditions:
This occurs when enabling MCP audit logging.

Impact:
The audit logging change itself is not logged in the audit logs.

Workaround:
None.

713388-3 : SSL handshake fails for OCSP + TLS false start + SSL hardware acceleration

Component: Local Traffic Manager

Symptoms:
SSL handshake will fail if Client initiate the handshake with TLS false start(Client SSL send the SSL record data to server before Server send out the CCS + FINISHED).

Conditions:
1. Client initiates the SSL handshake with False Start.
2. BIG-IP has SSL hardware acceleration enabled（which is default for for non-VE version).

Impact:
BIG-IP will send the RST to tear down the connection in TLS false start.

Workaround:
1. Disable TLS False Start - that needs to be done on all clients so might not be feasible;
2. Disable SSL acceleration.
3. Disable AES-GCM ciphers in clientssl profile. Without AES-GCM clients will not try to use TLS false start and still be able to use (EC)DHE.

713283-2 : Missing transaction count in = application security report under view by IP Intelligence

Component: Application Visibility and Reporting

Symptoms:
Transactions without an IP reputation threat are not listed on application security reports under viewed by IP Intelligence.

Conditions:
-- All transactions without an IP reputation threat.
-- Application security reports.

Impact:
Transaction count statistics are missing.

Workaround:
None.

713282-3 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.

713183 : Malformed JSON files may be present on vCMP host

Component: TMOS

Symptoms:
Malformed JSON files may be present on vCMP host.

Conditions:
All needed conditions are not yet defined.

- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.

Impact:
Some vCMP guests may not show up in the output of the command:
tmsh show vcmp health

In addition, there might be files present named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.

Workaround:
None.

713138 : TMUI ILX Editor inserts an unnecessary linefeed

Component: TMOS

Symptoms:
If you use the TMUI edit for ILX, the system will append a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.

A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.

Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).

Impact:
File contents can change unexpectedly and have needless characters at the end.

Workaround:
Use TMSH or a different editor, that is not TMUI, to change those files.

713134-3 : Small tmctl memory leak when viewing stats for snapshot files

Component: TMOS

Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:

tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>

Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access

Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).

Workaround:
None.

712664-4 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting

Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.

712500-2 : Unhandled Query Action Drops Stat does not increment after transparent cache miss

Component: Global Traffic Manager (DNS)

Symptoms:
After a transparent cache miss, if the LTM DNS profile has Unhandled Query Action set to Drop, the request is dropped without incrementing the Unhandled Query Action Drops stat.

Conditions:
LTM DNS profile with a Transparent Cache and Unhandled Query Action set to Drop.

Impact:
Inaccurate statistics for the Unhandled Query Action Drops

Workaround:
None.

712489-3 : TMM crashes with message 'bad transition'

Component: Local Traffic Manager

Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition

Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

712321 : Missing reference to customization-group from connectivity profile if created via network access wizard

Component: Access Policy Manager

Symptoms:
Connectivity profile generated from the use of network access wizard will not contain a reference to a customization-group.

Conditions:
Use network access wizard to create configure objects.

Impact:
There is no functional impact since customization is not actually used for connectivity group.

Workaround:
Configure the connectivity profile object manually from tmui (GUI) or tmsh (command line) rather than via wizard. Replace the connectivity profile created from the virtual server within the virtual server with the manually created connectivity profile.

712266-2 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware

Component: TMOS

Symptoms:
Messages like the following may show up in /var/log/ltm:

-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.

This occurs because the decompression of large compressed data failed.

Conditions:
When compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.

Impact:
Requests fail with a connection reset.

Workaround:
Use zlib software decompression.

712033-1 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name

Component: TMOS

Symptoms:
When you make a REST request to association list in /stats you get a duplicate name in the selfLink after members in both the entries and the selfLink, e.g.:

# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
  "kind": "tm:ltm:pool:members:membersstats",
  "generation": 3,
  "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
  "entries": {
    "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {

Conditions:
When making a REST request to an object in /stats that is an association list.

Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.

Workaround:
None.

711981-3 : BIG-IP system accepts larger-than-egress MTU, PMTU update

Component: Local Traffic Manager

Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.

Conditions:
A valid PMTU message.

Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.

Workaround:
None.

711879 : Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.

Component: TMOS

Symptoms:
The web GUI displays an incorrect value for cert and key for a GTM monitor.

Conditions:
The GTM monitor has the same name as an LTM monitor.

Impact:
Incorrect data can be presented regarding the GTM monitor's cert and key.

Workaround:
Use TMSH to display the correct cert and key.

711818-1 : Connection might get reset when coming to virtual server with offload iRule

Component: Application Security Manager

Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.

Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.

Impact:
Connection receives a RST.

Workaround:
There is no workaround at this time.

711683-4 : bcm56xxd crash with empty trunk in QinQ VLAN

Component: TMOS

Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.

Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.

Impact:
bcm56xxd continuously crashes.

Workaround:
Use either of the following workarounds:
-- Add members to the trunk.

-- Remove the trunk from the QinQ VLAN.

711249-2 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.

Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.

711158-1 : Admin user roles automatically demoted to guest

Solution Article: K25280801

Component: TMOS

Symptoms:
Newly created admin users are immediately demoted to guest.

Conditions:
-- A sync-failover device group exists.

-- The REST framework's 'gossip' mechanism is configured.

-- Create a new admin user using a command similar to the following: tmsh create auth user test123 password **** partition-access add { all-partitions { role admin } }

Note: Correct REST framework 'gossip' mechanism configuration should occur automatically, but might not be ready. You can confirm whether this is the case by running the following command: restcurl shared/resolver/device-groups/tm-shared-all-BIG-IPs/devices. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.

Impact:
In a few seconds, the newly created admin user account reverts to a guest role. User does not have the expected admin access.

Workaround:
On the primary BIG-IP system, do the following:

1. Disable failover by running the following command:
restcurl -X PATCH tm/shared/bigip-failover-state -d '{"isEnabled": false}'

2. Clear REST devices from the device group by running the following command:
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-BIG-IPs/devices

710996-1 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP

Component: Local Traffic Manager

Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
IPv4 traffic is sourced from the cluster IP
IPv6 traffic is sourced from the cluster member IP

Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.

Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.

Workaround:
There is no workaround at this time.

710841 : 12.1.3.3 feature refinement might be lost after upgrade★

Component: TMOS

Symptoms:
If you upgrade from 12.1.3.3 (or later) to 13.1.0 or 13.1.0.1, you will lose the VE-specific 12.1.3.3 feature refinements you gained.

Conditions:
Upgrade from 12.1.3.3 (or later) to 13.0.x, 13.1.0, or 13.1.0.1.

Impact:
Feature refinement provided in 12.1.3.3 will be lost after upgrade. Other functionality is unaffected.

Workaround:
Only upgrade from 12.1.3.3 or later to 13.1.0.2 or later.

710755-2 : Crash when cached route information becomes stale and the system accesses the information from it.

Solution Article: K30572159

Component: Advanced Firewall Manager

Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.

Conditions:
Use stale cached route information.

Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.

Workaround:
None.

710564-3 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0

Component: Local Traffic Manager

Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.

Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.

Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.

Workaround:
There is no workaround at this time.

710410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
-- Compression requests for DEFLATE/gzip levels other than level 1.
-- BIG-IP devices using Cave Creek SSL hardware acceleration.

Workaround:
None.

710355-1 : High CPU when using HTTP::collect for large chunked payloads

Component: Local Traffic Manager

Symptoms:
When collecting large amounts of chunked payload, approximately one million bytes, the processing to parse each chunk for the chunk headers and offsets results in large CPU utilization.

Conditions:
-- HTTP profile is attached to virtual server.
-- Server sends chunked response.
-- An iRule on the virtual server uses the HTTP::collect command to collect and parse large chunked payloads.

Impact:
High CPU utilization.

Workaround:
None.

710277-2 : IKEv2 further child_sa validity checks

Component: TMOS

Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.

Conditions:
Encountering the issue in which rekeying a child_sa might core when race conditions allowed that child_sa to be destroyed while in use.

Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.

Workaround:
None.

710044-1 : Portal Access: same-origin AJAX request may fail in some case.

Component: Access Policy Manager

Symptoms:
If base URL for current HTML page contains default port number, same-origin AJAX request from this page may fail via Portal Access.

Conditions:
- HTML page with explicit default port in base URL, for example:
  <base href='https://some.com:443/path/'>

- Same-origin AJAX request from this page, for example:
  var xhr = new XMLHttpRequest;
  xhr.open('GET', 'some.file');

Impact:
Web application may not work correctly.

Workaround:
It is possible to use iRule to remove default port number from encoded back-end host definition in Portal Access requests, for example:

when RULE_INIT {
  # hex-encoded string for 'https://some.com'
  set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
  # '3a343433' is hex-encoded form for ':443'
  set ::pattern "/f5-w-${encoded_backend}3a343433\$"
  set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
  set ::remove_start [ expr {$::remove_end - 7} ]
}

when HTTP_REQUEST {
  if { [HTTP::path] starts_with "$::pattern" } {
    set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
    HTTP::path "$path"
  }
}

710039 : Merging config may not report syslog configuration errors

Component: TMOS

Symptoms:
A 'load sys config verify merge' may return successfully, but 'load sys config merge' without the 'verify' argument might fail.

Conditions:
Running the 'load sys config merge' without the 'verify' argument.

Impact:
False positive might be received in response to a successful config verify. However, the syslog system is not actually configured during a 'verify', so it does not report errors.

Workaround:
None.

710028-4 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.

709963-4 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.

709837-3 : Cookie persistence profile may be configured with invalid parameter combination.

Component: Local Traffic Manager

Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.

Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.

Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.

Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.

709559-3 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name

Component: TMOS

Symptoms:
Loading configuration fails on upgrade

Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2

Impact:
The system won't be functional

Workaround:
Delete or rename "/Common/ssh"

709544-4 : VCMP guests in HA configuration become Active/Active during upgrade★

Component: TMOS

Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.

During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.

Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until upgrade is complete on all chassis in the DSC are finished. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

708968-4 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address

Component: TMOS

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.

Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.

Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.

Workaround:
- If possible IPv4 address or IPv4-compatible IPv6 address should be passed instead of IPv4-mapped IPv6 address, however this depends on other routers.

708830-1 : Inbound or hairpin connections may get stuck consuming memory.

Component: Carrier-Grade NAT

Symptoms:
When inbound or hairpin connections require a remote Session DB lookup and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They will be stuck in this state until they timeout and expire. In this state UDP connections will queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets will accumulate consuming memory. If the memory consumption becomes excessive, connections may be killed and “TCP: Memory pressure activated” and “Aggressive mode activated” messages will appear in the logs.

Conditions:
A LSN pool with inbound and/or hairpin connections enabled. Lost Session DB messages due to heavy load or hardware failure. Remote lookups are more likely when using PBA mode or NAPT mode with default DAG.

Impact:
Excessive memory consumption that leads to dropped connections.

Workaround:
There is no workaround at this time.

708803 : Remote admin user with misconfigured partition fallback to "All"

Component: TMOS

Symptoms:
When remote role groups are used to set user role and partition from the remote authentication server, and the server is configured to set a user to Administrator role with access to a particular partition, the user instead receives Administrator role on all partitions. Users with Administrator role on the BIG-IP are required to have all partition access.

Conditions:
Remote authentication with remote role groups. Remote authentication server configured to set a user to Administrator role with access to a particular partition.

Impact:
Administrator users have access to all partitions.

Workaround:
Change configuration on remote authentication server. Users with Administrator role need all partition access. Users who must be restricted to a particular partition should be given a more restrictive role.

708415 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled

Component: TMOS

Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.

Conditions:
BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.

For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:

# modify net interface 1.1 flow-control tx-rx

# show net interface 1.1 all-properties

Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.

Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.

Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.

708176 : SNMP OIDs (NA throughput) incorrect when compression is disable

Component: Access Policy Manager

Symptoms:
SNMP OIDs related to Network Access VPN tunnel or connectivity traffic are not updated if compression is not enabled. However, the definitions for connectivity traffic make it seem like they should be updated.

Conditions:
1. Create an access policy with Network Access resource (no compression enabled). Also, connectivity profile with no compression.
2. Assign this to a virtual server.
3. Establish a VPN tunnel, and download a large file.
4. Compare the SNMP OID values before and after this large file download via VPN tunnel.

Impact:
Confusion and graphs that don't seem to show the expected traffic.

Workaround:
Turn on compression to see the stats updated.

708005-3 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources

Component: Access Policy Manager

Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.

Impact:
End user cannot launch VMware View resources with View HTML5 client.

Workaround:
You can use the following workarounds:

-- If you are already running Horizon 7.4, use native View clients instead.

-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.

-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:

when HTTP_REQUEST {
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata")} {
        HTTP::cookie remove "sessionDataServiceId"
    }
}

when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if {[string length $path] > 0} {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}

Important:
-- After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the test operation may need to be executed before exhibiting successful behavior.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.

707953-1 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page

Component: Access Policy Manager

Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.

Conditions:
Viewing APM and APM Lite licenses in the GUI.

Impact:
Cannot distinguish the difference in types of licenses.

Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).

707740-3 : Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination

Component: TMOS

Symptoms:
User would get "monitor is in use" when attempting to delete a GTM Monitor, even after removing that monitor from all GTM Virtual Servers

Conditions:
Attach a gtm monitor to multiple gtm virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port

Impact:
User will not be able to ever delete the un-used gtm monitor

Workaround:
There is no workaround at this time.

707738-4 : Network Access cannot be established on Windows 10 RS4

Solution Article: K84747528

Component: Access Policy Manager

Symptoms:
Network Access cannot be established on Microsoft Windows 10 RS4. Both EdgeClient and F5 VPN fails with the following error: An incorrect structure size was detected.

Note: Custom Dial-up entry client is not affected.

This is caused by Windows 10 RS4 regression in Remote Access System (RAS).

Conditions:
Networks Access connection fails when any of the following conditions are met:
-- The Windows system is clean Windows 10 RS4 installation
-- The Windows system has never connected to APM.
-- The Windows system previously was connected to APM, but the BIG-IP Administrator modified Network Access resource settings

When all of the following conditions are met, Network Access continues to work, unless the Administrator modifies the resource configuration or the user connects to a new APM server:
-- The Windows system was previously connected to a specific virtual server on a particular APM.
-- The Windows system was upgraded from previous Windows 10 version to Windows 10 RS4.
-- The Windows system Administrator has not modified any settings of Network Access resource.

Impact:
Network Access connection cannot be established.

Workaround:
None.

Note: This is caused by Windows 10 RS4 regression in RAS.

707691-2 : BIG-IP handles some pathmtu messages incorrectly

Component: Local Traffic Manager

Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.

Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).

Impact:
pmtu message is erroneously ignored.

Workaround:
There is no workaround at this time.

707391-4 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue BIG-IP with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.

Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.

Workaround:
Workaround would be to restart the dynamic routing process.

707320-1 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs

Component: TMOS

Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and a IPv4 last-resort-pool will only spawn an A-type WideIP after the upgrade

Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.

Impact:
Loss of the AAAA-type WideIP configuration item

Workaround:
There is no workaround at this time.

707204 : If the system has more than 264 analytics profiles, the upgrade fails.

Component: Application Visibility and Reporting

Symptoms:
If the system is upgraded from version 11.5.4-hf2, 11.6.0-hf4 and has more then 264 analytics profiles, the upgrade will fail.

Conditions:
1. The system has more than 264 different analytics profiles.
2. Upgrade from version 11.5.4-hf2,hhf3... or from version 11.6.0-hf4,hf5...

Impact:
The upgrade will fail.

Workaround:
Delete/reduce the number of analytics profiles before the upgrade.

706930 : "Enforce Ready" button has no effect for Signatures for Inactive Policy

Component: Application Security Manager

Symptoms:
The "Enforce Ready" button has no effect for Signatures on Inactive Policies.

Conditions:
The user accesses "Enforcement Readiness" page for an Inactive Policy.

Impact:
Pressing "Enforce Ready" button has no effect.

Workaround:
Signature Staging can be disabled from "Application Security > Attack Signatures" page, or via REST.

706642-3 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.

706505-1 : iRule table lookup command may crash tmm when used in FLOW_INIT

Component: Local Traffic Manager

Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.

Conditions:
iRule table lookup command is used in FLOW_INIT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use table lookup in the events after the flow is constructed.

706106-1 : PUT request sent to ltm/virtual failed because of ip-protocol property value any

Component: TMOS

Symptoms:
PUT request to ltm/virtual fails unexpectedly because ip-protocol property value any

Conditions:
When sending PUT request to ltm/virtual

Impact:
PUT request modifies properties that user includes in the request and resets the rest of property value to default.

Default ip-protocol property value could be 'any', 'ip' or 'hopopt'

Workaround:
Using PATCH request

706102-3 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.

705112-1 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent doesn't have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

705037-3 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Solution Article: K32332000

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.

704764-2 : SASP monitor marks members down with non-default route domains

Component: Local Traffic Manager

Symptoms:
The LTM SASP monitor marks pool members down, whose address include non-default route domains.

Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:

ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}

Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.

Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.

The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.

Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members with the same address except for different route domains, to be monitored by the SASP monitor. If case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.

704450-2 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.

704449-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.

704247-3 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.

704198-1 : GTM equivalent of ID663502 - replace-all-with can leave orphaned monitor_rule, monitor_rule_instance and monitor_instance

Component: Global Traffic Manager (DNS)

Symptoms:
Orphaned monitor_instance records in mcpd;
Secondary blade restarting in a loop.

Conditions:
Modify monitor for gtm objects using tmsh with replace-all-with.

Impact:
There is an leaked/extra monitor instance;
Restarting secondary slot will result in a restart loop.

Workaround:
Restart services, but this might change primary slot:
# bigstart restart

704176-1 : Monitor instances may not get deleted during configuration merge load

Solution Article: K22540391

Component: Global Traffic Manager (DNS)

Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.

-- err mcpd[8982]: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.
-- err mcpd[8982]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.... failed validation with error 16908342.

Conditions:
Merge a GTM config file to update a virtual server's monitor.

Impact:
There is a leaked/extra monitor instance. Restarting secondary slot will result in a restart loop.

Workaround:
Remove the MCPD binary database on the Primary blade and restart services:
# touch /service/mcpd/forceload
# bigstart restart

Note: This might change the primary slot.

703793-1 : tmm restarts when using ACCESS::perflow get' in certain events

Component: Access Policy Manager

Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.

Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).

Impact:
tmm cores and traffic flow will be interrupted while it restarts.

Workaround:
None.

703669-3 : Eventd restarts on NULL pointer access

Component: TMOS

Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.

Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.

Impact:
Causes eventd to crash.

Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.

703509-1 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled

Component: TMOS

Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.

...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.

Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.

Impact:
User is unable to save the configuration.

Workaround:
A user with the administrator role can save the config.
The root user can save the config.

703196-3 : Reports for AVR are missing data

Component: Application Visibility and Reporting

Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.

Conditions:
Using AVR statistics.

Impact:
Expected AVR statistics may be missing.

703165 : shared memory leakage

Component: Advanced Firewall Manager

Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).

Conditions:
Many shmem segments allocated and used by tmm.

Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.

Workaround:
There is no workaround at this time.

702933 : Loading UCS with different provisioning can cause a single TMM crash

Component: Application Visibility and Reporting

Symptoms:
Saving a UCS file on one system and loading it on another that has different provisioning, can lead to TMM crash.

Note: The crash will take place only once and the next process of TMM that will be automatically restarted will work without problems.

Conditions:
-- Save a UCS on a system that has AVR or ASM with DoS configured.
-- Load the UCS on a system that does not have AVR nor ASM provisioned.

Impact:
When the system restarts after loading the UCS, TMM can crash but second process of TMM will work fine.

There is no actual impact, since the system is not operational anyway during UCS load, it only takes more time to bring the system to active state after loading the UCS.

Workaround:
When loading a UCS that was saved on a system that had AVR or ASM, make sure the same modules are provisioned first, and then load the UCS.

702615-1 : During reboot to another volume, the GUI login page becomes prematurely available★

Component: TMOS

Symptoms:
Less than a minute after a reboot to another volume is initiated from the GUI, the GUI reports that the reboot is complete and displays the login page. Normally, a reboot takes about 5 minutes.

Conditions:
User initiates a reboot to another volume from the GUI.

Impact:
Misleading information is shown in the GUI. The GUI reports that the reboot is completed and displays the login prompts. However this is not correct because the reboot is still in progress.

Workaround:
Check the reboot status from the console or simply wait about 5 minutes before attempting to login to the system again.

702450-4 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.

702439-3 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset

Solution Article: K04964898

Component: Local Traffic Manager

Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.

Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.

Impact:
HTTP/2 connections will be unusable.

Workaround:
Set the header table size argument back to its default.

702350 : FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS

Component: Application Security Manager

Symptoms:
Fingerprinting is injected while no ASM feature using it is asking for it.

Conditions:
-- Web-scraping is configured in the policy history.
-- Policy iss configured using REST.

Impact:
FingerPrint JS is injected for each request.

Workaround:
1. Turn on Bot detection and click Save.
2. Turn off Bot detection, FP flag, and suspicious clients detection, and click Save.
3. Apply Policy.

702310-2 : The ':l' and ':h' options are not available on the tmm interface in tcpdump

Component: TMOS

Symptoms:
The ':l' and ':h' options are not available on the tmm interface in tcpdump.

Conditions:
Running tcpdump.

Impact:
Packet capture on the tmm interface from the Linux side or the host side of tmm interface is not possible.

Workaround:
There is no workaround at this time.

701977-3 : Non-URL encoded links to CSS files are not stripped from the response during concatenation

Component: WebAccelerator

Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.

Conditions:
White space in the URLs.

Impact:
As above.

Workaround:
No workaround at this time.

701944-2 : machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6

Solution Article: K42284762

Component: Access Policy Manager

Symptoms:
Machine certificate check crashes a Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.

Conditions:
- Machine certificate check configured for with 'match issuer' configuration.
- macOS Sierra 10.12.6 (16G29).
- BIG-IP Edge client.
- F5 EPI.

Impact:
Machine certificate check does not pass because Edge client crashes.

Workaround:
None.

701856-2 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart

Component: Application Security Manager

Symptoms:
In rare circumstance, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.

Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).

Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.

Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl

701722-2 : Potential mcpd memory leak for signed iRules

Component: TMOS

Symptoms:
There is an MCP memory leak that occurs when th message "Signature encryption failed" is seen in /var/log/ltm.

Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.

Impact:
MCP leak memory.

Workaround:
Resolve the signature encryption issue.

701690-3 : Fragmented ICMP forwarded with incorrect icmp checksum

Solution Article: K53819652

Component: Local Traffic Manager

Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.

Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or SNAT/NAT only when a fragmented ICMP packet is received and is expected to be passed through the virtual server (or SNAT or NAT).

Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.

Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.

701680-1 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds

Component: Service Provider

Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.

Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate-limited is applied.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
There is no workaround at this time.

701678-1 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded

Component: Local Traffic Manager

Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.

Conditions:
-- Virtual configured with rate-limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
None.

701555-3 : DNS Security Logs report Drop action for unhandled rejected DNS queries

Component: Advanced Firewall Manager

Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.

Conditions:
DNS profile set unhandled-query-action reject.

Impact:
Incorrect event log. This is an incorrectly logged event and doe not indicate an issue with the system

Workaround:
None.

701387-4 : qkview will not collect files greater than 2 GB

Component: TMOS

Symptoms:
Due to a limitation of the file compression library employed by qkview, it cannot collect files greater than 2 gb in size. qkview will abort when encountering such a file, and not produce a resulting qkview file.

Conditions:
A file exists in a directory that qkview normally collects.

Impact:
No qkview diagnostics file is created.

Workaround:
Remove the file greater than 2gb in size.

701341-2 : If /config/BigDB.dat is empty, mcpd continuously restarts

Solution Article: K52941103

Component: TMOS

Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system will fail to start up, and mcpd will continually restart.

Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)

701039 : Requests do not appear in local logging due to rare file descriptor exhaustion

Component: Application Security Manager

Symptoms:
In an extremely rare circumstance, requests do not appear in local logging due to file descriptor exhaustion in asmlogd.

Conditions:
-- ASM configured.
-- ASM policy with an associated 'Log all requests' logging profile.
-- Requests sent to virtual server.
-- View Request Log.

Impact:
Requests do not appear in local logging.

Workaround:
Restart ASM, or pkill -f asmlogd.

701033-1 : Tcl actions not run if conditions have overlapping IP ranges

Component: Local Traffic Manager

Symptoms:
Overlapping CIDR subnets in rule's condition cause unexpected result.

Conditions:
-- LTM policy with more than one IP-address-based condition.
-- The IP address ranges overlap.
-- An associated action that invokes a Tcl command.

Impact:
Tcl action is not run.

Workaround:
None.

700989-2 : Better detecting browser extentsions

Component: Application Security Manager

Symptoms:
Browser extensions are not always detected

Conditions:
enabling "Web Scraping -> Suspicious Clients -> Detect browsers with Scraping Extensions", and choosing disallowed extensions.

Impact:
Browsers with disallowed extensions are not blocked.

Workaround:
None.

700897-3 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG

Component: TMOS

Symptoms:
sod consumes excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.

Conditions:
When the number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.

Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interferes with other control plane functions including the UI.

Workaround:
There is no workaround at this time.

700827-2 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. It can be observed for example by running "tmsh show sys tmm-traffic".

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a Big-Ip.

700757-2 : vcmpd may crash when it is exiting

Component: TMOS

Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:

err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create

It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:

umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy

Conditions:
vCMP must be in use.

Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.

Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:

tmsh restart sys service vcmpd

700639 : The default value for the syncookie threshold is not set to the correct value

Component: Local Traffic Manager

Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.

Conditions:
This issue may be encountered when a virtual server uses syncookies.

Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.

Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000

700426-2 : Switching partitions while viewing objects in GUI can result in empty list

Solution Article: K58033284

Component: TMOS

Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.

Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.

For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.

Impact:
The list of pools is empty despite the fact that there are pools available.

Workaround:
Return to the first page of objects before switching to any other partition.

700386-1 : mcpd may dump core on startup

Component: TMOS

Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.

Conditions:
This can happen only at startup.

Impact:
mcpd restarts, but resumes normal operation.

Workaround:
None.

700250-1 : qkviews for secondary blade appear to be corrupt

Solution Article: K59327012

Component: TMOS

Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.

Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.

Impact:
The system posts the following messages:
    gzip: stdin: unexpected end of file
    tar: Child returned status 1
    tar: Error is not recoverable: exiting now

Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.

Workaround:
None.

700035-3 : /var/log/avr/monpd.disk.provision not rotate

Component: Application Visibility and Reporting

Symptoms:
the log file may fill-up /var partition

Conditions:
there is no special condition for this issue - if the log is big it won't rotate

Impact:
the log file may fill-up /var partition

Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision

699898-3 : Wrong policy version time in policy created after synchronization between active and stand by machines.

Component: Application Security Manager

Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.

Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.

Impact:
Policy version timestamp on standby system is not synchronized properly.

Workaround:
Run full synchronization again from active system to the group.

699426-3 : RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.

Component: Local Traffic Manager

Symptoms:
If a blade already known to statsd goes down, statsd continues to update the blade's /var/rrd/bladeXcpu file
If a new blade joins and is announced to statsd, statsd stops updating all /var/rrd/bladeXcpu files especillay if it did not have prior knowledge of the blade.

Conditions:
If statsd is restarted after the blade is disabled, or goes down, and after that the blade rejoins the cluster, the /var/rrd/bladeXcpu files stop updating (where X is the blade number).

Impact:
Data of those files is not updated. This impacts the graphs generated from these files.

Workaround:
Execute the command "bigstart restart statsd" after the new blade has joined the cluster.

699076-3 : URI::path iRules command warns end and start values equal

Component: Local Traffic Manager

Symptoms:
URI::path iRules command warns end and start values equal

Conditions:
The end and start values equal

Impact:
Warning message shows in console.

Workaround:
Ignore the warning.

698991 : CPU utilization on i850 is not a reliable indicator of system capacity

Solution Article: K64258832

Component: TMOS

Symptoms:
Unlike previous platforms, the i850 may report between 50-70% CPU utilization when at full capacity. The specific number is workload dependent, and therefore should not be used as an indicator of system headroom for sizing purposes.

Conditions:
Running BIG-IP software on an i850.

Impact:
Confusion of actual capacity usage.

Workaround:
Refer to the BIG-IP stats and published capabilities to determine utilized capacity under a specific workload.

698933-3 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.

Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.

698917 : Unexpected additional policy is created while creating a policy from a template via REST

Component: Application Security Manager

Symptoms:
An unexpected additional policy is created while creating a policy from a template via REST while modifying other attributes.

Conditions:
The user creates a policy from a template via REST while modifying other attributes.

Impact:
An unexpected additional policy is created.

Workaround:
Use the import-policy task to create a new policy from a template in REST. Alternatively, if using the /policies endpoint, create the policy with just the name and template, and make any other changes as a separate update afterwards.

698911 : Periodically SIP requests are not sent to the server

Component: Service Provider

Symptoms:
When rate-limiting is configured on the virtual server and/or pool using a SIP profile, periodically SIP requests may not be forwarded to the server despite rate being under limit.

Conditions:
SIP profile associated with virtual server and rate-limit configured.

Impact:
SIP requests may not be forwarded to the server.

Workaround:
There is no workaround other than disabling rate-limiting.

698844 : LCD splash screen may display incorrect platform name on iSeries appliance

Component: TMOS

Symptoms:
The LCD on an iSeries appliance may show the incorrect platform name after a license is applied.

Conditions:
The platform name may be incorrect on the LCD until the first reboot.

Impact:
Display only, no functional impact

Workaround:
Use "tmsh show sys hardware" to see the correct platform name.

698806-2 : Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces

Component: Advanced Firewall Manager

Symptoms:
Egress Interfaces are not checked in the Source Translation page even if they are configured.

Conditions:
Create a source translation object with egress Interfaces set to 'Enabled on...', select Egress Interfaces from the list, and hit 'Finished'. Egress Interfaces will not be checked with the originally configured values.

Impact:
Egress Interfaces will not be checked even if they are configured.

Workaround:
Use tmsh to check if the object is actually configured with Egress Interfaces

698619-1 : Disable port bridging on HSB ports for non-vCMP systems

Component: TMOS

Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.

Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).

Impact:
This triggers a FDB flush and can result in packet flooding back to the HSB and potential network saturation.

Workaround:
None.

698599 : Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems.

Component: TMOS

Symptoms:
Cave Creek Hardware-accelerated Secure Sockets Layer (SSL) traffic may encounter errors and performance problems.

The BIG-IP system may experience SSL connection failures or reduced performance.

Following logs show an example of errors seen:
/var/log/ltm
-- crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
-- warning tmm3[11707]: 01260009:4: Connection error: ssl_basic_rx:1015: decrypt request error (20)

Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP system uses Cave Creek SSL hardware acceleration.
-- You are experiencing a high SSL traffic load.

Impact:
The BIG-IP system may experience SSL connection failures or reduced performance.

Workaround:
To work around this issue, you can increase the crypto.queue.timeout database key. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system. This procedure will mitigate future occurrences. A reboot of the BIG-IP system is required to clear a currently occurring condition.

1. Log in to the Traffic Management Shell (tmsh) as an administrative user.
2. Run the following command: modify /sys db crypto.queue.timeout value 300
3. Reboot the BIG-IP system.

698597 : BIG-IP fails to go active after cryptographic hardware has recovered from a failure

Solution Article: K10300436

Component: TMOS

Symptoms:
A BIG-IP system might not become active after a crypto-failsafe condition even after it has recovered from a cryptographic hardware failure.

As a result of this issue, you might see output of the tmsh show sys ha-status command similar to the following example:

Feature Key Action Fail Feature Take Client Proc Timeout
crypto-failsafe qa-crypto3-3 failover yes yes yes 0 tmm3 0

The /var/log/ltm file contains messages similar to the following examples:
-- crit tmm[9184]: 01010025:2: Device error: crypto codec cn-crypto-0 queue is stuck.
-- notice sod[8874]: 01140029:5: HA crypto_failsafe_t cn-crypto-0 fails action is failover.

Conditions:
This issue occurs when all of the following conditions are met:

-- Using BIG-IP 2000/2200, 4000/4200, or i2600/i2800 platforms.
-- The crypto-failsafe action is set to failover.
-- The failsafe condition is triggered.
-- The cryptographic hardware has recovered from its failure.

Impact:
The BIG-IP system stays down, even after the cryptographic hardware has recovered. When the system is in this condition, traffic is not being processed.

Workaround:
When your BIG-IP system is in this state, you can recover by restarting the Traffic Management Microkernel (TMM) process. To do so, perform the following procedure:

Impact of workaround: Because so there is no traffic being passed, there is no traffic impact to performing this procedure.

1. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh
2. Restart TMM by running the following command:
restart /sys service tmm

Note: There is no way to easily determine whether the cryptographic hardware has recovered from the failure. Unfortunately, therefore, performing this mitigation step might not return the BIG-IP system to an active state. There are other issues with similar symptoms. If your system is experiencing one of those issues instead, this mitigation step will not produce successful results.

Here are three other Known Issues that produce almost exactly the same error messages, but involve different configurations. You might find additional assistance here::
  + K53752362: The BIG-IP system may erroneously detect a stuck crypto queue in Cave Creek devices :: https://support.f5.com/csp/article/K53752362
  + K53220379: The BIG-IP system may erroneously detect a stuck crypto queue :: https://support.f5.com/csp/article/K53220379
  + K16632: A vCMP host may stop processing SSL and HTTP compressed traffic for a vCMP guest due to a worker-lite system timeout :: https://support.f5.com/csp/article/K16632

698594 : Cave Creek Crypto hardware reports a false positive of a stuck queue state

Solution Article: K53752362

Component: TMOS

Symptoms:
In some cases, a stuck crypto queue may be erroneously detected on Cave Creek-based systems. This includes BIG-IP 2x00, 4x00, i850, i2x00, i4x00, and HRC-i2800.

The system writes messages similar to the following example to the /var/log/ltm file:

crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
warning sod[4949]: 01140029:4: HA crypto_failsafe_t qa-crypto3-3 fails action is failover.

Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses the Cave Creek encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Workaround:
To work around this issue, you can modify the crypto queue timeout value. To do so, perform the following procedure.

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP system as an administrative user.

2. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh

3. To change the crypto queue timeout value, run the following command:
modify /sys db crypto.queue.timeout value 300

4. Save the change by running the following command:
save sys config

Increasing the crypto queue timeout gives the hardware enough time to process all queued request.

698462 : TCP timestamp rewrite mode not working on the client side of ePVA offloaded connections

Component: TMOS

Symptoms:
When the tcp-timestamp-mode is set to 'rewrite', not the default 'preserve', the client side TSecr is not set correctly for the FIN packets. When the flow is evicted due to FIN processing in ePVA, the process copies the timestamp from the server sending the FIN/ACK. This unexpected behavior causes the TCP client to halt at the FIN-WAIT-2 because the client thinks the FIN/ACK from the BIG-IP system includes illegitimate timestamp options, and drops it.

Conditions:
-- tcp-timestamp-mode is set to 'rewrite'.
-- FastL4 profile.
-- Systems with ePVA feature support.

Impact:
TCP client cannot handle the FIN packets properly, causing connection issues.

Workaround:
Use the default 'preserve' mode for FastL4 profiles.

698429-3 : Misleading log error message: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:

Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...

These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.

Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.

Impact:
None. These messages do not indicate an actual problem with the system.

698211-3 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.

Solution Article: K35504512

Component: Local Traffic Manager

Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.

Conditions:
Delete a wildcard resource record to the related DNS express zone.

Impact:
DNS returns the incorrect response.

Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.

698038 : TACACS+ system auth file descriptor leaks when servers are unreachable

Solution Article: K05730807

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Connections to one or more of the configured TACACS+ servers fails.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST. -- Repeated automated access using iControl is the fastest route.

Impact:
Depending on the number of connection failures, the open files limit of the web server process might be exceeded and new connections to the web server will fail.

Administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
To prevent the issue, remove unreachable TACACS+ servers from the tacacs configuration, or restart the httpd process as necessary.

To recover if logins via remotely authenticated accounts are no longer possible, restart the httpd process.

698013-4 : TACACS+ system auth and file descriptors leak

Solution Article: K27216452

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.

Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.

697766-3 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'

Solution Article: K12431303

Component: TMOS

Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen

isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.

Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than than version 11.6.1.

In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:

   router isis isisrouter
   is-type level-2-only
   authentication mode md5
   authentication key-chain keychain-isis
   lsp-refresh-interval 5
   max-lsp-lifetime 65535
   net 49.8002.00c1.0000.0000.f523.00

Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.

Workaround:
None.

697626 : iRules LX: Cannot modify workspace imported by "Import From Workspace"

Component: Local Traffic Manager

Symptoms:
The permissions of an iRules LX workspace copy created from the "Import..." "From Workspace" are set to 775 (drwxr-xr-x) for directories and 444 (-r--r--r--) for files including the node and tcl code files. This causes the "Could not save file: <file>" error upon modification of the code.

Conditions:
Attempting to modify imported workspace.

Impact:
Cannot save changes.

Workaround:
A. Create an "archive file" first and use it for importing.
B. After creating a copy using "From Workspace", run chmod command to add +w to the group and others: e.g., chmod -R g+w,o+w <Workspacename>.

697605 : tmrouted connection closed messages logged on shutdown

Component: TMOS

Symptoms:
/var/log/ltm contains tmrouted connection closed messages. These are a normal part of system shutdown.

Conditions:
System is shut down.

Impact:
None.

Workaround:
n/a

697424 : iControl-REST crashes on /example for firewall address-lists

Component: TMOS

Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.

Conditions:
Making a call to /example on firewall address-list.

Impact:
The icrd_child process crashes.

Workaround:
There is no workaround other than not calling /example on firewall address-lists.

697265 : MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.

Component: Advanced Firewall Manager

Symptoms:
MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.

/var/log/ltm contains messages similar to the following:
-- err clusterd[7274]: 013a0004:3: IO error on recv from mcpd - connection lost
-- info sod[7953]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- notice chmand[7594]: 012a0005:5: resetting chmand services
-- err snmpd[7952]: 010e0001:3: Cannot communicate with MCPD server.
-- err mysqlhad[7596]: 014e0006:3: MCP Failure: 1.
-- err zxfrd[7962]: 0153e0f7:3: Lost connection to mcpd.
-- err tmrouted[6299]: 01910013:3: FATAL error: 6 irrecoverable MCP I/O error (Unknown error 16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: MCP msg receive (16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: Socket read (16908291).

Conditions:
-- AFM configuration.
-- Devices in a device group trust configuration.
-- Device group configured with Autosync enabled.
-- Importing a configuration with a very large number of nested address lists (for example, 12000 nested address lists).

Impact:
mcpd cores.

Workaround:
Split the configuration into smaller chunks (e.g., 1000 address lists each) and load them one at a time.

697259-1 : Different versioned vCMP guests on the same chassis may crash.

Solution Article: K14023450

Component: Local Traffic Manager

Symptoms:
The vCMP guest TMM crashes soon after startup.

Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.

Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.

Workaround:
None.

696731-1 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled

Solution Article: K94062594

Component: TMOS

Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.

Conditions:
Administrative disabling an interface on BIG-IP

Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.

Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.

696363 : Unable to create SNMP trap in the GUI

Component: TMOS

Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.

Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.

Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.

Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.

Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.

695985-1 : Access HUD filter has URL length limit (4096 bytes)

Component: Access Policy Manager

Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.

Conditions:
Any URL with a request consisting of more than 4096 bytes.

Impact:
The URL cannot be processed, and client gets a RST.

Workaround:
None.

695925-3 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using tmsh show sys connection

695707-3 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection

Component: Local Traffic Manager

Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.

Conditions:
Close an MPTCP connection.

Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.

Workaround:
There is no workaround at this time.

695401 : QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile

Component: Fraud Protection Services

Symptoms:
when FPS signature update defines a URL with a query string, and defines a custom alert for that URL, the alert will not be sent if there is no URL with a query string configured on the FPS profile.

Conditions:
1. Custom alert for a URL with query string.
2. There are. no URLs with query string configured on FPS profile

Impact:
System does not send alert.

Workaround:
Define a URL (potentially a placeholder URL) with query string on FPS profile.

695109-3 : Changes to fallback persistence profiles attached to a Virtual server are not effective

Solution Article: K15047377

Component: Local Traffic Manager

Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.

Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.

Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.

Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.

695090 : In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled

Component: TMOS

Symptoms:
In rare situations, hardware syncookies may be sent for the traffic received on a L7 virtual server even though hardware syncookie protection is disabled on the virtual server.

Conditions:
It is unknown what triggers this error condition at this point.

Impact:
Some of the TCP options are not supported under hardware syncookie protection mode.

Workaround:
There is no workaround at this time.

694934-3 : bd crashes on a very specific and rare scenario

Component: Application Security Manager

Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.

Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.

Impact:
bd crashes.

Workaround:
None.

694897-4 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.

Component: TMOS

Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.

Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1 GB interfaces.
-- On i4x00 platforms.

Impact:
PFMAND cores.

Workaround:
Use only F5 branded Copper SFPs

694697-3 : clusterd logs heartbeat check messages at log level info

Solution Article: K62065305

Component: Local Traffic Manager

Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.

Workaround:
Set log.clusterd.level to notice.

694656-3 : Routing changes may cause TMM to restart

Solution Article: K05186205

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.

693996-3 : MCPD sync errors and restart after multiple modifications to file object in chassis

Solution Article: K42285625

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.

693910-2 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transition to a STP blocked state. This is because the FDB entries are not being flushed on these interfaces after they change to a block state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.

693901-3 : Active FTP data connection may change source port on client-side

Component: Local Traffic Manager

Symptoms:
The active FTP data connection on the client-side may use source port other than what was configured in the 'Data Port' parameter of the FTP profile.

Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.

Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.

Workaround:
None.

693884-3 : ospfd core on secondary blade during network unstability

Component: TMOS

Symptoms:
ospfd core on secondary blade while network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
Dynamic routing process ospfd core on secondary blade.

Workaround:
None.

693582-3 : Monitor node log not rotated for icmp monitor types

Component: Local Traffic Manager

Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.

Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp

Impact:
Depending on the affected BIG-IP version in use, affects may include:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.

Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).
If symptom #1 (from Impact section above) occurs, Monitor Logging can be re-enabled after log rotation has occurred.
To address symptom #2 or #3 (from Impact section above), Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors

693563-3 : No warning when LDAP is configured with SSL but with a client certificate with no matching key★

Solution Article: K22942093

Component: TMOS

Symptoms:
When LDAP auth is configured with SSL:

- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.

Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.

Impact:
LDAP auth fails. There is no warning that the auth failed.

Workaround:
Configure a key that matches the specified client certificate.

693515 : A '+' character in a log profile name causes import to fail

Component: Advanced Firewall Manager

Symptoms:
When there is a '+' character in log profile name, importing the module on BIG-IQ fails as '+' is treated as a reserved character.

Impact:
Import fails due to reserved character

Workaround:
Do not use '+' in the name.

693308-3 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Component: Local Traffic Manager

Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.

Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both, client and server side
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.

Impact:
The backend server will not be securely accessible via SSL because the connection hangs

Workaround:
Disable SSL Session Persistence.

693246-1 : SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time.

Component: TMOS

Symptoms:
This seems to happen very infrequently. Symptoms vary from a simple TMM restart up to a blade reset. LTM log will show a sod message complaining about TMM heartbeats, followed later by SIGABRT messages from TMM.

Conditions:
TMM has not reported its heartbeat for a long enough period of time. The specific circumstances are unknown, but the issue has been seen with moderate-to-heavy system loads.

Impact:
Interruptions in data path processing. The interruption can be short for a simple TMM restart, longer for a full blade restart. Though these events altogether are rare, when they happen, it appears the simple TMM restart is more common than the blade restart.

Workaround:
None.

692753-3 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell

Component: TMOS

Symptoms:
Shutting down trap not sent when shutdown -r or shutdown -h issued from shell.

Conditions:
When user access the linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP does not send shutting down trap.

Impact:
None.
Since this is user triggered command, the user is aware of the shutdown event, so the lack of trap is not critical.

Workaround:
None

692239-1 : AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds

Solution Article: K31554905

Component: TMOS

Symptoms:
When using the AOM menu to power off then on the host CPU on i5600, i5800, i7600, i7800, i10600, i10800 platforms, the AOM creates a 'Host Power Cycle Event' SEL log entry every two seconds. The SEL log will continue to grow until external power to the appliance is fully power cycled.

Conditions:
-- Running on i5600, i5800, i7600, i7800, i10600, i10800 platforms.
-- With an older version of CPLD code installed (e.g., CPLD 0x45), bring up the AOM menu using ESP shift-9, then select 'p' and '0' from the menu to power off the host CPU complex.
-- Wait a few seconds, then select 'p' and '1' to power on the host CPU complex.

Impact:
This will result in ongoing 'Host Power Cycle Event' messages to post the the SEL log ( tail /var/log/sel ) every two seconds.

The SEL log will continue to grow and wrap as this message continues to post to the SEL log every two seconds.

This results in a very large number of SEL entry fetches by the host CPU to the AOM and can places a substantial load on the AOM interface.

Workaround:
The actual fix is to install a newer version of i5600, i5800, i7600, i7800, i10600, i10800 platform CPLD code (e.g., CPLD 0x54 or CPLD 0x55).

Another workaround is to fully power cycle the appliance.
However, every time AOM menu is used to power off then on the host, this SEL log entry will re-appear.

692189-3 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd

692172-2 : rewrite profile causes "No available pool member" failures when connection limit reached

Component: TMOS

Symptoms:
ltm rewrite profile (with mode uri-translation) can cause connections on ltm forwarding virtual server to be terminated with reason "No available pool member".

Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.

Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.

Workaround:
An iRule which selects default pool on HTTP_REQUEST:

when HTTP_REQUEST priority 1000 {
pool [LB::server pool]
}

692165-2 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.

691992 : MSTP: CIST bridge priority changes after adjusting the MSTI priority.

Component: Local Traffic Manager

Symptoms:
Changing the priority of a non-zero region MSTP instance results in BPDUs advertising a change to the CIST Bridge Priority, but not for the expected MSTID instance.

Conditions:
Issue a STP MSTID priority modify request.

Impact:
Changing the MSTID priority for forcing the BIG-IP system to become the root bridge, does not work as expected.

Note: F5 Networks recommends against having the BIG-IP system become the root bridge.

Workaround:
After modifying the MSTID priority, also restart the STP daemon (stpd) to have the BPDUs advertising the expected CIST/MSTID priorities.

691785-3 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes

Component: Local Traffic Manager

Symptoms:
The bcm570x driver will cause TMM to core with the log message:

panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.

Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.

Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

691749-3 : Delete sys connection operations cannot be part of TMSH transactions

Component: TMOS

Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.

Conditions:
Include delete sys connection operations in TMSH transactions.

Impact:
TMSH freezes up and transactions do not complete.

Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.

691589 : When using LDAP client auth, tamd may become stuck

Component: TMOS

Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.

Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.

Impact:
Authentication to the virtual server fails until tamd is restarted.

Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd

691491-3 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Solution Article: K13841403

Component: TMOS

Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.

Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.

Workaround:
Use OID sysInterfaceMediaActiveSpeed.

691224-1 : Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled

Solution Article: K59327001

Component: Local Traffic Manager

Symptoms:
Node Server rejects received-and-incomplete ClientHello message and connection terminates.

Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.

Impact:
With Session Persistence enabled
-- The parser fails to reassemble fragmented ClientHello messages prior to passing it on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.

Workaround:
The issue disappears when SSL Persistence is disabled.

691048-3 : Support DIAMETER Experimental-Result AVP response

Solution Article: K34553736

Component: Service Provider

Symptoms:
When the Diameter server returns an answer message with an Experimental-Result AVP, but doesn't have Result-Code AVP inside, then the server side flow is aborted.

Conditions:
Diameter answer message doesn't have Result-Code AVP available, but with Experimental-Result AVP.

Impact:
The server side flow is aborted.

Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.

690890-3 : Running sod manually can cause issues/failover

Component: TMOS

Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.

Conditions:
Accidentally or intentionally executing the command 'sod'.

Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.

Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.

690793-2 : TMM may crash and dump core due to improper connflow tracking

Solution Article: K25263287

Component: TMOS

Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.

Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.

While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.

Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.

Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.

However, this does not eliminate entirely the chances of running into this issue.

690781 : VIPRION systems with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests

Component: TMOS

Symptoms:
VIPRION systems equipped with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests.

The system will allow all four guests to created, but the one deployed last will not work correctly.

Specifically, the guest deployed last will fail to access TMM networks.

Additionally, the hypervisor will log messages similar to the following example to the /var/log/ltm file:

info bcm56xxd[13741]: 012c0016:6: FP(unit 0) Error: Group (6) no room.
err bcm56xxd[13741]: 012c0011:3: entry create failed: SDK error No resources for operation bs_field.cpp(447)
err bcm56xxd[13741]: 012c0011:3: geteid_qualify_egress failed: SDK error No resources for operation bs_field.cpp(2009)
err bcm56xxd[13741]: 012c0011:3: program dest mod/port rule failed: SDK error No resources for operation bs_vtrunk.cpp(5353)
err bcm56xxd[13741]: 012c0011:3: vdag class L4 redirect failed: SDK error No resources for operation bs_vtrunk.cpp(3261)

Conditions:
This issue occurs when the following conditions are met:

- A C2400 VIPRION chassis is equipped with four B2100 or B2150 blades.

- A vCMP configuration consisting of four 1-slot 8-core guests was put in place (in other words, four full-blade guests).

Impact:
One guest does not function properly as it cannot access TMM networks. All traffic fails to pass.

Workaround:
This issue is caused by a hardware limitation on B2100 and B2150 blades preventing this specific vCMP configuration from instantiating correctly.

As a workaround, you must specify different vCMP guest sizes.

For instance, you could use one of the following configurations:

- Four 2-slot 4-core vCMP guests (although not the same, this yields the same total number of TMM instances as the affected vCMP configuration).

- Three 1-slot 8-core vCMP guests and two 1-slot 4-core vCMP guests (for example, you might use the smaller vCMP guests for development and staging purposes, leaving the full-blade guests for production).

690778-3 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule

Solution Article: K53531153

Component: Local Traffic Manager

Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.

Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.

Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.

Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.

690316 : Software syncookies are sent for FastL4 virtual server with software syncookies disabled

Component: Local Traffic Manager

Symptoms:
If a virtual server using FastL4 is configured with software SYN cookies disabled and global hardware SYN cookies disabled using the pvasyncookies.enabled DB setting, then software SYN cookies may still be sent if a SYN flood occurs on the VIP.

This can be observed by seeing that the virtual server went into syncookie mode in the LTM logfile.

Conditions:
If the FastL4 profile has software-syn-cookie disabled, hardware-syn-cookie enabled, and the pvasyncookies.enabled db setting is set to false.

Impact:
The VIP enters SYN cookie mode.

Workaround:
Both hardware-syn-cookie and software-syn-cookie should be disabled in the FastL4 profile.

689982-1 : FTP Protocol Security breaks FTP connection

Component: Application Security Manager

Symptoms:
FTP Protocol Security breaks FTP connection.

Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.

Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.

Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.

1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.

689779 : VE HyperV packet drops under load due to interrupt distribution

Component: TMOS

Symptoms:
A small number of dropped inbound packets to the BIG-IP system while under load.

Network captures on a virtual port mirror show that the packets are making it to the BIG-IP VE, but the packets are not seen by tmm or Linux by tcpdumping on 0.0, 1.1, or eth1.

Conditions:
HyperV Virtual Edition (VE) v12.1.x or earlier.

Impact:
Performance and network degradation due to packet loss.

Workaround:
None.

689583-3 : Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.

Component: Global Traffic Manager (DNS)

Symptoms:
Running big3d from the command line with arguments other than '-v' or '-version' might cause a GTM disruption. When viewing /var/log/gtm, you might see messages similar to the following:
notice big3d[4131]: 012b0020:5: Executable /shared/bin/big3d timestamp is newer than (or the same as) /usr/sbin/big3d.
notice big3d[4137]: 012b0018:5: Respawning to run /shared/bin/big3d.
err big3d[4026]: 012b1015:3: Error 'Address already in use' attempting to bind to socket.

Conditions:
This occurs when attempting to get the big3d version and accidentally typing an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit. Here are some examples (note the double-dash in the first example):
big3d --version
big3d
big3d -xyz
big3d -d

Impact:
GTM server goes red momentarily.

Workaround:
There is no workaround other than not specifying an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit.

689567-3 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned

Component: TMOS

Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.

Conditions:
You have an iSeries platform with no AAM license.

Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.

Workaround:
No workaround at this time.

689437-2 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Solution Article: K49554067

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.

689361-3 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.

689343-3 : Diameter persistence entries with bi-directional flag created with 10 sec timeout

Component: Service Provider

Symptoms:
Diameter persistence entries have timeout value less than 10 seconds, although the configured persistence timeout is 120 seconds

Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.

Impact:
The persist timeout is less than 10 seconds, thus subsequent requests will be dispatched to other pool member.

Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.

689231 : MSSQL filter assumes 64-bit token done row count field

Component: Local Traffic Manager

Symptoms:
Virtual server with MSSQL profile gets tds internal error (Out of bounds) error message. This occurs when the row count of token done is not 64-bit, in which case the connection will be closed with a reset.

Conditions:
-- This occurs using the MSSQL profile for the virtual server.
-- Pool member is running Microsoft SQL Server 2016 with TDS version is 7.1 or earlier.

Impact:
Get reset cause: Packet capture RST cause: [23db241:1807] tds internal error (Out of bounds).

Unable to use TDS 7.1 or earlier with MSSQL filter.

Workaround:
Use TDS 7.2 or later. TDS 7.2 and later use 64-bit row count field for token done.

689211-2 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }

Component: TMOS

Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.

Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.

Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.

Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.

Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
bigstart restart

689147-1 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.

689002-1 : Stackoverflow when JSON is deeply nested

Component: TMOS

Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.

Conditions:
Deeply nested JSON returned from iControl-REST.

Impact:
icrd_child process coredumps.

Workaround:
None.

688833-2 : Inconsistent XFF field in ASM log depending violation category

Component: Application Security Manager

Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.

Conditions:
Viewing the XFF results in ASM log.

Impact:
This might cause problems with the syslog filters configured on the remote loggers.

Workaround:
Put in the rules that the client is using both 'xff ip' and 'xff_ip'.

688813-1 : Some ASM tables can massively grow in size.

Solution Article: K23345645

Component: Application Visibility and Reporting

Symptoms:
/var/lib/mysql mount point gets full.

Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).

Impact:
While other dimensions are being collapsed correctly, the Device ID field is not being collapsed causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.

Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.

688629-3 : Deleting data-group in use by iRule does not trigger validation error

Component: Local Traffic Manager

Symptoms:
iRule aborts due to failed commands, causing connflow aborts.

Conditions:
-- Delete a data group.
-- iRule uses that data-group on a virtual server

Impact:
In use data-group can be deleted without error. iRule aborts leading to connflow aborts.

Workaround:
Don't delete data-groups in use by an iRule.

688570-3 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes

Component: Local Traffic Manager

Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.

Conditions:
An MPTCP connection is closed.

Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.

Workaround:
There is no workaround at this time.

688557-3 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'

Solution Article: K50462482

Component: Local Traffic Manager

Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.

Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.

Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.

Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).

688542-1 : SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request

Component: Local Traffic Manager

Symptoms:
The version of the SASP monitor requests updates only from the SASP GWM (Global Workload Manager) for members whose state has changed from what the GWM last reported. The previous version of the SASP monitor requested periodic updates for all members monitored by the GWM.

Conditions:
Running the version of the SASP (Server/Application State Protocol) monitor included in post-12.1.2 BIG-IP software.

Note: This behavior does not occur with previous versions of the SASP monitor, included in pre-12.1.2 versions of BIG-IP software.

Impact:
This change in behavior from the previous SASP monitor implementation has not been confirmed to cause any observable symptoms. If any symptoms are observed which are suspected to be the result of this change, a support request should be opened with F5 support for further investigation.

Workaround:
None.

688406-3 : HA-Group Score showing 0

Solution Article: K14513346

Component: TMOS

Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.

Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.

Impact:
The total score is not calculated. An incorrect score value is displayed.

Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.

688335-3 : big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager (DNS)

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
big3d_install -use_ssh <target IP>

688266-3 : big3d and big3d_install use different logics to determine which version of big3d is newer

Component: Global Traffic Manager (DNS)

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.

688177-2 : Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade

Component: Device Management

Symptoms:
Following a BIG-IP software upgrade (for example, from version 11.5.4 to version 11.6.1), local users with Administrator role may be changed to Guest role.

Conditions:
The BIG-IP configuration includes one or more local accounts with Administrator role (other than the 'admin' user).

Please note that this issue does not occur on every upgrade, but has roughly a 10% probability of occurring.

Impact:
Administrator users other than 'admin' have no access after the upgrade.

The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.

Workaround:
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.

688148-1 : IKEv1 racoon daemon SEGV during phase-two SA list iteration

Component: TMOS

Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.

Conditions:
Deleting phase-two SAs, either manually or in response to notifications.

Impact:
IKEv1 tunnel outage until the racoon daemon restarts.

Workaround:
None.

687807-3 : The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception

Component: Local Traffic Manager

Symptoms:
When there is a file named *.crt.csr in folder /config/ssl/ssl.csr/, the GUI posts an error on page: System :: Device Certificates : Device Certificate :: Device Certificate: An error has occurred while trying to process your request.

Conditions:
The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/.

Impact:
-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
   + Inconsistently manages those files improperly.
   + May return errors on System :: Device Certificates : Device Certificate :: Device Certificate (e.g., 'An error has occurred while trying to process your request.').
   + May confuse objects (e.g., 'web-server.crt' and 'web-server.crt.csr').
   + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing these files, and reports an error.

Workaround:
Rename the csr file suffix from '.crt.csr' to '.csr'.

687617-3 : DHCP request-options when set to "none" are reset to defaults when loading the config.

Component: TMOS

Symptoms:
Config load resets the request-option in "tmsh sys management-dhcp" to its default value when they are set to "none" in configuration.

Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".

Impact:
User configuration is reverted as a side-effect of config load.

Workaround:
request-option specify the minimal set of configuration that DHCP server must provide as part of the lease. Setting it to "none" defeats the whole purpose of DHCP. It's better to set it to a minimal value like "routers, subnet-mask" in order to have management connectivity.

687579 : TMSH incorrectly allows settings snat-translation ip-idle-timeout to zero.

Component: Local Traffic Manager

Symptoms:
The configuration setting ' ip-idle-timeout' on the snat-translation object allows zero as a possible value.

Conditions:
Entering the following tmsh command:
tmsh create ltm snat-translation <snat-address> ip-idle-timeout 0

Impact:
The configuration will be invalid. This may cause issues with upgrades and the BIG-IP may not pass traffic correctly or as expected.

Workaround:
Do not set the snat-translation ip-idle-timeout to 0 using tmsh.

687343-3 : Running 'load sys config merge verify' will add new users to the PostGres database

Component: TMOS

Symptoms:
Running 'load sys config merge verify' will add new users to the PostGres database. The system posts an error similar to the following:

010719a2:3: PostgreSQL database error: ERROR: duplicate key value violates unique constraint "auth_user_pkey"
DETAIL: Key (name)=(admin1) already exists.

Conditions:
Issue occurs only under the following conditions:
-- 'load config merge verify' of configurations including user definition.
-- Attempt to create user with same name using 'load config merge', 'create user', or GUI options.

Impact:
It is not possible to use the verify argument when using 'load sys config merge' with configurations containing user definitions.

'verify' argument to 'load sys config' does not prevent or rollback side effects

Workaround:
Manually remove the user data from the PSQL database; from a bash prompt:

psql -U postgres

\c tmdb
DELETE FROM auth_user WHERE name='admin1'
DROP OWNED BY admin1
DROP ROLE admin1
DROP SCHEMA admin1 CASCADE
\q

687213-1 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED

Component: Access Policy Manager

Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry to establish VPN tunnel.

Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.

Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.

Workaround:
None.

687172 : Pools do not appear as expected after deploying iApp via iWorkflow

Component: TMOS

Symptoms:
Only two of three pools are visible in the iApp view on the BIG-IP system after deploying via iWorflow 2.2, though the pool can be found as expected in the Pools view.

Conditions:
-- After deploying via iWorflow 2.2.
-- Using iApp to view configured pools.

Impact:
Unreliable query response can result in unexpected behavior.

Workaround:
Do not rely on the iApps Component View, but inspect
BIG-IP (management GUI) Local Traffic pages such as
Local Traffic :: Pools : Pool List or examine the
/config/bigip.conf file to ascertain whether a desired
BIG-IP configuration has been created.

687044-2 : tcp-half-open monitors might mark a node up in error

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
tmsh modify sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.

686816-3 : Link from iApps Components page to Policy Rules invalid

Component: TMOS

Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.

Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.

Impact:
Cannot navigate to the policy rule directly from the Components page.

Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.

686718 : VPN tunnel adapter stays up in some cases

Component: Access Policy Manager

Symptoms:
In some cases, the VPN tunnel adapter created by the VPN client stays up even when the tunnel is disconnected.

Conditions:
-- Application launch on VPN establishment is configured on APM.
-- Launched application is not closed.

Impact:
This is a cosmetic issue with no functionality impact. Subsequent launch of VPN creates a new tunnel adapter.

Workaround:
Close the launched application.

686626-2 : The BIG-IP system may connect to an OCSP server using an unexpected source IP address

Component: TMOS

Symptoms:
BIG-IP systems configured to perform OCSP Stapling may connect to an OCSP server using an unexpected source IP address.

The source IP address picked by the BIG-IP system may be something that doesn't exist at all in its configuration.

Additionally, the source IP address picked by the BIG-IP system may appear corrupted or invalid to an Administrator (for example: 0.0.0.112).

Conditions:
Required configuration:

1) The BIG-IP system is running a version prior to 13.0.0.

2) The BIG-IP system is deployed as an IPv4/IPv6 multihoming device.

3) The DNS Resolver used by the OCSP Stapling configuration belongs to a non-0 route domain.

4) The virtual servers performing OCSP Stapling belong to a non-0 route domain different than the one used by the DNS Resolver.

5) Virtual servers using OCSP Stapling include both IPv4 and IPv6 destinations.

6) The OCSP server FQDN resolves to an A record.

With these conditions in place, the issue occurs when a client attempts a connection to one of the OCSP Stapling-enabled IPv6 virtual servers, and this needs to connect to an IPv4 OCSP server.

The source IP address used by the BIG-IP system will be an IPv4 address containing the last 4 bytes of an IPv6 Self-IP address configured on the BIG-IP system.

Impact:
The BIG-IP system fails to perform OCSP Stapling, and the unusual traffic may trigger alarms on your network.

The actual impact is limited, as clients who request validation of the certificate status and do not get it should be able to perform it on their own.

Workaround:
Where possible, you can work around this issue by re-configuring the BIG-IP system so that some of the conditions required for this issue to occur no longer apply.

686563-3 : WMI monitor on invalid node never transitions to DOWN

Component: Local Traffic Manager

Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes timeout or monitor responses indicate an error. However, an WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).

Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.

Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.

Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.

686547-3 : WMI monitor sends logging data for credentials when no credentials specified

Component: Local Traffic Manager

Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.

Conditions:
A WMI monitor is configured without including the required username/password credentials.

Impact:
The monitored object will be marked 'down'.

Workaround:
Configure the WMI monitor to include the username/password credentials.

686376-1 : Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon

Component: Advanced Firewall Manager

Symptoms:
When there are scheduled firewall rules, and the BIG-IP system is restarted or PCCD daemon is restarted, new blob compilation succeeds, but TMM fails to activate the new blob. Both GUI and TMSH show error status: Firewall rules deployment failed. After the system gets in this state it cannot be fixed except by removing or disabling all scheduled firewall rules.

Conditions:
-- There are scheduled firewall rules.
-- The BIG-IP system is restarted or the PCCD daemon is restarted.

Impact:
After this failure, firewall rules are not applied on data traffic.

Workaround:
Remove or disable all scheduled firewall rules.

686318 : Inter TMM Caching Delay

Component: WebAccelerator

Symptoms:
In some rare circumstances on VE instances, the transmission of updated cache information from TMM to TMM can be delayed.

Conditions:
VE instances.

Impact:
Different TMM hot content caches may serve different versions of the same document from cache.

Workaround:
None

686206-1 : Machine Info agent does not collect complete information on disconnected network adapters

Component: Access Policy Manager

Symptoms:
On Mac OS X, the BIG-IP APM Machine Info agent does not collect information for disconnected network adapters.

On Microsoft Windows, the BIG-IP APM Machine Info agent does not collect the MAC address of disconnected network adapters.

Conditions:
Machine info agent is configured in the access policy.

Impact:
Access policy evaluation may yield incorrect results if a access policy node depends on this information.

Workaround:
There is no workaround at this time.

686124-3 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Component: TMOS

Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Conditions:
Events causing deletion of phase one IKE SAs.

Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Workaround:
None.

686101-3 : Creating a pool with a new node always assigns the partition of the pool to that node.

Solution Article: K73346501

Component: Local Traffic Manager

Symptoms:
When creating a node while creating a pool, the partition of the node is set to the one of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }

Conditions:
Creating a node while creating a pool in a partition different from the node.

Impact:
The node is displayed in the wrong partition.

Workaround:
Create a node separately and then add it to the pool.

685915-1 : Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured

Component: Global Traffic Manager (DNS)

Symptoms:
If a DNS Express zone that has Verify Notify TSIG checked gets a notify with no TSIG at all, unsigned notifies are not processed.

Conditions:
Unigned notify is received when Verify Notify TSIG is checked.

Impact:
Unsigned notifies are not processed

Workaround:
There is no workaround at this time.

685820-1 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not

Component: Advanced Firewall Manager

Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.

In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections were always silently dropped after HA-failover.

Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.

Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.

Workaround:
None.

685741 : DoS Overview is very slow to load data, to the point of timeout

Component: Application Visibility and Reporting

Symptoms:
When logs contains more than 1 million records, loading of attacks data is extremely slow and requires many SQL queries.

Conditions:
N/A

Impact:
DoS Overview page is unusable

Workaround:
N/A

685582-5 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...

685519-3 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.

685458-5 : merged fails merging a table when a table row has incomplete keys defined.

Component: TMOS

Symptoms:
There is as timing issue in merged where it will fail processing a table row with incomplete keys defined.

Conditions:
There are no specific conditions required, only that merged is running, which is true on every BIG-IP system, when the BIG-IP system is processing a table row with incomplete keys defined.

Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.

Impact:
There will be a few second gap in available statistics during the time when a core is being created and merged restarts.

Workaround:
None.

685233-2 : tmctl -d blade command does not work in an SNMP custom MIB

Solution Article: K13125441

Component: TMOS

Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.

Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.

Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.

Workaround:
Instead of tmctl -d blade, use the following command:
tmctl -d /var/tmstat/blade.

685230-1 : memory leak on a specific server scenario

Component: Application Security Manager

Symptoms:
The bd process memory increases.

Conditions:
A specific server scenario of handling the traffic.

Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.

Workaround:
There is no workaround at this time.

685164-3 : In partitions with default route domain != 0 request log is not showing requests

Solution Article: K34646484

Component: Application Security Manager

Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.

Conditions:
Select a partition whose default route domain is not 0 (zero).

Impact:
No requests in request log.

Workaround:
As a partial workaround, you can use [All], but it's read only.

684319-2 : iRule execution logging

Component: Local Traffic Manager

Symptoms:
iRule execution can block tmm from getting CPU cycles.

Conditions:
when executing iRule TCL with e.g. a tight while loop, tmm will miss to sent its heartbeat. This change adds additional logging around this.

Impact:
Logging shows now iRule perpetrator.

Workaround:
No workaround.

684096-1 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
query for stats such as https://<host>/mgmt/tm/ltm/pool/p1/stats

Impact:
incorrect self-link returned

Workaround:
be mindful when parsing the self-link

683706-1 : Pool member status remains 'checking' when manually forced down at creation

Component: Local Traffic Manager

Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.

Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.

Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.

683454 : HTTP::header command may crash TMM on an erroneous argument

Solution Article: K99294671

Component: Local Traffic Manager

Symptoms:
An iRule command 'HTTP::header insert' or 'HTTP::header remove' allows manipulation of HTTP headers. The iRule accepts arguments that might result in an error if they have an invalid format. TMM generates an internal Tcl error for the argument but continues to process the command. This might cause TMM to crash.

Conditions:
-- iRule is associated with a virtual server.
-- The iRule contains either or both of the 'HTTP::header insert' and 'HTTP::header remove' commands.
-- An argument in the command generates a Tcl error.

Impact:
TMM crashes causing failover and possible disruption in processing traffic.

Workaround:
Sanitize arguments for the command to prevent TCL error.

683177-2 : Can't drilldown or filter by 'Client Countries'

Component: Application Visibility and Reporting

Symptoms:
When drilling down or filtering by 'Client Countries' (Security :: Reporting : Application : Charts) there is an error in the GUI.

Conditions:
-- ASM is provisioned.
-- Attempt to drill down or filter by 'Client Countries'.

Impact:
Internal Error is displayed in the GUI.

Workaround:
1. Edit file: /etc/avr/monpd/monp_asm_entities.cfg.
2. Delete line 171: (dim_authz_filter=vip_crc).
3. Issue the command: bigstart restart monpd.

683061-2 : Rapid creation/update/deletion of the same external datagroup may cause core

Component: Local Traffic Manager

Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.

Conditions:
Using external datagroup, rapidly creating updating and then deleting it.

Impact:
TMM fails

Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.

683029-2 : Sync of virtual address and self IP traffic groups only happens in one direction

Component: TMOS

Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.

Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)

Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.

Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.

682751-5 : Kerberos keytab file content may be visible.

Component: Access Policy Manager

Symptoms:
Kerberos keytab file content may be visible.

Conditions:
Import a Kerberos keytab file.

From the command line, check the file permissions. It is readable.

Impact:
keytab is similar to a private key file and should not be readable.

Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.

681782-4 : Unicast IP address can be configured in a failover multicast configuration

Solution Article: K30665653

Component: TMOS

Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.

Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.

Impact:
Failover multicast configuration does not work.

Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.

681673-2 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results

Component: Local Traffic Manager

Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC addresses.

Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.

Impact:
There is not enough information to map the outgoing MAC address to a multi-cast group, and therefore it gets a default entry added that has no ports mapped. The result is that the frame will not go out the interface indicated in the tmsh command yet no warning is provided.

Workaround:
None.

680680-2 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command

Component: Local Traffic Manager

Symptoms:
in BIG-IP version 10.x, the POP3 monitor sent STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).

Conditions:
POP3 monitor set up on a mailbox.

Impact:
If the polled mailbox used in the monitoring has a huge amount of messages, the STAT command might fail to return results in time.

Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).

680264 : HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags

Solution Article: K18653445

Component: Local Traffic Manager

Symptoms:
Intermittently, HTTP2 experiences protocol resets.

Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.

For example, the following returns the incorrect header length:
(0xFF BYTE1) next byte, http2_arbint_read.

Impact:
Unexpected loss of HTTP2 frames due to protocol resets.

Workaround:
No effective workaround.

679735-1 : Multidomain SSO infinite redirects from session ID parameters

Component: Access Policy Manager

Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.

In a packet capture, the policy will complete on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server will not be able to find the session, and will redirect back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.

Conditions:
Application with URL paramater containing 'sid', 'sess', or 'S' while using multidomain SSO.

Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.

Workaround:
None.

679613-2 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'

Solution Article: K23531420

Component: Local Traffic Manager

Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.

Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.

Impact:
Incorrect routing/switching of traffic.

Workaround:
Use VLANs with a tag value different from '1'.

679605-1 : Device groups with no members will cause upgrade to fail

Component: TMOS

Symptoms:
An empty device group will fail upgrade with this error message:

Syntax Error:(/config/bigip_base.conf at line: 37) "save-on-auto-sync" unexpected argument

Conditions:
This only affects systems with empty device groups.

Impact:
Configuration will fail to load after the upgrade.

Workaround:
Remove the empty device group before upgrading. An empty device group has no effect on the system, so this is a safe action to take.

679431-3 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module the 'sh ipv6 interface <interface> brief' command does not show header

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief

679316-1 : iQuery connections reset during SSL key renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
When iQuery data is sent during SSL key renegotiation.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Workaround:
None.

679027 : Rare memory corruption in tmrouted while license is being reset

Component: TMOS

Symptoms:
tmrouted core due to memory corruption while license is being reset.

Conditions:
Rarely, when license file is being reset, tmrouted could core.

Impact:
restart of tmrouted daemon

678450-3 : No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.

Component: Local Traffic Manager

Symptoms:
When 'Source Port: Preserve Strict' option is configured in performance L4 virtual servers, the 'F5RST port in use' packet is not sent, and connection hangs until timeout.

Conditions:
-- Connect to client and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Connect to client2 and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Modify virtual server vs_web type on LTM and repeat.

When the virtual server is standard "F5RST port in use" is sent. When the virtual server is performance L4 is not.

Impact:
Connection hangs. No increase for port-in-use stats when using the following commands:
tmsh show /net rst-cause.

Workaround:
None.

678380-3 : Deleting an IKEv1 peer in current use could SEGV on race conditions.

Component: TMOS

Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.

Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.

Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.

Workaround:
None.

678322 : Missing Response Page for 'Login' is not populated upon upgrade

Component: Application Security Manager

Symptoms:
In a rare case, an error appears due to missing 'Login' Response Page when viewing Response Pages in ASM policy.

Conditions:
An ASM policy is missing a record for 'Login' Response Page. It's not clear how this condition was caused.

Impact:
An error appears:

Could not retrieve Login Page Response; Error: Could not get the ResponsePage 'Persistent Flow Response Page Properties', No matching record was found.

Workaround:
Missing Response Page can be added using this query:

mysql> INSERT IGNORE INTO PL_ALTERNATE_RESPONSES (policy_id, cause, response_type, alternate_response_header, alternate_response_content, redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rest_uuid) SELECT p.id as policy_id, cause, response_type, alternate_response_header, alternate_response_content, redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rp.rest_uuid
FROM PL_POLICIES p JOIN PL_ALTERNATE_RESPONSE_DEFAULTS rp where rp.flg_load_defaults = 1;

678254-2 : Error logged when restarting Tomcat

Component: TMOS

Symptoms:
An error is logged after restarting Tomcat and using the web UI.

Conditions:
Using the web UI to restart tomcat.

Impact:
An error is logged after restarting Tomcat and using the web UI.

Workaround:
There is no workaround.

678117-1 : 'Can't create a home directory' logged for remote users on secondary blades after configsync

Component: TMOS

Symptoms:
When a remotely authenticated user logs in, a new entry is created in /config/bigip/auth/userrolepartitions. During config sync operations, the secondary blade of the device receiving the config, logs the following errors:

-- err mcpd[7575]: 01070261:3: Can't create a home directory for username /home/<username> (Failed opening home directory: /home/<username> - No such file or directory)

There is no /home/<username> on the device used as the source of the config sync.

The error message is logged on the secondary blade (of the target system) but not the primary one.

Conditions:
1. Remote user username in /config/bigip/auth/userrolepartitions.
2. No home directory for the remote user in /home/.

Impact:
There is no apparent impact beyond the error message, which sounds quite serious, but has no functional impact.

Workaround:
Create local user account for remote authenticated users.

To do so using the GUI, navigate to System :: Users : User List, and click Create.

678066 : LTM Policy Tcl-enabled values require 'tcl:' prefix★

Component: Local Traffic Manager

Symptoms:
Prior to BIG-IP v12.1.0, LTM Policy implicitly allowed certain fields to contain Tcl expressions, which would be evaluated and used at runtime. Version 12.1.0 expanded the number of LTM Policy action fields that allow Tcl expressions, and also added the restriction that these fields must begin with the 4-character prefix tcl: to differentiate between a Tcl runtime expansion and a simple text string.

Conditions:
Pre-v12.1.0 LTM Policy containing an action that has a Tcl expression in one of the following actions, and does not begin with 'tcl:' prefix
   http-uri - value
            - path
            - query string
or
   http-reply - location

Impact:
The migration process, which should find this situation and automatically correct it, can miss in certain cases, leaving a configuration that may fail validation and not load.

Workaround:
Edit configuration file, manually add the 'tcl:' (without the quotes) prefix for the following actions:
http-uri plus value/path/query
http-reply plus location

677841-1 : Server SSL TLS session reuse with changed SNI uses incorrect session ID

Component: Local Traffic Manager

Symptoms:
If an iRule changes the SNI then the wrong session ID will be retrieved (using the original SNI).

Conditions:
Occurs when SNI is being modified by an iRule to an SNI that is different from the one specified in the server SSL profile.

Impact:
Connection may be rejected by the client if checking at the client occurs (Apache commonly does this). If the client finds that the SNI does not match the SNI in the session information, the connection may be rejected.

Workaround:
Disable SSL session cache. This has the side effect of reducing performance.

677666-3 : /var/tmstat/blades/scripts segment grows in size.

Solution Article: K60909141

Component: Local Traffic Manager

Symptoms:
Over time the /var/tmstat/blade/scripts file size grows.

Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.

Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out of memory condition.

Workaround:
No known workarounds.

677646-1 : System cannot boot up due to prior aborted installation★

Solution Article: K62171231

Component: Access Policy Manager

Symptoms:
System stuck at boot up and never comes up.

Conditions:
Running the rpm command was aborted.

Impact:
BIG-IP system not operational.

Workaround:
Run the following command to remove the extraneous files:

rm -f /shared/lib/rpm/__db.??? && shutdown -r now

677442 : Bulk crypto processing for SSL traffic may crash the traffic deaemon in rare cases.

Component: Local Traffic Manager

Symptoms:
Processing bulk crypto traffic may cause the traffic daemon to crash and restart.

Conditions:
When processing bulk crypto requests handled by the Nitrox-based accelerators, a rare memory corruption condition might cause a segmentation fault and cause a core dump. Currently the circumstances that trigger the corruption is not known.

Impact:
Traffic handling is temporarily disrupted until the traffic daemon TMM is restarted.

Workaround:
None.

677302 : Unable to save descriptions for firewall objects

Component: Advanced Firewall Manager

Symptoms:
System erases Description field of Address list/Port list objects when the object is modified.

Conditions:
-- Modifying an address/port definition for Address Lists or Port Lists/
-- Object contains a defined Description.

Impact:
Save operation erases Description.

Workaround:
Use tmsh to modify objects.

677270-2 : Trailing comments in iRules are removed from the config when entered/loaded in TMSH

Solution Article: K76116244

Component: Local Traffic Manager

Symptoms:
Comments at the bottom of an iRule (outside of any event stanza) end up missing from the config.

Conditions:
-- Merging an iRule in a config file in TMSH or entering the iRule manually in TMSH.
-- iRule comments are outside of any event stanza.

Impact:
Trailing comments in iRules are lost.

Workaround:
Use one or both of the following workarounds:

-- Make sure comments are inside of an event stanza.
-- Enter the iRule using the web GUI.

676854-1 : CRL Authentication agent will hang waiting on unresponsive authentication server.

Component: Access Policy Manager

Symptoms:
Some authentication requests never complete. APMD responsiveness degrades over time and eventually restarts.

Conditions:
The CRL Authentication server must be alive enough to accept connections but busy enough to drop requests without closing connections.

Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.

Workaround:
Restarting the CRL Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the CRL backend can detect the issue and allow recovery before the need for APMD to restart.

676643 : FTP passive monitor uses IP address from PASV (not monitor destination)

Component: Local Traffic Manager

Symptoms:
A curl-based Tcl monitor for an FTP passive monitor uses the IP address from the FTP PASV command, rather then the IP address from the monitor destination. This is different from legacy behavior, which ignored the IP address obtained in the PASV command (to always establish a data connection to the IP address defined in the monitor destination). FTP passive monitors reliant upon the legacy behavior may stop working (with the pool member always being marked 'down').

Conditions:
FTP monitor is configured for passive, where the FTP PASV command provides an IP address.

Impact:
This new behavior is correct (the FTP passive monitor should use the IP address from the PASV command). However, configurations assuming legacy behavior to ignore the IP address in the PASV command and instead rely upon the IP address in the monitor destination may stop working (with the pool member always being marked 'down').

Workaround:
This behavior is correct, but to avoid using the IP address in the PASV command, configure the FTP monitor for active mode.

676442-2 : Changes to RADIUS remote authentication may not fully sync

Solution Article: K37113440

Component: TMOS

Symptoms:
With multiple devices in a sync group, changes to remote authentication (for example, changes made using commands such as: tmsh modify auth radius system-auth servers replace-all-with { AAA_a AAA_b } ) will be effective on the device where the change was made.

And although the changes are synced to tmsh config on the other devices in the group, the changes are not effective on those devices, as may be observed by checking that the changes do not appear in /config/bigip/auth/pam.d/system-auth and /config/bigip/auth/pam.d/radius/system-auth.conf.

Conditions:
Devices in a sync group that will sync system-auth config.

Impact:
Changes to RADIUS authentication will not be effective throughout the device group.

Workaround:
After syncing RADIUS changes, run the following command on all devices:
tmsh save sys config && tmsh load sys config.

676395-1 : Syslog messages seen with error code while viewing ssl certificate detail with debug turned on.

Component: TMOS

Symptoms:
Log message starting with 'Filemap returns Error 1 for file' gets logged into syslog while viewing certificate details.

Conditions:
1. Turn on debug using the following command:
tmsh modify sys syslog daemon-from debug
2. Go to Certificate Management and navigate to view certificate details.

Impact:
No known impact other than the logged message.

Workaround:
Turn off debug using the following command:
tmsh modify sys syslog daemon-from notice

676300-7 : EPSEC binaries may fail to upgrade in some cases★

Solution Article: K04551025

Component: Access Policy Manager

Symptoms:
Windows client may fail to upgrade endpoint security package in some cases. This happens due to a corrupted registration of old endpoint security components.

Conditions:
Corrupted registry entry related to endpoint security components.

Impact:
Client may not be able to upgrade to latest endpoint package hosted on APM.

Workaround:
Remove the following registry keys from the registry:

Note: Use extra care editing the registry. Only remove the following keys, and no others.

"HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_CLASSES_ROOT\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"

"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"

"HKCU\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"

676223-2 : Internal parameter in order not to sign allowed cookies

Component: Application Security Manager

Symptoms:
ASM TS cookies may get big (up to 4k).

Conditions:
policy building is turned on (manual or automatic). There are allowed cookies.

Impact:
This increases web site throughput.

Workaround:
N/A

676107 : With admin account disabled, user cannot use token-based authentication

Component: Device Management

Symptoms:
To allow special characters in usernames when using remote authentication providers (LDAP, Radius, etc.) there are additional iControl REST calls during the login process to detect the authentication source type. Since there is no system account on the BIG-IP system, the operation uses the hardcoded admin account to perform that function. If the admin account is disabled, this fails, so the user cannot use token-based authentication.

Conditions:
-- admin account is disabled.
-- Remote authentication configured.
-- Logging on using iControl.

(Disabling the admin account might occur as a result of following the instructions in K15632: Disabling the admin and root accounts using the Configuration utility or tmsh :: https://support.f5.com/csp/article/K15632).

Impact:
Cannot use token-based authentication.

Workaround:
There is no workaround other than not disabling the admin user account.

675911 : Dashboard CPU history file may contain incorrect values

Solution Article: K13272442

Component: Local Traffic Manager

Symptoms:
Values such as 33%, 66% and 99% may appear in the CSV file exported from the dashboard utility

Conditions:
htsplit is enabled.

Impact:
CPU history in exported CSV file does not match actual CPU usage.

Workaround:
You can obtain CPU history through various other means.
One way is to use the sar utility:

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

675368-2 : Unable to reorder rules when one of the rule names contain % or /

Component: TMOS

Symptoms:
Unable to reorder rules when one of the rule names contain % or /

Conditions:
One of the rule names contain % or /

Impact:
The rules cannot be reordered

Workaround:
Rename rules to make sure they don't contain % or /

675298-1 : F5 MIB value types changed to become RFC compliant

Component: TMOS

Symptoms:
In BIG-IP Version 12.1.2 several F5 MIB variables changed from 64-bit counter types to 32-bit gauge types. This change was made to make the MIBs RFC compliant. In a mixed environment, where some BIG-IPs are running 11.x and some running 12.x this can cause problems with the management station. If the management station cannot load MIBs dependent upon BIG-IP version then those variables can cause errors to be reported on the management station due to type mismatch.

Conditions:
An environment where a management station is managing BIG-IP systems with a mix of version 11.x and 12.x. The station may import a MIB version whose types do not match the MIBs on the BIG-IP system with regards to the type changes made in version 12.x.

Impact:
The management station reports errors due to type mismatch for some variables.

Workaround:
None.

674997 : It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system.

Component: TMOS

Symptoms:
With APM-based system authentication, using tmsh to make changes to the password for user 'admin' will apparently succeed, but the password will be unchanged.

Conditions:
-- APM-based system authentication configured.
-- Using tmsh to make changes to the password for user 'admin'.

Impact:
Unable to change password for default system account.

Workaround:
Switch to local system authentication, change the password for 'admin', then switch back to remote authentication.

674992-3 : AAM traffic report's time period doesn't always apply

Component: WebAccelerator

Symptoms:
AAM traffic report's time period doesn't always apply.

Conditions:
Select a time period on the AAM traffic report page other than last hour.

Impact:
The table and graph still display last hour data.

674957-1 : If a certificate is stored in DER format, exporting it using the GUI corrupts the output.

Component: TMOS

Symptoms:
When a certificate stored in DER format is exported, all bytes with values larger than 0x7E are replaced with 0x3F, and there is one more byte added (0x0a) at the end of the binary file.

Conditions:
Using the GUI to export a certificate stored in DER format.

Impact:
Corrupted certificate.

Workaround:
You will need to use openssl to create a copy of the certificate in .pem or .der format. For example, to export the der certificate myder.crt to a mycert.pem certificate in .pem format, run the following command:

openssl x509 -out mycert.pem -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:myder.crt_75978_1 -inform der

Note: This works for system users who can access the bash command, specifically, those with the administrator role.

674795-1 : tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.

Component: Traffic Classification Engine

Symptoms:
tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds. In fact, it is in hours.

Conditions:
-- Viewing tmsh help/man page.
-- Searching for urldb feedlist polling interval.

Impact:
Note that the interval described is in hours instead of seconds.

Workaround:
None.

674754-2 : ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact

Component: Global Traffic Manager (DNS)

Symptoms:
Changing the email address in ZoneRunner and using a '@' character does not work. System validation catches that the '@' is invalid, but the operation fails silently, and the new email address is not stored.

Note. The '@' character is invalid for the email field because it has other uses in zone files. A dot should be used instead of '@'.

Conditions:
Zone already exists in ZoneRunner.
Trying to update it with a new email address.

Impact:
Confusion as to why the GUI is ignoring the new email address they entered.

Workaround:
The '@' (at sign) character is invalid for ZoneRunner email fields because it has other uses in zone files. Use a '.' (dot, or period) character instead of '@'.

674459 : Users are not expected to change security.commoncriteria DB variable through TMSH

Component: Local Traffic Manager

Symptoms:
Changing the security.commoncriteria db variable to true, and then attempting to change it back to false through TMSH causes validation errors related to SSHD configuration. Users are not expected to change this value without using the ccmode script.

Conditions:
Changing the security.commoncriteria db variable to true, and then back to false.

Impact:
Validation errors. The BIG-IP system remains stuck in Common Criteria mode when it is not desired.

Workaround:
None.

674367-1 : SDD v3 symmetric deduplication may stop working indefinitely

Solution Article: K20983428

Component: Wan Optimization Manager

Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may stop working indefinitely.

Conditions:
This issue occurs when all of the following conditions are met:

1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) Applications configured to benefit from symmetric deduplication are actively passing traffic.
4) Both BIG-IP HA pairs (the near and far sides) are failed over concurrently (although in more rare cases, even failing over a single pair is sufficient to reproduce the issue).

Impact:
Applications no longer benefit from symmetric deduplication, increasing the amount of data transmitted over the WAN.

Workaround:
Restarting the services on all BIG-IP units involved in the topology (without performing additional failovers after they return on-line) restores symmetric deduplication functionality. This will cause some downtime.

674328-3 : Multicast UDP from BIG-IP may have incorrect checksums

Component: TMOS

Symptoms:
BIG-IP may transmit UDP datagrams with a bad checksum.

Conditions:
Outgoing link-local multicast UDP traffic from the Linux host, such as RIP.

Impact:
Packets may be dropped by adjacent devices.

Workaround:
Disable checksum offloading on the virtual NIC for affected VLANS, e.g. "ethtool --offload vlan1274 rx on tx off"

674297-1 : Custom headers are removed on cross-origin requests

Component: Fraud Protection Services

Symptoms:
Custom headers are removed on cross-origin requests.

Conditions:
A cross domain FPS request uses the FPS custom header. For example: AJAX encryption from one domain to another.

Impact:
The request will be blocked, FPS functionality breaks.

Workaround:
For HOST <HOST NAME> and FPS custom header <HEADER NAME>, a variant of the following iRule can be used:

when HTTP_REQUEST {
    if {[HTTP::method] equals "OPTIONS" && [HTTP::host] equals "<HOST NAME>"} {
       set modify_allowed_headers 1
    }
}

when HTTP_RESPONSE {
    if { [info exists modify_allowed_headers] && $modify_allowed_headers equals "1"} {
        if { [HTTP::header exists "Access-Control-Allow-Headers"] } {
            set hdr [HTTP::header value "Access-Control-Allow-Headers"]
            append hdr ", <HEADER NAME>"
            HTTP::header replace Access-Control-Allow-Headers $hdr
        }
    }
}

674256-3 : False positive cookie hijacking violation

Solution Article: K60745057

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
Cookie hijacking violation when the device ID feature is turned off is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.

674145-3 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.

673974-1 : agetty auto detects parity on console port incorrectly

Solution Article: K63225596

Component: TMOS

Symptoms:
With a BIG-IP system configured for a console baud rate that is different from the baud rate of the serial terminal that is plugged in to the console port, he system returns garbled characters on the screen. Changing the terminal setting to match the console baud rate has no effect after that: the BIG-IP system continues to send garbage.

Conditions:
BIG-IP system with a console at certain baud rate.
-- Plug in a serial terminal with a different baud rate.
-- Press enter several times.

Impact:
The parity detection code selects the wrong setting, leaving the console port unusable until reboot of the BIG-IP system, or after killing and restarting agetty.

Workaround:
To recover from this condition, log on to the BIG-IP system via ssh, force parity off, and kill the agetty process (assuming the console is not logged in, and is therefore running agetty).

      via ssh:

      # stty -F /dev/ttyS0 -parenb ; killall agetty

   However, this is not an ideal workaround, as a frequent reason to use the serial console is lack of network access to the device.

   In that situation, you can log on by setting the terminal to Mark parity (8 data bits, Mark parity, 1 stop bit).

Note: There is no way to mitigate the issue from the console connection itself, as agetty doesn't run while the console is logged in.

You can also reboot the BIG-IP system, reset the terminal speed on the laptop to match the console speed set on the BIG-IP system, and reconnect the laptop.

673952 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.

673640 : Log messages for virtual server status changes are not immediately logged.

Component: TMOS

Symptoms:
Log messages for virtual server status changes are not immediately logged.

Conditions:
-- Virtual server status due to lasthop-pool going down or coming back up.
-- Viewing associated logs.

Impact:
No status-change messages are present.

Workaround:
None.

673573 : tmsh logs boost assertion when running child process and reaches idle-timeout

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.

673241 : Platform AC power supply faults when subjected to temperature above 50C (122F) at low input voltage.

Component: TMOS

Symptoms:
BIG-IP i15600, i15800 appliances utilizing a single 1500W AC power supply (PWR-0341-XX) shut down and trigger a fault.

Conditions:
This occurs when all of the following conditions are met:
-- PWR-0341-XX Single Supply.
-- input voltage is less than or equal to 100VAC.
-- System is is drawing maximum power (greater than 1000W).
-- Inlet temperature of the power supply is greater than 50C (122F).

Impact:
The power supply shuts down to protect itself. This results in appliance shutdown.

Workaround:
You can avoid this issue by doing any of the following:
-- Installing two PSUs in the unit.
-- Ensuring that input voltage is above 100VAC.
-- Operating the system at a temperature lower than 50C (122F).

673095 : Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'

Component: Local Traffic Manager

Symptoms:
Unable to load a UCS due to a VLAN validation error.

Conditions:
QinQ VLANs saved in a UCS file.

Impact:
Unable to reload the saved config.

Workaround:
Before loading the config, use tmsh to delete all VLANs. Then config will load successfully.

672818-2 : When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established

Component: Access Policy Manager

Symptoms:
When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established.

Conditions:
-- Install Traditional Chinese Windows.
-- Change the 'Region and Language' setting format to Simplified Chinese.
-- Edge Client or browser.

Impact:
Cannot establish VPN.

Workaround:
There is no workaround if there is a to change the 'Region and language' setting must be Simplified Chinese.

672312-2 : IP ToS may not be forwarded to serverside with syncookie activated

Component: Local Traffic Manager

Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.

Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.

Impact:
IP ToS header is not forwarded to the serverside.

Workaround:
None.

672240 : iRuleLX (v1) plugins may cause TMM to core if originating flow is terminated before plugin work is complete

Solution Article: K50091255

Component: Local Traffic Manager

Symptoms:
- Traffic processing is affected.
- Core file may be found in /var/core.
- /var/log/ltm may include a message similar to the following:
info tmm[19357]: 01220009:6: Pending rule /Common/irule_xxx <ACCESS_POLICY_AGENT_EVENT> aborted for 192.168.104.121:29261 -> 10.40.105.180:443

Conditions:
- Traffic passing through the BIG-IP system is processed by an iRule.
- iRule makes an RPC call to the iRule LX plugin.
- Plugin takes a long time to complete the task.
- Originating connection is terminated due to timeout or other external causes.
- Plugin completes work but corresponding connection is no longer present.

Impact:
Traffic processing is interrupted. Traffic disrupted while tmm restarts.

Workaround:
- Ensure timeout settings on protocol profiles are sufficiently long to allow for longer running plugin work.
- Ensure plugin code executes within timeout limits.

672221 : TMM cores if the certificate configured to validate message signature does not exist.

Component: Access Policy Manager

Symptoms:
TMM cores if the SAML message signature verification certificate cannot be found in the configuration.

Conditions:
-- SAML is configured with an invalid certificate in the message signature validation setting.
-- The control-plane is unable to detect such misconfiguration.

Note: This is an unlikely occurrence if the usual control-plane is used to configure the SSO/SAML object. In this particular case, the certificate-key was passed in as the certificate which triggered a certificate-not-found error.

Impact:
The issue can lead to momentary service interruption. Traffic disrupted while tmm restarts.

Workaround:
Make sure the certificate configured for use with the SAML message signature verification is correctly configured and the configuration loads successfully.

671725-1 : Connection leak on standby unit

Solution Article: K19920320

Component: Local Traffic Manager

Symptoms:
High connection count on standby unit.

Conditions:
-- High availability (HA) configuration.
-- Virtual server that has the attribute 'spanning enabled'.

Impact:
Flow leak on Next Active action.

Workaround:
None.

671712 : The values returned for the ltmUserStatProfileStat table are incorrect.

Component: TMOS

Symptoms:
An SNMP table entry that intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.

Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.

Impact:
Incorrect data returned in SNMP walk of LTM profile table.

Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.

671553-2 : iCall scripts may make statistics request before the system is ready

Component: TMOS

Symptoms:
iCall scripts may make statistics requests before statsd (a necessary service for stats collection) is ready.

Conditions:
Early during startup.

Impact:
The Tcl script may generate an error and stop working.

Workaround:
Use Tcl's 'catch' command to detect and handle the error.

671447-2 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form

Component: TMOS

Symptoms:
When using a BIG-IP system configured in an IS-IS network; adjacencies may fail to form with other vendor devices.

Conditions:
- BIG-IP configured to participate as a peer in a IS-IS network.
- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)

Impact:
IS-IS adjacencies may not form.

Workaround:
None.

671372-2 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Solution Article: K01930721

Component: TMOS

Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.

Impact:
The pool will be created but the members will not be modified.

Workaround:
Create a pool in one transaction; followed by modifying members in another transaction.

671261-2 : MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo

Solution Article: K32306231

Component: TMOS

Symptoms:
When selecting 'Notify Status to Virtual Address' on a virtual server, and using the 'Selective' setting of ICMP Echo for a corresponding virtual address, MCP does not recognize that this setting has changed and does not modify the ICMP echo settings of the virtual address accordingly. The previous setting will continue to take effect until another (unrelated) change is made to the virtual address.

Conditions:
The 'Selective' setting of ICMP Echo is used for a virtual address, and the user selects 'Notify Status to Virtual Address' on a virtual server associated with that address.

Impact:
The previous setting will continue to take effect, until an (unrelated) change is made to the virtual address, at which point the new setting will take effect.

Workaround:
After changing the 'Notify Status to Virtual Address' on a virtual server (where 'Selective' setting of ICMP Echo is used for the corresponding virtual address), make another change to the virtual address to cause the new setting to take effect.

671236-2 : BGP local-as command may not work when applied to peer-group

Solution Article: K27343382

Component: TMOS

Symptoms:
Using the BGP level command neighbor <peer-group> local-as <AS> might fail to apply on peers in the peer group.

Conditions:
Applying the BGP local-as command to a peer group.
For instance:
neighbor <peer-group> local-as <AS>.

Impact:
The command fails to apply, and the actual local AS sent to the peer is that of the BGP process and not the one specified in the command.

Workaround:
Apply the BGP local-as directly to the peer, not the peer-group.

671178 : Date/time change after configuring HA may impair configuration sync

Solution Article: K20274760

Component: TMOS

Symptoms:
Configuration not syncing among units in high availability (HA) group.

Conditions:
Date/time is set to an earlier date/time after HA is already configured.

Note: Changes are synced as expected when changing date/time to a later value; only setting to a earlier one results in this issue.

Impact:
-- Configuration changes are not recognized, and changes are not synced, however, system sync status incorrectly reports as 'in-sync'.

-- The 'Time Since Last Sync' displayed when running 'tmsh show /cm device-group' is negative. Note: This is only a cosmetic issue and has no effect on the system.

Workaround:
Note: Devices should be configured with NTP.

To restore consistency to the group, you can do one of the following:
-- Reset the time to be consistent with peers and make another config change.
-- Make a change on the peer device with the farthest future system time.
-- Force a sync to another device with the farthest future system time using a command similar to the following:
tmsh modify cm device-group <device group name> devices modify { <sync-to-device-name> { set-sync-leader } }.

671044-3 : FIPS certificate creation can cause failover to standby system

Solution Article: K78612407

Component: TMOS

Symptoms:
FIPS certificate creation can cause failover or outage of a system under heavy load. The certificate creation could take longer than the default timeout, causing TMOS to think the FIPS chip is locked up.

Conditions:
Creating a FIPS certificate while the system is handling a high FIPS traffic load.

Impact:
Possible failover from active to standby, or an outage if there is no standby system, or if the certificate creation causes both active and standby systems to time out.

Workaround:
Setting crypto.queue.timeout to 2000 will avoid this problem. The actual timeout needed depends on the system type and how heavily loaded the FIPS chip is. 2000 should be more than sufficient for all currently supported BIG-IP platforms under high load.

671025 : File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured

Component: TMOS

Symptoms:
devmgmtd exhausting file descriptors when state-mirroring peer-address is misconfigured:
err devmgmtd[8301]: 015a0000:3: [evConnMgr.tcc:29 evIncomingConn] Incoming connection failed: Too many open files

Conditions:
State-mirroring peer-address is misconfigured or configured to a self-ip with port lockdown misconfigured.

Impact:
devmgmtd has too many open files causing iControl issues as it is unable to communicate with devmgmtd.

Workaround:
None.

670893-1 : Sensitive monitor parameters recorded in monitor logs

Component: Local Traffic Manager

Symptoms:
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration, including:
- user-account password
- radius/diameter secret
- snmp community string

Conditions:
This may occur under the following conditions:

1. LTM monitor type is one of the following:
ldap
mssql
mysql
nntp
oracle
postgresql
radius
radius-accounting
smb
snmp-dca
snmp-dca-base
wap

On BIG-IP versions prior to v11.6.0, the LTM monitor type is one of the above, or one of the following:
ftp
imap
pop3
smtp

2. Monitor instance logging or monitor debug logging is enabled by one of the following methods:

a. Monitor instance logging is enabled by setting the 'logging' element to 'enabled' for an LTM node or pool member using the monitor.

b. Monitor debug logging is enabled by setting the 'debug' element to 'yes' for an applicable LTM monitor.

Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.

2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.

670691 : Unable to list ntlm profile in different root folder or partition

Solution Article: K02331705

Component: TMOS

Symptoms:
Unable to list NTLM profiles when they are in a different root folder or partition than the currently active folder or partition.

Conditions:
This occurs when attempting to list a partition that exists in another folder or partition.

For example:
-- The active folder or partition is /Common.
-- The NTLM profile 'my_ntlm' exists in the '/NTLM_Profile' folder or partition.
-- You run a command similar to the following to show details of an NTLM profile: list ltm profile ntlm /NTLM_Profile/my_ntlm.

Impact:
Unable to display NTLM profiles that reside outside of the active folder or partition. The system posts error messages similar to the following:

Error in ntlm: "/NTLM_Profile/my_ntlm" not found.
01020036:3: The requested Config Instance ( /NTLM_Profile/my_ntlm) was not found.

Workaround:
Change folders or partition before listing NTLM profiles.

670528-1 : Warnings during vCMP host upgrade.

Solution Article: K20251354

Component: TMOS

Symptoms:
- Log message repeats every 5 seconds in /var/log/ltm
slot<#>/<host> warning vcmpd[<pid>]: 01510005:4: Failed to find value for enum::cli_id (ha_feature_t::provisioning-failed).

Conditions:
- Configure vCMP host in 12.1.x or 11.6.x.
- Deploy 13.x guest.
- Monitor /var/log/ltm.

Impact:
Warning message displayed every 5 seconds.

Workaround:
Run the following command:
tmsh create sys log-config filter stop_vcmpd_log message-id 01510005 publisher none

670520-3 : FastL4 not sending keepalive at proper interval when other side gets response

Component: Local Traffic Manager

Symptoms:
FastL4 not sending keepalive at proper interval when other side gets response. With FastL4, when a response to an LTM-initiated keepalive is received from a device on one side is received, it is forwarded to the other.

It appears that causes a keepalive to not be sent on that other side. The keepalive interval is 20 seconds. If the LTM is scheduled to send a keepalive to the server, but receives a keepalive response on the client side, before it sends the serverside keepalive, the client side keepalive response is forwarded, but the actual keepalive is not sent to the server.

Conditions:
FastL4 and keepalive.

Impact:
Potential for failure as in FastL4: the timeout timer is not updated unless a response is returned. Since the LTM does not send the keepalive, there is not going to be a response for that interval.

Workaround:
None.

670501-5 : ASM policies are either not (fully) created or not (fully) deleted on the HA peer device

Solution Article: K85074430

Component: Application Security Manager

Symptoms:
Policies are either not (fully) created or not (fully) deleted on the peer device

Conditions:
-- Device Service Clustering configured.
-- High availability (HA) configuration with Sync-Only (no failover) device group (Auto, incremental) with ASM sync enabled.
-- Create/delete active/inactive ASM policies via TMSH/GUI.

Impact:
Policies are either not created/deleted, or not fully created/deleted.

Note: Fully created and fully deleted meaning that the following commands agree with each other:
# tmsh list asm policy one-line all-properties
# tmsh list asm policy one-line

Workaround:
Issue a forced full sync from the originating device to the device group.

670456-3 : Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number

Component: Access Policy Manager

Symptoms:
Flash AS3 mx.core::CrossDomainRSLItem() wrapper fails when being called with a number of arguments different than 7.

Conditions:
Any flash that have a call of mx.core::CrossDomainRSLItem() with a number of arguments different than 7.

Impact:
Flash application malfunction.

670367-2 : On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.

Solution Article: K39391280

Component: Access Policy Manager

Symptoms:
On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.

The limit of customization group object that the BIG-IP Virtual Edition (VE) can load is approximately 13 KB.

Conditions:
Large number of policies (thousands) and customization objects (tens of thousands).

Impact:
Unable to load configuration.

Workaround:
Turn off watchdog for mcpd via tmsh using the following command:
tmsh modify sys daemon-ha mcpd heartbeat disabled

Important! Remember to re-enable tmsh watchdog after the config loads successfully. To do so, run the following command:
tmsh modify sys daemon-ha mcpd heartbeat enabled

670258-2 : Multicast pings not forwarded by TMM

Component: Local Traffic Manager

Symptoms:
When multicast routing is configured, ICMP or ICMP6 pings are not forwarded by TMM even though UDP and other protocol traffic to the same group addresses works.

Conditions:
Multicast routing configured, VIP configured to forward ICMP traffic.

Impact:
Multicast group addresses cannot be reached with ICMP or ICMP6 echo requests.

Workaround:
n/a

669978-4 : SIP monitor - Via header's branch parameter collision.

Solution Article: K15204204

Component: Service Provider

Symptoms:
When there is a failover in a high availability (HA) setup with SIP monitors, the SIP backend servers start flapping on both units. The reason this occurs is that after the failover, the two BIG-IP systems send SIP monitoring messages to the pool members with the same branch parameter on their Via headers. The backend server internal logic gets confused by the request coming from LB2 because it uses the same branch parameters of the request coming from LB1.

Conditions:
SIP branch hash string length is small enough that when sufficient SIP monitor messages were inundated, possible branch collision.

Impact:
This causes the backend server erroneously to send a response message to LB1 instead of LB2.

Workaround:
None.

669645-1 : tmm crashes after LSN pool member change

Solution Article: K44021449

Component: Carrier-Grade NAT

Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.

Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.

Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.

Workaround:
Recommend to change LSN pool members during a maintainence window with low traffic or ideally to use an HA pair with a standby unit for implementing configuration changes on live traffic.

669241-1 : Cannot create stateless virtual servers with ip-protocol set to 'gre'.

Component: TMOS

Symptoms:
Stateless virtual servers can be used only for UDP traffic.

Conditions:
Attempt to create a stateless virtual server with ip-protocol set to 'gre'.

Impact:
Operation does not succeed. Cannot create stateless virtual servers with ip-protocol set to 'gre'.

Workaround:
None.

668964-2 : 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group

Solution Article: K81873940

Component: TMOS

Symptoms:
When running the 'bgp neighbor <peer IP> update-source <IP>' command to a single peer, the changes may be applied to all peers in peer-group, if the peer IP belongs to a peer group.

Conditions:
- Using BGP with peer-groups.
- Run 'bgp neighbor <peer IP> update-source <IP>', where <peer IP> is an IP of a peer in a peer-group.

Impact:
Changes may apply to all peers in the group.

Workaround:
Depending on the network setup, it may be possible to workaround the issue using the interface version of the command:
bgp neighbor <peer IP> update-source <vlan name>.

668849-1 : Upgrade failure for apm-log-setting objects★

Component: Access Policy Manager

Symptoms:
After upgrade to 13.1.0, the configuration will fail to load with error: 01070734:3: Configuration error: In apm log-config (/p1/f1/sso-log-setting-Critical) there can only be one instance of access log configuration
Unexpected Error: Loading configuration process failed.

Conditions:
If before upgrade, you have sso form-basedv2 object or saml sso config objects in your configuration

Impact:
mcpd will fail to start

Workaround:
manually edit the bigip.conf and remove all the sso form-basedv2 objects and saml sso config objects and then do tmsh load sys config

667661-4 : Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'

Solution Article: K69015104

Component: Device Management

Symptoms:
Adding a secondary HA device to Access Group fails with error 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'.

Conditions:
Fails when adding a HA device to Access Group.

Impact:
Device cannot be added to Access Group.

Workaround:
None.

667518 : SSO Configurations update is failing from UI

Component: Access Policy Manager

Symptoms:
SSO Configurations update is failing from the GUI.

Conditions:
While creating SSO form with SSO configuration, Update is failing with UI Javascript error.

Impact:
From UI user not able to update the SSO Configurations, with SSO Form creation.

Workaround:
Create separate SSO form and assign to SSO configuration. Or use TMSH to create both.

667476 : Upgrade and config load can fail if a data group record of type string contains a tab character

Component: TMOS

Symptoms:
When a datagroup record is of type 'string' and contains a tab (\t) the record loads but when the configuration is saved the record is not save with enclosing quotes.

Conditions:
-- Data group whose type is string.
-- Record entry that contains a tab character along with other non-whitespace characters.

Note: If other whitespace characters are present the string will have enclosing quotes and this issue will occur.

Impact:
Saved config does not load when running the command: tmsh load /sys config.

Upgrade fails to load the configuration.

Workaround:
In order to either load the configuration or upgrade, you must manually edit the bigip.conf file and enclose the string in quotation marks, as shown in the following example:

Existing config
==================
ltm data-group internal /Common/sample_dg {
  records {
    entry1 {
      data /BIG-IP BAD
    ...

Modified config:
ltm data-group internal /Common/sample_dg {
  records {
    entry1 {
      data "/BIG-IP BAD"
   ...

667295-1 : 'RTSP::header exists' iRule command always returns True

Solution Article: K51601122

Component: Carrier-Grade NAT

Symptoms:
Using the 'RTSP::header exists' command in an iRule returns true even if the header is not present.

Conditions:
Using the 'RTSP::header exists' command in an iRule, e.g., [RTSP::header exists "Transmitting"].

Impact:
Returns 1 (TRUE) even if the header is not present. Should return 2 (ERR_NOT_FOUND) on failure.

Workaround:
None.

667257-2 : CPU Usage Reaches 100% After Traffic Flowed Into CGNAT

Component: TMOS

Symptoms:
CPU usage reaches 100% after traffic flowed Into CGNAT. Issue with re-offloading to ePVA.

Conditions:
-- CGNAT configured.
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.

Impact:
Default configurations may suddenly show higher CPU performance profile usage after upgrade.

Workaround:
None.

667114-1 : TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.

Solution Article: K32622880

Component: TMOS

Symptoms:
TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.

Conditions:
-- BWC policy applied.
-- TCP traffic passes through the IP forwarding or L2 forwarding virtual server.

Impact:
Lower throughput than expected.

Workaround:
When using BWC, use a proxy virtual server instead of IP forwarding or L2 forwarding virtual servers.

667082-2 : Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.

Solution Article: K21090061

Component: TMOS

Symptoms:
Failure occurs when attempting to configure or load OSPF configurations in imish using an interface-level command similar to the following:
ip ospf <IP> message-digest-key <key index> md5 <password>.

Conditions:
This occurs when using the following command:
ip ospf <IP> message-digest-key.

Impact:
The command causes an error and cannot be used or loaded. This may cause OSPFv2 adjacencies to fail.

Workaround:
If possible, use the non-IP version of the interface-level command, similar to the following:
ip ospf message-digest-key <key index> md5 <password>.

666889-1 : Deleting virtual server may cause tmm to segfault

Solution Article: K25769531

Component: Local Traffic Manager

Symptoms:
Deleting virtual server may cause tmm to segfault.

Conditions:
-- Virtual server is rate-limited.
-- In-progress connections exist.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

666884-2 : cpcfg cannot copy a configuration on a chassis platform★

Solution Article: K27056204

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

info: Getting configuration from HD1.3
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
error: status 256 returned by command: F5_INSTALL_MODE=install F5_INSTALL_SESSION_TYPE=hotfix chroot /mnt/tm_install/23102.e3MAZU /usr/local/bin/im -force /var/local/ucs/config.ucs
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /shared: Not enough free space
info: 6144 bytes required
info: 0 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Only on a chassis platform running 13.0.x.

Impact:
You cannot use cpcfg on a chassis platform.

Workaround:
Save a UCS from the source volume, reboot to the destination volume, then load that UCS file.

666595-2 : Monitor node log fd leak by bigd instances not actively monitoring node

Component: Local Traffic Manager

Symptoms:
Each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis opens a file descriptor for each node or pool member that has monitor logging enabled. However, only one instance of bigd is actively monitoring each individual node, and actively logging health monitor events to the node log. When LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool, or pool member configuration.

Note: This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool or pool member configuration.

Conditions:
This may occur when the following conditions are met:
1. An LTM health monitor is assigned to an LTM node, pool or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Impact:
When this problem occurs, the instance of bigd that is actively monitoring a particular node will close its file descriptor to that node's log file (under /var/log/monitors), but other instances of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis will leak their file descriptor to the node log.

File descriptors that are opened by the bigd daemon and not closed will count against bigd's internal file descriptor limit. This may result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

666505-2 : Gossip between VIPRION blades

Component: iApp Technology

Symptoms:
The REST framework's 'gossip' mechanism does not appear to run between VIPRION blades in a device service cluster.

Conditions:
-- VIPRION systems.
-- Configured with device service clustering and a high availability (HA) group.
-- The REST framework's 'gossip' mechanism is configured on the non-primary blade.

Impact:
Gossip being enabled on the non-primary VIPRION blade interferes with communication between the primary and the remote peer.

Workaround:
None.

666497-2 : Some of the Korean translations in Windows Edge Client were incorrect

Component: Access Policy Manager

Symptoms:
Some of the Korean translations in Microsoft Windows Edge Client's main windows are incorrect.

Conditions:
User uses Edge Client application on Windows.

Impact:
Confusion due to inaccurate translation.

Workaround:
None.

666401-2 : Memory might become corrupted when a Standby device transitions to Active during failover

Component: Local Traffic Manager

Symptoms:
When a failover event occurs with connection mirroring enabled, it is possible for memory to be corrupted when the Standby device transitions to Active.

Conditions:
-- Active-Standby high availability configuration.
-- Virtual server configured with the type set to 'Standard'.
-- Connection mirroring enabled.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
None.

666258-2 : GTM/DNS manual resume pool member not saved to config when disabled

Component: Global Traffic Manager (DNS)

Symptoms:
manual-resume disabled pool member becomes available after reboot.

Conditions:
GTM pool is configured with manual-resume enabled and its pool member was once unavailable.

Impact:
Unexpected available pool member which should be disabled.

Workaround:
After the pool member becomes disabled, manually run:
# tmsh save sys config gtm-only

666221-2 : tmm may crash from DoSL7

Solution Article: K47152503

Component: Advanced Firewall Manager

Symptoms:
tmm crash.

Conditions:
A virtual server configured with the following:
compression profile configuration, HTTP/DoSL7 with DoSL7 iRule, RamCache.

Impact:
SIGSEGV. Traffic disrupted while tmm restarts.

Workaround:
None.

666127-1 : Flows are incorrectly processed on a standby system.

Component: Local Traffic Manager

Symptoms:
Standby system incorrectly processes flows, even if there is no other traffic group active on that system.

Conditions:
-- Spanning is enabled for a virtual address.
-- No other traffic group active on a standby system.

Impact:
Flows are incorrectly processed.

Workaround:
None.

666117-4 : Network failover without a management address causes active-active after unit1 reboot

Component: TMOS

Symptoms:
An appliance in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
Device Service Cluster with only self-ips configured for the failover network.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network will reduce the possibility of this problem.

665777 : TMM0 on the secondary blade sends out extra ARP replies

Component: Local Traffic Manager

Symptoms:
TMM0 on the secondary blade can send out more than one ARP reply when it receives an ARP request.

Conditions:
ARP request is received by TMM0 on the secondary blade.

Impact:
The BIG-IP system sends out extra ARP replies.

Workaround:
None.

665425-3 : AVR Max metrics shows wrong values

Solution Article: K24182390

Component: Application Visibility and Reporting

Symptoms:
In the AVR HTTP Page, metrics Max TPS and Max Throughput display incorrect values.

Conditions:
The root-cause is 32bit overflow, so the incorrect values are displayed when there are high volumes of traffic.

Impact:
Displayed metrics do not correctly show activity.

Workaround:
There is no workaround at this time.

665117-2 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping

Solution Article: K33318158

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Server status flapping from red-green-red.

Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.

Impact:
Server status flaps from red to green and back.

Workaround:
Check Transparent for these monitors.

664714-1 : Client-side challenge is changing POST parameter value under some circumstances

Component: Application Security Manager

Symptoms:
A parameter arrives with a different value to the server than was sent from the client. Happens while a brute force attack or web scraping challenge or web scraping session client-side mitigation is happening,

Conditions:
-- POST request with URL-decoded parameters.
-- A parameter is escaped.
-- A client-side challenge is returned for this request.

Impact:
The wrong parameter arrives to the application. In response, the application may stop working or have other errors.

Workaround:
N/A

664000 : TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing

Component: Local Traffic Manager

Symptoms:
Dynamic configuration changes with live traffic may have or cause complicated issue or unpredictable behaviors. TMM might restart and generate a core file when modifying key/cert on a profile while ongoing SSL handshakes are using it. System posts messages similar to the following:

-- crit tmm3[13499]: 01010260:2: Hardware Error(Co-Processor): cn3 request queue stuck
-- warning sod[6005]: 01140029:4: HA crypto_failsafe_t cn-crypto-3 fails action is failover.

Conditions:
The key/cert on a profile is modified while ongoing SSL handshakes are holding it.

In one case, OCSP was removed from all the SSL profiles at some point after the handshake started, so the handshake picked up the new profile without refreshing or invalidating the handshake's copy of the key_cert.

Impact:
Normal functionality might be disrupted. Traffic disrupted while tmm restarts.

Note: There is no support currently for dynamic profile configuration changes while there are ongoing connections using the profile.

Workaround:
Do not try to modify key/certs on a profile while there are a lot of ongoing connections using it.

663946-2 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Solution Article: K92111062

Component: Advanced Firewall Manager

Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.

Note: For AFM HW DoS protection, the host and vCMP guest must be the same version, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.

663924-2 : Qkview archives includes Kerberos keytab files

Component: TMOS

Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.

Conditions:
APM provisioned with Kerberos authentication.

Impact:
Private security key exposure.

Workaround:
There is no workaround.

663911-2 : When running out of memory, MCP can report an incorrect allocation size

Component: TMOS

Symptoms:
If MCP runs out of memory, it may attempt to log how much memory it was allocating when this happened, with a message similar to the following:

Failed to allocate memory for size 260 at clone_message:952.

The memory size indicated in the message may be incorrect.

Conditions:
MCP runs out of memory while attempting an allocation.

Impact:
Misleading logs that make it more difficult to troubleshoot mcpd memory issues.

Workaround:
None.

663531-1 : TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when PPTP finds a matching non-PPTP-GRE flow when checking for an existing tunnel.

Conditions:
PPTP-ALG and CGNAT on a BIG-IP system when a GRE tunnel matches a PPTP-GRE flow

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Possible mitigation by not using a forwarding virtual for non-PPTP GRE traffic.

663178-1 : tmm may crash sometimes usng VPN

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP fail over

Conditions:
VPN is used

Impact:
tmm crash and BIG-IP fail over. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

662905 : Rate class configured at very low rate (under packet size per second) cannot pass traffic.

Component: Local Traffic Manager

Symptoms:
When rate class is configured at very low rate (under packet size per second) it cannot pass traffic.

Note: Rate class ceiling and rate are equally divided between each core, so the minimum bandwidth to pass traffic for 4 core system is 4(2 KB * 8) = 64k and for 8 core system it is 128 KB, making each core get about 2 KB per second. If the system is expected to pass jumbo packets, then the system must be configured accordingly.

Conditions:
-- BIG-IP 2000/4000 Series platforms.
-- Rate class is configured at very low rate.

Impact:
BIG-IP does not pass traffic.

Workaround:
None.

662816-2 : Monitor node log fd leak for certain monitor types

Solution Article: K61902543

Component: Local Traffic Manager

Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.

Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.

This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.

The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open

Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.

File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.

662372-1 : Uploading a new device certificate file via the GUI might not update the device certificate

Solution Article: K41250179

Component: TMOS

Symptoms:
After uploading a new device certificate via the 'Upload File' option in the GUI, the device certificate remains unchanged.

Conditions:
-- Upload a new device certificate file via the GUI.
-- There is already a file called /tmp/server.crt.

Impact:
The device certificate is not updated and no error is shown.

Workaround:
Use the 'Paste Text' option to import the certificate.

662296-1 : Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address

Component: Local Traffic Manager

Symptoms:
Management connectivity loss over the management cluster IP address. This is caused by a secondary blade temporarily taking over the cluster primary due to starvation of clusterd on the blade running tcpdump.

Conditions:
-- A multi-bladed configuration with full traffic load.
-- Run tcpdump -i 0.0.

Impact:
Loss of connectivity to the cluster floating IP address. The /var/log/ltm clusterd shows timeouts and temporary change of primaryship.

Workaround:
Mitigation:
-- Judicious use of tcpdump -i 0.0.

Workaround:
-- Kill tcpdump from the SSH session to the slot IP address directly or using the console.
-- Restart tmm to fix the issue with MPI stream connection loss.

660826-1 : BIG-IQ Deployment fails with customization-templates

Component: Access Policy Manager

Symptoms:
BIG-IQ involving multiple commands in a transaction to modify customization group fails.

Conditions:
Simulation by tmsh for what's done in BIG-IQ:

1) Add a log-on agent in your policy.

2) Edit the log-on agent customization (Advanced Customication: logon.inc and view.inc both)
This should create two customization templates.

3) Make a backup of the customization template files in some folder (/tmp). For example: To copy logon.inc and view.inc for logon agent in sjc-access policy?(sjc-access_act_logon_page_ag) below cp statements worked.

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
:Common:sjc-access_act_logon_page_ag::logon.inc_74991_2

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc

4) tmsh

5) create /cli transaction

6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }

7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }

8) submit /cli transaction

Impact:
BIG IQ operation failed with scenario involving change to customization group.

Workaround:
There is no workaround.

660807 : Clientside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
iRule parking command 'table lookup' inside clientside crashes TMM.

Conditions:
iRule parking command 'table lookup' inside clientside.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If possible, move the parking command outside clientside/serverside.

660760-1 : DNS graphs fail to display in the GUI

Solution Article: K75105750

Component: TMOS

Symptoms:
Can no longer view the DNS graphs in the GUI after upgrading from an earlier release. The system reports the following error in the GUI when visiting GUI Statistic :: Performance :: DNS: Error trying to access the database.

Conditions:
This occurs when the BIG-IP system is licensed for the GTM module (mod_gtm) instead of the DNS module (mod_dnsgtm). This might occur in the case where the system is upgraded from an earlier release such as v10.2.4 (where the module was GTM) to a later release such as v12.1.1 (where the module is DNS).

Impact:
Accessing the DNS graphs in the GUI fails.

Workaround:
None.

660327-2 : Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

Component: Application Security Manager

Symptoms:
Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

This happens only if before the upgrade, there was an ASM logging profile which had both remote logging and local logging enabled on it.

In the case of a single logging profile with local-plus-remote ASM enabled on it, upon an upgrade, the logging profile is split into two profiles. One has the '_local' extension added to it. Another attempt to load the config of the pre-upgrade system will fail. This only happens when using 'load sys config' or 'load sys config file', and does not happen when using 'load sys ucs'.

Upon failure, the following error is seen on the terminal:
01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.

And in /var/log/ltm:
err mcpd[6618]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127.

Conditions:
-- Using a configuration that contains a Log Profile with ASM enabled and both Remote Log and Local Log enabled.
-- Upgrade to 12.1.2 or later (Use roll-forward upgrade, or instead use clean install and afterwards load the saved config file).

Impact:
Config load fails. Upgrade fails.

Workaround:
Use one of the following Workarounds:
1.
Save the new configuration before editing and re-loading, using the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all

(Note: Saving the UCS also saves the configuration.)

2.
Instead of loading the full configuration directly, first load the base and then load the full configuration:
tmsh -c 'load sys config partitions all base; load sys config partitions all'

660326-2 : Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.★

Component: Application Security Manager

Symptoms:
Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.

Conditions:
-- Websecurity profile assigned to a virtual server.
-- ASM not provisioned.
-- Upgrade to v12.1.0 or later.

Impact:
Upgrade fails.

Note: Although this is an invalid configuration, upgrade should not fail.

Workaround:
There are two workarounds.
-- Provision ASM.
-- Remove all websecurity profiles (and LTM policies that control ASM) from all virtual servers

Note: The first workaround must be done before the update. The second can be done before the upgrade, or by editing the config files and re-loading config (first base, then all) using the following command:

tmsh -c 'load sys config partitions all base; load sys config partitions all'

660119-1 : Monitor configured with timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.

Solution Article: K36005385

Component: Local Traffic Manager

Symptoms:
When the monitor is configured with a timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.

Conditions:
Monitor configured with timeout plus interval larger than 86400.

Impact:
Periodically service taken offline which may result in persistence issues or impact service availability.

Workaround:
Reduce the monitor's timeout to less than (86400 - interval).

659930-1 : Enterprise Manager may receive malformed data if there are multiple monitors on a pool

Component: Global Traffic Manager (DNS)

Symptoms:
Enterprise Manager (EM) may receive malformed data if there are multiple monitors on a pool. big3d returns malformed xml. Messages similar to the following appear in /var/log/em:
Could not parse xml for device.

Conditions:
-- Flapping pool monitor has more than two HTTP-type monitors.
-- iControl data returned from big3d LTM is malformed xml.

Impact:
Malformed data causes EM to not be able to gather stats from big3d.

Workaround:
None.

659888-1 : Profiles with names that contain percentage signs cannot be accessed in TMUI

Component: TMOS

Symptoms:
Clicking profiles on the list page in the Configuration Utility (GUI) with names that contain a percentage sign does not take you to the profile page.

Conditions:
-- Clicking profile names with percentage signs.
-- The profiles list page in the GUI.

Impact:
The profile pages cannot be accessed from the profiles list page in the GUI.

Workaround:
Use tmsh or rename your profiles so their name does not include a percentage sign.

659709-1 : Memory leak under rare conditions

Solution Article: K80024155

Component: Local Traffic Manager

Symptoms:
Memory leak

Conditions:
-- Mirrored flow.
-- Persistence used.
-- Another error condition such as high availability (HA) channel down.

Impact:
Memory leak.

Workaround:
None.

658943 : Errors when platform-migrate loading UCS using trunks on vCMP guest

Component: TMOS

Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use either of the following Workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

658850 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP

Component: TMOS

Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.

If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.

Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate

Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.

Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>

658278-3 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows :
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.

658103 : TMM core while adding logging action to APM SWG

Solution Article: K00652162

Component: Access Policy Manager

Symptoms:
TMM core while adding logging action to APM SWG.

Conditions:
-- Use of an application lookup perflow variable (perflow.application_lookup.result.*) in an SWG per-request Logging Agent.
-- No Application Lookup Agent found prior in the chain.

For example
- The following example will crash:
start : logging : allow

- The following will succeed:
start : application lookup : logging : allow

Impact:
TMM core. Traffic disrupted while tmm restarts.

Workaround:
There are two possible workarounds:

-- Remove the applicable perflow variables from the logging agent.
-- Add an application lookup before trying to log application lookup perflow variables.

658036-2 : Honoring negotiated MSS for TCP segmentation

Solution Article: K04651090

Component: TMOS

Symptoms:
Following are the symptoms:

1. When the BIG-IP system's MTUs are larger than the smallest MTU in the end-to-end path:
-- The BIG-IP system does not mark coalesced packets larger than egress MSS but smaller than egress MTU in the BIG-IP system for segmentation. Therefore, the BIG-IP system receives 'ICMP fragmentation needed' messages from an intermediate router which drops the packets when the Don't Fragment (DF) bit is set in IP header.

2. When the BIG-IP system's MTUs are less than 1500:
-- On ingress, the BIG-IP system rejects coalesced packets larger than ingress MTU and less than 1500 and having DF bit set in IP header. the BIG-IP system sends 'ICMP fragmentation needed' message to sender.

Conditions:
* Generic Receive Offload (GRO) and Large Receive Offload (LRO) for data plane interfaces are supported and enabled (both in host and guest).

* Packets are sent with DF bit set.

* For #1:
-- FastL4 profile in use.
-- The BIG-IP system's VLAN MTUs are larger than the smallest MTU in the end-to-end path.

* For #2:
-- The BIG-IP system's MTUs are set to a value that is less than 1500.
-- The packets' DF bits are set.

Impact:
No traffic or very low throughput.

Workaround:
Disable LRO and GRO for data plane interfaces using the following command:

tmsh modify sys db tm.tcplargereceiveoffload value disable.

Note: For KVM virtio devices, LRO/GRO need to be turned off in host NIC.

657912-1 : PIM can be configured to use a floating self IP address

Component: TMOS

Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.

Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.

Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.

Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.

657834-2 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Solution Article: K45005512

Component: TMOS

Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.

Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.

Note: The greater the number of routes flapping, the more likely to see the condition.

Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.

However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.

657727-2 : Running tcpdump from TMSH cannot capture the local "tmm" interface

Solution Article: K39694060

Component: TMOS

Symptoms:
Cannot run tcpdump against the "tmm" interface. System posts errors similar to the following:
tcpdump: pcap_loop: Device /Common/tmm not found
tcpdump: ioctl: No such device

This occurs because the 'tmm0' interface was renamed to 'tmm' beginning in v12.1.0, but the libbigpacket conditional logic to handle "special device names" still references 'tmm0'.

Conditions:
-- When running tmsh, an environment variable ("TMOS_PATH") is set.
-- The user logs in to the CLI with a default shell of tmsh (either as configured, or with a role assigned via remote-roles), or tries to run tcpdump via tmsh.

Impact:
Cannot run tcpdump on the 'tmm' internal interface.

Workaround:
Unset the 'TMOS_PATH' environment variable before running tcpdump.

657531-2 : High memory usage when using the ICAP server

Solution Article: K02310615

Component: Application Security Manager

Symptoms:
High UMU memory when using the ICAP server.

Conditions:
-- ICAP is in use.
-- There are long requests (requests longer than 128 KB) that should get to the ICAP server.

Impact:
UMU memory goes up.

Workaround:
-- Decrease the max concurrent long requests.
-- Decrease the size for the long requests buffer size.
-- Make sure the ICAP server is up and running and responding quickly (the issue will be more visible when the ICAP server is lagging).

656784-2 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Solution Article: K98510679

Component: Access Policy Manager

Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.

Windows 10 Version 1703 RDP client is using Negotiate HTTP authentication scheme, while APM requires NTLM scheme for RD Gateway.

Conditions:
- You are accessing Microsoft Remote Desktop through BIG-IP APM using Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).

Impact:
Remote desktop client is not able to authenticate and connect to the desktop.

Workaround:
Use either of the following workarounds:

-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.

-- Use the following iRule to convert Negotiate to NTLM:
when HTTP_REQUEST {
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }

    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]

    if { $is_nego_auth } {
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    if {!$is_rdg_request || !$is_nego_auth} { return; }

    catch {
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}

655767-3 : MCPD does not prevent deleting an iRule that contains in-use procedures

Component: Local Traffic Manager

Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.

MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:

01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).

However, if an iRule attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error. This results in a configuration that will subsequently fail to load (during a config load, MCPD validation will catch this), or will fail if a full configuration sync is performed.

Conditions:
Must be using iRules that call into other iRules.

Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.

Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.

655724-3 : MSRDP persistence does not work across route domains.

Solution Article: K15695

Component: Local Traffic Manager

Symptoms:
MSRDP persistence doesn't work with non-default route domains.

Conditions:
Configure a virtual server with a MSRDP persistence profile and a pool using a non-default route domain.

Impact:
MSRDP persistence does not work.

Workaround:
Implement MSRDP persistence using iRules.

655484-1 : GUI LTM Pool Statistics Page running out of memory with large number of Pools

Solution Article: K69912019

Component: TMOS

Symptoms:
When there is a large number of configured Pools, it can adversely affect Pool Statistics Page display, causing an Out of Memory error.

Conditions:
Configure 2200 or more pools, and go to the Pool Statistics page.

Impact:
The page does not display because it causes Tomcat to run out of memory and restart automatically.

Workaround:
You can increase the memory allocated to Tomcat. For more information, see K9719: Error Message: java.lang.OutOfMemoryError, available at https://support.f5.com/csp/article/K9719

654981-2 : Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action

Component: Local Traffic Manager

Symptoms:
Local Traffic Policies configured for First Match mode may not stop executing after the first matched rule.

Conditions:
This happens when the first matched rule has no action (i.e. is set to ignore).

Impact:
This may cause Local Traffic Policies to execute an unintended action.

Workaround:
Rework the rules in your affected Local Traffic Policies so that every rule has at least one associated action.

654915-3 : Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address

Component: Application Visibility and Reporting

Symptoms:
For traffic capturing, if a pool member is assigned a special name (e.g., 'for internal activity'), the external AVR log will report the internal IP address instead of the pool member name.

Conditions:
1. Assign name to internal pool member.
2. Enable HTTP traffic capturing.
3. Allow AVR to collect HTTP statistics.
4. View pool member name in external AVR log.

Impact:
External log reports internal IP address instead of pool member name.

Workaround:
There is no workaround at this time.

653930-2 : Monitor with description containing backslash may fail to load.

Solution Article: K69713140

Component: Local Traffic Manager

Symptoms:
When a monitor description contains a \ (backslash) character, the system adds another backslash for every save-load operation. After enough saves/loads, the description eventually hits the maximum length, causing an error message: '01020057:3: The string with more than 65535 characters cannot be stored in a message' upon loading the config.

Conditions:
Monitor with description containing backslash.

Impact:
Configuration changes without human intervention. Potential load failure.

Workaround:
Don't use backslashes in monitor descriptions.

653928 : On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed with Conflicting configuration error.★

Component: TMOS

Symptoms:
On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed due to an incorrect configuration. The system posts a Conflicting configuration message in response to the error.

Conditions:
There are multiple ways to encounter this:

-- The BIG-IP system has a working configuration and is running normally. If the configuration becomes invalid, due to hardware configuration changes, a configuration mistake, or a typo in one of the configuration files, the MCPD never reaches the running state due to the configuration load error.

-- If the BIG-IP system is managed by a BIG-IQ device, and the BIG-IQ device revokes the BIG-IP system's license, the configuration load might start failing if the BIG-IP system's configuration contains advanced features that require an active license.

Impact:
If the misconfiguration occurs during a upgrade from 10.2.4 to 12.1.x, the operation fails with the DHCP error.

In these cases, when you try to load the default configuration through 'tmsh load sys config default', the configuration load fails with this error:

/Common/management-ip: Conflicting configuration. Management-ip can't be created manually while DHCP is enabled. Within tmsh run 'modify sys global-settings mgmt-dhcp disabled' before manually changing the management-ip.

MCPD never reaches the running state and the BIG-IP system does not function as expected.

Workaround:
Once this problem occurs, there is no way to force 'load sys config default' without first resolving the 'base config load failure' mcpd status, which requires repairing the configuration errors that caused the initial base configuration load failure.

To do so, review the log files to determine the specific misconfiguration and remove it from the corresponding configuration file. Then try the configuration load operation again.

653895 : Admin user cannot edit policy

Component: Application Security Manager

Symptoms:
While logged into the active device, you are unable to edit a policy. The Save and Reconfigure buttons are grayed out. The standby device allows you to edit the policy and you can deploy the change to the active device, but you occasionally can't edit it from the active device.

Conditions:
It is not known what triggers this intermittent problem.

Impact:
Admin users are unable to edit a policy on the active device.

Workaround:
You can edit the policy on the standby device and deploy it to the active device.

653888-2 : BGP advertisement-interval attribute ignored in peer group configuration

Component: TMOS

Symptoms:
BGP peer-group advertisement-interval attribute may be ignored with default settings set on individual peers belonging to the peer-group.

Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value

Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.

Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.

653573 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
ADMd daemon on device is spinning up rsync processes and not cleaning them up properly, causing tons of this zombie processes

Conditions:
If rsync process ends via exit (in the case of some trouble)

Impact:
No technical impact, but there are many zombie processes

Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.

653273 : "Unexpected Error" showing traffic-selector default-traffic-selector

Component: TMOS

Symptoms:
Running this tmsh command results in "Unexpected error":
tmsh show net ipsec ipsec-sa traffic-selector default-traffic-selector-interface

Conditions:
This occurs when running tmsh show net ipsec ipsec-sa traffic-selector default-traffic-selector-interface

Impact:
The result is not return, the only output is "unexpected error".

653228-2 : SNAT does not work properly on FTP VIP2VIP

Solution Article: K34312110

Component: Local Traffic Manager

Symptoms:
SNAT does not work properly on FTP VIP2VIP.

Conditions:
-- FTP communicates VIP2VIP to second virtual server.
-- SNAT is configured on second virtual server.

Impact:
SNAT does not work properly on FTP VIP2VIP on data channel.

Workaround:
Do not configure SNAT on second virtual server.

653137-1 : Virtual flaps when FQDN node and pool configured with autopopulate

Component: Local Traffic Manager

Symptoms:
Virtual address status flaps (RED :: BLUE :: DOWN :: UNCHECKED) when the FQDN node and pool are configured with autopopulate enabled, and the FQDN DNS response returns the same addresses.

Conditions:
-- FQDN node and pool are configured with autopopulate enabled.
-- FQDN DNS response returns the same addresses.

Impact:
The virtual server becomes unavailable, and later switches to unchecked.

Workaround:
None.

653017-2 : Bot signatures cannot be created after upgrade with DoS profile in non-Common partition

Component: Application Security Manager

Symptoms:
Bot signatures cannot be created after roll-forward upgrade of configuration with only a DoS profile in non-Common partition.

Conditions:
A DoS profile in non-Common partition has Proactive Bot Defense enabled

Impact:
Bot signatures are not created.

Workaround:
Delete DoS Profile before upgrade, and re-create after upgrade is successful.

Alternatively, another DoS Profile can be created in /Common, even if unused.

652877-3 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Component: TMOS

Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:

-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.

Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.

You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Reactivate the license only on a system that is standby/offline.

652671-4 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

Solution Article: K31326690

Component: TMOS

Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.

Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.

Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.

Workaround:
None.

652577-2 : Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.

Conditions:
- HA pair
- Traffic-group with a MAC set in the MAC Masquerading setting.
- Floating Self-IP using the above traffic-group
- Make a change to the MAC Masquerading MAC address on the Active unit.
- Run a config-sync from Active to Standby

Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.

Workaround:
Reboot or restart TMM.

652530 : Parameter names are case sensitive in Internet Explorer 9 only

Component: Fraud Protection Services

Symptoms:
Mis-configured parameter names with incorrect case will work as if they were configured correctly in all browsers except for Internet Explorer 9

Conditions:
Parameter names configured in the wrong case

Impact:
Encryption and data integrity features will appear to work as expected in all browsers except Internet Explorer 9.

In Internet Explorer 9, encryption and data integrity will not be activated on the misconfigured parameter.

Workaround:
Reconfigure the parameter name to use the correct case.

652523 : TMM may restart while processing timers

Component: Local Traffic Manager

Symptoms:
TMM restarts during timer processing due to post-free memory usage.

Conditions:
Full-proxy TCP functionality in use. Additional conditions are not well defined, currently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround available.

652370-1 : The persist cookie insert iRule command may leak memory

Component: Local Traffic Manager

Symptoms:
In some situations, the persist cookie insert iRule command may leak memory.

Conditions:
The persist cookie insert iRule command is used.

Impact:
Eventually, the TMM will run out of memory due to the leak.

652223-1 : BWC: Non-TCP data going through Category can make policy active

Solution Article: K50325308

Component: TMOS

Symptoms:
When category is set at lower rate than 100% of the user rate, and traffic going through the category is non-TCP, and the amount of data is 150% of the instance rate, then that can create policy to be active, lowering the overall bandwidth.

Conditions:
This occurs when all of the following conditions are met:
-- Category rate is less than max-user-rate
-- Traffic is non-TCP data.
-- Amount of data passing is 150% of max-user-rate.

Impact:
BWC dynamic policy cannot achieve 100% of max-rate.

Workaround:
Increase the max-rate of any dynamic policy, and add an additional static policy set to the max-rate expected from the dynamic policy.

Note: There is no actual fix for this issue except for not using UDP traffic in categories, if the amount of traffic on that UDP category is expected to exceed 150%, or over to the maximum fair rate provided by the BWC instance. Note that the PEM subscriber and BWC instance have 1-1 relationship.

652222-1 : Sending scheduled-reports will fail due to lack of backend support

Component: Application Visibility and Reporting

Symptoms:
Using the scheduled report from GUI fails and causes some orphan file descriptors every time scheduled report runs.

Conditions:
Using the scheduled report from GUI.

Impact:
Scheduled-reports won't work and cause the system to have more orphan opened file-descriptors every time it tries to send the report.

Workaround:
None.

651889-2 : persist record may be inconsistent after a virtual hit rate limit

Component: Local Traffic Manager

Symptoms:
persist record may be inconsistent after a virtual hit rate limit

Conditions:
A virtual with rate limit set.
persist is enabled.

Impact:
persist behavior will be impacted.

Workaround:
disable rate limit on virtual

651886-1 : Certain FIX messages are dropped

Component: Service Provider

Symptoms:
When a FIX message is received with a length, checksum, or message type field containing leading zeros, the message may be dropped.

Conditions:
This bug affects all FIX messages having a length (tag 9), checksum (tag 10) or message type (tag 35) field that contains at least one leading zero. Certain third-party FIX protocol implementations are known to insert leading zeros in these fields.

Impact:
FIX messages from these products cannot be processed by the FIX profile in BIG-IP.

651169-3 : The Dashboard does not show an alert when a power supply is unplugged

Component: Advanced Firewall Manager

Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.

Conditions:
One of the power supplies is unplugged.

Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.

Workaround:
None.

651136-2 : ReqLog profile on FTP virtual server with default profile can result in service disruption.

Solution Article: K36893451

Component: TMOS

Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.

Conditions:
Default inherit FTP profile virtual server configured with ReqLog profile.

Impact:
Service disruption, fail-over event.

Workaround:
Create non-inheriting FTP profile for FTP virtual server with ReqLog profile.

651005-3 : FTP data connection may use incorrect auto-lasthop settings.

Component: Local Traffic Manager

Symptoms:
Due to known issue FTP data connection may fail to use auto-lasthop settings configured on the virtual server and use a value configured on VLAN level instead.

Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'

(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'

With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'

(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'

Impact:
FTP data connection may fail to be established.

Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.

650070-2 : iRule that uses ASM violation details may cause the system to reset the request

Solution Article: K23041827

Component: Application Security Manager

Symptoms:
When an iRule attempts to use the violation details such as attackSignature or MaliciousFingerprint, in some cases a legal request will be reset.

Conditions:
-- An ASM iRule that uses violation details is attached to the virtual server.
-- The request contains the violation

Impact:
A legal request is being reset.

Workaround:
None.

650019-2 : The commented-out sample functions in audit_forwarder.tcl are incorrect

Component: TMOS

Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.

Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.

Impact:
The Transform function may not work if the examples are followed.

Workaround:
Use the default Transform function as a starting point instead of one of the examples.

649897 : Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown.

Component: Local Traffic Manager

Symptoms:
Using iControl REST, making a change to an FQDN pool member causes the pool member availability to become 'unknown'.

Conditions:
Using iControl REST, modify an existing pool member configured with an FQDN name.

Note: This issue does not affect pool members configured to point directly at an IP address.

Impact:
The pool member status will show 'unknown'.

Workaround:
None.

649441-2 : Classification memory allocation

Component: Traffic Classification Engine

Symptoms:
Classification library ('CE') allocates an extra 2 KB of memory per flow and never used it.

Conditions:
Classification and HTTP profile attached to Virtual Server.

Impact:
High memory footprint for heavily loaded systems.

Workaround:
Install latest Classification Update Package ('IM Package').

649177-2 : Testing for connection to SMTP Server always returns "OK"

Solution Article: K54018808

Component: Application Visibility and Reporting

Symptoms:
When you click the SMTP GUI config "Test Connection" button it always gives green "OK" response, even if there is no network, or if the DNS response is NXDomain.

Conditions:
This is encountered when testing the SMTP connection using the GUI.

Impact:
Validation of SMTP server availability is incorrect

Workaround:
You can test SMTP at the command line by attempting to send a test email, as in this example (substitute user@example.com with your valid email address):

# echo "ssmtp test mail" | mail -vs "Test email" user@example.com

648873-3 : Traffic-group failover-objects cannot be retrieved via iControl REST

Solution Article: K93513131

Component: TMOS

Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].

(The ... represents the data that was presented as a list property.)

Conditions:
Trying to use iControl REST for getting failover-objects associated to floating traffic-groups

Impact:
No access to list of failover-objects associated to an specific floating traffic-group via the iControl REST interface

Workaround:
Use a different user interface (tmsh or GUI).

648806-1 : Invalid "with the first highest ratio counter" logging for pool member ratio load balance

Component: Global Traffic Manager (DNS)

Symptoms:
Invalid value for "with the first highest ratio counter" for wideip load balancing decision is logged.

Conditions:
Enabled logging for wideip load balancing decision.

Impact:
Invalid value is logged for "with the first highest ratio counter".

648639-3 : TS cookie name contains NULL or other raw byte

Solution Article: K92201230

Component: Application Security Manager

Symptoms:
The TS cookie name may intermittently contain NULL.

Conditions:
This can occur intermittently when ASM is provisioned and has a unique combination of security policy name and the server's cookie attributes (path and domain).

Impact:
False positives triggered on modified domain cookies.

Workaround:
To resolve this, change the policy security name.

648621-1 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
When the multi-homing connections have been forcibly deleted from tmsh command.

Impact:
The multi-homing connections won't be expired.

Workaround:
Don't manually deleted the multi-homing connections.

648316-3 : Flows using DEFLATE decompresion can generate error message during flow tear-down.

Solution Article: K10776106

Component: TMOS

Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:

Zip engine ctx eviction (comp_code=4): ctx dropped.

Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.

Impact:
False errors can appear:
o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.

Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.

Workaround:
Disable hardware acceleration.

647834-4 : Failover DB variables do not correctly implement 'reset-to-default'

Component: TMOS

Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.

Conditions:
This is known to affect at least the following failover-related DB variables:

log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary

Impact:
The configuration change does not take effect.

Workaround:
Explicitly set the DB variable to the desired value.

647812-3 : /tmp/wccp.log file grows unbounded

Component: TMOS

Symptoms:
WCCP uses /tmp/wccp.log as output for Diagnostic information,
independent of log level or db key. This file can grow unbounded if there are never any WCCP packets sent. If packets are sent the file is cleaned up automatically.

Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.

Impact:
/tmp/wccp.log grows unbounded, filling up the disk.

647158-3 : Internal virtual server inherits CMP hash mode from parent virtual server

Solution Article: K76581555

Component: Service Provider

Symptoms:
An internal virtual server might behave in unexpected ways, such as abort a client connection before connecting to the server.

Conditions:
Virtual server with request-adapt or response-adapt profile and a vlan with 'cmp-hash' mode 'src-ip'.
Internal virtual server without a VLAN or 'cmp-hash' setting.

Impact:
The internal virtual server might sometimes abort when attempting to make a connection to the server. This occurs after a successful load-balance pick indicated by the LB_SELECTED event, but before a TCP SYN packet is sent to the server. As a result the parent virtual performs the service-down-action configured in the request-adapt or response-adapt profile.

Workaround:
If possible, do not use the cmp-hash mode 'src-ip'.

647151-1 : CPU overtemp condition threshold is 75C

Component: TMOS

Symptoms:
A CPU overtemp condition is logged when a B4450 CPU reaches 75C.

Conditions:
CPU temperature is only 75C and ambient temperature in the blade is in the normal range.

Impact:
Since the temperature threshold is set too low, the warning does not indicate an actual problem.

Workaround:
None.

646800-2 : A part of the request is not sent to ICAP server in a specific case

Component: Application Security Manager

Symptoms:
The portion of the request that is not sent is not checked for viruses

Conditions:
ICAP is configured.

Impact:
There might be a false negative on anti-virus check

Workaround:
N/A

646495-2 : BIG-IP may send oversized TCP segments on traffic it originates

Component: Local Traffic Manager

Symptoms:
Traffic from the Linux host on BIG-IP may send TCP segments larger than the advertised TCP MSS of a remote host.

Conditions:
Received TCP MSS (plus protocol overhead) smaller than configured MTU of interface.
Linux host sending large TCP segments, such as SNMP getbulk replies.

Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.

Workaround:
disable segmentation offload for the nvic

646440 : TMSH allows mirror for persistence even when no mirroring configuration exists

Solution Article: K52140275

Component: Local Traffic Manager

Symptoms:
When no mirroring is configured between the peers TMUI correctly hides the mirror option for the persistence profiles, however, TMSH allows enabling it.

Conditions:
-- Mirroring is configured.
-- Persistence profile.
-- Using TMSH.

Impact:
TMSH does not hide the mirror option for persistence profile, but TMUI correctly hides the mirror option. This might lead to a memory leak and degraded performance.

Workaround:
Use TMUI.

645635-2 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests

Component: Local Traffic Manager

Symptoms:
VCMP clusters without configured slot-specific management-ip addresses will report 0.0.0.0 for: sFlow (Agent Address), High Speed Logging (in certain log messages), and IPFIX (domain ID).

When creating VCMP guests, the cluster's floating IP address is configured on the host using a command of the form: 'tmsh modify vcmp guest guest0 management-ip 10.1.2.3/24'; however, this will leave the slot-specific management IP address unconfigured. In this case, the affected services (sFlow, HSL, and IPFIX) will report 0.0.0.0 as their management IP address.

Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sflow and/or HSL and/or IPFIX configured.

Impact:
sflow, HSL, and IPFIX may incorrectly use 0.0.0.0 when identifying the BIG-IP system by management IP address. For sFlow, this is the default Agent Address. For HSL, certain log messages which identify the origin BIG-IP system by its management IP address will use this default value. For IPFIX, the domain ID will use this default value.

Workaround:
Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a VCMP guest which runs on a single slot, use a command similar to the following:

tmsh modify sys cluster default members { 1 { address 10.1.2.3 } }

645206-4 : Missing cipher suites in outgoing LDAP TLS ClientHello★

Solution Article: K23105004

Component: TMOS

Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behavior is also seen for BIG-IP system auth via LDAP or AD when TLS is used.

Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.

Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.

Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.

644979-2 : Errors not logged from hourly 1k key generation cron job

Component: TMOS

Symptoms:
Errors from the 1k key generation hourly cron job do not get logged as intended from the hourly 1024-bit key generation task.

Conditions:
This occurs during hourly generation of ephemeral keys.

Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.

Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.

644725-4 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart

Solution Article: K01914292

Component: Application Security Manager

Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.

Conditions:
A reconfiguration / headers configuration happens while the ASM is removed from a VIP. This may happen especially in scripts that create a config or remove a config.

Impact:
ASM restarts. The system goes offline. A failover may happen.

Workaround:
Ensure that there is some time between setting a configuration to removing ASM from the VIP.

644135 : 12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics

Solution Article: K53342451

Component: TMOS

Symptoms:
12.1.1-hf1 only supports module tuning for Source Photonics 100G LR4 optics. It does not support Finisar 100G LR4 optics via f5optics.

Conditions:
This is relevant only if you are running 12.1.1-hf1, and are using Finisar 100G optics.

Impact:
FCS errors may be observed on interfaces using Finisar 100G LR4 optics.

Workaround:
The only workaround is to update the software you are running with an engineering hotfix or software version that supports module tuning for Finisar 100G LR4 optics.

Note: This issue applies only to 12.1.1-hf1. This issue is addressed in other versions using a mechanism different from 12.1.1-hf1. For version 12.1.1-hf1, there is an engineering hotfix available to support Finisar 100G LR4 optics.

643860-4 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly

Component: Local Traffic Manager

Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:

-- In /var/log/tmm:
notice MCP connection expired early in startup; retrying.

In/var/log/ltm:
mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.

Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.

Impact:
The TMM processes will restart and fail to come up properly.

Workaround:
To recover, reboot the system.

Note: Do not perform file open operations on /dev/vnic. There is no need to.

643799-1 : Deleting a partition may cause a sync validation error

Component: TMOS

Symptoms:
Deleting a partition may cause the sync to peers to fail.

For example, on BIG-IP1:

tmsh delete auth partition P1
tmsh show cm sync-status
     Sync Summary
     Status Sync Failed
     Summary A validation error occurred while syncing to a remote device
     Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)

Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.

Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.

Impact:
The sync of this change may fail on peers.

Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.

643459-3 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy

Solution Article: K81809012

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP in the Referer header.

643041-4 : Less than optimal interaction between OneConnect and proxy MSS

Solution Article: K64451315

Component: Local Traffic Manager

Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.

Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.

Impact:
Decreased throughput, possible congestion due to small segments.

Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.

642923-2 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system

Solution Article: K01951295

Component: TMOS

Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.

Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.

There are a number of ways that this issue may manifest.

For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).

*Note: Depending the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a relative estimate of the number of filestore objects that might cause this issue to occur.

Impact:
mcpd restarts, which causes a system to go offline and restart services.

Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:

modify sys daemon-ha mcpd heartbeat disable

Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.

Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.

To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.

642786-3 : TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.

Solution Article: K01833444

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may drop tunneled traffic destined for it, even though the corresponding tunnel is created correctly.

Conditions:
The local-address of a tunnel is resided in a non-default route-domain and the sys db variable 'connection.vlankeyed' is set to 'disable'. Note that the default setting of that sys db variable is 'enable'.

Impact:
The BIG-IP system may drop tunneled traffic.

Workaround:
None.

642422-2 : BFD may not remove dependant static routes when peer sends BFD Admin-Down

Component: TMOS

Symptoms:
As a result of a known issue, the BFD feature used in an Dynamic routing configuration, may not remove static routes when configured to be dependant on the liveliness of the BFD peer.

Conditions:
- BFD configured and up.
- Static route configured and dependant on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.

Impact:
Static route may not be removed on BFD session configured by peer to be and traffic may still be routed.

642211-2 : Warning logged when GENERICMESSAGE::message drop iRule command used

Component: Service Provider

Symptoms:
When submitting an iRule script using GENERICMESSAGE::message drop iRule command, a warning message is returned.

Conditions:
This occurs when saving an iRule that contains GENERICMESSAGE::message drop.

Impact:
A warning message is returned.

Workaround:
NA

641869-1 : Assertion "vmem_hashlist_remove not found" failed.

Solution Article: K62744980

Component: Local Traffic Manager

Symptoms:
TMM cores with the following assertion: "vmem_hashlist_remove not found" failed.

Conditions:
It is unknown what leads to that situation directly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

641582-1 : Rarely, an HSB transmitter failure occurs

Component: TMOS

Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.

Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.

Impact:
Reboot of the unit.

Workaround:
None.

Note: Although there is no workaround, beginning in v13.0.0, there is an internal counter that tracks occurrences of these types of HSB transmitter failures, which enables better understanding of the issue and a more thorough investigation into its cause.

641543-1 : bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.

Component: TMOS

Symptoms:
If you have a custom bind-timeout value set for ldap system-auth, the custom value is honored for anonymous users but is ignored for explicit users.

Conditions:
ldap auth configured for remote authentication, and a custom bind timeout value is specified.

Impact:
The default timeout value of 10 seconds will be enforced for ldap auth.

Workaround:
None.

641450 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.

641001 : BWC: dynamic policy category sees lower bandwidth than expected in Congested policies

Component: TMOS

Symptoms:
When BWC policy is configured with category that is configured at lower rate than max-user-rate, when the system is congested, the system might experience lower bandwidth and is not able to fill the pipe.

Conditions:
BWC dynamic policy configured with category.
The number of sessions created is greater than max-rate/max-user-rate, utilizing all the policies.

For example: max-rate=10mbps, max user rate=5mbps, cat rate=3mbps.

Impact:
Lower bandwidth is seen.

Workaround:
Configure categories at the same rate as that of max-user-rate.

640924-1 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12) LED icons on Edge client's main UI, the buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.

Conditions:
macOS Sierra (10.12.x) and Edge client application.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
None.

640863-2 : Disabling partition selector in DNS Resolver's Forward Zones

Solution Article: K29231946

Component: TMOS

Symptoms:
The partition selector is enabled in DNS Resolver's Forward Zones.

Conditions:
Having Forward Zones in DNS Resolvers inside different partitions.

Impact:
Changing the partition in the Forward Zones page may error out.

Workaround:
Change the partition in the DNS Resolver List or use tmsh.

640751-2 : No PCRE Validation Performed For Regular Expression Parameters

Component: Application Security Manager

Symptoms:
If a Parameter is configured to match a specified regular expression, but the regular expression is misconfigured, there is no error presented to the user, and there is no regexp enforcement for the parameter.

The following log can be observed in bd.log
"PCRE compilation failed at offset 12: PCRE does not support \L, \l, \N, \U, or \u"

Conditions:
A non-PCRE regular expression is configured for a Parameter.

Impact:
No Regular Expression enforcement is performed.

640704 : A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses★

Solution Article: K20418658

Component: Local Traffic Manager

Symptoms:
When upgrading a BIG-IP HA pair directly from version 10.2.x to version 12.1.x, the devices may fail to retain their primary and secondary mirror IP addresses after the upgrade.

Conditions:
This will only occur during a direct upgrade from 10.2.x to 12.1.x. This will not occur, for instance, when upgrading to 12.0.x.

Impact:
The devices will not be performing any mirroring after the upgrade to version 12.1.x as a result of this issue.

Workaround:
You can work around this issue by either:

A) Performing an intermediate upgrade to BIG-IP version 12.0.x first.

or

B) Manually reconfiguring the mirror IP addresses after the devices have been upgraded to 12.1.x (for more information on how to do so, refer to K13478: Overview of connection and persistence mirroring (11.x - 12.x) https://support.f5.com/csp/article/K13478).

640548-1 : In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.

Component: Policy Enforcement Manager

Symptoms:
In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked and PEM doesn't do re-try.

Conditions:
In Gy delayed binding mode, concurrent flows hits another rating group before the CCA-I for the first rating groups comes back.

Impact:
Quota management service will not be active for those concurrent flows.

640489 : iSeries LCD alerts screen returns to splash screen intermittently

Solution Article: K53571714

Component: TMOS

Symptoms:
If there is a pending alert and the LCD remains on the alerts screen for an extended period of time, when you attempt to view the alerts for a particular severity (critical, error, warning, etc), the system re-directs to the splash screen instead of to the screen with a list of alerts.

Conditions:
-- An alert is pending.
-- The LCD remains on the alerts screen for a long time (e.g., 1-2 minutes).
-- Navigate to one of the alert levels to view the pending alerts.
-- The LCD displays the splash screen instead of a list of alerts.

Impact:
The system returns to the splash screen instead of a list of alerts.

Workaround:
Navigate back to the alerts screen and select an alert severity to get a list of alerts.

640395-1 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly

Component: Local Traffic Manager

Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.

Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.

Impact:
If you are not actually using the spanning feature, there is no impact.

If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.

Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.

Alternatively, you can manually set the spanning property on their virtual addresses as desired (after the upgrade).

640054-1 : Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled

Component: TMOS

Symptoms:
When a virtual address is using selective ICMP-echo and the virtual address is disabled, it will sometimes respond to ICMP echo requests, and sometimes not.

Conditions:
The difference appears to depend on where the virtual address is disabled.

1) If the virtual address is disabled in the virtual address settings page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List :: <address>] it stops responding to pings.

2) If the virtual address is disabled on the virtual address list page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List] it responds to pings.

3) If the virtual address is disabled with TMSH: 'modify ltm virtual-address <address> enabled no' it responds to pings.

In addition, on a BIG-IP Virtual Edition (VE), case #1 also responds to pings.

Impact:
The ICMP echo behavior is different depending on where the virtual address is disabled.

Workaround:
None.

639774-5 : mysqld.err rollover log files are not collected by qkview

Solution Article: K30598276

Component: TMOS

Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview without truncation rules normally used for log files. Also, the mysqld.err.1 and mysqld.err.2.gz, etc are not collected at all.

Conditions:
This occurs when generating a qkview.

Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.

Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.

639764-2 : Crash when searching external data-groups with records that do not have values

Component: Local Traffic Manager

Symptoms:
The TMM may crash when search through an external data-group that has at least one value with empty value.

Conditions:
For example, this occurs if data-group is defined as follows:
the key for network 10.40.0.0/13 has no value:
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",

A search in the data-group above with -value or -element options where at least one of the result records has no value will most likely result in a TMM crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure that every record in the external data-groups has a value.

639575-5 : Using libtar with files larger than 2 GB will create an unusable tarball

Solution Article: K63042400

Component: TMOS

Symptoms:
Programs such as qkview will create a .tar file (tarball) using libtar and if any of the files collected is greater than 2 GB, the output tar file cannot be read by /bin/tar.

Conditions:
The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.

Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be a zero-length file. Alternatively, the offending file that is greater than 2 GB must be removed from the system prior to running qkview or other program that uses libtar.

638960-2 : A subset of the BIG-IP default profiles can be incorrectly deleted

Component: TMOS

Symptoms:
On the BIG-IP system, default profiles should not be deletable. However, the system incorrectly allows a subset of them to be deleted. Known affected profiles include all default persistence and http profiles.

Conditions:
The issue occurs when someone attempts to delete a susceptible profile via TMSH, iControl SOAP or iControl REST. The issue does not occur when using the WebUI (where susceptible profiles are not selectable for deletion).

Impact:
If a default profile is missing from the configuration, several issues may arise. For instance, the configuration may fail to load or save, and the WebUI may fail to display certain screens.

638893-1 : Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command

Component: TMOS

Symptoms:
Error message references solution number instead of Knowledgebase number:
err mcpd[6492]: 01071ab6:3: The requested media 100TX-FD for interface 1.0 is invalid. Valid settings are: auto, 1000T-FD. Please see SOL14556 for details.

Conditions:
Incorrectly configure net interface media, e.g.,
modify net interface 1.0 media 100TX-FD.

Impact:
Posted message references SOL14556. The Ask F5 site now uses K numbers instead of SOL numbers. At some point, the previously used SOL numbers might no longer redirect, and the information originally in that article would be lost.

Workaround:
View knowledgebase article K14556: Copper 1 Gbps modules configured with media other than the 'auto' setting may not function, https://support.f5.com/csp/article/K14556.

638091-4 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic as they restart

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.

638089-1 : LACP and CMP state simultaneous fail on A112 and A113 platform

Component: TMOS

Symptoms:
An internal traffic stoppage occurs and causes LACP ACTIVE trunk members to go down, and CMP state changes for the HOST and VCMP guests (if configured) on the impacted blade. The tmctl detailed statistics show sustained TX pause generated by HSB on one or more links and matching RX Pause received in interface_stat (on 4.1, 4.2, 4.3).

Conditions:
This happens when an internal FPGA device runs into a bad state under heavy traffic load. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Traffic no longer functions on the blade where stoppage occurs.

Workaround:
Reboot blade.

637979-1 : IPsec over isession not working

Component: TMOS

Symptoms:
User cannot send IPsec encrypted application data traffic through a secured iSession connection, just by configuring symmetric optimization to use IPsec for IP encapsulation.

Conditions:
Configure IPSec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.

Impact:
User is unable to send encrypted traffic using IPsec over the tunnel without additional configuration required for a typical IPSec setup.

Workaround:
Configuration needed for a typical IPsec setup should be made explicitly.
isession encapsulation should be set to "none", and proper IKE-peer, IPsec policy, and traffic selectors should be configured to capture isession traffic between the isession endpoints.

BIG-IP1 GUI:
[Local Endpoint]
Acceleration->Symmetric Optimization : Local Endpoint->Properties
WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
IP Encapsulation Type: None

[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints >New Remote Endpoint...
IP Address: <BIG-IP2-local-endpoint-ipaddress>

[IKE peer]
Network->IPsec : IKE Peers->New IKE Peer...
Remote Address: <BIG-IP2-local-endpoint-ipaddress>
Version: Version1
Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>

[IPsec policy]
Network->IPsec : IPsec Policies->New IPsec Policy…
Name:<isession_policy_name>
Mode: Tunnel
Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>

[Traffic selector]
Network ->IPsec : Traffic Selectors ->New Traffic Selector...
IPsec Policy Name: <isession_policy_name>
Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>

BIG-IP2 GUI: Analogous--just swap the local and remote endpoint addresses where they appear above

637613-3 : Cluster blade being disabled immediately returns to enabled/green

Solution Article: K24133500

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.

637279 : Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.

Component: TMOS

Symptoms:
Pool member discovery does not work and produces the following error: as-describe-auto-scaling-groups: Refused: The security token included in the request is invalid.

Conditions:
This occurs in the eu-central-1 region only. Does not apply for failover. Note: This error might happen even when correct IAM credentials are specified.

Impact:
Pool member discovery cannot be run in eu-central-1 region.

Workaround:
Create autoscale configuration in regions other than eu-central-1.

636823-3 : Node name and node address

Component: TMOS

Symptoms:
If you create a node with a name that is an IP address but the IP address is different than the name, it can produce an error when adding the node to a pool.

Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1

Impact:
When you attempt to add the node to a pool, an error will occur:

Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1

Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.

636790-3 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.

Component: Global Traffic Manager (DNS)

Symptoms:
While logged in as a Manager role, if a user attempts to modify an object this role does not have access to, the GUI will post a validation error.

Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.

Impact:
The system posts generic validation errors when Create, Update, Delete actions are initiated by a user without proper permissions. These permissions are not allowed for the Manager, but the GUI makes it appear as if they are.

Workaround:
None.

636669-3 : bd log are full of 'Can't run patterns' messages

Solution Article: K37300224

Component: Application Security Manager

Symptoms:
The bd log are getting filled up with 'Can't run patterns' messages. A core might occur due to the i/o outage. General traffic disturbance/slowness might occur.

Conditions:
Configuration change that relates to attack patterns happens while there is heavy traffic.

Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.

Workaround:
None.

636412-1 : ASM start process fail with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities

Component: Application Security Manager

Symptoms:
ASM start process fails on machines with thousands of ASM configuration entities.

The log file contains error messages similar to the following:
Protobuf message exceeds max defined size. Table: CONFIG_TYPE_DYNAMIC_TABLES.

Conditions:
Issue is very rarely reproducible and requires thousands of ASM policy entities on the machine.

Impact:
ASM may report legitimate request traffic as a violation.

Workaround:
There is no workaround at this time.

636348-3 : BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.

Component: Local Traffic Manager

Symptoms:
In the /var/log/ltm file you may observe an error message similar to the following example

01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.

Conditions:
This issue occurs when all the following conditions are met:

-You have multiple BIG-IP systems in a High Availability (HA) configuration.
-You have configured System Gateway Failsafe
-You reset device trust
-You attempt to reload the configuration or reboot the device before recreating the device trust

Impact:
Configuration may fail to load

Workaround:
Remove Gateway Failsafe before resetting device trust

636164 : Remote IP not working in IE 8

Component: TMOS

Symptoms:
Adding a Remote IP in System :: Logs : Configuration : Remote Logging has no effect in Microsoft Internet Explorer (IE) version 8.

Conditions:
Using IE 8.

Impact:
Remote IP does not work.

Workaround:
BIG-IP version 12.x and later do not support IE 8. Use a later version of IE, or use another browser.

636163 : Certificate Key Chain not working in IE 8

Component: TMOS

Symptoms:
Certificate Key Chain not working in Microsoft Internet Explorer (IE) version 8.

Conditions:
Using IE 8.

Impact:
Certificate Key Chain does not work.

Workaround:
BIG-IP version 12.1.0 and later do not support IE 8. Use a later version of IE, or use another browser.

636104-2 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.

Component: Application Visibility and Reporting

Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.

Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.

Impact:
Not seeing the pool member under the HTTP "pool" dimension.

Workaround:
You can define a temporary pool member with the port that is being used (e.g. 80) and delete it after that.
But once defined once, it will go to the DB and will be shown from that point.
This is a partial workaround since it needs to be done for every port that is being used in traffic.

636031-4 : GUI LTM Monitor Configuration String adding CR for type Oracle

Solution Article: K23313837

Component: TMOS

Symptoms:
If the value entered in for the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.

Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.

Impact:
The /config/bigip.conf file contains CR characters in the file.

Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.

635871-1 : tmsh validation of hash persistence timeout setting is incorrect

Component: Local Traffic Manager

Symptoms:
The permitted hash persistence timeout value is a range from 1 - 4294967295. But in tmsh you can set the value to 0 without error

Conditions:
This occurs when running the following tmsh command:
tmsh modify ltm persistence hash <profile_name> timeout <number>
where <number> = 0

The GUI will report a validation error if you try to set it to 0 in the GUI.

Impact:
The value of 0 will be saved but the minimum value should be 1.

Workaround:
If you accidentally set a timeout to 0 you can set it back to the correct range using the following tmsh command:
tmsh modify ltm persistence hash <profile>name> timeout <1-4294967295>

635191-1 : Under rare circumstances TMM may crash

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP failover.

Conditions:
There are no known, reproducible conditions under which this occurs. However, the tmm restart happens once, and then does not recur. The only way to determine that the issue exists is through a review of the core stack, which must be completed by F5 Support.

Impact:
tmm restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

635173-1 : Standby BIG-IP TMM uses unexpectedly large amount of memory

Component: Local Traffic Manager

Symptoms:
TMM memory usage on a BIG-IP standby device might be substantially higher than an active device, and it recovers each time when the high availability (HA) connection is lost and re-established.

Conditions:
The problem happens only on Standby device with L7 mirroring traffic in effect.

Impact:
The standby device may not be able to take over traffic when failover happens.

Workaround:
There is no workaround at this time.

634369-2 : Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes

Component: Local Traffic Manager

Symptoms:
Bigd crash (SIGABRT) while running iControl REST scripts against monitor configurations with FQDN nodes.

Conditions:
-- Bigd configured with FQDN nodes.
-- iControl REST calls are used to interact with system.

Impact:
Bigd crashes and restarts. Monitoring correctly resumes after the restart period.

Workaround:
None.

634014 : Absolute timers may fire one second early during the leap second event

Component: TMOS

Symptoms:
Absolute timers that expire at midnight UTC may fire one second early when the leap second is inserted.

Conditions:
This occurs if an absolute timer is used to trigger a task, and the leap second occurs during the timer window. For example if an absolute timer of 60 seconds is scheduled and the leap second event occurs midway through that interval, the event will appear to fire one second earlier than expected.

Impact:
Impact to applications unknown. The system stays stable, and a timer may be fired off earlier than expected

Workaround:
None.

633824-2 : Cannot add pool members containing a colon in the node name

Solution Article: K39319200

Component: TMOS

Symptoms:
You are allowed to create nodes that contain a colon in the node name. If you later try to add the named node (e.g. 10.1.20.10:80), adding the node will fail and you will get an error similar to the following:

0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).

Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon in it

Impact:
You are unable to add the node to the pool and will get a validation error.

Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.

633568 : Pool statistics page doesn't show all pool members in IE8 with compatibility view

Component: TMOS

Symptoms:
While accessing the pool statistics page with IE8 with compatibility view mode, pool member expand/collapse icons do not work properly. Specifically, one of the pool members is displayed as blank.

Conditions:
This occurs when accessing the BIG-IP GUI using IE8; navigate to Statistics :: Module Statistics : Local Traffic. Select "Pool" and press "collapse (plus)" icon to expand pool members.

Impact:
You will see that one pool member will displayed as blank row.

633495 : Cannot switch between partitions in Local Traffic :: Policies

Component: TMOS

Symptoms:
When you are in the Local Traffic :: Policies page, you are unable to change partitions.

Conditions:
This occurs when multiple admin partitions exist and there are policies in each partition, and you wish to change partitions.

Impact:
You are unable to change partitions from the Local Traffic :: Policies page.

Workaround:
Change to another page in the GUI and change the partition, then visit the Policies page again.

633464-2 : Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.

Component: Local Traffic Manager

Symptoms:
Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.

Conditions:
HTTP/2 profile is attached to the virtual. Content-length header is sent by the server.

Impact:
If a client application requires the content length for HTTP/2, the application does not function as expected.

Workaround:
None.

633454-1 : Older versions of Chrome get blocked when Proactive Bot Defense is enabled.

Component: Advanced Firewall Manager

Symptoms:
Older versions of Chrome get blocked when Proactive Bot Defense is enabled.

Conditions:
-- Versions of Chrome older than version 53.
-- Proactive Bot Defense is enabled.

Impact:
Browser gets blocked.

Workaround:
Use one of the following workarounds:

-- Use a version of Chrome that is version 53 or later.
-- Use a different browser.

633349-3 : localdbmgr hangs and eventually crashes

Solution Article: K86613330

Component: Access Policy Manager

Symptoms:
localdbmgr hangs, consumes a lot of CPU and eventually crashes due to a rare condition where the program's execution halts, upon logging configuration changes.

Conditions:
Rare condition upon changing log settings configuration, or when localdbmgr process loads existing log config settings upon start / restart.

Impact:
localdbmgr hangs, consume a lot of CPU and will eventually crash.

Workaround:
localdbmgr should restart and recover from this crash. If it doesn't, perform a "bigstart restart localdbmgr"

633172 : External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command

Solution Article: K12473201

Component: TMOS

Symptoms:
The REST call to install a key from a local file fails when the user is external (e.g., LDAP), even when its role is Administrator.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is configured to allow access to external LDAP users.
-- The external LDAP user is assigned an Administrator role.
-- The external LDAP user uses the tm/sys/crypto/key iControl REST command to import a key from a local file.

For example, you use the tm/sys/crypto/key iControl REST command with external LDAP user f5user that is assigned with the Administrator role, as follows:

restcurl -u f5user:f5user -X POST https://localhost/tm/sys/crypto/key -d '{"command":"install","name":"/Common/my-key.key","from-local-file":"/var/config/rest/downloads/my_key.key"}'

Impact:
Key install operation fails.

Workaround:
To work around this issue, you can use the sys/file/ssl-key iControl REST command to import a key file instead. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

Log in to the command line on the system from which you want to import the key file.
Note: The system must be able to support the command line version of the curl command.

Import the key file using the following command syntax:
curl -k -u <username:password> -H "Content-Type: application/json" -X POST https://<BIG-IP device>/tm/sys/file/ssl-key/ -d '{"name":"<key file name>","source-path":"<full path to key file>"}'

For example:

curl -k -u f5user:f5user -H "Content-Type: application/json" -X POST https://localhost/tm/sys/file/ssl-key/ -d '{"name":"f5user1.key","source-path":"file:///shared/my_key.key"}'

Note: Ensure that the key file name includes the file suffix, as the tm/sys/file/ssl-key iControl REST command does not automatically append .key in the key name.

633110-2 : Literal tab character in monitor send/receive string causes config load failure, unknown property

Solution Article: K09293022

Component: Local Traffic Manager

Symptoms:
BIG-IP allows you to paste in monitor send or receive strings that contains tabs, but the tabs do not get quoted when it gets saved to the configuration. This will cause the configuration load to fail, with this error signature:

Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property

Conditions:
This can occur if you copy/paste a monitor send or receive string and paste it into the send/recv string field in tmsh or the GUI.

Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.

Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.

632968-2 : supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails

Solution Article: K46042053

Component: Local Traffic Manager

Symptoms:
Clients are unable to establish an SSL session.

If the backend server sends a Certificate Request with Signature Hash Algorithms set to SHA256, the serverssl profile responds with Certificate + Certificate Verify containing signature signed by SHA1 when ssl-sign-hash in that profile is set to 'ANY'.
Since the backend server does not expect SHA1 the handshake fails.

Conditions:
* BIG-IP is communicating with a TLS server (applies to serverssl profile).
* TLS server is requesting client authentication (this is less common).
* TLS client using the supported_signature_algorithms extension (this is very common)
* TLS 1.2 is likely needed. TLS 1.0 doesn't support extensions.

Impact:
BIG-IP will sign the TLS handshake with the SHA1 algorithm, which will fail on the server.

Note that this issue is orthogonal to the issue of hash algorithm in X.509 certificates, e.g. "SHA1 in X.509 certificates".

Workaround:
No mitigation is known.

632958-2 : APM MIB gauges not reset on standby device

Component: Access Policy Manager

Symptoms:
The following MIB gauges are not reset after the device transitions from active to standby:

F5-BIG-IP-APM-MIB::apmAccessStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmAccessStatCurrentEndedSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentPendingSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentCompletedSessions

Conditions:
After failover happens

Impact:
Since these gauges represent current session counts, administrator may not be able to identify the active device by looking at these gauges.

632901-1 : JET documentation incorrect for RESOLV::lookup

Solution Article: K03112333

Component: Local Traffic Manager

Symptoms:
JET documentation for the iRule command RESOLV::lookup contains a description of a bug where PTR records are not being cached. The documentation includes a workaround for this bug. However, the bug no longer exists.

Conditions:
tmsh help ltm rule command RESOLV::lookup | grep "Note: The results" -A6

Impact:
Jet documentation mentions a resolution to a bug that no longer exists.

Workaround:
None. This is a cosmetic issue that you can safely ignore.

632839 : UDP Flood does not get detected if the vector limits are infinite

Component: Advanced Firewall Manager

Symptoms:
If the UDP_flood AFM DoS vector is configured as 'infinite' for both detection-threshold-pps and default-internal-rate-limit then it will not get detected. Even per-virtual server and Sweep/Flood will not detect UDP_Flood. If they are not infinite, they should work as expected, and the default value for detection-threshold-pps is 400000.

Conditions:
-- Settings of 'infinite' for UDP_flood device-dos vector.
-- Running v12.1.1, 12.1.2, or 12.1.3.

Impact:
You might expect UDP_flood vector to be detected at the per-virtual server and Sweep/Flood level, but if it is configured at infinite at the global device level, then it will not be detected at any level at all.

Workaround:
To enable the system to detect UDP_Flood at the various levels, set the global device-dos level for UDP_flood to be 4294967294 (1 less than MAX_UINT32).

Note: With this workaround, the system still cannot detect UDP_flood vector still at the global device-level because the number is too high.

632838-1 : Deterministic NAT performance may be degraded

Component: Performance

Symptoms:
Deterministic NAT performance may be degraded compared to performance in 12.1.x.

Conditions:
Deterministic NAT configuration in use in version 13.0.

Impact:
CPU utilization will be higher, and the system may pass traffic with less speed.

Workaround:
Enable the db variable pva.fwdaccel to see DNAT performance improve with a fastL4 profile.

632825-5 : bcm56xxd crash following 'silent' port-mirror configuration failure

Component: TMOS

Symptoms:
A port-mirror configuration can fail 'silently', that is, no error from MCPD yet the following is logged in /var/log/ltm:

err bcm56xxd: 012c0011:3: Trunk port trouble with bcm_mirror_port_set() Entry exists bs_mirror.c(598).
err bcm56xxd: 012c0010:3: Trouble committing mirror settings to hardware: 0:21 bs_mirror.c(671).
err bcm56xxd: 012c0010:3: Trouble setting port mirror from 2.1 to 2.6 bsx.c(5173).

Once this happens, any subsequent port-mirror configuration will result in a deadlock condition and SOD will restart bcm56xxd.

If the port-mirror interfaces are part of a trunk, any trunk configuration will cause this condition. For example, adding a vCMP guest.

Conditions:
Prior 'silent' port-mirror configuration error followed by a subsequent port-mirror configuration command.

Impact:
bcm56xxd continuously restarts until the bad port-mirror configuration is removed.

Workaround:
None.

632723-1 : tmm core with remote logging pool in non-zero route domain

Solution Article: K05079458

Component: Advanced Firewall Manager

Symptoms:
tmm cores every minute with a security log profile set to send log messages to pool members in a different route domain.

Conditions:
Remote logging pool configured, and the pool members are in a non-zero route domain that is different than that of the forwarding virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the logging pool members are in the zero route domain.

632604-1 : SSL::sessionid iRule command returns incorrect result

Component: Local Traffic Manager

Symptoms:
SSL::sessionid iRule command returns incorrect result

Conditions:
An iRule is used to retrieve the session ID.

Impact:
The session ID might not be reliable.

Workaround:
None.

632553-2 : DHCP: OFFER packets from server are intermittently dropped

Solution Article: K14947100

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
You may be able to work around this condition by issuing the following tmsh command:

tmsh delete sys connection cs-server-addr 255.255.255.255 cs-server-port 67

632246-1 : Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.

Component: Advanced Firewall Manager

Symptoms:
pvasyncookies db variable does not disable/enable HW syn-cookies on secondary blades, and does not persist across MCPD restart/reboot.

Conditions:
Non-default setting for the pvasyncookies db variable.

Impact:
Setting does not persist across MCPD restart/reboot.

Workaround:
None.

631715-1 : ASM::disable does not disable client side challenges

Component: Application Security Manager

Symptoms:
ASM::disable command was run but a challenge was still sent.

Conditions:
irule with ASM::disable. CS or DID challenge is configured.

Impact:
An unexpected JS challenge arrives

Workaround:
N/A

631626 : Unable to delete an access profile which contains a route domain agent

Component: Access Policy Manager

Symptoms:
If an Access profile contains a policy with a route domain agent, the policy cannot be copied or deleted from the GUI or command line tools.

The GUI and CLI both fail with the following message:
Operation error: getHash failed

Conditions:
Access profile contains a route domain agent.

Impact:
Cannot delete or copy the Access profile.

Workaround:
Delete the route domain agent from the VPE and then copy/delete the Access profile.

631286-1 : URI cache entries should be replaced /expired for euie hash table

Component: Access Policy Manager

Symptoms:
Tmctl stats for "access_uri_info" gradually grows and can lead to TMM memory exhaustion.

Conditions:
APM or SWG use case.

Impact:
TMM memory exhaustion.

Workaround:
Restart tmm.

631048-1 : Portal Access [PeopleSoft] 'My Preferences' page does not have content

Component: Access Policy Manager

Symptoms:
IN PeopleSoft (PS) web-application 'My Preferences' page contains no content.

Conditions:
Steps to Reproduce:

1. Navigate and login to PS Portal through reverse proxy.
2. Click on 'My Preferences' item in 'Action list' button.

Impact:
Page contains no content. Web-application does not work as expected.

Workaround:
To work around this issue, use an iRule.

631046 : Unable to generate a FIPS key using the GUI

Component: TMOS

Symptoms:
While generating a FIPS key from the BIG-IP GUI, you get the following error:
Key management library returned bad status: -4, FIPS security is not licensed, FIPS key security type is not allowed.

Generating a FIPS key from tmsh works properly.

Conditions:
This occurs on FIPS-licensed 12.1.1 HF1 and HF2, when using the GUI to generate the FIPS key.

Impact:
Unable to generate a FIPS key using the GUI.

Workaround:
Use the following tmsh command to generate a FIPS key:
tmsh create sys crypto key <key_object_name> security-type fips.

630795-1 : No guestagentd entry in merged.conf

Component: TMOS

Symptoms:
There is no entry in guestagentd in merged.conf. This results in this error in the ltm log whenever merged starts up:

"Process managed by runsv is not in /config/merged.conf: guestagentd"

Conditions:
This is encountered whenever merged starts.

Impact:
In addition, for stats purposes, the proc_stat and plane_proc_stat tables are affected. If the pid changes (for whatever reason) BIG-IP will not have the assignments to the right process information.

Workaround:
Add guestagentd entry to merged.conf

630257-1 : Monitor send/receive strings cannot end with trailing single-backslash★

Component: Local Traffic Manager

Symptoms:
A monitor with a 'send' or 'receive' string is not supported with a single trailing backslash, such as "GET /\r\n\" (note the single-trailing backslash that "escapes" the trailing double-quotes).

Conditions:
A monitor 'send' or 'receive' string ends with a single trailing backslash; and the configuration is saved, and then a load is attempted.

Impact:
When configuration is saved and then loaded, the single-trailing backslash will escape the trailing double-quotes and the configuration will fail to load.

Workaround:
A double-trailing backslash is supported, where the trailing double-quotes will not be escaped, for example:
"GET /\\r\\n"

629834-4 : istatsd high CPU utilization with large number of entries

Component: TMOS

Symptoms:
With a large number of istats entries, statsd uses a large amount of CPU time to process istats.

Conditions:
This occurs when there is a large number of istats entries in iRules.

Impact:
istats processing is slow. CPU utilization by istatsd is high.

Workaround:
Reduce the number of istats entries. Periodically purge the the istats entries if possible.

628696-1 : Under rare circumstances, all blades in cluster claim not primary during start up

Component: Local Traffic Manager

Symptoms:
All blades in cluster claim not primary during startup

Conditions:
during TMM startup

Impact:
The cluster (even if standalone) appears Standby, and ready-for-world is never reached.

Workaround:
Restart tmm on primary blade

628402-4 : Operator users receive 'can't get object count from mcpd' error in response to certain commands

Solution Article: K79213220

Component: TMOS

Symptoms:
Operator users receive the following error in response to certain commands:
Unexpected Error: Can't display all items, can't get object count from mcpd.

Conditions:
-- The user is 'Operator' level.
-- The command is a top-level list or show command, such as the 'show running-config' command.

Impact:
Operator-level users are unable to issue 'show' and 'list' commands on top-level objects, but can 'show' and 'list' specific configuration objects.

Workaround:
Issue commands for specific configuration objects.

628180-1 : DNS Express may fail after upgrade★

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may not answer DNSX zones without TMM restart / DNSX zone refresh on upgrade.

Conditions:
Upgrading from previous version.

Impact:
DNS Express may fail after TMM.

Workaround:
Restart TMM, or force TMM to reload the DNS express database by running "tmsh load ltm dns dns-express-db".

628016-2 : MP_JOIN always fails if MPTCP never receives payload data

Component: Local Traffic Manager

Symptoms:
MP_JOIN during an MPTCP connection always fails if the BIG-IP never receives payload data.

Conditions:
A virtual server is configured with a TCP profile attached and "Multipath TCP" is enabled.
An MPTCP connection is established where payload data is never sent to the BIG-IP.

Impact:
Unidirectional data connections receiving data from the BIG-IP (like with FTP) cannot join additional subflows.

Workaround:
There is no workaround at this time.

627760-3 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.

627447 : Sync fails after firewall policy deletion

Component: Advanced Firewall Manager

Symptoms:
When deleting a firewall policy and then creating a new one, sync to standby fails.

Conditions:
Delete firewall policy then create a new one. Sync to Standby.

Impact:
Sync fails.

Workaround:
None.

627384-1 : eamtest tool fails with Segmentation fault after initialization.

Component: Access Policy Manager

Symptoms:
Tests done with eamtest tool fail with Segmentation fault after initialization.

Conditions:
Run eamtest tool.

Impact:
eamtest tool fails, which affects troubleshooting using the tool.

Workaround:
Run eamtest with LD_PRELOAD=libeam_asdk_preload.so prefix.

627341-1 : TMUI loginProviderName is invalid when requesting a REST token

Component: Device Management

Symptoms:
Requests for X-F5-Auth-Token fail when a TMUI view is loaded that requires a X-F5-Auth-Token used for REST requests.

Conditions:
On startup if the tmos login provider takes too long to become available it will cause the login provider to be unavailable, and requests for auth tokens will fail. This is a race condition and happens intermittently. Typically on lower end devices.

Impact:
GUI cannot retrieve F5-Auth-Token for REST requests

Workaround:
bigstart restart restjavad

627144 : Two users cannot create policies at the same time.

Component: Application Security Manager

Symptoms:
Two users cannot create policies at the same time.

Conditions:
-- Two users with admin authority are logged onto the GUI.
-- Both begin creating separate ASM policies with distinct options.
For instance:
- User 'wafadmin1' logs in first.
- User 'wafadmin2' logs in second.
- Both are creating policies.
- When wafadmin2 submits the policy, it's being overwritten by policy details given by wafadmin1.
- Only user wafadmin1 can de-activate a policy; for other users the option itself is grayed out.

Impact:
Policy from one user can overwrite another's. Can also affect who can de-activate a policy.

Workaround:
None.

626589-6 : iControl-SOAP prints beyond log buffer

Solution Article: K73230273

Component: TMOS

Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.

Conditions:
Logging for iControl SOAP is turned on with trace level.

Impact:
iControl-SOAP can print out garbage log to /var/log/ltm and can potentially lead to instability with reading beyond a buffer.

Workaround:
Do not enable logging with trace level, which is not turned on by default.

626279-1 : After reboot LCD reports "unit going standby" even if it has gone active.

Component: TMOS

Symptoms:
After a reboot, the LCD and the tmsh show sys alert command reports "unit going standby" even though the device has become active.

Conditions:
This can occur intermittently on system startup.

Impact:
LCD and tmsh show sys alert erroneously report "unit going standby". The /var/log/ltm log will have messages from sod indicating that it has become active.

625428-1 : SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit

Component: TMOS

Symptoms:
The F5 BIG-IP local mib has the wrong value definitions for
F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
allowed(0),disallowed(1)
instead of
disabled(0),enabled(1)

Conditions:
This occurs on any platform that supports this MIB field and has LTM Pool configurations.

Impact:
Information mismatch

625166-1 : Suspended iRules cannot complete on aborted flows

Component: Local Traffic Manager

Symptoms:
An suspended iRule does not resume if the connection aborts in the interim.

Conditions:
an iRule suspends, connection aborts.

Impact:
Not all business logic may execute.

Workaround:
None

625165-2 : Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.

Component: Access Policy Manager

Symptoms:
-Routes to local DNS that get added due to 'allow local DNS' option in Network Access config do not get removed once network changes after VPN is established.

Conditions:
- 'Allow local DNS' option is selected in Network Access config.
- BIG-IP administrator changes the network configuration after VPN is connected.

Impact:
If the BIG-IP administrator changes the network after a VPN is connected, and if DNS servers have changed, then routes to old DNS servers (which may or may not be reachable) will be left in the routing table.

Workaround:
None.

624917 : First few handshakes fail after chassis/appliance reboot when using HSM

Component: Local Traffic Manager

Symptoms:
After rebooting with an HSM configured, you notice the first few handshakes fail, with the following error signature in /var/log/ltm:

warning tmm3[13085]: 01260009:4: Connection error: info tmm3[13085]: 01260013:6: ssl_hs_vfy_sign_srvkeyxchg:9921: sign_srvkeyxchg (80)
1260013:6: SSL Handshake failed for TCP <src> -> <dest>

Conditions:
This occurs on the first few connections after reboot when an HSM is configured, and seems to occur if the device does not immediately pass traffic after reboot.

Impact:
The initial SSL connections will fail, then normal operation will resume.

Workaround:
None.

624909-2 : Static route create validation is less stringent than static route delete validation

Component: TMOS

Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.

Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.

Impact:
Unable to delete certain self-IPs.

Workaround:
In order to delete the self-IPs you can either:

1) Delete the static route.
or
2) Create a self-IP on the same interface and using the IP protocol as the static route.

624626-3 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility

Component: TMOS

Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:

01020036:3: The requested Certificate File (/Common/example.crt) was not found

Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.

Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example

624314-1 : AVR reports incorrect 'actions' in ACL reports

Component: Advanced Firewall Manager

Symptoms:
AVR reports incorrect 'actions' in ACL reports:
-- 'Default" reports as 'Drop'.
-- 'Drop" reports as 'Reject'.
-- 'Reject" reports as 'Accept'.
-- 'Accept" reports as 'Accept decisively'.
-- 'Accept decisively' reports as "Default'.

Conditions:
AVR reporting on ACL statistics.

Impact:
The system reports incorrect actions.

Workaround:
There is no workaround.

624187-1 : Relocate TUC AVP to group AVP USU

Component: Policy Enforcement Manager

Symptoms:
Current implementation sends Traffic Change Usage (TCU) in MSCC at the same level as USU.

Conditions:
Anytime there is a TCU.

Impact:
Interoperability with ZTE OCS, which requires it as a child USU (Used-Service-Unit)

624044-1 : LTM Monitor custom recv/send/recv-disable parameters have backslash at the end may fail to load★

Solution Article: K42806722

Component: Local Traffic Manager

Symptoms:
If LTM monitor configuration parameters have custom strings that end with backslash, the saved configuration will fail to load.

Conditions:
Any of the "recv", "send", or "recv-disable" parameters having a backslash at the end, and the configuration is saved.

Impact:
The new configuration fails upon reload.

Workaround:
Do not end custom strings with backslashes.

623779-2 : Adding a client side challenge whitelist URL wildcard list

Component: Application Security Manager

Symptoms:
There is no way to tell that a URL wildcard is always qualified for client side challenges. Thus dynamic URLs system can't use the CS defense to dos attack or the proactive bot defense.

Conditions:
dynamic URLs are running in a dos attack and the system has cs mitigation enabled.

Impact:
the cs mitigation is not effective and the dos mitigation moves to the rate limit.

Workaround:
N/A

623536-2 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent

Component: TMOS

Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, SNMP traps sent for notifying RSTs sent due to maintenance mode on are not being sent.

Conditions:
Reset cause logging and maintenance mode are enabled
Snmp trap destination is configured and routable

Impact:
snmp traps are not sent

Workaround:
Adding custom trap in /config/user_alert.conf with escaped characters will workaround the issue:

alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode $all VIP\/SNAT\/Proxy connections disabled$" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}

623488-4 : Custom adaptive reaper settings may be lost at upgrade time★

Component: TMOS

Symptoms:
Beginning in 11.6.0, the adaptive-reaper was changed to use the default-eviction policy. The configuration migration script does not migrate the adaptive-reaper settings, so after upgrade the reaper settings are reset to their default.

Conditions:
Upgrade from 10.x to 11.6.0 or later.

Impact:
Settings may be unexpectedly changed as part of upgrade.

Workaround:
Inspect the values after upgrade and reconfigure them.

623371-1 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed

Component: TMOS

Symptoms:
When attempting to ssh in as a nonexistent user using SSH keypair, the connection closes.

Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.

Impact:
User does not see expected password prompt.

This can be used to check which usernames are valid on the BIG-IP system, but it requires SSH keys.

Workaround:
None known.

623367-1 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.

Solution Article: K57879554

Component: TMOS

Symptoms:
Able to login to BIG-IP using root's keypair as a user which does not exist on either the BIG-IP or the RADIUS server.

Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.

Impact:
With root SSH keys, can login as nonexistent user.

Workaround:
Set the default remote role to something other than admin.

623313 : After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.★

Component: TMOS

Symptoms:
After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default. For example, in response to the 'tmsh list sys snmp' command, output in 10.2.x contains the following strings:
community-name public
source default

in 12.1.x, the output does not contain the string 'source default', only the string 'community-name public'.

Conditions:
Upgrade from 10.2.x.

Impact:
Cannot determine the SNMP community name if it is the default.

Workaround:
None.

623265-4 : UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★

Solution Article: K15645547

Component: TMOS

Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt.

Conditions:
A system is upgraded from v10.x to v11.x/v12.x, or a v10.x UCS is restored onto a v11.x/v12.x system.

Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd / non-deterministic behavior between devices, even an HA pair / cluster of devices. Non-determinism increases because ca-bundle.crt does not ConfigSync (and appears not to sync across blades in a chassis).

For example, on one device, the BIG-IP system might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to AskF5 article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030), but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

623084-2 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★

Component: Local Traffic Manager

Symptoms:
mcpd fails to load the configuration if a pre-11.6.0 configuration has a DHCP virtual server configured using any profile that is not /Common/udp.

The following messages appears in /var/log/ltm:

01070095:3: Virtual server /Common/dhcp_relay-p-rd101 lists incompatible profiles.

This is because the profile in this case is /Common/fastL4 and is not 'converted' to a DHCP profile.

Conditions:
-- A pre 11.6.0.
-- DHCP-type virtual server configured with a profile other than /Common/udp.
-- Upgrade to 11.6.0 or later.

Impact:
mcpd fails to load the configuration. The BIG-IP system will not be operational until the configuration is changed and loaded.

Workaround:
Before the upgrade, change the profile to /Common/udp.

If you have already upgraded, manually change the bigip.conf file and load the config using the following command: tmsh load /sys config

622876-1 : Certificate serial number is not displayed properly in OCSP Stapling logs.

Component: Local Traffic Manager

Symptoms:
The certificate serial number is not displayed properly in OCSP Stapling logs.

Conditions:
These logs are seen when there are any errors when fetching and validating an OCSP response, and/or when SSL debug logs are enabled.

Impact:
Certificate serial number is not displayed properly.

Workaround:
None.

622870 : When using a Thales key, SSL handshake failed after restarting pkcs11d

Component: Local Traffic Manager

Symptoms:
With a Thales key, SSL handshake failed after restarting pkcs11d daemon.

Conditions:
Thales netHSM is used and pkcs11d daemon is restarted.

Impact:
SSL traffic is failed.

Workaround:
bigstart restart tmm

after

bigstart restart pkcs11d

622204-1 : If a virtual server's name has a "." in it then a DoS profile cannot be attached to it

Solution Article: K14141640

Component: Advanced Firewall Manager

Symptoms:
For virtual servers with a . (dot, or period) in the name and a DoS profile attached, a crash might occur when attacks are detected/stopped.

Conditions:
Virtual server with a name that includes a . and an attached DoS profile, and then a DoS attack is detected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the . in the virtual server name.

622148-5 : flow generated icmp error message need to consider which side of the proxy they are

Component: Local Traffic Manager

Symptoms:
when generating an error message from a flow, the icmp6 code does not check which side the messages needs to be crafted for.

Conditions:
error handling

Impact:
As a result generated ICMP error message might contain the wrong addressing

Workaround:
no workaround

621843-1 : the ipother proxy is sending icmp error messages to the wrong side

Component: Local Traffic Manager

Symptoms:
the ipother proxy error handling sends ICMP error messages down the wrong side of the proxy. when a client-side error occurs, the error message is being sent to the server side

Conditions:
error handling of the ipother proxy

Impact:
ICMP error messages show up on the wrong side

Workaround:
no workaround

621284-5 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute

Component: WebAccelerator

Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.

Conditions:
Invoking the TMSH man/help page on RAMCACHE.

Impact:
Incorrect TMSH help text

Workaround:
N/A

621158-1 : f5vpn does not close upon closing session

Component: Access Policy Manager

Symptoms:
f5vpn does not close upon closing session.

Conditions:
-- With Network Access started and connected to BIG-IP using browser.
-- Clicking 'Logout' button on webtop.

Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.

Workaround:
None.

620969-3 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.

Component: TMOS

Symptoms:
Using the get_valid_key_sizes() for querying the valid key sizes, 1024 is returned, which is not valid when the FIPS firmware is version 2.2 or above.

Conditions:
FIPS firmware is version 2.2 or above.

Impact:
Unsupported key-size is returned.

620954-3 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent authentication failure results in users not being able to login.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.

620844-1 : DoS: tmm core after delete packet type from Device Sweep vector

Component: Advanced Firewall Manager

Symptoms:
During the config change of Sweep vector, when all tmm threads delete the rate tracker, a race condition might occur that could prevent the tracker from being deleted. As a result, some tmm threads might see the new instance, which causes the tmm thread to abort.

Conditions:
This potential race condition occurs after delete packet type from Device Sweep vector.

Impact:
tmm thread might abort if a race condition occurs. Traffic disrupted while tmm restarts.

Workaround:
None.

620556-1 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule

Component: Local Traffic Manager

Symptoms:
Fragmented packets may be transmited to clone pool members of virtual server, which is also forwarding its traffic to another virtual server.

Conditions:
One virtual server should be configured to forward traffic to another one using iRule, i. e.

when CLIENT_ACCEPTED {
virtual another_virtual
}

This forwarding virtual should also have clone pool configured.

Impact:
Fragmented packet are transmitted to pool members, which affects performance and may trigger some intrusion detection systems.

620311-1 : GUI Failover Unicast Address information incorrect

Component: TMOS

Symptoms:
In the GUI, the Failover Unicast Address information for the peer device shows the Management IP of the local device, instead of the peer's Management address.

Conditions:
Failover Device group with failover unicast addresses configured with management addresses.

Impact:
GUI displays incorrect address. *Mgmt addresses listed incorrectly show local mgmt addresses in the following locations:
-- Device management :: Devices :: <peer device>
-- Device Connectivity: Failover Unicast Configuration

Workaround:
None.

620053-1 : Gratuitous ARPs may be transmitted by active unit going offline

Component: Local Traffic Manager

Symptoms:
When cluster's active goes offline, the non-primary blades may send gratuitous ARPs.

Conditions:
Cluster's active goes offline.

Impact:
Potential impact to traffic if the gratuitous ARPs of the blade which goes offline is received before the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.

Workaround:
Failover the cluster before forcing offline or configure mac masquerading.

619706-1 : tmsh appears to allow password change for internal lcd admin user

Component: TMOS

Symptoms:
The 'tmsh modify auth password' command appears to allow the password to be changed for the f5hubblelcdadmin user.

Conditions:
Using the 'modify auth password' command under tmsh, and manually specifying the 'f5hubblelcdadmin' user (which does not appear among the list of available users, such as via tab-completion).

Impact:
This operation appears to succeed, but has no actual effect on BIG-IP operations.
This is an internal user account which provides the context for communication with the lcd front panel display on newer BIG-IP appliances. Changing the stored password for this user account does not affect these operations.

619667-1 : Allow Local DNS Servers is not honored on Mac OS X

Solution Article: K34751151

Component: Access Policy Manager

Symptoms:
In some cases of split tunnel local DNS resolution on client does not work.
Its "emulated" full tunnel mode i.e. split tunnel and IPv4 LAN address space of 0.0.0.0/0.0.0.0 and don't allow local subnet access.

Conditions:
Configure Allow Local DNS Servers is not honored on Mac OS X.
Configure split tunnel and IPv4 LAN address space of 0.0.0.0/0.0.0.0.
Disable local subnet access.
System has only one physical adapter (ethernet or wifi) available for networking.

Impact:
DNS resolution fails for some split tunnel deployment cases.

Workaround:
Specify "*" in DNS included address space to forward all DNS traffic over the tunnel.

619419 : Workaround for Software Installation Failures in TMUI★

Component: TMOS

Symptoms:
A software installation fails for one of several reasons (unsupported software versions, lack of disk space, etc). This failure leaves the software volume in a state where future installations cannot be completed.

Conditions:
Software installation fails.

Impact:
You cannot install software on the failed volume. You will see "Previous installation not complete" message if you attempt to install software on this failed volume.

Workaround:
1. Installation fails.
2. Navigate to System >> Disk Management. Click on HD1 (for example)
3. Under Contained Software Volumes, you can see the reason for failure on the failed volume.
4. Select the failed volume and click Delete. Confirm you want to delete the failed volume.
5. Once the volume is deleted successfully, return to System >> Software Management : Image List
6. Select a valid image and click the Install button.
7. Under Volume Set Name enter a valid name and click the Install button.

619397 : LCD shows error screen on boot or after license expires

Solution Article: K04055706

Component: Device Management

Symptoms:
The LCD on BIG-IP iSeries appliances may display an error screen.

Conditions:
This occurs if the appliance has just finished booting, or if the license has just expired.

Impact:
This may cause an unexpected error and subsequent navigation back to the LCD splash page.

Workaround:
Wait one minute and try to navigate the LCD screens again. If the system has already been licensed and is in the 'Active' state, subsequent attempts should work.

619099 : 'General Database Error' while changing the Admin UI authentication type

Component: Access Policy Manager

Symptoms:
Failed to choose Authentication type from Local to other BIG-IP-supported authentication type.

Conditions:
-- User Directory is Remote - APM Based.
-- Authentication Type is RADIUS, AD, LDAP or TACACS+.
-- All needed information about the AAA Server is specified.

Impact:
GUI error: 'General Database Error'.

Workaround:
None.

618982-1 : IPSEC + chassis behavior for case secondary blades on-off switch.

Component: TMOS

Symptoms:
After cmp_state change (secondary blade restart), some flows will fail

Conditions:
Adding-removing blades causes DAG flow redistribution and redistribution IKE/IPSEC SA's and IPSEC data flows between existing blades. It makes some flows interrupted and IPSEC peer disconnect.

Impact:
Some users may lose their connections and have difficulty restoring them.

Workaround:
None

618889-1 : Clicking the policies list tab does not refresh the policies list on click.

Component: TMOS

Symptoms:
Clicking the policies list tab does not refresh the policies list on click.

Conditions:
This occurs on the policy list page

Impact:
If the policy list changed, the updates will not be displayed.

Workaround:
Refresh the browser or click the menu Local Traffic > Policy List in order to refresh the page

618884-1 : Behavior when using VLAN-Group and STP

Component: Local Traffic Manager

Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.

Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.

Note: This issue is a constraint to soft switched platforms.

Impact:
May not see ICMP response traffic.

Workaround:
None.

618693-3 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP

Component: Application Security Manager

Symptoms:
When generating a web scraping attack of session opening anomaly type, there is an attack start/end event shown in the /var/log/asm and GUI: Security :: Event Logs : Application : Web Scraping Statistics. The event has a "source ip" field which should come along with the route domain. In the case of "session opening anomaly" the route domain is always zero. (For example: 127.0.0.1%0). Even there is a non-zero route domain configured.

Conditions:
Route domain is configured and a web scraping attack event triggers.

Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.

Workaround:
None. This is a cosmetic error. The system uses the correct route domain

618637-1 : Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error

Component: Access Policy Manager

Symptoms:
Sometimes f5fpc cannot establish Network Access connection. Successfully established Network Access connection and subsequent login retries will fail with 'Session timed out' error.

Conditions:
This intermittent issue might occur after there has been a successfully established Network Access connection, and a user retries to login once or multiple times.

Impact:
Network Access cannot be established and 'Session timed out' error is presented to the user.

Workaround:
1) Find all processes with regex f5std, svpn and manually kill them.
2) Restart host OS.

618463-2 : artificial low route mtu can cause SIGSEV core from monitor traffic

Component: Local Traffic Manager

Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low route mtu, tmm can crash repeatedly.

Conditions:
see above

Impact:
Traffic disrupted while tmm restarts.

Workaround:
configure correct MTU

618319-5 : HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked

Solution Article: K58255321

Component: TMOS

Symptoms:
All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.

Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).

If this port is blocked, the devices cannot exchange failover status information.

Impact:
When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and the device become active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.

Workaround:
Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port.

Normally this is done with 'allow-service { default }' if using the default default-list, or an explicit entry can be used with 'allow-service { udp:1026 }'.

618131-1 : Latency for Thales key population to the secondary slot after reboot

Component: Local Traffic Manager

Symptoms:
It may take a significant amount of time for the Thales key to populate from the primary slot to the secondary slot after a reboot. The latency can be a few minutes.

Conditions:
This occurs for Thales netHSM installed on Chassis.

Impact:
The key can't be found at secondary slot and the ssl traffic may fail.

Workaround:
If SSL handshakes fail on secondary blades for newly created Thales keys, you may check secondary blades with

nfkminfo -l

to see if the file is there. If not the file can be synchronized with rfs-sync --U.

618106-1 : bigd core due to memory leak, especially with FQDN nodes

Solution Article: K74714343

Component: Local Traffic Manager

Symptoms:
The bigd daemon may core due to excessive memory consumption caused by a slow memory leak that occurs when creating or updating an LTM node or pool member.

This memory leak occurs much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.

Conditions:
The bigd memory leak occurs slowly with non-FQDN nodes/pool members, but much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.

On BIG-IP v12.1.3.2 and earlier, an additional leak occurs each time an FQDN name is resolved for an FQDN node or pool member. The rate of the leak in this case is determined by the number of FQDN nodes/pool members configured with the 'autopopulate' feature enabled, and the FQDN name resolution interval (determined by the 'interval' setting of the 'fqdn' configuration for the FQDN node).

Impact:
The bigd daemon may core due to excessive memory consumption.

Workaround:
It is possible to work around this issue by one of the following methods:
1. Restart the bigd daemon before memory consumption becomes excessive. (Note that this may interrupt traffic to configured pool members.)

On BIG-IP v12.1.3.2 and earlier:
2. Configure a longer 'interval' value in the 'fqdn' configuration for configured FQDN nodes.
3. Configure FQDN nodes/pool members without the 'autopopulate' setting enabled.

618104-1 : Connection Using TCP::collect iRule May Not Close

Component: Local Traffic Manager

Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.

Conditions:
A finite TCP::collect iRule is in progress.

This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.

Impact:
The connection does not close until the sweeper causes a RST.

Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.

617643-1 : iControl.ForceSessions enabled results in GUI error on certain pages

Component: TMOS

Symptoms:
GUI pages display "An error has occurred while trying to process your request."

Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.

Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.

Workaround:
Use shell for related administrative tasks or if feature is not used, disable with the following command:

tmsh# modify sys db icontrol.forcesessions value disable

617629-1 : Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab

Component: Access Policy Manager

Symptoms:
If you click on the "export csv" button and then switch to another report, the same csv file will be download again when you click on the tab of another report.

Conditions:
Creating multiple reports in Access Report page and clicking on the "export csv" button in one report.

Impact:
Same file will be downloaded repeatedly.

Workaround:
Refresh the page before switching to another report.

617578-2 : Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware

Component: TMOS

Symptoms:
On a BIG-IP provisioned with LTM only, the radius profile called radiusLB-subscriber-aware displays inconsistent information between tmsh and configuration utility

Conditions:
This occurs when looking at the radiusLB-subscriber-aware profile in both tmsh and the GUI.

Impact:
On a device that does not have PEM licensed:
root@(v12)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm profile radius radiusLB-subscriber-aware
ltm profile radius radiusLB-subscriber-aware {
app-service none
defaults-from radiusLB
}

However, viewing the profile in the configuration utility Local Traffic :: Profiles : Services : RADIUS : radiusLB-subscriber-aware
Settings field Custom checkbox
Persist Attribute disabled
Subscriber Discovery enabled
Client Spec disabled
Protocol Profile(_sys_radius_proto_imsi) enabled

On a device which does not PEM licensed, the Protocol profile should be set to None but shows as enabled.

617324-2 : Service health calculation creates unjustified CPU utilization

Component: Anomaly Detection Services

Symptoms:
When ASM provisioned service health is calculated and published to all VSs with security profile, even if stress-based detection is not configured

Conditions:
AFM provisioned and configured hundreds of VSs with security profile

Impact:
High CPU utilization

Workaround:
No

617161-1 : Cosmetic: duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers.

Component: TMOS

Symptoms:
There is a cosmetic issue that results in duplicated partition names in the "Resource Management" window when assigning iRules to Virtual Servers (in Local Traffic ›› Virtual Servers : Virtual Server List ›› Virtual_Server_name).

Conditions:
1) Go to Local Traffic :: Virtual Servers : Virtual Server List :: Virtual_Server_name --: Resources --: Manage iRules).
2) Move any 2 available iRules (created in Common partition) left to the "Enabled" column.
3) Select the bottom iRule from the "Enabled" column and click the "Up" button.
4) Add an additional iRule (created in Common partition) to the "Enabled" column.

Impact:
Instead of showing all iRules under one partition name (Common), the system is duplicating the partition name.

Workaround:
None. This is cosmetic.

616021-1 : Name Validation missing for some GTM objects

Solution Article: K93089152

Component: Performance

Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, the BIG-IP system fails to load GTM configurations where objects containing control characters are referenced by other objects.

The following GTM objects are susceptible to this control character issue:

gtm datacenter
gtm prober-pool
gtm device
gtm application
gtm region entry
gtm virtual server
gtm server
gtm link
gtm pool

Conditions:
-- A GTM object with a control character in the name.
-- That object is referenced by another object.

Reproduction example:

create gtm datacenter "start^Mend"
create gtm server test datacenter "start^Mend" address add { 1.2.3.4 }
save sys config gtm-only
load sys config gtm-only

Impact:
Causes the config to fail to load.

Workaround:
Remove control characters prior to creating GTM objects.

615303-2 : bigd crash with Tcl monitors

Solution Article: K47381511

Component: Local Traffic Manager

Symptoms:
bigd crashes after logging an error similar to the following:

emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream

Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.

-- This issue might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.

-- May be particularly likely if the monitor is configured with an interval value of 1 second.

Note: Although less frequent, this issue might still occur with proper monitor configurations (timeout: 3*interval + 1).

Impact:
bigd crashes and error messages.

Possible interruption of monitoring status, pool members going down, interruption of traffic.

Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.

615097-1 : Incorrect use of HTTP::collect leads to TMM core.

Component: Local Traffic Manager

Symptoms:
Incorrect use of HTTP::collect leads to TMM hang. Watchdog kills TMM on timeout leading to core.

Conditions:
If the iRule requests non-incremental HTTP::collect or amount greater than content-length when the whole-body has already been received, then this leads to TMM hang.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add an HTTP::release after the HTTP::payload instruction;
Or
Use incremental HTTP::collect commands.

614493-1 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.

Component: TMOS

Symptoms:
Reset sent by BIG-IP system on ePVA accelerated active flows might contain stale sequence number and ACK number, which might be out of the receiver's valid RST window.

Conditions:
For example, server side pool member down events lead to BIG-IP reset of all client flows on the pool member. If these flows are actively offloaded in ePVA with heavy traffic at the time of pool member down and reset sending out time, the SEQ/ACK number for the sending RST by BIG-IP SW might not be recent, and therefore a RST with most SW aware SEQ/ACK will be encoded.

Impact:
These RST might be ignored by the receiver if it is out of the valid window. The receiver must rely on the idle or alive timeout to clean this up. Although the receiver must rely on its TCP alive or idle timeout to activate in order to clean up these connections, this is the standard TCP stack behavior.

Workaround:
None.

614410-3 : Unexpected handling of TCP timestamps in HA configuration

Component: Local Traffic Manager

Symptoms:
Despite TCP timestamps being configured, the BIG-IP system fails to present timestamp option during TCP negotiation.

The BIG-IP system calculates invalid round trip time which might result in delayed retransmission.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- Virtual server configured with connection mirroring.

Impact:
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

614364-1 : Linux client NA components cannot be installed neither using sudo password nor root password

Component: Access Policy Manager

Symptoms:
Linux client Network Access components cannot be installed neither using sudo password nor root password on firefox browser. Issue occurs because version reported is incorrect and post installation version on the machine still doesn't match with version reported by the server.

Conditions:
Firefox web browser, NPAPI plugins, Network Access on Linux distributions

Impact:
Installation and update of web browser plugin for network access fails

614072-1 : Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.

Component: Access Policy Manager

Symptoms:
All SWG session maps to SNAT pool IP and many requests will get stuck.

Conditions:
SWG virtual with Source Address Translation to SNAT pool, create session and send traffic for expired session

Impact:
Request will get stuck in ACCESS filter and browser will keep looping..

Workaround:
Change source address translation to AUTOMAP instead of SNAT Pool.

613844 : iApp may fail to install if AFM is provisioned

Component: Advanced Firewall Manager

Symptoms:
When you try to deploy the f5.microsoft_sharepoint_2016.v1.0.0rc1 iApp from the GUI, the install may fail when AFM is provisioned. A similar error occurs when deploying f5.http iApp. The failure to deploy might not be related to a specific iApp.

Conditions:
-- AFM provisioned.
-- Using the GUI to deploy the iApp, f5.microsoft_sharepoint_2016.v1.0.0rc1, f5.http, and others.

Impact:
Deployment fails.

Workaround:
None.

613618-1 : The TMM crashes in the websso plugin.

Component: Local Traffic Manager

Symptoms:
The TMM core and plugins operate asynchronously. A connection may abort and the TMM may deallocate connection context before the plugin has finished processing asynchronous events. The TMM crashes when a plugin accesses deallocated connection context.

Conditions:
Events raised during normal use of the sessiondb store may be processed after the connection context has been deallocated.

Impact:
Traffic disrupted while tmm restarts.

613542-2 : tmm core while running the iRule STATS:: command

Solution Article: K81463390

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED

613509-1 : 2000/4000 platforms reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve

Solution Article: K49101035

Component: TMOS

Symptoms:
The BIG-IP system attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are running on a BIG-IP 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.

Impact:
Traffic throughput may be degraded.

Workaround:
Set source-port to change.

613483-2 : Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.

Solution Article: K18133264

Component: Local Traffic Manager

Symptoms:
For PKCS#1, the SHA256 header should be:
30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20.

However, there might also be this alternate header:
30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20,

Some implementation use the alternate. According to PKCS#1, the first one is used when producing signature, but both should be accepted when verifying signatures.

In BIG-IP, SSL uses the 1st header: 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20, whereas crypto uses the 2nd header format for some cert verification: 30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20, which causes the inconsistent and signature verification fail.

Conditions:
For some particular certificates, crypto uses alternative SHA prefix for verification.

Impact:
SSL handshake fails because of certificate verification failure.

Workaround:
None.

613476-2 : IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion

Component: TMOS

Symptoms:
The IKEv1 racoon daemon can crash and restart when a v1 ike-peer is removed entirely from the config, or simply changed from v1 to v2.

Conditions:
When you remove an ike-peer whose version is v1, including any change from version v1 to v2 (since this has the effect of changing who handles that peer from the racoon daemon to tmm).

Impact:
IKEv1 racoon daemon restart that causes tunnel outage until re-established by future traffic.

Workaround:
None.

612584-1 : Server side blocking/asm cookie setting may not work under some circumstances

Solution Article: K34500121

Component: Application Security Manager

Symptoms:
ASM Cookies are not set, blocking doesn't happen due to server side violation (such as HTTP status or attack signature in response), or data guard masking/blocking doesn't happen.

Conditions:
CSRF or web scraping is configured.

Impact:
False negative - missing blocking.
False positives due to possible missing cookies.

Workaround:
Add the following iRule to the web server:

when HTTP_REQUEST {
  if { [HTTP::uri] contains "TSbd"} {
    HTTP::header remove "Connection"
    HTTP::header insert "connection" "close"
  }
}

612143-2 : Potential tmm core when two connections add the same persistence record simultaneously.

Component: Service Provider

Symptoms:
If two messages processed on different connections with the same persistence key add a persistence record at the same time, one add operation is returned a non-fatal error, stating the 'a' record exists. The error might cause the message to be sent to both the destination and the originator, which fails.

Conditions:
Two messages processed on different connections with the same persistence key add a persistence record at the same time.

Impact:
A potential core occurs. The error might cause the message to be sent to both the destination and the originator, which fails. Traffic disrupted while tmm restarts.

Workaround:
None.

612086-3 : Virtual server CPU stats can be above 100%

Solution Article: K32857340

Component: Advanced Firewall Manager

Symptoms:
The CPU usage is reported as above 100%.

Conditions:
It is not known exactly what triggers this.

Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.

Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.

612083 : Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.

Component: TMOS

Symptoms:
One or more of the following messages appear in the system event log:

CPU0 HW Correctable Error
CPU 0 Corrected Error: Port 1a PCIe* logical port has detected an error.
CPU 0 PCI/DMI Error B:D:F 0x8: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x8: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: multiple_correctable_error_received
CPU 0 Corrected Error: DMI Error Status
CPU 0 PCI/DMI Error B:D:F 0x0: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x0: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: multiple_correctable_error_received

Conditions:
The error messages may appear following an AC power cycle of the BIG-IP i-Series platforms: i2000, i2800 and i4000.

Impact:
The system detected an error on an internal bus and was able to correct it. There is no data loss or functional impact.

Workaround:
There is no mitigation or workaround for this.

611652-3 : iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.

Component: Local Traffic Manager

Symptoms:
While saving an iRule containing HTTP::cookie without the value parameter, you get a validation warning: 'warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. 'unexpected end of arguments;expected argument spec:COOKIE_NAME"160 25][HTTP::cookie $cookie_name]'.

The offending iRule command looks similar to this:
[HTTP::cookie $cookie_name]

Conditions:
iRules containing HTTP::cookie, but missing the optional value parameter, e.g. [HTTP::cookie $cookie_name].

Impact:
Validation warning incorrectly occurs if the optional 'value' parameter is left off. Note that the iRule is still loaded into the configuration.

Workaround:
Use the 'value' parameter in the HTTP::cookie command:
[HTTP::cookie value $cookie_name].

611485-1 : APM AAA RADIUS server address cannot be a multicast IPv6 address.★

Component: Access Policy Manager

Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation will prevent using a multicast address for AAA radius IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.

Conditions:
The validation error occurs if APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and beyond.

Impact:
Support for AAA RADIUS direct IPV6 is added in BIG-IP version 13.0.0. And the new validation affects only IPv6 multicast address. So any working IPv4 configuration will not be affected by this validation.

Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS, ensure you are using unicast addresses.

611482-4 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .

Component: Local Traffic Manager

Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).

Conditions:
Universal persistence is configured. A loop of HTTP request is sent to tmm which doesn't own the record. Persistence lookup is performed, but finally the pool command is used for load-balancing pick.

Impact:
Discrepancy between persistence records.

Workaround:
Use persist, not pool command, to bind persistence record to a flow.

611327-1 : Using an established app tunnel may display a Java exception error message.

Solution Article: K35559723

Component: Access Policy Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

When users attempt to use the established access session app tunnel, their Mac OS X device displays a Java exception error message similar to the following example:

An uncaught exception was raised. Choose "Continue" to continue running in an inconsistent state. Choose "Crash" to halt the application and file a bug with Crash Reporter. Choosing "Crash" will result in the loss of all unsaved data.

When the user selects Continue, the exception error message is immediately displayed again (loop).

When the user selects Crash, the established app tunnel is terminated.

Though the Java exception error message is displayed, the app tunnel functions as expected.

Conditions:
This issue occurs when all of the following conditions are met:

-- The local user device is running Mac OS X 10.12 (Sierra).
-- The BIG-IP APM system is configured with an app tunnel that is Java Tunnel-enabled.
-- The user established an access session using the Safari 10 web browser.
-- The user launches an app tunnel session.
-- The user attempts to use the established app tunnel.

Impact:
Cannot use Safari 10 web browser for an app tunnel that is Java Tunnel-enabled.

Workaround:
To work around this issue, you can use an alternate browser, or Apple Safari browser, or ignore the system generated error message while using the app tunnel.

611054-1 : Network failover "enable" setting is sometimes ignored on chassis systems

Component: TMOS

Symptoms:
The failover device group network-failover attribute has an effect on chassis systems. The high availability subsystem will continue to send network failover packets, and continue to operate normally, even if this is set to "disable".

Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.

Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.

Workaround:
Enable network-failover in the sync-failover device-group.

610682-2 : LTM Policy action to reset connection only works for requests

Component: Local Traffic Manager

Symptoms:
The LTM Policy forwarding action 'reset', which forcibly terminates the client connection, works for requests, but gives an error when used with a response event.

Conditions:
Issue occurs in an LTM Policy rule where one or more of the conditions is associated with HTTP response, for example, checking the HTTP status code in the response from a backend server.

Impact:
LTM Policy action does not work. System posts error message similar to the following: transaction failed:010716e2:3: Policy '/Common/Drafts/mypolicy', rule 'rule-1'; an action precedes its conditions.

Workaround:
None.

610449-2 : restarting mcpd on guest makes block-device-images disappear

Component: TMOS

Symptoms:
tmsh list sys software block-device-images typically shows available BIG-IP images saved on the platform which are available for install via tmsh install sys software ...

When running BIG-IP on a vcmp guest, GuestAgentDaemon is responsible for fetching from the host these available images and displaying them to the user.

When mcpd goes down, GuestAgentDaemon loses the connection required to fetch and display this information.

If mcpd has gone down since GuestAgentDaemon came up, running "(tmos)# show sys software block-device-image" a second time will no longer display the BIG-IP images available for install.

Restarting GuestAgentDaemon when mcpd restart ensures that GuestAgentDaemon will reestablish the required connection. With this fix, GuestAgentDaemon will restart only in response to mcpd going down and subsequently coming back up. Once both daemons are up and running again, the command '(tmos)# list sys software block-device-image' will again function as designed.

Conditions:
vCMP is provisioned to level dedicated.
One or more guests is provisioned and deployed.
The user is operating inside a deployed guest.
The user attempts to use a block-device-image,
but mcpd has restarted since GuestAgentDaemon began execution.
No block-device-images are shown by GuestAgentDaemon

Impact:
tmsh list sys software block-device-images returns nothing from inside the guest.

Workaround:
Restart GuestAgentDaemon in response to mcpd successfully restarting.

610436-3 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.

Solution Article: K13222132

Component: Access Policy Manager

Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service, when two adapters have the same DNS Server address on Microsoft Windows version 10.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM configuration uses a network access profile.
-- The user device is running Windows 10 and is connected to two networks through two network interfaces.
-- The Windows user has installed the BIG-IP Edge Client that includes the DNS Relay Proxy Service.
-- Prior to establishing an access session, the lower index network interface of the Windows device is disconnected.
-- The Windows user establishes an access session using BIG-IP Edge Client.
-- The Windows device's lower index network interface is reconnected.
-- The Windows user attempts a DNS resolution.

Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.

Workaround:
To work around this issue, add the following registry key:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient with DWORD EnableMultiHomedRouteConflicts set to 0.

This reverts the Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy creates listeners on loopback for incoming requests, and the driver redirects DNS requests to the listener on the loopback.

Important: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.

For step-by-step instructions for adding this registry key, see K13222132: The DNS Relay Proxy Service may fail to resolve DNS requests :: https://support.f5.com/csp/article/K13222132.

609200-2 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★

Component: TMOS

Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.

Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt install a hotfix to the installation target.

Impact:
Cannot install hotfix.

Workaround:
Delete the target location, and perform the hotfix installation again.

Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.

609186-5 : TMM or MCP might core while getting connections via iControl.

Component: TMOS

Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.

Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.

Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.

Workaround:
None.

608453-1 : Shrink/Expand imgs of Webtop Section is customizable

Component: Access Policy Manager

Symptoms:
Changing images for Shrink/Expand of Webtop Section in Webtop Customization does not actually change images on client; users see default images instead

Conditions:
This is encountered when using Webtop Customization.

Impact:
The default image is displayed instead of the customized image.

Workaround:
None.

608348-4 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system

Component: TMOS

Symptoms:
After deleting an iApp build from the f5.citrix_vdi.v2.3.0 template then running a config sync, the system that received the sync could have a tunnel object left over which should have been deleted.

Running 'tmsh load sys config verify' after this sync would give the following error.
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.

Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.

Impact:
Config validation fails, and you must delete the tunnel manually.

Workaround:
On the system that received the sync, edit /config/BIG-IP_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect

607684 : tmsh provides option to delete all URLs from a custom category, which is not possible

Component: Access Policy Manager

Symptoms:
tmsh provides a command option for admin to delete all URLs from a custom category. However, this is not a valid option, and an error will be displayed. The system presents the following error:
Configuration error: Cannot delete url (http://www.example.com*). This occurs because because url-category (/Common/ex) is a custom category. A custom category must have at least one URL.

Conditions:
Running the following command:
tmsh modify sys url-db url-category pattern urls delete { all }

Impact:
No URLs are deleted. Each URL must be deleted individually.

Workaround:
Delete URLs individually.

607410-1 : In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible

Solution Article: K81239824

Component: Local Traffic Manager

Symptoms:
When using an iRule to output X509 Certificate's subject and issuer, the display is not OpenSSL compatible.

Conditions:
Using iRule command 'X509::subject' and 'X509::issuer' to get the Cert's subject and issuer, and then using log to display them.

Impact:
The iRule output of X509 Certificate's subject and issuer is not OpenSSL compatible which might cause confusion.

Workaround:
None.

607166-1 : Hidden directories and files are not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.

Existing hidden files that are edited on the primary blade are not synced to secondaries.

Conditions:
Multi-bladed system.

Impact:
The most common uses of hidden files are per-user shell configuration and history.

Workaround:
Manually copy configuration files onto other blades.

606799-1 : GUI total number of records not correctly initialized with search string on several pages.

Solution Article: K16703796

Component: TMOS

Symptoms:
GUI total number of records not correctly initialized with search string on several pages.

Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.

Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.

Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.

606330-4 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.

Component: TMOS

Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.

Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.

Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.

Workaround:
Clear the BGP neighbor after changing the configuration.

606035-1 : csyncd crash

Component: Local Traffic Manager

Symptoms:
csyncd crashes and dumps core under certain conditions. You might see messages such as the following: emerg logger: Re-starting csyncd.

Conditions:
csyncd handles filenames that contain certain exotic characters or symbols, or files with very long filenames.

Impact:
csyncd will crash and dump core. csyncd retarts continuously.

Workaround:
None.

606032-2 : Network Failover-based HA in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.

Impact:
Configuration of HA in AWS cannot be completed.

Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.

605891-1 : Enable ASM option disappears from L7 policy actions

Component: TMOS

Symptoms:
ASM cannot be enabled if 'Application Security Manager' is used in the license string instead of 'ASM'.

Conditions:
'Application Security Manager' is used in the license string instead of 'ASM'.

Impact:
The ASM module cannot be enabled using the GUI under certain licenses where ASM is licensed.

Workaround:
Enable ASM using tmsh instead of the GUI.

605840-5 : HSB receive failure lockup due to unreceived loopback packets

Component: TMOS

Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***

Conditions:
Unknown.

Impact:
The unit is rebooted.

Workaround:
None.

605800-3 : Web GUI submits changes to multiple pool members as separate transactions

Component: TMOS

Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.

Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.

Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.

Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.

605649-3 : The cbrd daemon runs at 100% CPU utilization

Solution Article: K28782793

Component: Application Security Manager

Symptoms:
The cbrd daemon runs at 100% CPU utilization.

You may notice this issue while inspecting:

- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.

Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.

Conditions:
This is a rarely occurring event whose cause is not known.

Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).

Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd

As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.

605175-1 : Backslashes in monitor send and receive strings

Component: Local Traffic Manager

Symptoms:
After creating a monitor using the GUI containing a recv parameter with a backslash such as '\* OK', loading the configuration generates a validation error:

01070753:3: Monitor /Common/test recv parameter contains an invalid regular expression (Invalid preceding regular expression).
Unexpected Error: Loading configuration process failed.

Attempting to configure the same monitor via tmsh throws the validation error before creating the monitor, but the GUI allows the single backslash. Two backslashes are required in this case.

Conditions:
Using the GUI to configure a monitor, whose receive string needs to look for a backslash, and only a single backslash is entered in the GUI.

Impact:
Configuration fails to load after it is successfully created via the GUI. The GUI accepts this when it should throw a validation error: two backslashes are required.

Workaround:
When configuring the monitor via the GUI, use two backslashes instead of one.

605147-1 : No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.

Component: Local Traffic Manager

Symptoms:
New connections made when a BIG-IP flow is in TCP TIME-WAIT state are not mirrored. New TCP flows after high availability (HA) reconnections may not be mirrored correctly.

Conditions:
This occurs when a TCP profile is used, along with one of the following:
-- A BIG-IP flow is in TCP TIME-WAIT state.
-- HA connection is reestablished and a mirrored BIG-IP flow has lost some packets.

Impact:
The connections affected are not mirrored.

Workaround:
Disable TIME-WAIT for the TCP profile.

605018-2 : Citrix StoreFront integration mode with pass through authentication fails for browser access

Solution Article: K47516511

Component: Access Policy Manager

Symptoms:
Citrix StoreFront integration mode with pass through authentication fails for browser access. After providing the credentials, browser access continuously asks for 'Can not complete the request', press 'OK'.

Conditions:
This occurs when the following conditions are met:
- APM is configured in integration mode with StoreFront.
- External access virtual server IP is used in Citrix gateway configuration 'Subnet IP address' column.
- (Request Header Insert) :: [X-Citrix-Via-Vip:10.10.10.10], 10.10.10.10 is the virtual server IP address. Request Header Insert is configured on the HTTP profile of the same virtual server.

Impact:
No browser access to StoreFront.

Workaround:
StoreFront combines multiple headers of the same name and cannot use the resulting value. You can workaround this issue by stripping multiple headers of type x-citrix-via-vip.
Make 10.10.10.10 the corresponding External access virtual IP address.

when HTTP_REQUEST {
   if { [HTTP::header count "X-Citrix-Via-Vip"] >= 2 } {
        HTTP::header remove "X-Citrix-Via-Vip"
        HTTP::header insert "X-Citrix-Via-Vip" "10.10.10.10"
    }
}

604050 : Failed to get master key (ERR_NOT_FOUND) in apm log on first boot

Component: Access Policy Manager

Symptoms:
After booting a new platform for the first time, you may see the following log entry in /var/log/apm:
err tmm1[17340]: 01490563:3: (null):Common:00000000: Access stats encountered error: Failed to get master key (ERR_NOT_FOUND)

Conditions:
Viewing /var/log/ltm after first boot

Impact:
This is a residual log entry and is benign and can be safely ignored

603772-1 : Floating tunnels with names more than 15 characters may cause issues during config-sync.

Component: TMOS

Symptoms:
Floating tunnels with names more than 15 characters may cause issues in config-sync, because such a long name is truncated when creating a corresponding Linux tunnel interface.

Conditions:
The BIG-IP system consists of both floating and non-floating tunnels and their names are longer than 15 characters.

Impact:
When the config-sync happens, the following error may occur:

Caught configuration exception (0), Cannot create tunnel 'g123456789abc~1' in rd0 - ioctl failed: File exists.

Workaround:
Some workarounds are available:

- Make sure that tunnel names are less than 16 characters; or

- Make sure that the names of floating and non-floating tunnels do not share a common prefix in the first 15 characters; or

- Make sure that the BIG-IP system does not have a mixture of floating and non-floating tunnels.

603690-2 : CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.

Solution Article: K82210057

Component: Local Traffic Manager

Symptoms:
CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.

Conditions:
APM Edge Client over VPN tunnel. The issue tends to occur when CPR Saver is configured on the Edge Client on devices where hardware compression cannot perform the specific type of compression/decompression being requested.

Impact:
Edge Client shows the VPN tunnel as 'Connected' but no traffic flow. This is an intermittent issue.

Workaround:
You can use either of the following workarounds:

-- Enable CPU Saver in the secure connectivity profile.
  + To do so in the GUI:
    1. Navigate to GUI: Access Policy :: Secure Connectivity :: profile_name :: Compression Settings :: Network Access.
    2. Check the CPU Saver checkbox.

  + To do so in tmsh, run the following command:
tmsh modify apm profile connectivity dummy compress-cpu-saver true

-- Configure compression strategy to 'speed' (from 'latency'). To do so, run the following command:
tmsh modify sys db compression.strategy value "speed".

603380-6 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.

Impact:
You will see messages similar to the following in /var/log/ltm.

err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort

Workaround:
None.

603093 : AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system

Component: TMOS

Symptoms:
The BIG-IP i-Series platform (i2600, i2800, i4600, i4800) 250W AC power supply PWR-0334-01 and PWR-0334-02 will show differences in their LED behavior when hot swap or hot plug or whenever power is removed from the supply. This includes redundant systems and systems with a single supply.

Conditions:
PWR-0334-01
When the input ramps below 80Vac, the input LED Green Blinking, output LED Amber Blinking.
When the input ramps below 72VAC, the input LED OFF, output LED Amber Blinking.
If the AC cord is removed with 1 or 2 supplies in the system the input LED OFF, output OFF.

PWR-0334-02
When the input ramps below 75VAC + 1VAC, the input LED Green Blinking, output LED Amber Blinking
When the input ramps below 70VAC + 1VAC, the input LED OFF, output LED OFF immediately

Impact:
LED behavior may be inconsistent between revisions of power supply on early platform shipments with PWR-0334-02

Workaround:
N/A

603092-5 : "displayservicenames" does not apply to show ltm pool members

Component: TMOS

Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.

Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.

Impact:
The the IP address but not the service name is displayed.

602708-2 : Traffic may not passthrough CoS by default

Solution Article: K84837413

Component: Local Traffic Manager

Symptoms:
Traffic being forwarded by TMM may not passthrough the Class of Service (CoS) received.

Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.

Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.

Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.

602566-5 : sod daemon may crash during start-up

Component: TMOS

Symptoms:
sod daemon produces core file during start-up

Conditions:
sod encounters an error during start-up and attempts to recover.

Impact:
sod restarts

602390-2 : Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Solution Article: K87506901

Component: TMOS

Symptoms:
Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Conditions:
Customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Impact:
Can use only English language characters to customize these fields.

Workaround:
None.

602193-4 : iControl REST call to get certificate fails if

Component: TMOS

Symptoms:
While using the iControl REST API, a call to /mgmt/tm/sys/crypto/cert results in a 400 or 500 error. The call to /mgmt/tm/sys/crypto/key works.

Conditions:
This can occur if any of the certificates contain non utf-8 characters.

Impact:
iControl REST API call will fail.

Workaround:
If possible, generate the certificate to only contain utf-8 characters.

601414-5 : Combined use of session and table irule commands can result in intermittent session lookup failures

Component: TMOS

Symptoms:
[session lookup] commands do not return the expected result.

Conditions:
An iRule which combines use of [table] and [session lookup] commands.

Impact:
Intermittent session functionality.

Workaround:
If possible, use table commands in lieu of session commands.

601189-2 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.

Conditions:
-- Fastl4 VS.
-- syncookie mode.

Impact:
TCP packet are sent out of order.

Workaround:
None.

600944-1 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common' and run bash then run 'ip route', the routing table from the partition is displayed, not /Common

Conditions:
Attempting to see the route table from the /Common partition after leaving another parition

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.

600872-1 : Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.

Component: Access Policy Manager

Symptoms:
APM end user sessions start successfully, but end within a few minutes and they are forced to logon again.

The default timeout is 900 seconds.

Conditions:
- An HTTP/2-capable browser is in use on a Microsoft Windows platform.
- APM and HTTP/2 are enabled on the same virtual server.

Impact:
APM sessions time out at the configured inactivity timeout (default is 900 seconds) regardless of activity, and APM end users must restart their sessions.

Workaround:
Remove HTTP/2 profile from the affected virtual server.

600732-2 : IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description

Component: TMOS

Symptoms:
The IKEv1 racoon daemon can crash when a security association (SA) is deleted (which can be done either explicitly on the command line, or indirectly by changing the ike-peer definition in config via tmsh). Usually this crash also requires that the ike-peer be altered or removed at the same time.

Note: Merely altering a v1 ike-peer causes the racoon daemon to first delete the old ike-peer, and then add a new one. So 'modify' effectively means 'delete' in this bug context.

Conditions:
When a v1 ike-peer is changed in any way while the racoon daemon actually has a valid security association in current use.

Impact:
IKEv1 racoon daemon restarts, and then tunnel outage until new SAs are negotiated.

Workaround:
No workaround is known at this time.

600634-2 : Schedule-reports can break the upgrade process★

Component: Application Visibility and Reporting

Symptoms:
A scheduled report (of predefined type) that is created via GUI can cause validation error on upgrade and thus might cause the upgrade process to fail. You may see this error in /var/log/ltm:

Syntax Error:(/config/bigip.conf at line: 86) "predefined-report-name" may not be specified with "multi-leveled-report.time-diff"

Conditions:
Creating predefined-scheduled-report from GUI

Impact:
Upgrade process can fail

Workaround:
If the config load fails, you can get the configuration to load by manually removing the scheduled report(s).

Impact of mitigation: this will remove scheduled reports from the configuration.

Edit bigip.conf, and look for analytics objects that have the scheduled-report in the declaration:
analytics application-security scheduled-report /Common/... {

Remove the object and the configuration will load.

600431-6 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP

Component: Service Provider

Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'

Conditions:
iRule that extracts ip address from a diameter avp.

Impact:
The iRule ends with an error.

Workaround:
Instead of
set data [DIAMETER::avp data get 257 ip4]

use an iRule such as

if { [DIAMETER::avp count 257] > 0 } {
        set data [DIAMETER::avp data get 257]
       binary scan $data S family
        switch $family {
            1 {
                # ipv4 should contains 4 bytes
                set ip [IP::addr parse -ipv4 $data 2]
                log local0. "ip = $ip"
            }
            2 {
                # ipv6 should contains 16 bytes
                set ip [IP::addr parse -ipv6 $data 2]
                log local0. "ip = $ip"
            }
            default {
                log local0.alert "address family $family is not supported"
            }
        }
    }

600385-1 : BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout

Solution Article: K43295141

Component: Local Traffic Manager

Symptoms:
When configuring BIG-IP LTM and BIG-IP DNS monitors, administrators can set the interval value be larger than the timeout value.

Conditions:
Setting interval value to be larger than the timeout value.

Impact:
The misconfigured monitor setting might result in unexpected monitor behavior.

Workaround:
Set the interval value lower than the timeout value.

599567 : APM assumes snat automap, does not use snat pool

Component: Local Traffic Manager

Symptoms:
With a virtual configured to use a snat pool is also associated with APM (for example when configured as a RDP gateway), the snat pool setting is not honored.
Also snat configuration of "None" does not work. It always works as if it is configured with Automap

Conditions:
Snat pool configured, APM configured (one example is deploying Horizon View iApp for ApM).

Impact:
The VLAN Self IP address is used instead of the snat pool addresses.

599543-3 : Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile

Component: TMOS

Symptoms:
When PKCS#12 cert and key are in use by SSL profiles, importing key/cert fails with the below error message:

Import Failed: Exception caught in Management::urn:iControl:Management/KeyCertificate::pkcs12_import_from_file_v2()
0107160f:3: Profile /Common/z-cssl's SSL forward proxy CA key and certificate do not match

Conditions:
1. When the cert and key are in the PKCS#12 format.
2. When the cert and key are in use by SSL profiles.

Impact:
When PKCS#12 cert and key are in use by SSL profiles, they can not be directly updated (overwritten) using key/cert import.

Workaround:
Use tmsh to install the PKCS#12 key. For example, suppose the key/cert to be replaced is called orig.key and orig.crt, it can be overwritten using the below command:

tmsh install sys crypto pkcs12 orig from-local-file /shared/eee.pfx

599048-1 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option

Component: Local Traffic Manager

Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.

Conditions:
Use of the OCSP Stapling feature.

Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.

Workaround:
None

598707-4 : Path MTU does not work in self-IP flows

Component: Local Traffic Manager

Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.

Conditions:
Network flows initiated by the Self IP address (in this case it was encountered while running Update Check)

Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.

598650-1 : apache-ssl-cert objects do not support certificate bundles

Component: TMOS

Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.

Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.

598289-4 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>

Component: TMOS

Symptoms:
In TMSH, when trying to add a pool member that has name in the format of <ipv4>:<number>:<service port>, TMSH gives an error. It also corrupts bigip.conf.

Conditions:
-- Use TM Shell to load configuration.
-- ltm pools have members that have names in the format of <ipv4>:<number>:<service port>

Impact:
TMSH fails to load system configuration file

Workaround:
None.

598204-3 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Solution Article: K54284420

Component: Local Traffic Manager

Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.

Impact:
A TCP virtual server might use bigger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.

Workaround:
None.

597899-1 : Disabling all pool members may not be reflected in Virtual Server status

Solution Article: K86025623

Component: Local Traffic Manager

Symptoms:
When all pool members are set to session-disable, the expectation is that persistent connections will be drained, and the Virtual Server should not accept new incoming connections.
- Simply disabling (not forcing down) a node does not bubble up to Pool status, because it switches from Green-Enabled to Green-Disabled (staying green is seen as a non-change).
- Since the Pool enabled/disabled state is not updated, this does not bubble up to the Virtual Server, which also stays Green-Enabled.

Conditions:
-- All pool members are set to session-disable.
-- Persistent connections existing on the associated Virtual Server.
-- New connections to associated Virtual Server.
-- Viewing Virtual Server status.

Impact:
Disabling all members of a Pool may not be reflected in Virtual Server status, indicating it is Green-Enabled when in fact it has been disabled indirectly by disabling all members of the related pool.

Workaround:
N/A

597818-2 : Unable to configure IPsec NAT-T to "force"

Component: TMOS

Symptoms:
When configuring IPsec NAT traversal to "Force", the behavior is as if the setting is "Off".

Conditions:
Configuring IPsec NAT Traversal to Force

Impact:
NAT-T does not work

Workaround:
Configure NAT-T to On instead.

597564-3 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items

Component: TMOS

Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user is manually editing the bigip.conf file, and they remove the 'app-service' statement from a virtual server, 'tmsh load sys config' will not fail to load the config, which is incorrect.

Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.

Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:

May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.

Workaround:
Exercise caution when manually editing BIG-IP configuration files.

597253-1 : HTTP::respond tcl command may incorrectly identify parameters as ifiles

Component: Local Traffic Manager

Symptoms:
The HTTP::respond iRule command may incorrectly identify parameters as an iFile parameter when attaching the iRule to a Virtual Server.

Conditions:
HTTP::respond command making use of a variable as a header name. For instance:

HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"

Configure a HTTP/TCP virtual server and attach the iRule.

Impact:
1070151:3: Rule [/Common/example_rule] error: Unable to find ifile (header_value_text) referenced at line 3: [HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"]

Workaround:
Ensure the offending header name and value are either both literal strings or variables.

596826-5 : Don't set the mirroring address to a floating self IP address

Component: TMOS

Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address

It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.

Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.

Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".

Workaround:
Change the mirroring address to a non floating self IP address. The GUI will only present non floating self IP addresses.

For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478

596815-1 : System DNS nameserver and search order configuration does not always sync to peers

Component: TMOS

Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync if modified in the GUI or tmsh modify sys db.

Conditions:
The device is in a failover device group with incremental sync turned on.

In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.

In tmsh, tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search)

Impact:
Modifications will not change the sync status nor sync the change to peers.

Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.

Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.

596278 : ILX workspace created by iApp made from template not deleted when iApp deleted

Component: Local Traffic Manager

Symptoms:
Any ILX workspace created by an iApp from a template (and possibly otherwise) remains even after the iApp is deleted.

You can check for them under tmsh's ltm/ilx/workspace, on the file system in /var/ilx/workspaces, or in the GUI at Local Traffic :: iRules : LX Workspace.

Conditions:
This occurs when using iApps which create ILX workspaces.

Impact:
Configuration which was supposed to be deleted stays on the box.

Workaround:
Delete the left over workspace manually.

596020-3 : Devices in a device-group may report out-of-sync after one of the devices is rebooted

Component: TMOS

Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.

As a result of this issue, you may encounter the following symptoms:

- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.

Conditions:
This issue occurs when all of the following conditions are met:

- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On a device (the config-sync originator, you modify the configuration, triggering the devices to become out of synchronization.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.

Impact:
After the reboot, the devices report out-of-sync.

Note: This issue is purely cosmetic; no configuration is lost as result of this issue.

Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.

Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.

595921-1 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Component: Local Traffic Manager

Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.

Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.

Workaround:
Use a Self IP address on the VLAN group.

595868-1 : HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.

Component: TMOS

Symptoms:
HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. Tmm cores with the following error message in /var/log/ltm: notice panic: hsb interface 2 DMA lockup on transmitter failure.

Conditions:
It is not known what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

595617-1 : Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.

Solution Article: K40420553

Component: TMOS

Symptoms:
When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.

Conditions:
- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1.
- A user modifies ipsec-tunnel-profile. Namely found here:
-- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'.
-- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.

Impact:
A traffic outage on one tunnel when the remote IPsec peer is generally plays the role of Initiator. The remote system, will not attempt to establish a new tunnel because it believes that a valid SA exists.

Workaround:
Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, then restarting tmipsecd can be employed, however this will cause all IPsec tunnels to restart.

595317-4 : Forwarding address for Type 7 in ospfv3 is not updated in the database

Component: TMOS

Symptoms:
The ospf nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed

Conditions:
remove the global address on the forwarding interface

Impact:
the packets will be sent to an incorrect interface.

Workaround:
clear ipv6 ospf process

594751-3 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN

Solution Article: K90535529

Component: Local Traffic Manager

Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.

Conditions:
1. LLDP is enabled globally and per interface.

2. Interfaces are added to a trunk after it has already been assigned to a VLAN.

For instance, assume the following protocol were followed for creating an LLDP trunk:

tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }

The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.

Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.

Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.

If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
bigstart restart lldpd

594547 : LTM policy TCP address selector offers only "match any of" condition

Component: Local Traffic Manager

Symptoms:
In the graphical UI, the user can create a condition on a TCP address where a list of user-specified addresses are considered for a match. But the negated version is not available.

Conditions:
Using only the GUI, it is not possible to create an LTM policy condition which checks for addresses that do not match the user-specified list.

Impact:
Users my not use the GUI to specify conditions in a policy where the TCP address does-not-match a list of specified addresses.

Workaround:
Using tmsh it is possible to create or modify a policy to negate a condition on tcp address.

For example, in tmsh:
root@(mybigip# modify ltm policy my_policy rules modify { my_rule { conditions replace-all-with { 0 { tcp address not matches values { 10.10.4.0/0 } } } } }

594366-1 : Occasional crash of icrd_child when BIG-IP restarts

Solution Article: K21271097

Component: TMOS

Symptoms:
When BIG-IP restarts (bigstart restart), or when restjavad restarts (bigstart restart restjavad), there is an occasional crash of the icrd_child thread.

Conditions:
When BIG-IP restarts (bigstart restart), or when restjavad restarts. No other specific conditions.

Impact:
Occasional crash/SEGV exception.

Workaround:
Restart restjavad (bigstart restart restjavad).

Impact of workaround: The iControl REST API for making queries or modifications is temporarily unavailable while the restjavad service restarts.

594064-2 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Solution Article: K57004151

Component: Local Traffic Manager

Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.

Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.

Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>

Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.

Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').

593845-3 : VE interface limit

Solution Article: K24093205

Component: TMOS

Symptoms:
TMM fails to bootup successfully.

Conditions:
More than 10 interfaces assigned to Virtual Edition (VE).

Impact:
BIG-IP fails to pass traffic as TMM fails to load successfully.

Workaround:
Make sure VE is assigned 10 or fewer interfaces.

593396-5 : Stateless virtual servers may not work correctly with route pools or ECMP routes

Component: Local Traffic Manager

Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.

Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.

Impact:
Traffic might be dropped.

Workaround:
Use other virtual server types to process this traffic.

593361-1 : The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.

Component: TMOS

Symptoms:
The target platform implementation need to be ensure that it is update to date with draft and additionally tested with other open sources and commercial implementations to deem stable. If not a stable and production version as in case below, sender packets can be with a dummy MAC which is not recognized by BIG-IP.

Conditions:
Target platforms which may be unstable and untested in VXLAN-GPE.

Impact:
BIG-IP drop packets since it does not recognize inner pkt MAC.

Workaround:
Ensure target platform is stable, tested and production version wrt VXLAN-GPE and NSH.

592819-2 : Enabling of whitelists on a protected object requires disabling DoS protection support in hardware

Component: Advanced Firewall Manager

Symptoms:
On certain platforms, DDoS protection support in hardware prevents configuration of a whitelist for a protected object.

Conditions:
-- Configuration of a whitelist on a protected object.
-- Hardware acceleration is configured on 5xxx/7xxx/10xxx/12xxx appliances, and all blades other than B2250/B4450.

Impact:
Cannot configure whitelist on a protected object.

Workaround:
Disable hardware support for DDoS protection from the command line using the following command:

modify sys db dos.forceswdos value true.

Note: Disabling DDoS hardware support might impact the performance of the device because then, all DDoS protection mechanisms are managed in software.

592620-1 : iRule validation does not catch incorrect 'after' syntax

Component: Local Traffic Manager

Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.

Conditions:
iRule with incorrect 'after' syntax. For example "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen)

Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.

Workaround:
Correct the syntax error.

592211-1 : Stress CPU on BIG-IP will also take into the packets dropped by hardware.

Component: Advanced Firewall Manager

Symptoms:
Rate limit is directly proportional to CPU stress seen by the BIG-IP system. DoS will rate-limit traffic in hardware (HW) when the BIG-IP system is under stress (CPU is high), then if packets are dropped by HW and CPU of the system will come down and hence DOS will stop rate-limiting. SO this kind of behavior could result in toggling of DOS rate-limit state.

Conditions:
-- DoS in HW starts rate-limit in HW.
-- DoS has autodos enabled.

Impact:
The BIG-IP system may see that one second, DoS is rate-limiting packets and next second, it is allowing packets, and then next second it starts rate-limiting again, and so on. So there will be toggling of DoS vector mitigation state.

Workaround:
The workaround is to disable autodosd for that vector.

591732-2 : Local password policy not enforced when auth source is set to a remote type.

Component: TMOS

Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.

Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.

2) The auth source is set to a remote source, such as LDAP, AD, TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None.

591505-1 : Policy may become unsyncable after changing contexts

Component: Advanced Firewall Manager

Symptoms:
This is a known issue due to internal framework in MCPD which marks configurable objects as either synced and non-synced. If the user applies the policy to a non-syncing context (non-floating self-IP), then that policy won't be synced across HA devices anymore.

Conditions:
A config with standalone firewall policy applied to synced and non synced context.

Impact:
A policy that is assigned to otherwise non-syncing context, e.g. non-floating self-IP, the attached policy will no longer be synced even if attached to a syncing object later.

Workaround:
Create a "local" policy for non-floating self-IP only.

591305 : Audit log messages with "user unknown" appear on install

Component: TMOS

Symptoms:
Multiple log entries in /var/log/audit similar to

May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]

Conditions:
This happens on initial install, it is not yet known what triggers it.

Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.

590851-4 : "never log" IPs are still reported to AVR

Component: Application Security Manager

Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag

Conditions:
Always

Impact:
Extra, unwanted logging for IP addresses flagged as "never log"

Workaround:
N/A

590415-1 : Partition can be removed when remote role info entries refer to it

Component: TMOS

Symptoms:
If you have a partition, and a remote-role info that mentions the partition, then you can delete the partition and the role info will not be modified. Once this configuration is saved, future loads will fail with an error like the following:

01070829:5: Input error: Invalid partition ID request, partition does not exist (your-partition-name)

Conditions:
A partition has been deleted, but the remote role configuration still names the partition.

Impact:
Load will fail.

Workaround:
Before removing a partition, ensure that any role-info entries mentioning the partition are also removed.

If you already have encountered a failure to load such a configuration, edit /config/bigip.conf to remove the offending entries in "auth remote-role".

590399-1 : Unnecessary logging during startup: 'Unable to connect to MCPD' and Errdefsd is starting'.

Solution Article: K11304001

Component: TMOS

Symptoms:
Unnecessary logging during startup: err errdefsd[5106]: 01940019:3: Unable to connect to MCPD, will try again in 30 seconds. err errdefsd[5106]: 0194001d:3: Errdefsd is starting. Old shared memory arena is now deprecated.

Conditions:
This occurs during system startup.

Impact:
No to low impact. This message is benign, and you can safely ignore it.

Workaround:
None needed.

590156-3 : Connections to an APM virtual server may be reset and fail on appliance and VE platforms.

Component: Local Traffic Manager

Symptoms:
APM connections failing when mac masquerade is in use and source-port preserve-strict is enabled on the APM virtual server.

Conditions:
The traffic-group has mac-masquerade configured and source-port preserve-strict is in use on the APM virtual server

Impact:
Connections to an APM virtual server may be reset and fail on appliance and VE platforms.

Workaround:
Disable either mac-masquerade or source-port preserve-strict (or both)

589862-6 : HA Grioup percent-up display value is truncated, not rounded

Component: TMOS

Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.

Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.

Impact:
Incorrect display of the percent-up value. The score contribution is correct, and displayed rounded properly.

589856-2 : iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients

Component: TMOS

Symptoms:
When 2 iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction id. This completely messes up both the client code execution.

Conditions:
Client requests to create transaction are close to each other in time.

Impact:
Transaction semantics are not followed, and unintended errors may occur

589367-2 : Some Edge Client's German translations are incorrect

Component: Access Policy Manager

Symptoms:
Some Edge Client's German translations are incorrect.

Conditions:
APM end-user's system using German locale.

Impact:
Conversion results in confusing text.

Workaround:
None.

588720-1 : Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.

Component: Local Traffic Manager

Symptoms:
Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.

Conditions:
-- TMM is overloaded.
-- UDP datagram load-balancing is used.

Impact:
UDP packets are dropped.

Workaround:
There is no workaround other than to disable datagram-load-balancing in the affected UDP profile. To do so, run the following command:

tmsh modify ltm profile udp <profile_name> datagram-load-balancing disabled

588646-1 : Use of Standard access list remarks in imish may causes later entries to fail on add

Component: TMOS

Symptoms:
The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load.

Conditions:
Create a standard access list with a remark.
Add to the same list another entry to permit or deny a IP/range.

Impact:
The ACL does not load and error is returned.

Workaround:
No not use remarks in standard access lists or use an access list in the extended or named ranges.

588626 : Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).

Component: Application Visibility and Reporting

Symptoms:
While configuring an alert for Maximum TPS on an Analytics profile, you get an error: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member)

Conditions:
This occurs when attempting to add an Analytics alert that triggers on Max TPS, and the alert is configured to run against a pool member or an application (the default is Virtual Server, not pool member or application).

Impact:
You cannot configure Max TPS alerts at the pool member level. The GUI appears to allow you to do this, but validation rules will prevent you from adding the alert.

The full list of alerts that cannot be configured at the pool or application level include all rules with the word Maximum in them:

- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput

588229-1 : DNS protocol default profiles can be deleted after being modified.

Component: Global Traffic Manager (DNS)

Symptoms:
A protocol default profile can be deleted in some cases.

Conditions:
The protocol default profile is not a parent to any other profile and has been modified.

Impact:
Default protocol profile can be deleted. If a default profile has been deleted, the config might get into an invalid state, and a config reload might be necessary.

Workaround:
Do not attempt to delete a protocol default profile.

588028-1 : Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up

Component: TMOS

Symptoms:
If the LCD visible alerts are cleared using the LCD menu while the Host is down, then when the host is brought back up the LCD will re-display any alerts that were generated after the host went down.

Alerts generated after a the Host is down are persistent and when the host comes up it will harvest those alerts and re-display them on the LCD. Alarm LED may be re-initialized to an unexpected state.

Conditions:
Alerts generated while the host is down and alerts are cleared using the LCD menu interface.

Impact:
Alerts are re-displayed on the LCD when the host comes back up. And the alarm LED may indicate an alarm that was thought previously cleared.

Workaround:
Do not clear the alerts from the LCD interface while the host is down.

587821-5 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Solution Article: K91818030

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

587804-1 : Symmetric Unit Key decrypt failure on base load

Component: TMOS

Symptoms:
On initial boot of VIPRION blade, before the blade is licensed, you may see the following error message in /var/log/ltm:

err mcpd[5015]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

Conditions:
It is not yet known what the conditions are that trigger this error.

Impact:
This occurs on initial boot of the VIPRION blade, prior to licensing the device. After licensing, this error does not occur.

Workaround:
None. If this error is reported on first boot, but can otherwise be licensed, it can be safely ignored. If this occurred after loading a ucs file, see SOL13132: Backing up and restoring BIG-IP configuration files at https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13132.html for more information on this error.

586862-2 : Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.

Solution Article: K30859144

Component: Local Traffic Manager

Symptoms:
Tcl expression evaluations (outside of an iRule) can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. A couple of examples where Tcl expressions are evaluated outside the context of an iRule include the tcl-setvar action of LTM Policy and the Request Header Insert feature of the HTTP profile.

Conditions:
Issue has been found on a virtual server with both an attached iRule and LTM Policy. The iRule calls TCP::collect when connection is accepted, and calls TCP::release at the CLIENT_DATA event. The LTM Policy has a single action to set a tcl set-variable expression.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

586660-1 : HTTP/2 and RAM Cache are not compatible.

Component: Local Traffic Manager

Symptoms:
A virtual server fails some requests where the response is served from cache.

Conditions:
This might occur in any of the following circumstances:

1.
-- Virtual server has either SPDY or HTTP/2 enabled
-- Requests that would normally served from RAM cache.

2.
-- HTTP virtual server has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event.
-- Tcl commands attempt to access the response headers.

3.
Certain filters and plugins that require access to the response headers.

Impact:
Errors in certain Tcl commands or failed requests. These correlate to Conditions as follows:

1. If a virtual server has either SPDY or HTTP/2 enabled, it might fail requests that would normally be served from RAM cache.

2. An HTTP virtual server that has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event might give errors to Tcl commands that attempt to access the response headers.

3. Certain filters and plugins that require access to the response headers might also fail in unexpected ways.

Workaround:
Disable CACHE via an iRule:

when HTTP_REQUEST {
if {[HTTP2::active]} {
CACHE::disable
}
}

586621-7 : SQL monitors 'count' config value does not work as expected.

Solution Article: K36008344

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.

586348-1 : Network Map Pool Member Parent Node Name display and Pool Member hyperlink

Component: TMOS

Symptoms:
The Network Map was not displaying the correct node name and the link was taking you to an incorrect pool member.

Conditions:
Create a pool and pool member from a FQDN node. Add that pool to a virtual server. From the Network Map page the pool member link does not show the FQDN making it hard to tell what pool member it is. When you click on the pool member hyperlink it takes you to the incorrect pool member.

Impact:
This causes confusion because the pool members are difficult to identify without the FQDN and the link takes you to the incorrect pool member.

586138-1 : Inconsistent display of route-domain information in administrative partitions.

Solution Article: K84112154

Component: Local Traffic Manager

Symptoms:
When IpAddress is displayed in GUI and TMSH, there exists some inconsistencies on how the route-domain of the address is displayed. This occurs for virtual servers and pool members.

Conditions:
IpAddresses configured for virtual servers and pool members outside the default-route-domain of the administrative partition.

Impact:
Although this is only a cosmetic issue, there might be confusion associated with the display inconsistencies.

Workaround:
None.

585248-1 : Resetting crypto client statistics can crash TMM and disrupt traffic handling.

Component: Local Traffic Manager

Symptoms:
TMM crashes when the statistics of the crypto client is reset when the External Crypto Offload feature is not licensed and the client configured with an unreachable crypto server. The command to reset the statistics of a crypto client is below:

tmsh reset-stats sys crypto client [<client name>]

Conditions:
With a crypto client configured to target an invalid or unreachable crypto server and the External Crypto Offload (ECO) feature is not licensed, reset the statics of the crypto client.

Impact:
Traffic is temporarily disrupted while TMM restarts.

Workaround:
Ensure the External Crypto Offload feature is licensed and/or target a valid crypto server when creating the crypto client.

584948-5 : Safenet HSM integration failing after it completes.

Component: Local Traffic Manager

Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:

denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.

Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.

The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions.

Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.

Workaround:
Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly.

For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.

584788-1 : Directed failover of HA pair using only hardwire failover will fail

Component: TMOS

Symptoms:
Units configured in a HA pair using only hardwire failover will not be able to use a targeted failover.

Conditions:
HA pair configured without network failover but with a hardwire failover.
Failover is attempted using one of the 2 following methods:

Via GUI
Device Management -> Traffic Groups
  check <traffic group>
    click "force to standby"
      again click "force to standby"

via tmsh
tmsh run sys failover standby device <peer device> traffic-group <traffic group name>

Impact:
Failover may fail with the following logs in /var/log/ltm
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.

Workaround:
Use an alternative failover method:
  - Device Management > Devices > Force to Standby
  - Device Management > Traffic Groups > [traffic Group name] > Force to Standby
  - tmsh run sys failover standby # without device

584772 : ssldump may crash when decrypting bad records

Component: Local Traffic Manager

Symptoms:
ssldump crashes while decrypting.

Conditions:
Using ssldump to decrypt SSL which contains bad records.

Impact:
ssldump crashes making it difficult to decrypt SSL data.

584504-2 : Allowing non-English characters on login screen

Solution Article: K36912228

Component: TMOS

Symptoms:
Passwords can contain non-English characters but it fails when logging in.

Conditions:
Passwords contain non-English characters.

Impact:
Users entering these characters on the login screen are unable to log in.

Workaround:
Make sure passwords contain only English characters.

584414 : Deleting persistence-records via tmsh may result in persistence being created to different nodes

Component: Local Traffic Manager

Symptoms:
After deleting the persistence records, a connection may use persistent records to two different nodes breaking persistence.

Conditions:
Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing).

Impact:
Client fails to persist to a particular node.

Workaround:
Avoid removing persistence records from tmsh or use iRules to remove persistence records.

584041 : forward slash '/' is used in the description field, admin user will be demoted to guest.

Component: TMOS

Symptoms:
When creating a new admin user, if a forward slash '/' is used in the description field, the user will be demoted to guest.

Conditions:
Creating a new admin user with a forward slash in the description text.

Impact:
mcp user's admin group demotion to guest.

Workaround:
Do not use forward slashes in the users description.

583777-5 : [TMSH] sys crypto cert missing tab completion function

Solution Article: K33230520

Component: TMOS

Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the certificate name that you want to operate.

Conditions:
This occurs in tmsh:

root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.

Impact:
Not possible to select a certificate using tab complete.

Workaround:
Manually type the certificate name.

583402-1 : ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work

Component: Application Security Manager

Symptoms:
The 'Overridden Characters in Value' and 'Overridden Attack Signatures' filter options on the Parameters List screen doesn't work correctly. These filter options appear after you set 'Parameter Value Type' to 'User-input value' and 'Data Type' to 'Alpha-Numeric'.

Conditions:
Attempting to filter parameters by settings the 'Value Type' to 'User-input value', 'Data Type' to 'Alpha-Numeric', and searching for 'At least one' signature override.

Impact:
Search fails.

Workaround:
None.

583101-2 : ADAPT::result bypass after continue causes bad state transition

Component: Service Provider

Symptoms:
Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue.

Conditions:
iRules exist on a VS with an adapt profile, containing:

when ADAPT_REQUEST_RESULT {
ADAPT::result bypass
}

or

when ADAPT_RESPONSE_RESULT {
ADAPT::result bypass
}

Impact:
ADAPT logs an unexpected state transition and resets the connection, making it impossible for iRules to replace the ICAP response.

Workaround:
Avoid 'ADAPT::result bypass' commands in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).

583084-5 : iControl produces 404 error while creating records successfully

Solution Article: K15101680

Component: TMOS

Symptoms:
iControl produces 404 error while creating gtm topology record successfully.

Conditions:
Creating gtm topology record without using full path via iControl.

Impact:
Result code/information is not compatible with actual result.

Workaround:
Use full path while creating gtm topology record using iControl.

582606-1 : IPv6 downloads stall when NA IPv4&IPv6 is used.

Component: Access Policy Manager

Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.

Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource

Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.

Workaround:
It is possible that disabling large receive offload will work as a mitigation. To do so, run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable.

582595-2 : default-node-monitor is reset to none for HA configuration.

Solution Article: K52029952

Component: TMOS

Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.

Conditions:
Scenario #1
Upgrading HA active/standby configuration, and reboot standby.
Where configuration consists of the following:
* ltm node with a monitor.
* ltm default-node-monitor with a different monitor.

Scenario #2
Given a HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.

Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.

Workaround:
Reconfigure a default-node-monitor.

582440-4 : Linux client does not restore route to the default GW on Ubuntu 15.10

Component: Access Policy Manager

Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.

Conditions:
Ubuntu 15.10, network access tunnel connect and then disconnect

Impact:
User will not be able to reach internet after disconnecting from network access.

Workaround:
If Wifi is in use then turn off and on again.
If Ethernet is used then unplugging and plugging cable again should solve the problem.

582331-1 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.

582234-6 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it

Impact:
Monitoring does not resume when pool member is re-enabled via config merge.

Workaround:
You can re-enable monitoring by running the following commands:

tmsh save sys config
tmsh load sys config

582207-7 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.

582127-1 : VE OVA logrotate max-file-size too big for /var/log partition size

Solution Article: K55138704

Component: TMOS

Symptoms:
Virtual Edition (VE) OVA logrotate max-file-size is too big for the /var/log partition size.

Conditions:
This occurs on 11.5.0 and later, where the partition size was reduced from 6 GB to 500 MB, to better manage disk space.

This can also happen on Micro instance on a fixed version

Impact:
The BIG-IP VE system runs out of disk space due to increased logging. In this instance, logrotate should run and potentially free up space by rotating and compressing the actively written logs. With the current setting for max-file-size, however, that cannot happen, thus leading to increased likelihood of running out of space in /var/log.

Workaround:
You can extend the disk space for logs by performing the following procedure. (From K14952: Extending disk space on BIG-IP Virtual Edition, available here: https://support.f5.com/csp/article/K14952#proc3.)

Impact of procedure: You need to shut down the BIG-IP VE system during the disk provisioning steps, and the system will not be available for traffic processing. You should perform this procedure during a suitable maintenance window. Increasing the disk size on the VE system is irreversible, since F5 does not support disk shrinking.

1. Log in to the command line on the BIG-IP VE system.

2. Shut down the system by typing the following command:
shutdown -h now

3. Provision the desired disk space for the VE system on the hypervisor. For information about disk provisioning on the hypervisor, refer to the documentation from your hypervisor vendor.

4. Start up the BIG-IP VE guest instance on your hypervisor. For information about starting a guest instance on the hypervisor, refer to the documentation from your hypervisor vendor.

5. When the BIG-IP VE system is up, log in to the command line on the VE system.

6. Extend the /var/log directory by using the following command syntax:
tmsh modify /sys disk directory /var/log new-size <desired value in KB>.

--For example you would type the following command to extend the /var/log directory to 10 GB:
tmsh modify /sys disk directory /var/log new-size 10485760.

7. Save the configuration by typing the following command:
tmsh save /sys config.

8. Reboot the VE system by typing the following command:
reboot.

9. When the BIG-IP VE system is up, log in to the command line on the VE system.

10. Verify that the /var/log directory is successfully extended to the size you have specified in step 6 by typing the following command:
tmsh show /sys disk directory.

581865-2 : 6900, 8900, 8950, or 11050 platforms missing swap storage★

Solution Article: K11053914

Component: TMOS

Symptoms:
No swap is available; observable via 'cat /proc/swaps'.

Conditions:
A 6900, 8900, 8950, or 11050 platform with RAID LVM, directly upgraded from a pre-10.2.4 version to version 11.x/12.x.

Impact:
No swap space is created during upgrade. Multiple unexpected issues might occur because there is no swap space available.

Workaround:
Newer systems have the swap storage created during initial format. You might also be able to first upgrade to version 10.2.4. Then, when upgrading to version 11.x/12.x, the process creates the swap during upgrade.

581668 : DNS/SIP whitelisted packets not reported

Component: Advanced Firewall Manager

Symptoms:
If a DNS/SIP packet hits DOS whitelist then this packet is not being reported to AVR.

Conditions:
The packet has to be DNS or SIP packet and has to hit the whitelist.

Impact:
There is no functional impact but AVR tables will not have the whitelisted packets in their count.

580602-1 : Configuration containing LTM nodes with IPv6 link-local addresses fail to load.

Component: TMOS

Symptoms:
As a result of a known issue a configuration containing LTM nodes with IPv6 link-local addresses may fail to load.

Conditions:
Attempt to load a configuration containing a LTM node with a IPv6 link-local address.

Impact:
Configuration fails to load.

Workaround:
Use IPv6 global addresses instead.

580499-2 : Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.

Solution Article: K34082034

Component: TMOS

Symptoms:
Configuring alternate admin user fails on multi-blade VIPRION chassis and will prevent newly added blades from being available to process traffic. If default admin on primary is disabled and you are on a chassis with at least two blades. After disabling the default admin on the primary and configuring an alternate, mcpd on secondary blades goes into a restart loop, and posts error messages similar to the following in /var/log/ltm:

warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-primary2.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary1.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary2.
err mcpd[26012]: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.
err mcpd[26012]: 01070734:3: Configuration error: Configuration from primary failed validation: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.... failed validation with error 17242343.

In this example, admin-primary1 is the default admin user set in the GUI under System :: Platform :: Admin Account, admin-primary2, admin-secondary1 and admin-secondary2 are other admin users on the device, but they are not configured as the default admin user.

Conditions:
Chassis with multiple blades; alternate primary admin is set on the primary blade.

Impact:
mcpd in a restart loop on secondaries.

Workaround:
There is no workaround that will allow you to use a different primary admin user on BIG-IP software versions affected by this issue. To stop secondary blades from restarting in a loop, issue the following commands on your primary blade, which should be stable at this time:

# tmsh modify sys db systemauth.primaryadminuser value admin
# tmsh save sys config

579652-1 : Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.

Component: Access Policy Manager

Symptoms:
When URLs from multiple browser tabs start an access policy, the session is created with the landing URL from the first tab that started the session, not with URL the second tab that continued and finished establishing the access session.

For example, an end user opens browser and sends GET to /first_url resource. Access initiates session, and renders logon page. Then end user opens another tab, and sends GET to /second_url resource. Access returns an error message "Access policy evaluation is already in progress for your current session." with a link to start new session. If the end user selects the "click here", the new session will start with /first_url, and not with /second_url as would be expected.

Conditions:
Using Multidomain SSO, and accessing two different resources before the access policy has been created. This causes the access policy to run from two different landing URLs

Impact:
This may cause BIG-IP as SAML SP unable to establish a session with IdP. In the case of LTM and APM, the user is always redirected to the URL from first tab after policy execution finishes.

Workaround:
None.

579252-3 : Traffic can be directed to a less specific virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to an less specific virtual during virtual modification. It could also be dropped if there is no less specific virtual server.

Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
  }
  net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
  }

  ltm pool redirect-echo {
    members { 10.125.0.17:7 }
  }
  ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
  }
  ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
  }

Impact:
Traffic can be directed to less specific virtual server

Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.

579035-5 : Config sync error when a key with passphrase is converted into FIPS.

Solution Article: K46145454

Component: TMOS

Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.

Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.

Impact:
Config sync will fail.

Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720

578989-5 : Maximum request body size is limited to 25 MB

Component: Access Policy Manager

Symptoms:
When a POST request with body size exceeds 25 MB is sent to APM virtual server, the request fails.

Conditions:
POST request body size exceeded 25 MB.

Impact:
The POST request fails. The maximum request body size is limited to 25 MB

Workaround:
There is no workaround at this time.

578971-3 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed

Component: Local Traffic Manager

Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:

"Slot 1 suffered heartbeat timeout ..."

This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.

Conditions:
Mcpd is restarted on a blade.

Impact:
Though all blades recover on their own, the cluster members being marked fail may result in a failover.

Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.

575919-3 : Running concurrent TMSH instances can result in error in access to history file

Component: TMOS

Symptoms:
TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file.

Conditions:
Running multiple instances can cause one instance of TMSH to lock the history file while the other is trying to access it, resulting in an error.

Impact:
Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued.

Workaround:
Only run a single instance of TMSH.

575642-1 : rst_cause of "Internal error"

Component: Local Traffic Manager

Symptoms:
The rst_cause may be logged as "Internal Error". rst_cause of "Internal error" does not give a narrow reason for the reset. It means that one of the other reset causes was not matched but the exact issue cannot be determined from this generic error.

Conditions:
Heavy/normal production network usage.

Impact:
System problem diagnosis is more difficult.

Workaround:
N/A

575372 : BIG-IQ Discovery may fail due to an invalid passphrase.

Component: TMOS

Symptoms:
BIG-IQ Local Traffic & Management discovery may fail due to an invalid passphrase. Log messages might include the error: Failed to transform secure field value.

Conditions:
-- The BIG-IP systems are configured in a DSC configuration.
-- There is one or more profiles configured with a passphrase.

Impact:
As a result, the LTM service cannot be managed for that BIG-IP system.

Workaround:
Run the following command on the BIG-IP system:
bigstart restart restjavad

575368-5 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted that the FIPS keys in the configuration that are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.

574318-3 : Unable to resume session when switching to Protected Workspace

Component: Access Policy Manager

Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error

Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace

Impact:
Client browser cannot render the protected workspace

574113-2 : Block All - Session Tracking Status is not persisted across an auto-sync device group

Component: Application Security Manager

Symptoms:
Users, IP addresses, and Sessions that are meant to be blocked due to their traffic patterns, are not being synchronized to the peer device in an auto-sync device group with ASM sync enabled.

This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Conditions:
1) Devices are in an auto-sync device group with ASM sync enabled.
2) Session Tracking is enabled.

Impact:
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Workaround:
Force a full sync to propagate the session tracking information.

572519-1 : More than one header name/value pair not accepted by ACCESS::respond

Component: Access Policy Manager

Symptoms:
An error is seen when ACCESS::respond command is used, for example, in an iRule with multiple header name/value pairs.

Conditions:
When ACCESS::respond command is used with multiple header name/value pairs.

Impact:
An error is generated when the command is used.

Workaround:
Let the command take only one name/value pair.

572234-2 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.

Component: Local Traffic Manager

Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.

Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.

The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.

The return route is a pool route.

The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.

Impact:
The traffic is sourced from invalid ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.

Workaround:
Increase the lasthop module's TCP idle timeout.

echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp

572142-2 : Config sync peer may fail to monitor newly added pool member after it is added via sync

Component: Local Traffic Manager

Symptoms:
If a pool member in a sync group is removed and another member added and then synced to the peer, the monitor state on the peer may be erroneous.

Conditions:
2 or more devices in a device group
A pool member is deleted, and another is added, then a full config sync is performed

Impact:
Monitoring does not happen. If the pool member should be marked down by the monitor, it may indicate as being up. You may need to do a system restart to get monitoring to resume properly.

Workaround:
Suggested workaround:

Here’s a way that should avoid any possible downtime:

1. Do the node replacement on box A. Do not sync.
2. Do the node replacement on box B. Do not sync.
3. This will cause a sync conflict, and its resolution will require a full load. This is intentional. Force a sync.

The result of that final sync will be that mcpd sends no changes to the relevant nodes on the receiving device.

571727-1 : 'force-full-load-push' is not tab expandable

Solution Article: K52707821

Component: TMOS

Symptoms:
The 'force-full-load-push' option for 'run cm config-sync' is not tab expandable unless it's the first option given.

Conditions:
This is encountered when trying to use tab complete in tmsh for the 'run cm config-sync' command.

Impact:
The keyword 'force-full-load-push' has to be typed out in full or used as the first option.

Workaround:
Use 'force-full-load-push' as the first option, or type it out in full.

571634-1 : tmstat CPU values can be incorrect

Component: TMOS

Symptoms:
The CPU values returned by blades in a chassis may not be sorted correctly and so the returned values might appear confusing or invalid.

Conditions:
Retrieving values for a chassis using the following command: tmstat cpu.

Impact:
Incorrect reporting of TMM CPU utilization using tmstat command.

Workaround:
No workaround.

571622-1 : "Exceeding pool member limit" error with FQDN pool members and non-LTM license

Component: Local Traffic Manager

Symptoms:
When configuring FQDN pool members on a BIG-IP system with a license that does not include the LTM module, an error similar to the following may be logged by mcpd:

01071732:3: Exceeding pool member limit (3). Cannot add pool member to pool:(/Common/pool_name).

Conditions:
This may occur if:
1. The active BIG-IP license does not include the LTM module. Specifically, the active license defines a pool member limit (ltm_lb_pool_member_limit) other than 'unlimited'. This currently applies to AFM, APM and ASM licenses.
2. FQDN pool members are configured with 'autopopulate' set to 'enabled'.
Under these conditions, the ephemeral FQDN pool members are counted against the pool member limit (ltm_lb_pool_member_limit) defined in the LTM license.

Impact:
Unable to configure FQDN pool members with autopopulate enabled on BIG-IP system without an LTM license.

Workaround:
To work around this issue:
1.a. Configure FQDN pool members with autopopulate disabled; and
1.b. Do not attempt to configure more pool members than are permitted by the active license.
OR
2. Add the LTM module to the license configuration.

571503-1 : Windows Edge client cannot detect local LAN in some cases

Component: Access Policy Manager

Symptoms:
If Edge client is configured in Always Connected mode with option to "Allow Traffic" without VPN, it will continue to establish VPN even when location awareness is configured.

Conditions:
1) Edge client was installed using a package that was created without setting DNS suffix list in connectivity profile
2) DNS suffix list to identify enterprise LAN was set in the connectivity profile after client package was created.

Impact:
Edge client will fail to detect Enterprise LAN and continue to establish VPN even when machine is connected to enterprise LAN.

571333-8 : fastL4 TCP handshake timeout not honored for offloaded flows

Solution Article: K36155089

Component: TMOS

Symptoms:
When a virtual server is configured with a fastl4 profile that enables full acceleration and offload state set to 'embryonic', and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the 'idle timeout' value of the fastl4 profile, but it should be set to the 'tcp handshake timeout' instead.

Conditions:
-- Virtual server is configured with a fastl4 profile that enables full acceleration and offload state of 'embryonic'.
-- A flow is offloaded for hardware acceleration.

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the offload state to 'established'.

571017-1 : Extra log messages seen on optics removal.

Component: TMOS

Symptoms:
Following message may appear in /var/log/ltm when optics are removed:
soc_phy_i2c_read_devtype - eeprom soc_phy_i2c_read_bytes failed port(28)

Conditions:
Optics removal.

Impact:
This is a cosmetic message and does not indicate a problem with the system.

Workaround:
None needed.

570013 : TCP Analytics Profile section in virtual server UI has erroneous caption

Component: TMOS

Symptoms:
In TMUI: Local Traffic: Virtual Server:: Create: advanced, TCP Analytics profile section has a erroneous caption for HTTP Analytics profile.

Conditions:
This occurs when creating a TCP Analytics profile in the GUI when AVR is not provisioned.

Impact:
The screen posts a warning similar to the following: Warning: The Application Visibility and Reporting (AVR) module is not provisioned. Assigning an HTTP Analytics profile is not recommended.

However, it should be TCP Analytics profile.

Workaround:
None. The message is correct the AVR is not provisioned. However, the warning should reference the TCP Analytics profile instead of the HTTP Analytics profile.

569968 : snmpd core during startup

Component: TMOS

Symptoms:
sod reanimates (with core dump) snmpd due to heartbeat timeout during BIG-IP system startup and configuration load.

Conditions:
During startup and configuration load, snmpd sometimes blocks while waiting for certain system resources to become available. If snmpd blocks longer than its configured heartbeat timeout, sod reanimates it (with a core dump).

Impact:
Only impact is the generation of a core file.

Workaround:
Increase the snmpd heartbeat timeout to 300 seconds or more.

The 11.5.1 default timeout of 60 seconds might be too short for certain platforms and configurations. The default timeout for later releases is 300 seconds.

569331-3 : Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP

Component: TMOS

Symptoms:
Traffic will not pass to virtual servers of a traffic group

Conditions:
BIG-IP AWS
High Availability
AWS network outage

Impact:
Some of virtual addresses end up associated with the standby BIG-IP; traffic will not pass to their virtual servers.

Workaround:
If the desired BIG-IP is standby, failover to the BIG-IP.
If the desired BIG-IP is already active, failover from this BIG-IP and then failover back to this BIG-IP.

569281-6 : L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot

Solution Article: K33242855

Component: TMOS

Symptoms:
Several 'kernel: BUG: soft lockup' messages from kernel leading to TMM. Eventual blade reboot

Conditions:
-- Using vCMP.
-- Network to which the BIG-IP management port is connected has a Layer 2 loop.

Impact:
The BIG-IP system is unusable and eventually reboots.

Workaround:
Avoid L2 loops in the network to which the BIG-IP management port is connected.

569195-1 : A Set-Cookie for an existing ASM cookie without value change

Component: Application Security Manager

Symptoms:
A Set-Cookie command appears for an ASM cookie (TS cookie) where the value has not changed and the set-cookie command is not needed.

Conditions:
-- The policy building is automatic or manual mode.
-- Additional features may also cause TS cookie setting, but usually these will also include cookie changes.

Impact:
The unneeded cookie may disturb caching and cause additional unnecessary bandwidth consumption.

Workaround:
If possible, turn off the policy builder.

568458 : DoS vectors must be enabled in both DoS Profile and Device Configuration

Component: Advanced Firewall Manager

Symptoms:
In order for a DoS vector in a DoS Profile to detect a you must enable that same vector in the DoS Device Configuration.

Conditions:
DoS vector configured at the per-virtual server level, but not at the device level.

Impact:
Might result in false negatives.

Workaround:
You can use the following workaround:
1. Enable the vector in Security : DoS Protection : DoS Profiles.
To do so, click Network Protection, click Enabled, and enable the DoS Vector for the DoS Profile.
2. Enable the vector in the Device Configuration.
To do so, go to Security : Dos Protection : Device Configuration, select the vector, and then configure the vector either manually, or with the auto-configuration option.

567503-1 : ACCESS::remove can result in confusing ERR_NOT_FOUND logs

Solution Article: K03293396

Component: Access Policy Manager

Symptoms:
When using the iRule command ACCESS::remove, ERR_NOT_FOUND messages may appear in /var/log/apm. Theses are not real errors. ACCESS is trying to insert a session variable, but it is not able to find the session because the iRule already deleted the session.

The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.

Conditions:
An iRule using the command ACCESS::remove, and the end-user does a POST.

Impact:
No functional impact, the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.

Workaround:
None.

567490-2 : db.proxy.iter value is overwritten if it's manually set

Component: TMOS

Symptoms:
When setting the "BIND Forwarder Server List" on the "Configuration : Device : DNS" page, the system stores the values in the sysdb variable db.proxy.__iter__. When changing the value using tmsh or iControl, the db.proxy.__iter__ value is overwritten when subsequently viewing the value in the GUI.

Conditions:
When setting these values in sysdb via tmsh or REST, the values are set, but then upon re-visiting Configuration : Device : DNS in the GUI, the values in the sysdb variable are reset to their former values.

Impact:
BIND Forwarder Server List values do not persist.

Workaround:
Use the GUI to change the BIND Forwarder Server List values.

567330-1 : tmsh show sys memory on secondaries will generate innocuous error

Component: Local Traffic Manager

Symptoms:
The ltm log file contains these errors: err mcpd[9011]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).

Conditions:
This occurs when logged into secondary member of a cluster (VIPRION blade or vCMP guest) and running the command: tmsh show sys memory.

Impact:
The error indicates that the secondary member cannot display information that is only presented on a primary. This is a spurious error, and you can safely ignore it.

Workaround:
Ignore the specific error with this signature:

0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).

565755 : Dashboard does not work when custom port is used for management port.

Component: TMOS

Symptoms:
BIG-IP v12.0.0 introduced the ability to change the management port, but the dashboard was not changed to support that. Dashboard does not work when a port is used for management port other than the default port 443.

Conditions:
Using the dashboard when the management address is configured to use a port other than port 443.

Impact:
The dashboard reports a connection error and asks you to log back in.

Workaround:
None.

565347-2 : Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction

Component: Access Policy Manager

Symptoms:
Rewrite engine behaves improperly in case of AS2 SWF with a string in 'push' instruction longer than the instruction length itself.

Conditions:
Any AS2 SWF with a string in 'push' instruction longer than the instruction length.

Impact:
Rewrite coredump.

Workaround:
It can be worked around by adding an Portal Access profile resource item with Flash patcher turned off for improper SWF content.

564634-5 : Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool

Component: Local Traffic Manager

Symptoms:
Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool.

Conditions:
Remove a monitor from a pool using tmsh edit commands.

Impact:
bigd still monitors the pool.

Workaround:
None.

564431-3 : Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail

Component: Policy Enforcement Manager

Symptoms:
Subscriber lines terminated with an EOL that occur before the line without an EOL are loaded.

Conditions:
At least one line in the static subscriber file is not terminated with an EOL character.

Impact:
Impact to support staff in diagnosing the root cause for failure while importing a subscriber file.

Workaround:
Save the file in unix format that appends EOL characters to the each line.
While editing the file make sure lines are terminated with an EOL character.

564324-2 : ASM scripts can break applications

Component: Application Security Manager

Symptoms:
ASM originated scripts are injected into places where they are not supposed to be, causing the script not to work and/or the application to break.

Conditions:
ASM is in front of a single page application, where injection is possible only for the main page. \
ASM has the CSRF or web scraping feature enabled.

Impact:
Application malfunctions, shows javascrip errors

Workaround:
Turn off the relevant feature that causes the injection.

563905-2 : vCMP guest fails to go Active after the host system is rebooted

Solution Article: K62975642

Component: TMOS

Symptoms:
A vCMP guest fails to go Active after the host system is rebooted. When this occurs, the system posts the following message: confpp[9184]: rollback FAILED for 'unix_config_syslog'

Conditions:
The host of a vCMP guest is rebooted.

Impact:
The guest will not become active.

Workaround:
None.

563651-2 : Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★

Component: Access Policy Manager

Symptoms:
Web application does not work/works intermittently via Portal Access after BIG-IP upgrading to any new software version.

Conditions:
-- Web application via Portal Access.
-- any modern browser like Chrome, Firefox, Safari or MS Edge.
-- After upgrading of BIG-IP.

Impact:
Various unexpected behaviors. For example, a custom intranet application link might experience intermittent failures through rewrite. This occurs because Portal Access does not support Storage areas (localStorage, sessionStorage). This might impact web-applications with content previously populated in Storage areas.

Workaround:
Possible workaround:
-- Clear browser cache manually after upgrading.

560601-1 : HTML5 File API and MediaSource URLs are blocked in Portal Access

Component: Access Policy Manager

Symptoms:
Web Application is not working and a message similar to following is logged to the developer tools console in the browser:
"Refused to load media from 'blob:https://...' because it violates the following Content Security Policy directive: ..."

Conditions:
This occurs on web applications that are using the HTML5 file API

Impact:
Applications with usage of HTML5 File API could stop working when accessed via APM Portal Access.

Workaround:
when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header exists Content-Security-Policy] } {
        HTTP::header replace Content-Security-Policy \
            [string map {"data:" "data: blob: mediasource: mediastream:"} [HTTP::header Content-Security-Policy]]
    }
}

559402-4 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form

Component: Access Policy Manager

Symptoms:
Client initiated form based SSO fails when the username and password are not replaced correctly in post request. The reason for this is that client initiated form based SSO and browser urlencode special character in username/password differently. and the case sensitive comparison fails to find match between both these urlencoded values. So sso module adds the username password to the token again. This results in password attribute/value pair appears twice with both the f5-sso-token and the real password and so it fails

Conditions:
When the password contains special charaters like [ or ]

Impact:
SSO fails with password attribute/value pair appears twice with both the f5-sso-token and the real password in the token and so it fails

Workaround:
No workaround

559082-2 : Tunnel details are not shown for MAC Edge client

Component: Access Policy Manager

Symptoms:
Tunnel details are not shown for MAC Edge client.
Tunnel details are located in Edge client :: View details :: Connection :: Tunnel details

Conditions:
MAC Edge client and established network access connection.

Impact:
Minor. Only diagnostic information is missing, otherwise tunnel works fine.

Workaround:
None.

557322-1 : Sensitive monitor parameters recorded in bigd and monitor logs

Component: Local Traffic Manager

Symptoms:
When bigd debug logging is enabled, the resulting bigd debug log may contain sensitive parameters from the monitor configuration.

When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration.

In each case, the monitor parameters logged may include:
- user-account password
- radius/diameter secret
- snmp community string

Conditions:
This may occur under either of the following conditions:

1. bigd debug logging is enabled:
tmsh modify sys db bigd.debug value enabled

2. Monitor instance logging is enabled for one of the following LTM monitor types:
ftp
imap
pop3
smtp

Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the bigd debug log (/var/log/bigdlog) or in the monitor instance logs under /var/log/monitors.

Workaround:
1. Do not enable bigd debug logging.

2. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.

3. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.

554504 : Client OS version not logged in Browser/OS Reports for iOS client devices

Component: Access Policy Manager

Symptoms:
When an iOS device is used to login with APM, the client OS version is not logged and is not correctly reported in the Browser/OS Report.

Conditions:
Client device must run iOS.

Impact:
Devices running different versions of iOS are not differentiated in the Browser/OS Report.

Workaround:
None.

552988-2 : Cannot enable MPTCP on some profiles in GUI.

Component: Local Traffic Manager

Symptoms:
Version 12.1 Cannot enable MPTCP on some profiles in GUI. Get error message: 01070734:3: Configuration error: In profile /Common/proxy-client to enable MPTCP, Hardware SYN Cookie must be disabled.

Conditions:
Version 12.1 Enabling MPTCP on some profiles in GUI.

Impact:
Version 12.1 Cannot enable MPTCP.

Workaround:
Use tmsh to enable MPTCP on some profiles.

552444-1 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD

Component: Access Policy Manager

Symptoms:
Dynamic drive mapping in network access may not work if
mapping is configured to use session variable, and session variable is received from LDAP/AD.

Conditions:
Drive mapping is received from LDAP/AD and contains double slash in the path, e.g. "\\server\path"

Impact:
Dynamic drive mapping may not function.

Workaround:
For example using session.ad.last.attr.homeDirectory attribute value to drive map. Assign variable and escape the textra backslashes added by APM.

homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]

547692-3 : Firewall-blocked KPASSWD service does not cause domain join operation to fail

Component: Access Policy Manager

Symptoms:
KPASSWD service runs on tcp/464 and udp/464. If both of these ports were blocked, BIG-IP would not be able to properly set the machine account password for the created machine account. However, there is a bug on BIG-IP as well, which fails to report this failure back to the administrator.

As the machine account itself was successfully created on ActiveDirectory side without the correct password, and BIG-IP's failure to report the KPASSWD failure problem, the domain join operation seems had worked perfectly.

However, since the password information is never set on ActiveDirectory side, this causes this machine account effectively unusable because BIG-IP would never be able to establish a working SCHANNEL with ActiveDirectory server because of this password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, as password setting for machine account is not allowed to be performed by administrator, this situation obfuscate the fact the KPASSWD was failing as AD server never receives thus AD never logged any failure on this matter, while BIG-IP fails to detect the KPASSWD failure, and so as administrator's user experience goes, everything seems perfectly worked for domain join.

Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.

Impact:
Created machine account is effectively unusable due to password mismatch, and BIG-IP would never be able to establish a working SCHANNEL, this renders NTLM authentication feature to be not working.

Workaround:
Allow KPASSWD to reach ActiveDirectory server

546489-1 : VMware View USB redirection stops working after client reconnect

Component: Access Policy Manager

Symptoms:
VMware View USB redirection stops working

Conditions:
VMware View client reconnects due to network interruptions

Impact:
VMware View USB redirection stops working

544568-5 : Flows for a FastL4 profile that are forwarded may now be accelerated.

Component: TMOS

Symptoms:
Forwarded FastL4 profiles are not accelerated.

Conditions:
This occurs when any of the following conditions is met:
-- Using a preserve-strict setting on a virtual server.
-- Using the "snat" command in an iRule.
-- Using CGNAT with few available endpoints.

Impact:
Forwarded FastL4 flows are not accelerated.

Workaround:
None.

542347-2 : Denied message in audit log on first time boot

Component: TMOS

Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:

type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.

Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.

Impact:
This error message is benign and can be ignored.

Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.

542104-2 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

Solution Article: K33458192

Component: Local Traffic Manager

Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

TCP monitors may fail because the server fails to respond to the initial TCP SYN.

TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.

Conditions:
A server with tcp_tw_recycle enabled.

A multi-blade BIG-IP chassis.

Impact:
Monitor failures or traffic disruption.

Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.

Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.

541622-2 : APD/APMD Crashes While Verifying CAPTCHA

Component: Access Policy Manager

Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in libcurl function when verifying CAPTCHA

Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.

Impact:
Authentication service will be disrupted until APD/APMD is up again.

539026-5 : Stats refinements for reporting Unhandled Query Actions :: Drops

Component: Local Traffic Manager

Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error

but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors

Drops refers to the dropped packets for the system, not specifically for Unhandled Query Actions. It would be more clear if there were one dropped packets stats for the system, and another specifically for Unhandled. And also add stats for Allow packets under Unhandled.

Conditions:
Statistics pages for Unhandled Query Actions :: Drops.

Impact:
May be confusing to determine what the statistics mean.

Workaround:
None.

537209-5 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'

Component: Local Traffic Manager

Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.

Conditions:
A virtual is processing traffic that contains a Fastl4 profile with idle timeout set to 'immediate'.

Impact:
Traffic is Reset on a virtual where it should properly handle the traffic.

Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.

535122-8 : [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects

Component: TMOS

Symptoms:
Using iControl REST's process (iCRD) with 'sys crypto' always fails, and the GUI does not work with SSL file objects created without extensions using tmsh (with 'sys file') during the create process.

Conditions:
-- Creating SSL certificates/keys/CRL/CSR objects using iControl (with 'sys crypto') or tmsh (with 'sys file').
-- Specifying the file extension associated with the object: .crt/.key/.crl/.csr.

Impact:
The system creates a file with two extensions, for example, specifying the filename csrname.crt creates a file named csrname.crt.csr in folder /config/ssl/ssl.csr/.

-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
   + Inconsistently manages those files improperly.
   + May return errors (e.g., 'An error has occurred while trying to process your request.' or 'No certificate.').
   + May confuse two objects (e.g., 'web-server' and 'web-server.crt').
   + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing one of these files, and reports an error similar to the following: Key management library returned bad status: -2, Not Found.

Workaround:
When creating SSL-related file objects via tmsh 'sys file' or iCRD with 'sys crypto', do include a file extension (.crt/.key/.crl/.csr) in the object name, even if it is the extension associated with the type of object. This is because the system explicitly adds the appropriate file extension during the create operation for ('sys crypto') but does not add extensions for ('sys file').

535119-1 : APM log tables initial rotation in MySQL may be wrong

Component: Access Policy Manager

Symptoms:
APM uses local MySQL to store logs and automatically rotate the log tables when the log table size exceeds a limit, which removes the oldest log table and make room for a new current log table.

However, the initial timestamps of those log tables may be very close--or the same in 1-second granularity of MySQL timestamps--right after the installation that initially creates those log tables. Due to the timestamp granularity, it may be wrong for APM to choose the oldest log table to remove in the first round of rotation, resulting in removal of log data that are not the oldest.

After the first rotation, the log table rotation should work as normal.

Conditions:
The first round of log table rotation after installation

Impact:
Log data that are not the oldest may be removed at the first round of log table rotation.

530092-2 : AD/LDAP groupmapping is overencoding group names with backslashes

Component: Access Policy Manager

Symptoms:
Adding a group value that contains space(s) manually in AD/LDAP Group Resource Assign actions will result in the space(s) being escaped and thus invalidating match attempts. For example, adding group 'Foo Bar' (without the quotes) will result in an expression found in bigip.conf as follows:

expression "expr { [mcget -decode {session.ldap.last.attr.memberOf}] contains \"CN=Foo\\\\ Bar\" }"

The value '\"CN=Foo\\\\ Bar\"' will not match a memberOf group returned that contains 'CN=Foo Bar,...'.

Conditions:
Spaces are encoded with backslashes.

Impact:
Matching for memberOf group will not working.

Workaround:
N/A

528295-7 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Solution Article: K40735404

Component: TMOS

Symptoms:
A 10.x UCS containing LTM virtual servers with ARP set to disable. Loading the 10.x UCS on 11.4.x or later system leads to the ARP and ICMP echo setting value being flipped each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.

Impact:
ARP and ICMP echo setting value being flipped each time the load occurs. Note that the ICMP echo virtual field will be flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.

527119-4 : Iframe document body could be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
End users report being unable to use certain page elements in chrome (such as the Portal Access menu), and it appears that Javascript has not properly initialized.

Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code:
    iframe.contentDocument.write(html);
    iframe.contentDocument.close();
    <any operation with iframe.contentDocument.body>

One of applications known to contain such code and fail after APM rewriting is TinyMCE editor.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.

526519-1 : APM sessiondump command can produce binary data

Component: Access Policy Manager

Symptoms:
New session variable "session.access.scope" includes a null character after the value. This will result in piped grep commands from sessiondump such as:
sessiondump <args> | grep <search value>

returning the text:
Binary file (standard input) matches

instead of the expected output.

Note that this problem exists in APM version 12.

Conditions:
Using sessiondump command with pipe to grep.

Impact:
Administrator cannot use "grep" command with sessiondump.

Workaround:
Use "-a" option with grep. For example:
sessiondump <args> | grep -a <search value>

525378 : iRule commands do not validate session scope

Component: Access Policy Manager

Symptoms:
Assume that a user establishes a session on one virtual server. If the user learns his session ID, he may attempt to reuse that session ID to gain access to resources guarded by a different virtual server. When this happens, the iRule access session commands like [ACCESS::session sid] and [ACCESS::session exists] do not validate the scope of the session. The iRules consider sessions from other virtual servers to be valid, which can cause unintended results and potentially lead to end-users gaining higher privileges than administrators intended.

Conditions:
There may be multiple access profiles assigned to multiple virtual servers, but the iRule session commands will treat all sessions the same.

Impact:
If the administrator is not careful with how the iRule session commands are used, it can result in a user bypassing the access policy and receiving higher privileges than the administrator intended.

Workaround:
Care must be used to ensure that iRules using the session commands do not result in unintended behavior. An iRule similar to one below can be used to restrict a session to the virtual server on which it was created:

when ACCESS_ACL_ALLOWED {
  set sessionlistener [ACCESS::session data get "session.server.listener.name"]
  set virtualname [virtual name]

  if { [HTTP::cookie MRHSession] != "" } {
    if { not ($sessionlistener equals $virtualname) } {
      # enter whatever command you wish to use to prevent the connection
      reject
    }
  }
}

524193-5 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify,delete, replace-all). Only the first address will be saved.

Conditions:
Specifying multiple source addresses are specified on a TMSH snmp community command.

Impact:
The command is accepted, but only the first address will be allowed snmp access.

Workaround:
Add an additional source address to another snmp community object that has the same community string.

524123-1 : iRule ISTATS::remove does not work

Component: TMOS

Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.

Conditions:
Invoking the ISTATS::remove command from an iRule.

Impact:
The value of the iStat remains defined.

Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.

523797-2 : Upgrade: file path failure for process name attribute in snmp.★

Component: TMOS

Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.

Conditions:
Upgrade from 10.x. to 11.5.1 or later.

Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.

Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.

523158-1 : In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails

Component: Access Policy Manager

Symptoms:
In rare case when dn is returned with cn= in lower case VPE is failing to match groupnames

Conditions:
Server that returns cn in low case

Impact:
Group mapping doesn't work

Workaround:
No workaround.

520877-1 : Alerts sent by the lcdwarn utility are not shown in tmsh

Component: TMOS

Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.

The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.

Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.

Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.

This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.

Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.

Workaround:
None. This is a cosmetic issue.

517609-3 : GTM Monitor Needs Special Escape Character Treatment

Solution Article: K77005041

Component: Global Traffic Manager (DNS)

Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.

Conditions:
Any running GTM monitor.

Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.

Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.

For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.

516280-4 : bigd process uses a large percentage of CPU

Component: Local Traffic Manager

Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.

Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.

Impact:
bigd process uses a large percentage of CPU.

Workaround:
None.

516167-2 : TMSH listing with wildcards prevents the child object from being displayed

Solution Article: K21382264

Component: TMOS

Symptoms:
The tmsh list command is attempted with an identifier that specifies use of wildcard match character (*) , the results returned may not print the nested objects contained within the parent object.

For example, the list ltm pool* command will print all pools that begin with the word pool, but will fail to list the profiles that are within the pool.

Conditions:
tmsh list with a wildcard character specified for parent object.

Impact:
Missing details of nested objects when tmsh list is invoked with wildcard character (*) specified in the object identifier

Workaround:
None.

514703-1 : gtm listener cannot be listed across partitions

Component: TMOS

Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.

Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.

For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.

Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.

Workaround:
Change to the partition where the listener exists before performing any operations on it.

513887-8 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system

Component: Application Security Manager

Symptoms:
There are "/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.

Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

no other impact

Workaround:
none

513310-1 : TMM might core when a profile is changed.

Component: Local Traffic Manager

Symptoms:
TMM might core when a profile is changed.

Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.

Impact:
TMM might core. Traffic disrupted while tmm restarts.

Workaround:
None.

510395-5 : Disabling some events while in the event, then running some commands can cause tmm to core.

Solution Article: K17485

Component: Local Traffic Manager

Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.

Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
   }
   after 100
   log local0. "foo"
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable events as the last command before exiting the event. For example:

when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
       return
    }

}

509596-1 : iFrames with 'javascript:' scheme in SRC may not work

Solution Article: K44043455

Component: Access Policy Manager

Symptoms:
Some applications do not work with Portal Access, resulting in an error 'F5_Invoke_write is not defined' on JavaScript Console.

Conditions:
Web application that uses IFrames with 'javascript:' scheme in SRC attribute runs through Portal Access.

Impact:
Web application does not work through Portal Access.

Workaround:
There is no workaround at this time.

509497-1 : VCMP guests on a specific host may be restarted when that host system experiences large date/time changes

Component: TMOS

Symptoms:
After a large (> 7 months) change in system date/time, either manually or via NTPD, VCMP guests may be killed and restarted.

Impact:
Temporary loss of service of data path elements, until killed guests are restarted.

Workaround:
Avoid large changes in system time during critical hours of operation.

It may be better to bring down guests administratively, make the date/time change, and then bring the guest back up rather than allowing them to be killed/restarted automatically due to heartbeat timer expiration.

501258-2 : Unable to modify 'gtm region region-members' via iControl REST

Component: TMOS

Symptoms:
Unable to modify 'gtm region region-members' via iControl REST. The system posts error 400 Invalid region type messages.

Conditions:
Attempt to modify gtm region region-members via iControl REST.

Impact:
Unable to use iControl REST to configure this portion of the GTM/DNS configuration.

Workaround:
Use tmsh to modify GTM Regions.

499404-7 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies

Solution Article: K15457342

Component: Local Traffic Manager

Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.

Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.

Impact:
The wrong MSS value is advertised during 3WHS.

Workaround:
None.

499348-5 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge.

496621-1 : Portal Access incorectly rewrites expressions with JavaScript typeof operator

Component: Access Policy Manager

Symptoms:
The Portal Access module transforms intranet web application code to make it accessible via an APM virtual server. One of these transformations might incorrectly rewrite expressions with 'typeof' operator, though you might not see any immediate visible effect.

Conditions:
The issue affects expressions like 'typeof something' where 'something' is expected to be transformed by Portal Access.
For example, with the original code similar to 'var l = window.location; if (typeof l.href) {...}' unrewritten typeof argument causes condition to fail.

Impact:
When Portal Access accesses the intranet application containing such code, expressions with typeof operator may have wrong value, leading application to incorrect code paths. As a result, the application might fail with a very obscure and difficult to diagnose errors.

Workaround:
Use an iRule for each specific case. There is no global workaround.

494135-1 : HTML Event handlers may not work if 'eval' is redefined

Solution Article: K43101043

Component: Access Policy Manager

Symptoms:
If 'eval' JavaScript call is redefined in HTML page, event handlers may not work correctly.

Conditions:
There may be many ways to re-define 'eval'. For example:

<form>
<button name=eval onclick="someFunction();">Button</button>
</form>

In this case 'onclick' event handler will not work through Portal Access.

Impact:
Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash.

Workaround:
There is no workaround at this time.

493524 : ASM attack appear ongoing forever if restarting dosl7d during an attack

Component: Application Visibility and Reporting

Symptoms:
If dosl7d is restarted during an attack it doesn't write the "end attack" event to logdb.

Conditions:
Restarting dosl7d in the middle of an ASM attack (including actions that implicitly cause dosl7d restart like tmm restart or reboot).

Impact:
Attack appears ongoing in Dos Overview page (even though it should be marked "ended").

Workaround:
No workaround.

489499-3 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd

Component: TMOS

Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not seen or reported by chmand. A message is seen in /var/log/ltm that contains the phrase, "failed to register for LOP at <address>"

Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.

Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.

Workaround:
Re-start lopd:
# bigstart restart lopd

486735-5 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.

482625-1 : Pages with utf-8 Content-Type and utf-16 META tag do not render

Component: Access Policy Manager

Symptoms:
Some pages cannot be displayed. A page has a Content-type header with charset utf-8. The payload has a META tag with charset utf-16. Actual data appears to be utf-8. Rewriting the page inserts a utf-16 BOM in the response, causing the page to not load.

Conditions:
Pages that contain utf-8 Content-Type headers but utf-16 META tags

Impact:
Web-application cannot display some pages.

Workaround:
An iRule can be used to fix the META charset and allow the page to load.

479471-1 : CPU statistics reported by the tmstat command may spike or go negative

Solution Article: K00342205

Component: TMOS

Symptoms:
On bladed systems, the results from the 'tmstat' and 'tmstat cpu' commands may spike high or go negative due to a issue with how per-blade statistics are collected.

Conditions:
Error in the timing of statistics collection such that display is incorrect.

Impact:
Incorrect display of CPU statistics.

Workaround:
There is no workaround.

479262-4 : 'readPowerSupplyRegister error' in LTM log

Component: TMOS

Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.

Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.

Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.

Workaround:
None. You can safely ignore this error message in this case.

477992-3 : Instance-specific monitor logging fails for pool members created in iApps

Solution Article: K07450534

Component: Local Traffic Manager

Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.

Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.

Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.

Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.

476544-2 : mcpd core during sync

Component: TMOS

Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.

Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.

Impact:
mcpd cores and restarts if it runs out or memory. Only through inspection of the core file can this condition be detected.

Workaround:
None.

474901-1 : Profiles with a large number of regexps can cause excessive memory usage.

Component: Local Traffic Manager

Symptoms:
tmm crashes on out of memory.

Conditions:
This can occur if you are using a lot of profiles that rely on regular expressions, such as compression or deflate.

Impact:
Traffic disrupted while tmm restarts.

473755-1 : It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side

Component: Application Visibility and Reporting

Symptoms:
It's possible to open a connection to monpd's Thrift server and if the client does not actively close it, the connection will persist indefinitely (even if it's idle). As a result of this issue, you might experience the following symptoms: -- Cannot access event logs or reports.
-- Cannot run tmsh analytics commands.

Conditions:
Client system opens a connection to monpd's Thrift server (port 9090 or 9091), and does not close it.

Impact:
If the number of allowed connections to monpd's Thrift server is reached, monpd will not receive new connections. Since the idle connections can persist indefinitely this will deny service from monpd.

Workaround:
No workaround (except for manually killing open idle connections).

469366-3 : ConfigSync might fail with modified system-supplied profiles

Solution Article: K16237

Component: TMOS

Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.

Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.

Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'

Workaround:
One of the following: 1. Manually replicate the changes on the base profile to the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation. 3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsync'd changes on the other system.

467589-4 : Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.

Component: WebAccelerator

Symptoms:
The /usr/share/mysql/purge_mysql_logs.pl script that ships with the new install (and is run hourly via cron) throws an error. The script is meant to be exited if AAM, ASM and PSM are not provisioned, but the check is not done appropriately and it continues execution, failing later.

Conditions:
BIG-IP system with no AAM, ASM, and PSM provisioned, when running the script /etc/cron.hourly/purge_mysql_logs.pl (linked to /usr/share/mysql/purge_mysql_logs.pl)

Impact:
The script gives false output and attempts to execute invalid actions. The system posts the following error: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27.

Workaround:
Provision AAM, ASM, or PSM. Or modify the script using the following procedure:

Remount /usr partition as RW:
# mount -o remount -rw /usr

Edit /usr/share/mysql/purge_mysql_logs.pl and change the original check:

unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) {
exit 0;
}

to:

unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) {
exit 0;
}

464650-4 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
Mcpd restarts

Workaround:
None.

455066-2 : Read-only account can save system config

Component: TMOS

Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.

Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.

Impact:
Read-only users are able to run save sys config in tmsh.

Workaround:
None.

450136-3 : Occasionally customers see chunk boundaries as part of HTTP response

Component: Access Policy Manager

Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.

Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.

Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.

Workaround:
To workaround this problem, use an iRule to rechunk the HTTP response always.

438574-1 : Web UI: iSession Profile properties page displays incorrect parent profile name.

Component: TMOS

Symptoms:
Local Traffic :: Profiles :: iSession Profile properties page displays incorrect parent profile name.

Conditions:
-- Viewing parent profile for an iSession profile.
-- 'iSession' is set as parent profile .
-- Another profile exists with name beginning from 'a' to 'h'.

Impact:
Incorrect information is displayed on the GUI even though the database has the correct information.

Workaround:
View the properties of iSession profile from tmsh.

436116-1 : The tcpdump utility may fail to capture packets

Solution Article: K43726131

Component: TMOS

Symptoms:
Although packets are flowing correctly through the BIG-IP system, the tcpdump utility may capture no packets when certain command options are used.

Conditions:
This issue occurs when all of the following conditions are met:

- You configure tcpdump to listen for packets on a physical interface (e.g., -i 1.1).

- You configure tcpdump to save the packets to a file in binary format (e.g., -w /var/tmp/example.pcap).

- You configure tcpdump to produce verbose output while capturing packets (e.g., -v, -vv or -vvv).

Impact:
The tcpdump utility does not capture any packets, which may create confusion for a BIG-IP Administrator performing troubleshooting on the system. This issue does not affect the traffic-passing abilities of the system, however.

Workaround:
You can work around this issue by starting the tcpdump utility without the -v, -vv or -vvv verbose output options.

435419-4 : Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.

Solution Article: K10402225

Component: Access Policy Manager

Symptoms:
Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.

Conditions:
-- Attempt to upload a current EPSEC file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.

Impact:
mcpd crashes, followed by multiple cores.

Workaround:
Upload the EPSEC file completely, and try the installation again.

433572-4 : DTLS does not work with rfcdtls cipher on the B2250 blade

Component: Local Traffic Manager

Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.

Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using dtls on vCMP.

Impact:
DTLS does not work with rfcdtls cipher on the B2250 blade

Workaround:
None.

431480-1 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.

417819-2 : APM - when Edge Clients, some JS contents are different causing warning

Solution Article: K69046914

Component: Access Policy Manager

Symptoms:
Intermittent JS Error in sesstimeout.js during access to full webtop by Edge Clients.

Conditions:
-- At least two different Edge Clients with User Agent strings based on Internet Explorer version 11 (IE11).
-- A version of IE earlier that IE11 is used to access full webtop resource.

Impact:
If 'Display notification about all script errors' is enabled in IE (Internet Options :: Advanced tab) IE displays JS error messages. One client might encounter a JS Syntax error, depending on TMM count and APM RAMCACHE content.

Note: There is no impact on product functionality, because Edge Clients do not call JS code from sesstimeout.js. The error is cosmetic only and can be ignored.

Workaround:
Special APM resource assignment branch for standalone Edge Clients can be configured in VPE to access 'webtop-type network', (NA_only_webtop resource does not include /vdesk/sesstimeout.js and /vdesk/hometab.js).

405898-2 : If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected

Component: Local Traffic Manager

Symptoms:
If the maximum transmission unit (MTU) for a network running OSPF is different from ZebOS, or if its neighbor router has configured for its interface MTU, OSPF adjacencies may not form, or some datagrams may be rejected.

Conditions:
TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface. OSPF running on that interface.

Impact:
OSPF adjacencies never fully form and routes are not exchanged.

Workaround:
Restarting TMM clears the cached maximum transmission unit (MTU), and allowing all interface MTUs to function with default values should prevent a mismatch.

396273-2 : Error message in dmesg and kern.log: vpd r/w failed

Component: TMOS

Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.

Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.

Impact:
This is a benign firmware message, and you can safely ignore it.

Workaround:
There is no workaround, but this is not a functional issue.

375434-6 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization. This occurs after the BIG-IP is rebooted, which is automatically triggered when this condition occurs.

Workaround:
None.

374067-7 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

Solution Article: K14098

Component: Local Traffic Manager

Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.

Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.

Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.

Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.

369640-1 : Folder path objects in iRules can have only a single context per script

Solution Article: K17195

Component: Local Traffic Manager

Symptoms:
If an iRule is assigned to two different virtual servers in different contexts, the first time the rule runs any internal object conversions/lookups will be performed in the first context. When the second virtual runs the same rule, it will assume that the objects that have been looked up are correct, and point to the wrong members.

Conditions:
Two virtual servers in different folder paths use short names for objects like pools, procs, nodes and virtual servers.

Impact:
iRule can point to objects outside the current folder path.

Workaround:
Give each virtual servers its own copy of the iRule (it is not necessary to provide complete folder paths).

369407-3 : Access policy objects are created inconsistently depending on whether created using wizard or manually.

Component: Access Policy Manager

Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.

Conditions:
This is evident when viewing the label following completion of the NA wizard.

Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.

Workaround:
None.

362511 : HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs

Solution Article: K52162658

Component: Access Policy Manager

Symptoms:
Portal Access can incorrectly rewrite CSS in HTML style attributes if it contains HTML entities.

Conditions:
Inline CSS style attributes contains HTML entities.

For example,
<div style="background:url('image.jpg')">
becomes
<div style="background:url(&#39?F5CH=I;image.jpg')">
which cannot be interpreted correctly by a browser. As a result, the image won't be displayed.

Impact:
Some images on the page accessed through Portal Access may fail to load.

Workaround:
Before rewriting, use an iRule to substitute HTML entities in positions significant for parser (i.e., keywords, attribute names, quotes, brackets, colons, etc.) with the corresponding characters.

247527-2 : Mgmt interface cannot be disabled via tmsh

Solution Article: K14890

Component: TMOS

Symptoms:
Issuing a tmsh command to disable the management interface of a blade or appliance appears to succeed, but the management interface is not actually disabled.

Conditions:
This problem occurs on the following hardware platforms:
BIG-IP 1500, 3400, 3410, 6400, 6800, 8400, and 8800 appliances.

This problem does not occur on the following hardware platforms:
BIG-IP 1600, 3600, 3900, 6900, 8900-series and 11000-series appliances.

Impact:
After using the tmsh utility to set the mgmt interface to a disabled state, the tmsh utility will show the mgmt interface as disabled. However, the mgmt interface still responds to network traffic, including ping and ssh.

Workaround:
There are three possible ways to work around this issue:

1) Unplug the management interface if it is not intended to be used.

2) Bring down the switch interface to which the management port connects.

3) Disable the management interface using the following information below.

Important: This workaround might cause unintended consequences. Only use this option as a last resort, as disabling the management interface may remove the ability for the Linux host to communicate with several of the BIG-IP subsystems. As a result of this loss of communication, certain BIG-IP features may not function as expected or at all.

For platforms that expose a 'mgmt' interface via ifconfig, run the command: ifconfig mgmt down. To bring the 'mgmt' interface back up, run the command ifconfig mgmt up.

For platforms that do not expose a 'mgmt' interface via ifconfig, run the command: ifconfig eth0 down. To bring 'eth0' interface back up, run the command ifconfig eth0 up.

224665-2 : Proxy Exclusion List setting is not aware of administrative partitions

Solution Article: K12711

Component: TMOS

Symptoms:
The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group.

Conditions:
Using VLAN groups and proxy exclusion.

Impact:
Results in issues for the VLAN group.

Workaround:
None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions , available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.

222409-6 : The HTTP::path iRule command may return more information than expected

Solution Article: K9952

Component: Local Traffic Manager

Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.

The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:

GET /dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the resource URI is /dir2/dir2/file.ext, and the protocol version is HTTP/1.1.

Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:

GET http://www.example.org:80/dir1/dir2/file.ext

In this example, the method token is GET, the resource URI is http://www.example.org/dir2/dir2/file.ext, and the protocol version is HTTP/1.1.

Impact:
The HTTP::path iRule command should return the following path value for both requests:

/dir1/dir2/file.ext

However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:

www.example.org:80/dir1/duir2/file.ext

Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.

Note: For more information about the HTTP::path iRule command, refer to HTTP:path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.

Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:

when HTTP_REQUEST {
log local0. "Path: [URI::path [HTTP::uri]][URI::basename [HTTP::uri]]"
}

★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade

*********************** NOTICE ***********************

For additional support resources and technical documentation, see:

The F5 Networks Technical Support web site: http://www.f5.com/support/
The AskF5 web site: https://support.f5.com/csp/#/home
The F5 DevCentral web site: http://devcentral.f5.com/

******************************************************

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IP AAM

BIG-IP APM

BIG-IP Analytics

BIG-IP Link Controller

BIG-IP LTM

BIG-IP PEM

BIG-IP AFM

BIG-IP DNS

BIG-IP ASM

Cumulative fix details for BIG-IP v12.1.3.6 that are included in this release

720880 : Attempts to license/re-license the BIG-IP system fail.

720756 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS

720695-2 : Export then import of Profile/Policy with advanced customization is failing

720391-1 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'

720104 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

720030-3 : Enable EDNS flag for internal Kerberos DNS SRV queries

718208-1 : Unable to install Network Access plugin on Linux Ubuntu 16.04 w/ Firefox v52 ESR using SUDO

718071-3 : HTTP2 with ASM policy not passing traffic

716992-3 : The ASM bd process may crash

716747-4 : TMM core with SWG Transparent

715923-3 : When processing TLS traffic TMM may reset connections

715250-2 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED

715207-2 : coapi errors while modifying per-request policy in VPE

715090 : PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers

714879-1 : APM CRLDP Auth passes all certs

714848 : OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled

714542-1 : 'Always Connected Mode' text is missing in EdgeClient tray

713951-3 : tmm core files produced by nitrox_diag may be missing data

713934-4 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

713533-3 : list self-ip with queries does not work

713491-1 : IKEv1 logging shows spi of deleted SA with opposite endianess

713066-3 : Connection failure during DNS lookup to disabled nameserver can crash TMM

712924 : In VPE SecurID servers list are not being displayed in SecurID authentication dialogue

712857-1 : SWG-Explicit rejects large POST bodies during policy evaluation

712475-1 : DNS zones without servers will prevent DNS Express reading zone data

712464-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

712437-1 : Records containing hyphens (-) will prevent child zone from loading correctly

712362-1 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

712315-1 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly

711570-1 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies

711547 : Update cipher support for Common Criteria compliance

711281-3 : nitrox_diag may run out of space on /shared

711093-2 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

710827-4 : TMUI dashboard daemon stability issue

710705-3 : Multiple Wireshark vulnerabilities

710602 : iCRD commands requiring 'root' user access fixed

710424-3 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

710327-3 : Remote logger message is truncated at NULL character.

710314-2 : TMM may crash while processing HTML traffic

710244-1 : Memory Leak of access policy execution objects

710211 : Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.

710148-4 : CVE-2017-1000111 & CVE-2017-1000112

709972-4 : CVE-2017-12613: APR Vulnerability

709688-5 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733

709610-1 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

709334-2 : Memory leak when SSL Forward proxy is used and ssl re-negotiates

708956 : During system boots up, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

708653-3 : TMM may crash while processing TCP traffic

708249-4 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

708114-3 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

708054-3 : Web Acceleration: TMM may crash on very large HTML files with conditional comments

707951 : Stalled mirrored flows on HA next-active when OneConnect is used.

707888 : Some ASM operations delayed due to scheduled ASU update

707675 : FQDN nodes or pool members flap when DNS response received

707447-2 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.

707445 : Nitrox 3 compression hangs/unable to recover

707310-1 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)

707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

707207-2 : iRuleLx returning undefined value may cause TMM restart

707147-2 : High CPU consumed by asm_config_server_rpc_handler_async.pl

706845-1 : False positive illegal multipart violation

706631 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

706423-2 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

706374-2 : [Kerberos SSO] krb5 library need to use threadsafe res_ninit, res_nsearch instead of res_init, res_search