Applies To:
BIG-IP AAM
- 12.1.4
BIG-IP APM
- 12.1.4
BIG-IP Link Controller
- 12.1.4
BIG-IP Analytics
- 12.1.4
BIG-IP LTM
- 12.1.4
BIG-IP AFM
- 12.1.4
BIG-IP PEM
- 12.1.4
BIG-IP DNS
- 12.1.4
BIG-IP ASM
- 12.1.4
BIG-IP Release Information
Version: 12.1.4
Build: 8.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
671498-3 | CVE-2017-3143 | K02230327 | BIND zone contents may be manipulated |
724680-3 | CVE-2018-0732 | K21665601 | OpenSSL Vulnerability: CVE-2018-0732 |
643554-12 | CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 | K37526132 K44512851 K43570545 | OpenSSL vulnerabilities - OpenSSL 1.0.2k library update |
701785-3 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
734527-4 | 3-Major | | BGP 'capability graceful-restart' for peer-group not properly advertised when configured |
600385-1 | 3-Major | K43295141 | BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout |
597899-1 | 3-Major | K86025623 | Disabling all pool members may not be reflected in Virtual Server status |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
741423-1 | 2-Critical | | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync |
738887-2 | 2-Critical | | The snmpd daemon may leak memory when processing requests. |
738119-3 | 2-Critical | | SIP routing UI does not follow best practices |
723722-3 | 2-Critical | | MCPD crashes if several thousand files are created between config syncs. |
723298-3 | 2-Critical | | BIND upgrade to version 9.11.4 |
700386-1 | 2-Critical | | mcpd may dump core on startup |
697424 | 2-Critical | | iControl-REST crashes on /example for firewall address-lists |
691589 | 2-Critical | | When using LDAP client auth, tamd may become stuck |
689437-2 | 2-Critical | K49554067 | icrd_child cores due to infinite recursion caused by incorrect group name handling |
638091-4 | 2-Critical | | Config sync after changing named pool members can cause mcpd on secondary blades to restart |
594366-1 | 2-Critical | K21271097 | Occasional crash of icrd_child when BIG-IP restarts |
748187-1 | 3-Major | | 'Transaction Not Found' Error on PATCH after Transaction has been Created |
720713-3 | 3-Major | | TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail |
720651-3 | 3-Major | | Running Guest Changed to Provisioned Never Stops |
720461-3 | 3-Major | | qkview prompts for password on chassis |
711249-2 | 3-Major | | NAS-IP-Address added to RADIUS packet unexpectedly |
707391-4 | 3-Major | | BGP may keep announcing routes after disabling route health injection |
706354-1 | 3-Major | | OPT-0045 optic unable to link |
706104-2 | 3-Major | | Dynamically advertised route may flap |
705037-3 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart |
704449-4 | 3-Major | | Orphaned tmsh processes might eventually lead to an out-of-memory condition |
700827-2 | 3-Major | | B2250 blades may lose efficiency when source ports form an arithmetic sequence. |
700757-2 | 3-Major | | vcmpd may crash when it is exiting |
698619-1 | 3-Major | | Disable port bridging on HSB ports for non-vCMP systems |
693884-3 | 3-Major | | ospfd core on secondary blade during network instability |
692189-3 | 3-Major | | errdefsd fails to generate a core file on request. |
689002-1 | 3-Major | | Stack overflow when JSON is deeply nested |
676705-2 | 3-Major | | do not run agetty on VE without serial port |
673974-1 | 3-Major | K63225596 | agetty auto detects parity on console port incorrectly |
671447-2 | 3-Major | | ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form |
666884-2 | 3-Major | K27056204 | Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform★ |
658557-2 | 3-Major | | The snmpd daemon may leak memory when processing requests. |
653888-2 | 3-Major | | BGP advertisement-interval attribute ignored in peer group configuration |
652877-3 | 3-Major | | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades |
642923-2 | 3-Major | K01951295 | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system |
639575-5 | 3-Major | | Using libtar with files larger than 2 GB will create an unusable tarball |
628402-4 | 3-Major | K79213220 | Operator users receive 'can't get object count from mcpd' error in response to certain commands |
613509-1 | 3-Major | K49101035 | platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve |
610449-2 | 3-Major | | restarting mcpd on guest makes block-device-images disappear |
602566-5 | 3-Major | | sod daemon may crash during start-up |
598289-4 | 3-Major | | TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port> |
598085-2 | 3-Major | | Expected telemetry is not transmitted by sFlow on the standby-mode unit. |
563905-2 | 3-Major | K62975642 | vCMP guest fails to go Active after the host system is rebooted |
491560-1 | 3-Major | | Using proxy for IP intelligence updates |
737389 | 4-Minor | | kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed |
674145-3 | 4-Minor | | chmand error log message missing data |
608348-4 | 4-Minor | | Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system |
530775-4 | 4-Minor | | Login page may generate unexpected HTML output |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
744117-6 | 2-Critical | | The HTTP URI is not always parsed correctly |
740490-2 | 2-Critical | | Configuration changes involving HTTP2 or SPDY may leak memory |
739927-1 | 2-Critical | | Bigd crashes after a specific combination of logging operations |
737758-1 | 2-Critical | | MPTCP Passthrough and VIP-on-VIP can lead to TMM core |
727044-1 | 2-Critical | | TMM may crash while processing compressed data |
726239-3 | 2-Critical | | interruption of traffic handling as sod daemon restarts TMM |
724868-2 | 2-Critical | K11662998 | dynconfd memory usage increases over time |
716900-1 | 2-Critical | | TMM core when using MPTCP |
714181-3 | 2-Critical | | TMM may crash while processing TCP traffic |
663178-1 | 2-Critical | | tmm may crash sometimes using VPN |
606035-1 | 2-Critical | | csyncd crash |
738521-2 | 3-Major | | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag. |
714559-1 | 3-Major | | Removal of HTTP hash persistence cookie when a pool member goes down. |
710028-4 | 3-Major | | LTM SQL monitors may stop monitoring if multiple monitors querying same database |
708068-3 | 3-Major | | Tcl commands like "HTTP::path -normalize" do not return normalized path. |
706102-3 | 3-Major | | SMTP monitor does not handle all multi-line banner use cases |
701678-1 | 3-Major | | Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded |
695925-3 | 3-Major | | tmm crash when showing connections for a CMP disabled virtual server |
693910-2 | 3-Major | | Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series) |
693582-3 | 3-Major | | Monitor node log not rotated for icmp monitor types |
680264 | 3-Major | K18653445 | HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags |
674591-2 | 3-Major | K37975308 | Packets with payload smaller than MSS are being marked to be TSOed |
672312-2 | 3-Major | | IP ToS may not be forwarded to serverside with syncookie activated |
666595-2 | 3-Major | | Monitor node log fd leak by bigd instances not actively monitoring node |
662816-2 | 3-Major | K61902543 | Monitor node log fd leak for certain monitor types |
653930-2 | 3-Major | K69713140 | Monitor with description containing backslash may fail to load. |
613618-1 | 3-Major | | The TMM crashes in the websso plugin. |
611482-4 | 3-Major | K71450348 | Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule). |
610138-2 | 3-Major | | STARTTLS in SMTPS filter does not properly restrict I/O buffering |
605147-1 | 3-Major | | No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections. |
598707-4 | 3-Major | | Path MTU does not work in self-IP flows |
586621-7 | 3-Major | K36008344 | SQL monitors 'count' config value does not work as expected. |
628016-2 | 4-Minor | | MP_JOIN always fails if MPTCP never receives payload data |
618884-1 | 4-Minor | | Behavior when using VLAN-Group and STP |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
750488 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records |
750484 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records |
750472 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records |
750457 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records |
749774-2 | 3-Major | | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled |
749675-2 | 3-Major | | DNS cache resolver may return a malformed truncated response with multiple OPT records |
737332-2 | 3-Major | | It is possible for DNSX to serve partial zone information for a short period of time |
723792-3 | 3-Major | | GTM regex handling of some escape characters renders it invalid |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
741108 | 2-Critical | | tmm dosl7 memory leak when X-Forwarded-For header value contains a long list of comma separated ip addresses |
745358-4 | 3-Major | | ASM GUI does not follow best practices |
744347-1 | 3-Major | | Protocol Security logging profiles cause slow ASM upgrade and apply policy |
739945-1 | 3-Major | | JavaScript challenge on POST with 307 breaks application |
738789-3 | 3-Major | | ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog |
738647-1 | 3-Major | | Add the login detection criteria of 'status code is not X' |
737998 | 3-Major | | Brute Force end attack condition isn't satisfied for successful logins only |
698757-1 | 3-Major | K58143082 | Standby system saves config and changes status after sync from peer |
664714-1 | 3-Major | | Client-side challenge is changing POST parameter value under some circumstances |
642185-1 | 3-Major | | Add support for IBM AppScan scanner schema changes |
613728-1 | 3-Major | | Import/Activate Security policy with 'Replace policy associated with virtual server' option fails |
569195-1 | 3-Major | | A Set-Cookie for an existing ASM cookie without value change |
542817-1 | 3-Major | K11619228 | Specific numbers that are not credit card numbers are being masked as such |
653895 | 4-Minor | | Admin user cannot edit policy |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
616161-1 | 2-Critical | | BD process crash and restarts |
737597 | 3-Major | | AVR DoS Attack report misses virtual server name in a specific config |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
740777-2 | 2-Critical | | Secondary blades mcp daemon restart when subroutine properties are configured |
737442-1 | 2-Critical | | Error in APM Hosted Content when set to public access |
672221 | 2-Critical | | TMM cores if the certificate configured to validate message signature does not exist. |
631060-1 | 2-Critical | | BIG-IP may incorrectly reject serverside connection when REQLOG is configured. |
745574-4 | 3-Major | | URL is not removed from custom category when deleted |
739744-2 | 3-Major | | Import of Policy using Pool with members is failing |
726592-2 | 3-Major | | Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop |
628712-1 | 3-Major | K53129098 | Advanced customization doesn't work for Profiles in non-common partition with . (period) with name |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
706642-3 | 2-Critical | | wamd may leak memory during configuration changes and cluster events |
603746-1 | 4-Minor | | DCDB security hardening |
603658-1 | 4-Minor | | AAM security hardening |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
724532-1 | 2-Critical | | SIG SEGV during IP intelligence category match in TMM |
710755-2 | 2-Critical | K30572159 | Crash when cached route information becomes stale and the system accesses the information from it. |
699454-3 | 4-Minor | | Web UI does not follow current best coding practices |
699452-3 | 4-Minor | | Web UI does not follow current best coding practices |
627454 | 4-Minor | | Trimming leading whitespaces at logging profile creation |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
744516-2 | 2-Critical | | TMM panics after a large number of LSN remote picks |
734446-3 | 2-Critical | | TMM crash after changing LSN pool mode from PBA to NAPT |
669645-1 | 2-Critical | K44021449 | tmm crashes after LSN pool member change |
663531-1 | 2-Critical | | TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
746868 | 2-Critical | | memory leakage when "apply to base domain" is enabled |
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
739094-4 | CVE-2018-5546 | K54431371 | APM Client Vulnerability: CVE-2018-5546 |
737441-1 | CVE-2018-5546 | K54431371 | Disallow hard links to svpn log files |
726089-3 | CVE-2018-15312 | K44462254 | Modifications to AVR metrics page |
724339-2 | CVE-2018-15314 | K04524282 | Unexpected TMUI output in AFM |
724335-2 | CVE-2018-15313 | K21042153 | Unexpected TMUI output in AFM |
722091-2 | CVE-2018-15319 | K64208870 | TMM may crash while processing HTTP traffic |
717742-3 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerability CVE-2018-2783 |
707990-3 | CVE-2018-15315 | K41704442 | Unexpected TMUI output in SSL Certificate Instance page |
704184-3 | CVE-2018-5529 | K52171282 | APM MAC Client create files with owner only read write permissions |
701253-3 | CVE-2018-15318 | K16248201 | TMM core when using MPTCP |
719554-3 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
715750-3 | 3-Major | | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection. |
652671-4 | 3-Major | K31326690 | Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
721924-3 | 2-Critical | | bgpd may crash processing extended ASNs |
716391-3 | 2-Critical | K76031538 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation |
690793-2 | 2-Critical | K25263287 | TMM may crash and dump core due to improper connflow tracking |
688148-1 | 2-Critical | | IKEv1 racoon daemon SEGV during phase-two SA list iteration |
613476-2 | 2-Critical | | IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion |
704247-3 | 3-Major | | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted |
686124-3 | 3-Major | K83576240 | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs |
678380-3 | 3-Major | K26023811 | Deleting an IKEv1 peer in current use could SEGV on race conditions. |
674486-5 | 3-Major | | Expat Vulnerability: CVE-2017-9233 |
671712 | 3-Major | | The values returned for the ltmUserStatProfileStat table are incorrect. |
670528-1 | 3-Major | K20251354 | Warnings during vCMP host upgrade. |
620746-1 | 3-Major | | MCPD crash |
580602-1 | 3-Major | | Configuration containing LTM nodes with IPv6 link-local addresses fail to load. |
551925-3 | 3-Major | | Misdirected UDP traffic with hardware acceleration |
464650-4 | 3-Major | | Failure of mcpd with invalid authentication context. |
689211-2 | 4-Minor | | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 } |
678254-2 | 4-Minor | | Error logged when restarting Tomcat |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
722387-2 | 2-Critical | | TMM may crash when processing APM DTLS traffic |
716213-3 | 2-Critical | | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic |
697259-1 | 2-Critical | K14023450 | Different versioned vCMP guests on the same chassis may crash. |
694656-3 | 2-Critical | K05186205 | Routing changes may cause TMM to restart |
666401-2 | 2-Critical | K03294104 | Memory might become corrupted when a Standby device transitions to Active during failover |
659709-1 | 2-Critical | | Mirroring persistence records may cause a TMM memory leak |
641869-1 | 2-Critical | K62744980 | Assertion "vmem_hashlist_remove not found" failed. |
635191-1 | 2-Critical | | Under rare circumstances TMM may crash |
618106-1 | 2-Critical | K74714343 | bigd core due to memory leak, especially with FQDN nodes |
615097-1 | 2-Critical | | Incorrect use of HTTP::collect leads to TMM core. |
513310-1 | 2-Critical | | TMM might core when a profile is changed. |
722677-3 | 3-Major | | High-Speed Bridge may lock up |
722363-1 | 3-Major | | Client fails to connect to server when using PVA offload at Established |
720293-1 | 3-Major | | HTTP2 IPv4 to IPv6 fails |
712664-4 | 3-Major | | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address |
711981-3 | 3-Major | | BIG-IP system accepts larger-than-egress MTU, PMTU update |
700696-2 | 3-Major | | SSID does not cache fragmented Client Certificates correctly via iRule |
694697-3 | 3-Major | K62065305 | clusterd logs heartbeat check messages at log level info |
693308-3 | 3-Major | | SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain |
691224-1 | 3-Major | K59327001 | Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled |
671725-1 | 3-Major | K19920320 | Connection leak on standby unit |
661828-1 | 3-Major | | TMM may consume excessive resources when processing SSL traffic |
632968-2 | 3-Major | | supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails |
600812-1 | 3-Major | | IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet. |
578971-3 | 3-Major | | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed |
572234-2 | 3-Major | | When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. |
716922-4 | 4-Minor | | Reduction in PUSH flags when Nagle Enabled |
622148-5 | 4-Minor | | flow generated icmp error message need to consider which side of the proxy they are |
602708-2 | 4-Minor | | Traffic may not passthrough CoS by default |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
718885-1 | 2-Critical | K25348242 | Under certain conditions, monitor probes may not be sent at the configured interval |
726255-3 | 3-Major | | dns_path lingering in memory with last_access 0 causing high memory usage |
719644-1 | 3-Major | | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★ |
715448-1 | 3-Major | | Providing LB::status with a GTM Pool name in a variable caused validation issues |
710246-3 | 3-Major | | DNS-Express was not sending out NOTIFY messages on VE |
636790-3 | 3-Major | | Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
739798 | 2-Critical | | Massive number of log messages being generated and written to the bd.log. |
734622 | 2-Critical | K83093212 | Policy change with newly enforced signatures causes sig collection failure in other policies |
721741-2 | 2-Critical | | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative |
716788-3 | 2-Critical | | TMM may crash while response modifications are being performed within DoSL7 filter |
685230-1 | 2-Critical | | memory leak on a specific server scenario |
666221-2 | 2-Critical | K47152503 | tmm may crash from DoSL7 |
617391-1 | 2-Critical | K53345828 | Custom ASM Search Engines causing sync, offline, and upgrade issues★ |
721752-1 | 3-Major | | Null char returned in REST for Suggestion with more than MAX_INT occurrences |
713282-3 | 3-Major | | Remote logger violation_details field does not appear when virtual server has more than one remote logger |
701856-2 | 3-Major | | Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart |
701039 | 3-Major | | Requests do not appear in local logging due to rare file descriptor exhaustion |
676223-2 | 3-Major | | Internal parameter in order not to sign allowed cookies |
650070-2 | 3-Major | K23041827 | iRule that uses ASM violation details may cause the system to reset the request |
648639-3 | 3-Major | K92201230 | TS cookie name contains NULL or other raw byte |
646800-2 | 3-Major | | A part of the request is not sent to ICAP server in a specific case |
644725-4 | 3-Major | K01914292 | Configuration changes while removing ASM from the virtual server may cause graceful ASM restart |
614730-1 | 3-Major | | Session opening log shows incorrect number of challenged responses. |
564324-2 | 3-Major | | ASM scripts can break applications |
463314-2 | 4-Minor | | Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
685741 | 3-Major | | DoS Overview is very slow to load data, to the point of timeout |
649177-2 | 3-Major | K54018808 | Testing for connection to SMTP Server always returns "OK" |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
722013-3 | 2-Critical | | MCPD restarts on all secondary blades post config-sync involving APM customization group |
631286-1 | 2-Critical | | TMM Memory leak caused by APM URI cache entries |
546489-1 | 2-Critical | | VMware View USB redirection stops working after client reconnect |
739144-1 | 3-Major | | Domain logoff scripts runs after VPN connection is closed |
738397-2 | 3-Major | | SAML IdP-initiated case that has a per-request policy with a logon page in a subroutine fails. |
726895-1 | 3-Major | | VPE cannot modify subroutine settings |
713655-3 | 3-Major | | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities |
703793-1 | 3-Major | | tmm restarts when using 'ACCESS::perflow get' in certain events |
702873-3 | 3-Major | | Windows Logon Integration feature may cause Windows logon screen freeze |
631626 | 3-Major | | Unable to delete an access profile which contains a route domain agent |
631048-1 | 3-Major | | Portal Access [PeopleSoft] 'My Preferences' page does not have content |
596166-1 | 3-Major | | Cannot create email using Address Book |
565347-2 | 3-Major | | Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction |
721375 | 4-Minor | | Export then import of config with RSA server in it might fail |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
603755-1 | 2-Critical | | dwbld core dump when Auto Blacklisting is configured, in a rare scenario |
698806-2 | 3-Major | | Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
738669-3 | 3-Major | | Login validation may fail for a large request with early server response |
716318-4 | 3-Major | | Engine/Signatures automatic update check may fail to find/download the latest update |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
726303 | 3-Major | | Unlock 10 million custom db entry limit |
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
716992-3 | CVE-2018-5539 | K75432956 | The ASM bd process may crash |
715923-3 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may reset connections |
710244-1 | CVE-2018-5536 | K27391542 | Memory Leak of access policy execution objects |
709972-4 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
709688-5 | CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 | K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 |
693744-3 | CVE-2018-5531 | K64721111 | CVE-2018-5531: vCMP vulnerability |
710705-3 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
710314-2 | CVE-2018-5537 | K94105051 | TMM may crash while processing HTML traffic |
710148-4 | CVE-2017-1000111 CVE-2017-1000112 | K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
705476-4 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
703940-3 | CVE-2018-5530 | K45611803 | Malformed HTTP/2 frame consumes excessive system resources |
698813-3 | CVE-2018-5538 | K45435121 | When processing DNSX transfers ZoneRunner does not enforce best practices |
677088-4 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
672124-3 | CVE-2018-5541 | K12403422 | Excessive resource usage when BD is processing requests |
714879-1 | CVE-2018-15326 | K34652116 | APM CRLDP Auth passes all certs |
708653-3 | CVE-2018-15311 | K07550539 | TMM may crash while processing TCP traffic |
673165 | CVE-2017-7895 | K15004519 | CVE-2017-7895: Linux Kernel Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
671999-2 | 3-Major | | Re-extract the Thales software every time the installation script is run |
643034-1 | 3-Major | | Turn off TCP Proxy ICMP forwarding by default |
620445-4 | 3-Major | | New SIP::persist keyword to set the timeout without changing key |
613023-4 | 3-Major | | Update SIP::Persist to support resetting timeout value. |
441079-2 | 3-Major | K55242686 | BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved |
693007-3 | 4-Minor | | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
700315-3 | 1-Blocking | K26130444 | Ctrl+C does not terminate TShark |
636774-1 | 1-Blocking | | Potential TMM crash credits to BWC token distribution logic |
723130-3 | 2-Critical | | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file |
707003-2 | 2-Critical | | Unexpected syntax error in TMSH AVR |
706423-2 | 2-Critical | | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption |
696113-1 | 2-Critical | | Extra IPsec reference added per crypto operation overflows connflow refcount |
692158-2 | 2-Critical | | iCall and CLI script memory leak when saving configuration |
690819-3 | 2-Critical | | Using an iRule module after a 'session lookup' may result in crash |
671314-4 | 2-Critical | K37093335 | BIG-IP system cores when sending SIP SCTP traffic |
665362-4 | 2-Critical | | MCPD might crash if the AOM restarts |
663197-3 | 2-Critical | | Security hardening of files to prevent sensitive configuration from being stored in qkview. |
626861-2 | 2-Critical | K31220138 | Ensure unique IKEv2 sequence numbers |
599223-1 | 2-Critical | | Prevent static destructors in tmipsecd daemon |
581851-2 | 2-Critical | K16234725 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands |
559980-1 | 2-Critical | | Change console baud rate requires reboot to take effect |
508113-3 | 2-Critical | | tmsh load sys config base merge file <filename> fails |
720880 | 3-Major | | Attempts to license/re-license the BIG-IP system fail. |
720756 | 3-Major | | SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS |
720104 | 3-Major | | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware' |
714848 | 3-Major | | OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled |
710827-4 | 3-Major | | TMUI dashboard daemon stability issue |
710602 | 3-Major | | iCRD commands requiring 'root' user access fixed |
707445 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
704336-3 | 3-Major | | Updating 3rd party device cert not copied correctly to trusted certificate store |
704282-3 | 3-Major | | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy |
701900 | 3-Major | K55938217 | DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease. |
698947-1 | 3-Major | | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled. |
694740-1 | 3-Major | | BIG-IP reboot during a TMM core results in an incomplete core dump |
693106-2 | 3-Major | | IKEv1 newest established phase-one SAs should be found first in a search |
692179-3 | 3-Major | | Potential high memory usage from errdefsd. |
687905 | 3-Major | K72040312 | OneConnect profile causes CMP redirected connections on the HA standby |
687534-3 | 3-Major | | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page |
686926-3 | 3-Major | | IPsec: responder N(cookie) in SA_INIT response handled incorrectly |
684391-1 | 3-Major | | Existing IPsec tunnels reload. tmipsecd creates a core file. |
680838-3 | 3-Major | | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator |
679347-3 | 3-Major | K44117473 | ECP does not work for PFS in IKEv2 child SAs |
678925-4 | 3-Major | | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash. |
677928-2 | 3-Major | | A wrong source MAC address may be used in the outgoing IPsec encapsulated packets. |
676897-1 | 3-Major | | IPsec keeps failing to reconnect |
676092-1 | 3-Major | | IPsec keeps failing to reconnect |
675718-1 | 3-Major | | IPsec keeps failing to reconnect |
669268 | 3-Major | | Failover in the same availability zone of AWS may fail when AWS services are intermittently available. |
667223 | 3-Major | | The merge option for the tmsh load sys config command removes existing nested objects |
666035-1 | 3-Major | | Obscuring secrets in files collected by qkview |
621314-6 | 3-Major | K55358710 | SCTP virtual server with mirroring may cause excessive memory use on standby device |
617865-1 | 3-Major | | Missing health monitor information for FQDN members |
605270-5 | 3-Major | | On some platforms the SYN-Cookie status report is not accurate |
588929-2 | 3-Major | | SCTP emits 'address conflict detected' log messages during failover |
588794-2 | 3-Major | | Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements |
588771-2 | 3-Major | | SCTP needs traffic-group validation for server-side client alternate addresses |
586938-1 | 3-Major | K57360106 | Standby device will respond to the ARP of the SCTP multihoming alternate address |
586031-1 | 3-Major | K40453207 | Configuration with LTM policy may fail to load |
525580-1 | 3-Major | K51013874 | tmsh load sys config merge file filename.scf base command does not work as expected |
685475-3 | 4-Minor | K93145012 | Unexpected error when applying hotfix |
680856-3 | 4-Minor | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector | |
679135-3 | 4-Minor | IKEv1 and IKEv2 cannot share common local address in tunnels | |
678388-3 | 4-Minor | K00050055 | IKEv1 racoon daemon is not restarted when killed multiple times |
658298-3 | 4-Minor | SMB monitor marks node down when file not specified | |
624484-2 | 4-Minor | K09023677 | Timestamps not available in bash history on non-login interactive shells |
573031-1 | 4-Minor | qkview may not collect certain configuration files in their entirety | |
720391-1 | 5-Cosmetic | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' | |
713491-1 | 5-Cosmetic | IKEv1 logging shows spi of deleted SA with opposite endianness | |
651826-2 | 5-Cosmetic | SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
718071-3 | 2-Critical | HTTP2 with ASM policy not passing traffic | |
709334-2 | 2-Critical | Memory leak when SSL Forward proxy is used and ssl re-negotiates | |
708114-3 | 2-Critical | K33319853 | TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed |
707447-2 | 2-Critical | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles. | |
707207-2 | 2-Critical | iRuleLx returning undefined value may cause TMM restart | |
703914-1 | 2-Critical | TMM SIGSEGV crash in poolmbr_conn_dec. | |
686685-1 | 2-Critical | LTM Policy internal compilation error | |
683631-1 | 2-Critical | TMM crashes during stress test | |
678722-2 | 2-Critical | In SSL-O, TMM may core when SSL forward proxy cleans up certificate resources | |
676721-2 | 2-Critical | K33325265 | Missing check for NULL condition causes tmm crash. |
674004-1 | 2-Critical | K34448924 | tmm may crash after deleting pool member in traffic |
670804-2 | 2-Critical | K03163260 | Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP |
656898-2 | 2-Critical | 'oops' 'bad transition' messages occur | |
613524-3 | 2-Critical | TMM crash when calling HTTP::respond twice in LB_FAILED | |
598110-1 | 2-Critical | pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic. | |
586587-1 | 2-Critical | RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. | |
571651-3 | 2-Critical | K66544028 | Reset Nitrox3 crypto accelerator queue if it becomes stuck. |
440620-2 | 2-Critical | New connections may be reset when a client reuses the same port as it used for a recently closed connection | |
713951-3 | 3-Major | tmm core files produced by nitrox_diag may be missing data | |
713934-4 | 3-Major | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in malformed TC response | |
712475-1 | 3-Major | K56479945 | DNS zones without servers will prevent DNS Express reading zone data |
712464-1 | 3-Major | Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate | |
712437-1 | 3-Major | K20355559 | Records containing hyphens (-) will prevent child zone from loading correctly |
711281-3 | 3-Major | nitrox_diag may run out of space on /shared | |
707951 | 3-Major | Stalled mirrored flows on HA next-active when OneConnect is used. | |
704381-3 | 3-Major | SSL/TLS handshake failures and terminations are logged at too low a level | |
703580 | 3-Major | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host. | |
702151-2 | 3-Major | HTTP/2 can garble large headers | |
700889-2 | 3-Major | K07330445 | Software syncookies without TCP TS improperly include TCP options that are not encoded |
700061-3 | 3-Major | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file | |
700057-3 | 3-Major | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved | |
698916-3 | 3-Major | TMM crash with HTTP/2 under specific condition | |
698379-3 | 3-Major | K61238215 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( |
693838 | 3-Major | Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors | |
691806-3 | 3-Major | K61815412 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state |
688553-1 | 3-Major | SASP GWM monitor may not mark member UP as expected | |
685615-5 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
681757-1 | 3-Major | K32521651 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' |
678872-2 | 3-Major | Inconsistent behavior for virtual-address and selfip on the same ip-address | |
677525-3 | 3-Major | Translucent VLAN group may use unexpected source MAC address | |
676914-1 | 3-Major | The SSL Session Cache can grow indefinitely if the traffic group is changed. | |
676828-2 | 3-Major | K09012436 | Host IPv6 traffic is generated even when ipv6.enabled is false |
676355-2 | 3-Major | DTLS retransmission does not comply with RFC in certain resumed SSL session | |
675212-3 | 3-Major | The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication | |
673052-2 | 3-Major | On i-Series platforms, HTTP/2 is limited to 10 streams | |
671337-1 | 3-Major | NetHSM DNSSEC key creation can attempt to change the SELinux label on a file | |
668196-2 | 3-Major | Connection limit continues to be enforced with least-connections and pool member flap, member remains down | |
668006-1 | 3-Major | K12015701 | Suspended 'after' command leads to assertion if there are multiple pending events |
667707-2 | 3-Major | LTM policy associations with virtual servers are not ConfigSynced correctly | |
659519-1 | 3-Major | K42400554 | Non-default header-table-size setting on HTTP2 profiles may cause issues |
657883-2 | 3-Major | K34442339 | tmm cache resolver should not cache response with TTL=0 |
657626-2 | 3-Major | User with role 'Manager' cannot delete/publish LTM policy. | |
651541-2 | 3-Major | K83955631 | Changes to the HTTP profile do not trigger validation for virtual servers using that profile |
636289-2 | 3-Major | Fixed a memory issue while handling TCP::congestion iRule | |
633691-4 | 3-Major | HTTP transaction may not finish gracefully because TCP connection is closed by RST | |
624846-1 | 3-Major | TCP Fast Open does not work for Responses < 1 MSS | |
604838-1 | 3-Major | TCP Analytics incorrectly reports entities as "Aggregated" | |
595281-1 | 3-Major | TCP Analytics reports huge goodput numbers | |
570277-1 | 3-Major | K16044231 | SafeNet client not able to establish session to all HSMs on all blades. |
367226-4 | 3-Major | Outgoing RIP advertisements may have incorrect source port | |
251162-3 | 3-Major | K11564 | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name |
248914-4 | 3-Major | K00612197 | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address |
713533-3 | 4-Minor | list self-ip with queries does not work | |
708249-4 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | |
700433-2 | 4-Minor | K10870739 | Memory leak when attaching an LTM policy to a virtual server |
685467-2 | 4-Minor | K12933087 | Certain header manipulations in HTTP profile may result in losing connection. |
678801-2 | 4-Minor | WS::enabled returned empty string | |
677958-2 | 4-Minor | WS::frame prepend and WS::frame append do not insert string in the right place. | |
645729-1 | 4-Minor | SSL connection is not mirrored if ssl session cache is cleared and resume attempted | |
639970-3 | 4-Minor | GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error | |
627764-2 | 4-Minor | Prevent sending a 2nd RST for a TCP connection | |
627695-2 | 4-Minor | [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the uninstall during "safenet-sync.sh -u " are not operational | |
621379-2 | 4-Minor | TCP Lossfilter not enforced after iRule changes TCP settings | |
618024-2 | 4-Minor | software switched platforms accept traffic on lacp trunks even when the trunk is down | |
604272-1 | 4-Minor | SMTPS profile connections_current stat does not reflect actual connection count. | |
523814-3 | 4-Minor | When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections | |
522302-2 | 4-Minor | TCP Receive Window error messages are inconsistent on UI | |
495242-3 | 4-Minor | mcpd log messages: Failed to unpublish LOIPC object |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
713066-3 | 2-Critical | K10620131 | Connection failure during DNS lookup to disabled nameserver can crash TMM |
707310-1 | 2-Critical | DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs) | |
706128-1 | 3-Major | DNSSEC Signed Zone Transfers Can Leak Memory | |
705503-1 | 3-Major | Context leaked from iRule DNS lookup | |
680069-3 | 3-Major | K81834254 | zxfrd core during transfer while network failure and DNS server removed from DNS zone config★ |
675539-1 | 3-Major | Inter-system communications targeted at a Management IP address might not work in some cases. | |
672491-2 | 3-Major | K10990182 | net resolver uses internal IP as source if matching wildcard forwarding virtual server |
660263-4 | 3-Major | DNS transparent cache message and RR set activity counters not incrementing | |
653775-3 | 3-Major | K05397641 | Ampersand (&) in GTM synchronization group name causes synchronization failure. |
643813-2 | 3-Major | ZoneRunner does not properly process $ORIGIN directives | |
637227-4 | 3-Major | K60414305 | DNS Validating Resolver produces inconsistent results with DNS64 configurations. |
629421-1 | 3-Major | Big3d memory leak when adding/removing Wide IPs in a GTM sync pair. | |
609527-2 | 3-Major | DNS cache local zone not properly copying recursion desired (RD) flag in response | |
602300-1 | 3-Major | Zone Runner entries cannot be modified when sys DNS starts with IPv6 address | |
669262-2 | 4-Minor | [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record | |
638170-1 | 4-Minor | K36455356 | Pagination broken or missing while viewing pool statistics for GTM wideip |
605537-5 | 4-Minor | K03997964 | Error when resetting statistics on GSLB Pool Members |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
639767-2 | 2-Critical | Policy with Session Awareness Statuses may fail to export | |
606983-3 | 2-Critical | ASM errors during policy import | |
580862-1 | 2-Critical | Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes | |
712362-1 | 3-Major | ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase | |
710327-3 | 3-Major | Remote logger message is truncated at NULL character. | |
707888 | 3-Major | Some ASM operations delayed due to scheduled ASU update | |
707147-2 | 3-Major | High CPU consumed by asm_config_server_rpc_handler_async.pl | |
706845-1 | 3-Major | False positive illegal multipart violation | |
704143-2 | 3-Major | BD memory leak | |
700726-1 | 3-Major | Search engine list was updated, and fixing case of multiple entries | |
691897-1 | 3-Major | Names of the modified cookies do not appear in the event log | |
687759-2 | 3-Major | bd crash | |
686765-1 | 3-Major | Database cleaning failure may allow MySQL space to fill the disk entirely | |
683241-3 | 3-Major | K70517410 | Improve CSRF token handling |
674527-1 | 3-Major | TCL error in ltm log when server closes connection while ASM irules are running | |
666112-1 | 3-Major | K53708490 | TMM 'DoS Layer 7' memory leak during config load |
663396-1 | 3-Major | URL Method override is enforced incorrectly after upgrade | |
654996-1 | 3-Major | K50345236 | Closed connections remains in memory |
665470-1 | 4-Minor | Failed to load sample requests on the Traffic Learning page when VIOL_MALICIOUS_IP violation is raised | |
700812-2 | 5-Cosmetic | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
716747-4 | 2-Critical | TMM may crash while processing APM or SWG traffic | |
715250-2 | 2-Critical | TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED | |
681850-1 | 2-Critical | APMD process may fail to initialize on start either after upgrade or after adding certain configurations | |
671373-2 | 2-Critical | urldb core seen | |
632798-2 | 2-Critical | K30710317 | Double-free may occur if Access initialization fails |
720695-2 | 3-Major | Export then import of APM access Profile/Policy with advanced customization is failing | |
720030-3 | 3-Major | Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U) | |
718208-1 | 3-Major | Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO | |
715207-2 | 3-Major | coapi errors while modifying per-request policy in VPE | |
714542-1 | 3-Major | 'Always Connected Mode' text is missing in EdgeClient tray | |
712924 | 3-Major | In VPE SecurID servers list are not being displayed in SecurID authentication dialogue | |
712857-1 | 3-Major | SWG-Explicit rejects large POST bodies during policy evaluation | |
706374-2 | 3-Major | Heavy use of APM Kerberos SSO can sometimes lead to memory corruption | |
704524-2 | 3-Major | [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries | |
684937-6 | 3-Major | K26451305 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users |
683113-6 | 3-Major | K22904904 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users |
658664-3 | 3-Major | K21390304 | VPN connection drops when 'prohibit routing table change' is enabled |
609793-1 | 3-Major | HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response. | |
602429-1 | 3-Major | DNS suffix is not restored after disconnecting Network Access | |
543344-3 | 3-Major | ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event | |
516736-1 | 3-Major | URLs with backslashes in the path may not be handled correctly in Portal Access |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
703515-5 | 2-Critical | K44933323 | MRF SIP LB - Message corruption when using custom persistence key |
698338-2 | 2-Critical | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection | |
685708-3 | 2-Critical | Routing via iRule to a host without providing a transport from a transport-config created connection cores | |
669739-1 | 2-Critical | K71963740 | Potential core when using MRF SIP with SCTP |
659173-1 | 2-Critical | K76352741 | Diameter Message Length Limit Changed from 1024 to 4096 Bytes |
700571-2 | 3-Major | SIP MR profile, setting incorrect branch param for CANCEL to INVITE | |
696049-3 | 3-Major | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running | |
688942-3 | 3-Major | ICAP: Chunk parser performs poorly with very large chunk | |
679114-2 | 3-Major | Persistence record expires early if an error is returned for a BYE command | |
674747-2 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries. |
673814-4 | 3-Major | K37822302 | Custom bidirectional persistence entries are not updated to the session timeout |
642298-3 | 3-Major | Unable to create a bidirectional custom persistence record in MRF SIP | |
640384-3 | 3-Major | New iRule options for MR::message route command | |
620759-4 | 3-Major | Persist timeout value gets truncated when added to the branch parameter. | |
632658-4 | 4-Minor | Enable SIP::persist command to operate during SIP_RESPONSE event | |
617690-4 | 4-Minor | enable SIP::respond iRule command to operate during MR_FAILED event |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
677473-1 | 2-Critical | MCPD core is generated on multiple add/remove of Mgmt-Rules | |
663770-2 | 3-Major | K04025134 | AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
699531-3 | 2-Critical | Potential TMM crash due to incorrect number of attributes in a PEM iRule command | |
696294-3 | 2-Critical | TMM core may be seen when using Application reporting with flow filter in PEM | |
715090 | 3-Major | PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers | |
711570-1 | 3-Major | PEM iRule subscriber policy name query using subscriber ID, may not return applied policies | |
711093-2 | 3-Major | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled | |
709610-1 | 3-Major | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM | |
697718-3 | 3-Major | Increase PEM HSL reporting buffer size to 4K. | |
648802-3 | 3-Major | Required custom AVPs are not included in an RAA when reporting an error. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
667662-1 | 3-Major | K06579313 | Autolasthop does not work for PPTP-GRE traffic. |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
625114-2 | 2-Critical | K08062851 | Internal sync-change conflict after update to local users table |
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
708956 | 1-Blocking | K51206433 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform' |
696732 | 2-Critical | K54431534 | tmm may crash in a compression provider |
697616 | 3-Major | Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests | |
689730-2 | 3-Major | Software installations from v13.1.0 might fail★ | |
674455-7 | 3-Major | Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS | |
680388-2 | 4-Minor | f5optics should not show function name in non-debug log messages | |
653759-2 | 4-Minor | Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★ |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
701538-1 | 2-Critical | SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured | |
662078-1 | 2-Critical | Occasionally connections are dropped in response to timing errors | |
694778-2 | 3-Major | Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size | |
686631-1 | 3-Major | Deselect a compression provider at the end of a job and reselect a provider for a new job | |
679494-2 | 3-Major | Change the default compression strategy to speed | |
632824-1 | 3-Major | K00722715 | SSL TPS limit can be reached if the system clock is adjusted |
495443-10 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
679496-1 | 4-Minor | Add 'comp_req' to the output of 'tmctl compress' |
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
695901-2 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
693312-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
688516-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
704580-3 | CVE-2018-5549 | K05018525 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP |
701359-2 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
688009-5 | CVE-2018-5519 | K46121888 | Appliance Mode TMSH hardening |
615269-1 | CVE-2016-2183 | K13167034 | CVE-2016-2183: AFM SSH Proxy Vulnerability |
603758-1 | CVE-2018-5540 | K82038789 | Big3D security hardening |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
680850-1 | 3-Major | K48342409 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage. |
570570-5 | 3-Major | Default crypto failure action is now 'go-offline-downlinks'. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
711547 | 1-Blocking | Update cipher support for Common Criteria compliance | |
708054-3 | 2-Critical | Web Acceleration: TMM may crash on very large HTML files with conditional comments | |
706305-2 | 2-Critical | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled | |
703761-1 | 2-Critical | Disable DSA keys for public-key and host-based authentication in Common Criteria mode | |
677937-1 | 2-Critical | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets | |
673484-1 | 2-Critical | K85405312 | IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO |
664549-2 | 2-Critical | K55105132 | TMM restart while processing rewrite filter |
599423-1 | 2-Critical | K24584925 | merged cores and restarts |
583111-1 | 2-Critical | BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured | |
701626-1 | 3-Major | K16465222 | GUI resets custom Certificate Key Chain in child client SSL profile |
686029-1 | 3-Major | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces | |
664737-2 | 3-Major | Do not reboot on ctrl-alt-del | |
655005-1 | 3-Major | K23355841 | "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync |
646890-1 | 3-Major | K12068427 | IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512 |
635703-1 | 3-Major | K14508857 | Interface description may cause some interface level commands to be removed |
614486-1 | 3-Major | BGP community lower bytes of zero is not allowed to be set in route-map | |
612721-4 | 3-Major | FIPS: .exp keys cannot be imported when the local source directory contains .key file | |
609967-2 | 3-Major | K55424912 | qkview missing some HugePage memory data |
586412-2 | 3-Major | BGP peer-group members address-family configuration not saved to configuration | |
583108-1 | 3-Major | Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart. | |
581101-1 | 3-Major | non-admin user running list cmd: can't get object count | |
557155-8 | 3-Major | K33044393 | BIG-IP Virtual Edition becomes completely unresponsive under very heavy load. |
421797-3 | 3-Major | ePVA continues to accelerate IP Forwarding VS traffic even in Standby | |
651413-2 | 4-Minor | K34042229 | tmsh list ltm node does not return an error when node does not exist |
598437-1 | 4-Minor | SNMP process monitoring is incorrect for tmm and bigd |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
706631 | 2-Critical | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured. | |
705611-1 | 2-Critical | The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used | |
704666-2 | 2-Critical | memory corruption can occur when using certain certificates | |
701202-1 | 2-Critical | K35023432 | SSL memory corruption |
700862-2 | 2-Critical | K15130240 | tmm SIGFPE 'valid node' |
700393-2 | 2-Critical | K53464344 | Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash |
685254-1 | 2-Critical | K14013100 | RAM Cache Exceeding Watchdog Timeout in Header Field Search |
678416-2 | 2-Critical | Some tmm/umem_usage_stat counters may be incorrect under memory pressure. | |
676028-2 | 2-Critical | K09689143 | SSL forward proxy bypass may fail to release memory used for ssl_hs instances |
673951-4 | 2-Critical | K56466330 | Memory leak when using HTTP2 profile |
670814-2 | 2-Critical | Wrong SE Linux label breaks nethsm DNSSEC keys | |
665185-1 | 2-Critical | K20994524 | SSL handshake reference is not dropped if forward proxy certificate lookup failed |
657463-2 | 2-Critical | SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP to disconnect the handshake. | |
648320-3 | 2-Critical | K38159538 | Downloading via APM tunnels could experience performance downgrade. |
647757-2 | 2-Critical | K96395052 | RATE-SHAPER:Fred not properly initialized may halt traffic |
613088-3 | 2-Critical | pkcs11d thread has session initialization problem. | |
452283-2 | 2-Critical | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows | |
705794-1 | 3-Major | Under certain circumstances a stale HTTP/2 stream might cause a tmm crash | |
690042-3 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation |
689449-3 | 3-Major | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured | |
687205-3 | 3-Major | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart | |
686972-1 | 3-Major | The change of APM log settings will reset the SSL session cache. | |
686395 | 3-Major | With DTLS version1, when client hello uses version1.2, handshake shall proceed | |
683697-3 | 3-Major | SASP monitor may use the same UID for multiple HA device group members | |
677962-3 | 3-Major | Invalid use of SETTINGS_MAX_FRAME_SIZE | |
677457 | 3-Major | K13036194 | HTTP/2 Gateway appends semicolon when a request has one or more cookies |
677400-3 | 3-Major | K82502883 | pimd daemon may exit on failover |
673399-1 | 3-Major | HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server. | |
665652-2 | 3-Major | K41193475 | Multicast traffic not forwarded to members of VLAN group |
664528-1 | 3-Major | K53282793 | SSL record can be larger than maximum fragment size (16384 bytes) |
663551-1 | 3-Major | K14942957 | SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event |
662911-2 | 3-Major | K93119070 | SASP monitor uses same UID for all vCMP guests in a chassis or appliance |
654368-7 | 3-Major | ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require | |
654086-3 | 3-Major | Incorrect handling of HTTP2 data frames larger than minimal frame size | |
653976-2 | 3-Major | K00610259 | SSL handshake fails if server certificate contains multiple CommonNames |
651901-2 | 3-Major | Removed unnecessary ASSERTs in MPTCP code | |
640369-2 | 3-Major | TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan | |
633333-3 | 3-Major | During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent | |
619844-2 | 3-Major | Packet leak if reject command is used in FLOW_INIT rule | |
611691-5 | 3-Major | Packet payload ignored when DSS option contains DATA_FIN | |
608991-7 | 3-Major | BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed | |
605480-4 | 3-Major | BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection | |
604880-4 | 3-Major | tmm assert "valid pcb" in tcp.c | |
604549-7 | 3-Major | MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data | |
592731-1 | 3-Major | K34220124 | Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck. |
653746-2 | 4-Minor | K83324551 | Unable to display detailed CPU graphs if the number of CPU is too large |
569814-2 | 4-Minor | K30240351 | iRule "nexthop IP_ADDR" rejected by validator |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
710424-3 | 2-Critical | K00874337 | Possible SIGSEGV in GTMD when GTM persistence is enabled. |
699135-2 | 2-Critical | tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip | |
691287-3 | 2-Critical | tmm crashes on iRule with GTM pool command | |
682335-3 | 2-Critical | TMM can establish multiple connections to the same gtmd | |
699339-1 | 3-Major | K24634702 | Geolocation upgrade files fail to replicate to secondary blades |
696808-3 | 3-Major | Disabling a single pool member removes all GTM persistence records | |
687128-3 | 3-Major | gtm::host iRule validation for ipv4 and ipv6 addresses | |
679149-2 | 3-Major | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0] | |
663310-3 | 3-Major | named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★ | |
619158-1 | 3-Major | iRule DNS request with trailing dot times out with empty response | |
595293-4 | 3-Major | Deleting GTM links could cause gtm_add to fail on new devices. |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
679221-1 | 1-Blocking | APMD may generate core file or appears locked up after APM configuration changed | |
702278-3 | 2-Critical | Potential XSS security exposure on APM logon page. | |
678715-1 | 2-Critical | Large volume of query result update to SessionDB fails and locks down ApmD | |
712315-1 | 3-Major | LDAP and AD Group Resource Assign are not displaying Static ACLs correctly | |
710211 | 3-Major | Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. | |
702490-4 | 3-Major | Windows Credential Reuse feature may not work | |
702487-1 | 3-Major | AD/LDAP admins with spaces in names are not supported | |
700780-4 | 3-Major | F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses | |
699267-1 | 3-Major | LDAP Query may fail to resolve nested groups | |
681415-1 | 3-Major | Copying of profile with advanced customization or images might fail | |
675775-2 | 3-Major | TMM crashes inside dynamic ACL building session db callback | |
672250-1 | 3-Major | SessionDB update from ApmD with large volume fails | |
671149-3 | 3-Major | Captive portal login page is not rendered until it is refreshed | |
669459-2 | 3-Major | Effect of bad connection handle between APMD and memcached | |
639283-4 | 3-Major | Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate | |
569542-1 | 3-Major | After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★ | |
667237-3 | 4-Minor | Edge Client logs the routing and IP tables repeatedly |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
673463-2 | 2-Critical | K68275280 | SDD v3 symmetric deduplication may start performing poorly after a failover event |
685693 | 3-Major | APM AppTunnels memory leak |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
702738 | 3-Major | K32181540 | Tmm might crash activating new blob when changing firewall rules |
528499-3 | 4-Minor | AFM address lists are not sorted while trying to create a new rule. |
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
706086-1 | CVE-2018-5515 | K62750376 | PAM RADIUS authentication subsystem hardening |
704490 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
704483 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1) |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707226-2 | 1-Blocking | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations | |
704804-2 | 3-Major | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address | |
704733-2 | 3-Major | NAS-IP-Address is sent with the bytes in reverse order | |
703869-1 | 3-Major | Waagent updated to 2.2.21 | |
701249-2 | 3-Major | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1 | |
699147 | 3-Major | Hourly billed cloud images are now pre-licensed | |
687098 | 3-Major | IPv6 RADIUS servers not supported for remote authentication | |
674288-2 | 3-Major | K62223225 | FQDN nodes - monitor attribute doesn't reliably show in GUI |
649465-1 | 3-Major | SELinux warning messages regarding nsm daemon |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
695117 | 2-Critical | K30081842 | bigd cores and sends corrupted MCP messages with many FQDN nodes |
668883 | 2-Critical | FQDN pool member status may become out-of-sync when enabled/disabled through GUI | |
707675 | 3-Major | FQDN nodes or pool members flap when DNS response received | |
701609 | 3-Major | Static member of pool with FQDN members may revert to user-disabled after being re-enabled | |
685344-2 | 3-Major | Monitor 'min 1 of' not working as expected with FQDN nodes/members | |
673075-1 | 3-Major | Reduced Issues for Monitors configured with FQDN | |
671228-1 | 3-Major | Multiple FQDN ephemeral nodes may be created with autopopulate disabled | |
667560-3 | 3-Major | K69205908 | FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed |
573602-1 | 3-Major | FQDN pool members not shown by tmsh show ltm monitor | |
573302-1 | 3-Major | FQDN pool member remains in disabled state after removing monitor | |
571095-1 | 3-Major | Monitor probing to pool member stops after FQDN pool member with same IP address is deleted | |
467709-1 | 4-Minor | FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN | |
699262-2 | 5-Cosmetic | FQDN pool member status remains in 'checking' state after full config sync |
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
700556-2 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data |
698080-1 | CVE-2018-5503 | K54562183 | TMM may consume excessive resources when processing with PEM |
691504-3 | CVE-2018-5503 | K54562183 | PEM content insertion in a compressed response may cause a crash. |
686305-2 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
677193-2 | CVE-2017-6154 | K38243073 | ASM BD Daemon Crash. |
674189 | CVE-2016-0718 | K52320548 | iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0 |
673078-1 | CVE-2017-6150 | K62712037 | TMM may crash when processing FastL4 traffic |
670822-3 | CVE-2017-6148 | K55225440 | TMM may crash when processing SOCKS data |
668501-2 | CVE-2017-6151 | K07369970 | HTTP2 does not handle some URIs correctly |
630446-1 | CVE-2016-0718 | K52320548 | Expat vulnerability CVE-2016-0718 |
621233-1 | CVE-2018-5509 | K49440608 | FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm |
699455-3 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
699346-2 | CVE-2018-5524 | K53931245 | NetHSM capacity reduces when handling errors |
694274-2 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 |
688625-2 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
688011-5 | CVE-2018-5520 | K02043709 | Dig utility does not apply best practices |
676457-3 | CVE-2017-6153 | K52167636 | TMM may consume excessive resource when processing compressed data |
671638-4 | CVE-2018-5500 | K33211839 | TMM crash when load-balancing mptcp traffic |
670405-4 | CVE-2017-1000366 | K20486351 | K20486351: glibc vulnerability CVE-2017-1000366 |
662850-2 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
662663-6 | CVE-2018-5507 | K52521791 | Decryption failure Nitrox platforms in vCMP mode |
652848-2 | CVE-2018-5501 | K44200194 | TCP DNS profile may impact performance |
643375-1 | CVE-2018-5508 | K10329515 | TMM may crash when processing compressed data |
631204-1 | CVE-2018-5521 | K23124150 | GeoIP lookups incorrectly parse IP addresses |
617273-7 | CVE-2016-5300 | K70938105 | Expat XML library vulnerability CVE-2016-5300 |
593139-9 | CVE-2014-9761 | K31211252 | glibc vulnerability CVE-2014-9761 |
572272-5 | CVE-2018-5506 | K65355492 | BIG-IP - Anonymous Certificate ID Enumeration |
673607-2 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 |
672667-4 | CVE-2017-7679 | K75429050 | CVE-2017-7679: Apache vulnerability |
605579-8 | CVE-2012-6702 | K65460334 | iControl-SOAP expat client library is subjected to entropy attack |
578983-4 | CVE-2015-8778 | K51079478 | glibc: Integer overflow in hcreate and hcreate_r |
684033-1 | CVE-2017-9798 | K70084351 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
686389-3 | 3-Major | APM does not honor per-farm HTML5 client disabling at the View Connection Server | |
685020-1 | 3-Major | Enhancement to SessionDB provides timeout | |
653772-2 | 3-Major | fastL4 fails to evict flows from the ePVA | |
639505-3 | 3-Major | BGP may not send all configured aggregate routes | |
587107-3 | 3-Major | Allow iQuery to negotiate up to version TLS1.2 |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
667148-1 | 1-Blocking | K02500042 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition |
689577-1 | 2-Critical | K45800333 | ospf6d may crash when processing specific LSAs |
678833 | 2-Critical | IPv6 prefix SPDAG causes packet drop | |
676203-1 | 2-Critical | Inter-blade mpi connection fails, does not recover, and eventually all memory consumed. | |
667405-2 | 2-Critical | K61251939 | Fragmented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM. |
667404-2 | 2-Critical | K77576404 | Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts |
651362 | 2-Critical | eventd crashes during boot | |
631700-1 | 2-Critical | K72453283 | sod may kill bcm56xxd under heavy load |
617733-1 | 2-Critical | Error message: subscriber id response; Subscription not found | |
580753-1 | 2-Critical | K82583534 | eventd might core on transition to secondary. |
563661-2 | 2-Critical | Datastor may crash | |
694696-3 | 3-Major | On multiblade Viprion, creating a new traffic-group causes the device to go Offline | |
687658-2 | 3-Major | Monitor operations in transaction will cause it to stay unchecked | |
687353-3 | 3-Major | K35595105 | Qkview truncates tmstat snapshot files |
682213-3 | 3-Major | K31623549 | TLS v1.2 support in IP reputation daemon |
679480-1 | 3-Major | User able to create node when an ephemeral with the same IP already exists | |
674320-2 | 3-Major | K11357182 | Syncing a large number of folders can prevent the configuration getting saved on the peer systems |
672815-2 | 3-Major | Incorrect disaggregation on VIPRION B4200 blades | |
671082-1 | 3-Major | K85168072 | snmpd constantly restarting |
669888-2 | 3-Major | No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96 | |
669462-1 | 3-Major | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition | |
669415-1 | 3-Major | Flow eviction for hardware-accelerated flow might fail | |
664894-1 | 3-Major | K11070206 | PEM sessions lost when new blade is inserted in chassis |
664057-2 | 3-Major | Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached | |
664017-3 | 3-Major | OCSP may reject valid responses | |
652968-2 | 3-Major | K88825548 | IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys |
645723-2 | 3-Major | K74371937 | Dynamic routing update can delete admin ip route from the kernel |
632366-1 | 3-Major | Prevent a spurious Broadcom switch driver failure. | |
631316 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★ |
626990-1 | 3-Major | K64915164 | restjavad logs flooded with messages from ChildWrapper |
624362-1 | 3-Major | VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file | |
623803-2 | 3-Major | K12921801 | General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP' |
610122-1 | 3-Major | Hotfix installation fails: can't create /service/snmpd/run★ | |
598724-1 | 3-Major | Abandoned indefinite lifetime SessionDB entries on STANDBY devices. | |
586887-2 | 3-Major | K25883308 | SCTP tmm crash with virtual server destination. |
579760-3 | 3-Major | K55703840 | HSL::send may fail to resume after log server pool member goes down/up |
471237-2 | 3-Major | K12155235 | BIG-IP VE instances do not work with an encrypted disk in AWS. |
699281 | 4-Minor | Version format of hypervisor bundle matches Version format of ISO | |
669255-2 | 4-Minor | K20100613 | An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms |
660239-3 | 4-Minor | When accessing the dashboard, invalid HTTP headers may be present | |
655085-2 | 4-Minor | While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors | |
613275-2 | 4-Minor | K62581339 | SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up |
601168-1 | 4-Minor | Incorrect virtual server CPU utilization may be observed. | |
509980-1 | 4-Minor | Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
692970-3 | 2-Critical | Using UDP port 67 for purposes other than DHCP might cause TMM to crash | |
687603-1 | 2-Critical | K36243347 | tmsh query for dns records may cause tmm to crash |
686228-3 | 2-Critical | K23243525 | TMM may crash in some circumstances with VLAN failsafe |
682682-3 | 2-Critical | tmm asserts on a virtual server-to-virtual server connection | |
681175-1 | 2-Critical | K32153360 | TMM may crash during routing updates |
676982-2 | 2-Critical | K21958352 | Active connection count increases over time, long after connections expire |
674576-4 | 2-Critical | Outage may occur with VIP-VIP configurations | |
665924-1 | 2-Critical | K24847056 | The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios |
665732-2 | 2-Critical | FastHTTP may crash when receiving a fragmented IP packet | |
664461-3 | 2-Critical | K16804728 | Replacing HTTP payload can cause tmm restart |
658989-2 | 2-Critical | Memory leak when connection terminates in iRule process | |
639039-4 | 2-Critical | K33754014 | Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons |
614702-1 | 2-Critical | K24172560 | Race condition when using SSL Orchestrator can cause TMM to core |
704073-3 | 3-Major | K24233427 | Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm |
698000-1 | 3-Major | K04473510 | Connections may stop passing traffic after a route update |
689089-3 | 3-Major | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot | |
686307-1 | 3-Major | K10665315 | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later |
686065-1 | 3-Major | RESOLV::lookup iRule command can trigger crash with slow resolver | |
685955 | 3-Major | TMM hud_message_ctx leak | |
685110-3 | 3-Major | K05430133 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. |
683683-1 | 3-Major | ASN1::encode returns wrong binary data | |
682104-1 | 3-Major | HTTP PSM leaks memory when looking up evasion descriptions | |
680755-1 | 3-Major | K27015502 | max-request enforcement no longer works outside of OneConnect |
673621-2 | 3-Major | Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile. | |
670816-2 | 3-Major | K44519487 | HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters |
669974-1 | 3-Major | K90395411 | Encoding binary data using ASN1::encode may truncate result |
668522-1 | 3-Major | bigd might try to read from a file descriptor that is not ready for read | |
668419-1 | 3-Major | K53322151 | ClientHello sent in multiple packets results in TCP connection close |
666315 | 3-Major | Global SNAT sets TTL to 255 instead of decrementing | |
666160-1 | 3-Major | K63132146 | L7 Policy reconfiguration causes a slow memory leak |
665022-1 | 3-Major | Rateshaper stalls when TSO packet length exceeds max ceiling. | |
664769-1 | 3-Major | TMM may restart when using SOCKS profile and an iRule | |
663821-3 | 3-Major | K41344010 | SNAT Stats may not include port FTP traffic |
661881-2 | 3-Major | Memory and performance issues when using certain ASN.1 decoding formats in iRules | |
659648-2 | 3-Major | LTM Policy rule name migration doesn't properly handle whitespace | |
657795-1 | 3-Major | K51498984 | Possible performance impact on some SSL connections |
655432-7 | 3-Major | K85522235 | SSL renegotiation failed intermittently with AES-GCM cipher |
651681-4 | 3-Major | Orphaned bigd instances may exist (within multi-process bigd) | |
651135-4 | 3-Major | K41685444 | LTM Policy error when rule names contain slash (/) character★ |
645220-2 | 3-Major | bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs | |
645197-3 | 3-Major | Monitors receiving unique HTTP "success" response codes may stop monitoring after status change | |
640565-1 | 3-Major | K11564859 | Incorrect packet size sent to clone pool member |
636149-3 | 3-Major | Multiple monitor response codes to single monitor probe failure | |
628721-1 | 3-Major | In rare conditions, DNS cache resolver outbound TCP connections fail to expire. | |
627926-1 | 3-Major | K21211001 | Retrieving a server-side SSL session ID in iRules does not work |
584865-1 | 3-Major | Primary slot mismatch after primary cluster member leaves and then rejoins the cluster | |
582487-2 | 3-Major | K22210514 | 'merged.method' set to 'slow_merge,' does not update system stats |
574526-1 | 3-Major | K55542554 | HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter |
573366-4 | 3-Major | parking command used in the nesting script of clientside and serverside command can cause tmm core | |
692095-3 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN Node/Pool Member |
625892-2 | 4-Minor | Nagle Algorithm Not Fully Enforced with TSO | |
530877-7 | 4-Minor | K13887095 | TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
692941-3 | 2-Critical | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD | |
678861-3 | 2-Critical | DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★ | |
580537-1 | 2-Critical | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data | |
562921-4 | 2-Critical | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems | |
700527-1 | 3-Major | cmp-hash change can cause repeated iRule DNS-lookup hang | |
691498-1 | 3-Major | Connection failure during iRule DNS lookup can crash TMM | |
690166-3 | 3-Major | ZoneRunner creates a new stub zone when creating a SRV WIP with more subdomains | |
671326-2 | 3-Major | K81052338 | DNS Cache debug logging might cause tmm to crash. |
667469-1 | 3-Major | K35324588 | Higher than expected CPU usage when using DNS Cache |
665347-2 | 3-Major | K17060443 | GTM listener object cannot be created via tmsh while in non-Common partition |
636853-2 | 3-Major | Under some conditions, a change in the order of GTM topology records does not take effect. | |
621374-1 | 3-Major | "abbrev" argument in "whereis" iRule returns nothing | |
487144-2 | 3-Major | tmm intermittently reports that it cannot find FIPS key |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
701327-1 | 2-Critical | failed configuration deletion may cause unwanted bd exit | |
699720-3 | 2-Critical | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all | |
691670-3 | 2-Critical | Rare BD crash in a specific scenario | |
684312-2 | 2-Critical | K54140729 | During Apply Policy action, bd agent crashes, causing the machine to go Offline |
681109-2 | 2-Critical | K46212485 | BD crash in a specific scenario |
679603-2 | 2-Critical | K15460886 | bd core upon request, when profile has sensitive element configured. |
678462-2 | 2-Critical | after chassis failover: asmlogd CPU 100% on secondary | |
678228-1 | 2-Critical | K27568142 | Repeated Errors in ASM Sync |
672301-2 | 2-Critical | ASM crashes when using a logout object configuration in ASM policy | |
664708-2 | 2-Critical | TMM memory leak when DoS profile is attached to VS | |
662281-2 | 2-Critical | Inconsistencies in Automatic sync ASM Device Group | |
637252-1 | 2-Critical | K73107660 | Rest worker becomes unreliable after processing a call that generated an error |
633070-1 | 2-Critical | Sync Inconsistencies when using Autosync ASM Group between Chassis devices | |
631609-1 | 2-Critical | ASM Centralized Management Infrastructure Sync issues | |
614441-4 | 2-Critical | K04950182 | False Positive for illegal method (GET) |
611154-1 | 2-Critical | BD crash | |
599221-1 | 2-Critical | ASM Policy cannot be created in non-default partition via the Import Policy Task | |
576123-3 | 2-Critical | K23221623 | ASM policies are created as inactive policies on the peer device |
702946-2 | 3-Major | Added option to reset staging period for signatures | |
701841-1 | 3-Major | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space | |
700564-2 | 3-Major | JavaScript errors shown when debugging a mobile device with ASM deviceID enabled | |
700330 | 3-Major | AJAX blocking page isn't shown when a webpage uses jQuery framework. | |
700143-1 | 3-Major | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages | |
698919-1 | 3-Major | Anti virus false positive detection on long XML uploads | |
697303-3 | 3-Major | BD crash | |
696265-3 | 3-Major | K60985582 | BD crash |
694922-4 | 3-Major | ASM Auto-Sync Device Group Does Not Sync | |
691477-1 | 3-Major | ASM standby unit showing future date and high version count for ASM Device Group | |
685743-3 | 3-Major | When changing internal parameter 'request_buffer_size' in large request violations might not be reported | |
685207-2 | 3-Major | DoS client side challenge does not encode the Referer header. | |
683508-3 | 3-Major | K00152663 | WebSockets: umu memory leak of binary frames when remote logger is configured |
682612 | 3-Major | Event Correlation is disabled on vCMP even though all the prerequisites are met. | |
679384-1 | 3-Major | K85153939 | The policy builder is not getting updates about the newly added signatures. |
678293-1 | 3-Major | K25066531 | Uncleaned policy history files cause /var disk exhaustion |
676416-2 | 3-Major | BD restart when switching FTP profiles | |
675232-3 | 3-Major | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction | |
674494-1 | 3-Major | K77993010 | BD memory leak on specific configuration and specific traffic |
671675-1 | 3-Major | Centralized Management Infrastructure: asm_config_server restart on device group change | |
668184-1 | 3-Major | Huge values are shown in the AVR statistics for ASM violations | |
668181-2 | 3-Major | Policy automatic learning mode changes to manual after failover | |
667922 | 3-Major | K44692860 | Alternative unicode encoding in JSON objects not being parsed correctly |
666986-2 | 3-Major | K50320144 | Filter by Support ID is not working in Request Log |
663535-1 | 3-Major | Sending ASM cookies with "secure" attribute even without client-ssl profile | |
654925-1 | 3-Major | K25952033 | Memory Leak in ASM Sync Listener Process |
654873-2 | 3-Major | ASM Auto-Sync Device Group | |
619516-1 | 3-Major | Inconsistencies in Automatic sync ASM Device Group | |
605982-1 | 3-Major | Policy settings change during export/import | |
434821-1 | 3-Major | Remote logging of staged signatures and staged sets | |
694073-1 | 4-Minor | All signature update details are shown in 'View update history from previous BIG-IP versions' popup | |
655159-1 | 4-Minor | K84550544 | Wrong XML profile name Request Log details for XML violation |
625602-3 | 4-Minor | ASM Auto-Sync Device Group Does Not Sync |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
658343-2 | 3-Major | K33043439 | AVR tcp-analytics: per-host RTT average may show incorrect values |
648242 | 3-Major | K73521040 | Administrator users unable to access all partitions via TMSH for AVR reports |
582029-4 | 3-Major | AVR might report incorrect statistics when used together with other modules. | |
682105 | 4-Minor | Adding widget in Analytics Overview can cause measures list to empty out on Page change | |
649161-1 | 4-Minor | K42340304 | AVR caching mechanism not working properly |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
693739-3 | 2-Critical | VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled | |
660711-1 | 2-Critical | K05265457 | MCPd might crash when a user tries to import an access policy |
649234-3 | 2-Critical | K64131101 | TMM crash from a possible memory corruption. |
639929-2 | 2-Critical | Session variable replace with value containing these characters ' " & < > = may cause tmm crash | |
632178-1 | 2-Critical | LDAP Query agent creates only two session variables when required attributes list is empty | |
703984-2 | 3-Major | Machine Cert agent improperly matches hostname with CN and SAN | |
703429-1 | 3-Major | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services | |
700783-3 | 3-Major | Machine certificate check does not check against all FQDN hostnames | |
692307-1 | 3-Major | User with 'operator' role may not be able to view some session variables | |
689826-2 | 3-Major | K95422068 | Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese) |
686282-1 | 3-Major | APMD intermittently crashes when processing access policies | |
684325-3 | 3-Major | APMD Memory leak when applying a specific access profile | |
683389-1 | 3-Major | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file | |
682500-1 | 3-Major | VDI Profile and Storefront Portal Access resource do not work together | |
680112-1 | 3-Major | K18131781 | SWG-Explicit rejects large POST bodies during policy evaluation |
678851-1 | 3-Major | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() | |
676690-3 | 3-Major | Windows Edge Client sometimes crashes when user signs out from Windows | |
675866-1 | 3-Major | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO | |
675399-3 | 3-Major | K14304639 | Network Access does not work when empty variables are assigned for WINS and DNS |
674593-1 | 3-Major | APM configuration snapshot takes a long time to create | |
674410-3 | 3-Major | K59281892 | AD auth failures due to invalid Kerberos tickets |
673748-1 | 3-Major | K19534801 | ng_export, ng_import might leave security.configpassword in invalid state |
672868-1 | 3-Major | Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly | |
672040-3 | 3-Major | Access Policy Causing Duplicate iRule Event Execution | |
671597-1 | 3-Major | Import, export, copy and delete take too long on a 1000-entry policy | |
670910-2 | 3-Major | Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined | |
669510-2 | 3-Major | When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled. | |
669154-1 | 3-Major | K25342114 | Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases. |
668623-5 | 3-Major | K85991425 | macOS Edge client fails to detect correct system language for regions other than USA |
668503-3 | 3-Major | Edge Client fails to reconnect to virtual server after disabling Network Adapter | |
668129-1 | 3-Major | BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers. | |
666689-1 | 3-Major | Occasional "profile not found" errors following activate access policy | |
666058-2 | 3-Major | K86091857 | XenApp 6.5 published icons are not displayed on APM Webtop |
665416-3 | 3-Major | K02016491 | Old versions of APM configuration snapshots need to be reaped more aggressively if not used |
665330-1 | 3-Major | MSIE 11 should avoid compatibility mode | |
664507-3 | 3-Major | When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration | |
663127-1 | 3-Major | Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration. | |
655364-1 | 3-Major | Portal access rewriting window.opener causes JS exception | |
655146-2 | 3-Major | APM Profile access stats are not updated correctly | |
654508-2 | 3-Major | SharePoint MS-OFBA browser window displays Javascript errors | |
654046-1 | 3-Major | K22121533 | BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs. |
653771-2 | 3-Major | tmm crash after per-request policy error | |
653324-3 | 3-Major | K87979026 | On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly |
651910-2 | 3-Major | Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later | |
649613-3 | 3-Major | Multiple UDP/TCP packets packed into one DTLS Record | |
632646-4 | 3-Major | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. | |
629921-4 | 3-Major | [SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work. | |
621682-1 | 3-Major | Portal Access: problem with specific JavaScript code | |
616104-2 | 3-Major | VMware View connections to pool hit matching BIG-IP virtuals | |
613373-2 | 3-Major | Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page | |
610582-2 | 3-Major | Device Guard prevents Edge Client connections | |
601420-3 | 3-Major | Possible SAML authentication loop with IE and multi-domain SSO. | |
596083-1 | 3-Major | Error running custom APM Reports with "session creation time" on Viprion Platform | |
590992-3 | 3-Major | If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working | |
578413-1 | 3-Major | Missing reference to customization-group from connectivity profile if created via portal access wizard | |
575444-1 | 3-Major | Wininfo agent incorrectly reports OS version on Windows 10 in some cases | |
563135-3 | 3-Major | SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt | |
466068-1 | 3-Major | Allow setting of the AAA Radius server timeout value larger than 60 seconds | |
447565-5 | 3-Major | K33692321 | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
691017-1 | 4-Minor | Preventing ng_export hangs | |
684414-1 | 4-Minor | Retrieving too many groups is causing out of memory errors in TMUI and VPE | |
673717-1 | 4-Minor | VPE loading times can be very long | |
671627-1 | 4-Minor | K06424790 | HTTP responses without body may contain chunked body with empty payload being processed by Portal Access. |
667304-1 | 4-Minor | K68108551 | Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled |
561892-2 | 4-Minor | K08121752 | Kerberos cache is not cleared when Administrator password is changed in AAA AD Server |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
662844 | 2-Critical | K87735013 | TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x. |
643785-3 | 2-Critical | diadb crashes if it cannot find pool name | |
699431 | 3-Major | Possible memory leak in MRF under low memory |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
456376-4 | 1-Blocking | K53153545 | BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32 |
671052-3 | 2-Critical | K50324413 | AFM NAT security RST the traffic with (FW NAT) dst_trans failed |
644822-2 | 2-Critical | K19245372 | FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned |
564058-1 | 2-Critical | K91467162 | AutoDoS daemon aborts intermittently after being up for several days |
620543-1 | 3-Major | Security Address Lists and Port Lists can't change Description field |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
696383-2 | 2-Critical | PEM Diameter incomplete flow crashes when sweeped | |
694717-3 | 2-Critical | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. | |
616008-3 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
696789-2 | 3-Major | PEM Diameter incomplete flow crashes when TCL resumed | |
695968-3 | 3-Major | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. | |
694319-3 | 3-Major | CCA without a request type AVP cannot be tracked in PEM. | |
694318-3 | 3-Major | PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP. | |
684333-3 | 3-Major | PEM session created by Gx may get deleted across HA multiple switchover with CLI command | |
678820-2 | 3-Major | Potential memory leak if PEM Diameter sessions are not created successfully. | |
678714-3 | 3-Major | After HA failover, subscriber data has stale session ID information | |
660187-3 | 3-Major | TMM core after intra-chassis failover for some instances of subscriber creation | |
642068-1 | 3-Major | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens | |
638594-3 | 3-Major | TMM crash when handling unknown Gx messages. | |
627616-3 | 3-Major | CCR-U missing upon VALIDITY TIMER expiry when quota is zero | |
624231-5 | 3-Major | No flow control when using content-insertion with compression | |
680729-3 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
678822-3 | 4-Minor | Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
663333-1 | 2-Critical | TMM may core in PBA mode if LSN pool is under provisioned or the utilization is high | |
615432-1 | 2-Critical | Multiple TFTP data transfers cannot be initiated in a single session | |
663974-2 | 3-Major | TMM crash when using LSN inbound connections |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
692123-2 | 3-Major | GET parameter is grayed out if MobileSafe is not licensed | |
667892-2 | 3-Major | FPS: BLFN inheritance won't take effect until GUI refresh |
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
681710-4 | CVE-2017-6155 | K10930474 | Malformed HTTP/2 requests may cause TMM to crash |
673595-2 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 |
648786-5 | CVE-2017-6169 | K31404801 | TMM crashes when categorizing long URLs |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
673129 | 3-Major | K41458656 | New feature: revoke license |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
682837 | 1-Blocking | Compression watchdog period too brief. | |
675921 | 1-Blocking | Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running | |
696468 | 2-Critical | Active compression requests can become starved from too many queued requests. | |
667173 | 2-Critical | 13.1.0 cannot join a device group with 13.1.0.1 | |
665656-1 | 2-Critical | BWC with iSession may memory leak | |
663366-3 | 2-Critical | SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms. | |
621386-1 | 2-Critical | K91988084 | restjavad spawns too many icrd_child instances |
683114-1 | 3-Major | Need support for 4th element version in Update Check | |
679959-1 | 3-Major | Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000 | |
672988-2 | 3-Major | K03433341 | MCP memory leak when performing incremental ConfigSync |
669288-3 | 3-Major | K76152943 | Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist. |
668352-2 | 3-Major | High Speed Logging unbalance in log distribution for multiple pool destination. | |
668048-1 | 3-Major | K02551403 | TMM memory leak when manually enabling/disabling pool member used as HSL destination |
663063-2 | 3-Major | Disabling pool member used in busy HSL TCP destination can result in service disruption. | |
659057-1 | 3-Major | BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD | |
658636-2 | 3-Major | K51355172 | When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped. |
652691-1 | 3-Major | Installation fails if only .iso.384.sig (new format signature file) is present★ | |
652689-2 | 3-Major | K14243280 | Displaying 100G interfaces |
642952 | 3-Major | platform_check doesn't run PCI check on i11800 | |
640636-3 | 3-Major | F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade | |
638881-1 | 3-Major | Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances | |
628739-1 | 3-Major | BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD | |
628735-1 | 3-Major | Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles | |
604547-1 | 3-Major | K21551422 | Unix daemon configuration may be lost or not be updated upon reboot |
674515 | 4-Minor | New revoke license feature for VE only implemented | |
663580-1 | 4-Minor | K31981624 | logrotate does not automatically run when /var/log reaches 90% usage |
644723-1 | 4-Minor | cm56xxd logs link 'DOWN' message when an interface is admin DISABLED | |
507206-1 | 4-Minor | Multicast Out stats always zero for management interface. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
689080 | 2-Critical | Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value | |
463097-3 | 3-Major | Clock advanced messages with large amount of data maintained in DNS Express zones |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
672504-1 | 2-Critical | K52325625 | Deleting zones from large databases can take excessive amounts of time. |
614788-1 | 2-Critical | zxfrd crash due to lack of disk space | |
655233-1 | 3-Major | K93338593 | DNS Express using wrong TTL for SOA RRSIG record in NoData response |
648766-1 | 3-Major | K57853542 | DNS Express responses missing SOA record in NoData responses if CNAMEs present |
645615-2 | 3-Major | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
433678-2 | 3-Major | K32401561 | A monitor removed from GTM link cannot be deleted: 'monitor is in use' |
646615-1 | 4-Minor | Improved default storage size for DNS Express database |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
652796-1 | 1-Blocking | When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled. | |
652792-1 | 2-Critical | When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled. | |
678976-2 | 3-Major | K24756214 | Do not print all HTTP headers to avoid printing user credentials to /var/log/apm. |
677058-3 | 3-Major | Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
679440-2 | 2-Critical | K14120433 | MCPD Cores with SIGABRT |
591828-4 | 3-Major | K52750813 | For unmatched connection, TCP RST may not be sent for data packet |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
668252-2 | 2-Critical | K22784428 | TMM crash in PEM_DIAMETER component |
628311-3 | 2-Critical | K87863112 | Potential TMM crash due to duplicate installed PEM policies by the PCRF |
675928-2 | 3-Major | Periodic content insertion could add too many inserts to multiple flows if http request is outstanding | |
674686-2 | 3-Major | Periodic content insertion of new flows fails, if an outstanding flow is a long flow | |
673683-2 | 3-Major | Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener | |
673678-2 | 3-Major | Periodic content insertion fails, if http request/response get interleaved by second subscriber http request | |
673472-2 | 3-Major | After classification rule is updated, first periodic Insert content action fails for existing subscriber | |
639486-4 | 3-Major | TMM crash due to PEM usage reporting after a CMP state change. | |
634015-3 | 3-Major | K49315364 | Potential TMM crash due to a PEM policy content triggered buffer overflow |
572568-2 | 3-Major | Gy CCR-i requests are not being re-sent after initial configured re-transmits |
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
687193-1 | CVE-2018-5533 | K45325728 | TMM may leak memory when processing SSL Forward Proxy traffic |
684879-2 | CVE-2017-6164 | K02714910 | Malformed TLS1.2 records may result in TMM segmentation fault. |
662022-5 | CVE-2017-6138 | K34514540 | The URI normalization functionality within the TMM may mishandle some malformed URIs. |
653993-3 | CVE-2017-6132 | K12044607 | A specific sequence of packets to the HA listener may cause tmm to produce a core file |
653880 | CVE-2017-6214 | K81211720 | Kernel Vulnerability: CVE-2017-6214 |
652539 | CVE-2016-0634 CVE-2016-7543 CVE-2016-9401 | K73705133 | Multiple Bash Vulnerabilities |
652516 | CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 | K31603170 | Multiple Linux Kernel Vulnerabilities |
651221-2 | CVE-2017-6133 | K25033460 | Parsing certain URIs may cause the TMM to produce a core file. |
650286-2 | CVE-2017-6167 | K24465120 | REST asynchronous tasks permissions issues |
650059-1 | CVE-2017-6129 | K20087443 | TMM may crash when processing VPN traffic |
649907-2 | CVE-2017-3137 | K30164784 | BIND vulnerability CVE-2017-3137 |
649904-2 | CVE-2017-3136 | K23598445 | BIND vulnerability CVE-2017-3136 |
644904-5 | CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 | K55129614 | tcpdump 4.9 |
644693-3 | CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 | K15518610 | Fix for multiple CVE for openjdk-1.7.0 |
638556-2 | CVE-2016-10045 | K73926196 | PHP Vulnerability: CVE-2016-10045 |
634779-1 | CVE-2017-6147 | K43945001 | TMM may crash while processing SSL Forward Proxy traffic |
625860-2 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on B4450 platform. |
624903-6 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms. |
600069-6 | CVE-2017-0301 | K54358225 | Portal Access: Requests handled incorrectly |
659791-2 | CVE-2017-6136 | K81137982 | TFO and TLP could produce a core file under specific circumstances |
655059-3 | CVE-2017-6134 | K37404773 | TMM Crash |
653224-1 | CVE-2016-8610 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337 | K59836191 | Multiple GnuTLS Vulnerabilities |
653217-2 | CVE-2016-2125 CVE-2016-2126 | K03644631 | Multiple Samba Vulnerabilities |
645480-3 | CVE-2017-6139 | K45432295 | Unexpected APM response |
645101-2 | CVE-2017-3731, CVE-2017-3732 | K44512851 | OpenSSL vulnerability CVE-2017-3732 |
642659-2 | CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540 | K34527393 | Multiple LibTIFF Vulnerabilities |
640768 | CVE-2016-10088 CVE-2016-9576 | K05513373 | Kernel vulnerability: CVE-2016-10088 |
639729-2 | CVE-2017-0304 | K39428424 | Request validation failure in AFM UI Policy Editor |
637666-2 | CVE-2016-10033 | K74977440 | PHP Vulnerability: CVE-2016-10033 |
635314-5 | CVE-2016-1248 | K22183127 | vim Vulnerability: CVE-2016-1248 |
622178-1 | CVE-2017-6158 | K19361245 | Improve flow handling when Autolasthop is disabled |
597176-1 | CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE | K01837042 | Multiple Wireshark (tshark) vulnerabilities |
583678-1 | CVE-2016-3115 | K93532943 | SSHD session.c vulnerability CVE-2016-3115 |
582773-5 | CVE-2018-5532 | K48224824 | DNS server for child zone can continue to resolve domain names after revoked from parent |
567233-1 | CVE-2015-5252, CVE-2015-5296, CVE-2015-5299 | K92616530 | Multiple samba vulnerabilities |
353229-2 | CVE-2018-5522 | K54130510 | Buffer overflows in DIAMETER |
656912-4 | CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458 | K32262483 | Various NTP vulnerabilities |
632875-3 | CVE-2018-5516 | K37442533 | Non-Administrator TMSH users no longer allowed to run dig |
615226-5 | CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300 | K13074505 | Libarchive vulnerabilities: CVE-2016-8687 and others |
590840-2 | CVE-2015-8325 | K20911042 | OpenSSH vulnerability CVE-2015-8325 |
655021-2 | CVE-2017-3138 | K23598445 | BIND vulnerability CVE-2017-3138 |
652638-2 | CVE-2016-10167 | K23731034 | php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx() |
627203-1 | CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597 | K63427774 | Multiple Oracle Java SE vulnerabilities |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
654549-1 | 2-Critical | PVA support for uncommon protocols DoS vector | |
653729-2 | 2-Critical | Support IP Uncommon Protocol | |
653234 | 2-Critical | Many objects must be reconfigured before use when loading a UCS from another device.★ | |
652094-2 | 2-Critical | K49190243 | Improve traffic disaggregation for uncommon IP protocols |
643210-2 | 2-Critical | K45444280 | Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM |
643054-2 | 2-Critical | ARP and NDP packets should be CoS marked by the switch on ingress | |
663521-2 | 3-Major | Intermittent dropping of multicast packets on certain BIG-IP platforms | |
651772-3 | 3-Major | IPv6 host traffic may use incorrect IPv6 and MAC address after route updates | |
643143-2 | 3-Major | ARP and NDP packets should be QoS/DSCP marked on egress | |
610710-2 | 3-Major | Pass IP TOS bits from incoming connection to outgoing connection | |
584545-2 | 3-Major | Failure to stabilize internal HiGig link will not trigger failover event | |
567177-1 | 4-Minor | Log all attempts of key export in ltm log | |
650074-1 | 5-Cosmetic | Changed Format of RAM Cache REST Status output. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
642703-2 | 1-Blocking | Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★ | |
619097 | 1-Blocking | iControl REST slow performance on GET request for virtual servers | |
539093-1 | 1-Blocking | K26104530 | VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface. |
697878 | 2-Critical | High crypto request completion time under some workload patterns | |
666790-2 | 2-Critical | K06619044 | Use HSB HiGig MAC reset to recover both FCS errors and link instability |
665354-2 | 2-Critical | K31190471 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log |
658574-2 | 2-Critical | K61847644 | An accelerated flow transmits packets to a stale (incorrect) destination MAC address. |
655357-2 | 2-Critical | K06245820 | Corrupted L2 FDB entries on B4450 blades might result in dropped traffic |
653376-5 | 2-Critical | bgpd may crash on receiving a BGP update with >= 32 extended communities | |
649866-1 | 2-Critical | fsck should not run during first boot on public clouds | |
638997-2 | 2-Critical | Reboot required after disk size modification in a running BIG-IP VE instance. | |
625456-5 | 2-Critical | Pending sector utility may write repaired sector incorrectly | |
624826-2 | 2-Critical | K36404710 | mgmt bridge takes HWADDR of guest vm's tap interface |
613415-2 | 2-Critical | K22750357 | Memory leak in ospfd when distribute-list is used |
609335-1 | 2-Critical | IPsec tmm devbuf memory leak. | |
604011-1 | 2-Critical | Sync fails when iRule or policy is in use★ | |
595783 | 2-Critical | Changing console baud rate for B2100, B2150 and B2250 blades does not work | |
593137-1 | 2-Critical | userDefined property for bot signatures is not shown in REST | |
579210-3 | 2-Critical | K11418051 | VIPRION B4400N blades might fail to go Active under rare conditions. |
471860-10 | 2-Critical | K16209 | Disabling interface keeps DISABLED state even after enabling |
412817-3 | 2-Critical | BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive. | |
671920-1 | 3-Major | Accessing SNMP over IPv6 on non-default route domains | |
669818-2 | 3-Major | K64537114 | Higher CPU usage for syslog-ng when a syslog server is down |
667278-3 | 3-Major | DSC connections between BIG-IP units may fail to establish | |
667138-1 | 3-Major | LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★ | |
664829-1 | 3-Major | BIG-IP sometimes performs unnecessary reboot on first boot | |
662331-1 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
661764-2 | 3-Major | K53762147 | It is possible to configure a number of CPUs that exceeds the licensed throughput |
660532-2 | 3-Major | K21050223 | Cannot specify the event parameter for redirects on the policy rule screen. |
655671-1 | 3-Major | Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced | |
655649-2 | 3-Major | K88627152 | BGP last update timer incorrectly resets to 0 |
654011-2 | 3-Major | K33210520 | Pool member's health monitors set to Member Specific does not display the active monitors |
651155-1 | 3-Major | HSB continually logs 'loopback ring 0 tx not active' | |
650349 | 3-Major | K50168519 | Creation or reconfiguration of iApps fails if high speed logging is configured |
650002-1 | 3-Major | tzdata bug fix and enhancement update | |
649949-1 | 3-Major | Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★ | |
647988-3 | 3-Major | K15331432 | HSL Balanced distribution to Two-member pool may not be balanced correctly. |
647944-2 | 3-Major | MCP may crash when making specific changes to a FIX profile attached to more than one virtual server | |
645179-6 | 3-Major | Traffic group becomes active on more than one BIG-IP after a long uptime | |
644404-1 | 3-Major | Extracting SSD from system leads to Emergency LCD alert★ | |
644184-4 | 3-Major | K36427438 | ZebOS daemons hang while AgentX SNMP daemon is waiting. |
643294 | 3-Major | IGMP and PIM not in self-allow default list when upgrading from 10.2.x★ | |
643121-1 | 3-Major | Failed installation volumes cannot be deleted in the GUI. | |
643013 | 3-Major | DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3 | |
642982-3 | 3-Major | K23241518 | tmrouted may continually restart after upgrade, adding or renaming an interface★ |
642314-2 | 3-Major | K24276198 | CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★ |
638825-2 | 3-Major | SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD | |
637561-1 | 3-Major | Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice | |
636744-1 | 3-Major | K16918340 | IKEv1 phase 2 SAs not deleted |
631866-2 | 3-Major | Cannot access LTM policy rules in the web UI when the name contains certain characters | |
631172-4 | 3-Major | K54071336 | GUI user logged off when idle for 30 minutes, even when longer timeout is set |
624692-3 | 3-Major | Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying | |
623391-5 | 3-Major | cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★ | |
622619-5 | 3-Major | BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD | |
622133-1 | 3-Major | VCMP guests may incorrectly obtain incorrect MAC addresses | |
621259-3 | 3-Major | Config save takes long time if there is a large number of data groups | |
619060 | 3-Major | Reduction in boot time in BIG-IP Virtual Edition platforms | |
612752-1 | 3-Major | UCS load or upgrade may fail under certain conditions.★ | |
610442-2 | 3-Major | K75051412 | vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★ |
607961-1 | 3-Major | Secondary blades restart when modifying a virtual server's route domain in a different partition. | |
605792-1 | 3-Major | Installing a new version changes the ownership of administrative users' files★ | |
601709-2 | 3-Major | K02314881 | I2C error recovery for BIG-IP 4340N/4300 blades |
590938-3 | 3-Major | The CMI rsync daemon may fail to start | |
583475-1 | 3-Major | The BIG-IP may core while recompiling LTM policies | |
577474-3 | 3-Major | K35208043 | Users with auditor role are unable to use tmsh list sys crypto cert |
569100-1 | 3-Major | Virtual server using NTLM profile results in benign Tcl error | |
544906-2 | 3-Major | K07388310 | Issues when using remote authentication when users have different partition access on different devices |
507240-4 | 3-Major | K13811263 | ICMP traffic cannot be disaggregated based on IP addresses |
480983-4 | 3-Major | tmrouted daemon may core due to daemon_heartbeat | |
471029-2 | 3-Major | If the configuration contains a filename with the $ character, then saving the UCS fails. | |
656900-1 | 4-Minor | Blade family migration may fail | |
655314 | 4-Minor | When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★ | |
653225-1 | 4-Minor | coreutils security and bug fix update | |
645717 | 4-Minor | UCS load does not set directory owner | |
644975-4 | 4-Minor | K09554025 | /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost |
644799-1 | 4-Minor | K42882011 | TMM may crash when the BIG-IP system processes CGNAT traffic. |
642723-3 | 4-Minor | Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect | |
634371-2 | 4-Minor | Cisco ethernet NIC driver | |
530927-8 | 4-Minor | Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed | |
530530-6 | 4-Minor | K07298903 | tmsh sys log filter is displayed in UTC time |
527720-1 | 4-Minor | Rare 'No LopCmd reply match found' error in getLopReg | |
448409-1 | 4-Minor | K15491 | 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle |
626596 | 5-Cosmetic | Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
670011-2 | 1-Blocking | SSL forward proxy does not create the server certchain when ignoring server certificates | |
621452-1 | 1-Blocking | K58146172 | Connections can stall with TCP::collect iRule |
659899-1 | 2-Critical | K10589537 | Rare, intermittent system instability observed in dynamic load-balancing modes |
657713-5 | 2-Critical | K05052273 | Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. |
655628-1 | 2-Critical | TCP analytics does not release resources under specific sequence of packets | |
655211-1 | 2-Critical | bigd crash (SIGSEGV) when running FQDN node monitors | |
650317-3 | 2-Critical | The TMM on the next-active panics with message: "Missing oneconnect HA context" | |
649171-4 | 2-Critical | tmm core in iRule with unreachable remote address | |
648037-2 | 2-Critical | LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash | |
646643-2 | 2-Critical | K43005132 | HA standby virtual server with non-default lasthop settings may crash. |
646604-5 | 2-Critical | K21005334 | Client connection may hang when NTLM and OneConnect profiles used together |
645663 | 2-Critical | Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus. | |
644112-2 | 2-Critical | K56150996 | Permanent connections may be expired when endpoint becomes unreachable |
643631 | 2-Critical | K70938130 | Serverside connections on virtual servers using VDI may become zombies. |
635274-1 | 2-Critical | K21514205 | SSL::sessionid command may return invalid values |
634265-2 | 2-Critical | K34688632 | Using route pools whose members aren't directly connected may crash the TMM. |
632552-2 | 2-Critical | K08634156 | tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event |
629178-1 | 2-Critical | K42206046 | Incorrect initial size of connection flow-control window |
611704-5 | 2-Critical | tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event | |
605983-1 | 2-Critical | tmrouted may crash when being restarted in debug mode | |
604926-3 | 2-Critical | K50041125 | The TMM may become unresponsive when using SessionDB data larger than ~400K |
604223-2 | 2-Critical | pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM" | |
583700-3 | 2-Critical | K32784801 | tmm core on out of memory |
583355-1 | 2-Critical | The TMM may crash when changing profiles associated with plugins | |
566071-5 | 2-Critical | network-HSM may not be operational on secondary slots of a standby chassis. | |
559030-1 | 2-Critical | K65244513 | TMM may core during ILX RPC activity if a connflow closes before the RPC returns |
677119 | 3-Major | HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE | |
676471-1 | 3-Major | Insufficient space for core files on i11x00-series platforms | |
672008-1 | 3-Major | K22122208 | NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds |
671935-2 | 3-Major | Possible uneven ephemeral port reuse. | |
669025-1 | 3-Major | K11425420 | Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate |
668521-2 | 3-Major | Bigd might stall while waiting for an external monitor process to exit | |
666032-3 | 3-Major | K05145506 | Secure renegotiation is set while data is not available. |
663326-2 | 3-Major | Thales HSM: "fipskey.nethsm --export" fails to make stub keys | |
662881-2 | 3-Major | K10443875 | L7 mirrored packets from standby to active might cause tmm core when it goes active. |
662085-1 | 3-Major | iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages | |
658214-2 | 3-Major | K20228504 | TCP connections fail intermittently for mirrored fastl4 virtual server |
655793-1 | 3-Major | K04178391 | SSL persistence parsing issues due to SSL / TCP boundary mismatch |
654109-2 | 3-Major | K01102467 | Configuration loading may fail when iRules calling procs in other iRules are deleted |
653511-2 | 3-Major | Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve | |
652535-1 | 3-Major | K54443700 | HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented. |
652445-2 | 3-Major | K87541959 | SAN with uppercase names result in case-sensitive match or will not match |
651651-3 | 3-Major | K54604320 | bigd can crash when a DNS response does not match the expected value |
650292-2 | 3-Major | DNS transparent cache can return non-recursive results for recursive queries | |
650152-1 | 3-Major | Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms | |
648954-5 | 3-Major | K01102467 | Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls |
647137 | 3-Major | bigd/tmm con vCMP guests | |
646443-1 | 3-Major | K54432535 | Ephemeral Node may be errantly created in bigd, causing crash |
645058-3 | 3-Major | Modifying SSL profiles in GUI may fail when key is protected by passphrase | |
645036-3 | 3-Major | K85772089 | Removing pool from virtual server does not update its status |
644873-2 | 3-Major | K97237310 | ssldump can fail to decrypt captures with certain TCP segmenting |
644851-2 | 3-Major | Websockets closes connection on receiving a close frame from one of the peers | |
644418-2 | 3-Major | Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate | |
643777-2 | 3-Major | K27629542 | LTM policies with more than one IP address in TCP address match may fail |
643582-2 | 3-Major | Config load with large ssl profile configuration may cause tmm restart | |
641491-2 | 3-Major | K37551222 | TMM core while running iRule LB::status pool poolname member ip port |
640376-3 | 3-Major | STPD leaks memory on 2000/4000/i2000/i4000 series | |
638715-3 | 3-Major | K77010072 | Multiple Diameter monitors to same server ip/port may race on PID file |
632001-1 | 3-Major | For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys | |
627574-1 | 3-Major | After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft. | |
626434-6 | 3-Major | K65283203 | tmm may be killed by sod when a hardware accelerator does not work |
624805-1 | 3-Major | ILX node.js process may be restarted if a single operation takes more than 15 seconds | |
623940-3 | 3-Major | SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello | |
622017-8 | 3-Major | K54106058 | Performance graph data may become permanently lost after corruption. |
621736-6 | 3-Major | statsd does not handle SIGCHLD properly in all cases | |
620788-1 | 3-Major | K05232247 | FQDN pool created with existing FQDN node has RED status |
618161-1 | 3-Major | SSL handshake fails when clientssl uses softcard-protected key-certs. | |
618121 | 3-Major | "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★ | |
607246-10 | 3-Major | Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires | |
603609-2 | 3-Major | Policy unable to match initial path segment when request-URI starts with "//" | |
602040-3 | 3-Major | Truncated support ID for HTTP protocol security logging profile | |
600614-5 | 3-Major | External crypto offload fails when SSL connection is renegotiated | |
596433-3 | 3-Major | Virtual with lasthop configured rejects request with no route to client. | |
596242-1 | 3-Major | K17065223 | [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record |
595275-5 | 3-Major | Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN | |
593390-4 | 3-Major | Profile lookup when selected via iRule ('SSL::profile') might cause memory issues. | |
589006-5 | 3-Major | SSL does not cancel pending sign request before the handshake times out or is canceled. | |
587705-5 | 3-Major | K98547701 | Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools. |
578573-1 | 3-Major | SSL Forward Proxy Forged Certificate Signature Algorithm | |
563933-4 | 3-Major | [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs | |
536563-7 | 3-Major | Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets. | |
484542-1 | 3-Major | QinQ tag-mode can be set on unsupported platforms | |
668802-3 | 4-Minor | K83392557 | GTM link graphs fail to display in the GUI |
667318-3 | 4-Minor | BIG-IP DNS/GTM link graphs fail to display in the GUI. | |
584210-1 | 4-Minor | TMM may core when running two simultaneous WebSocket collect commands | |
578415-2 | 4-Minor | Support for hardware accelerated bulk crypto SHA256 missing | |
513288-7 | 4-Minor | Management traffic from nodes being health monitored might cause health monitors to fail. | |
462043-2 | 4-Minor | DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
620903-1 | 2-Critical | Decreased performance of ICMP attack mitigation. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
636541-3 | 1-Blocking | DNS Rapid Response filters large datagrams | |
667028-1 | 2-Critical | DNS Express does not run on i11000 platforms with htsplit disabled. | |
649564-2 | 2-Critical | Crash related to GTM monitors with long RECV strings | |
663073-1 | 3-Major | GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list. | |
659912-1 | 3-Major | K81210772 | GSLB Pool Member Manage page display issues and error message |
655807-5 | 3-Major | K40341291 | With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score |
655445-2 | 3-Major | Provide the ability to globally specify a DSCP value. | |
654599-1 | 3-Major | K74132601 | The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed |
648286-2 | 3-Major | GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button. | |
644447-2 | 3-Major | sync_zones script increasingly consumes memory when there is network connectivity failure | |
626141-3 | 3-Major | DNSX Performance Graphs are not displaying Requests/sec | |
615222-1 | 3-Major | GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★ | |
605260-1 | 3-Major | [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0 | |
659969-1 | 4-Minor | tmsh command for gtm-application disabled contexts does not work with none and replace-all-with | |
644220-3 | 4-Minor | Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page | |
604371-1 | 4-Minor | Pagination controls missing for GSLB pool members |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
653014-1 | 2-Critical | Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name | |
652200-1 | 2-Critical | K81349220 | Failure to update ASM enforcer about account change. |
651001-1 | 2-Critical | massive prints in tmm log: "could not find conf for profile crc" | |
638629-2 | 2-Critical | Bot can be classified as human | |
619110-1 | 2-Critical | Slow to delete URLs, CPU spikes with Automatic Policy Builder | |
672695-1 | 3-Major | Internal perl process listening on all interfaces when ASM enabled | |
665905 | 3-Major | K83305000 | Signature System corruption from specific ASU prevents ASU load after upgrade |
664930-2 | 3-Major | Policy automatic learning mode changes to manual after failover | |
655617-1 | 3-Major | K36442669 | Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge |
650081-1 | 3-Major | K53010710 | FP feature causes the blank page/delay on IE11 |
648617 | 3-Major | JavaScript challenge repeating in loop when URL has path parameters | |
644855-2 | 3-Major | irules with commands which may suspend processing cannot be used with proactive bot defense | |
631444-2 | 3-Major | Bot Name for ASM Search Engines is case sensitive | |
630356-1 | 3-Major | JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge | |
628351-1 | 3-Major | Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled | |
618656-2 | 3-Major | JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters | |
606521-1 | 3-Major | Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade | |
605616-1 | 3-Major | Creating 256 Fundamental Security policies will result in an out of memory error | |
602975-1 | 3-Major | Unable to update the HTTP URL's "Header-Based Content Profiles" values | |
596685-1 | 3-Major | K76841626 | Request Log failure on request with XML format violation |
595900-4 | 3-Major | K11833633 | Cookie Signature overrides may be ignored after Signature Update |
563727-1 | 3-Major | Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked' | |
534247-1 | 3-Major | Issue a Body in Get sub violation for GET request with content type header | |
519612-1 | 3-Major | JavaScript challenge fails when coming within iframe with different domain than main page |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
604191-1 | 2-Critical | AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★ | |
629573-1 | 3-Major | K66001885 | No drill-down filter for virtual-servers is mentioned on exported reports when using partition |
603875-2 | 3-Major | The statistic ASM memory Utilization - bd swap size: stats are wrong | |
601536-1 | 3-Major | Analytics load error stops load of configuration★ | |
639395-2 | 4-Minor | K91614278 | AVR does not display 'Max read latency' units. |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
647108-1 | 1-Blocking | Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction | |
679235-5 | 2-Critical | Inspection Host NPAPI Plugin for Safari can not be installed | |
669341 | 2-Critical | Category Lookup by Subject.CN will result in a reset | |
666454-2 | 2-Critical | K05520115 | Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update |
663506-7 | 2-Critical | K30533350 | apmd crash during ldap cache initialization |
652004-2 | 2-Critical | K45320415 | Show /apm access-info all-properties causes memory leaks in tmm |
662639-2 | 3-Major | Policy Sync fails when policy object include FIPS key | |
659371-2 | 3-Major | K54310201 | apmd crashes executing iRule policy evaluate |
658852-5 | 3-Major | Empty User-Agent in iSessions requests from APM client on Windows | |
654513-6 | 3-Major | K11003951 | APM daemon crashes when the LDAP query agent returns empty in its search results. |
649929-1 | 3-Major | saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it | |
648053-1 | 3-Major | K94477320 | Rewrite plugin may crash on some JavaScript files |
646928-1 | 3-Major | Landing URI incorrect when changing URI | |
645684-2 | 3-Major | Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting. | |
618957-1 | 3-Major | Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates | |
601919-2 | 3-Major | Custom categories and custom url filter assignment must be specific to partition instead of global lookup | |
583272-2 | 3-Major | "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth | |
580567-1 | 3-Major | LDAP Query agent failed to resolve nested group membership | |
551795-1 | 3-Major | Portal Access: corrections to CORS support for XMLHttpRequest | |
550547-2 | 3-Major | URL including a "token" query fails, resulting in a connection reset
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
664535-1 | 2-Critical | Diameter failure: load balancing fails when all pool members use same IP Address | |
640407-1 | 2-Critical | Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF | |
568545-2 | 2-Critical | K17124802 | iRules commands that refer to a transport-config will fail validation |
559953-1 | 2-Critical | tmm core on long DIAMETER::host value | |
662364-2 | 3-Major | MRF DIAMETER: IP ToS not passing through with DIAMETER | |
644946-2 | 3-Major | K05053251 | Enabling mirroring on SIP or DIAMETER router profile affects per-client connection mode operation |
644565-1 | 3-Major | MRF Message metadata lost when routing message to a connection on a different TMM | |
634078-2 | 3-Major | MRF: Routing using a virtual with SNAT set to none may select a source port of zero | |
624155-2 | 3-Major | MRF Per-Client mode connections unable to return responses if used by another client connection | |
620929-4 | 3-Major | New iRule command, MR::ignore_peer_port | |
651640-3 | 4-Minor | queue full dropped messages incorrectly counted as responses |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
670400-3 | 2-Critical | SSH Proxy public key authentication can be circumvented in some cases | |
655470 | 2-Critical | K79924625 | IP Intelligence logging publisher removal can cause tmm crash |
618902-4 | 3-Major | PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
658261-2 | 2-Critical | K12253471 | TMM core after HA during GY reporting |
658148-2 | 2-Critical | K23150504 | TMM core after intra-chassis failover for some instances of subscriber creation |
657632-4 | 2-Critical | Rarely if a subscriber delete is performed following HA switchover, tmm may crash | |
653285-1 | 2-Critical | PEM rule deletion with HSL reporting may cause tmm coredump | |
652973-2 | 2-Critical | Coredump observed at system bootup time when many DHCP packets arrive | |
650422-2 | 2-Critical | TMM core after a switchover involving GY quota reporting | |
659567-1 | 3-Major | K94685557 | iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions |
652052-3 | 3-Major | PEM:sessions iRule made the order of parameters strict | |
635257-2 | 3-Major | K41151808 | Inconsistencies in Gx usage record creation. |
623037-2 | 3-Major | delete of pem session attribute does not work after an update
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
676808-2 | 2-Critical | FPS: tmm may crash on response with large payload from server | |
669364-1 | 2-Critical | TMM core when server responds fast with server responses such as 404. | |
669359 | 2-Critical | WebSafe might cause connections to hang | |
674931 | 3-Major | FPS modified responses/injections might result in a corrupted response | |
674909-3 | 3-Major | Application CSS injection might break when connection is congested | |
667872-1 | 3-Major | Websafe's 'Apply cookies to base domain' feature doesn't work for non-standard ports | |
658321-2 | 3-Major | Websafe features might break in IE8 | |
657502-2 | 3-Major | JS error when leaving page opened for several minutes | |
644694 | 3-Major | FPS security update check ends up with an empty page when error occurs. | |
618185-1 | 3-Major | Mismatch in URL CRC32 calculation | |
643602-2 | 4-Minor | 'Select All' checkbox selects items on hidden pages |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
605123-1 | 2-Critical | IAppLX objects fail to sync after establishing HA in auto-sync mode★ |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
606316-4 | 1-Blocking | HTTPS request to F5 licensing server fails | |
665778-1 | 2-Critical | K34503519 | Non-admin BIG-IP users can now view/re-deploy iApps through TMUI. |
599424-2 | 2-Critical | iApps LX fails to sync★ | |
632060-1 | 4-Minor | restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★ |
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
693211-3 | CVE-2017-6168 | K21905460 | CVE-2017-6168 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
664063-1 | 2-Critical | K03203976 | Azure displays failure for deployment of BIG-IP from a Resource Manager template |
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
652151-1 | CVE-2017-6131 | K61757346 | Azure VE: Initialization improvement |
623885-4 | CVE-2016-9251 | K41107914 | Internal authentication improvements |
621371-2 | CVE-2016-9257 | K43523962 | Output Errors in APM Event Log |
648865-2 | CVE-2017-6074 | K82508682 | Linux kernel vulnerability: CVE-2017-6074 |
643187-2 | CVE-2017-3135 | K80533167 | BIND vulnerability CVE-2017-3135 |
641445-1 | CVE-2017-6145 | K22317030 | iControl improvements |
641360-2 | CVE-2017-0303 | K30201296 | SOCKS proxy protocol error |
641256-1 | CVE-2016-9257 | K43523962 | APM access reports display error |
636702-3 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
636699-5 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
631582 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
630475-5 | CVE-2017-6162 | K13421245 | TMM Crash |
628836-4 | CVE-2016-9245 | K22216037 | TMM crash during request normalization |
626360 | CVE-2017-6163 | K22541983 | TMM may crash when processing HTTP2 traffic |
624570-1 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
624526-3 | CVE-2017-6159 | K10002335 | TMM core in mptcp |
624457-5 | CVE-2016-5195 | K10558632 | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
623093-1 | CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320 | K38871451 | TIFF vulnerability CVE-2015-7554 |
620400-1 | CVE-2017-6141 | K21154730 | TMM crash during TLS processing |
610255-1 | CVE-2017-6161 | K62279530 | CMI improvement |
596340-8 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
580026-5 | CVE-2017-6165 | K74759095 | HSM logging error |
648879-2 | CVE-2016-6136 CVE-2016-9555 | K90803619 | Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555 |
641612-2 | CVE-2017-0302 | K87141725 | APM crash |
638137 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 | K51201255 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 |
635412 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
635252-1 | CVE-2016-9256 | K47284724 | CVE-2016-9256 |
631688-7 | CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 | K55405388 K87922456 K63326092 K51444934 K80996302 | Multiple NTP vulnerabilities |
630150-1 | CVE-2016-9253 | K51351360 | Websockets processing error |
627916-1 | CVE-2017-6144 | K81601350 | Improve cURL Usage |
627907-1 | CVE-2017-6143 | K11464209 | Improve cURL usage |
627747-1 | CVE-2017-6142 | K20682450 | Improve cURL Usage |
625372-5 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
623119 | CVE-2016-4470 | K55672042 | Linux kernel vulnerability CVE-2016-4470 |
622496 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
622126-1 | CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 | K54308010 | PHP vulnerability CVE-2016-7124 |
621337-6 | CVE-2016-7469 | K97285349 | XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469 |
618261-6 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
615267-2 | CVE-2016-2183 | K13167034 | OpenSSL vulnerability CVE-2016-2183 |
613225-7 | CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
606710-10 | CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 | K15479471 | Mozilla NSS vulnerability CVE-2016-2834 |
605420-5 | CVE-2016-5387, CVE-2007-6750 | K80513384 | httpd security update - CVE-2016-5387 |
600232-9 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
600223-2 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
599858-7 | CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 | K68785753 | ImageMagick vulnerability CVE-2015-8898 |
635933-3 | CVE-2004-0790 | K23440942 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
628832-4 | CVE-2016-6161 | K71581599 | libgd vulnerability CVE-2016-6161 |
622662-7 | CVE-2016-6306 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
617901-1 | CVE-2018-5525 | K00363258 | GUI to handle file path manipulation to prevent GUI instability. |
609691-1 | CVE-2014-4617 | K21284031 | GnuPG vulnerability CVE-2014-4617 |
600205-9 | CVE-2016-2178 | K53084033 | OpenSSL Vulnerability: CVE-2016-2178 |
600198-2 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
599285-2 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
598002-10 | CVE-2016-2178 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
621937-1 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
621935-6 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
606771-2 | CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 | K35799130 | Multiple PHP vulnerabilities |
601268-5 | CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 | K43267483 | PHP vulnerability CVE-2016-5766 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
653453 | 2-Critical | ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs. | |
628972-2 | 2-Critical | BMC version 2.51.7 for iSeries appliances | |
624831-2 | 2-Critical | BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps | |
616918-1 | 2-Critical | BMC version 2.50.3 for iSeries appliances | |
633723-3 | 3-Major | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot | |
633391-1 | 3-Major | GUI Error trying to modify IP Data-Group | |
609614-3 | 3-Major | Yafuflash 4.25 for iSeries appliances | |
597797-4 | 3-Major | K78449695 | Allow users to disable enforcement of RFC 7057 |
584471-1 | 3-Major | K34343741 | Priority order of clientssl profile selection of virtual server. |
581840-5 | 3-Major | K46576869 | Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ. |
564876-2 | 3-Major | New DB variable log.lsn.comma changes CGNAT logs to CSV format | |
609084-2 | 4-Minor | K03808942 | Max number of chunks not configurable above 1000 chunks |
597270-2 | 4-Minor | tcpdump support missing for VXLAN-GPE NSH |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
655500 | 1-Blocking | Rekey SSH sessions after one hour | |
642058-1 | 1-Blocking | CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances | |
641390-5 | 1-Blocking | K00216423 | Backslash removal in LTM monitors after upgrade |
627433-1 | 1-Blocking | HSB transmitter failure on i2x00 and i4x00 platforms | |
602830-1 | 1-Blocking | BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode | |
648056-2 | 2-Critical | K16503454 | bcm56xxd core when configuring QinQ VLAN with vCMP provisioned. |
645805 | 2-Critical | K92637255 | LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses |
641248 | 2-Critical | IPsec-related tmm segfault | |
641013-5 | 2-Critical | GRE tunnel traffic pinned to one TMM | |
638935-3 | 2-Critical | Monitor with send/receive string containing double-quote may cause upgrade to fail.★ | |
636918-2 | 2-Critical | Fix for crash when multiple tunnels use the same traffic selector | |
636290 | 2-Critical | vCMP support for B4450 blade | |
627898-2 | 2-Critical | K53050234 | tmm leaks memory in the ECM subsystem |
625824-1 | 2-Critical | iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory | |
624263-4 | 2-Critical | iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API response | |
618779-1 | 2-Critical | Route updates during IPsec tunnel setup can cause tmm to restart | |
616059-1 | 2-Critical | K19545861 | Modifying license.maxcores Not Allowed Error |
614296-1 | 2-Critical | Dynamic routing process ripd may core | |
613536-5 | 2-Critical | tmm core while running the iRule STATS:: command | |
610295-1 | 2-Critical | K32305923 | TMM may crash due to internal backplane inconsistency after reprovisioning |
583516-2 | 2-Critical | tmm ASSERT's "valid node" on Active, after timer fire. | |
567457-2 | 2-Critical | TMM may crash when changing the IKE peer config. | |
652484-2 | 3-Major | tmsh show net f5optics shows information for only 1 chassis slot in a cluster | |
649617-2 | 3-Major | qkview improvement for OVSDB management | |
648544-5 | 3-Major | K75510491 | HSB transmitter failure may occur when global COS queues enabled |
646760 | 3-Major | Common Criteria Mode Disrupts Administrative SSH Access | |
644490-1 | 3-Major | Finisar 100G LR4 values need to be revised in f5optics | |
637559-1 | 3-Major | Modifying iRule online could cause TMM to be killed by SIGABRT | |
636535 | 3-Major | K24844444 | HSB lockup in vCMP guest doesn't generate core file |
635961-1 | 3-Major | gzipped and truncated files may be saved in qkview | |
635129 | 3-Major | Chassis systems in HA configuration become Active/Active during upgrade★ | |
635116-1 | 3-Major | K34100550 | Memory leak when using replicated remote high-speed logging. |
634115-1 | 3-Major | Not all topology records may sync. | |
633879-1 | 3-Major | K52833014 | Fix IKEv1 md5 phase1 hash algorithm so config takes effect |
633512-1 | 3-Major | HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION. | |
633413-1 | 3-Major | IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI | |
631627-4 | 3-Major | Applying BWC over route domain sometimes results in tmm not becoming ready on system start | |
630622-1 | 3-Major | tmm crash possible if high-speed logging pool member is deleted and reused | |
630610-5 | 3-Major | K43762031 | BFD session interface configuration may not be stored on unit state transition |
630546-1 | 3-Major | Very large core files may cause corrupted qkviews | |
629499-9 | 3-Major | tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found" | |
629085-1 | 3-Major | K55278069 | Any CSS content truncated at a quoted value leads to a segfault |
628202-4 | 3-Major | Audit-forwarder can take up an excessive amount of memory during a high volume of logging | |
628164-3 | 3-Major | K20766432 | OSPF with multiple processes may incorrectly redistribute routes |
628009-1 | 3-Major | f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800 | |
627961-3 | 3-Major | K15130343 | nic_failsafe reboot doesn't trigger if HSB fails to disable interface |
627914-1 | 3-Major | Unbundled 40GbE optics reporting as Unsupported Optic | |
627214-3 | 3-Major | BGP ECMP recursive default route not redistributed to TMM | |
626839 | 3-Major | sys-icheck error for /var/lib/waagent in Azure. | |
626721-5 | 3-Major | "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart | |
625703-2 | 3-Major | SELinux: snmpd is denied access to tmstat files | |
625085 | 3-Major | lasthop rmmod causes kernel panic | |
624361-1 | 3-Major | Responses to some of the challenge JS are not zipped. | |
623930-3 | 3-Major | vCMP guests with vlangroups may loop packets internally | |
623401-1 | 3-Major | Intermittent OCSP request failures due to non-optimal default TCP profile setting | |
623336-4 | 3-Major | After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★ | |
623055-1 | 3-Major | Kernel panic during unic initialization | |
622183-5 | 3-Major | The alert daemon should remove old log files but it does not. | |
621909-4 | 3-Major | K23562314 | Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members |
621273-1 | 3-Major | DSR tunnels with transparent monitors may cause TMM crash. | |
620659-3 | 3-Major | The BIG-IP system may unnecessarily run provisioning on successive reboots | |
620366-4 | 3-Major | Alertd can not open UDP socket upon restart | |
617628-1 | 3-Major | SNMP reports incorrect value for sysBladeTempTemperature OID | |
615934-1 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | |
615107-1 | 3-Major | Cannot SSH from AOM/SCCP to host without password (host-based authentication). | |
613765-3 | 3-Major | Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors. | |
612809-1 | 3-Major | Bootup script fails to run on a vCMP guest due to a missing reference file. | |
611658-3 | 3-Major | "less" utility logs an error for remotely authenticated users using the tmsh shell | |
611512-1 | 3-Major | AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name. | |
611487-3 | 3-Major | vCMP: VLAN failsafe does not trigger on guest | |
610417-1 | 3-Major | K54511423 | Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported. |
609119-7 | 3-Major | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: | |
608320-3 | 3-Major | iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API response | |
604727-1 | 3-Major | Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★ | |
604237-3 | 3-Major | Vlan allowed mismatch found error in VCMP guest | |
604061-2 | 3-Major | Link Aggregation Control Protocol May Lose Synchronization after TMM Crash | |
602376-1 | 3-Major | qkview excludes files | |
598498-7 | 3-Major | Cannot remove Self IP when an unrelated static ARP entry exists. | |
598134-1 | 3-Major | Stats query may generate an error when tmm on secondary is down | |
596067-2 | 3-Major | GUI on VIPRION hangs on secondary blade reboot | |
590211-2 | 3-Major | jitterentropy-rngd quietly fails to start | |
583754-7 | 3-Major | When TMM is down, executing 'show ltm persist persist-records' results in a blank error message. | |
575027-1 | 3-Major | Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues. | |
562928-2 | 3-Major | Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled | |
559080-5 | 3-Major | High Speed Logging to specific destinations stops from individual TMMs | |
557471-3 | 3-Major | LTM Policy statistics showing zeros in GUI | |
543208-1 | 3-Major | Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★ | |
534520-1 | 3-Major | qkview may exclude certain log files from /var/log | |
424542-5 | 3-Major | tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments | |
418349-2 | 3-Major | Update/overwrite of FIPS keys error | |
643404-2 | 4-Minor | K30014507 | 'tmsh system software status' does not display properly in a specific cc-mode situation★ |
636520-3 | 4-Minor | K88813435 | Detail missing from power supply 'Bad' status log messages |
633181-1 | 4-Minor | A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section | |
632668-5 | 4-Minor | When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds | |
632069-3 | 4-Minor | Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076 | |
621957-2 | 4-Minor | Timezone data on AOM not syncing with host | |
609107-1 | 4-Minor | mcpd does not properly validate missing 'sys folder' config in bigip_base.conf | |
599191-2 | 4-Minor | One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card | |
589379-2 | 4-Minor | K20937139 | ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route. |
585097-1 | 4-Minor | Traffic Group score formula does not result in unique values. | |
541550-3 | 4-Minor | Defining more than 10 remote-role groups can result in authentication failure | |
541320-10 | 4-Minor | K50973424 | Sync of tunnels might cause restore of deleted tunnels. |
500452-8 | 4-Minor | K28520025 | PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware |
642015-2 | 5-Cosmetic | SSD Manufacturer "unavailable" | |
524277-2 | 5-Cosmetic | Missing power supplies issue warning message that should be just a notice message. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
651476 | 2-Critical | bigd may core on non-primary bigd when FQDN in use | |
648715-2 | 2-Critical | BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0 | |
643396-2 | 2-Critical | K34553627 | Using FLOW_INIT iRule may lead to TMM memory leak or crash |
642400-2 | 2-Critical | Path MTU discovery occasionally fails | |
640352-2 | 2-Critical | K01000259 | Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet |
639744-1 | 2-Critical | K84228882 | Memory leak in STREAM::expression iRule |
637181-4 | 2-Critical | VIP-on-VIP traffic may stall after routing updates | |
632685 | 2-Critical | bigd memory leak for FQDN nodes on non-primary bigd instance | |
630306-1 | 2-Critical | TMM crash in DNS processing on UDP virtual server with no available pool members | |
629145-1 | 2-Critical | External datagroups with no metadata can crash tmm | |
628890-1 | 2-Critical | Memory leak when modifying large datagroups | |
627403-2 | 2-Critical | HTTP2 can crash tmm when stats is updated on aborting of a new connection | |
626311-2 | 2-Critical | K75419237 | Potential failure of DHCP relay functionality due to incorrect route lookup. |
625198-1 | 2-Critical | TMM might crash when TCP DSACK is enabled | |
622856-1 | 2-Critical | BIG-IP may enter SYN cookie mode later than expected | |
621870-2 | 2-Critical | Outage may occur with VIP-VIP configurations | |
619663-3 | 2-Critical | K49220140 | Terminating of HTTP2 connection may cause a TMM crash |
619528-4 | 2-Critical | TMM may accumulate internal events resulting in TMM restart | |
619071-3 | 2-Critical | OneConnect with verified accept issues | |
614509-1 | 2-Critical | iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart | |
609027-1 | 2-Critical | TMM crashes when SSL forward proxy is enabled. | |
608304-1 | 2-Critical | K55292305 | TMM crash on memory corruption |
603667-2 | 2-Critical | TMM may leak or corrupt memory when configuration changes occur with plugins in use | |
603082-3 | 2-Critical | Ephemeral pool members are getting deleted/created over and over again. | |
602136-5 | 2-Critical | iRule drop/discard/reject commands cause tmm segfault or still send 3-way handshake to the server. | |
601828-1 | 2-Critical | K13338433 | An untrusted certificate can cause tmm to crash. |
600982-5 | 2-Critical | TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0" | |
599720-2 | 2-Critical | TMM may crash in bigtcp due to null pointer dereference | |
597828-1 | 2-Critical | SSL forward proxy crashes in some cases | |
596450-1 | 2-Critical | TMM may produce a core file after updating SSL session ticket key | |
594642-3 | 2-Critical | Stream filter may require large allocations by Tcl leading TMM to core on allocation failure. | |
581746-1 | 2-Critical | K42175594 | MPTCP or SSL traffic handling may cause a BIG-IP outage |
557358-5 | 2-Critical | TMM SIGSEGV and crash when memory allocation fails. | |
423629-3 | 2-Critical | K08454006 | bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted |
653201 | 3-Major | Update the default CA certificate bundle file to the latest version and remove expiring certificates from it | |
651106 | 3-Major | memory leak on non-primary bigd with changing node IPs | |
649571-1 | 3-Major | Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello | |
648990 | 3-Major | Serverside SSL renegotiation does not occur after block cipher data limit is exceeded | |
641512-4 | 3-Major | K51064420 | DNSSEC key generations fail with lots of invalid SSL traffic |
632324-2 | 3-Major | PVA stats does not show correct connection number | |
629412-3 | 3-Major | BIG-IP closes a connection when a maximum size window is attempted | |
627246-1 | 3-Major | K09336400 | TMM memory leak when ASM policy configured on virtual server |
626386-1 | 3-Major | K28505256 | SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled |
626106-3 | 3-Major | LTM Policy with illegal rule name loses its conditions and actions during upgrade★ | |
625106-2 | 3-Major | Policy Sync can fail over a lossy network | |
624616-1 | 3-Major | Safenet uninstall is unable to remove libgem.so | |
620625-2 | 3-Major | K38094257 | Changes to the Connection.VlanKeyed DB key may not immediately apply |
620079-3 | 3-Major | Removing route-domain may cause monitors to fail | |
619849-4 | 3-Major | In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled. | |
618430-2 | 3-Major | iRules LX data not included in qkview | |
618428 | 3-Major | iRules LX - Debug mode does not function in dedicated mode | |
618254-4 | 3-Major | Non-zero Route domain is not always used in HTTP explicit proxy | |
617858-2 | 3-Major | bigd core when using Tcl monitors | |
616022-2 | 3-Major | K46530223 | The BIG-IP monitor process fails to process timeout conditions |
613326-1 | 3-Major | SASP monitor improvements | |
612694-5 | 3-Major | TCP::close with no pool member results in zombie flows | |
610429-5 | 3-Major | X509::cert_fields iRule command may memory with subpubkey argument | |
610302-1 | 3-Major | Link throughput graphs might be incorrect. | |
609244-4 | 3-Major | tmsh show ltm persistence persist-records leaks memory | |
608551-3 | 3-Major | Half-closed congested SSL connections with unclean shutdown might stall. | |
607152-1 | 3-Major | Large Websocket frames corrupted | |
604496-4 | 3-Major | SQL (Oracle) monitor daemon might hang. | |
603979-4 | 3-Major | Data transfer from the BIG-IP system self IP might be slow | |
603723-2 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | |
603550-1 | 3-Major | K63164073 | Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats. |
600827-8 | 3-Major | K21220807 | Stuck Nitrox crypto queue can erroneously be reported |
600593-1 | 3-Major | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests | |
600052-1 | 3-Major | GUI displaying "Internal Server Error" page when there are many (~3k) certs/keys in the system | |
599121-2 | 3-Major | K24036315 | Under heavy load, hardware crypto queues may become unavailable. |
592871-3 | 3-Major | Cavium Nitrox PX/III stuck queue diagnostics missing. | |
591666-3 | 3-Major | TMM crash in DNS processing on TCP virtual with no available pool members | |
589400-1 | 3-Major | K33191529 | With Nagle disabled, TCP does not send all of xfrags with size greater than MSS. |
586738-4 | 3-Major | The tmm might crash with a segfault. | |
584310-1 | 3-Major | K83393638 | TCP:Collect ignores the 'skip' parameter when used in serverside events |
584029-6 | 3-Major | Fragmented packets may cause tmm to core under heavy load | |
582769-1 | 3-Major | K99405272 | WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual |
579926-1 | 3-Major | HTTP starts dropping traffic for a half-closed connection when in passthrough mode | |
568543-4 | 3-Major | Syncookie mode is activated on wildcard virtuals | |
562267-3 | 3-Major | FQDN nodes do not support monitor alias destinations. | |
517756-6 | 3-Major | Existing connections can choose incorrect route when crossing non-strict route-domains | |
509858-5 | 3-Major | K36300805 | BIG-IP FastL4 profile vulnerability |
419741-3 | 3-Major | Rare crash with vip-targeting-vip and stale connections on VIPRION platforms | |
352957-4 | 3-Major | K03005026 | Route lookup after change in route table on established flow ignores pool members |
660170-1 | 4-Minor | K28505910 | tmm may crash at ~75% of VLAN failsafe timeout expiration |
631862-1 | 4-Minor | K32107573 | Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk |
618517-1 | 4-Minor | K61255401 | bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring |
611161-3 | 4-Minor | K28540353 | VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default. |
587966-1 | 4-Minor | K77283304 | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
583943-1 | 4-Minor | K27491104 | Forward proxy does not work when netHSM is configured on TMM interfaces |
574020-5 | 4-Minor | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
621115-1 | 2-Critical | IP/IPv6 TTL/hoplimit may not be preserved for host traffic |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
642039-2 | 2-Critical | TMM core when persist is enabled for wideip with certain iRule commands triggered. | |
584374-2 | 2-Critical | K67622400 | iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address. |
642330-2 | 3-Major | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★ | |
640903-1 | 3-Major | Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen | |
632423-4 | 3-Major | K40256229 | DNS::query can cause tmm crash if AXFR/IXFR types specified. |
629530-2 | 3-Major | K53675033 | Under certain conditions, monitors do not time out. |
628897-1 | 3-Major | Add Hyperlink to gslb server and vs on the Pool Member List Page | |
625671-4 | 3-Major | The diagnostic tool dnsxdump may crash with non-standard DNS RR types. | |
624876-1 | 3-Major | Response Policy Zones can trigger even after entry removed from zone | |
624193-2 | 3-Major | Topology load balancing not working as expected | |
623023-1 | 3-Major | Unable to set DNS Topology Continent to Unknown via GUI | |
621239-2 | 3-Major | Certain DNS queries bypass DNS Cache RPZ filter. | |
620215-5 | 3-Major | TMM out of memory causes core in DNS cache | |
619398-7 | 3-Major | TMM out of memory causes core in DNS cache | |
612769-1 | 3-Major | K33842313 | Hard to use search capabilities on the Pool Members Manage page. |
601180-2 | 3-Major | K73505027 | Link Controller base license does not allow DNS namespace iRule commands.★ |
567743-2 | 3-Major | K70663134 | Possible gtmd crash under certain conditions. |
557434-4 | 3-Major | After setting a Last Resort Pool on a Wide IP, cannot reset back to None | |
366695-1 | 5-Cosmetic | Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
646511-1 | 2-Critical | BD crashes repeatedly after interrupted roll-forward upgrade★ | |
636397-1 | 2-Critical | bd cores when persistent storage configuration and under some memory conditions. | |
634001-2 | 2-Critical | ASM restarts after deleting a VS that has an ASM security policy assigned to it | |
627117-1 | 2-Critical | crash with wrong certificate in WSS | |
625783-1 | 2-Critical | Chassis sync fails intermittently due to sync file backlog | |
618771-1 | 2-Critical | Some Social Security Numbers are not being masked | |
601378-2 | 2-Critical | Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons | |
584082-3 | 2-Critical | BD daemon crashes unexpectedly | |
540928-1 | 2-Critical | Memory leak due to unnecessary logging profile configuration updates. | |
640824-1 | 3-Major | K20770267 | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ |
635754-1 | 3-Major | K65531575 | Wildcard URL pattern match works incorrectly in Traffic Learning |
632344-2 | 3-Major | POP DIRECTIONAL FORMATTING causes false positive | |
632326-2 | 3-Major | K52814351 | relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation |
631737-1 | 3-Major | K61367823 | ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations |
630929-1 | 3-Major | K69767100 | Attack signature exception list upload times-out and fails |
627360-1 | 3-Major | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ | |
626438-1 | 3-Major | Frame is not showing in the browser and/or an error appears | |
625832-4 | 3-Major | A false positive modified domain cookie violation | |
622913-2 | 3-Major | Audit Log filled with constant change messages | |
621524-2 | 3-Major | Processing Timeout When Viewing a Request with 300+ Violations | |
620635-2 | 3-Major | Request having upper case JSON login parameter is not detected as a failed login attempt | |
614563-3 | 3-Major | AVR TPS calculation is inaccurate | |
611151-2 | 3-Major | An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive | |
608245 | 3-Major | Reporting missing parameter details when attack signature is matched against parameter value | |
583024-1 | 3-Major | TMM restart rarely during startup | |
581406-1 | 3-Major | SQL Error on Peer Device After Receiving ASM Sync in a Device Group | |
580168-4 | 3-Major | Information missing from ASM event logs after a switchboot and switchboot back | |
576591-6 | 3-Major | Support for some future credit card number ranges | |
572885-1 | 3-Major | Policy automatic learning mode changes to manual after failover | |
392121-3 | 3-Major | TMSH Command to retrieve the memory consumption of the bd process | |
642874-1 | 4-Minor | K15329152 | Ready to be Enforced filter for Policy Signatures returns too many signatures |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
634215-1 | 2-Critical | False detection of attack after restarting dosl7d | |
573764-1 | 2-Critical | In some cases, only primary blade retains its statistics after upgrade on multi bladed system | |
642221-2 | 3-Major | Incorrect entity is used when exporting TCP analytics from GUI | |
641574 | 3-Major | K06503033 | AVR doesn't report on virtual and client IP in DNS statistics |
635561-1 | 3-Major | Heavy URLs statistics are not shown after upgrade. | |
631722 | 3-Major | Some HTTP statistics not displayed after upgrade | |
631131-3 | 3-Major | Some tmstat-adapters based reports stats are incorrect | |
605010-1 | 3-Major | Thrift::TException error | |
560114-6 | 3-Major | Monpd is being affected by an I/O issue which makes some of its threads freeze |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
645339-2 | 1-Blocking | TMM may crash when processing APM data | |
637308-8 | 2-Critical | K41542530 | apmd may crash when HTTP Auth agent is used in an Access Policy |
632005-1 | 2-Critical | BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes | |
622244-2 | 2-Critical | Edge client can fail to upgrade when always connected is selected | |
617310-2 | 2-Critical | Edge client can fail to upgrade when Always Connected is selected★ | |
614322-1 | 2-Critical | K31063537 | TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway |
608424-2 | 2-Critical | Dynamic ACL agent error log message contains garbage data | |
608408-2 | 2-Critical | TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library | |
593078-1 | 2-Critical | CATEGORY::filetype command may cause tmm to crash and restart | |
643547-1 | 3-Major | K43036745 | APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP |
638799-1 | 3-Major | Per-request policy branch expression evaluation fails | |
638780-3 | 3-Major | Handle 302 redirects for VMware Horizon View HTML5 client | |
636044-1 | 3-Major | K68018520 | Large number of glob patterns affects custom category lookup performance |
634576 | 3-Major | K48181045 | TMM core in per-request policy |
634252 | 3-Major | K99114539 | TMM crash with per-request policy in SWG explicit |
632504-1 | 3-Major | K31277424 | APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list |
632499-1 | 3-Major | K70551821 | APM Policy Sync: Resources under webtop section are not sync'ed automatically |
632472-1 | 3-Major | Frequently logged "Silent flag set - fail" messages | |
632386-1 | 3-Major | EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists | |
630571-1 | 3-Major | K35254214 | Edge Client on Mac OSX Sierra stuck in a reconnect loop |
629801-2 | 3-Major | Access policy is applied automatically on target device after policy sync, when there is also a FODG in the trust domain. | |
629698-1 | 3-Major | Edge client stuck on "Initializing" state | |
629069-2 | 3-Major | Portal Access may delete scripts from HTML page in some cases | |
628687-2 | 3-Major | Edge Client reconnection issues with captive portal | |
628685-2 | 3-Major | K79361498 | Edge Client shows several security warnings after roaming to a network with Captive Portal |
627972-2 | 3-Major | K11327511 | Unable to save advanced customization when using Exchange iApp |
627059-1 | 3-Major | In some rare cases TMM may crash while handling VMware View client connection | |
626910-1 | 3-Major | Policy with assigned SAML Resource is exported with error | |
625474-1 | 3-Major | POST request body is not saved in session variable by access when request is sent using edge client | |
625159-1 | 3-Major | Policy sync status not shown on standby device in HA case | |
624966-2 | 3-Major | Edge client starts new APM session when Captive portal session expires | |
623562-3 | 3-Major | Large POSTs rejected after policy already completed | |
622790-1 | 3-Major | EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP | |
621976-4 | 3-Major | OneDrive for Business thick client shows javascript errors when rendering APM logon page | |
621974-4 | 3-Major | Skype For Business thick client shows javascript errors when rendering APM logon page | |
621447-1 | 3-Major | In some rare cases, VDI may crash | |
621210-2 | 3-Major | Policy sync shows as aborted even if it is completed | |
621126-2 | 3-Major | Import of config with saml idp connector with reuse causes certificate not found error | |
620829-2 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly | |
620801-3 | 3-Major | Access Policy is not able to check device posture for Android 7 devices | |
620614-4 | 3-Major | Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account | |
619879-1 | 3-Major | HTTP iRule commands could lead to WEBSSO plugin being invoked | |
619811-2 | 3-Major | Machine Cert OCSP check fails with multiple Issuer CA | |
619486-3 | 3-Major | Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self | |
619473-2 | 3-Major | Browser may hang at APM session logout | |
618170-3 | 3-Major | Some URL unwrapping functions can behave badly | |
617063-1 | 3-Major | After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel | |
617002-1 | 3-Major | SWG with Response Analytics agent in a Per-Request policy fails with some URLs | |
616838-3 | 3-Major | Citrix Remote desktop resource custom parameter name does not accept hyphen character | |
615970-1 | 3-Major | SSO logging level may cause failover | |
615254-2 | 3-Major | Network Access Launch Application item fails to launch in some cases | |
612419-1 | 3-Major | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) | |
611968-3 | 3-Major | JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow | |
611669-4 | 3-Major | Mac Edge Client customization is not applied on macOS 10.12 Sierra | |
610180-2 | 3-Major | A misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin. | |
597214-5 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly | |
595819-1 | 3-Major | Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached | |
595272-1 | 3-Major | Edge client may show a window displaying plain text in some cases | |
591246-1 | 3-Major | Unable to launch View HTML5 connections in non-zero route domain virtual servers | |
584582-1 | 3-Major | JavaScript: 'baseURI' property may be handled incorrectly | |
570217-2 | 3-Major | BIG-IP APM now uses Airwatch v2 API to retrieve device posture information | |
533956-3 | 3-Major | K30515450 | Portal Access: Space-like characters in EUC character sets may be handled incorrectly. |
503842-4 | 3-Major | Microsoft WebService HTML component does not work after rewriting | |
640521-1 | 4-Minor | EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices | |
636254-2 | 4-Minor | Cannot reinitiate a sync on a target device when sync is completed | |
618404-1 | 4-Minor | Access Profile copying might be invalid if policies are named series of names. | |
606257-3 | 4-Minor | K56716107 | TCP FIN sent with Connection: Keep-Alive header for webtop page resources |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
630661-2 | 3-Major | K30241432 | WAM may leak memory when a WAM policy node has multiple variation header rules |
WAN Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
644970-1 | 2-Critical | Editing a virtual server config loses SSL encryption on iSession connections | |
644489-1 | 3-Major | K14899014 | Unencrypted iSession connection established even though data-encrypt configured in profile |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
639236-1 | 2-Critical | K66947004 | Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute |
624023-3 | 2-Critical | TMM cores in iRule when accessing a SIP header that has no value | |
569316-1 | 2-Critical | Core occurs on standby in MRF when routing to a route using a transport config | |
649933-1 | 3-Major | Fragmented RADIUS messages may be dropped | |
629663-1 | 3-Major | K23210890 | CGNAT SIP ALG will drop SIP INVITE |
625542-1 | 3-Major | SIP ALG with Translation fails for REGISTER refresh. | |
625098-3 | 3-Major | SCTP::local_port iRule not supported in MRF events | |
601255-4 | 3-Major | RTSP response to SETUP request has incorrect client_port attribute |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
632731-2 | 2-Critical | K21964367 | specific external logging configuration can cause TMM service restart |
628623-1 | 2-Critical | tmm core with AFM provisioned | |
639193-1 | 3-Major | K03453591 | BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail. |
631025-1 | 3-Major | 500 internal error on inline rule editor for certain firewall policies | |
610129-3 | 3-Major | K43320840 | Config load failure when cluster management IP is not defined, but instead uses address-list. |
592113-5 | 3-Major | tmm core on the standby unit with dos vectors configured | |
590805-4 | 3-Major | Active Rules page displays a different time zone. | |
431840-3 | 3-Major | Cannot add vlans to whitelist if they contain a hyphen |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
627257-2 | 2-Critical | Potential PEM crash during a Gx operation | |
626851-2 | 2-Critical | K37665112 | Potential crash in a multi-blade chassis during CMP state changes. |
624744-1 | 2-Critical | Potential crash in a multi-blade chassis during CMP state changes. | |
624733-1 | 2-Critical | Potential crash in a multi-blade chassis during CMP state changes. | |
624228-1 | 2-Critical | Memory leak when using insert action in pem rule and flow gets aborted | |
623922-5 | 2-Critical | K64388805 | TMM failure in PEM while processing Service-Provider Disaggregation |
641482-2 | 3-Major | Subscriber remains in delete pending state until CCR-t ack has success as result code is received | |
640510-3 | 3-Major | BWC policy category attachment may fail during a PEM policy update for a subscriber. | |
640457-2 | 3-Major | Session Creation failure after HA | |
635233-3 | 3-Major | K80902149 | Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages |
630611-1 | 3-Major | K84324392 | PEM module crash when subscriber not found |
627798-3 | 3-Major | Buffer length check for quota bucket objects | |
627279-2 | 3-Major | Potential crash in a multi-blade chassis during CMP state changes. | |
623927-2 | 3-Major | K41337253 | Flow entry memory leaked after DHCP DORA process |
564281-3 | 3-Major | TMM (debug) assert seen during Failover with Gy | |
628869-4 | 4-Minor | Unconditional logs seen due to the presence of a PEM iRule. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
609788 | 2-Critical | PCP may pick an endpoint outside the deterministic mapping | |
642284 | 3-Major | Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption. | |
629871-2 | 3-Major | FTP ALG deployment should not rewrite PASV response 464 XLAT cases |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
639750-1 | 2-Critical | username aliases are not supported | |
636370 | 3-Major | Application Layer Encryption AJAX support | |
629627-1 | 3-Major | FPS Log Publisher is not grouped nor filtered by partition | |
629127-1 | 3-Major | Parent profiles cannot be saved using FPS GUI | |
628348-1 | 3-Major | Cannot configure any Mobile Security list having 11 records or more via the GUI | |
628337-1 | 3-Major | Forcing a single injected tag configuration is restrictive | |
625275-1 | 3-Major | Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI | |
624198-1 | 3-Major | Unable to add multiple User-Defined alerts with the same search category | |
623518-1 | 3-Major | Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition | |
594127-2 | 3-Major | Pages using Angular may hang when Websafe is enabled | |
635541 | 4-Minor | "Application CSS Locations" is not inherited if changing parent profile |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
625172-1 | 2-Critical | tmm crashes when classification is enabled and ftp traffic is flowing through the box | |
631472-1 | 3-Major | Resetting classification signatures to default may result in non-working configuration |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
606518-3 | 2-Critical | iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username. | |
642983-1 | 3-Major | K94534313 | Update to max message size limit doesn't work sometimes |
629845-2 | 3-Major | Disallowing TLSv1 connections to HTTP causes iControl/REST issues | |
626542-2 | 3-Major | Unable to set maxMessageBodySize in iControl REST after upgrade★ |
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
618306-2 | CVE-2016-9247 | K33500120 | TMM vulnerability CVE-2016-9247 |
616864-1 | CVE-2016-2776 | K18829561 | BIND vulnerability CVE-2016-2776 |
613282-2 | CVE-2016-2086, CVE-2016-2216, CVE-2016-1669 | K15311661 | NodeJS vulnerability CVE-2016-2086 |
611469-3 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
597394-2 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
591328-7 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591325-8 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 |
591042-17 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
560109-7 | CVE-2017-6160 | K19430431 | Client capabilities failure |
618549-1 | CVE-2016-9249 | K71282001 | Fast Open can cause TMM crash CVE-2016-9249 |
618263-1 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
614147-1 | CVE-2017-6157 | K02692210 | SOCKS proxy defect resolution |
614097-1 | CVE-2017-6157 | K02692210 | HTTP Explicit proxy defect resolution |
607314-1 | CVE-2016-3500 CVE-2016-3508 | K25075696 | Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508 |
605039-3 | CVE-2016-2775 | K92991044 | lwresd and bind vulnerability CVE-2016-2775 |
601059-6 | CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 | K14614344 | libxml2 vulnerability CVE-2016-1840 |
599536-1 | CVE-2017-6156 | K05263202 | IPsec peer with wildcard selector brings up wrong phase2 SAs |
597023-1 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
595242-1 | CVE-2016-3705 | K54225343 | libxml2 vulnerabilities CVE-2016-3705 |
595231-1 | CVE-2016-3627 | K54225343 | libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705 |
594496-1 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
593447-1 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
592485 | CVE-2015-5157 CVE-2015-8767 | K17326 | Linux kernel vulnerability CVE-2015-5157 |
592001-1 | CVE-2016-4071 CVE-2016-4073 | K64412100 | CVE-2016-4073 PHP vulnerabilities |
591455-7 | CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 | K24613253 | NTP vulnerability CVE-2016-2516 |
591447-1 | CVE-2016-4070 | K42065024 | PHP vulnerability CVE-2016-4070 |
591358-1 | CVE-2016-3425 CVE-2016-0695 CVE-2016-3427 | K81223200 | Oracle Java SE vulnerability CVE-2016-3425 |
585424-1 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
580747-1 | CVE-2016-0739 | K57255643 | libssh vulnerability CVE-2016-0739 |
557190-3 | CVE-2017-6166 | K65615624 | 'packet_free: double free!' tmm core |
597010-1 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
596997-1 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
591767-8 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
591438-7 | CVE-2015-8865 | K54924436 | PHP vulnerability CVE-2015-8865 |
575629-3 | CVE-2015-8139 | K00329831 | NTP vulnerability: CVE-2015-8139 |
573343-1 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
615377-3 | 3-Major | | Unexpected rate limiting of unreachable and ICMP messages for some addresses. |
590122-2 | 3-Major | | Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification. |
581438-2 | 3-Major | | Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision. |
561348-7 | 3-Major | | krb5.conf file is not synchronized between blades and not backed up |
541549-2 | 3-Major | | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
530109-3 | 3-Major | | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
246726-1 | 3-Major | K8940 | System continues to process virtual server traffic after disabling virtual address |
599839-3 | 4-Minor | | Add new keywords to SIP::persist command to specify how Persistence table is updated |
591733-4 | 4-Minor | K83175883 | Save on Auto-Sync is missing from the configuration utility. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
625784 | 1-Blocking | | TMM crash on i4x00 and i2x00 platforms with large ASM configuration. |
617622 | 1-Blocking | | In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure |
621422 | 2-Critical | | i2000 and i4000 series appliances do not warn when an incorrect optic is in a port |
620056-1 | 2-Critical | | Assert on deletion of paired in-and-out IPsec traffic selectors |
617935 | 2-Critical | | IKEv2 VPN tunnels fail to establish |
617481-1 | 2-Critical | | TMM can crash when HTML minification is configured |
614865-5 | 2-Critical | | Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors. |
610354-1 | 2-Critical | | TMM crash on invalid memory access to loopback interface stats object |
605476-3 | 2-Critical | | statsd can core when reading corrupt stats files. |
601527-4 | 2-Critical | | mcpd memory leak and core |
600894-1 | 2-Critical | | In certain situations, the MCPD process can leak memory |
598748 | 2-Critical | | IPsec AES-GCM IVs are now based on a monotonically increasing counter |
598697-1 | 2-Critical | | vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★ |
595712-1 | 2-Critical | | Not able to add remote user locally |
591495-2 | 2-Critical | | VCMP guests sflow agent can crash due to duplicate vlan interface indices |
591104-1 | 2-Critical | | ospfd cores due to an incorrect debug statement. |
588686 | 2-Critical | | High-speed logging to remote logging node stops sending logs after all logging nodes go down |
587698-3 | 2-Critical | | bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured |
585745-2 | 2-Critical | | sod core during upgrade from 10.x to 12.x. |
583936-5 | 2-Critical | | Removing ECMP route from BGP does not clear route from NSM |
557680-4 | 2-Critical | | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
355806-7 | 2-Critical | | Starting mcpd manually at the command line interferes with running mcpd |
622877-1 | 3-Major | | i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away |
622199 | 3-Major | | sys-icheck reports error with /var/lib/waagent |
622194 | 3-Major | | sys-icheck reports error with ssh_host_rsa_key |
621423 | 3-Major | | sys-icheck reports error with /config/ssh/ssh_host_dsa_key |
621242-1 | 3-Major | | Reserve enough space in the image for future upgrades. |
621225 | 3-Major | | LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0" |
620782 | 3-Major | | Azure cloud now supports hourly billing |
619410-1 | 3-Major | | TMM hardware accelerated compression not registering for all compression levels. |
617986-2 | 3-Major | | Memory leak in snmpd |
617229-1 | 3-Major | K54245014 | Local policy rule descriptions disappear when policy is re-saved |
616242-3 | 3-Major | K39944245 | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
614530-2 | 3-Major | | Dynamic ECMP routes missing from Linux host |
614180-1 | 3-Major | | ASM is not available in LTM policy when ASM is licensed as the main active module |
610441-3 | 3-Major | | When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received. |
610352-1 | 3-Major | | sys-icheck reports error with /etc/sysconfig/modules/unic.modules |
610350-1 | 3-Major | | sys-icheck reports error with /config/bigpipe/defaults.scf |
610273-3 | 3-Major | | Not possible to do targeted failover with HA Group configured |
605894-3 | 3-Major | | Remote authentication for BIG-IP users can fail |
603149-2 | 3-Major | | Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy |
602854-8 | 3-Major | | Missing ASM control option from LTM policy rule screen in the Configuration utility |
602502-2 | 3-Major | | Unable to view the SSL Cert list from the GUI |
601989-3 | 3-Major | K88516119 | Remote LDAP system authenticated username is case sensitive★ |
601893-2 | 3-Major | | TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero. |
601502-4 | 3-Major | | Excessive OCSP traffic |
600558-5 | 3-Major | | Errors logged after deleting user in GUI |
599816-2 | 3-Major | | Packet redirections occur when using VLAN groups with members that have different cmp-hash settings. |
598443-1 | 3-Major | | Temporary files from TMSH not being cleaned up intermittently. |
598039-6 | 3-Major | | MCP memory may leak when performing a wildcard query |
597729-5 | 3-Major | | Errors logged after deleting user in GUI |
596104-1 | 3-Major | K84539934 | HA trunk unavailable for vCMP guest★ |
595773-4 | 3-Major | | Cancellation requests for chunked stats queries do not propagate to secondary blades |
594426-2 | 3-Major | | Audit forwarding Radius packets may be rejected by Radius server |
592870-2 | 3-Major | | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
592320-5 | 3-Major | | ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1 |
589083-2 | 3-Major | | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. |
586878-4 | 3-Major | | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ |
585833-3 | 3-Major | | Qkview will abort if /shared partition has less than 2GB free space |
585547-1 | 3-Major | | NTP configuration items are no longer collected by qkview★ |
585485-3 | 3-Major | | inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system |
584583-3 | 3-Major | K18410170 | Timeout error when using the REST API to retrieve large amount of data |
583285-5 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
582084-1 | 3-Major | | BWC policy in device sync groups. |
580500-1 | 3-Major | | /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed. |
578551-5 | 3-Major | | bop "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot |
576305-7 | 3-Major | | Potential MCPd leak in IPSEC SPD stats query code |
575649-5 | 3-Major | | MCPd might leak memory in IPFIX destination stats query |
575591-6 | 3-Major | | Potential MCPd leak in IKE message stats query code |
575589-5 | 3-Major | | Potential MCPd leak in IKE event stats query code |
575587-7 | 3-Major | | Potential MCPd leak in BWC policy class stats query code |
575176-1 | 3-Major | | Syn Cookie cache statistics on ePVA enabled devices are incremented with UDP traffic |
575066-1 | 3-Major | | Management DHCP settings do not take effect |
570818-4 | 3-Major | | Address lease-pool in IKEv2 might interfere with IKEv2 negotiations. |
568672-1 | 3-Major | | Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI |
566507-4 | 3-Major | | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment |
553795-7 | 3-Major | | Differing cert/key after successful config-sync |
547479-5 | 3-Major | | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted |
546145-1 | 3-Major | | Creating local user for previously remote user results in incomplete user definition. |
540872-1 | 3-Major | | Config sync fails after creating a partition. |
527206-5 | 3-Major | | Management interface may flap due to LOP sync error |
393270-1 | 3-Major | | Configuration utility may become non-responsive or fail to load. |
618421 | 4-Minor | | Some mass storage is left un-used |
617124 | 4-Minor | | Cannot map hardware type (12) to HardwareType enumeration |
581835-1 | 4-Minor | | Command failing: tmsh show ltm virtual vs_name detail. |
567546-1 | 4-Minor | | Files with file names larger than 100 characters are omitted from qkview |
564771-1 | 4-Minor | | cron sends purge_mysql_logs.pl email error on LTM-only device |
564522-2 | 4-Minor | K40547220 | cron is configured with MAILTO=root but mailhost defaults to 'mail' |
559837-4 | 4-Minor | | Misleading error message in catalina.out when listing certificates. |
551349-5 | 4-Minor | K80203854 | Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★ |
460833-5 | 4-Minor | | MCPD sync errors and restart after multiple modifications to file object in chassis |
572133-5 | 5-Cosmetic | | tmsh save /sys ucs command sends status messages to stderr |
442231-4 | 5-Cosmetic | | Pendsect log entries have an unexpected severity |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618905-1 | 1-Blocking | | tmm core while installing Safenet 6.2 client |
616215-4 | 2-Critical | | TMM can core when using LB::detach and TCP::notify commands in an iRule |
615388-1 | 2-Critical | | L7 policies using normalized HTTP URI or Referrer operands may corrupt memory |
612229-1 | 2-Critical | | TMM may crash if a disable policy action for 'LTM Policy' is not last |
609628-2 | 2-Critical | | CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session |
609199-6 | 2-Critical | | Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join |
608555-1 | 2-Critical | | Configuring asymmetric routing with a VE rate limited license will result in tmm crash |
607724-2 | 2-Critical | K25713491 | TMM may crash when in Fallback state. |
607524-2 | 2-Critical | | Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down. |
607360-5 | 2-Critical | | Safenet 6.2 library missing after upgrade★ |
606573-3 | 2-Critical | | FTP traffic does not work through SNAT when configured without Virtual Server★ |
605865-4 | 2-Critical | | Debug TMM produces core on certain ICMP PMTUD packets |
604133-2 | 2-Critical | | Ramcache may leave the HTTP Cookie Cache in an inconsistent state |
603032-1 | 2-Critical | | clientssl profiles with sni-default enabled may leak X509 objects |
602326-1 | 2-Critical | | Intermittent pkcs11d core when stopping or restarting pkcs11d service |
599135-2 | 2-Critical | | B2250 blades may suffer from high TMM CPU utilisation with tcpdump |
588959-2 | 2-Critical | K34453301 | TMM may crash or behave abnormally on a Standby BIG-IP unit |
588351-5 | 2-Critical | | IPv6 fragments are dropped when packet filtering is enabled. |
586449-1 | 2-Critical | | Incorrect error handling in HTTP cookie results in core when TMM runs out of memory |
584213-1 | 2-Critical | | Transparent HTTP profiles cannot have iRules configured |
575011-1 | 2-Critical | K21137299 | Memory leak. Nitrox3 Hang Detected. |
574880-3 | 2-Critical | | Excessive failures observed when connection rate limit is configured on a fastl4 virtual server. |
549329-3 | 2-Critical | K02020031 | L7 mirrored ACK from standby to active box can cause tmm core on active |
545810-3 | 2-Critical | K14304373 | TMM halts and restarts |
459671-4 | 2-Critical | | iRules source different procs from different partitions and executes the incorrect proc. |
617862-2 | 3-Major | | Fastl4 handshake timeout is absolute instead of relative |
617824-3 | 3-Major | | "SSL::disable/enable serverside" + oneconnect reuse is broken |
615143-1 | 3-Major | | VDI plugin-initiated connections may select inappropriate SNAT address |
613429-2 | 3-Major | | Unable to assign wildcard wide IPs to various BIG-IP DNS objects. |
613369-4 | 3-Major | | Half-Open TCP Connections Not Discoverable |
613079-4 | 3-Major | | Diameter monitor watchdog timeout fires after only 3 seconds |
613065-1 | 3-Major | | User can't generate netHSM key with Safenet 6.2 client using GUI |
612040-4 | 3-Major | | Statistics added for all crypto queues |
611320-3 | 3-Major | | Mirrored connection on Active unit of HA pair may be unexpectedly torn down |
610609-3 | 3-Major | | Total connections in bigtop, SNMP are incorrect |
608024-3 | 3-Major | | Unnecessary DTLS retransmissions occur during handshake. |
607803-3 | 3-Major | K33954223 | DTLS client (serverssl profile) fails to complete resumed handshake. |
607304-5 | 3-Major | | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. |
606940-3 | 3-Major | | Clustered Multiprocessing (CMP) peer connection may not be removed |
606575-6 | 3-Major | | Request-oriented OneConnect load balancing ends when the server returns an error status code. |
606565-2 | 3-Major | K52231531 | TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection |
604977-2 | 3-Major | K08905542 | Wrong alert when DTLS cookie size is 32 |
603236-1 | 3-Major | | 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware |
602385-1 | 3-Major | | Add zLib compression |
602366-1 | 3-Major | | Safenet 6.2 HA performance |
602358-5 | 3-Major | | BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version |
601496-4 | 3-Major | | iRules and OCSP Stapling |
601178-6 | 3-Major | | HTTP cookie persistence 'preferred' encryption |
598874-2 | 3-Major | | GTM Resolver sends FIN after SYN retransmission timeout |
597978-2 | 3-Major | | GARPs may be transmitted by active going offline |
597879-1 | 3-Major | | CDG Congestion Control can lead to instability |
597532-1 | 3-Major | | iRule: RADIUS avp command returns a signed integer |
597089-8 | 3-Major | | Connections are terminated after 5 seconds when using ePVA full acceleration |
593530-6 | 3-Major | | In rare cases, connections may fail to expire |
592784-2 | 3-Major | | Compression stalls, does not recover, and compression facilities cease. |
592497-1 | 3-Major | | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. |
591659-5 | 3-Major | K47203554 | Server shutdown is propagated to client after X-Cnection: close transformation. |
591476-7 | 3-Major | K53220379 | Stuck crypto queue can erroneously be reported |
591343-5 | 3-Major | K03842525 | SSL::sessionid output is not consistent with the sessionid field of ServerHello message. |
589223-1 | 3-Major | | TMM crash and core dump when processing SSL protocol alert. |
588115-1 | 3-Major | | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw |
588089-3 | 3-Major | | SSL resumed connections may fail during mirroring |
587016-3 | 3-Major | | SIP monitor in TLS mode marks pool member down after positive response. |
585813-3 | 3-Major | | SIP monitor with TLS mode fails to find cert and key files. |
585412-4 | 3-Major | | SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines |
583957-6 | 3-Major | | The TMM may hang handling pipelined HTTP requests with certain iRule commands. |
582465-1 | 3-Major | | Cannot generate key after SafeNet HSM is rebooted |
580303-5 | 3-Major | | When going from active to offline, tmm might send a GARP for a floating address. |
579843-1 | 3-Major | | tmrouted may not re-announce routes after a specific succession of failover states |
579371-4 | 3-Major | K70126130 | BIG-IP may generate ARPs after transition to standby |
578951-2 | 3-Major | | TCP Fast Open connection timeout during handshake does not decrement pre_established_connections |
572281-5 | 3-Major | | Variable value in the nesting script of foreach command gets reset when there is a parking command in the script |
570057-2 | 3-Major | | Can't install more than 16 SafeNet HSMs in its HA group |
569288-6 | 3-Major | | Different LACP key may be used in different blades in a chassis system causing trunking failures |
565799-4 | 3-Major | | CPU Usage increases when using masquerade addresses |
551208-6 | 3-Major | | Nokia alarms are not deleted due to the outdated alert_nokia.conf. |
550161-4 | 3-Major | | Networking devices might block a packet that has a TTL value higher than 230. |
545796-5 | 3-Major | | [iRule] [Stats] iRule is not generating any stats for executed iRules. |
545450-5 | 3-Major | | Log activation/deactivation of TM.TCPMemoryPressure |
537553-8 | 3-Major | | tmm might crash after modifying virtual server SSL profiles in SNI configuration |
534457-4 | 3-Major | | Dynamically discovered routes might fail to remirror connections. |
530266-7 | 3-Major | | Rate limit configured on a node can be exceeded |
506543-5 | 3-Major | | Disabled ephemeral pool members continue to receive new connections |
483953-1 | 3-Major | | Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value. |
472571-7 | 3-Major | | Memory leak with multiple client SSL profiles. |
464801-3 | 3-Major | | Intermittent tmm core |
423392-6 | 3-Major | | tcl_platform is no longer in the static:: namespace |
371164-1 | 3-Major | | BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might be associated with multiple VLANs. |
225634-1 | 3-Major | K12947 | The rate class feature does not honor the Burst Size setting. |
598860-4 | 4-Minor | | IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address |
587676-2 | 4-Minor | | SMB monitor fails due to internal configuration issue |
560471-1 | 4-Minor | | Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down |
544033-5 | 4-Minor | K30404012 | ICMP fragmentation request is ignored by BIG-IP |
222034-4 | 4-Minor | K9456 | HTTP::respond in LB_FAILED with large header/body might result in truncated response |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
510631-1 | 3-Major | | B4450 L4 No ePVA or L7 throughput lower than expected |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
603598-3 | 2-Critical | | big3d memory under extreme load conditions |
587656-2 | 2-Critical | | GTM auto discovery problem with EHF for ID574052 |
587617-1 | 2-Critical | | While adding GTM server, failure to configure new IP on existing server leads to gtmd core |
615338-2 | 3-Major | | The value returned by "matchregion" in an iRule is inconsistent in some cases. |
613576-1 | 3-Major | | QOS load balancing links display as gray |
613045-7 | 3-Major | | Interaction between GTM and 10.x LTM results in some virtual servers marked down |
607658-1 | 3-Major | | GUI becomes unresponsive when managing GSLB Pool |
589256-1 | 3-Major | K71283501 | DNSSEC NSEC3 records with different type bitmap for same name. |
588289-1 | 3-Major | | GTM is Re-ordering pools when adding pool including order designation |
584623-2 | 3-Major | | Response to -list iRules command gets truncated when dealing with MX type wide IP |
574052-4 | 3-Major | | GTM autoconf can cause high CPU usage for gtmd |
370131-4 | 3-Major | | Loading UCS with low GTM Autoconf Delay drops pool Members from config |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
609499-1 | 2-Critical | | Compiled signature collections use more memory than prior versions |
603945-2 | 2-Critical | | BD config update should be considered as config addition in case of update failure |
588087-1 | 2-Critical | | Attack prevention isn't escalating under some conditions in session opening mitigation |
587629-2 | 2-Critical | | IP exceptions may have issues with route domain |
575133-1 | 2-Critical | | asm_config_server_rpc_handler_async.pl SIGSEGV and core |
622386-1 | 3-Major | | Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled |
621808-1 | 3-Major | | Proactive Bot Defense failing in IE11 with Compatibility View enabled |
616169 | 3-Major | | ASM Policy Export returns HTML error file |
613459-1 | 3-Major | | Non-common browsers blocked by Proactive Bot Defense |
613396-1 | 3-Major | | Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs |
611385-1 | 3-Major | | "Learn Explicit Entities" may continue to work as if it is 'Add All Entities' |
610857-1 | 3-Major | | DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver. |
610830-1 | 3-Major | | FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page. |
609496-2 | 3-Major | | Improved diagnostics in BD config update (bd_agent) added |
608509-1 | 3-Major | | Policy learning is slow under high load |
606875-1 | 3-Major | | DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page |
604923-5 | 3-Major | | REST id for Signatures change after update |
604612-1 | 3-Major | K20323120 | Modified ASM cookie violation happens after upgrade to 12.1.x★ |
602221-2 | 3-Major | | Wrong parsing of redirect Domain |
601924-1 | 3-Major | | Selenium detection by ports scanning doesn't work even if the ports are opened |
596502-1 | 3-Major | | Unable to force Bot Defense action to Allow in iRule |
584642-1 | 3-Major | | Apply Policy Failure |
584103-2 | 3-Major | | FPS periodic updates (cron) write errors to log |
582683-2 | 3-Major | | xpath parser doesn't reset a namespace hash value between each and every scan |
582133-1 | 3-Major | | Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.) |
581315-1 | 3-Major | | Selenium detection not blocked |
579917-1 | 3-Major | | User-defined signature set cannot be created/updated with Signature Type = "All" |
579495-1 | 3-Major | | Error when loading Upgrade UCS★ |
521204-2 | 3-Major | | Include default values in XML Policy Export |
501892-1 | 3-Major | | Selenium is not detected by headless mechanism when using client version without server |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
602654-2 | 2-Critical | | TMM crash when using AVR lookups |
602434-1 | 2-Critical | | Tmm crash with compressed response |
601056 | 2-Critical | | TCP-Analytics, error message not using rate-limit mechanism can halt TMM |
622735 | 3-Major | | TCP Analytics statistics do not list all virtual servers |
618944-1 | 3-Major | | AVR statistics are not saved during the upgrade process |
601035 | 3-Major | | TCP-Analytics can fail to collect all the activity |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618506 | 2-Critical | | TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual. |
618324-1 | 2-Critical | | Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor |
592868-3 | 2-Critical | | Rewrite may crash processing HTML tag with HTML entity in attribute value |
591117-3 | 2-Critical | | APM ACL construction may cause TMM to core if TMM is out of memory |
569563-3 | 2-Critical | | Sockets resource leak after loading complex policy |
619250-1 | 3-Major | | Returning to main menu from "RSS Feed" breaks ribbon |
617187-1 | 3-Major | | APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate |
614891-2 | 3-Major | | Routing table doesn't get updated when EDGE client roams among wireless networks |
613613-2 | 3-Major | | Incorrect handling of form that contains a tag with id=action |
611922-1 | 3-Major | | Policy sync fails with policy that includes custom CA Bundle. |
611240-3 | 3-Major | | Import of config with securid might fail |
610224-3 | 3-Major | | APM client may fetch expired certificate when a valid and an expired certificate co-exist |
608941-1 | 3-Major | | AAA RADIUS system authentication fails on IPv6 network |
604767-1 | 3-Major | | Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of IdP connector object. |
601905-1 | 3-Major | | POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server |
600119-3 | 3-Major | | DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions |
598981-3 | 3-Major | K06913155 | APM ACL does not get enforced all the time under certain conditions |
598211-1 | 3-Major | | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. |
597431-2 | 3-Major | | VPN establishment may fail when computer wakes up from sleep |
596116-3 | 3-Major | | LDAP Query does not resolve group membership, when required attribute(s) specified |
595227-1 | 3-Major | | SWG Custom Category: unable to have a URL in multiple custom categories |
594288-1 | 3-Major | | Access profile configured with SWG Transparent results in memory leak. |
592414-4 | 3-Major | | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed |
591840-1 | 3-Major | | encryption_key in access config is NULL in whitelist |
591590-1 | 3-Major | | APM policy sync results are not persisted on target devices |
591268-1 | 3-Major | | VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions |
590820-3 | 3-Major | | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. |
588888-3 | 3-Major | K80124134 | Empty URI rewriting is not done as required by browser. |
586718-1 | 3-Major | | Session variable substitutions are logged |
586006-1 | 3-Major | | Failed to retrieve CRLDP list from client certificate if DirName type is present |
585562-3 | 3-Major | | VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari |
583113-1 | 3-Major | | NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event |
582752-3 | 3-Major | | Macrocall could be topologically not connected with the rest of policy.★ |
582526-3 | 3-Major | | Unable to display and edit huge policies (more than 4000 elements) |
580893-2 | 3-Major | K08731969 | Support for Single FQDN usage with Citrix Storefront Integration mode |
573643-3 | 3-Major | | flash.utils.Proxy functionality is not negotiated |
572558-1 | 3-Major | | Internet Explorer: incorrect handling of document.write() to closed document |
569309-3 | 3-Major | | Clientside HTML parser does not recognize HTML event attributes without value |
562636-2 | 3-Major | K05489319 | Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases. |
525429-11 | 3-Major | | DTLS renegotiation sequence number compatibility |
455975-1 | 3-Major | | Separate MIBS needed for tracking Access Sessions and Connectivity Sessions |
389484-6 | 3-Major | | OAM reporting Access Server down with JDK version 1.6.0_27 or later |
386517-1 | 3-Major | | Multidomain SSO requires a default pool be configured |
238444-3 | 3-Major | K14219 | An L4 ACL has no effect when a layered virtual server is used. |
605627 | 4-Minor | | SELinux denial seen for apmd when it is being shutdown. |
584373-2 | 4-Minor | | AD/LDAP resource group mapping table controls are not accessible sometimes |
573611-1 | 4-Minor | | Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs |
557411-1 | 4-Minor | | Full Webtop resources appear overlapping in IE11 compatibility mode |
WAN Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
619757-1 | 2-Critical | | iSession causes routing entry to be prematurely freed |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
613297-3 | 2-Critical | | Default generic message routing profile settings may core |
612135-3 | 2-Critical | | Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic |
603397-2 | 2-Critical | | tmm core on MRF when routing via MR::message route iRule command using a nonexistent transport-config |
596631-2 | 2-Critical | | SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later |
609575-5 | 3-Major | | BIG-IP drops ACKs containing no max-forwards header |
609328-3 | 3-Major | K53447441 | SIP Parser incorrectly parses empty header |
607713-3 | 3-Major | | SIP Parser fails header with multiple sequential separators inside quoted string. |
603019-3 | 3-Major | | Inserted SIP VIA branch parameter not unique between INVITE and ACK |
599521-5 | 3-Major | | Persistence entries not added if message is routed via an iRule |
598854-3 | 3-Major | | sipdb tool incorrectly displays persistence records without a pool name |
598700-6 | 3-Major | | MRF SIP Bidirectional Persistence does not work with multiple virtual servers |
597835-3 | 3-Major | K12228503 | Branch parameter in inserted VIA header not consistent as per spec |
583010-4 | 3-Major | | Sending a SIP invite with 'tel' URI fails with a reset |
578564-4 | 3-Major | | ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response |
573075-4 | 3-Major | | ADAPT recursive loop when handling successive iRule events |
566576-6 | 3-Major | | ICAP/OneConnect reuses connection while previous response is in progress |
401815-1 | 3-Major | | BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic |
585807-2 | 4-Minor | | 'ICAP::method <method>' iRule is documented but is read-only |
561500-4 | 4-Minor | | ICAP Parsing improvement |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
612874-1 | 2-Critical | | iRule with FLOW_INIT stage execution can cause TMM restart |
609095-1 | 2-Critical | | mcpd memory grows when updating firewall rules |
622281-1 | 3-Major | | Network DoS logging configuration change can cause TMM crash |
614284-2 | 3-Major | | Performance fix to not reset a data structure in the packet receive hotpath. |
608566-1 | 3-Major | | The reference count of NW dos log profile in tmm log is incorrect |
605427-1 | 3-Major | | TMM may crash when adding and removing virtual servers with security log profiles |
594869-4 | 3-Major | | AFM can log DoS attack against the internal mpi interface and not the actual interface |
594075-2 | 3-Major | | Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically |
586070 | 3-Major | | 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings |
585823-1 | 3-Major | | FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode) |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
609005-2 | 1-Blocking | | Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67). |
611467-3 | 2-Critical | | TMM coredump at dhcpv4_server_set_flow_key(). |
608009-1 | 2-Critical | | Crash: Tmm crashing when active system connections are deleted from cli |
603825-2 | 2-Critical | | Crash when a Gy update message is received by a debug TMM |
593070-2 | 2-Critical | | TMM may crash with multiple IP addresses per session |
472860-5 | 2-Critical | | RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented. |
623491-2 | 3-Major | | After receiving the first Gx response from the PCRF, the BWC action against a rule is lost. |
622220-2 | 3-Major | | Disruption during manipulation of PEM data with suspected flow irregularity |
618657-4 | 3-Major | | Bogus ICMP unreachable messages in PEM with ipother profile in use |
617014-3 | 3-Major | | tmm core using PEM |
608742-2 | 3-Major | K48561135 | DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode. |
608591-1 | 3-Major | | Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers |
592070-5 | 3-Major | | DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied |
588456-3 | 3-Major | K60250444 | PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed). |
577863-5 | 3-Major | K56504204 | DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
606066-2 | 2-Critical | LSN_DELETE messages may be lost after HA failover | |
605525-1 | 2-Critical | Deterministic NAT combined with NAT64 may cause a TMM core | |
587106-1 | 2-Critical | Inbound connections are reset prematurely when zombie timeout is configured. | |
602171-1 | 3-Major | TMM may core when remote LSN operations time out |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
617648 | 2-Critical | Surfing with IE8 sometimes results with script error | |
603234-3 | 2-Critical | Performance Improvements | |
597471 | 2-Critical | Some Alerts are sent with outdated username value | |
617688 | 3-Major | Encryption is not activated unless "real-time encryption" is selected | |
613671-2 | 3-Major | Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation | |
610897-2 | 3-Major | FPS generated request failure throw "unspecified error" error in old IE. | |
609098-1 | 3-Major | Improve details of ajax failure | |
604885-1 | 3-Major | Redirect/Route action doesn't work if there is an alert logging iRule | |
601083-1 | 3-Major | FPS Globally Forbidden Words lists freeze in IE 11 | |
588058-3 | 3-Major | False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer | |
609114-1 | 4-Minor | Add the ability to control dropping of alerts by before-load-function | |
605125-2 | 4-Minor | Sometimes, passwords fields are readonly | |
592274-3 | 4-Minor | RAT-Detection alerts sent with incorrect duration details |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
588405-1 | 3-Major | BADOS - BIG-IP Self-protection during (D)DOS attack | |
608826-1 | 4-Minor | Greylist (bad actors list) is not cleaned when attack ends |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
624370-1 | 2-Critical | tmm crash during classification hitless upgrade if virtual server configuration is modified |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
621401 | 3-Major | When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
615824-1 | 3-Major | REST API calls to invalid REST endpoint log level change |
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
613127-3 | CVE-2016-5696 | K46514822 | Linux TCP Stack vulnerability CVE-2016-5696 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
612564 | 1-Blocking | mysql does not start | |
618382-4 | 2-Critical | qkview may cause tmm to restart or may take 30 or more minutes to run | |
614766-1 | 3-Major | lsusb uses unknown ioctl and spams kernel logs | |
612952-1 | 3-Major | PSU FW revision not displayed correctly | |
611352 | 3-Major | K68092141 | Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms |
610307 | 3-Major | Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber | |
609325 | 3-Major | Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported | |
606807-1 | 3-Major | i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error | |
604459-1 | 3-Major | On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up | |
597309-2 | 3-Major | Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms | |
561444-1 | 3-Major | LCD might display incorrect output. | |
521270-1 | 3-Major | Hypervisor might replace vCMP guest SYN-Cookie secrets | |
434573-6 | 3-Major | K25051022 | Tmsh 'show sys hardware' displays Platform ID instead of platform name |
609677-1 | 4-Minor | Dossier warning 14 | |
607857-1 | 4-Minor | Some information displayed in "list net interface" will be stale for interfaces that change bundle state | |
607200-1 | 4-Minor | Switch interfaces may seem up after bcm56xxd goes down | |
602061 | 4-Minor | i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages | |
601309 | 4-Minor | Locator LED no longer persists across reboots | |
592716-1 | 4-Minor | BMC timezone value was not being synchronized by BIG-IP |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
597708-4 | 3-Major | Stats are unavailable and vCMP state and status are incorrect |
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
598294-1 | CVE-2016-7472 | K17119920 | BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472 |
601938-2 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
542097-4 | 2-Critical | Update to RHEL6 kernel | |
601927-1 | 4-Minor | K52180214 | Security hardening of control plane |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
602653-1 | 2-Critical | TMM may crash after updating bot-signatures | |
599769 | 2-Critical | TMM may crash when managing APM clients. | |
605682-2 | 3-Major | With forward proxy enabled, sometimes the client connection will not complete. | |
599054-2 | 3-Major | LTM policies may incorrectly use those of another virtual server |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
585120-1 | 2-Critical | Memory leak in bd under rare scenario |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
596674-2 | 2-Critical | High memory usage when using CS features with gzip HTML responses. | |
575170-2 | 2-Critical | Analytics reports may not identify virtual servers correctly | |
590074-1 | 3-Major | Wrong value for TCP connections closed measure |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
603997 | 2-Critical | Plugin should not inject nonce to CSP header with unsafe-inline | |
594910-1 | 3-Major | FPS flags no cookie when length check fails | |
590608-1 | 3-Major | Alert is not redirected to alert server when unseal fails | |
590578-4 | 3-Major | False positive "URL error" alerts on URLs with GET parameters | |
593355 | 4-Minor | FPS may erroneously flag missing cookie | |
589318-1 | 4-Minor | Clicking 'Customize All' checkbox does not work. |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
603605-1 | 2-Critical | Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active | |
608373-2 | 3-Major | Some iApp LX packages will not be saved during upgrade or UCS save/restore |
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
596488-1 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
579955-6 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
587077-1 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
579220-1 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
570697-1 | CVE-2015-8138 | K71245322 | NTP vulnerability CVE-2015-8138 |
580340-1 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
580313-1 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
579829-7 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
579085-6 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
578570-1 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
569355-1 | CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 | K50118123 | Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 |
565895-1 | CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 | K17235 | Multiple PCRE Vulnerabilities |
570667-2 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
600811-2 | 3-Major | CATEGORY::lookup command change in behaviour★ |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
606509-4 | 2-Critical | Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★ | |
595605 | 2-Critical | Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★ | |
591119 | 2-Critical | OOM with session messaging may result in TMM crash | |
601076 | 3-Major | Fix watchdog event for accelerated compression request overflow | |
597303 | 3-Major | "tmsh create net trunk" may fail | |
595693 | 3-Major | Incorrect PVA indication on B4450 blade | |
591261 | 3-Major | BIG-IP VPR-B4450N shows "unknown" SNMP Object ID | |
590904-1 | 3-Major | New HA Pair created using serial cable failover only will remain Active/Active | |
589661 | 3-Major | PS2 power supply status incorrect after removal | |
588327 | 3-Major | Observe "err bcm56xxd' liked log from /var/log/ltm | |
587735 | 3-Major | False alarm on LCD indicating bad fan | |
587668 | 3-Major | LCD Checkmark button does not always bring up clearing prompt on VIPRION blades. | |
585332 | 3-Major | Virtual Edition network settings aren't pinned correctly on startup★ | |
584670 | 3-Major | Output of tmsh show sys crypto master-key | |
584661 | 3-Major | Last good master key | |
584655 | 3-Major | platform-migrate won't import password protected master-keys from a 10.2.4 UCS file | |
583177 | 3-Major | LCD text truncated by heartbeat icon on VIPRION | |
581945-2 | 3-Major | Device-group 'datasync-global-dg' becomes out-of-sync every hour | |
581811 | 3-Major | The blade alarm LED may not reflect the warning that non F5 optics is used. | |
579529 | 3-Major | Stats file descriptors kept open in spawned child processes | |
578064 | 3-Major | tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade | |
578036-1 | 3-Major | incorrect crontab can cause large number of email alerts | |
573584 | 3-Major | CPLD update success logs at the same error level as an update failure | |
563592 | 3-Major | Content diagnostics and LCD | |
559655 | 3-Major | Post RMA, system does not display correct platform name regardless of license | |
555039-4 | 3-Major | K24458124 | VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration |
539360 | 3-Major | Firmware update that includes might take over 15 minutes. Do not turn off device. | |
526708 | 3-Major | system_check shows fan=good on removed PSU of 4000 platform | |
433357 | 3-Major | Management NIC speed reported as 'none' | |
400778 | 3-Major | Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete | |
400550 | 3-Major | LCD listener error during shutdown | |
587780 | 4-Minor | warning: HSBe2 XLMAC initial recovery failed after 11 retries. | |
478986 | 4-Minor | Powered down DC PSU is treated as not-present | |
418009 | 5-Cosmetic | Hardware data display inaccuracies |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
603700 | 2-Critical | tmm core on multiple SSL::disable calls | |
598052-1 | 2-Critical | SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails | |
591139 | 2-Critical | TMM QAT segfault after zlib/QAT compression conflation. | |
585654 | 2-Critical | Enhanced implementation of AES in Common Criteria mode | |
579953 | 2-Critical | Updated the list of Common Criteria ciphersuites | |
584926-1 | 3-Major | Accelerated compression segfault when devices are all in error state. | |
566342 | 3-Major | Cannot set 10T-FD or 10T-HD on management port |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
599803 | 1-Blocking | TMM accelerated compression incorrectly destroying in-flight contexts. | |
588879-2 | 2-Critical | apmd crash under rare conditions with LDAP |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
581824-2 | 3-Major | "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
588049-1 | 2-Critical | Improve detection of browser capabilities | |
585352-2 | 2-Critical | bruteForce record selfLink gets corrupted by change to brute force settings in GUI | |
585054-1 | 2-Critical | BIG-IP imports delay violations incorrectly, causing wrong policy enforcement | |
583686-2 | 3-Major | High ASCII meta-characters can be disallowed on UTF-8 policy via XML import | |
581991-1 | 3-Major | Logging filter for remote loggers doesn't work correctly with more than one logging profile | |
521370-1 | 3-Major | Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8 | |
518201-4 | 3-Major | ASM policy creation fails with after upgrading |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
587419-1 | 3-Major | TMM may restart when SAML SLO is performed after APM session is closed | |
585442-2 | 3-Major | Provisioning APM to 'none' creates a core file |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
596809-1 | 3-Major | It is possible to create ssh rules with blank space for auth-info | |
593925-1 | 3-Major | ssh profile should not contain rules that begin and end with spaces (cannot be deleted) | |
593696-1 | 3-Major | Sync fails when deleting an ssh profile |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
584921-1 | 2-Critical | Inbound connections fail to keep port block alive |
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
600662-9 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
599168-7 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
598983-7 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
580596-1 | CVE-2013-0169 CVE-2016-6907 | K14190 K39508724 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
604211-1 | 2-Critical | K72931250 | License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★ |
600859-2 | 2-Critical | Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★ | |
599033-5 | 2-Critical | Traffic directed to incorrect instance after network partition is resolved | |
595394-3 | 2-Critical | Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★ | |
606110-2 | 3-Major | BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets. | |
596814-4 | 3-Major | HA Failover fails in certain valid AWS configurations | |
596603-2 | 3-Major | AWS: BIG-IP VE doesn't work with c4.8xlarge instance type. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
600357-2 | 3-Major | bd crash when asm policy is removed from virtual during specific configuration change |
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
569467-5 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
591806-8 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
591918-2 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
591908-2 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
591894-2 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
591881-1 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
583631-2 | 1-Blocking | ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers. | |
590993 | 3-Major | Unable to load configs from /usr/libexec/aws/. | |
576478 | 3-Major | Enable support for the Purpose-Built DDoS Hybrid Defender Platform | |
544477 | 3-Major | New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
591039 | 2-Critical | DHCP lease is saved on the Custom AMI used for auto-scaling VE | |
590779 | 2-Critical | Rest API - log profile in json return does not include the partition but needs to | |
588140 | 2-Critical | Pool licensing fails in some KVM/OpenStack environments | |
587791-1 | 2-Critical | Set execute permission on /var/lib/waagent | |
565137 | 2-Critical | K12372003 | Pool licensing fails in some KVM/OpenStack environments. |
554713-2 | 2-Critical | Deployment failed: Failed submitting iControl REST transaction | |
592363 | 3-Major | Remove debug output during first boot of VE | |
592354 | 3-Major | Raw sockets are not enabled on Cloud platforms |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
592699-3 | 2-Critical | IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance | |
594302-1 | 3-Major | Connection hangs when processing large compressed responses from server | |
592854-1 | 3-Major | Protocol version set incorrectly on serverssl renegotiation | |
592682-1 | 3-Major | TCP: connections may stall or be dropped | |
531979-6 | 3-Major | SSL version in the record layer of ClientHello is not set to be the lowest supported version. |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
582629-1 | 2-Critical | User Sessions lookups are not cleared, session stats show marked as invalid |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
590601-2 | 3-Major | BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed | |
590428-1 | 3-Major | The "ACCESS::session create" iRule command does not work | |
590345-1 | 3-Major | ACCESS policy running iRule event agent intermittently hangs | |
585905-1 | 3-Major | Citrix Storefront integration mode with pass-through authentication fails | |
581834-5 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
588399-1 | 3-Major | BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated | |
582374-1 | 3-Major | Multiple 'Loading state for virtual server' messages in admd.log | |
569121-1 | 3-Major | Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low | |
547053-1 | 4-Minor | Bad actor quarantining |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
590795-1 | 2-Critical | tmm crash when loading default signatures or updating classification signature★ |
Cumulative fix details for BIG-IP v12.1.4 that are included in this release
750488 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.
Conditions:
Responses to queries with EDNS0 record to DNS Cache do not contain the RFC-required EDNS0 record.
Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
Corrected EDNS OPT record handling in DNS Cache.
Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:
example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa
These types of responses are expected when running the validation tool against DNS Cache.
750484 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.
Conditions:
A client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.
Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.
Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:
example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa
These types of responses are expected when running the validation tool against DNS Cache.
750472 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.
Conditions:
A client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.
Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, send a response with the BADVERS error code as stipulated by the RFC.
Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:
example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
750457 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.
Conditions:
Queries to DNS Express containing an EDNS0 record it does not understand.
Impact:
DNS Express responses might not contain the RFC-required EDNS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
Corrected EDNS OPT record handling in DNS Express.
Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:
example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
749774-2 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749675-2 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
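The EDNS conditions described in 750488, 750457, 750484, 750472 and 749675 (missing OPT record, dropped query instead of BADVERS, two OPT records in one response) can be checked on captured query/response pairs. The following Python is an added example, not F5 code: the function names, finding labels and sample messages are constructed for illustration, and it assumes the server implements only EDNS version 0.

```python
import struct

TYPE_OPT = 41        # EDNS(0) pseudo-RR type (RFC 6891)
RCODE_BADVERS = 16   # extended RCODE for an unsupported EDNS version
FLAG_QR, FLAG_TC = 0x8000, 0x0200


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_rr(udp_size=4096, ext_rcode=0, version=0):
    """Build an OPT RR: root owner, CLASS = UDP size, TTL = ext-rcode|version|flags."""
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_message(qname, flags=0, rcode=0, additional=()):
    """Build a one-question message (A/IN) with the given additional-section RRs."""
    header = struct.pack("!HHHHHH", 0x1234, flags | (rcode & 0xF),
                         1, 0, 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    return header + question + b"".join(additional)


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_edns(msg):
    """Return (header flags, list of OPT records) for a wire-format message."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # QTYPE + QCLASS
        opts = []
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("RDATA runs past the end of the message")
            if rtype == TYPE_OPT:
                opts.append({"udp_size": rclass,
                             "ext_rcode": ttl >> 24,
                             "version": (ttl >> 16) & 0xFF})
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed DNS message") from exc
    return flags, opts


def check_response(query, response):
    """List EDNS handling problems in a response to the given query."""
    _, q_opts = parse_edns(query)
    if not q_opts:
        return []                       # plain DNS query, nothing to check
    if response is None:
        return ["no-response"]          # query dropped; the client times out
    flags, r_opts = parse_edns(response)
    findings = []
    if not r_opts:
        findings.append("missing-opt")  # OPT in the query, none in the response
    elif len(r_opts) > 1:
        findings.append("multiple-opt") # malformed: at most one OPT is allowed
    if q_opts[0]["version"] > 0:        # assumption: server supports version 0 only
        ext = r_opts[0]["ext_rcode"] if r_opts else 0
        if ((ext << 4) | (flags & 0xF)) != RCODE_BADVERS:
            findings.append("badvers-expected")
    return findings


# Constructed sample messages (not captured traffic).
QUERY_V0 = build_message("example1.com", additional=[opt_rr()])
QUERY_V1 = build_message("example1.com", additional=[opt_rr(version=1)])
RESP_OK = build_message("example1.com", flags=FLAG_QR, additional=[opt_rr()])
RESP_NO_OPT = build_message("example1.com", flags=FLAG_QR)
RESP_TWO_OPT = build_message("example1.com", flags=FLAG_QR | FLAG_TC,
                             additional=[opt_rr(), opt_rr()])
RESP_BADVERS = build_message("example1.com", flags=FLAG_QR,
                             additional=[opt_rr(ext_rcode=RCODE_BADVERS >> 4)])

if __name__ == "__main__":
    for label, q, r in [("ok", QUERY_V0, RESP_OK),
                        ("no OPT", QUERY_V0, RESP_NO_OPT),
                        ("two OPT, truncated", QUERY_V0, RESP_TWO_OPT),
                        ("v1 dropped", QUERY_V1, None),
                        ("v1 BADVERS", QUERY_V1, RESP_BADVERS)]:
        print(f"{label}: {check_response(q, r) or 'compliant'}")
```
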
748187-1 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If the transaction is not very large, configure icrd_child to only run single-threaded.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
746868 : memory leakage when "apply to base domain" is enabled
Component: Fraud Protection Services
Symptoms:
Memory leakage when "apply to base domain" is enabled. This can result in a crash or aggressive sweeper mode.
Conditions:
"apply to base domain" is enabled in the anti-fraud profile
Impact:
Aggressive connections sweeper mode, and traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
745574-4 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
"bigstart restart tmm" will resolve the issue.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
745358-4 : ASM GUI does not follow best practices
Component: Application Security Manager
Symptoms:
When processing requests to the administrative webUI, ASM does not follow best practices.
Conditions:
ASM provisioned and enabled.
Authenticated user with Administrator, Resource Administrator, or ASM Administrator roles.
Impact:
Unexpected HTML output.
Workaround:
None.
Fix:
When processing webUI requests ASM now follows best practices.
744516-2 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
744347-1 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744117-6 : The HTTP URI is not always parsed correctly
Component: Local Traffic Manager
Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.
Conditions:
-- HTTP profile is configured.
-- The URI is inspected.
Impact:
If the URI is used for security checks, then those checks might be bypassed.
Workaround:
None.
Fix:
The HTTP URI is parsed in a more robust manner.
741423-1 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Component: TMOS
Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for HA or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established HA or config-sync configurations.
741108 : tmm dosl7 memory leak when X-Forwarded-For header value contains a long list of comma-separated IP addresses
Component: Application Security Manager
Symptoms:
tmm memory leak can lead to tmm out-of-memory state.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has device ID enabled.
-- HTTP profile accept_xff enabled.
Impact:
Unexpected tmm out-of-memory state can be reached, causing sweeper activity and disrupting traffic.
Workaround:
Disable accept_xff in HTTP profile that is assigned to a virtual server along with ASM policy.
Fix:
The leak is now fixed.
740777-2 : Secondary blades mcp daemon restart when subroutine properties are configured
Component: Access Policy Manager
Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.
Conditions:
When a subroutine is configured in the access policy.
Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.
Workaround:
There is no workaround other than to not use subroutine in the access policy.
Fix:
You can now use subroutines in the access policy.
740490-2 : Configuration changes involving HTTP2 or SPDY may leak memory
Component: Local Traffic Manager
Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.
Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.
Workaround:
None.
Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.
739945-1 : JavaScript challenge on POST with 307 breaks application
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
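One way to write the iRule described in this workaround, added here as an example and not taken from F5. It treats TS*75 as a glob for the cookie name, as the text above writes it; the variable name ts75_cookies is made up for this example, and no other cookie attributes are set because the page does not specify any.

```tcl
when HTTP_REQUEST {
    # Collect ASM challenge cookies (names matching TS*75) that the client
    # sent with this request. ts75_cookies is a flat name/value list and is
    # reset on every request so values never carry over on a keep-alive
    # connection.
    set ts75_cookies [list]
    if { [HTTP::method] eq "POST" } {
        foreach name [HTTP::cookie names] {
            if { [string match "TS*75" $name] } {
                lappend ts75_cookies $name [HTTP::cookie value $name]
            }
        }
    }
}

when HTTP_RESPONSE {
    # Only a 307 Redirect needs the cookie re-issued for the redirect target.
    if { [HTTP::status] == 307 && [info exists ts75_cookies] } {
        foreach {name value} $ts75_cookies {
            # Re-issue the cookie with Path=/ so the browser also sends it
            # to the redirected URL, where the POST payload is reconstructed.
            HTTP::header insert "Set-Cookie" "${name}=${value}; Path=/"
        }
    }
}
```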
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
739927-1 : Bigd crashes after a specific combination of logging operations
Component: Local Traffic Manager
Symptoms:
Bigd crashes. Bigd core will be generated.
Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.
Impact:
Bigd crashes.
Workaround:
None.
Fix:
Bigd no longer crashes under these conditions.
739798 : Massive number of log messages being generated and written to the bd.log.
Component: Application Security Manager
Symptoms:
Log messages regarding parameters might fill the bd.log file. The log messages appear similar to the following:
deleting job-> converterd key
deleting p_node
Conditions:
No special conditions are required to cause this to occur.
Impact:
Lots of I/O processing. Potentially large bd.log file.
Workaround:
None.
Fix:
Fixed a scenario that resulted in a massive number of log messages being generated and written to the bd.log.
739744-2 : Import of Policy using Pool with members is failing
Component: Access Policy Manager
Symptoms:
Import of a policy that uses a pool with members fails with the error: Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)
Conditions:
The policy has a pool attached to it with resource assign or chained objects.
Impact:
The policy cannot be imported on the same box.
Workaround:
There is no workaround at this time.
Fix:
ng-import is now importing policy correctly.
739144-1 : Domain logoff scripts runs after VPN connection is closed
Component: Access Policy Manager
Symptoms:
APM Network Access option: 'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.
Conditions:
Following options configured for Microsoft Windows clients:
* Synchronize with Active Directory policies on connection establishment.
and
* Execute logoff scripts on connection termination.
-- Windows client is part of a domain.
-- Domain logoff script is not available without VPN connection.
Impact:
'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.
Workaround:
None.
Fix:
Changes in APM client allow it to wait until domain logoff script execution completes before closing VPN connection, so this issue no longer occurs.
739094-4 : APM Client Vulnerability: CVE-2018-5546
Solution Article: K54431371
738887-2 : The snmpd daemon may leak memory when processing requests.
Component: TMOS
Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.
Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.
Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.
Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:
bigstart restart snmpd
Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.
738789-3 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
Component: Application Security Manager
Symptoms:
ASM blocks requests when the request payload is an XML document with a prolog line at the beginning that specifies encoding="us-ascii".
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- ASM handles xml traffic with encoding="us-ascii" (this is very unlikely, the common case is encoding="utf-8")
Impact:
Blocked xml requests
Workaround:
Remove the XML profile from the URL in the ASM policy, or disable XML malformed document detection in the ASM policy blocking settings.
Fix:
xml parser is fixed and now allows encoding="us-ascii"
738669-3 : Login validation may fail for a large request with early server response
Component: Fraud Protection Services
Symptoms:
In the case of a large request/response, FPS might need to store ingress and egress chunks in a buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or script injection). If the server responds fast enough, the buffer may contain mixed parts of the request and response. This may have several effects, from incorrectly performing login validation to generating a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system responds very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.
738647-1 : Add the login detection criteria of 'status code is not X'
Component: Application Security Manager
Symptoms:
There is a criterion needed to detect successful login.
Conditions:
Attempting to detect successful login when the response code is not X (where 'x' = some code).
Impact:
Cannot configure login criteria.
Workaround:
None.
Fix:
This release adds a new criterion to the login criteria.
738521-2 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There is no workaround other than disabling LACP.
Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.
738397-2 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
Fix:
The system now checks for additional query parameters in the request_uri while extracting Resource name so it is not incorrectly set to 'ResourceName&state=<per-flow-id>' which causes the access failure.
738119-3 : SIP routing UI does not follow best practices
Component: TMOS
Symptoms:
The SIP routing UI does not follow best practices.
Conditions:
Administrative access to the SIP Profile web UI.
Impact:
Unexpected HTML output.
Workaround:
None.
Fix:
The SIP routing UI now follows best practices.
737998 : Brute Force end attack condition isn't satisfied for successful logins only
Component: Application Security Manager
Symptoms:
When a brute force attack is detected and prevented by ASM, ASM continues to prevent login attempts even though the attacking traffic stopped 5 minutes ago.
Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- ASM Brute Force protection enabled in the asm policy
- There is an ongoing brute force attack on the backend server.
Impact:
ASM does not report that the brute force attack has finished, and login mitigation continues to occur.
Workaround:
During an ongoing, endless brute force attack, change an arbitrary field in the brute force configuration and apply the policy. The brute force attack end event is triggered and the system stops brute force prevention. If the attacking traffic is still being sent, a new brute force attack event is raised and the mitigation reoccurs.
Fix:
Fixed the brute force end condition check for the case when only successful logins are sent.
737758-1 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
737597 : AVR DoS Attack report misses virtual server name in a specific config
Component: Application Visibility and Reporting
Symptoms:
The DoS AVR Report GUI page is under Security :: Reporting : DoS : Network.
The report shows the attack, but categorizes the attack under 'Aggregated' in the Virtual Server name value, rather than the actual name of the Virtual Server on which the attack is happening.
Conditions:
-- A Virtual Server is configured with a IP/Subnet range.
For example,
-- Virtual Server with Destination Address: 10.10.10.0/27 (meaning the destination range is 10.10.10.32 - 10.10.10.63).
-- Destination Address of the Client Traffic and Attack: 10.10.10.63
View AVR Reporting, which does not resolve the attack to any specific Virtual Server, but instead categorizes the attack as 'Aggregate'.
Impact:
AVR report missing the Virtual Server information.
Workaround:
None.
737442-1 : Error in APM Hosted Content when set to public access
Component: Access Policy Manager
Symptoms:
Error when rendering APM Hosted content when set to public access.
Conditions:
APM enabled
Hosted content enabled
Hosted content set to public access
Impact:
Unexpected HTML output in webtop pages
Workaround:
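when CLIENT_ACCEPTED {
    # Let iRule HTTP events fire for APM-internal URIs such as /vdesk/...
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    # If the decoded query string of a resource_info_v2.xml request contains "<",
    # drop the query string by rewriting the URI to its path only.
    if {[HTTP::uri] starts_with "/vdesk/resource_info_v2.xml?" && [URI::decode [HTTP::query]] contains "<"} {
        HTTP::uri [HTTP::path]
    }
}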
Fix:
None.
737441-1 : Disallow hard links to svpn log files
Solution Article: K54431371
737389 : kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed
Component: TMOS
Symptoms:
There may be a large number of messages in /var/log/kern.log similar to the following:
Tracklist initialized
Tracklist destroyed
Conditions:
This can happen when vCMP is provisioned, which enables SR-IOV mode.
Impact:
It causes messages to show up in /var/log/kern.log, but does not affect traffic. This is a cosmetic issue and does not indicate a functionality issue.
Workaround:
None.
Fix:
Tracklist is now disabled, so this issue no longer occurs.
737332-2 : It is possible for DNSX to serve partial zone information for a short period of time
Component: Global Traffic Manager (DNS)
Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.
Conditions:
-- Two zones being transferred during the same time period
+ zone1.example.net
+ zone2.example.net
-- Transfer of zone1 has started, but not finished.
-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.
Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.
Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.
Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.
734622 : Policy change with newly enforced signatures causes sig collection failure in other policies
Solution Article: K83093212
Component: Application Security Manager
Symptoms:
An ASM policy change with newly enforced signatures causes a signature collection failure in all other policies.
Conditions:
An ASM policy is changed by adding newly enforced signatures.
Impact:
Signature collection failures are logged for all other policies.
Workaround:
For each other policy on the device, make a spurious change (such as modifying policy description and saving) and apply the policy. Alternatively, a new user-defined signature which would be included in enforcement can be spuriously added and then immediately removed.
734527-4 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Component: TMOS
Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.
Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.
Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
734446-3 : TMM crash after changing LSN pool mode from PBA to NAPT
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
727044-1 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic
726895-1 : VPE cannot modify subroutine settings
Component: Access Policy Manager
Symptoms:
Open a per-request policy that has a subroutine in the Visual Policy Editor (VPE). Click 'Subroutine Settings / Rename'.
Numeric values such as the inactivity timeout are displayed as 'NaN'. Attempts to modify the values result in MCP validation errors.
Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.
Impact:
All fields say 'NaN', and an error occurs when trying to modify properties. Subroutine settings such as the Inactivity Timeout and Gating Criteria cannot be modified through the VPE.
Workaround:
Use tmsh to modify these values, for example:
tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }
Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.
726592-2 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
Component: Access Policy Manager
Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.
Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.
Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.
Workaround:
There is no workaround at this time. You can recover by restarting the daemons that hang.
Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.
726303 : Unlock 10 million custom db entry limit
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.
726255-3 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
726239-3 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
726089-3 : Modifications to AVR metrics page
Solution Article: K44462254
724868-2 : dynconfd memory usage increases over time
Solution Article: K11662998
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of dynconfd avoid the growth affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
724680-3 : OpenSSL Vulnerability: CVE-2018-0732
Solution Article: K21665601
724532-1 : SIG SEGV during IP intelligence category match in TMM
Component: Advanced Firewall Manager
Symptoms:
TMM restarts while matching traffic from source IP to IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.
724339-2 : Unexpected TMUI output in AFM
Solution Article: K04524282
724335-2 : Unexpected TMUI output in AFM
Solution Article: K21042153
723792-3 : GTM regex handling of some escape characters renders it invalid
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
723722-3 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
723298-3 : BIND upgrade to version 9.11.4
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
723130-3 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
Component: TMOS
Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.
Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).
Note: Existing BIG-IP VE instances are not subject to this issue.
Impact:
There might be questions about the integrity of the OVA file, and in some cases, you might not be able to deploy a new instance from an OVA file.
Workaround:
The expired OVA signing certificate has been replaced with a valid signing certificate.
Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.
722677-3 : High-Speed Bridge may lock up
Component: Local Traffic Manager
Symptoms:
Under certain conditions, hardware systems with a High-Speed Bridge and using Layer 2 forwarding configurations may experience a lockup of the High-Speed Bridge.
Conditions:
Hardware platform with High-Speed Bridge.
Layer 2 forwarding enabled.
vlangroup.flow.allocate disabled.
Impact:
High-Speed Bridge lockup, leading to a failover event.
Workaround:
The vlangroup.flow.allocate DB variable is enabled by default.
Ensure that vlangroup.flow.allocate is enabled with the command:
modify /sys db vlangroup.flow.allocate value enable
722387-2 : TMM may crash when processing APM DTLS traffic
Component: Local Traffic Manager
Symptoms:
When processing DTLS traffic for APM, TMM may crash.
Conditions:
APM provisioned and configured.
DTLS enabled in APM configuration.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
DTLS traffic is now processed as expected.
722363-1 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
722091-2 : TMM may crash while processing HTTP traffic
Solution Article: K64208870
722013-3 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.
721924-3 : bgpd may crash processing extended ASNs
Component: TMOS
Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.
Conditions:
Dynamic routing enabled.
Extended ASN capabilities enabled: bgp extended-asn-cap enabled
Impact:
Dynamic routing disrupted while bgpd restarts.
Fix:
bgpd now processes extended ASNs as expected.
721752-1 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following SQL command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.
721741-2 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
Component: Application Security Manager
Symptoms:
The bd log contains the following errors:
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------
Conditions:
Configuring IP Address Exceptions in a certain order, with and without a route domain.
Impact:
BD and BD_Agent are out of sync for IP Address Exceptions, which causes false positives and false negatives.
Workaround:
There is no workaround at this time.
Fix:
System no longer generates these false positive/negative log entries.
721375 : Export then import of config with RSA server in it might fail
Component: Access Policy Manager
Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.
Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.
Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.
Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.
Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.
720880 : Attempts to license/re-license the BIG-IP system fail.
Component: TMOS
Symptoms:
Attempts to activate or reactivate the license on the BIG-IP system result in failure messages.
Conditions:
No specific configurations are associated with this issue, but license activation/reactivation requests that include add-ons are more likely to fail.
This occurs under random conditions.
Impact:
The system is either unusable or very difficult to activate.
Workaround:
Because the conditions under which this issue occurs are random, additional licensing attempts might succeed.
Fix:
The source of the underlying problem has been corrected. No additional logs, error message, or user-interaction is involved.
720756 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
Component: TMOS
Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.
Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.
Impact:
Cannot tell the actual platform name in the SNMP query.
Workaround:
There is no workaround at this time.
Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.
720713-3 : TMM traffic to/from an i10600/i10800 device in vCMP host mode may fail
Component: TMOS
Symptoms:
When an i10600/i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.
Note: Management port traffic to/from the device is unaffected.
Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.
The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.
Conditions:
This issue occurs when all of the following conditions apply:
- i10600/i10800 device in vCMP host mode.
- At least one vCMP guest is deployed or was deployed, at some point.
Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.
Workaround:
None.
Fix:
The vCMP host continues to handle traffic correctly once a guest is started.
720695-2 : Export then import of APM access Profile/Policy with advanced customization is failing
Component: Access Policy Manager
Symptoms:
An exported policy containing advanced customization fails to import.
Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.
Impact:
Import fails.
Workaround:
None.
Fix:
Access policy import containing advanced customization now succeeds.
720651-3 : Running Guest Changed to Provisioned Never Stops
Component: TMOS
Symptoms:
After changing a vCMP guest status to provisioned, the guest remains running, showing a status of stopping.
Conditions:
-- Guests deployed on a BIG-IP vCMP host.
-- Changing the state from deployed to provisioned.
Impact:
Guests do not stop and change status until the vcmpd process is restarted.
Workaround:
There is no workaround.
Fix:
The guest now stops when the state is changed from deployed to provisioned.
720461-3 : qkview prompts for password on chassis
Component: TMOS
Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.
Conditions:
SSH auth keys are missing or corrupted.
Impact:
This blocks collecting qkview.
Workaround:
Edit the /usr/bin/getnodedates script and add -oBatchMode=yes to the SSH command, as shown in the following example:
$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;
Fix:
The qkview is no longer blocked with a password prompt.
720391-1 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.
Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.
Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.
Workaround:
None.
Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.
720293-1 : HTTP2 IPv4 to IPv6 fails
Component: Local Traffic Manager
Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.
Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.
Impact:
Traffic connection does not establish; no traffic passes.
Workaround:
None.
Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.
720104 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.
Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.
Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.
Workaround:
There is no workaround at this time.
Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.
720030-3 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.
Conditions:
APM end users using Kerberos SSO to access backend resources.
Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.
Workaround:
For BIG-IP software v12.x and later, edit the /etc/resolv.conf file to add an EDNS0 option.
There is no workaround if you are running a version earlier than 12.x.
Fix:
Kerberos DNS SRV requests now support EDNS0, so that UDP responses greater than 512 bytes can be received correctly, eliminating the need to re-send the request on TCP while communicating to the internal DNS server (dnscached).
719644-1 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
Component: Global Traffic Manager (DNS)
Symptoms:
When an LTM configuration has virtual server names containing a period (.), a GTM configuration with auto-discovery enabled that is upgraded from v11.5.x to a later version might lose consistency.
Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.
Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.
Workaround:
There is no workaround at this time.
Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server names contain a period character (.).
-- The same virtual server name is used in multiple partitions.
719554-3 : Linux Kernel Vulnerability: CVE-2018-8897
Solution Article: K17403481
718885-1 : Under certain conditions, monitor probes may not be sent at the configured interval
Solution Article: K25348242
Component: Global Traffic Manager (DNS)
Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.
Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.
Impact:
Monitor probes are not consistently performed at the configured interval.
Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.
The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.
For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:
-- Change the interval for 10 of the monitors to a different value.
-- Set the monitor interval to 40.
Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.
Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.
718208-1 : Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO
Component: Access Policy Manager
Symptoms:
When using Firefox v52 ESR to install SVPN client, the SVPN client keeps prompting to enter SUDO credentials.
Conditions:
Using Firefox v52 ESR to install SVPN client.
Impact:
Cannot install the SVPN client using the Firefox v52 ESR browser.
Workaround:
Follow this procedure to work around this problem:
1. Delete the NPAPI plugin from the browser.
2. Install SVPN client manually.
3. Use Firefox v52 ESR to connect to APM.
Fix:
This issue has been fixed, and now you can install the SVPN client using SUDO successfully.
718071-3 : HTTP2 with ASM policy not passing traffic
Component: Local Traffic Manager
Symptoms:
HTTP2 traffic does not pass if an ASM policy is applied.
Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.
Impact:
Traffic does not pass.
Workaround:
No workaround.
Fix:
HTTP2 and ASM now work correctly together.
717742-3 : Oracle Java SE vulnerability CVE-2018-2783
Solution Article: K44923228
716992-3 : The ASM bd process may crash
Solution Article: K75432956
716922-4 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Note: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
716900-1 : TMM core when using MPTCP
Component: Local Traffic Manager
Symptoms:
In some cases TMM may crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
716788-3 : TMM may crash while response modifications are being performed within DoSL7 filter
Component: Application Security Manager
Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.
Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts; failover may occur.
Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.
Fix:
Response modification handler has been modified so that this issue no longer occurs.
716747-4 : TMM may crash while processing APM or SWG traffic
Component: Access Policy Manager
Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG traffic.
Near the time of the crash, /var/log/apm contains a log message similar to the following:
err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.
Conditions:
APM or SWG enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround at this time.
Fix:
TMM now processes APM and SWG traffic as expected.
716391-3 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Solution Article: K76031538
Component: TMOS
Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, for example BIG-IP ASM and BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
716318-4 : Engine/Signatures automatic update check may fail to find/download the latest update
Component: Fraud Protection Services
Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.
Note: This issue is relevant only for engineering hotfixes.
Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.
Impact:
Automatic update check will detect the wrong update file.
Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.
Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.
716213-3 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
Component: Local Traffic Manager
Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm shows a TCP reset issued by the BIG-IP system. The TCP capture shows that the issue is due to an out-of-bounds error that occurs when traffic is parsed by the SSL Persistence Parser (SSID).
Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.
Impact:
A blank page is observed due to the TCP reset.
Workaround:
No workaround is available.
Fix:
The SSL persistence parser now validates that the handshake message data bytes are available before fetching them, so the bounds error is no longer raised.
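The check this fix describes, shown as an added illustration in C (not F5's code): a session-ID extractor that confirms bytes are available before every fetch and separates "record not fully received yet" from "length field lies". The function names are hypothetical, the field layout is the TLS 1.2 ClientHello from RFC 5246, and the sample message is constructed and cut off after the session ID.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ssid_status {
    SSID_OK,         /* session ID copied out */
    SSID_NEED_MORE,  /* record not fully received yet: wait, do not reset */
    SSID_NOT_HELLO,  /* not a handshake record carrying a ClientHello */
    SSID_MALFORMED   /* a length field points outside its container */
};

#define REC_HDR 5      /* type(1) version(2) length(2) */
#define HS_HDR  4      /* msg_type(1) length(3) */
#define MAX_SID 32     /* RFC 5246: opaque SessionID<0..32> */
#define MAX_REC 16384  /* RFC 5246: TLSPlaintext.length <= 2^14 */

/* Read cursor: every fetch goes through take(), which refuses to hand
 * out bytes that are not inside the current container. */
struct cursor { const uint8_t *p; size_t left; };

static const uint8_t *take(struct cursor *c, size_t n)
{
    const uint8_t *at = c->p;
    if (n > c->left)
        return NULL;
    c->p += n;
    c->left -= n;
    return at;
}

enum ssid_status parse_session_id(const uint8_t *buf, size_t len,
                                  uint8_t sid[MAX_SID], size_t *sid_len)
{
    struct cursor in = { buf, len };
    const uint8_t *f;
    size_t rec_len, hs_len, n;

    *sid_len = 0;
    if ((f = take(&in, REC_HDR)) == NULL)
        return SSID_NEED_MORE;
    if (f[0] != 22)                      /* ContentType handshake */
        return SSID_NOT_HELLO;
    rec_len = ((size_t)f[3] << 8) | f[4];
    if (rec_len > MAX_REC)
        return SSID_MALFORMED;
    if (rec_len > in.left)               /* rest of record still in flight */
        return SSID_NEED_MORE;
    in.left = rec_len;                   /* never look past this record */

    if ((f = take(&in, HS_HDR)) == NULL)
        return SSID_MALFORMED;
    if (f[0] != 1)                       /* HandshakeType client_hello */
        return SSID_NOT_HELLO;
    hs_len = ((size_t)f[1] << 16) | ((size_t)f[2] << 8) | f[3];
    if (hs_len < in.left)
        in.left = hs_len;                /* nor past this message */

    if (take(&in, 2 + 32) == NULL)       /* client_version + random */
        return SSID_MALFORMED;
    if ((f = take(&in, 1)) == NULL || f[0] > MAX_SID)
        return SSID_MALFORMED;
    n = f[0];
    if ((f = take(&in, n)) == NULL)      /* claimed length exceeds the data */
        return SSID_MALFORMED;
    memcpy(sid, f, n);
    *sid_len = n;
    return SSID_OK;
}

/* Constructed sample: the length byte says `claimed`, but only `actual`
 * session-ID bytes are present and counted in the outer length fields. */
size_t build_hello(uint8_t *out, uint8_t claimed, size_t actual)
{
    size_t hs_len = 2 + 32 + 1 + actual, rec_len = HS_HDR + hs_len, i;
    uint8_t *p = out;

    *p++ = 22; *p++ = 3; *p++ = 3;       /* handshake record, TLS 1.2 */
    *p++ = (uint8_t)(rec_len >> 8); *p++ = (uint8_t)rec_len;
    *p++ = 1; *p++ = 0;                  /* client_hello, length high byte */
    *p++ = (uint8_t)(hs_len >> 8); *p++ = (uint8_t)hs_len;
    *p++ = 3; *p++ = 3;                  /* client_version */
    memset(p, 0xAB, 32); p += 32;        /* random */
    *p++ = claimed;
    for (i = 0; i < actual; i++)
        *p++ = (uint8_t)(0x10 + i);
    return (size_t)(p - out);
}

size_t last_sid_len;  /* session-ID length from the most recent run_case() */

/* Parses one constructed case; `deliver` caps how many bytes have arrived. */
enum ssid_status run_case(uint8_t claimed, size_t actual, size_t deliver)
{
    uint8_t wire[128], sid[MAX_SID];
    size_t n = build_hello(wire, claimed, actual);

    if (deliver < n)
        n = deliver;
    return parse_session_id(wire, n, sid, &last_sid_len);
}

int main(void)
{
    printf("well-formed:            %d\n", run_case(4, 4, 128));
    printf("length byte overstates: %d\n", run_case(32, 4, 128));
    printf("partial delivery:       %d\n", run_case(4, 4, 20));
    return 0;
}
```

Returning SSID_NEED_MORE for a short read lets the caller keep buffering instead of resetting a connection whose handshake simply spans more than one TCP segment.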
715923-3 : When processing TLS traffic TMM may reset connections
Solution Article: K43625118
715750-3 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream in an SSL connection.
Component: Local Traffic Manager
Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.
For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.
Conditions:
This issue occurs when the following conditions are met:
-- A standard virtual server with the clientssl and serverssl profiles in use.
-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.
For example, if the original FIN was received by the BIG-IP system on the clientside:
-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.
-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.
Workaround:
There is no workaround at this time.
Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
715448-1 : Providing LB::status with a GTM Pool name in a variable caused validation issues
Component: Global Traffic Manager (DNS)
Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.
Conditions:
LB::status pool a <Variable containing string>.
Impact:
Unable to use LB::status iRule.
Workaround:
There is no workaround at this time.
Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.
715250-2 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
Component: Access Policy Manager
Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.
Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.
Impact:
System instability, failover, traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
715207-2 : coapi errors while modifying per-request policy in VPE
Component: Access Policy Manager
Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).
err coapi: PHP: requested conversion of uninitialized member.
Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.
Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.
Workaround:
To work around this issue, perform the following procedure:
1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.
Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.
715090 : PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers
Component: Policy Enforcement Manager
Symptoms:
Policy and Charging Rules Function (PCRF) policy actions will have no effect on the subscribers' traffic.
Conditions:
PEM creates a traffic generated subscriber that has PCRF-provided policies associated with it.
Impact:
Potential loss of service depending on the policy actions that do not take effect.
Workaround:
There is no workaround at this time.
Fix:
This issue has been fixed.
714879-1 : APM CRLDP Auth passes all certs
Solution Article: K34652116
714848 : OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled
Component: TMOS
Symptoms:
DDM 'transmit power too low' warnings continually appear in /var/log/ltm and in SNMP traps. Messages appear similar to the following:
DDM interface:3/1.0 transmit power too low warning. Transmit power(mWatts) 0.0001 0.0001 0.0001 0.0001
A single warning message is expected, not repeating messages.
Conditions:
This occurs when all of the following conditions are met:
-- The interface is disabled.
-- DDM is enabled.
-- OPT-0031 or OPT-0036.
Impact:
There are multiple messages in /var/log/ltm, and SNMP DDM traps. There is no impact on traffic.
Workaround:
There is no workaround other than to enable the interface or disable DDM.
Fix:
DDM errors no longer continually appear on disabled interfaces containing OPT-0031 or OPT-0036.
714559-1 : Removal of HTTP hash persistence cookie when a pool member goes down.
Component: Local Traffic Manager
Symptoms:
When HTTP cookie hash persistence is configured, the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.
Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.
Impact:
Connected clients must establish a new session.
Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:
when CLIENT_ACCEPTED {
    persist cookie hash JSESSIONID
}
Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.
If you need to remove the cookie, use an iRule similar to the following:
when PERSIST_DOWN {
    HTTP::cookie remove JSESSIONID
}
714542-1 : 'Always Connected Mode' text is missing in EdgeClient tray
Component: Access Policy Manager
Symptoms:
When right-clicking the EdgeClient tray icon, the pop-up menu shows a grey box instead of the 'Always Connected Mode' text.
Conditions:
EdgeClient installed in 'Always Connected Mode' with 'Allow' traffic when VPN is disconnected.
Impact:
No functional impact. Previously, the message appeared only for blocked mode.
Workaround:
None.
Fix:
Now, when a user right-clicks the Edge Client tray icon in Always Connected mode, the 'Always Connected Mode' text is displayed on the tray icon pop-up menu.
714181-3 : TMM may crash while processing TCP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing TCP data.
Conditions:
-- TCP profile enabled.
-- TCP Segment Offload enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM now processes TCP traffic as expected.
713951-3 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
713934-4 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
Component: Local Traffic Manager
Symptoms:
A malformed truncated (TC) DNS response is received.
Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than the 4096 UDP limit.
Impact:
DNS request might not be resolved correctly.
Workaround:
There is no workaround at this time.
Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.
713655-3 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
Component: Access Policy Manager
Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.
Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.
Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.
Workaround:
None.
Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.
713533-3 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
The "list net self" command always returns all Self IPs, regardless of the regex patterns.
Conditions:
The "list net self" command always returns all Self IPs.
Impact:
You are unable to filter the Self IP list using a regex pattern.
Fix:
You can now use pattern matching to list Self IPs.
713491-1 : IKEv1 logging shows spi of deleted SA with opposite endianness
Component: TMOS
Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).
Conditions:
When an SA is deleted.
Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.
Workaround:
There is no workaround at this time.
Fix:
The spi values are shown in the correct endianness now.
713282-3 : Remote logger violation_details field does not appear when virtual server has more than one remote logger
Component: Application Security Manager
Symptoms:
Remote logger violation_details field appears empty.
Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.
Impact:
Violation_details field appears empty in logs.
Workaround:
There is no workaround at this time.
Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.
713066-3 : Connection failure during DNS lookup to disabled nameserver can crash TMM
Solution Article: K10620131
Component: Global Traffic Manager (DNS)
Symptoms:
TMM restarts as a result of a DNS lookup to a disabled nameserver.
Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.
This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Verify connectivity to nameserver.
As an alternative, refrain from using RESOLV::lookup in iRules.
Fix:
This issue is now fixed.
712924 : In VPE, the SecurID servers list is not displayed in the SecurID authentication dialogue
Component: Access Policy Manager
Symptoms:
In VPE, the SecurID servers list is not displayed in the SecurID authentication dialogue. The list displays only None.
Conditions:
Always, when adding a SecurID authentication action.
Impact:
Inability to (re)configure SecurID via VPE.
Workaround:
Manually modify the RSA AAA server in the SecurID Auth Agent via tmsh:
tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>
712857-1 : SWG-Explicit rejects large POST bodies during policy evaluation
Component: Access Policy Manager
Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.
The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048
Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.
Impact:
Unable to start an SWG-Explicit policy with a large POST body.
Workaround:
None.
Fix:
This release introduces a db variable 'tmm.access.maxrequestbodysize'. You can now avoid this issue by setting a value larger than the 128 KB POST body size. The maximum supported value is 25000000 (25 MB).
712664-4 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, an IPv6 NS may be dropped if it is for a host on the remote VLAN of a transparent vlangroup and its address matches a Virtual address with ARP disabled.
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.
712475-1 : DNS zones without servers will prevent DNS Express reading zone data
Solution Article: K56479945
Component: Local Traffic Manager
Symptoms:
DNS Express does not return dig requests.
Conditions:
DNS Express is configured with a zone without a server.
Impact:
DNS Express does not return dig requests.
Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.
Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.
712464-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
Component: Local Traffic Manager
Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. The selected hash algorithm is the weakest algorithm used by the certificates in the server certificate chain, excluding the self-signed certificate.
Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. Intermediate CAs of this kind are usually in the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.
Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.
Impact:
Clients cannot access the web server due to SSL handshake failure.
Workaround:
There is no workaround at this time.
Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent the forged certificate from using the SHA1 hash algorithm.
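The selection rule described for ID 712464, modelled before and after the fix. This is an added example, not BIG-IP code: the dict-based certificates, the subject-name trust store, the `sha256` fallback and all function names are assumptions made for illustration.

```python
# Constructed model of the hash selection described in ID 712464.
# Certificates are plain dicts; a real implementation would identify trusted
# CAs by certificate fingerprint rather than by subject name.

HASH_STRENGTH = {"md5": 0, "sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}
DEFAULT_HASH = "sha256"  # assumption: fallback when no certificate qualifies


def is_self_signed(cert):
    return cert["subject"] == cert["issuer"]


def candidate_certs(chain, trusted_subjects, exclude_trusted):
    """Return the certificates whose signature hash takes part in selection."""
    selected = []
    for cert in chain:
        if cert["sig_hash"] not in HASH_STRENGTH:
            raise ValueError("unknown hash algorithm: %r" % cert["sig_hash"])
        if is_self_signed(cert):
            continue  # excluded both before and after the fix
        if exclude_trusted and cert["subject"] in trusted_subjects:
            continue  # excluded only by the fixed behaviour
        selected.append(cert)
    return selected


def select_forging_hash(chain, trusted_subjects=frozenset(), exclude_trusted=False):
    """Pick the weakest signature hash among the participating certificates."""
    certs = candidate_certs(chain, trusted_subjects, exclude_trusted)
    if not certs:
        return DEFAULT_HASH
    return min((c["sig_hash"] for c in certs), key=HASH_STRENGTH.__getitem__)


def weak_links(chain, floor="sha256"):
    """Subjects of non-self-signed certificates signed below the given floor."""
    return [c["subject"] for c in chain
            if not is_self_signed(c)
            and HASH_STRENGTH[c["sig_hash"]] < HASH_STRENGTH[floor]]


# Constructed sample chain as a web server might present it.
SAMPLE_CHAIN = [
    {"subject": "CN=www.example.test", "issuer": "CN=Example Intermediate CA",
     "sig_hash": "sha256"},
    {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA",
     "sig_hash": "sha1"},
    {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA",
     "sig_hash": "sha1"},
]
# Constructed ca-bundle contents: the SHA1-signed intermediate is trusted.
SAMPLE_TRUSTED = frozenset({"CN=Example Intermediate CA", "CN=Example Root CA"})

if __name__ == "__main__":
    print("before fix:", select_forging_hash(SAMPLE_CHAIN))
    print("after fix: ", select_forging_hash(SAMPLE_CHAIN, SAMPLE_TRUSTED, True))
    print("weak links:", weak_links(SAMPLE_CHAIN))
```

A SHA1-signed intermediate that is not in the trust store still takes part in the selection, which is why the fix is described as one that may prevent SHA1 rather than one that always does.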
712437-1 : Records containing hyphens (-) will prevent child zone from loading correctly
Solution Article: K20355559
Component: Local Traffic Manager
Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.
Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
myzone.com -- parent
foo.myzone.com -- child
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com
Impact:
DNS cannot resolve records correctly.
Workaround:
None.
Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.
712362-1 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
Component: Application Security Manager
Symptoms:
When the WebSocket HTTP handshake response arrives without the 'Switching Protocols' reason phrase in the first line, ASM does not follow up WebSocket frames on the WebSocket connection.
The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.
Impact:
WebSocket frames stall.
Workaround:
#1 Change the backend server:
Change the WebSocket backend server so that its 101 response includes the 'Switching Protocols' reason phrase:
HTTP/1.1 101 Switching Protocols
#2 Use an iRule:
when SERVER_CONNECTED {
    # Hold the first 15 bytes of the server response for inspection.
    TCP::collect 15
}
when SERVER_DATA {
    # A 101 status line with an empty reason phrase gets the phrase inserted.
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
}
Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.
712315-1 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
Component: Access Policy Manager
Symptoms:
In VPE, LDAP and AD Group Resource Assign do not display Static ACLs when they are configured.
Conditions:
While attempting to assign Static ACLs via AD or LDAP Group Resource Assign (aka Group Mapping), Static ACLs are not displayed.
Impact:
Users are not able to assign Static ACLs with AD and LDAP Group Mapping via VPE.
Workaround:
Static ACLs are assignable with TMSH.
Fix:
Functionality is restored and Static ACLs are now displayed in AD and LDAP Group Resource Assign (aka Group Mapping).
use:
tmsh modify apm policy agent resource-assign
711981-3 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can lead the BIG-IP system to falsely assume that the egress MTU on the related flow is larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.
Workaround:
None.
Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.
711570-1 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
Component: Policy Enforcement Manager
Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names
Conditions:
PEM iRule using subscriber ID to get policy name.
Impact:
Subscriber policy names are not returned.
Workaround:
Use PEM::subscriber config policy get <IP address> instead.
Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.
711547 : Update cipher support for Common Criteria compliance
Component: TMOS
Symptoms:
Default cipher selection may not be compliant with Common Criteria requirements. Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Conditions:
Common Criteria mode active
Impact:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Workaround:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Fix:
Improved Common Criteria compliance in default cipher strings.
711281-3 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
711249-2 : NAS-IP-Address added to RADIUS packet unexpectedly
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
711093-2 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete
710827-4 : TMUI dashboard daemon stability issue
Component: TMOS
Symptoms:
Some dashboard requests may cause a crash of TMUI dashboard daemons, affecting the TMUI dashboard.
Conditions:
Request sent to BIG-IP dashboard.
Impact:
Only the TMUI dashboard goes offline. Other TMUI functionality is not affected by this issue.
Workaround:
None available.
Fix:
Correct exception handling now prevents TMUI dashboard service failure.
710755-2 : Crash when cached route information becomes stale and the system accesses the information from it.
Solution Article: K30572159
Component: Advanced Firewall Manager
Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.
Conditions:
Use stale cached route information.
Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.
Workaround:
None.
Fix:
The system now fetches the latest egress route/interface information before accessing it.
710705-3 : Multiple Wireshark vulnerabilities
Solution Article: K34035645
710602 : iCRD commands requiring 'root' user access fixed
Component: TMOS
Symptoms:
Some of the iCRD calls that run commands on the base operating system that require elevated permissions fail because iCRD was not correctly executing the commands in the right context.
Conditions:
Use an iCRD endpoint that requires elevated permissions to succeed.
Impact:
Only impacts iCRD endpoints which run commands that require root access.
Workaround:
There is no workaround at this time.
Fix:
This fix resolves this issue by running the commands with the correct user context.
710424-3 : Possible SIGSEGV in GTMD when GTM persistence is enabled.
Solution Article: K00874337
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.
Conditions:
GTM persistence is enabled.
Impact:
GTMD may occasionally restart.
Workaround:
Disable GTM persistence.
Fix:
GTMD will no longer crash and restart when persistence is enabled.
710327-3 : Remote logger message is truncated at NULL character.
Component: Application Security Manager
Symptoms:
When a request that includes a binary NULL character is sent to a remote logger configured for ASM, the request arrives at the remote destination truncated exactly at the binary NULL character.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.
Impact:
Partial request is logged at the remote logger destination.
Workaround:
None.
Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.
710314-2 : TMM may crash while processing HTML traffic
Solution Article: K94105051
710246-3 : DNS-Express was not sending out NOTIFY messages on VE
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).
Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.
Impact:
DNS secondary servers serving stale data.
Workaround:
There is no workaround at this time.
Fix:
DNS Express now sends out NOTIFY messages on VE.
710244-1 : Memory Leak of access policy execution objects
Solution Article: K27391542
710211 : Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
Component: Access Policy Manager
Symptoms:
Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. The system posts a message similar to the following:
Unable to execute transaction because of: 01071203:3: Caption (XYZ1) of the rule in macrocall (/Common/abc_macro) must be identical to the caption (XYZ2) of terminalout.
Conditions:
-- Using Access Policy.
-- Policy includes one or more macros.
-- There is a macrocall on one of the macros.
-- You attempt to add a new terminal to that macro.
Impact:
Cannot edit macro terminals.
Workaround:
None.
Fix:
Can now edit Terminals of Macro if one or more Macrocalls point to a given Macro.
710148-4 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
710028-4 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.
709972-4 : CVE-2017-12613: APR Vulnerability
Solution Article: K52319810
709688-5 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Solution Article: K08306700
709610-1 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave the SysDB variables set to the default values.
Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.
709334-2 : Memory leak when SSL Forward proxy is used and ssl re-negotiates
Component: Local Traffic Manager
Symptoms:
In the output of 'tmsh show sys memory', ssl_compat continues to grow and fails to release memory.
Conditions:
-- SSL Forward Proxy is in use.
-- SSL re-negotiations are happening.
Impact:
Eventually memory reaper will kick in.
Workaround:
There is no workaround at this time.
Fix:
ssl_compat now properly releases connections on re-negotiation.
708956 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Solution Article: K51206433
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.
708653-3 : TMM may crash while processing TCP traffic
Solution Article: K07550539
708249-4 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
The nitrox_diag utility now uses the -s0 flag to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
708114-3 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
Solution Article: K33319853
Component: Local Traffic Manager
Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.
Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.
708068-3 : Tcl commands like "HTTP::path -normalize" do not return normalized path.
Component: Local Traffic Manager
Symptoms:
When using HTTP::path with the -normalized parameter:
"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)
Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.
Impact:
Unexpected result.
Workaround:
There is no workaround.
Fix:
The TCL command HTTP::path -normalize should return normalized path.
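The three results listed under Symptoms for ID 708068, reproduced with a small normalizer. This is an added example, not F5 code: the decode and collapse ordering used to reproduce the unexpected result is an assumption, as are the function names and the `/public/` prefix check.

```python
from urllib.parse import unquote


def remove_dot_segments(path):
    """Collapse '.' and '..' segments of an absolute path, never above root."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute path")
    stack = []
    parts = path.split("/")[1:]  # drop the empty string before the leading '/'
    for index, segment in enumerate(parts):
        is_last = index == len(parts) - 1
        if segment == "..":
            if stack:
                stack.pop()
            if is_last:
                stack.append("")  # keep the trailing slash
        elif segment == ".":
            if is_last:
                stack.append("")
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def normalize_decode_first(raw_path):
    """Percent-decode once, then collapse dot segments (the expected result)."""
    return remove_dot_segments(unquote(raw_path))


def normalize_collapse_first(raw_path):
    """Collapse first, decode afterwards: encoded dot segments survive."""
    return unquote(remove_dot_segments(raw_path))


def prefix_allows(normalized_path, prefix="/public/"):
    """Hypothetical access rule that trusts the normalized path."""
    return normalized_path.startswith(prefix)


def residual_encoded_dots(normalized_path):
    """True if an encoded dot is still present after one decoding pass,
    which indicates double encoding that deserves a closer look."""
    return "%2e" in normalized_path.lower()


if __name__ == "__main__":
    for raw in ("/foo/../bar", "/foo/%2E%2E/bar", "/public/%2E%2E/admin"):
        print(raw, "->", normalize_collapse_first(raw), "|",
              normalize_decode_first(raw))
```

A rule that compares prefixes on the collapse-first result accepts `/public/%2E%2E/admin`, while the decode-first result is `/admin` and is rejected.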
708054-3 : Web Acceleration: TMM may crash on very large HTML files with conditional comments
Component: TMOS
Symptoms:
In some cases, the Web Acceleration feature may not handle a big HTML file that contains improper conditional comments. TMM may crash while processing such files if a Web Acceleration profile is attached to the VIP.
Conditions:
- HTML file with conditional comments inside:
<!--[if condition...]> ... <![endif]-->
- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.
Impact:
TMM crash interrupts all active sessions.
Workaround:
There is no workaround at this time.
Fix:
The Web Acceleration feature now handles long HTML conditional comments correctly.
707990-3 : Unexpected TMUI output in SSL Certificate Instance page
Solution Article: K41704442
707951 : Stalled mirrored flows on HA next-active when OneConnect is used.
Component: Local Traffic Manager
Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.
Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.
Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.
Workaround:
Disable OneConnect.
Fix:
Stalled mirrored flows no longer appear when OneConnect is used.
707888 : Some ASM operations delayed due to scheduled ASU update
Component: Application Security Manager
Symptoms:
Some ASM operations (such as Apply Policy) are delayed while a scheduled ASU update is in progress. This issue affects only 12.1.3.x from 12.1.3.2 and later.
Conditions:
A scheduled ASM update is in progress on systems running v12.1.3.x.
Impact:
Some ASM operations, such as Apply Policy, are delayed.
Workaround:
There is no workaround at this time.
Fix:
Other ASM operations are no longer blocked by scheduled ASU update.
707675 : FQDN nodes or pool members flap when DNS response received
Component: Local Traffic Manager
Symptoms:
When an LTM pool is configured with FQDN nodes or pool members, the LTM pool and associated virtual server(s) may transition from an UP to DOWN state and back over a period of a few seconds.
Such an event is accompanied by log messages similar to the following:
-- notice mcpd[#]: 01071682:5: SNMP_TRAP: Virtual /Common/vs_test has become unavailable
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from GREEN to RED.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
-- err mcpd[#]: 01020066:3: The requested Pool Member (/Common/Test_Pool /Common/test-dummy.com-12.34.56.78 443) already exists in partition Common.
-- notice bigd[##]: 01060144:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 session status enabled by monitor
-- notice bigd[##]: 01060145:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 monitor status up. [ /Common/mon_test_https: UP ] [ was checking for 0hr:0min:2sec ]
-- notice mcpd[#]: 01071681:5: SNMP_TRAP: Virtual /Common/vs_test has become available
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from RED to GREEN.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.
This symptom repeats each time a DNS query is performed to resolve the FQDN node/pool-member name to its IP addresses, based on the 'interval' value configured for the FQDN node.
This symptom occurs only when the 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.
Conditions:
-- LTM pool is configured with FQDN nodes or pool members.
-- The 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.
Impact:
LTM pool and virtual server are briefly and periodically marked DOWN. Traffic may be impacted.
Workaround:
Either of the following methods can be used to work around this issue:
-- Configure static IP addresses instead of FQDN nodes/pool-members.
-- Set the 'autopopulate' value to 'disabled' for the FQDN node/pool-member, if possible (that is, if only one IP address is required/expected to be returned for the FQDN name, which means that the 'autopopulate' feature of FQDN nodes/pool-members is not required).
Fix:
FQDN node/pool-member and corresponding pool and virtual server are no longer briefly marked DOWN when the DNS server is queried to resolve the FQDN name, with the 'autopopulate' feature enabled for the FQDN node/pool-member. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
707447-2 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
Component: Local Traffic Manager
Symptoms:
The SSL SNI mechanism creates a hash containing a mapping between SAN entries in a given profile's certificate and the profile. This hash is owned by the default SNI profile, but is held by the other profiles on the VIP without a reference. If a connection utilizes SNI to use a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If the connection then attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault should it have been reused in the meantime (i.e. the contents are invalid).
The fix: When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.
Conditions:
SNI is configured with one default SNI profile and one or multiple SNI profiles. The default SNI profile is changed and a renegotiation with SNI (with a non-default SNI profile) is issued.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.
707445 : Nitrox 3 compression hangs/unable to recover
Solution Article: K47025244
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
Fix:
Compression device reset recovery made more robust for some compression failures.
707391-4 : BGP may keep announcing routes after disabling route health injection
Component: TMOS
Symptoms:
As a result of a known issue, a BIG-IP system with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.
Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.
Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.
Workaround:
Restart the dynamic routing process.
Fix:
BGP no longer keeps announcing routes after disabling route health injection.
707310-1 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records) that the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.
Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.
Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.
Workaround:
There is no workaround at this time.
Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.
707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Component: TMOS
Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; however, to take advantage of this vulnerability, an attacker must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regard to security fixes will mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
707207-2 : iRuleLx returning undefined value may cause TMM restart
Component: Local Traffic Manager
Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where its jsonrpc v2.0 representation is missing required fields, such as "result".
Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.
Impact:
Traffic is interrupted.
Workaround:
There is no workaround at this time.
Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.
707147-2 : High CPU consumed by asm_config_server_rpc_handler_async.pl
Component: Application Security Manager
Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.
Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is encountered
Impact:
A process may consume high CPU even after the high traffic period is finished.
Workaround:
Kill asm_config_server.pl (This will not affect traffic)
Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual
707003-2 : Unexpected syntax error in TMSH AVR
Component: TMOS
Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown
It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'
Conditions:
Whenever the affected tmsh command is run.
Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown
Workaround:
There is no workaround besides not running the affected command.
Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown
706845-1 : False positive illegal multipart violation
Component: Application Security Manager
Symptoms:
A false positive multipart violation.
Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.
Impact:
A false positive violation, request rejected.
Workaround:
A workaround might be possible using an iRule.
Fix:
Corrected ASM multipart parsing.
706642-3 : wamd may leak memory during configuration changes and cluster events
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
Fix:
wamd no longer leaks memory during configuration changes and cluster events.
706631 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
Component: Local Traffic Manager
Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.
Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.
-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.
-- Common Criteria mode licensed and configured.
Impact:
A TLS connection succeeds which should fail.
Workaround:
There is no workaround at this time.
Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.
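The RFC 2818 rule described in this entry, as an added example (not F5 code): when a certificate carries dNSName Subject Alternative Names, they alone decide the match and a matching Common Name must not rescue the connection. The certificate is represented as a pre-parsed dictionary with hypothetical keys `subject_cn` and `san_dns`, the sample names are constructed, and the wildcard policy (whole leftmost label only, at least three labels) is an assumption.

```python
def _name_match(pattern, host):
    """Whole-name, case-insensitive comparison, label by label.

    Assumption: '*' is honoured only as the entire leftmost label of a
    pattern with at least three labels (so '*.test' never matches).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h


def verify_server_name(cert, authenticate_name):
    """Return True only if the certificate identity matches authenticate_name.

    cert is a hypothetical pre-parsed form:
        {"subject_cn": "host", "san_dns": ["host", ...]}
    """
    san = cert.get("san_dns") or []
    if san:
        # RFC 2818 section 3.1: a dNSName SAN, when present, is the identity.
        # The Common Name is not consulted at all in this branch.
        return any(_name_match(name, authenticate_name) for name in san)
    cn = cert.get("subject_cn")
    return bool(cn) and _name_match(cn, authenticate_name)


# Constructed certificates for illustration.
CN_OK_SAN_BAD = {"subject_cn": "app.example.test",
                 "san_dns": ["other.example.test"]}
CN_ONLY = {"subject_cn": "app.example.test", "san_dns": []}
SAN_WILDCARD = {"subject_cn": "ignored.example.test",
                "san_dns": ["*.example.test"]}

if __name__ == "__main__":
    for label, cert in (("CN ok, SAN bad", CN_OK_SAN_BAD),
                        ("CN only", CN_ONLY),
                        ("SAN wildcard", SAN_WILDCARD)):
        print(label, verify_server_name(cert, "app.example.test"))
```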
706423-2 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
Component: TMOS
Symptoms:
TMM may discard an existing child-SA via a timer at the moment it is in use for encryption or decryption. Separately, an error that aborts negotiation can leave multiple timers associated with one child-SA, which conflict with one another.
Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.
A configuration with a short SA lifetime, which causes frequent re-keying, makes it more likely to hit the race condition in which the SA expires during active use in crypto.
Impact:
TMM restarts, disrupting traffic and causing HA failover.
Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)
Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.
Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.
706374-2 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
Component: Access Policy Manager
Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.
Workaround:
There is no workaround.
Fix:
Stability problems in DNS lookups in APM Kerberos SSO (S4U) have been corrected.
706354-1 : OPT-0045 optic unable to link
Component: TMOS
Symptoms:
The OPT-0045 optical transceiver when inserted into a 40G port would not function. The following error appeared in /var/log/ltm:
Invalid module for bundle configuration of interface <portNumber>.0
Conditions:
OPT-0045 in a 40G port
Impact:
Optic was not usable, interface would not come up.
Workaround:
There is no workaround at this time.
Fix:
BIG-IP now supports the OPT-0045 optical transceiver.
706305-2 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
Component: TMOS
Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.
Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.
Impact:
Inability for the unit to use BGP
Workaround:
Disabling extended-asn-cap or not announcing multiple overlapping aggregate addresses may work around this issue.
Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled
706128-1 : DNSSEC Signed Zone Transfers Can Leak Memory
Component: Global Traffic Manager (DNS)
Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.
For example:
tmsh show sys memory raw | grep dnssec
Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.
Impact:
TMM leaks memory related to the signed zone transfer.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer leaks DNSSEC zone transfer related memory.
706104-2 : Dynamically advertised route may flap
Component: TMOS
Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.
Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configured in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route
Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.
Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.
The problem will also be resolved by moving the route from tmsh into ZebOS.
- In imish config mode, "ip route <route> <gateway>"
- In tmsh, "delete net route <route>"
Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.
706102-3 : SMTP monitor does not handle all multi-line banner use cases
Component: Local Traffic Manager
Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.
Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.
Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.
Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.
Fix:
An SMTP monitor handles all use cases that include a multi-line banner.
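The failure mode in this entry, as an added example (not the BIG-IP monitor's code): an SMTP reply is complete only when a line of the form "220 text" (code followed by a space) has arrived, so a health check has to buffer segments instead of judging the first one. `first_segment_only` is a simplified model of the defect described above, and the banner bytes are constructed.

```python
def parse_reply(data):
    """Parse one SMTP reply (RFC 5321 section 4.2.1) from accumulated bytes.

    Continuation lines look like b"220-text\r\n"; the final line looks like
    b"220 text\r\n". Returns (code, [text, ...]) when the final line is
    present, or None when more data is needed.
    """
    lines, code, pos = [], None, 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            return None  # current line not terminated yet: keep reading
        line = data[pos:end]
        pos = end + 2
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply line: %r" % line)
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changed within one reply")
        sep = line[3:4]
        lines.append(line[4:].decode("ascii", "replace"))
        if sep in (b" ", b""):
            return code, lines  # final line reached
        if sep != b"-":
            raise ValueError("bad separator after reply code: %r" % line)


class SmtpReplyReader:
    """Accumulates TCP segments until one complete reply has arrived."""

    def __init__(self, max_bytes=8192):
        self._buf = b""
        self._max = max_bytes  # bound memory if the peer never finishes

    def feed(self, segment):
        self._buf += segment
        if len(self._buf) > self._max:
            raise ValueError("SMTP reply exceeds size limit")
        return parse_reply(self._buf)


def first_segment_only(segments, expected_code=220):
    """Model of the defect: decide from the first segment alone."""
    try:
        reply = parse_reply(segments[0])
    except ValueError:
        return False
    return reply is not None and reply[0] == expected_code


def buffered_check(segments, expected_code=220):
    """Decide only after the reply's final line has been received."""
    reader = SmtpReplyReader()
    for segment in segments:
        reply = reader.feed(segment)
        if reply is not None:
            return reply[0] == expected_code
    return False  # stream ended before a complete reply


# Constructed multi-line banner, split mid-line across two segments.
SPLIT_BANNER = [
    b"220-mail.example.test ESMTP ready\r\n220-Unauthorized use pro",
    b"hibited\r\n220 Service ready\r\n",
]
# Constructed single-line banner in one segment.
SINGLE_BANNER = [b"220 mail.example.test ESMTP ready\r\n"]

if __name__ == "__main__":
    print("first segment only:", first_segment_only(SPLIT_BANNER))
    print("buffered:", buffered_check(SPLIT_BANNER))
```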
706086-1 : PAM RADIUS authentication subsystem hardening
Solution Article: K62750376
705794-1 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
Component: Local Traffic Manager
Symptoms:
An HTTP/2 stream is overlooked when cleaning up an HTTP/2 flow.
Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.
705611-1 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
Component: Local Traffic Manager
Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.
Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.
Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.
705503-1 : Context leaked from iRule DNS lookup
Component: Global Traffic Manager (DNS)
Symptoms:
The memory usage increases, and stats are inaccurate.
Conditions:
Call RESOLV::lookup from an iRule.
Impact:
Memory leak that accumulates over time and inaccurate stats.
Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.
Fix:
Memory leak no longer occurs.
705476-4 : Appliance Mode does not follow design best practices
Solution Article: K28003839
705037-3 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
Solution Article: K32332000
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
Fix:
System no longer exhibits duplicate if_index statistics.
704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
Component: TMOS
Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.
Conditions:
This applies to remote authentication for the control plane, not APM.
Impact:
Login may be impacted.
Workaround:
There is no workaround at this time.
Fix:
NAS-IP-Address Attribute is now set correctly when the BIG-IP system is configured to use RADIUS authentication.
704733-2 : NAS-IP-Address is sent with the bytes in reverse order
Component: TMOS
Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).
Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.
Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.
Workaround:
There is no workaround at this time.
Fix:
This has been corrected.
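A check for the two NAS-IP-Address symptoms above (loopback value in 704804, reversed bytes in 704733), as an added example that is not part of the release notes: it walks the attributes of a RADIUS Access-Request (RFC 2865 layout) and classifies attribute type 4 against the expected management address. The packets are constructed with a zeroed authenticator, and the address 172.30.56.78 is the one used in the entry's own illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RFC 2865 attribute type, value is 4 octets


def radius_attributes(packet):
    """Yield (type, value) for each attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # code, identifier, length, then 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def classify_nas_ip(packet, expected):
    """Compare the packet's NAS-IP-Address with the expected IPv4 address.

    Returns one of: "ok", "loopback", "byte-reversed", "mismatch",
    "malformed", "absent".
    """
    expected_ip = ipaddress.IPv4Address(expected)
    for atype, value in radius_attributes(packet):
        if atype != NAS_IP_ADDRESS:
            continue
        if len(value) != 4:
            return "malformed"
        seen = ipaddress.IPv4Address(value)
        if seen == expected_ip:
            return "ok"
        if seen.is_loopback:
            return "loopback"
        if value[::-1] == expected_ip.packed:
            return "byte-reversed"
        return "mismatch"
    return "absent"


def build_access_request(nas_ip_bytes, user=b"admin"):
    """Constructed sample: Access-Request with User-Name and NAS-IP-Address."""
    attrs = bytes([1, 2 + len(user)]) + user            # User-Name (type 1)
    if nas_ip_bytes is not None:
        attrs += bytes([NAS_IP_ADDRESS, 6]) + nas_ip_bytes
    header = struct.pack("!BBH", 1, 0x2A, 20 + len(attrs)) + bytes(16)
    return header + attrs


EXPECTED = "172.30.56.78"

if __name__ == "__main__":
    samples = {
        "correct": bytes([172, 30, 56, 78]),
        "reversed": bytes([78, 56, 30, 172]),
        "loopback": bytes([127, 0, 0, 1]),
    }
    for label, raw in samples.items():
        print(label, classify_nas_ip(build_access_request(raw), EXPECTED))
```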
704666-2 : memory corruption can occur when using certain certificates
Component: Local Traffic Manager
Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.
Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.
Impact:
TMM could crash.
Workaround:
Do not use certificates with extremely long common names
Fix:
A length check has been added to avoid corruption when using extremely long common names.
704580-3 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
Solution Article: K05018525
704524-2 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, the DNS server truncates UDP responses that are greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.
Workaround:
There is no workaround at this time.
Fix:
Kerberos DNS SRV requests now support EDNS0 so that UDP responses greater than 512 bytes can be received correctly, eliminating delays caused by TCP retransmission.
704490 : CVE-2017-5754 (Meltdown)
Solution Article: K91229003
704483 : CVE-2017-5753 (Spectre Variant 1)
Solution Article: K91229003
704449-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh
If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.
Fix:
tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.
704381-3 : SSL/TLS handshake failures and terminations are logged at too low a level
Component: Local Traffic Manager
Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).
Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.
Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.
Workaround:
There is no workaround.
Fix:
SSL/TLS handshake failures and terminations are now logged at a higher level (WARNING).
704336-3 : Updating 3rd party device cert not copied correctly to trusted certificate store
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
Fix:
The system now adds the device certificate along with all intermediate and root certificates to the Trusted Server and Trusted Device certificate bundles.
704282-3 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
Component: TMOS
Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.
Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.
For this to happen, the fair share rate of the instance of dynamic policy has to be less than 32 times the average packet size of the instance of policy.
For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
F5 does not recommend running the BWC under 64Kbps.
Either decrease the number of subscribers or increase the max-rate of dynamic policy.
Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.
704247-3 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
Component: TMOS
Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.
Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.
Impact:
Installation attempt of the remaining image(s) might fail.
Workaround:
Restart the lind process, so the installation can continue.
Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted
704184-3 : APM MAC Client create files with owner only read write permissions
Solution Article: K52171282
704143-2 : BD memory leak
Component: Application Security Manager
Symptoms:
A BD memory leak.
Conditions:
websocket traffic with specific configuration
Impact:
Resident memory increases, swap getting used.
Workaround:
Make sure the web socket violations are not due to bad websocket URL configuration, that they are turned on in Learn/Alarm or block and that there is a local logger configured and attached.
704073-3 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
Solution Article: K24233427
Component: Local Traffic Manager
Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.
Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.
Impact:
Log pollution and potential for performance degradation.
Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent
Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.
703984-2 : Machine Cert agent improperly matches hostname with CN and SAN
Component: Access Policy Manager
Symptoms:
The MacOS Machine Certificate agent treats the configured hostname as matching the actual hostname when only a leading partial string matches.
Conditions:
MacOS APM client using Machine Certificate Check agent.
Impact:
Hostname match may be incorrect in these cases.
Workaround:
There is no workaround at this time.
Fix:
The MacOS machine certificate check agent now matches on the whole host string rather than a sub string.
703940-3 : Malformed HTTP/2 frame consumes excessive system resources
Solution Article: K45611803
703914-1 : TMM SIGSEGV crash in poolmbr_conn_dec.
Component: Local Traffic Manager
Symptoms:
TMM cores in poolmbr_conn_dec function.
Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.
Impact:
TMM core, traffic interruption, possible failover.
Workaround:
Do not use LB::reselect, disable request queueing on a pool associated with the VS.
Fix:
TMM correctly handles LB::reselect on virtual servers with pools using request queueing.
703869-1 : Waagent updated to 2.2.21
Component: TMOS
Symptoms:
Microsoft updates waagent via an open source process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.
Conditions:
Using Microsoft Azure.
Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.
Workaround:
None.
Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.
703793-1 : tmm restarts when using 'ACCESS::perflow get' in certain events
Component: Access Policy Manager
Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.
Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).
Impact:
tmm cores and traffic flow will be interrupted while it restarts.
Workaround:
None.
Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.
703761-1 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode
Component: TMOS
Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.
Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.
Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.
Workaround:
There is no workaround at this time.
Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.
703580 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
Component: Local Traffic Manager
Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)
Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.
Impact:
TLS1.1 handshake fails on the guest.
Workaround:
Use the same software version on the vCMP host and vCMP guests.
Fix:
TLS1.1 handshake no longer fails running v12.x/v13.x vCMP guest with earlier BIG-IP software version on vCMP host.
703515-5 : MRF SIP LB - Message corruption when using custom persistence key
Solution Article: K44933323
Component: Service Provider
Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.
Conditions:
Custom persistence key is not a multiple of 3 bytes
Impact:
The SIP request message may be corrupted when the via header is inserted.
Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.
Fix:
All persistence key lengths work as expected.
703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
Component: Access Policy Manager
Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.
Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.
Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.
Workaround:
None.
Fix:
System now provides valid data to Citrix Receiver for Android client.
702946-2 : Added option to reset staging period for signatures
Component: Application Security Manager
Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.
Conditions:
Staging enabled for signatures in policy.
Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.
Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.
Note: Apply policy is required between actions.
Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.
702873-3 : Windows Logon Integration feature may cause Windows logon screen freeze
Component: Access Policy Manager
Symptoms:
Windows Logon Integration feature might cause a Microsoft Windows logon screen freeze, making Windows OS unresponsive to any client end user actions.
Conditions:
-- Client user putting laptop into sleep mode and waking it up multiple times.
-- Possibly, only Windows 10 is affected.
Impact:
Logon screen may hang, not allowing client user to type in credentials.
Workaround:
Reinstall EdgeClient without the Windows Logon Integration Feature.
Fix:
Previously, the Windows Logon Integration feature sometimes caused the Windows Logon screen to freeze. Now, this issue has been fixed.
As a side effect of the fix, the Logon screen now shows duplicates of the pre-logon VPN Entries, which might be confusing for client users. One duplicate comes from the Microsoft Credentials Provider. For information on how to disable the default Microsoft Credentials Provider, see the Microsoft Windows article: How to disable additional credential providers :: https://social.technet.microsoft.com/Forums/windows/en-US/9c23976a-3e2b-4b71-9f19-83ee3df0848b/how-to-disable-additional-credential-providers.
702738 : Tmm might crash activating new blob when changing firewall rules
Solution Article: K32181540
Component: Advanced Firewall Manager
Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.
Conditions:
Updating, removing, or adding firewall rules.
Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.
Impact:
Data traffic processing stops.
Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).
Option B
Modify all the rules simultaneously.
For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }
4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.
Fix:
TMM no longer crashes when changing firewall rules.
702490-4 : Windows Credential Reuse feature may not work
Component: Access Policy Manager
Symptoms:
The Windows Credential Reuse feature may not work, requiring the EdgeClient end user to enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).
The logterminal.txt file contains messages similar to the following:
<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted
Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.
Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.
Workaround:
There is no workaround at this time.
Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.
702487-1 : AD/LDAP admins with spaces in names are not supported
Component: Access Policy Manager
Symptoms:
If an admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE) operations such as import/export/copy/delete fail and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.
Note: Names containing spaces are not supported on BIG-IP systems.
Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.
Impact:
VPE, import/export/copy/delete do not work.
Workaround:
There is no workaround other than to not use admin names containing spaces.
Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.
702278-3 : Potential XSS security exposure on APM logon page.
Component: Access Policy Manager
Symptoms:
Potential XSS security exposure on APM logon page.
Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.
Impact:
Potential XSS security exposure.
Workaround:
1. Using the APM Advanced Customization UI, remove the setOrigUriLink(); call in logon.inc from the following JS function:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }
    setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
    setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
    // ===> REMOVE THIS ONE setOrigUriLink();
----
Fix:
Potential security exposure has been removed from APM logon page.
702151-2 : HTTP/2 can garble large headers
Component: Local Traffic Manager
Symptoms:
The HTTP/2 filter may incorrectly encode large headers.
Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.
Impact:
The garbled header may no longer conform to the HPACK spec, and cause the connection to be dropped. The garbled header may be correctly formed, but contain incorrect data.
Fix:
The HTTP/2 filter correctly encodes large HTTP headers.
701900 : DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
Solution Article: K55938217
Component: TMOS
Symptoms:
DHCP-configured domain-name-servers (DNS) unavailable after reboot when there are more than two domain-name-servers in the lease.
Conditions:
- DHCP is enabled on the mgmt interface.
- DHCP server provides more than 2 domain-name-servers in its lease.
Impact:
Name resolution on mgmt interface fails due to misconfiguration in DNS information for mgmt interface.
Workaround:
No workaround at this time.
Fix:
This release corrects the handling of multiple DNS name-servers.
701856-2 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
Component: Application Security Manager
Symptoms:
In rare circumstances, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.
Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).
Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.
Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl
Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.
701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
Component: Application Security Manager
Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz, is saved unnecessarily during UCS file save, and consumes /var disk space.
Conditions:
UCS file is saved.
Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.
Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.
Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.
701785-3 : Linux kernel vulnerability: CVE-2017-18017
Solution Article: K18352029
701678-1 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
Component: Local Traffic Manager
Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.
Conditions:
-- Virtual configured with rate-limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.
Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.
Workaround:
None.
Fix:
UDP rate-limited virtual server now correctly sends packets to the server.
701626-1 : GUI resets custom Certificate Key Chain in child client SSL profile
Solution Article: K16465222
Component: TMOS
Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).
Conditions:
This happens in the following scenario:
1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.
Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.
Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false, preventing the issue from occurring.
You can also use tmsh to update parent profile settings to avoid the occurrence of this issue.
Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.
701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled
Component: Local Traffic Manager
Symptoms:
Within an LTM pool containing both FQDN members and members configured with static IP addresses, a statically-configured member that had been disabled (session = user-disabled) and then re-enabled (session = user-enabled) may become disabled again after making other changes affecting the state of other FQDN members of the pool.
Conditions:
This may occur under the following conditions:
- An LTM pool containing a mix of FQDN and statically-configured members.
- A statically-configured pool member is disabled (session = user-disabled) and then re-enabled (session = user-enabled).
- Other changes occur which affect the availability of FQDN pool members.
For example, if a route to an FQDN pool member is deleted and recreated, a previously-disabled statically-configured member may revert to a disabled state.
Depending on circumstances, the issue may only occur once after BIG-IP, TMM, bigd, or a related daemon restarts.
Impact:
A pool member may be unexpectedly disabled after being re-enabled, and thus would not receive traffic.
Workaround:
It may be possible to work around this issue by disabling and re-enabling the statically-configured pool member again.
Fix:
Statically-configured pool members of a pool that also contains FQDN members remain enabled after being manually disabled then re-enabled. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
701538-1 : SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
Component: Local Traffic Manager
Symptoms:
SSL handshake fails if the client initiates the handshake with TLS false start (specifically, client SSL sends the SSL record data to the server before the Server sends out the CSS is FINISHED notification).
Conditions:
1. Client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is the default for non-virtual edition (VE) versions).
Impact:
The BIG-IP system sends the RST to tear down the connection in TLS false start.
Workaround:
There are no true workarounds. You must disable one of the conditions to work around the issue:
-- Disable TLS False Start. (Note: this might not be feasible because it needs to be done on all clients.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not try to use TLS false start and are still able to use (EC)DHE.
Fix:
The system no longer processes application data before verifying that the finished message arrives and handshake is complete.
701359-2 : BIND vulnerability CVE-2017-3145
Solution Article: K08613310
701327-1 : failed configuration deletion may cause unwanted bd exit
Component: Application Security Manager
Symptoms:
Immediately after the deletion of a configuration fails, bd exits.
Conditions:
When deleting a configuration fails.
Impact:
Unwanted bd restart.
Workaround:
None.
Fix:
bd will exit upon a failed configuration only when configured to exit on failure.
701253-3 : TMM core when using MPTCP
Solution Article: K16248201
701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
Component: TMOS
Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.
The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.
Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.
Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.
Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.
Workaround:
There is no workaround.
701202-1 : SSL memory corruption
Solution Article: K35023432
Component: Local Traffic Manager
Symptoms:
In some instances random memory can be corrupted causing TMM core.
Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.
Impact:
TMM crash, disrupting traffic.
Workaround:
There is no workaround at this time.
Fix:
The memory corruption issue has been fixed.
701039 : Requests do not appear in local logging due to rare file descriptor exhaustion
Component: Application Security Manager
Symptoms:
In an extremely rare circumstance, requests do not appear in local logging due to file descriptor exhaustion in asmlogd.
Conditions:
-- ASM configured.
-- ASM policy with an associated 'Log all requests' logging profile.
-- Requests sent to virtual server.
-- View Request Log.
Impact:
Requests do not appear in local logging.
Workaround:
Restart ASM, or pkill -f asmlogd.
Fix:
Requests appear in local logging correctly.
700889-2 : Software syncookies without TCP TS improperly include TCP options that are not encoded
Solution Article: K07330445
Component: Local Traffic Manager
Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.
Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.
Impact:
In one known case, the client was Windows 7, which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system did not use WS in this case, and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.
Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.
Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.
700862-2 : tmm SIGFPE 'valid node'
Solution Article: K15130240
Component: Local Traffic Manager
Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.
Conditions:
The host is unreachable.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when the host is unreachable.
700827-2 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command: tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2': a sorted list of the ports yields a list like 2, 4, 6, 8… 32002, 32004, which 'strides' over the odd ports; thus, a port stride of 2.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP system.
Fix:
This release introduces a new variable mhdag.pu.table.size.multiplier. Setting it to 2 or 3 mitigates the issue.
700812-2 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
Component: Application Security Manager
Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.
Conditions:
Try to deploy a qkview on a BIG-IP using the asmrepro tool while BIG-IP has a 4 element version like 13.1.0.1.
Impact:
Cannot deploy a 4 element version qkview on a BIG-IP using the asmrepro tool.
Workaround:
n/a
Fix:
asmrepro now handles the version number properly.
700783-3 : Machine certificate check does not check against all FQDN hostnames
Component: Access Policy Manager
Symptoms:
A macOS machine can be on multiple networks simultaneously, so it might have multiple hostnames. Machine certificate check does not check against all FQDN hostnames. This causes failure in certain scenarios.
Conditions:
-- macOS configuration with multiple hostnames.
-- The 'match FQDN with subject alt name' option is specified for machine certificate check.
Impact:
Machine cert check might fail.
Workaround:
No workaround at this time.
Fix:
Previously, with a macOS system that had multiple hostnames, the machine certificate check could not check against all hostnames, causing failures in some scenarios. Now, the machine certificate check compares all hostnames on macOS devices.
700780-4 : F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
Component: Access Policy Manager
Symptoms:
F5 DNS Relay Proxy service does not support DNS-over-TCP requests, so if, in some configuration, the client resolver decides to use TCP for DNS resolution, this packet is not re-routed/proxied by the DNS Relay Proxy service, and may cause DNS to be resolved using an incorrect DNS server (where the system decides to send it).
Typically, if a client receives a DNS response with the TC flag set, it retries using TCP. Clearing the TC flag keeps the client resolver from using TCP at all, preventing DNS packet leakage.
Conditions:
-- DNS server responds with TC flag set in DNS response packet.
-- Windows only is affected.
Impact:
DNS resolution may not work as designed, as the system might send a packet to an incorrect DNS server.
Workaround:
None.
Fix:
Now F5 DNS Relay Proxy service clears TC flag in all proxied packets, preventing client DNS resolvers from using TCP. An appropriate log entry is printed into the service's log.
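The TC-flag handling described in this entry, shown as an added example (not F5 code): it clears the truncation bit in the header of a UDP DNS message and records a log entry when it does so. The function names, the log format, and the sample message are constructed for illustration.

```python
import struct

DNS_HEADER_LEN = 12
TC_FLAG = 0x0200  # TrunCation bit in the 16-bit flags word of the DNS header


def clear_tc_flag(message: bytes):
    """Return (message_with_TC_cleared, tc_was_set) for a UDP DNS message."""
    if len(message) < DNS_HEADER_LEN:
        raise ValueError("message is shorter than the 12-byte DNS header")
    (flags,) = struct.unpack_from("!H", message, 2)
    if not flags & TC_FLAG:
        return message, False
    patched = bytearray(message)
    # Only the flags word changes; ID, counts and all sections stay as sent.
    struct.pack_into("!H", patched, 2, flags & ~TC_FLAG)
    return bytes(patched), True


def relay_response(message: bytes, log: list) -> bytes:
    """Hypothetical relay step: clear TC and log when a response carried it."""
    patched, was_truncated = clear_tc_flag(message)
    if was_truncated:
        (ident,) = struct.unpack_from("!H", message, 0)
        log.append(f"cleared TC flag in response id=0x{ident:04x}")
    return patched


def build_sample_response(truncated: bool) -> bytes:
    """Constructed response header plus one question (vpn.example.test A IN)."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)  # QR, RD, RA (+ TC)
    header = struct.pack("!HHHHHH", 0x1A2B, flags, 1, 0, 0, 0)
    labels = (b"vpn", b"example", b"test")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    log = []
    out = relay_response(build_sample_response(truncated=True), log)
    print(f"flags after relay: 0x{struct.unpack_from('!H', out, 2)[0]:04x}")
    print(log)
```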
700757-2 : vcmpd may crash when it is exiting
Component: TMOS
Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:
err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create
It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:
umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy
Conditions:
vCMP must be in use.
Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.
Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:
tmsh restart sys service vcmpd
Fix:
Prevented vcmpd from crashing when exiting.
700726-1 : Search engine list was updated, and fixing case of multiple entries
Component: Application Security Manager
Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily. Part of the issue is that when adding custom search engines, there may be multiple search engines which match the User-Agent header, and this causes the match to fail.
Conditions:
Site accessed by search engines.
Impact:
Traffic from search engines is blocked unnecessarily.
Workaround:
Manually add search engines.
Fix:
Search engine list has been updated to reflect current common search engine usage. Also, this version removes the check of multiple search engines, so that now when multiple Search Engines are matched, the Search Engine bypasses the challenges.
700696-2 : SSID does not cache fragmented Client Certificates correctly via iRule
Component: Local Traffic Manager
Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.
Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.
Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.
Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.
Fix:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature to properly cache very large-size client certificates (typically exceeding 16,384 bytes).
700571-2 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE
Component: Service Provider
Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.
Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL.
Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.
Workaround:
None.
Fix:
The branch parameter value calculation now remains consistent throughout the connection.
700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
Component: Application Security Manager
Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.
Note: In order to view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug', enable 'device discovery' on Chrome on the desktop, and view the console from there.
Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.
Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.
The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extension. However, Chrome on Android/iOS does not support 'chrome-extension'.
Workaround:
Disable Device ID in ASM policy.
Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.
700556-2 : TMM may crash when processing WebSockets data
Solution Article: K11718033
700527-1 : cmp-hash change can cause repeated iRule DNS-lookup hang
Component: Global Traffic Manager (DNS)
Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.
Conditions:
-- iRule is in the middle of a call to RESOLV::lookup.
-- A change is made to VLAN cmp-hash configuration.
Impact:
The iRule call can hang repeatedly.
Workaround:
Restart the TMM. This will interrupt client traffic while TMM restarts.
Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.
700433-2 : Memory leak when attaching an LTM policy to a virtual server
Solution Article: K10870739
Component: Local Traffic Manager
Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.
As a result of this issue, you may encounter one or more of the following symptoms:
-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.
-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.
Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.
Workaround:
None.
Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.
700393-2 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
Solution Article: K53464344
Component: Local Traffic Manager
Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.
Conditions:
HTTP/2 profile in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.
700386-1 : mcpd may dump core on startup
Component: TMOS
Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.
Conditions:
This can happen only at startup.
Impact:
mcpd restarts, but resumes normal operation.
Workaround:
None.
Fix:
mcpd no longer generates a core on startup.
700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.
Component: Application Security Manager
Symptoms:
Request is blocked by an ASM policy, but the ASM end user does not see the blocking page with a unique support id for the blocked request.
Conditions:
1. ASM policy Asynchronous JavaScript and XML (AJAX) blocking page enabled.
2. ASM policy is working in blocking mode.
3. ASM policy attached to a virtual server.
4. AJAX request has been sent and blocked.
Impact:
ASM end user has no visual indication that there has been a blocked AJAX request.
Workaround:
None.
Fix:
The system now handles Ajax requests being sent via the JQuery framework.
700315-3 : Ctrl+C does not terminate TShark
Solution Article: K26130444
Component: TMOS
Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.
Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.
Impact:
TShark does not exit as expected when pressing CTRL+C.
Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process, by running a command similar to the following: kill -9 $(pidof tshark)
Fix:
Ctrl+C now terminates TShark as expected.
700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
Component: Application Security Manager
Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.
Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.
Impact:
Only the latest 10,000 events are deleted.
Workaround:
There is no workaround for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.
Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.
700061-3 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
Component: Local Traffic Manager
Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key file Unix permissions change from '-rw-r-----' to '-rw-r--r--'.
Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.
Impact:
Key file Unix read permission changes from '-rw-r-----' to '-rw-r--r--'.
Workaround:
There is no workaround at this time.
Fix:
Restarting the MCPD service or rebooting the device no longer changes key file Unix read permissions from '-rw-r-----' to '-rw-r--r--'.
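A check for the permission drift described in this entry, as an added example (not F5 code): it walks a directory of key files and reports every regular file that grants read access to 'other'. The directory to audit is passed by the caller because the key file location is not given here; the demo files are constructed placeholders.

```python
import os
import stat
import tempfile

EXPECTED_MODE = "-rw-r-----"  # key file mode given in this release note


def audit_key_files(key_dir):
    """Return [(path, mode_string)] for regular files readable by 'other'."""
    findings = []
    for root, _dirs, files in os.walk(key_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: report on the entry, not a link target
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, and other non-regular files
            if st.st_mode & stat.S_IROTH:
                findings.append((path, stat.filemode(st.st_mode)))
    return findings


def demo():
    """Audit a constructed directory holding one correct and one drifted file."""
    with tempfile.TemporaryDirectory() as key_dir:
        for name, mode in (("good.key", 0o640), ("drifted.key", 0o644)):
            path = os.path.join(key_dir, name)
            with open(path, "w") as handle:
                handle.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        return [(os.path.basename(p), m) for p, m in audit_key_files(key_dir)]


if __name__ == "__main__":
    for name, mode in demo():
        print(f"{name}: {mode} (expected {EXPECTED_MODE})")
```

Running the audit after each MCPD restart or reboot shows whether key files on an affected version have become world-readable.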
700057-3 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
Component: Local Traffic Manager
Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.
Conditions:
Upgrade or load a .ucs with SSL keys configured.
Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.
Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config
Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.
699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
Component: Application Security Manager
Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.
Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.
Impact:
ASM crash; system goes offline.
Workaround:
Use either of the following workarounds:
-- Remove remote logger.
-- Have response logging for illegal requests only.
Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.
699531-3 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.
699455-3 : SAML export does not follow best practices
Solution Article: K50254952
699454-3 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.
Conditions:
ASM provisioned.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing URL DB updates.
699452-3 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing PEM configuration updates.
Conditions:
PEM provisioned.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing PEM configuration updates.
699431 : Possible memory leak in MRF under low memory
Component: Service Provider
Symptoms:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this case, the table entry will not be cleaned up when the connection closes.
Conditions:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this case, the table entry will not be cleaned up when the connection closes.
Impact:
The table entry will remain until the box resets.
Workaround:
There is no workaround at this time.
Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.
699346-2 : NetHSM capacity reduces when handling errors
Solution Article: K53931245
699339-1 : Geolocation upgrade files fail to replicate to secondary blades
Solution Article: K24634702
Component: Global Traffic Manager (DNS)
Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.
Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.
Impact:
Geoip database is not updated to match primary blade.
Workaround:
Use either of the following workarounds:
-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.
-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.
To edit /etc/csyncd.conf:
Merge the following two terms:
monitor dir /shared/GeoIP {...}
monitor dir /shared/GeoIP/v2 {...}
into one term, as follows:
monitor dir /shared/GeoIP {
    queue geoip
    pull pri2sec
    recurse yes
    defer no
    lnksync yes
    md5 no
    post "/usr/local/bin/geoip_reload_data"
}
Fix:
Geolocation upgrade files now correctly replicate to secondary blades.
699281 : Version format of hypervisor bundle matches Version format of ISO
Component: TMOS
Symptoms:
F5 recently incorporated a 4th element into the versioning scheme. The 4th and 5th elements are separated by a dash (instead of a dot) in the ISO name. This change ensures that names of hypervisor bundles also use a dash between the 4th and 5th elements.
Conditions:
Applies to hypervisor bundles (for example ova files for vmware).
Impact:
Version format in names of hypervisor bundles matches version format of ISO file.
Workaround:
Version format in names of hypervisor bundles matches version format of ISO file.
Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).
699267-1 : LDAP Query may fail to resolve nested groups
Component: Access Policy Manager
Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).
Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled.
Impact:
LDAP Query agent fails.
Unable to get user identity.
Unable to finalize Access Policy.
Fix:
After the fix, LDAP Query resolves all nested groups as expected, and the session.ldap.last.attr.memberOf attribute contains the user's groups.
699262-2 : FQDN pool member status remains in 'checking' state after full config sync
Component: Local Traffic Manager
Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.
Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:
tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }
Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.
Workaround:
Restart bigd on the affected peer after the config sync.
Fix:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) no longer shows FQDN pool members stuck in the 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
699147 : Hourly billed cloud images are now pre-licensed
Component: TMOS
Symptoms:
Hourly billed images in cloud environments require outbound internet access to the F5 public license server in order to retrieve a license. This causes some sites with strict network access policies to fail to license.
Conditions:
Using hourly billing.
Impact:
Hourly instances do not receive licenses and thus cannot pass traffic without outbound internet access.
Workaround:
Enable outbound internet access when the guest instance is created to allow it to license, then revoke it.
Fix:
Hourly billed cloud images are now pre-licensed and so do not require internet access to receive a license.
699135-2 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.
Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create an iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.
Impact:
tmm cores.
Workaround:
Do not use the host command for wideips of a type other than A/AAAA.
698947-1 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
Component: TMOS
Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.
Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.
Impact:
The decapsulated packets may be dropped in the BIG-IP system.
Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.
698919-1 : Anti virus false positive detection on long XML uploads
Component: Application Security Manager
Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.
Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.
Impact:
Violation is detected where no violation has occurred (false positive violation).
Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.
Note: This workaround will affect the amount of logged data from ASM.
Fix:
Fixed a false positive virus-detected violation related to long XML uploads.
698916-3 : TMM crash with HTTP/2 under specific condition
Component: Local Traffic Manager
Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connection.
Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.
Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.
698813-3 : When processing DNSX transfers ZoneRunner does not enforce best practices
Solution Article: K45435121
698806-2 : Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces
Component: Advanced Firewall Manager
Symptoms:
Egress Interfaces are not checked in the Source Translation page even if they are configured.
Conditions:
Create a source translation object with egress Interfaces set to 'Enabled on...', select Egress Interfaces from the list, and hit 'Finished'. Egress Interfaces will not be checked with the originally configured values.
Impact:
Egress Interfaces will not be checked even if they are configured.
Workaround:
Use tmsh to check whether the object is actually configured with Egress Interfaces.
Fix:
Egress Interfaces will be selected whenever a user tries to create a source Translation object with Egress Interfaces.
698757-1 : Standby system saves config and changes status after sync from peer
Solution Article: K58143082
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period of time.
After a while, it automatically goes to Changes Pending status.
Conditions:
-- Manual sync device-group configuration.
-- Modify existing policy encoding to uppercase (via tmsh).
-- ASM configuration.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
Use either of the following workarounds:
-- Push the sync back from the Standby device to the Active device, and then again from the Active to Standby.
-- Put the device group into auto-sync state and push the config from the Active to the Standby. After the Sync state resolves and the ASM configuration is finished loading, the device group can be put back to Manual sync.
Fix:
Change requested encoding to lowercase.
698619-1 : Disable port bridging on HSB ports for non-vCMP systems
Component: TMOS
Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.
Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).
Impact:
This triggers a FDB flush and can result in packet flooding back to the HSB and potential network saturation.
Workaround:
None.
Fix:
Port bridging on HSB interfaces in the switch for non-vCMP systems is now disabled, so this issue no longer occurs.
698379-3 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
Solution Article: K61238215
Component: Local Traffic Manager
Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.
Conditions:
HTTP2 virtual server configured.
Impact:
Uploads for the HTTP2 virtual server might fail intermittently.
Workaround:
None.
Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.
698338-2 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
Component: Service Provider
Symptoms:
The system may core.
Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.
Impact:
The system cores and will restart.
Workaround:
None.
Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.
698080-1 : TMM may consume excessive resources when processing with PEM
Solution Article: K54562183
698000-1 : Connections may stop passing traffic after a route update
Solution Article: K04473510
Component: Local Traffic Manager
Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.
Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.
Impact:
Connections may fail after routing updates. New connections will not be affected.
Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.
Fix:
Routing updates no longer interrupt traffic to connections using a pool member to reach the nexthop.
697878 : High crypto request completion time under some workload patterns
Component: TMOS
Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into the associated waiting queue. The crypto requests continue to complete, but are significantly delayed.
Conditions:
High crypto usage often in conjunction with high compression usage.
Impact:
Crypto requests can be delayed as long as 1.5 seconds.
Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
tmsh modify sys db crypto.hwacceleration value disable
Fix:
Improve accelerated crypto poll-timing calculation.
697718-3 : Increase PEM HSL reporting buffer size to 4K.
Component: Policy Enforcement Manager
Symptoms:
Before this fix, the PEM HSL reporting buffer size was limited to 512 bytes.
Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.
Impact:
Part of the PEM HSL flow reporting information will be lost.
Fix:
The PEM HSL reporting buffer size is increased to 4K, which should be enough for the use cases currently known.
697616 : Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
Component: TMOS
Symptoms:
Failure in SSL traffic in vCMP configurations. The system logs the following device error:
-- crit tmm[17083]: 01010025:2: Device error: crypto codec qat-crypto0-0 queue is stuck.
-- warning sod[7759]: 01140029:4: HA crypto_failsafe_t qat-crypto0-0 fails action is failover.
Conditions:
-- vCMP guests when performing crypto operations.
-- i5600, i5800, i7600, i7800, i10600, i10800, i12600, i12800, i15600, i15800 platforms.
Impact:
The 'crypto queue stuck' message is reported, and failover will be triggered.
Workaround:
None.
Fix:
The 'crypto queue stuck' issue on vCMP platforms no longer occurs.
697424 : iControl-REST crashes on /example for firewall address-lists
Component: TMOS
Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.
Conditions:
Making a call to /example on firewall address-list.
Impact:
The icrd_child process crashes.
Workaround:
There is no workaround other than not calling /example on firewall address-lists.
697303-3 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
Fix:
BD no longer crashes under these conditions.
697259-1 : Different versioned vCMP guests on the same chassis may crash.
Solution Article: K14023450
Component: Local Traffic Manager
Symptoms:
The vCMP guest TMM crashes soon after startup.
Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.
Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Different versioned vCMP guests on the same chassis no longer crash.
696808-3 : Disabling a single pool member removes all GTM persistence records
Component: Global Traffic Manager (DNS)
Symptoms:
Disabling a single pool member removes all GTM persistence records.
Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.
Impact:
All GTM persistence records are accidentally cleared.
Workaround:
Set drain-persistent-requests yes.
Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.
696789-2 : PEM Diameter incomplete flow crashes when TCL resumed
Component: Policy Enforcement Manager
Symptoms:
A PEM Diameter flow is not fully created, for example suspended by an iRule, and the iRule is resumed because of a timeout.
Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.
Impact:
The tmm will restart and all flows will reset.
Fix:
The PEM Diameter flow is now created in such a way as to prevent a crash when an iRule is resumed by timeout.
696732 : tmm may crash in a compression provider
Solution Article: K54431534
Component: TMOS
Symptoms:
TMM may crash with the following panic message in the log files:
panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.
Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:
tmsh modify sys db compression.strategy value softwareonly
696468 : Active compression requests can become starved from too many queued requests.
Component: TMOS
Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal to or higher than 512, and the cur_active remains at zero.
CPU utilization per tmm in this condition may be quite high.
Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.
Impact:
Compression on a per-tmm basis can stop servicing new requests.
Workaround:
Switch to software compression.
Fix:
Soften the restriction so that accumulated contexts with no traffic cannot prevent busy contexts from getting compression time.
696383-2 : PEM Diameter incomplete flow crashes when sweeped
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.
Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.
Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The PEM Diameter flow is now created in such a way as to prevent any crash by the sweeper.
696294-3 : TMM core may be seen when using Application reporting with flow filter in PEM
Component: Policy Enforcement Manager
Symptoms:
TMM cores with flow filter when the Application reporting action is enabled.
Conditions:
Application reporting is enabled along with flow filter.
Impact:
TMM restarts, causing service interruption.
Fix:
Initialize the application start buffer so as to prevent the TMM core.
696265-3 : BD crash
Solution Article: K60985582
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
Fix:
Fixed a BD crash scenario.
696113-1 : Extra IPsec reference added per crypto operation overflows connflow refcount
Component: TMOS
Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.
Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.
Impact:
Unexpected tmm failover after refcount overflow.
Workaround:
There is no workaround at this time.
Fix:
An object tracking crypto operations now adds a sole reference to the connflow as long as the count of pending crypto operations is nonzero.
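The overflow and the fix described in 696113, modelled as an added C example that is not F5 code. The 16-bit counter width, the struct and function names, and the queue depths are assumptions for illustration; the release note does not state the real refcount size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a connection flow. The 16-bit width is an
 * assumption for the demo; the release note only says the field got smaller. */
struct flow {
    uint16_t refcount;
};

/* Unchecked take: a narrow unsigned counter silently wraps past its maximum. */
static void flow_ref(struct flow *f) { f->refcount++; }

/* Checked take: refuse to wrap so the caller can fail the operation instead. */
static bool flow_ref_checked(struct flow *f)
{
    if (f->refcount == UINT16_MAX)
        return false;
    f->refcount++;
    return true;
}

/* Drop a reference; returns true when the flow would now be freed. */
static bool flow_unref(struct flow *f)
{
    return --f->refcount == 0;
}

/* "Before" pattern: every queued crypto operation holds its own reference.
 * Returns how many operations are still pending when the refcount reaches
 * zero (the flow would be freed under them); 0 means that never happened. */
static uint32_t per_op_pending_at_free(uint32_t ops)
{
    struct flow f = { .refcount = 1 };       /* owner's reference */
    uint32_t i;

    for (i = 0; i < ops; i++)
        flow_ref(&f);                        /* one reference per queued op */
    for (i = 0; i < ops; i++) {
        if (flow_unref(&f))                  /* op completes, drops its ref */
            return ops - (i + 1);
    }
    return 0;
}

/* "After" pattern, following the fix text: one tracker counts pending
 * operations in a wider field and holds a sole flow reference while that
 * count is nonzero. */
struct crypto_tracker {
    struct flow *flow;
    uint32_t pending;
};

static bool tracker_op_start(struct crypto_tracker *t)
{
    if (t->pending == 0 && !flow_ref_checked(t->flow))
        return false;                        /* flow refcount saturated */
    t->pending++;
    return true;
}

static void tracker_op_done(struct crypto_tracker *t)
{
    if (t->pending == 0 || --t->pending != 0)
        return;
    flow_unref(t->flow);                     /* last op done: drop sole ref */
}

struct run_stats {
    bool ok;          /* every operation could be queued */
    uint16_t peak;    /* highest flow refcount seen while queueing */
    uint16_t final;   /* flow refcount after all operations completed */
};

static struct run_stats tracker_run(uint32_t ops)
{
    struct flow f = { .refcount = 1 };       /* owner's reference */
    struct crypto_tracker t = { .flow = &f, .pending = 0 };
    struct run_stats s = { .ok = true, .peak = 1, .final = 1 };
    uint32_t i;

    for (i = 0; i < ops; i++) {
        if (!tracker_op_start(&t)) {
            s.ok = false;
            break;
        }
        if (f.refcount > s.peak)
            s.peak = f.refcount;
    }
    while (t.pending != 0)
        tracker_op_done(&t);
    s.final = f.refcount;
    return s;
}

int main(void)
{
    struct run_stats s = tracker_run(70000);

    printf("per-op refs, 1000 ops:  %u pending at free\n",
           (unsigned)per_op_pending_at_free(1000));
    printf("per-op refs, 70000 ops: %u pending at free\n",
           (unsigned)per_op_pending_at_free(70000));
    printf("tracker, 70000 ops: ok=%d peak=%u final=%u\n",
           s.ok, (unsigned)s.peak, (unsigned)s.final);
    return 0;
}
```

With one reference per operation, a queue longer than the counter's range brings the count to zero while operations are still outstanding; with the tracker, the flow's count never exceeds the owner's reference plus one, whatever the queue length.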
696049-3 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.
695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in a potential OOM scenario.
Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM
Impact:
Potential loss of service.
Workaround:
There is no workaround at this time.
Fix:
Freed Diameter messages appropriately.
695925-3 : tmm crash when showing connections for a CMP disabled virtual server
Component: Local Traffic Manager
Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.
Conditions:
This occurs when all of the following conditions are met:
-- There is a CMP-disabled virtual server.
-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).
-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').
Impact:
tmm crashes and restarts, impacting traffic.
Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.
Avoid using 'tmsh show sys connection'.
695901-2 : TMM may crash when processing ProxySSL data
Solution Article: K46940010
695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes
Solution Article: K30081842
Component: Local Traffic Manager
Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.
Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.
FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.
Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:
... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...
Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.
Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.
Fix:
With up to 2,000 nodes and/or pool members (including FQDN nodes and/or pool members) configured, bigd no longer produces corrupted MCP messages that result in nodes and/or pool members remaining in a 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
694922-4 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group.
2) A new ASM entity is created on a device.
Impact:
ASM configuration is not correctly synchronized between devices.
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic
Fix:
Devices no longer spuriously enter an untrusted state.
694778-2 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
Component: Local Traffic Manager
Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).
Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.
Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).
Workaround:
There is no workaround other than to disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable
Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.
694740-1 : BIG-IP reboot during a TMM core results in an incomplete core dump
Component: TMOS
Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.
Fix:
Reboot is delayed until TMM core file is completed.
694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
Component: Policy Enforcement Manager
Symptoms:
TMM crashes.
Conditions:
A PEM iRule command that results in an inter-TMM lookup is used on a long-lived flow, so that the PEM iRule command is hit several times. For example, a long-lived flow with multiple HTTP transactions.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.
694697-3 : clusterd logs heartbeat check messages at log level info
Solution Article: K62065305
Component: Local Traffic Manager
Symptoms:
clusterd logs heartbeat check messages at log level info, similar to the following:
-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)
Conditions:
log.clusterd.level set to info.
Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to /var/log/ltm.
Workaround:
Set log.clusterd.level to notice.
Fix:
The log level of clusterd heartbeat check messages has changed. 'Skipping heartbeat check' messages are now logged at debug level, and 'Checking heartbeat of peer slot' messages are now logged at verbose level and report on which bp the heartbeat was received.
694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline
Component: TMOS
Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.
Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.
Impact:
Traffic to all other traffic-groups is disrupted for several seconds.
Workaround:
There is no workaround at this time.
Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.
694656-3 : Routing changes may cause TMM to restart
Solution Article: K05186205
Component: Local Traffic Manager
Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).
Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.
-- Dynamic routing, due to its nature, is likely to increase the potential for the issue to occur.
-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).
Impact:
TMM restarts, resulting in a failover and/or traffic outage.
Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.
If dynamic routing is in use, there is no workaround.
Fix:
TMM now properly manages routing information for active connections.
694319-3 : CCA without a request type AVP cannot be tracked in PEM.
Component: Policy Enforcement Manager
Symptoms:
May cause diagnostic issues, as not all CCA messages can be tracked.
Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP
Impact:
May hamper effective diagnostics.
Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.
Fix:
Add a statistics counter to track CCAs that do not have a request type AVP.
Name of new counter: cca_unknown_type
694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
Component: Policy Enforcement Manager
Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.
Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.
Impact:
Subscriber sessions are stuck in delete pending, resulting in a potential increase in memory consumption over a period of time.
Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.
Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.
694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7
Solution Article: K23565223
694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup
Component: Application Security Manager
Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.
Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).
Impact:
Low and incorrect visibility of signature update details.
Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.
Fix:
Signature updates are now shown correctly for all versions.
693910-2 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
Component: Local Traffic Manager
Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transitions to an STP blocked state. This is because the FDB entries are not being flushed on these interfaces after they change to a blocked state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.
Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.
Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.
Workaround:
None.
Fix:
FDB entries are now flushed by interface whenever an interface transitions to an STP blocked state.
693884-3 : ospfd core on secondary blade during network unstability
Component: TMOS
Symptoms:
ospfd core on secondary blade while network is unstable.
Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.
Impact:
Dynamic routing process ospfd cores on secondary blade.
Workaround:
None.
693838 : Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors
Component: Local Traffic Manager
Symptoms:
Member of pool is not marked down when response time exceeds hard limit.
Conditions:
Adaptive monitoring enabled for UDP monitor and server response time exceeds hard limit.
Impact:
Member remains in pool despite exceeding hard limit which may result in degraded services.
Workaround:
None.
693744-3 : CVE-2018-5531: vCMP vulnerability
Solution Article: K64721111
693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
Component: Access Policy Manager
Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.
Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.
Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.
Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.
Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.
693582-3 : Monitor node log not rotated for icmp monitor types
Component: Local Traffic Manager
Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.
Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
Impact:
Depending on the affected BIG-IP version in use, effects may include:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.
Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).
If symptom #1 (from Impact section above) occurs, Monitor Logging can be re-enabled after log rotation has occurred.
To address symptom #2 or #3 (from Impact section above), Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors
693312-2 : vCMPd may crash when processing bridged network traffic
Solution Article: K03165684
693308-3 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
Component: Local Traffic Manager
Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.
Conditions:
[1] SSL client authentication is enabled on the backend server.
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on either the client or the server side.
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.
Impact:
The backend server will not be securely accessible via SSL because the connection hangs.
Workaround:
Disable SSL Session Persistence.
Fix:
When a BIG-IP virtual service receives a fragmented message, each subsequent message carries its own 5-byte header, which must be accounted for. With these headers taken into account, the Session Persistence parser no longer finds a multiple of 5 bytes missing while parsing the message, and it no longer hangs.
693211-3 : CVE-2017-6168
Solution Article: K21905460
693106-2 : IKEv1 newest established phase-one SAs should be found first in a search
Component: TMOS
Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.
If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BIG-IP, preferring the newest SA may mitigate the problem.
Conditions:
The situation seems most easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.
If the other end deletes a duplicate without sending a DELETE message to BIG-IP, we might accidentally use the older SA of a pair.
Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.
Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.
Fix:
At the moment a new IKE-SA is established, we now move that SA to the head of the hashmap bucket searched for that remote peer in the future. This makes us more likely to use the newest SA from the perspective of a remote peer, the next time we initiate another phase two negotiation ourselves.
693007-3 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
Component: Global Traffic Manager (DNS)
Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.
Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.
Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.
Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.
Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.
Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.
692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash
Component: Local Traffic Manager
Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.
Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.
Impact:
TMM restart causes traffic interruption or failover.
Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.
Fix:
TMM no longer crashes with DHCP flow validation.
692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
Component: Global Traffic Manager (DNS)
Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.
Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.
Impact:
gtmd and/or tmm core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Changing wide IP no longer causes gtmd and tmm to core when a GTM pool is removed while it is referenced by a persist record and that record is accessed before it is purged.
692307-1 : User with 'operator' role may not be able to view some session variables
Component: Access Policy Manager
Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.
Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.
Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.
Workaround:
Find this data via clicking on the session ID.
Fix:
User with 'operator' role can now view all expected session variables.
692189-3 : errdefsd fails to generate a core file on request.
Component: TMOS
Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.
Conditions:
Forcing errdefsd to core for diagnostic purposes.
Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.
Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd
Fix:
errdefsd now generates a core file when forced to core.
692179-3 : Potential high memory usage from errdefsd.
Component: TMOS
Symptoms:
errdefsd memory usage grows with each config-sync or config update.
Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.
Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.
Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.
Fix:
The changes in this bug force errdefsd to check for config changes once every second in addition to checking whenever management-port destination logs come in.
692158-2 : iCall and CLI script memory leak when saving configuration
Component: TMOS
Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.
Conditions:
Use of iCall or CLI scripts to save the configuration.
Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.
Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.
Fix:
scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.
692123-2 : GET parameter is grayed out if MobileSafe is not licensed
Component: Fraud Protection Services
Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.
Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.
Impact:
In FPS Parameter's list, the GET method is always grayed out.
Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.
Fix:
The GET method is not grayed out if MobileSafe is not licensed.
692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member
Solution Article: K65311501
Component: Local Traffic Manager
Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]
Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.
Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.
Workaround:
None.
Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.
691897-1 : Names of the modified cookies do not appear in the event log
Component: Application Security Manager
Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie are empty.
Conditions:
A modified domain cookies violation happens.
Note: This can happen only if there are also non-modified or staged cookies.
Impact:
Expected violation details are not displayed.
Workaround:
There is no workaround at this time.
Fix:
Issue with modified domain cookie violation details is now fixed.
691806-3 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Solution Article: K61815412
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.
Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.
Impact:
The BIG-IP system resets connection with RST.
Workaround:
None.
Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.
691670-3 : Rare BD crash in a specific scenario
Component: Application Security Manager
Symptoms:
BD crash or false reporting of signature ID 200023003.
Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).
Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
Fix:
Fixed a bug in the signatures engine that causes false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.
A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.
691589 : When using LDAP client auth, tamd may become stuck
Component: TMOS
Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.
Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.
Impact:
Authentication to the virtual server fails until tamd is restarted.
Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd
Fix:
tamd no longer becomes stuck when using LDAP client auth.
691504-3 : PEM content insertion in a compressed response may cause a crash.
Solution Article: K54562183
691498-1 : Connection failure during iRule DNS lookup can crash TMM
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes in the DNS response cache periodic sweep.
Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.
Impact:
The TMM cores and automatically restarts. Traffic disrupted while tmm restarts.
Workaround:
No known workaround.
Fix:
The reference counting of the resolver connection was fixed.
691477-1 : ASM standby unit showing future date and high version count for ASM Device Group
Component: Application Security Manager
Symptoms:
Policy builder is changing configuration of standby unit.
Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).
Impact:
Unexpected changes are made to the policy on standby device (CID increment).
Workaround:
Restart pabnagd when switching device from active to standby (also when blade is changed from master to non-master):
killall -s SIGHUP pabnagd
Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.
691287-3 : tmm crashes on iRule with GTM pool command
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').
For example:
when DNS_REQUEST {
    pool [string tolower "Test.com"]
}
or:
when DNS_REQUEST {
    pool [class lookup pool-dg key-value]
}
Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Pass the 'pool' argument through 'string trim'. For instance:
when DNS_REQUEST {
    pool [string trim [class lookup pool-dg key-value]]
}
Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.
691224-1 : Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled
Solution Article: K59327001
Component: Local Traffic Manager
Symptoms:
The node server rejects the incomplete ClientHello message it receives, and the connection terminates.
Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.
Impact:
With Session Persistence enabled:
-- The parser fails to reassemble fragmented ClientHello messages prior to passing them on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.
Workaround:
The issue disappears when SSL Persistence is disabled.
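Added example (not F5 code): issues 693308 and 691224 above both involve a handshake message split across several TLS records, each of which carries its own 5-byte record header. The Python below reassembles such messages and contrasts that with a parser that strips only the first header; the class and function names, the constructed sample data and the 1 MiB handshake cap are assumptions made for illustration.

```python
import struct

RECORD_HEADER_LEN = 5        # content type (1) + version (2) + length (2)
HANDSHAKE_HEADER_LEN = 4     # message type (1) + length (3)
CONTENT_HANDSHAKE = 22
MAX_RECORD_PAYLOAD = 16384   # 2**14, the TLS plaintext record limit
MAX_HANDSHAKE_LEN = 1 << 20  # assumed cap so a peer cannot force unbounded buffering


class HandshakeReassembler:
    """Rebuilds handshake messages that span several TLS records."""

    def __init__(self):
        self._wire = bytearray()       # raw stream bytes not yet split into records
        self._handshake = bytearray()  # handshake bytes with record headers removed

    def feed(self, data):
        """Accept any slice of the TCP stream; return completed (type, body) pairs."""
        self._wire += data
        done = []
        while len(self._wire) >= RECORD_HEADER_LEN:
            ctype, _version, length = struct.unpack_from("!BHH", self._wire)
            if length > MAX_RECORD_PAYLOAD:
                raise ValueError("record payload exceeds 16384 bytes")
            end = RECORD_HEADER_LEN + length
            if len(self._wire) < end:
                break  # the rest of this record has not arrived yet
            payload = bytes(self._wire[RECORD_HEADER_LEN:end])
            del self._wire[:end]
            if ctype != CONTENT_HANDSHAKE:
                continue  # other record types are not part of a handshake message
            self._handshake += payload
            done.extend(self._drain())
        return done

    def _drain(self):
        """Pop every complete handshake message off the de-framed buffer."""
        out = []
        while len(self._handshake) >= HANDSHAKE_HEADER_LEN:
            body_len = int.from_bytes(self._handshake[1:4], "big")
            if body_len > MAX_HANDSHAKE_LEN:
                raise ValueError("handshake message larger than the configured cap")
            end = HANDSHAKE_HEADER_LEN + body_len
            if len(self._handshake) < end:
                break  # the message continues in a later record
            body = bytes(self._handshake[HANDSHAKE_HEADER_LEN:end])
            out.append((self._handshake[0], body))
            del self._handshake[:end]
        return out


def naive_parse(stream):
    """Flawed: strips only the first record header, so later headers land in the body."""
    hs = stream[RECORD_HEADER_LEN:]
    body_len = int.from_bytes(hs[1:4], "big")
    return hs[0], hs[HANDSHAKE_HEADER_LEN:HANDSHAKE_HEADER_LEN + body_len]


def fragment(msg_type, body, chunk):
    """Constructed sample: one handshake message split into records of `chunk` bytes."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    parts = [hs[i:i + chunk] for i in range(0, len(hs), chunk)]
    return b"".join(struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0303, len(p)) + p for p in parts)


def reassemble(stream, segment):
    """Feed `stream` in TCP-like slices of `segment` bytes and collect the messages."""
    reassembler = HandshakeReassembler()
    found = []
    for i in range(0, len(stream), segment):
        found.extend(reassembler.feed(stream[i:i + segment]))
    return found


if __name__ == "__main__":
    hello = bytes(range(40))          # constructed ClientHello body
    stream = fragment(1, hello, 11)   # 11-byte fragments, as in 691224
    print(reassemble(stream, 7) == [(1, hello)])
    print(naive_parse(stream)[1] == hello)
```

With four 11-byte fragments, the stream carries 15 bytes of record headers beyond the first one, which is the multiple-of-5 discrepancy the 693308 fix text refers to.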
691017-1 : Preventing ng_export hangs
Component: Access Policy Manager
Symptoms:
Sometimes ng_export is stuck while reading tmsh through the pipe because of buffer issues. Export is trying to read more data from tmsh while data is lost in the middle of the read operation.
Conditions:
-- ng_export receives tmsh replies through buffer of constant size x.
-- During the read operation, tmsh returns a buffer size of x minus k, where k is a very small random number (less than 50).
Note: k is a very small random number, which makes this issue difficult to describe.
Impact:
The export operation hangs.
Workaround:
There is no workaround at this time.
Fix:
APM access policy export now uses non-blocking socket and loops to wait for data or terminate gracefully.
690819-3 : Using an iRule module after a 'session lookup' may result in crash
Component: TMOS
Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.
Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.
Impact:
The system may core, or result in undefined and/or undesired behavior.
Workaround:
Check the return value of 'session lookup' before using another iRule module.
If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.
690793-2 : TMM may crash and dump core due to improper connflow tracking
Solution Article: K25263287
Component: TMOS
Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.
Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.
While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.
Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.
Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.
However, this does not eliminate entirely the chances of running into this issue.
Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.
690166-3 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
Component: Global Traffic Manager (DNS)
Symptoms:
Creating an SRV wideip results in stub zone creation even when there are already matching zones.
Conditions:
Creating SRV wideip with three more layers than existing zone.
Impact:
Unnecessary stub zones created.
690042-3 : Potential Tcl leak during iRule suspend operation
Solution Article: K43412307
Component: Local Traffic Manager
Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.
Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.
Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer leaks memory.
689826-2 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
Solution Article: K95422068
Component: Access Policy Manager
Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.
Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a Unicode language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.
Impact:
Proxy settings are not applied on client side after VPN is established.
Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:
1. Set the custom variable name to the following value:
config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
Note: <network_access_resource_name> is the name of the network access resource.
2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.
3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.
Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.
689730-2 : Software installations from v13.1.0 might fail★
Component: TMOS
Symptoms:
Installation terminates with the following final log messages:
info: updating shared filesystem directories...
progress: 10/100
error: mkdir /mnt/tm_install/3543.JENFeQ/core failed - File exists
Terminal error: Failed to install.
Conditions:
-- BIG-IP Virtual Editions, or the following appliances:
+ i2600
+ i2800
+ i4600
+ i4800
+ i5600
+ i5800
+ i5820
+ i7600
+ i7800
+ i7820
+ i10600
+ i10800
+ i11600
+ i11800
-- Running BIG-IP software v13.1.0 or earlier.
-- Installing BIG-IP software with --instslot option.
Impact:
Installation of new software cannot proceed.
Workaround:
Remove the '/shared/core' symlink, then restart the installation.
Fix:
The installer now properly detects the symlink and proceeds without error.
689577-1 : ospf6d may crash when processing specific LSAs
Solution Article: K45800333
Component: TMOS
Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.
Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.
Impact:
OSPFv3 routing will be interrupted while the daemon restarts and the protocol re-converges.
Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.
Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.
689449-3 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.
Conditions:
- VIP configured with spdy/http2 and http with fallback-host.
Impact:
TMM may eventually enter aggressive sweeper mode where this memory will be released. In the process it is possible that some legitimate connections will be killed.
Workaround:
No workaround at this time.
Fix:
BIG-IP no longer attempts to send a response with a configured fallback host in HTTP profile, when a connection is aborted by a client or due to an internal error. This prevents the internal flow from staying in memory after the connection has died.
689437-2 : icrd_child cores due to infinite recursion caused by incorrect group name handling
Solution Article: K49554067
Component: TMOS
Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.
Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.
Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.
Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.
Fix:
icrd_child parsing logic update is needed to not enter recursion.
689211-2 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
Component: TMOS
Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.
Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.
Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.
Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.
Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
bigstart restart
Fix:
Added check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an address containing all zero when forwarded.
689089-3 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
Component: Local Traffic Manager
Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.
Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:
"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"
Where "N" is the number of physical slots in the chassis (2, 4, or 8).
Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.
Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.
Fix:
The configuration file update logic has been changed to prevent file corruption during update.
689080 : Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value
Component: Local Traffic Manager
Symptoms:
When a software encoding algorithm is being used by tmm to generate syn cookies in a SYN/ACK packet, there is a chance that HSB might mistakenly identify the ACK response to the SYN/ACK as valid syncookie response and stamp a SYNCOOKIE_VALID flag on the packet. In that case, software processes try to extract the MSS (maximum segment size) value encoded in the syncookie, which would be a wrong value. This may cause connection to fail in subsequent transactions, or cause performance degradation.
Conditions:
When software syncookie protection mode is activated and a software encoding algorithm is being used.
Impact:
Connections either fail, or the smaller, incorrect MSS value causes performance degradation.
Workaround:
None.
Fix:
If a software syncookie encoding algorithm is being used, tmm now ignores the SYNCOOKIE_VALID flag stamped by HSB, so the correct MSS value is calculated.
689002-1 : Stack overflow when JSON is deeply nested
Component: TMOS
Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.
Conditions:
Deeply nested JSON returned from iControl-REST.
Impact:
icrd_child process coredumps.
Workaround:
None.
Fix:
The fix changes the destruction mechanism into an iterative solution, to completely avoid the stack overflow.
688942-3 : ICAP: Chunk parser performs poorly with very large chunk
Component: Service Provider
Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.
Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).
Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.
Workaround:
If possible, configure the ICAP server to chunk the response payload in multiple normal-sized chunks (up to a few tens of KB).
Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.
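Added example (not F5 code): ICAP bodies use HTTP chunked transfer encoding, and the fix above describes streaming chunk content as it arrives instead of holding a whole chunk. The Python parser below does that for a constructed body and retains only partial framing lines between packets; the class name, the 256-byte line cap and the sample data are assumptions.

```python
HEX_DIGITS = b"0123456789abcdefABCDEF"


class StreamingChunkParser:
    """Incremental chunked-body parser that forwards chunk data as it arrives."""

    MAX_LINE = 256  # assumed cap on a chunk-size or trailer line

    def __init__(self):
        self._line = bytearray()  # only partial framing lines are ever held
        self._remaining = 0       # bytes of the current chunk still to forward
        self._state = "size"      # size -> data -> data_end -> size ... trailer
        self.peak_buffered = 0    # most bytes retained between two packets
        self.done = False

    def feed(self, packet):
        """Consume one packet; return the body bytes that can be forwarded now."""
        out = []
        pos = 0
        while pos < len(packet) and not self.done:
            if self._state == "data":
                # Pass chunk data straight through; the counter replaces any rescan.
                take = min(self._remaining, len(packet) - pos)
                out.append(packet[pos:pos + take])
                pos += take
                self._remaining -= take
                if self._remaining == 0:
                    self._state = "data_end"
                continue
            nl = packet.find(b"\n", pos)
            end = len(packet) if nl < 0 else nl + 1
            if len(self._line) + end - pos > self.MAX_LINE:
                raise ValueError("chunk framing line too long")
            self._line += packet[pos:end]
            pos = end
            if nl >= 0:
                if not self._line.endswith(b"\r\n"):
                    raise ValueError("framing line must end with CRLF")
                line = bytes(self._line[:-2])
                self._line.clear()
                self._on_line(line)
        self.peak_buffered = max(self.peak_buffered, len(self._line))
        return b"".join(out)

    def _on_line(self, line):
        if self._state == "size":
            token = line.split(b";", 1)[0].strip()  # drop any chunk extension
            if not token or any(c not in HEX_DIGITS for c in token):
                raise ValueError("invalid chunk size")
            self._remaining = int(token, 16)
            self._state = "data" if self._remaining else "trailer"
        elif self._state == "data_end":
            if line:
                raise ValueError("missing CRLF after chunk data")
            self._state = "size"
        elif self._state == "trailer" and not line:
            self.done = True  # a blank line ends the body; trailer fields are skipped


def sample_packets(payload, mtu=1460):
    """Constructed sample: one small chunk, then `payload` as a single large chunk."""
    wire = b"5\r\nhello\r\n" + b"%x\r\n" % len(payload) + payload + b"\r\n0\r\n\r\n"
    return [wire[i:i + mtu] for i in range(0, len(wire), mtu)]


def forward(packets):
    """Run packets through the parser; return (body, peak bytes retained, finished)."""
    parser = StreamingChunkParser()
    body = b"".join(parser.feed(p) for p in packets)
    return body, parser.peak_buffered, parser.done


if __name__ == "__main__":
    payload = bytes(range(256)) * 4096  # constructed 1 MiB chunk
    body, peak, finished = forward(sample_packets(payload))
    print(len(body), peak, finished)
```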
688625-2 : PHP Vulnerability CVE-2017-11628
Solution Article: K75543432
688553-1 : SASP GWM monitor may not mark member UP as expected
Component: Local Traffic Manager
Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.
Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).
This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).
This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).
Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.
Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.
688516-2 : vCMPd may crash when processing bridged network traffic
Solution Article: K03165684
688148-1 : IKEv1 racoon daemon SEGV during phase-two SA list iteration
Component: TMOS
Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.
Conditions:
Deleting phase-two SAs, either manually or in response to notifications.
Impact:
IKEv1 tunnel outage until the racoon daemon restarts.
Workaround:
None.
Fix:
Fixed list iteration to use the correct list linkage, so iterating one phase-one SA's list does not instead visit the global list of phase-two SAs.
688011-5 : Dig utility does not apply best practices
Solution Article: K02043709
688009-5 : Appliance Mode TMSH hardening
Solution Article: K46121888
687905 : OneConnect profile causes CMP redirected connections on the HA standby
Solution Article: K72040312
Component: TMOS
Symptoms:
When a virtual server uses a OneConnect profile in an HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and a memory leak on high availability (HA) standby systems, including high memory usage on standby units.
Conditions:
-- Virtual server uses OneConnect profile in HA configuration.
-- Mirroring is enabled.
-- BIG-IP platform supports CMP.
Impact:
Redirected connections and memory leak on a standby device.
Workaround:
Remove OneConnect profile from the virtual server.
687759-2 : bd crash
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
687658-2 : Monitor operations in transaction will cause it to stay unchecked
Component: TMOS
Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.
Conditions:
This only happens within transactions.
Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.
Impact:
Monitor state never returns to its correct value.
Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.
687603-1 : tmsh query for dns records may cause tmm to crash
Solution Article: K36243347
Component: Local Traffic Manager
Symptoms:
tmm experiences segmentation fault.
Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.
Impact:
Core file / system outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer experiences a segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query when the dns cache contains malformed records.
687534-3 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
Component: TMOS
Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool
Conditions:
This issue occurs when a pool name contains the string '..'.
Impact:
Cannot add a Member to the pool using the GUI.
Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
tmsh modify ltm pool <pool name> members add { <member info> }
Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.
687353-3 : Qkview truncates tmstat snapshot files
Solution Article: K35595105
Component: TMOS
Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.
Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).
Note: 5 MiB is qkview utility's default maximum file size value.
Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.
Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0
687205-3 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
Component: Local Traffic Manager
Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.
Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.
Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.
Workaround:
None.
687193-1 : TMM may leak memory when processing SSL Forward Proxy traffic
Solution Article: K45325728
687128-3 : gtm::host iRule validation for ipv4 and ipv6 addresses
Component: Global Traffic Manager (DNS)
Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.
Conditions:
An AAAA-type wideip with an IPv4 gtm::host iRule, or an A-type wideip with an IPv6 gtm::host iRule.
Impact:
Incorrect host information was being returned.
Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.
Fix:
Fixed an issue allowing incorrect gtm::host iRule commands to trigger on incorrect wideip types.
687098 : IPv6 RADIUS servers not supported for remote authentication
Component: TMOS
Symptoms:
Authenticating against an IPv6 RADIUS server is not supported, only an IPv4 server.
Conditions:
This applies to remote authentication to log on to the BIG-IP system for management purposes.
Impact:
Logon operation will time out, as if the server did not respond.
Workaround:
Use an IPv4 server. If you have an IPv6 management IP, then you will need to have the IPv4 server reachable over a dataplane VLAN.
Fix:
Support for IPv6 RADIUS servers has been added.
686972-1 : The change of APM log settings will reset the SSL session cache.
Component: Local Traffic Manager
Symptoms:
If you change the configuration of APM log settings, it might cause the SSL session cache to be reset. Also, subsequent resumption of SSL sessions may fail after such a change, causing a situation where full SSL handshakes may occur more frequently.
Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.
Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.
Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.
Fix:
The change of APM log settings now limits its effect to the APM module instead of affecting another (SSL) module's data.
686926-3 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly
Component: TMOS
Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.
Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.
Impact:
The SA negotiation fails when a responder includes N(cookie) in an SA_INIT response, because a second response appears to have an out-of-order message ID when the BIG-IP system believes the first message_id of zero was already handled earlier.
Workaround:
None.
Fix:
The BIG-IP system now correctly tracks a need to receive a SECOND response with message_id zero, to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.
686765-1 : Database cleaning failure may allow MySQL space to fill the disk entirely
Component: Application Security Manager
Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.
In /var/log/ts/asm_config_server.log you might see these errors repeatedly:
Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full
Conditions:
This occurs if database cleaning failures occur.
Impact:
Disk will fill up, and you will be unable to modify ASM policies.
686685-1 : LTM Policy internal compilation error
Component: Local Traffic Manager
Symptoms:
To enable maximum performance, LTM Policies undergo a compilation process, where they are transformed to a compact binary representation. An issue was discovered where the transformation is being done incorrectly under certain circumstances.
Conditions:
While not common, certain LTM Policy combinations will be transformed to binary representation where certain internal parameters are incorrect.
Impact:
The tmm process may experience an unexpected restart, or a policy action may not run as expected.
Workaround:
None.
Fix:
LTM Policies are correctly transformed to their high-performance, compact binary representations.
686631-1 : Deselect a compression provider at the end of a job and reselect a provider for a new job
Component: Local Traffic Manager
Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.
Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.
Impact:
It affects the compression provider selection.
Workaround:
None.
Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.
686395 : With DTLS version1, when client hello uses version1.2, handshake shall proceed
Component: Local Traffic Manager
Symptoms:
With DTLS version1, when client hello uses version1.2, handshake fails with an error of "unsupported version".
Conditions:
DTLS version1 handshake:
Handshake version 1.0 (0xfeff)
Client hello version 1.2 (0xfefd)
Impact:
DTLS functionalities.
Workaround:
N/A
Fix:
In this case, we shall still proceed to perform handshake instead of bailing out with "unsupported version" error.
686389-3 : APM does not honor per-farm HTML5 client disabling at the View Connection Server
Component: Access Policy Manager
Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.
With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag, so it does not limit the HTML5 client option to resources for which it has been enabled.
Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.
Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.
Workaround:
There is no workaround at this time.
Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.
Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.
686307-1 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
Solution Article: K10665315
Component: Local Traffic Manager
Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.
Note: Without LTM policies in the configuration, monitors upgrade without problem.
Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.
Impact:
Monitors may not work after upgrade.
Workaround:
No workaround at this time.
Fix:
This release addresses the underlying problem so the issue no longer occurs.
686305-2 : TMM may crash while processing SSL forward proxy traffic
Solution Article: K64552448
686282-1 : APMD intermittently crash when processing access policies
Component: Access Policy Manager
Symptoms:
APMD process may crash intermittently (rare) when processing access policies.
Conditions:
This rarely encountered issue occurs when any one of the following conditions exists:
-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.
Impact:
APM end users cannot pass access policy, cannot log in.
Workaround:
None.
Fix:
APMD no longer intermittently crashes when processing access policies.
686228-3 : TMM may crash in some circumstances with VLAN failsafe
Solution Article: K23243525
Component: Local Traffic Manager
Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms.
Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses to the generated traffic are received in fast succession.
Impact:
A TMM core file may be produced. Traffic disrupted while tmm restarts.
Workaround:
Relax the timer to the default VLAN failsafe timer setting.
Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.
686124-3 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
Solution Article: K83576240
Component: TMOS
Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.
Conditions:
Events causing deletion of phase one IKE SAs.
Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.
Workaround:
None.
Fix:
Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.
686065-1 : RESOLV::lookup iRule command can trigger crash with slow resolver
Component: Local Traffic Manager
Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.
Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousands of connections triggering resolution of the same name.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove RESOLV::lookup from the workflow if it is not required.
Fix:
The scenario now works as expected and no longer results in a crash.
686029-1 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
Component: TMOS
Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.
Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.
Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.
Workaround:
None.
Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.
685955 : TMM hud_message_ctx leak
Component: Local Traffic Manager
Symptoms:
There is a TMM memory issue caused by leaked hud_message_ctx objects, each holding a websockets_frame.
Conditions:
Running WebSocket traffic that needs to be processed by a plugin like ASM.
Impact:
Increasing TMM memory usage leading to eventual service outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The memory leak in TMM has been fixed.
685743-3 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported
Component: Application Security Manager
Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.
Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.
Impact:
Requests might be blocked, and no reason is reported.
Workaround:
Reset internal 'request_buffer_size' to default.
Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.
685741 : DoS Overview is very slow to load data, to the point of timeout
Component: Application Visibility and Reporting
Symptoms:
When the logs contain more than 1 million records, loading of attacks data is extremely slow and requires many SQL queries.
Conditions:
N/A
Impact:
DoS Overview page is unusable.
Workaround:
N/A
Fix:
The fix revolved around combining all the required data into a couple of queries instead of sending distinct queries for every attack.
685708-3 : Routing via iRule to a host without providing a transport from a transport-config created connection cores
Component: Service Provider
Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.
Conditions:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.
Fix:
The system will no longer core.
685693 : APM AppTunnels memory leak
Component: Wan Optimization Manager
Symptoms:
Using APM AppTunnels causes a slow memory leak.
Conditions:
Use of APM AppTunnels.
Impact:
The slow memory leak exhausts tmm memory over time. Traffic disrupted when tmm restarts.
Workaround:
None.
Fix:
The memory leak has been corrected.
685615-5 : Incorrect source mac for TCP Reset with vlangroup for host traffic
Solution Article: K24447043
Component: Local Traffic Manager
Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.
Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.
Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.
Workaround:
Use transparent mode on the VLAN group.
Fix:
source-mac-address for host traffic is correctly set.
685475-3 : Unexpected error when applying hotfix
Solution Article: K93145012
Component: TMOS
Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIG-IP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.
Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.
For example, to apply 'Hotfix-BIG-IP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image, 'BIG-IP-11.6.1.0.0.317.iso'.
Here is another example: on multi-bladed VIPRION systems, where it is resolved by running 12.1.3.6.
1) Install and boot into 12.0.0 on the VIPRION system:
-- install /sys software image 12.0.0.iso create-volume volume HD1.test
-- reboot volume HD1.test
2) Install and boot into 12.1.2.0.402.249:
-- install /sys software hotfix Hotfix-BIG-IP-12.1.2.0.402.249-ENG.iso create-volume volume HD1.test2
-- reboot volume HD1.test2
3) Delete 12.0.0.iso and volume HD1.test:
-- delete sys software image 12.0.0.iso
-- delete sys software volume HD1.test
4) Copy over Hotfix-BIG-IP-13.1.0.7.0.17.1-ENG.iso without the 13.1.0.7 base image.
5) Check the /var/log/ltm logs for the following message:
-- lind[6288]: 013c0006:5: Image (BIG-IP-12.0.0.0.0.606.iso) has a software image entry in MCP database but does not exist on the filesystem.
Impact:
Cannot apply hotfix until the full base image is present.
Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation operation again.
Fix:
Issuing an 'install hotfix' command when the base image is not available sends the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.
685467-2 : Certain header manipulations in HTTP profile may result in losing connection.
Solution Article: K12933087
Component: Local Traffic Manager
Symptoms:
The HTTP profile has an option, 'Insert X-Forwarded-For', which adds a header when a request is forwarded to a pool member. When a virtual server has an iRule with a collect command such as SSL::collect, it is affected by this HTTP profile processing. The same issue affects the 'Request Header Erase' option available in the HTTP profile.
Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).
Impact:
TCP connection is reset, and no response is provided to a client.
Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.
Fix:
Connections are no longer reset due to the configuration options 'Insert X-Forwarded-For' and 'Request Header Erase' in the HTTP profile.
685344-2 : Monitor 'min 1 of' not working as expected with FQDN nodes/members
Component: Local Traffic Manager
Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.
Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.
Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.
Workaround:
To configure a pool with 'min 1 of {...}', specify static pool members; do not use FQDN to configure pool members.
Fix:
A pool with FQDN configured nodes/members and specified with a monitor of 'min 1 of {...}' remains available as long as a single pool member remains up.
This issue is resolved by the FQDNv2 feature re-implementation.
685254-1 : RAM Cache Exceeding Watchdog Timeout in Header Field Search
Solution Article: K14013100
Component: Local Traffic Manager
Symptoms:
SOD halts TMM while RAM cache is processing a header.
Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.
Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.
Workaround:
No workaround at this time.
Fix:
SOD no longer halts TMM while RAM cache is processing a header.
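One way to keep such a header search bounded, as an added example (not F5's code): the field is handled as a pointer plus length, and the scan never reads past that length, where a NUL-terminated search such as strstr() keeps going into whatever follows the field. The function name and the sample buffer are hypothetical, and the example generalizes slightly by parsing an If-None-Match style list (comma separators, W/ prefix, and "*").

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if `etag` (the opaque tag, without quotes) is listed in an
 * If-None-Match style field value, else 0.
 *
 * `field` is NOT assumed to be NUL-terminated: every read is limited by
 * `len`, so a missing tag or a missing closing quote ends the search at
 * the end of the field instead of at the next NUL byte in memory.
 */
int field_has_etag(const char *field, size_t len,
                   const char *etag, size_t etag_len)
{
    size_t i = 0;

    while (i < len) {
        const char *open, *close;
        size_t tag_len;

        /* Skip list separators and optional whitespace. */
        while (i < len &&
               (field[i] == ',' || field[i] == ' ' || field[i] == '\t'))
            i++;
        if (i == len)
            break;
        if (field[i] == '*')
            return 1;                 /* "*" matches any entity-tag */
        if (len - i >= 2 && field[i] == 'W' && field[i + 1] == '/')
            i += 2;                   /* weak validator prefix */
        if (i == len || field[i] != '"')
            return 0;                 /* malformed list: treat as no match */

        open = field + i + 1;
        close = memchr(open, '"', len - (i + 1));   /* bounded by the field */
        if (close == NULL)
            return 0;                 /* unterminated tag: stop, do not scan on */

        tag_len = (size_t)(close - open);
        if (tag_len == etag_len && memcmp(open, etag, etag_len) == 0)
            return 1;
        i = (size_t)(close - field) + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the field value is the first 12 bytes; the
     * bytes after it belong to a different header in the same buffer. */
    const char raw[] = "\"v1\", W/\"v2\"\r\nX-Note: \"v9\"\r\n";
    size_t field_len = 12;

    printf("v2 in field: %d\n", field_has_etag(raw, field_len, "v2", 2));
    printf("v9 in field: %d\n", field_has_etag(raw, field_len, "v9", 2));
    /* An unbounded search finds "v9" outside the field. */
    printf("strstr finds v9 past the field: %d\n",
           strstr(raw, "\"v9\"") != NULL);
    return 0;
}
```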
685230-1 : memory leak on a specific server scenario
Component: Application Security Manager
Symptoms:
The bd process memory increases.
Conditions:
A specific server scenario of handling the traffic.
Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.
Workaround:
There is no workaround at this time.
Fix:
A memory leak related to a specific server scenario was fixed.
685207-2 : DoS client side challenge does not encode the Referer header.
Component: Application Security Manager
Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.
Conditions:
1. Log in to the client IP address and send the ab request.
2. Once the DoS attack starts, send the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.
Impact:
The XSS reflection occurs after triggering the DoS attack.
Workaround:
None.
Fix:
DoS client side challenge now encodes the Referer header.
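The kind of output encoding this fix refers to, as an added example (not F5's code): a request header value is escaped before it is placed inside a JavaScript string literal in a generated page. The assumption that the Referer is reflected into a JavaScript string, and the function name js_string_encode, are hypothetical; the sample input is the query value quoted in the conditions above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Encode `in` for use inside a quoted JavaScript string literal.
 * Only ASCII letters and digits pass through; every other byte becomes
 * \xHH, so quotes, backslashes, '<', '/', '-' and line breaks cannot
 * end the string or the surrounding <script> element.
 * (Bytes >= 0x80 are escaped byte by byte, which keeps the output safe
 * but does not preserve multi-byte UTF-8 characters.)
 *
 * Returns the number of bytes written, excluding the terminating NUL,
 * or -1 if `out` is too small. On failure `out` is left as an empty
 * string so a truncated value is never emitted.
 */
long js_string_encode(const char *in, size_t in_len, char *out, size_t out_cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    if (out_cap == 0)
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        int safe = (c >= '0' && c <= '9') ||
                   (c >= 'A' && c <= 'Z') ||
                   (c >= 'a' && c <= 'z');
        size_t need = safe ? 1 : 4;

        if (o + need + 1 > out_cap) {     /* keep room for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (safe) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Sample value taken from the conditions of this issue. */
    const char *referer_part = "drpdrp'-alert(1)-'drpdrp";
    char encoded[128];

    if (js_string_encode(referer_part, strlen(referer_part),
                         encoded, sizeof encoded) < 0) {
        fputs("output buffer too small\n", stderr);
        return 1;
    }
    /* The quote characters can no longer close the string literal. */
    printf("var ref = '%s';\n", encoded);
    return 0;
}
```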
685110-3 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
Solution Article: K05430133
Component: Local Traffic Manager
Symptoms:
1. FQDN nodes/pools fail to populate with members.
2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:
err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.
Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.
Impact:
Unable to use FQDN nodes/pool members with non-LTM license.
Workaround:
None.
Fix:
With a non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.
685020-1 : Enhancement to SessionDB provides timeout
Component: TMOS
Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.
Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.
Impact:
Calls made to SessionDB never return from the remote TMM.
Workaround:
None.
Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
684937-6 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
Solution Article: K26451305
Component: Access Policy Manager
Symptoms:
APM performance in handling HTTP requests drops gradually when Kerberos SSO is used over a period of time.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets; the latency of HTTP request processing has been significantly improved.
684879-2 : Malformed TLS1.2 records may result in TMM segmentation fault.
Solution Article: K02714910
684414-1 : Retrieving too many groups is causing out of memory errors in TMUI and VPE
Component: Access Policy Manager
Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502 and VPE fails with HTTP 500.
Conditions:
LDAP/AD server with over 20,000 groups.
Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.
Workaround:
The only solution is to remove the /shared/tmp/gmcache folder and use manual group mapping.
Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.
684391-1 : Existing IPsec tunnels reload. tmipsecd creates a core file.
Component: TMOS
Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.
Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.
Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.
Workaround:
None.
Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.
684333-3 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.
Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.
Impact:
PEM session created using Gx may get deleted.
Workaround:
Initiate failover using alternate commands, such as the following:
tmm big start restart.
684325-3 : APMD Memory leak when applying a specific access profile
Component: Access Policy Manager
Symptoms:
When an access profile that has a CheckMachineCert agent is updated using 'Apply access policy', APMD leaks 12096 bytes of memory each time.
Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.
Impact:
APMD process stops after repeated application of the script.
Workaround:
None.
Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.
684312-2 : During Apply Policy action, bd agent crashes, causing the machine to go Offline
Solution Article: K54140729
Component: Application Security Manager
Symptoms:
During an Apply Policy action, bd agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------
This causes the bd and bd_agent processes to restart, and causes the machine to go Offline.
Conditions:
-- ASM provisioned.
-- Applying policy.
-- An attempt was made to load corrupted data during an Apply Policy action.
Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.
Workaround:
None.
Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.
684033-1 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
Solution Article: K70084351
683697-3 : SASP monitor may use the same UID for multiple HA device group members
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.
The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.
Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.
It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).
Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.
Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030)) allows recovery from this condition.
It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.
Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.
683683-1 : ASN1::encode returns wrong binary data
Component: Local Traffic Manager
Symptoms:
ASN1::encode returns incorrect data for certain integer values. For example, for integer 49280, ASN1::encode returns 02030000.
Conditions:
The problem happens in an implicit UTF encoding/decoding, and it is not obvious what data triggers the error.
This is because the command implicitly converts the Tcl object type from byte array to string and later back to byte array, and the UTF decoding algorithm changes certain bytes along the way.
Impact:
The returned binary is wrong.
Workaround:
Use binary scan for the value that is incorrectly encoded by the command.
Fix:
ASN1::encode ENCODE mode now avoids the implicit type conversion from byte array to string and back to byte array, which changed the original byte array during UTF-8 decoding.
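Added illustration (not F5 code) of the failure described in 683683-1: the DER encoding of 49280 is 02 03 00 C0 80, and decoding those bytes as a Tcl-style UTF-8 string before turning them back into a byte array collapses C0 80 into a single 00. The decoder below is an assumed, simplified model of that conversion, and all function names are hypothetical.

```python
"""Model of a byte array -> Tcl string -> byte array round trip on DER INTEGERs.

Assumption: raw bytes are read as Tcl's internal (modified) UTF-8, where
C0 80 stands for U+0000, and each resulting character is then truncated to its
low 8 bits. This is a simplified model, not the BIG-IP implementation.
"""


def der_encode_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (tag 0x02)."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the value positive in two's complement
    n = len(body)
    if n < 0x80:
        length = bytes([n])  # short-form length
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes  # long form
    return b"\x02" + length + body


def _is_cont(b: int) -> bool:
    """True for a UTF-8 continuation byte (10xxxxxx)."""
    return (b & 0xC0) == 0x80


def tcl_utf_roundtrip(raw: bytes) -> bytes:
    """Decode raw bytes as (modified) UTF-8, then keep the low byte of each char."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b0 = raw[i]
        if 0xC0 <= b0 < 0xE0 and i + 1 < len(raw) and _is_cont(raw[i + 1]):
            ch = ((b0 & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            i += 2
        elif (0xE0 <= b0 < 0xF0 and i + 2 < len(raw)
              and _is_cont(raw[i + 1]) and _is_cont(raw[i + 2])):
            ch = ((b0 & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            i += 3
        else:
            ch = b0  # anything else is taken as a single character
            i += 1
        out.append(ch & 0xFF)  # string -> byte array keeps only the low 8 bits
    return bytes(out)


def affected_integers(limit: int) -> list:
    """Integers below `limit` whose DER encoding does not survive the round trip."""
    return [v for v in range(limit)
            if tcl_utf_roundtrip(der_encode_integer(v)) != der_encode_integer(v)]


if __name__ == "__main__":
    for v in (127, 255, 49280, 50089):
        der = der_encode_integer(v)
        print(v, der.hex(), "->", tcl_utf_roundtrip(der).hex())
    bad = affected_integers(65536)
    print("first affected:", bad[0], "count below 65536:", len(bad))
```

Under this model the corrupted output is also shorter than the DER length byte claims, so a strict DER parser on the receiving side rejects it rather than reading a wrong value.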
683631-1 : TMM crashes during stress test
Component: Local Traffic Manager
Symptoms:
During stress/load testing, with a large number of connections which triggers flow sweeping, TMM restarts.
Conditions:
A large number of connections are seen, which triggers an expansion of the connflow hash table at the same time the connflow sweeper is active.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Connflow removal from the internal hash table is deferred until the entire bucket is processed.
683508-3 : WebSockets: umu memory leak of binary frames when remote logger is configured
Solution Article: K00152663
Component: Application Security Manager
Symptoms:
ASM out of memory error messages in /var/log/asm.
Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.
Impact:
ASM out of memory, memory leak.
Workaround:
Remove ASM remote logging profile from a virtual server.
Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.
683389-1 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
Component: Access Policy Manager
Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.
Conditions:
Attempt to create local SharedObject.
Impact:
Affected Flash applications are not working when accessed through Portal Access.
Workaround:
None.
Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.
683241-3 : Improve CSRF token handling
Solution Article: K70517410
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
Workaround:
None.
Fix:
CSRF token handling now follows current best practices.
683114-1 : Need support for 4th element version in Update Check
Component: TMOS
Symptoms:
Previously, there was no 4th element version Update Check functionality.
Conditions:
Using Update Check.
Impact:
No 4th element version support provided.
Workaround:
None.
Fix:
There is now 4th element version support in Update Check.
683113-6 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
Solution Article: K22904904
Component: Access Policy Manager
Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.
Websso CPU usage is very high.
The BIG-IP system response rate can drop to the point that the clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.
Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.
682837 : Compression watchdog period too brief.
Component: TMOS
Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.
Conditions:
Very high sustained system-wide compression request traffic.
Impact:
Accelerated compression throughput can drop significantly; some flows dropped.
Workaround:
Switch to software compression.
Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.
682682-3 : tmm asserts on a virtual server-to-virtual server connection
Component: Local Traffic Manager
Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.
Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.
Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.
Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.
682612 : Event Correlation is disabled on vCMP even though all the prerequisites are met.
Component: Application Security Manager
Symptoms:
In the GUI screen Security ›› Event Logs : Application : Event Correlation, the system shows "Event Correlation is not supported on this platform.".
Conditions:
Multi bladed vCMP guest, running on a BIG-IP with SSD drives, having only one available Slot (other Slots appear offline/unavailable).
Impact:
A multi bladed vCMP guest, running on a BIG-IP with SSD drives and having only one available Slot, has Event Correlation disabled.
Workaround:
The following workaround does not survive ASM restart.
Thus, it has to be executed after every restart of ASM:
------------------------
# perl -MF5::ASMReady -MF5::Cfg -e 'while (! F5::ASMReady::is_asm_ready()) { print "Waiting for ASM to be ready.\n"; sleep 5; }; print "ASM is ready, patching Event Correlation cfg file\n"; F5::Cfg::cfg_set_config_item(qw{/etc/ts/correlation/correlation.cfg}, qw{General}, qw{Idle}, 0)'
# pkill -f correlation
------------------------
Event Correlation should start within ~15 seconds after the execution of this workaround:
------------------------
# ps -elf | grep correlation
0 S root ... /usr/share/ts/bin/correlation
------------------------
682500-1 : VDI Profile and Storefront Portal Access resource do not work together
Component: Access Policy Manager
Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.
Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.
Impact:
Citrix Storefront portal access resource cannot be used to launch applications.
Workaround:
None.
Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.
682335-3 : TMM can establish multiple connections to the same gtmd
Component: Global Traffic Manager (DNS)
Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.
Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If there is an existing connflow, TMM no longer starts another connection.
682213-3 : TLS v1.2 support in IP reputation daemon
Solution Article: K31623549
Component: TMOS
Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.
Conditions:
This occurs when using IP reputation.
Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.
Workaround:
None.
Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatibility, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.
In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.
682105 : Adding widget in Analytics Overview can cause measures list to empty out on Page change
Component: Application Visibility and Reporting
Symptoms:
When adding a new widget on Analytics Overview page with multiple modules (e.g., vCMP, Security), it is possible to reach a state in which the list of available measures is empty.
Conditions:
-- All 'available measurements' is selected (moved left).
-- A page should be changed.
Impact:
In some cases (like in vCMP when changing from Network to SynCookies), the list of available measurements will remain empty. Unable to select measures to display in new widget.
Workaround:
To reset the list of measures so that all measures are visible again, switch to another page and return to the previous one right away.
682104-1 : HTTP PSM leaks memory when looking up evasion descriptions
Component: Local Traffic Manager
Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.
Conditions:
When PSM looks up evasion descriptions.
Impact:
The memory leaked on each lookup might eventually cause TMM to run out of memory.
Workaround:
None.
Fix:
This fix will stop the memory leakage.
681850-1 : APMD process may fail to initialize on start either after upgrade or after adding certain configurations
Component: Access Policy Manager
Symptoms:
APMD process may fail at initialization time with errors similar to the following:
-- createAgent - initInstance() failed for agent xxx_saml_auth_ag type (46)
-- Exiting due to failure in loading access policy objects
Conditions:
-- BIG-IP system is configured as SAML SP.
-- Certificate used by configured SAML Agent was imported onto BIG-IP system in DER format.
Impact:
APMD service may become unresponsive, dropping all traffic protected by APM access policies.
Workaround:
Convert DER encoded certificate used by SAML SP agent into PEM format.
Fix:
DER certificates no longer cause APMD process errors at initialization time.
681757-1 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
Solution Article: K32521651
Component: Local Traffic Manager
Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.
The system records an error message similar to the following in the ltm log file:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.
Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.
Impact:
Configuration fails to load on upgrade.
Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.
Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.
681710-4 : Malformed HTTP/2 requests may cause TMM to crash
Solution Article: K10930474
681415-1 : Copying of profile with advanced customization or images might fail
Component: Access Policy Manager
Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code'.
Conditions:
Access Profile has an advanced customization group or customization image assigned to any object connected to the profile.
Impact:
Unable to copy policy.
Workaround:
None.
Fix:
Copying of profile with advanced customization or images now succeeds as expected.
681175-1 : TMM may crash during routing updates
Solution Article: K32153360
Component: Local Traffic Manager
Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.
Conditions:
-- Dynamic routing.
-- ECMP routes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.
Fix:
TMM no longer crashes on routing updates when ECMP is in use.
681109-2 : BD crash in a specific scenario
Solution Article: K46212485
Component: Application Security Manager
Symptoms:
BD crash occurs.
Conditions:
A specific, non-default configuration with specific traffic.
The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.
For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
Content-Type :: *xml* :: form-data
This configuration is likely to result in a very long list of false-positive attack signatures. Because of the big message generated, the regex violation, which is also likely to happen on the payload, cannot be added to the filled message, which causes the crash.
Impact:
Failover, traffic disturbance.
Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.
A correctly configured header-based-content-profile property on URLs appears as follows:
In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows:
Content-Type :: *form* :: Form Data
Content-Type :: *json* :: JSON
Content-Type :: *xml* :: XML
Fix:
Added a check to prevent a crash in a specific scenario.
680856-3 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
Component: TMOS
Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):
info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy
Conditions:
A new IPsec tunnel is configured over REST.
Impact:
The newly configured IPsec tunnel does not start.
Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.
Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.
680850-1 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
Solution Article: K48342409
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.
Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug
Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.
Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.
Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.
Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.
Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.
This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.
With this fix, setting log.zxfrd.level debug no longer outputs this information.
Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.
Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.
680838-3 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
Component: TMOS
Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.
A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.
Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM will no longer restart due to assertion failure.
680755-1 : max-request enforcement no longer works outside of OneConnect
Solution Article: K27015502
Component: Local Traffic Manager
Symptoms:
max-request enforcement does not work when OneConnect is not configured.
Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.
Impact:
max-request enforcement does not work.
Workaround:
Always use OneConnect.
Fix:
max-request enforcement now works when OneConnect is not configured.
680729-3 : DHCP Trace log incorrectly marked as an Error log.
Solution Article: K64307999
Component: Policy Enforcement Manager
Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.
Impact:
Possible clutter in the TMM logs.
Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical
Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
680388-2 : f5optics should not show function name in non-debug log messages
Component: TMOS
Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.
Conditions:
-- BIG-IP is running.
-- Logging threshold is set to a value other than debug.
Impact:
Log files contain unexpected data.
Workaround:
There is no workaround at this time.
Fix:
With the fix, f5optics no longer displays function names in non-debug log messages.
680264 : HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
Solution Article: K18653445
Component: Local Traffic Manager
Symptoms:
Intermittently, HTTP2 experiences protocol resets.
Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.
For example, the following returns the incorrect header length:
(0xFF BYTE1) next byte, http2_arbint_read.
Impact:
Unexpected loss of HTTP2 frames due to protocol resets.
Workaround:
No effective workaround.
Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.
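Added illustration (not F5 code) for 680264-style failures: HPACK integers (RFC 7541, section 5.1) are variable-length, so a length such as 300 encoded as FF AD 01 can straddle a 2-byte fragment boundary. The block contrasts a decoder that treats end-of-buffer as end-of-integer with a resumable one; all names and the sample bytes are constructed for this example, and nothing here reflects the internals of http2_arbint_read.

```python
"""HPACK integer decoding across fragment boundaries (RFC 7541, section 5.1)."""


def encode_hpack_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """Encode `value` with an N-bit prefix; `flags` fills the bits above the prefix."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out = bytearray([flags | mask])
    value -= mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)  # 7 payload bits, continuation bit set
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_stateless(fragment: bytes, prefix_bits: int) -> int:
    """Defective on purpose: running out of bytes is treated as end of integer."""
    mask = (1 << prefix_bits) - 1
    value = fragment[0] & mask
    if value < mask:
        return value
    shift = 0
    for b in fragment[1:]:
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
    return value


class HpackIntDecoder:
    """Resumable decoder: keeps its state between fragments."""

    def __init__(self, prefix_bits: int):
        if not 1 <= prefix_bits <= 8:
            raise ValueError("prefix must be 1..8 bits")
        self.mask = (1 << prefix_bits) - 1
        self.value = None  # None until the prefix byte has been seen
        self.shift = 0
        self.done = False

    def feed(self, data: bytes) -> int:
        """Consume bytes until the integer is complete; return bytes consumed."""
        used = 0
        for b in data:
            if self.done:
                break
            used += 1
            if self.value is None:
                self.value = b & self.mask
                self.done = self.value < self.mask
            else:
                if self.shift > 28:  # bound the size of the decoded integer
                    raise ValueError("HPACK integer too large")
                self.value += (b & 0x7F) << self.shift
                self.shift += 7
                self.done = not (b & 0x80)
        return used


def decode_fragments(fragments, prefix_bits: int) -> int:
    """Decode one integer delivered as any sequence of fragments."""
    dec = HpackIntDecoder(prefix_bits)
    for frag in fragments:
        dec.feed(frag)
        if dec.done:
            return dec.value
    raise ValueError("integer incomplete: more fragments needed")


if __name__ == "__main__":
    # Constructed sample: Huffman flag (0x80) plus a 7-bit length prefix, length 300.
    wire = encode_hpack_int(300, 7, flags=0x80)
    first, rest = wire[:2], wire[2:]  # 2-byte first fragment
    print("wire bytes:", wire.hex())
    print("stateless, first fragment only:", decode_stateless(first, 7))
    print("resumable, both fragments:", decode_fragments([first, rest], 7))
```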
680112-1 : SWG-Explicit rejects large POST bodies during policy evaluation
Solution Article: K18131781
Component: Access Policy Manager
Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 64 KB limit on POST bodies while the policy is being evaluated.
==> /var/log/apm <==
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048
Conditions:
This applies only during the policy evaluation. After the policy has been set to 'Allow', there is no limit.
Impact:
Unable to start an SWG-Explicit policy with a large POST body.
Workaround:
None.
Fix:
Modify the db variable 'tmm.access.maxrequestbodysize' with a value larger than the maximum post body size you would like to support. The maximum supported value is 25000000 (25 MB).
680069-3 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config★
Solution Article: K81834254
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd cores and restarts.
Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.
Impact:
zxfrd cores.
Workaround:
None.
Fix:
zxfrd no longer cores during transfer while network failure and DNS server removed from DNS zone config.
679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
Component: TMOS
Symptoms:
Unable to ping the self IP of VCMP guests configured on i5000, i7000, or i10000.
Conditions:
Running TMOS v12.1.3 and VCMP guests configured on i5000, i7000 or i10000.
Impact:
Unable to process client traffic.
Workaround:
No workaround at this time.
Fix:
This issue is fixed.
679603-2 : bd core upon request, when profile has sensitive element configured.
Solution Article: K15460886
Component: Application Security Manager
Symptoms:
bd crash, system goes offline.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.
Impact:
System goes offline/fails over.
Workaround:
Remove sensitive elements from the json profile in the ASM policy.
Fix:
ASM now handles this condition so the crash no longer occurs.
679496-1 : Add 'comp_req' to the output of 'tmctl compress'
Component: Local Traffic Manager
Symptoms:
The output of 'tmctl compress' displays the total numbers of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.
Conditions:
Viewing the output of the 'tmctl compress' command.
Impact:
Cannot determine the different types of requests.
Workaround:
There is no workaround at this time.
Fix:
This release now distinguishes between deflate (compression) requests and inflate (decompression) requests, as follows: there is an indicator, 'comp_req', for compression requests. The number of decompression requests is tot_req - comp_req.
679494-2 : Change the default compression strategy to speed
Component: Local Traffic Manager
Symptoms:
The current default compression.strategy is 'latency', which does not perform properly, i.e., the provider selection algorithm does not react to load change fast enough.
Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.
Impact:
The work load may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.
Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.
Fix:
The default compression strategy is now set to 'speed'.
679480-1 : User able to create node when an ephemeral with the same IP already exists
Component: TMOS
Symptoms:
If an FQDN ephemeral node exists for a given IP address, the user is still able to create a real node for the same IP address.
Conditions:
This can only be done by the GUI, not by tmsh or iControl REST.
Impact:
This should be prevented, but is allowed.
Workaround:
Avoid creating such a node.
Fix:
Validation now prevents this from happening.
679440-2 : MCPD Cores with SIGABRT
Solution Article: K14120433
Component: Advanced Firewall Manager
Symptoms:
MCPD cores with SIGABRT.
Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.
Impact:
MCPD core.
Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable
Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.
679384-1 : The policy builder is not getting updates about the newly added signatures.
Solution Article: K85153939
Component: Application Security Manager
Symptoms:
The policy builder is not getting updates about the newly added signatures.
Conditions:
When ASU is installed or user-defined signatures are added/updated.
Impact:
No learning suggestions for some of the newly added signatures.
Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
killall -s SIGHUP pabnagd
-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).
Fix:
After the fix, Policy Builder will be aware of all newly added signatures.
679347-3 : ECP does not work for PFS in IKEv2 child SAs
Solution Article: K44117473
Component: TMOS
Symptoms:
The original racoon2 code has no support for DH generate or compute using elliptic curve algorithms for PFS (perfect forward secrecy).
Additionally, the original interfaces are synchronous, but the only ECP support present uses API with async organization and callbacks, so adding ECP does not work.
Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.
Note: The first child SA is negotiated successfully.
Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.
Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.
Fix:
Full support for ECP as PFS has now been added, so a new child-SA negotiated in an IKEV2EXCH_CREATE_CHILD_SA exchange works as expected for ecp256, ecp384, and ecp512.
679235-5 : Inspection Host NPAPI Plugin for Safari can not be installed
Component: Access Policy Manager
Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra cannot be installed.
Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.
Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.
Workaround:
There is no workaround at this time.
Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.
679221-1 : APMD may generate core file or appears locked up after APM configuration changed
Component: Access Policy Manager
Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart, or may appear to be locked up.
Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.
Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.
Workaround:
None.
Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.
679149-2 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash or LB::server returns unexpected result.
Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.
Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.
679135-3 : IKEv1 and IKEv2 cannot share common local address in tunnels
Component: TMOS
Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.
Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.
Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.
Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.
Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.
Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.
Fix:
Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.
679114-2 : Persistence record expires early if an error is returned for a BYE command
Component: Service Provider
Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.
Conditions:
An error is returned for any SIP command.
Impact:
The persistence record will expire early when the call has not been ended.
Workaround:
None.
Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.
678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
Solution Article: K24756214
Component: Access Policy Manager
Symptoms:
VDI debug logs print user credentials to /var/log/apm.
Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.
Impact:
User credentials are written to /var/log/apm.
Workaround:
Set VDI debug level to Notice.
Fix:
The system no longer prints user credentials to VDI debug logs.
678925-4 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
Component: TMOS
Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.
Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.
Then, a connection using the tunnel may cause a TMM crash.
Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.
Impact:
The TMM crashes and traffic is disrupted.
Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.
Fix:
The TMM no longer crashes.
678872-2 : Inconsistent behavior for virtual-address and selfip on the same ip-address
Component: Local Traffic Manager
Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.
Conditions:
Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.
Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.
Workaround:
No workaround.
Fix:
This release implements an initialization-order-independent set of rules that determine whether a particular IP address has ARP/ICMP enabled when multiple virtual addresses (vaddrs) match it. The lookup proceeds from the finest netmask to the coarsest. If no vaddr matches at a particular netmask, the next coarser netmask is looked up. Otherwise, if any matching vaddr for that netmask has ARP/ICMP enabled, the IP address has ARP/ICMP enabled. If none of the matching vaddrs for that netmask has ARP/ICMP enabled, the IP address has ARP/ICMP disabled.
There is one exception to this rule, due to performance optimizations: if a vaddr has both ARP and ICMP disabled, the vaddr is considered deleted.
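The lookup rules in this fix can be modelled as follows. This is an added example, not F5 code: the VAddr record, its field names and the sample addresses are constructed, and it assumes that ARP and ICMP are decided independently and that an address matched by no vaddr yields no decision.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class VAddr:
    """Simplified virtual-address record; field names are hypothetical."""
    network: str   # address/prefix, e.g. "10.0.0.5/32"
    arp: bool      # ARP enabled on this vaddr
    icmp: bool     # ICMP echo enabled on this vaddr


def resolve(ip: str, vaddrs: Iterable[VAddr]) -> Optional[Tuple[bool, bool]]:
    """Return (arp_enabled, icmp_enabled) for ip, or None if no vaddr matches."""
    addr = ipaddress.ip_address(ip)
    matches = {}  # prefix length -> vaddrs of that netmask that contain ip
    for v in vaddrs:
        # Exception from the release note: a vaddr with both ARP and ICMP
        # disabled is considered deleted, so it never takes part in the lookup.
        if not (v.arp or v.icmp):
            continue
        net = ipaddress.ip_network(v.network, strict=False)
        if net.version == addr.version and addr in net:
            matches.setdefault(net.prefixlen, []).append(v)
    if not matches:
        return None  # assumption: the note does not cover this case
    # The finest netmask with any match decides; coarser ones are not consulted.
    # Collecting first and taking the maximum makes the result independent of
    # the order in which the vaddrs were created.
    group = matches[max(matches)]
    # Assumption: ARP and ICMP are decided independently of each other.
    return (any(v.arp for v in group), any(v.icmp for v in group))


# Constructed sample configuration (not taken from a real device).
SAMPLE = [
    VAddr("10.0.0.5/32", arp=False, icmp=False),  # treated as deleted
    VAddr("10.0.0.9/32", arp=False, icmp=True),
    VAddr("10.0.0.0/24", arp=True, icmp=False),
    VAddr("0.0.0.0/0", arp=True, icmp=True),
]

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.77", "192.0.2.1"):
        print(ip, resolve(ip, SAMPLE))
```

Note the effect of the exception: 10.0.0.5 has a /32 vaddr with both settings disabled, yet it still answers ARP because the lookup falls through to the /24 entry.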
678861-3 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade fails with a message similar to the following.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.
Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.
Impact:
Upgrade fails.
Workaround:
Remove DNS:: commands from procs before upgrade.
Or use AFM instead of iRules.
678851-1 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
Component: Access Policy Manager
Symptoms:
Java applets that call getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.
An attempt to call the incorrectly patched method causes the following exception:
java.lang.VerifyError: (...) Illegal type in constant pool
Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().
Impact:
Affected Java applets cannot be started through Portal Access.
Workaround:
None.
Fix:
Rewritten applets with calls of java.applet.AppletStub interface methods are no longer causing java.lang.VerifyError exception during execution.
678833 : IPv6 prefix SPDAG causes packet drop
Component: TMOS
Symptoms:
If IPv6 prefix SPDAG is turned on, on systems running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3, it can cause packet drops.
Conditions:
Turn on IPv6 prefix DAG.
-- Assign a value other than 128 to sys db tmm.pem.session.ipv6.prefix.len.
-- Running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3.
Impact:
Packet drops.
Workaround:
Turn off IPv6 prefix SPDAG.
678822-3 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed
Component: Policy Enforcement Manager
Symptoms:
If PEM subscribers are brought up with diameter apps (Gx/Gy) configured and the PCRF is not reachable, either because there is no route or simply because no license is configured for those apps, the provision pending count for sessions is incremented and never rolls back to zero, even after the subscribers are cleaned up.
Conditions:
If the route to PCRF/OCS is missing or not reachable.
Impact:
Non-Zero stats for provision pending sessions
Workaround:
Disable the Gx/Gy profile if not required or configure the route.
Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.
678820-2 : Potential memory leak if PEM Diameter sessions are not created successfully.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in reduction in available memory.
Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.
Impact:
Loss of service
Workaround:
There is no workaround at this time.
Fix:
Diameter context is freed in case of a failed Diameter session creation.
678801-2 : WS::enabled returned empty string
Component: Local Traffic Manager
Symptoms:
WS::enabled command returned empty string instead of 0 or 1 for status.
Conditions:
-- WS::enabled command is used to query the status of WebSocket processing.
-- WebSocket and HTTP profiles are configured on the virtual server.
Impact:
Unable to determine the status of WebSocket processing using iRule commands.
Workaround:
There is no workaround at this time.
Fix:
Invoke appropriate method via WebSocket Tcl code.
678722-2 : In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources
Component: Local Traffic Manager
Symptoms:
In SSL-O, due to a race condition, TMM may core when SSL forward proxy tries to free up memory by releasing certificate resources.
Conditions:
This only happens in SSL-O with SSL forward proxy configured.
Impact:
TMM may restart due to using the wrong free function. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores under these conditions.
678715-1 : Large volume of query result update to SessionDB fails and locks down ApmD
Component: Access Policy Manager
Symptoms:
While writing large query results from the AD server to SessionDB using the memcache API, the write operation fails with a partial write.
Conditions:
Large volumes of AD query results (with Required 'All Attributes') from the AD server are being written to SessionDB.
Impact:
The operation fails with a partial write. All worker threads performing authentication eventually lock up. The session watchdog thread eventually forces an abort to recover from the situation, and apmd restarts.
Workaround:
Query for specific attributes instead of using the 'All Attributes' option.
Fix:
Partial write failure has been fixed, by writing remaining parts of the query results in several iterations, till the entire result is written.
678714-3 : After HA failover, subscriber data has stale session ID information
Component: Policy Enforcement Manager
Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session id information
Conditions:
-- HA failover.
-- PEM subscriber.
Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.
Workaround:
None.
Fix:
Subscriber local data is now populated with new, generated session ID information.
678462-2 : after chassis failover: asmlogd CPU 100% on secondary
Component: Application Security Manager
Symptoms:
After a failover in a chassis:
- asmlogd CPU 0% on primary slot (which was secondary before the failover).
- asmlogd CPU 100% on secondary (which was primary before the failover).
Without traffic running through the chassis.
Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.
Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.
Workaround:
There is no workaround at this time.
Fix:
The asmlogd process now better handles chassis failovers during which the chassis slots change roles (primary/secondary), so this issue no longer occurs.
678416-2 : Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
Component: Local Traffic Manager
Symptoms:
After the BIG-IP system experiences severe memory pressure, the 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table incorrectly show extremely high values.
Conditions:
The BIG-IP system experiences enough memory pressure that slabs are transferred between threads.
Impact:
The 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table do not reflect actual values. However, there is no functionality issue as a result. This is a cosmetic issue only.
Workaround:
None.
Fix:
The system now manages better under memory pressure so that the tmm/umem_usage_stat counters correctly reflect actual values.
678388-3 : IKEv1 racoon daemon is not restarted when killed multiple times
Solution Article: K00050055
Component: TMOS
Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.
Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.
Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.
Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd
Fix:
Fixed tmipsecd so it correctly tracks whether the IKEv1 racoon daemon is still running or needs a restart. This also covers odd timing, such as killing racoon right after it starts.
678380-3 : Deleting an IKEv1 peer in current use could SEGV on race conditions.
Solution Article: K26023811
Component: TMOS
Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.
Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.
Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.
Workaround:
None.
Fix:
The system now checks whether the old peer definition is valid when navigating from phase-one SAs to the IKEv1 peer definition.
678293-1 : Uncleaned policy history files cause /var disk exhaustion
Solution Article: K25066531
Component: Application Security Manager
Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.
Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.
Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.
Impact:
/var disk usage is high.
Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:
----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { next unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------
Manually verify the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.
In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.
678254-2 : Error logged when restarting Tomcat
Component: TMOS
Symptoms:
An error is logged after restarting Tomcat and using the web UI.
Conditions:
Using the web UI to restart tomcat.
Impact:
An error is logged after restarting Tomcat and using the web UI.
Workaround:
There is no workaround.
Fix:
When restarting Tomcat and using the web UI, an error is logged only if the debug flag is enabled.
678228-1 : Repeated Errors in ASM Sync
Solution Article: K27568142
Component: Application Security Manager
Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.
Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM enabled Device Group
Impact:
Any future attempts at building a sync file will continue to fail.
Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.
Fix:
Remnants of failed sync files are now correctly cleaned up before building a new one.
677962-3 : Invalid use of SETTINGS_MAX_FRAME_SIZE
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system negotiates settings over an HTTP/2 connection, it adopts the value of the peer's SETTINGS_MAX_FRAME_SIZE parameter as its own.
Conditions:
A virtual is configured with HTTP/2 profile.
Impact:
BIG-IP may accept a DATA frame with a size above 16,384 bytes, violating the RFC.
Workaround:
There is no workaround at this time.
Fix:
BIG-IP no longer accepts DATA frames with sizes exceeding a default value of 16,384 bytes.
677958-2 : WS::frame prepend and WS::frame append do not insert string in the right place.
Component: Local Traffic Manager
Symptoms:
When WS::frame prepend and WS::frame append are used together in the same event, the strings are not inserted in the right place.
Conditions:
-- Both WS::frame prepend and WS::frame append commands are present in the same iRule event.
-- WebSocket and HTTP profile are configured on the virtual.
-- Client/server send and receive WebSocket frames.
Impact:
The user-supplied string is not inserted in the right place when sent to the end-point.
Workaround:
None.
Fix:
Separate buffers are now used for append and prepend, instead of reusing the same buffer.
677937-1 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
Component: TMOS
Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.
Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).
Impact:
No connectivity between the client and the server.
Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)
Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.
677928-2 : A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
Component: TMOS
Symptoms:
A wrong source MAC address may be used in the outgoing IPsec encapsulated packets when the BIG-IP VE system is operated in Azure.
Conditions:
The BIG-IP VE system is first deployed in Azure with a single NIC. After the first reboot and then power off, a second NIC is added to the BIG-IP system. Then, an IPsec tunnel is configured to associate with a selfip on the second NIC.
Impact:
The Azure environment or a remote device may drop the outgoing IPsec encapsulated packets from the BIG-IP system because the source MAC address of the packets is wrong.
Fix:
The source MAC address of the outgoing IPsec encapsulated packets from the BIG-IP system is set correctly.
677525-3 : Translucent VLAN group may use unexpected source MAC address
Component: Local Traffic Manager
Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.
Conditions:
VLAN group in translucent mode.
Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.
Workaround:
No workaround at this time.
Fix:
Translucent VLAN groups no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.
677473-1 : MCPD core is generated on multiple add/remove of Mgmt-Rules
Component: Advanced Firewall Manager
Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.
Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).
Impact:
The BIG-IP system might become unusable for few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
MCP no longer crashes, and other dependent daemons no longer restart. The BIG-IP system remains operational in both control-plane (tmsh/GUI) and data traffic processing.
677457 : HTTP/2 Gateway appends semicolon when a request has one or more cookies
Solution Article: K13036194
Component: Local Traffic Manager
Symptoms:
With an HTTP/2 profile, a virtual server on a BIG-IP system receives requests and converts their cookies into a cookie-string. The BIG-IP system concatenates the cookie pairs with a semicolon (%3B) and a space (%20) in the cookie-string. This delimiter pair is also appended to the last cookie pair.
Conditions:
HTTP/2 profile is configured on a virtual server and a request contains one or more cookies.
Impact:
The request forwarded to a backend server contains an extra semicolon at the end of cookie-string.
Workaround:
Use an iRule to remove an extra delimiter if it negatively impacts backend server performance.
For example:
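when HTTP_REQUEST {
    # Act only when the Cookie header ends with the extra "; " delimiter.
    if { [HTTP::header value "Cookie"] ends_with "; " } {
        # Drop the last two characters (the semicolon and the space).
        set new_header [string range [HTTP::header value "Cookie"] 0 end-2]
        # Debug aid: this writes cookie values to the log.
        log local0.notice "$new_header"
        HTTP::header replace "Cookie" $new_header
    }
}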
Fix:
Virtual server with HTTP/2 profile no longer appends extra delimiter to a cookie-string when it forwards the request to HTTP/1.x backend server.
677400-3 : pimd daemon may exit on failover
Solution Article: K82502883
Component: Local Traffic Manager
Symptoms:
When multicast traffic is passing on a high availability (HA) pair, the pimd daemon on the unit that transitions to standby may exit and drop a core file.
Conditions:
-- Multicast routing configured.
-- PIM-Sparse Mode configured.
-- HA failover configuration.
Impact:
None. The system that goes active will reconverge, and multicast traffic will resume.
Workaround:
No workaround required.
Fix:
The pimd daemon no longer exits when an HA failover occurs.
677193-2 : ASM BD Daemon Crash.
Solution Article: K38243073
677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
Component: Local Traffic Manager
Symptoms:
When an HTTP2 connection's parameters are negotiated, either side may report its limits in a SETTINGS frame, in which the SETTINGS_MAX_HEADER_LIST_SIZE parameter specifies the maximum size of the header list that side is willing to accept. The BIG-IP system incorrectly interchanged this parameter with another one, SETTINGS_HEADER_TABLE_SIZE, limiting the value of the former to 32,768.
Conditions:
HTTP2 is configured and an opposite endpoint (user agent using HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.
Impact:
The BIG-IP system does not accept the value, and terminates the connection using GOAWAY frame with PROTOCOL_ERROR as a reason.
Workaround:
None.
Fix:
The BIG-IP system no longer generates an error due to this issue, and allows value for SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.
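The SETTINGS handling behind this issue and behind 677962 (SETTINGS_MAX_FRAME_SIZE) can be illustrated with a small model. This is an added example, not BIG-IP code: the Endpoint class and its method names are hypothetical, the sample frame payload is constructed, and the identifiers, ranges and error codes are those of the HTTP/2 specification (RFC 7540).

```python
import struct
from typing import Optional

# Setting identifiers and error codes from the HTTP/2 specification (RFC 7540).
HEADER_TABLE_SIZE, ENABLE_PUSH, MAX_CONCURRENT_STREAMS = 0x1, 0x2, 0x3
INITIAL_WINDOW_SIZE, MAX_FRAME_SIZE, MAX_HEADER_LIST_SIZE = 0x4, 0x5, 0x6
PROTOCOL_ERROR, FLOW_CONTROL_ERROR, FRAME_SIZE_ERROR = 0x1, 0x3, 0x6

DEFAULT_MAX_FRAME_SIZE = 16384        # initial value of SETTINGS_MAX_FRAME_SIZE
LARGEST_MAX_FRAME_SIZE = 2**24 - 1    # largest value a peer may advertise


class H2Error(Exception):
    """Connection error carrying the code to send in a GOAWAY frame."""
    def __init__(self, code: int, message: str):
        super().__init__(message)
        self.code = code


def parse_settings(payload: bytes) -> dict:
    """Decode a SETTINGS payload (6 bytes per entry) and validate each value."""
    if len(payload) % 6:
        raise H2Error(FRAME_SIZE_ERROR, "SETTINGS length is not a multiple of 6")
    settings = {}
    for offset in range(0, len(payload), 6):
        ident, value = struct.unpack_from("!HI", payload, offset)
        if ident == ENABLE_PUSH and value > 1:
            raise H2Error(PROTOCOL_ERROR, "ENABLE_PUSH must be 0 or 1")
        if ident == INITIAL_WINDOW_SIZE and value > 2**31 - 1:
            raise H2Error(FLOW_CONTROL_ERROR, "INITIAL_WINDOW_SIZE too large")
        if ident == MAX_FRAME_SIZE and not (
                DEFAULT_MAX_FRAME_SIZE <= value <= LARGEST_MAX_FRAME_SIZE):
            raise H2Error(PROTOCOL_ERROR, "MAX_FRAME_SIZE out of range")
        # MAX_HEADER_LIST_SIZE and HEADER_TABLE_SIZE are separate parameters;
        # the specification sets no upper bound on MAX_HEADER_LIST_SIZE.
        settings[ident] = value
    return settings


class Endpoint:
    """Keeps the limits we advertised apart from the limits the peer advertised."""

    def __init__(self, local_max_frame_size: int = DEFAULT_MAX_FRAME_SIZE):
        self.local_max_frame_size = local_max_frame_size   # bounds inbound frames
        self.peer_max_frame_size = DEFAULT_MAX_FRAME_SIZE  # bounds outbound frames
        self.peer_max_header_list_size = None              # None means unlimited

    def on_peer_settings(self, payload: bytes) -> Optional[int]:
        """Apply the peer's SETTINGS; return a GOAWAY error code, or None if valid."""
        try:
            settings = parse_settings(payload)
        except H2Error as err:
            return err.code
        # The peer's values describe what the PEER will accept. They never
        # change local_max_frame_size, which governs what WE accept.
        self.peer_max_frame_size = settings.get(
            MAX_FRAME_SIZE, self.peer_max_frame_size)
        self.peer_max_header_list_size = settings.get(
            MAX_HEADER_LIST_SIZE, self.peer_max_header_list_size)
        return None

    def inbound_frame_error(self, length: int) -> Optional[int]:
        """Check a received frame's length against the limit we advertised."""
        return FRAME_SIZE_ERROR if length > self.local_max_frame_size else None

    def outbound_frame_ok(self, length: int) -> bool:
        """Check a frame we are about to send against the peer's limit."""
        return length <= self.peer_max_frame_size


# Constructed SETTINGS payload: MAX_FRAME_SIZE=65536, MAX_HEADER_LIST_SIZE=65536.
SAMPLE_SETTINGS = struct.pack("!HIHI", MAX_FRAME_SIZE, 65536,
                              MAX_HEADER_LIST_SIZE, 65536)

if __name__ == "__main__":
    ep = Endpoint()
    print("settings error:", ep.on_peer_settings(SAMPLE_SETTINGS))
    print("inbound 20000-byte DATA:", ep.inbound_frame_error(20000))
    print("outbound 65536-byte DATA ok:", ep.outbound_frame_ok(65536))
```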
677088-4 : BIG-IP tmsh vulnerability CVE-2018-15321
Solution Article: K01067037
677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text
Component: Access Policy Manager
Symptoms:
A Logon page agent with more than one password variable, or a Citrix logon prompt, logs the plain text password when debug logging is turned on for the access policy.
Conditions:
This occurs when following conditions are met:
- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.
Impact:
APM logs plain text password when debug logging is turned on for access policy.
Workaround:
None.
Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.
676982-2 : Active connection count increases over time, long after connections expire
Solution Article: K21958352
Component: Local Traffic Manager
Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.
Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile functionality.
Impact:
- Service may be impacted after a period.
- TMM instances may restart.
Workaround:
None.
Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.
676914-1 : The SSL Session Cache can grow indefinitely if the traffic group is changed.
Component: Local Traffic Manager
Symptoms:
If there are entries in the SSL Session Cache, and the traffic group is changed, the cache might grow indefinitely.
Conditions:
-- SSL is configured.
-- Session cache has a limit on the number of entries.
-- After entries are made into the session cache, the traffic group is then changed.
Impact:
Eventually all memory will be consumed causing TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
Disable the session cache.
As an alternative, after changing the traffic group, restart TMM.
Fix:
Changing the traffic group no longer causes the session cache to grow.
676897-1 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
Fix:
This release corrects this issue.
676828-2 : Host IPv6 traffic is generated even when ipv6.enabled is false
Solution Article: K09012436
Component: Local Traffic Manager
Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.
Conditions:
sys db ipv6.enabled is false.
Impact:
Extraneous IPv6 traffic from the BIG-IP system.
Workaround:
None.
Fix:
IPv6 traffic now properly observes the ipv6.enabled sys db variable.
676808-2 : FPS: tmm may crash on response with large payload from server
Component: Fraud Protection Services
Symptoms:
A request to an unprotected FPS URL may cause a tmm crash if the response payload is large and the URL was configured via live update.
Conditions:
1. Page is not protected.
2. Large response payload (e.g., 50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
FPS will check for fast response situation and will act accordingly.
676721-2 : Missing check for NULL condition causes tmm crash.
Solution Article: K33325265
Component: Local Traffic Manager
Symptoms:
Missing check for NULL condition causes tmm crash.
Conditions:
This issue occurs when all of the following conditions are met:
1) The BIG-IP system receives a new connection request and attempts to select a pool member.
2) All pool members are unresponsive. This may be due to one of the following reasons:
a) The pool members have reached their configured connection limit.
b) There is no route to the pool members.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM correctly checks for NULL condition to prevent the crash.
676705-2 : do not run agetty on VE without serial port
Component: TMOS
Symptoms:
The init process spawns /sbin/agetty over and over, filling the log file daemon.log.
Conditions:
VE without a serial port.
Impact:
High disk usage.
Workaround:
Change "respawn" to "off" in /etc/init/serial-ttySX.conf
Fix:
Serial ports are now correctly detected.
676690-3 : Windows Edge Client sometimes crashes when user signs out from Windows
Component: Access Policy Manager
Symptoms:
In rare cases, Windows Edge Client may crash when the user signs out from Windows.
Conditions:
The user signs out from Windows or restarts Windows while Edge Client is running and a VPN is established.
Impact:
No functional impact. The user sees a message box with an error that blocks the sign-out process. When the user closes the message box, the sign-out process continues.
Fix:
Previously, in some instances, the Edge Client on Windows would crash when the user signed out of Windows. This has been fixed.
676471-1 : Insufficient space for core files on i11x00-series platforms
Component: Local Traffic Manager
Symptoms:
The default location for core files is '/var/core'. On i11000 Series platforms, there is insufficient space in this directory for core files. When a process generates a core file, or when a core file is created manually, the system truncates the core file's content.
Conditions:
-- A process encounters a condition that leads to a core file being generated, or a core file is produced manually.
-- Using one of the following platforms:
+ i11400-DS
+ i11600 / i11800
+ i11600-DS / i11800-DS
Impact:
Core file content is truncated. Further analysis of the problem that created the core cannot proceed.
Workaround:
Change the location where the kernel places core files. For example, you might use '/appdata' as the destination.
Change /proc/sys/kernel/core_pattern to define the pathname used to generate the core file.
For more information about core files, refer to the core man page, available by running the following command in tmsh: man core
Fix:
More space has been made available in '/var/core'. Core files are no longer truncated.
676457-3 : TMM may consume excessive resource when processing compressed data
Solution Article: K52167636
676416-2 : BD restart when switching FTP profiles
Component: Application Security Manager
Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.
Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.
Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.
Workaround:
There is no workaround at this time.
Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.
676355-2 : DTLS retransmission does not comply with RFC in certain resumed SSL session
Component: Local Traffic Manager
Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.
Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.
Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.
Workaround:
None.
Fix:
The FINISHED messages are saved before transmitting the Cavium encrypted FINISHED message, and starting the DTLS re-transmit timer. When the re-transmit timer expires, the CCS plus FINISHED messages will be retransmitted.
676223-2 : Internal parameter in order not to sign allowed cookies
Component: Application Security Manager
Symptoms:
ASM TS cookies may get big (up to 4k).
Conditions:
Policy building is turned on (manual or automatic), and there are allowed cookies.
Impact:
This increases web site throughput.
Workaround:
N/A
Fix:
Added an internal parameter to not sign allowed cookies.
676203-1 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
Component: TMOS
Symptoms:
TMM memory usage suddenly increases rapidly.
Conditions:
The inter-blade mpi connection fails and does not recover.
Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.
Workaround:
None.
Fix:
Inter-blade mpi connection now continues as expected, without memory issues.
676092-1 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
Fix:
The system now correctly handles these conditions so the issue no longer occurs.
676028-2 : SSL forward proxy bypass may fail to release memory used for ssl_hs instances
Solution Article: K09689143
Component: Local Traffic Manager
Symptoms:
TMM leaks memory used for ssl_hs instances when using SSL forward proxy when bypass is enabled.
Conditions:
The leak can be triggered by iRules, where a duplicate forward proxy lookup is initiated and interferes with the initial asynchronous lookup.
Impact:
TMM will core after running out of memory, which impacts availability.
Workaround:
None.
Fix:
Resolved by preventing duplicate forward proxy lookup.
675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
Component: Policy Enforcement Manager
Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently if the requests from those flows are outstanding.
Conditions:
The HTTP request from the subscriber is outstanding when the new flow is triggered.
Impact:
The PEM insert content pem_action will be enabled on multiple flows until the first response is received.
Fix:
Throttle insert content action on new flows only to periodic interval if the transaction is outstanding.
675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
Component: TMOS
Symptoms:
When creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error; however, they are deployed with a Status of 'running'.
Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.
Impact:
5th guest and beyond result in an error.
Workaround:
There is no workaround other than not creating more than 4 'ssl-mode dedicated' vCMP guests when provisioning vCMP guests on the i5800 platform.
Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.
675866-1 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
Component: Access Policy Manager
Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.
Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.
Impact:
Cannot access the Kerberos-protected resources.
Workaround:
None.
Fix:
Kerberos SSO (S4U) tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.
675775-2 : TMM crashes inside dynamic ACL building session db callback
Component: Access Policy Manager
Symptoms:
A race condition between PPP tunnel close and session expiration, happening on different TMMs at almost the same time, may cause a TMM restart in the dynamic ACL building session db callback.
Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Guard against NULL pointer dereference for dynamic ACL build.
675718-1 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
Fix:
Corrected an environmental problem with the racoon daemon.
675539-1 : Inter-system communications targeted at a Management IP address might not work in some cases.
Component: Global Traffic Manager (DNS)
Symptoms:
Inter-system communications fail to connect to a BIG-IP system using the Management IP address.
Conditions:
This occurs if the device connection is configured between a Self IP address on one BIG-IP system and the Management IP address on another.
This occurs because the big3d daemon acts as a proxy, listening on the Management IP address, and sends proper SSL connections (using SNI) to TMM (since TMM does not listen on the Management IP address).
This is not an issue if either of the following is true:
-- The source of the connection is the Management IP address; the connection is then clear text (not SSL encrypted, and thus does not use SNI).
-- The destination of the connection is a Self IP address, because TMM (via an iRule) will handle the connection.
Impact:
Device sync operations do not work.
Workaround:
Do not use the Management IP address for between-device communications.
Fix:
The big3d proxy properly handles SSL SNI connections on the Management IP address.
675399-3 : Network Access does not work when empty variables are assigned for WINS and DNS
Solution Article: K14304639
Component: Access Policy Manager
Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.
Conditions:
If the admin configures empty values for WINS or DNS in the Variable Assign agent in the VPE.
Impact:
The system does not parse the XML tags correctly. Users may not be able to establish a VPN tunnel.
Workaround:
Do not leave the DNS or WINS values empty in the Variable Assign agent.
Fix:
APM now correctly handles the condition where an empty string is assigned for WINS and/or DNS in the Variable Assign policy agent.
675232-3 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
Component: Application Security Manager
Symptoms:
Errors encountered -
In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.
Impact:
The policy is created but the modify action cannot find the policy.
Workaround:
iApps are built to work with ASM Policy Templates.
A new ASM Policy Template can be created from the desired ASM Policy.
That can be done via the GUI and, starting from v13.0, via REST as well.
Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------
Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.
675212-3 : The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication
Component: Local Traffic Manager
Symptoms:
Under specific conditions, the BIG-IP system allows clients through (that otherwise should be rejected) as part of SSL Client Certificate Authentication.
Conditions:
This issue occurs when the Trusted Certificate Authority specified in the Client-SSL profile is expired.
Note: The client's certificate must be valid and trusted for the SSL handshake to continue.
This issue purely deals with how the BIG-IP system treats the validity period of the signing Certificate Authority.
Impact:
F5 has reviewed this issue and has not classified it as a Vulnerability. However, F5 recognizes this issue may have a Security Exposure depending on how the BIG-IP system is utilized.
Please observe that the issue here is not validation of the expiration time in the client's certificate. The issue here is handling of the expiration field in the certificate the BIG-IP system explicitly trusts, the so-called 'trust anchor'. In most cases, the trust anchor is a self-signed certificate.
It is important to understand that the expiration field in trust anchors has no clear meaning, and even utilities such as OpenSSL historically treated this field in different ways.
After completing its review, F5 has decided the correct and best behavior for the BIG-IP system is to reject the SSL handshake when the Trusted Certificate Authority has expired.
The impact of this issue will vary greatly based on your deployment and type of business. In most cases, continuing to allow clients through past the validity of the Certificate Authority may be the behavior you expect or one that carries no negative consequences.
However, if you obtained the Certificate Authority from a third party and expected the client certificates signed by that authority to stop working when its validity period expires, this will not happen because of this issue.
Workaround:
F5 recommends that you renew (or obtain renewed copies of) Certificate Authorities that are about to expire and that you want the BIG-IP system to continue trusting.
F5 recommends that you remove from the BIG-IP system Certificate Authorities that are about to expire and that you do not plan to renew or continue trusting.
This will ensure the BIG-IP system behaves optimally on versions affected by this issue.
Fix:
The BIG-IP system now correctly handles the validity period of Trusted Certificate Authorities used for SSL Client Certificate Authentication.
674931 : FPS modified responses/injections might result in a corrupted response
Component: Fraud Protection Services
Symptoms:
If a connection was congested and FPS tries to send additional egress (modifying the response, e.g. injections), the order in which the response is sent might break if this send is successful (i.e. congestion just ended). Instead of sending the buffered data first (the part of the response that was buffered due to congestion), FPS tries to send the new data first and only then sends the buffered data.
Conditions:
- congested connection
- FPS sends modified response (e.g. injections)
- sending egress succeeded (congestion ended)
Impact:
The response is corrupted: the order of the data has erroneously changed.
Workaround:
N/A
Fix:
FPS will handle this case correctly, first sending buffered data then sending the new egress.
674909-3 : Application CSS injection might break when connection is congested
Component: Fraud Protection Services
Symptoms:
Large CSS files configured for phishing protection injection in FPS (not fictive websafe CSS files) may be truncated upon response to client.
Conditions:
Inject into Application CSS enabled in Anti-Fraud Profile » Advanced » Phishing Detection
Large CSS file such as bootstrap files configured for Application CSS Locations.
Network congestion engaging TMM flow control.
Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. May break application functionality.
Workaround:
1) Remove affected large files from Application CSS Locations.
or
2) Disable Inject into Application CSS entirely.
Fix:
FPS now handles the case where injecting into Application CSS was interrupted by congestion.
674747-2 : sipdb cannot delete custom bidirectional persistence entries.
Solution Article: K30837366
Component: Service Provider
Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.
Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.
Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted, however.
Workaround:
None.
Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.
674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow
Component: Policy Enforcement Manager
Symptoms:
If an outstanding flow with a periodic insertion pem_action is very long, it prevents a new flow matching the same rule from adding the insert content pem_action, even for a new periodic interval.
Conditions:
If the outstanding flow with insert content pem_action spans multiple periodic interval.
Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.
Workaround:
Long flows and short flows need to have separate rules configured.
Fix:
New flows will add content insertion, if the new flow request falls in the new periodic interval.
674593-1 : APM configuration snapshot takes a long time to create
Component: Access Policy Manager
Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.
notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up
Conditions:
The issue happens if an access profile contains many resources; the resulting configuration snapshot will have even more configuration variables.
Impact:
TMM will run out of memory if the issue persists. Users will not be able to log in due to a profile not found error similar to the following:
err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found
Workaround:
None.
Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.
674591-2 : Packets with payload smaller than MSS are being marked to be TSOed
Solution Article: K37975308
Component: Local Traffic Manager
Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops them, which degrades performance.
Conditions:
When TM.TcpSegmentationOffload is enabled, packets with length less than MSS are sent as TSO packets.
Impact:
TCP Packets are dropped.
Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.
Fix:
Packets less than MSS are not sent as TSO packets, so there is no performance degradation.
674576-4 : Outage may occur with VIP-VIP configurations
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.
Conditions:
VIP-VIP configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround at this time.
Fix:
TMM no longer produces a core with a 'no trailing data' assert.
674527-1 : TCL error in ltm log when server closes connection while ASM irules are running
Component: Application Security Manager
Symptoms:
TCL error in ltm log, for example:
TCL error: /Common/bug <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error. invoked from within "ASM::severity"
Conditions:
1. ASM iRules are attached.
2. One request has already been passed to the web server.
3. The server closes the connection.
Impact:
Error in ltm log.
674515 : New revoke license feature for VE only implemented
Component: TMOS
Symptoms:
Prior to this version, the license revoke feature was not implemented/available.
Conditions:
Without revoke implemented, the feature is simply not available.
Impact:
Licenses cannot be revoked and hence re-used.
Fix:
With this feature implemented, VE licenses can be revoked and then re-used on different VE.
674494-1 : BD memory leak on specific configuration and specific traffic
Solution Article: K77993010
Component: Application Security Manager
Symptoms:
RSS memory of the bd grows.
Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.
Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.
Workaround:
None.
Fix:
The remote logger's data is now freed when the system decides not to log remotely.
674486-5 : Expat Vulnerability: CVE-2017-9233
Component: TMOS
Symptoms:
An infinite loop vulnerability due to malformed XML in external entity was found in entityValueInitProcessor function affecting versions of Expat 2.2.0 and earlier.
Conditions:
Version of expat in use on BIG-IP is v2.2.0 or earlier.
Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the administrative interface.
Fix:
Expat updated to v2.2.0 or later
674455-7 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
Component: TMOS
Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.
Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r
Impact:
Serial console baud rate settings are incorrect. The console uses the BIOS baud rate.
Workaround:
When booting, edit the grub kernel line to include console=ttyS0.
Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.
Fix:
tmidiag has been fixed to not strip out console=ttyS0.
674410-3 : AD auth failures due to invalid Kerberos tickets
Solution Article: K59281892
Component: Access Policy Manager
Symptoms:
User cannot log in.
Conditions:
- AAA AD server is configured on BIG-IP.
- AD Auth/Query agent is used in Access Policy.
- Cached Kerberos ticket is invalid or backend AD server is not reachable for some reason
Impact:
AD Auth/Query fails. APM end user won't be able to take successful branch in Access Policy.
Workaround:
None.
Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.
674320-2 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems
Solution Article: K11357182
Component: TMOS
Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:
notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59
Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)
Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).
Impact:
Configuration on peer systems in a device group does not get saved after a sync.
Workaround:
Manually save the configuration on peer systems after a sync.
Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.
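Added example (not F5 code): a small Python check that scans audit log text for the failure signature quoted above, a tmsh 'save / sys config partitions {' record whose status reports a syntax error or whose folder list is never closed. The sample lines are constructed from the record shown in this note; the function names, the 'Command OK' status in the success record, and the unrelated mcpd line are assumptions made for the example.

```python
import re

# Folder count above which this release note says the peer save fails.
FOLDER_THRESHOLD = 56
SAVE_PREFIX = "save / sys config partitions {"

# Matches the tmsh AUDIT record layout quoted in the note (message ID 01420002).
AUDIT_RE = re.compile(
    r"tmsh\[(?P<pid>\d+)\]: 01420002:\d+: AUDIT - .*?"
    r"status=\[(?P<status>.*?)\] cmd_data=(?P<cmd>.*)$"
)
# Tokens that look like folder names; anything else after a cut-off list
# (the note mentions possible garbage characters) is ignored.
NAME_RE = re.compile(r"^[A-Za-z0-9_.\-/]+$")


def build_sample_log():
    """Constructed sample: one failed save (59 folders, list cut off),
    one clean save, and one unrelated line."""
    many = " ".join(f"tf{n:02d}" for n in range(1, 60))
    return "\n".join([
        'notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root '
        'folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] '
        f"cmd_data=save / sys config partitions {{ {many}",
        # Constructed success record; its status text is an assumption.
        "notice tmsh[16002]: 01420002:5: AUDIT - pid=16002 user=root "
        "folder=/Common module=(tmos)# status=[Command OK] "
        "cmd_data=save / sys config partitions { Common tf01 tf02 }",
        "notice mcpd[5021]: 01070000:5: unrelated constructed line",
    ])


def find_failed_partition_saves(log_text):
    """Return one finding per partition-save record that failed or was truncated."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = AUDIT_RE.search(line)
        if not m or not m.group("cmd").startswith(SAVE_PREFIX):
            continue
        body = m.group("cmd")[len(SAVE_PREFIX):]
        # Everything before the first "}" is the folder list; an empty
        # separator means the list was never closed.
        listed, brace, _ = body.partition("}")
        folders = [tok for tok in listed.split() if NAME_RE.match(tok)]
        syntax_error = "Syntax Error" in m.group("status")
        if syntax_error or not brace:
            findings.append({
                "line": lineno,
                "pid": m.group("pid"),
                "status": m.group("status"),
                "folders_seen": len(folders),
                "over_threshold": len(folders) > FOLDER_THRESHOLD,
                "list_closed": bool(brace),
            })
    return findings


if __name__ == "__main__":
    for finding in find_failed_partition_saves(build_sample_log()):
        print(finding)
```

A finding on a peer after a sync means that peer still needs the manual configuration save described in the workaround. Because the logged folder list can be cut off, folders_seen is a lower bound on the real folder count.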
674288-2 : FQDN nodes - monitor attribute doesn't reliably show in GUI
Solution Article: K62223225
Component: TMOS
Symptoms:
When creating more than one node with FQDN configured with monitors, monitors are not displayed in the GUI properly.
Conditions:
Create more than one node with FQDN configured.
Impact:
The previously created FQDN node does not display monitors in the GUI. However, the subsequently created FQDN node does display the correct monitors.
Workaround:
Use tmsh to view monitors for Nodes with FQDN configured.
Fix:
Node page now displays the correct monitors for nodes configured with FQDN.
674189 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
Solution Article: K52320548
674145-3 : chmand error log message missing data
Component: TMOS
Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.
Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP
The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.
Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.
Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.
Fix:
The expected data values are properly printed in the log message.
674004-1 : tmm may crash when after deleting pool member in traffic
Solution Article: K34448924
Component: Local Traffic Manager
Symptoms:
tmm may crash after deleting a pool member that is processing traffic.
Conditions:
-- Two or more pools share the same node as pool member.
-- A pool member (with the shared node) is deleted while traffic is passing.
-- A One-Connect profile is configured on the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes after deleting a pool member while traffic is passing.
673974-1 : agetty auto detects parity on console port incorrectly
Solution Article: K63225596
Component: TMOS
Symptoms:
With a BIG-IP system configured for a console baud rate that is different from the baud rate of the serial terminal that is plugged in to the console port, the system returns garbled characters on the screen. Changing the terminal setting to match the console baud rate has no effect after that: the BIG-IP system continues to send garbage.
Conditions:
BIG-IP system with a console at certain baud rate.
-- Plug in a serial terminal with a different baud rate.
-- Press enter several times.
Impact:
The parity detection code selects the wrong setting, leaving the console port unusable until reboot of the BIG-IP system, or after killing and restarting agetty.
Workaround:
To recover from this condition, log on to the BIG-IP system via ssh, force parity off, and kill the agetty process (assuming the console is not logged in, and is therefore running agetty).
via ssh:
# stty -F /dev/ttyS0 -parenb ; killall agetty
However, this is not an ideal workaround, as a frequent reason to use the serial console is lack of network access to the device.
In that situation, you can log on by setting the terminal to Mark parity (8 data bits, Mark parity, 1 stop bit).
Note: There is no way to mitigate the issue from the console connection itself, as agetty doesn't run while the console is logged in.
You can also reboot the BIG-IP system, reset the terminal speed on the laptop to match the console speed set on the BIG-IP system, and reconnect the laptop.
Fix:
This issue has been corrected.
673951-4 : Memory leak when using HTTP2 profile
Solution Article: K56466330
Component: Local Traffic Manager
Symptoms:
Memory continues to grow despite reduced volume of traffic. Large number of spdy_frame and xdata allocated.
Conditions:
Virtual server configured with HTTP2 profile.
Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.
Workaround:
None.
Fix:
Virtual server configured with HTTP2 profile no longer leaks memory.
673814-4 : Custom bidirectional persistence entries are not updated to the session timeout
Solution Article: K37822302
Component: Service Provider
Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.
Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.
Impact:
The persistence timeout will prematurely time out.
Workaround:
Set the transaction timeout to the session timeout value.
Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.
673748-1 : ng_export, ng_import might leave security.configpassword in invalid state
Solution Article: K19534801
Component: Access Policy Manager
Symptoms:
If import/export of an Access Profile or Access Policy results in an error, security.configpassword may retain a temporary non-<null> state, which can cause problems when the config is saved or loaded using the sys save config or sys load config commands.
Conditions:
Import or export of Access Profile or Access Policy fails with an error.
Impact:
Passwords in .conf might get mangled.
Workaround:
Set the security.configpassword db variable using the following command:
modify sys db security.configpassword value "<null>"
Fix:
Error handling for access policy import failures has been improved.
673717-1 : VPE loading times can be very long
Component: Access Policy Manager
Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.
Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.
Impact:
Policies with thousands of entries can take tens of seconds or more to load.
Workaround:
None.
Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.
673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
Component: Policy Enforcement Manager
Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.
Conditions:
When a subscriber action list has Insert content added, and the pem and classification profiles are detached and re-attached to the Listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.
Impact:
The periodic insert content action will fail to insert the content.
Workaround:
Delete and recreate the subscriber for which the insert content action is no longer working.
Fix:
For subscriber content insertion record lookup, use the right session id storage associated with the subscriber.
673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
Component: Policy Enforcement Manager
Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.
Conditions:
When a subscriber action list has Insert content added, and the request/response for that HTTP transaction gets interleaved by another subscriber's request. This happens when more than one subscriber is using the same policy rule.
Impact:
The periodic insert content action will fail to insert the content.
Workaround:
Delete and recreate the subscriber for which the insert content action is no longer working.
Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.
673621-2 : Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
Component: Local Traffic Manager
Symptoms:
Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
Conditions:
Set ca-file to 'none' in the clientssl profile.
Impact:
Chain is still sent.
Workaround:
None.
Fix:
Chain certificate is no longer sent to the client when both ca-file and chain certificate are removed from the clientssl profile.
673607-2 : Apache CVE-2017-3169
Solution Article: K83043359
673595-2 : Apache CVE-2017-3167
Solution Article: K34125394
673484-1 : IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
Solution Article: K85405312
Component: TMOS
Symptoms:
IPsec IKEv2 tunnels cannot be established when the remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child Security Association (SA) establishment. This parameter is commonly sent by ASA devices.
Conditions:
-- IPsec IKEv2 with ASA peer.
-- Remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child SA establishment.
Impact:
IKEv2 IPsec tunnels cannot be established with ASA peer.
Workaround:
Use IKEv1.
Fix:
During IPsec IKEv2 child SA establishment, the BIG-IP will ignore the NON_FIRST_FRAGMENTS_ALSO notification and will continue to establish the SA.
673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber
Component: Policy Enforcement Manager
Symptoms:
Immediately after the classification rule associated with a static subscriber is updated, and if the action list has Insert content, the first periodic insert content action fails for the subscribers. Subsequent Insert content actions will proceed as expected.
Conditions:
Update of the classification rule associated with the subscribers.
Impact:
The first periodic Insert content action immediately following the update of the classification rule will fail.
Workaround:
Running 'bigstart restart tmm' after updating the classification rule with the insert content action will fix the issue.
Fix:
Update the record count associated with the subscriber during eval.
673463-2 : SDD v3 symmetric deduplication may start performing poorly after a failover event
Solution Article: K68275280
Component: Wan Optimization Manager
Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may start performing poorly for some file transfers.
Conditions:
This issue occurs when all of the following conditions are met:
1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) The far side BIG-IP HA configuration (from the perspective of the client performing the download) is failed over.
4) Clients attempt to download files that had previously been transferred through the BIG-IP units.
Impact:
Symmetric deduplication is severely impacted (virtually no hits) for files that had previously been transferred through the units. This causes the amount of data transmitted over the WAN to increase. Files that were not transferred previously through the units are not affected by this issue.
Workaround:
To eliminate the impacted symmetric deduplication condition, restart the receiving (i.e., the near) side.
Fix:
SDD v3 symmetric deduplication no longer performs poorly after a failover event.
673399-1 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
Component: Local Traffic Manager
Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. The subsequent GET request from the client is dropped.
Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. The subsequent GET request from the client is dropped.
Impact:
Connection is reset.
Workaround:
Disable Websockets profile on the virtual server.
Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.
673165 : CVE-2017-7895: Linux Kernel Vulnerability
Solution Article: K15004519
673129 : New feature: revoke license
Solution Article: K41458656
Component: TMOS
Symptoms:
A different license is required for each Virtual Edition (VE) instance.
Conditions:
Creating new instances of VE.
Impact:
Cannot reuse an existing VE license.
Workaround:
None.
Fix:
For Virtual Edition (VE) BIG-IP systems, licenses can now be reused by other VE instances by revoking an active license on one and installing it on another.
Behavior Change:
Revoke license is a new feature so that licenses can be reused for other virtual edition configurations.
To revoke a license using tmsh, run the following command:
tmsh revoke sys license registration-key <reg-key-number>
The system responds with the following confirmation prompt:
Revoking the license will return this BIG-IP to an unlicensed state. It will stop processing traffic. Are you sure? Y/N:
When you type y, the system revokes the license and returns a response similar to the following:
License successfully revoked
[root@bigip11:LICENSE INOPERATIVE:Standalone] config # Jul 17 12:04:28 bigip11 emerg mcpd[5144]: 01070608:0: License is not operational (expired or digital signature does not match contents).
673078-1 : TMM may crash when processing FastL4 traffic
Solution Article: K62712037
673075-1 : Reduced Issues for Monitors configured with FQDN
Component: Local Traffic Manager
Symptoms:
Monitors configured using FQDN might experience several edge cases in some deployment environments. For example, you might experience issues with FQDN-configured monitors when used in environments with volatile/unstable DNS servers, or when network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'. In such cases, the monitor may experience a delay in rotating to the next available DNS server. This is due to complex edge cases that exist within the initial FQDN monitor implementation, where anomalous behavior is aggravated by some network configurations.
Conditions:
Monitors are configured using FQDN, and one-or-more environment conditions exist such as: Unstable DNS servers (i.e., 'flapping' DNS), or the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'.
Impact:
The monitor will not be updated with information from the (new) DNS server when the previous DNS server becomes unavailable. Other monitor behavior will continue to function normally.
Workaround:
In some cases, network configuration can be changed to avoid these edge cases, for example by ensuring stable DNS servers with only periodic rollovers to backup DNS servers, or by ensuring that ICMP packets are routable back to 'bigd'. Alternatively, monitors may be configured without using FQDN.
Fix:
Monitors configured using FQDN behave as expected in volatile environments, such as those with flapping DNS servers and where ICMP packets for unreachable DNS servers are non-routable back to 'bigd'.
673052-2 : On i-Series platforms, HTTP/2 is limited to 10 streams
Component: Local Traffic Manager
Symptoms:
On i-Series platforms, HTTP/2 is limited to 10 streams by licensing.
"HTTP2 limited to 10 concurrent streams: Web Accelerator feature not licensed." appears in /var/log/ltm
Conditions:
Using an i-Series platform where WAM is unlicensable.
Impact:
HTTP/2 performance may be less than desired.
Fix:
It is possible to configure HTTP/2 with more than 10 streams on i-Series platforms.
672988-2 : MCP memory leak when performing incremental ConfigSync
Solution Article: K03433341
Component: TMOS
Symptoms:
MCP leaks memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen by using the tmctl utility to watch the umem_alloc_80 cache over time.
This leak occurs on the device that is sending the configuration.
Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.
Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.
Workaround:
None.
Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.
672868-1 : Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
Component: Access Policy Manager
Symptoms:
Portal Access server-side JavaScript parser may work incorrectly if JavaScript code includes non-whitespace control characters inside text constants.
Conditions:
JavaScript code with non-whitespace control characters (0x00..0x08, 0x0E..0x1B, 0x7F..0x9F) inside text constants.
Impact:
Web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now JavaScript code with non-whitespace control characters can be processed by Portal Access.
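To check whether an application served through Portal Access on an unfixed version matches the Conditions of 672868-1, the following added example (not F5 code) scans JavaScript source for the listed control characters inside string constants. It assumes the ranges refer to decoded code points, does not recognise regex literals, and uses a constructed sample.

```python
# Added example, not F5 code. Ranges come from the Conditions text of 672868-1;
# treating them as decoded code points (not raw bytes) is an assumption.
CONTROL_RANGES = ((0x00, 0x08), (0x0E, 0x1B), (0x7F, 0x9F))

def is_flagged(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in CONTROL_RANGES)

def find_control_chars(source):
    """Return (line, column, codepoint) for each listed control character
    found inside a '...', "..." or `...` literal. Comments are skipped;
    regex literals are not recognised (simplification)."""
    hits = []
    quote = None                      # quote char of the open literal, if any
    i, n = 0, len(source)
    while i < n:
        ch = source[i]
        if quote is None:
            if source.startswith("//", i):        # line comment: jump to newline
                end = source.find("\n", i)
                i = n if end == -1 else end
                continue
            if source.startswith("/*", i):        # block comment: jump past */
                end = source.find("*/", i + 2)
                i = n if end == -1 else end + 2
                continue
            if ch in "'\"`":
                quote = ch
        elif ch == "\\":                          # escape: skip the escaped char
            i += 2
            continue
        elif ch == quote:
            quote = None
        elif ch == "\n" and quote != "`":         # unterminated '...' or "..."
            quote = None
        elif is_flagged(ch):
            line = source.count("\n", 0, i) + 1
            col = i - source.rfind("\n", 0, i)    # 1-based column
            hits.append((line, col, ord(ch)))
        i += 1
    return hits

# Constructed sample input (not taken from any real application).
SAMPLE = (
    "var ok = 'plain text';\n"
    "// comment with \x01 is ignored\n"
    "var a = 'bell\x07here';\n"
    "var b = \"tab\tis whitespace\";\n"
    "var c = `nel\x85 and del\x7f`;\n"
    "var d = 'escaped \\x07 is fine';\n"
)
```

Decode files with their declared charset before scanning, since the 0x80..0x9F code points are only meaningful after decoding.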
672815-2 : Incorrect disaggregation on VIPRION B4200 blades
Component: TMOS
Symptoms:
During startup of the bcm56xxd daemon, the LTM log shows BCM SDK errors containing the string 'SDK error Invalid parameter'. IP fragments fail to be reassembled. The reassembly time out triggers and the flow is killed.
Conditions:
-- After startup as long as the SDK errors occur.
-- Running on VIPRION B4200 blades.
Impact:
TCP connections and UDP datagrams which have fragmented packets are killed or dropped.
Workaround:
There is no workaround that will process fragments correctly.
Fix:
Incorrect disaggregation on VIPRION B4200 blades has been corrected.
672695-1 : Internal perl process listening on all interfaces when ASM enabled
Component: Application Security Manager
Symptoms:
ASM configuration processes are available on unprotected network interfaces.
Conditions:
ASM is provisioned.
Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance.
Workaround:
None.
Fix:
ASM-config Event Dispatcher now listens only on protected interfaces.
672667-4 : CVE-2017-7679: Apache vulnerability
Solution Article: K75429050
672504-1 : Deleting zones from large databases can take excessive amounts of time.
Solution Article: K52325625
Component: Global Traffic Manager (DNS)
Symptoms:
When deleting a zone or a large number of Resource Records, zxfrd can reach 100% CPU for long periods of time.
Conditions:
With a significantly sized database, deletes might be very time-intensive.
Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests.
Workaround:
None.
Fix:
The deletion algorithm has been dramatically improved, removing the significant delay in deletions.
672491-2 : net resolver uses internal IP as source if matching wildcard forwarding virtual server
Solution Article: K10990182
Component: Global Traffic Manager (DNS)
Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.
Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.
Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.
Impact:
Failed DNS queries as a result of incorrect source IP address.
Workaround:
None.
Fix:
This issue was resolved by ensuring that listener lookup matches only exact IP addresses, not wildcards.
672312-2 : IP ToS may not be forwarded to serverside with syncookie activated
Component: Local Traffic Manager
Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.
Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.
Impact:
IP ToS header is not forwarded to the serverside.
Workaround:
None.
Fix:
The BIG-IP system now forwards IP ToS in syncookie mode.
672301-2 : ASM crashes when using a logout object configuration in ASM policy
Component: Application Security Manager
Symptoms:
The bd daemon crashes and writes a core file in the /shared/core directory.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.
Impact:
System goes offline for a few seconds, failover occurs.
Workaround:
Remove logout object configuration from ASM policy.
Fix:
The system now handles this condition.
672250-1 : SessionDB update from ApmD with large volume fails
Component: Access Policy Manager
Symptoms:
While writing large amounts of data to sessionDB using the memcache API, the write operation fails with a partial write.
Conditions:
Writing large volumes of data to SessionDB via the memcache API.
Impact:
All worker threads performing authentication eventually get locked down. Session watchdog thread eventually makes a forced abort to recover from the situation. ApmD restarts in this situation.
Workaround:
Limit writes to sessionDB to a smaller data size.
Fix:
The partial write failure has been fixed by writing the remaining parts of the query results over several iterations until the entire result is written.
672221 : TMM cores if the certificate configured to validate message signature does not exist.
Component: Access Policy Manager
Symptoms:
TMM cores if the SAML message signature verification certificate cannot be found in the configuration.
Conditions:
-- SAML is configured with an invalid certificate in the message signature validation setting.
-- The control-plane is unable to detect such misconfiguration.
Note: This is an unlikely occurrence if the usual control-plane is used to configure the SSO/SAML object. In this particular case, the certificate-key was passed in as the certificate which triggered a certificate-not-found error.
Impact:
The issue can lead to momentary service interruption. Traffic disrupted while tmm restarts.
Workaround:
Make sure the certificate configured for use with the SAML message signature verification is correctly configured and the configuration loads successfully.