Applies To:
- BIG-IP AAM 12.1.5
- BIG-IP APM 12.1.5
- BIG-IP Analytics 12.1.5
- BIG-IP Link Controller 12.1.5
- BIG-IP LTM 12.1.5
- BIG-IP AFM 12.1.5
- BIG-IP PEM 12.1.5
- BIG-IP DNS 12.1.5
- BIG-IP ASM 12.1.5
BIG-IP Release Information
Version: 12.1.5.3
Build: 5.0
Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Important: Memory leak after upgrade
F5 has uncovered a memory leak that occurs after upgrading to 12.1.5.3 that may affect configurations with HTTPS monitors. This occurs as a result of bug 625156.
To download a hotfix that addresses this issue, go to the F5 Downloads site here (login required).
For information about this issue, see K50524736: Bigd process memory leak after updating to BIG-IP 12.1.5.3, and K02024500: Pool-members with HTTPS monitors go down after upgrade to 12.1.5.3.
Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
933741-6 | CVE-2021-22979 | K63497634 | Security hardening in FPS GUI |
932065-5 | CVE-2021-22978 | K87502622 | iControl REST framework exception handling hardening |
921337-4 | CVE-2021-22976 | K88230177 | ASM processes some web-sockets requests longer than usual |
917509-6 | CVE-2020-27718 | K58102101 | ASM processes some requests longer than usual |
911761-6 | CVE-2020-5948 | K42696541 | F5 TMUI XSS vulnerability CVE-2020-5948 |
908673-1 | CVE-2020-27717 | K43850230 | TMM may crash while processing DNS traffic |
879745-7 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic |
846917-6 | CVE-2019-10744 | K47105354 | lodash Vulnerability: CVE-2019-10744 |
837773-5 | CVE-2020-5912 | K12936322 | Restjavad Storage and Configuration Hardening |
750292-3 | CVE-2019-6592 | K54167061 | TMM may crash when processing TLS traffic |
904937-6 | CVE-2020-27725 | K25595031 | Excessive resource consumption in zxfrd |
898949-5 | CVE-2020-27724 | K04518313 | APM may consume excessive resources while processing VPN traffic |
880361-5 | CVE-2021-22973 | K13323323 | TMM may crash while processing iRules LX commands |
859089-2 | CVE-2020-5907 | K00091341 | TMSH allows SFTP utility access |
842717-2 | CVE-2020-5855 | K55102004 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 |
832757-2 | CVE-2017-18551 | K48073202 | Linux kernel vulnerability CVE-2017-18551 |
811789-5 | CVE-2020-5915 | K57214921 | Device trust UI hardening |
751036-4 | CVE-2020-27721 | K52035247 | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone |
734177 | CVE-2012-6701 CVE-2015-8830 CVE-2016-8650 CVE-2017-2671 CVE-2017-6001 CVE-2017-7308 CVE-2017-7616 CVE-2017-7889 CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 CVE-2017-12190 CVE-2017-15121 CVE-2017-18203 CVE-2018-1130 CVE-2018-3639 CVE-2018-5803 | K42142782 | CVE-2019-12190 : RHEL6 Kernel Vulnerability |
693360-6 | CVE-2020-27721 | K52035247 | A virtual server status changes to yellow while still available |
681535 | CVE-2017-2628 | K35453761 | CVE-2015-3148 in curl was incomplete. |
818177-7 | CVE-2019-12295 | K06725231 | CVE-2019-12295 Wireshark Vulnerability |
746091-4 | CVE-2019-19151 | K21711352 | TMSH Vulnerability: CVE-2019-19151 |
717276-3 | CVE-2020-5930 | K20622530 | TMM Route Metrics Hardening |
954381-5 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
955145-5 | CVE-2021-22986 | K03009991 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 |
950077-5 | CVE-2021-22987, CVE-2021-22988 | K18132488 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
953677-5 | CVE-2021-22987, CVE-2021-22988 | K18132488 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 |
953729-5 | CVE-2021-22989, CVE-2021-22990 | K56142644 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 |
973333-1 | CVE-2021-22991 | K56715231 | TMM buffer-overflow vulnerability CVE-2021-22991 |
981169-5 | CVE-2021-22994 | K66851119 | F5 TMUI XSS vulnerability CVE-2021-22994 |
743105-5 | CVE-2021-22998 | K31934524 | BIG-IP SNAT vulnerability CVE-2021-22998 |
932697 | CVE-2021-23000 | K34441555 | BIG-IP TMM vulnerability CVE-2021-23000 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
724556-1 | 2-Critical | | icrd_child spawns more than maximum allowed times (zombie processes) |
657912-1 | 3-Major | | PIM can be configured to use a floating self IP address |
760234-3 | 4-Minor | | Configuring Advanced shell for Resource Administrator User has no effect |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
860517-5 | 2-Critical | | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. |
841953-2 | 2-Critical | | A tunnel can be expired when going offline, causing tmm crash |
841333-2 | 2-Critical | | TMM may crash when tunnel used after returning from offline |
780817-3 | 2-Critical | | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. |
769817-5 | 2-Critical | | BFD fails to propagate sessions state change during blade restart |
737322-1 | 2-Critical | | tmm may crash at startup if the configuration load fails |
706521-6 | 2-Critical | K21404407 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password |
648270-4 | 2-Critical | | mcpd can crash if viewing a fast-growing log file through the GUI |
948769-2 | 3-Major | | TMM panic with SCTP traffic |
888497-6 | 3-Major | | Cacheable HTTP Response |
887089-6 | 3-Major | | Upgrade can fail when filenames contain spaces |
871657-4 | 3-Major | | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S |
842189-1 | 3-Major | | Tunnels removed when going offline are not restored when going back online |
814585-6 | 3-Major | | PPTP profile option not available when creating or modifying virtual servers in GUI |
810957-6 | 3-Major | | Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core |
807005-6 | 3-Major | | Save-on-auto-sync is not working as expected with large configuration objects |
800185-1 | 3-Major | | Saving a large encrypted UCS archive may fail and might trigger failover |
794501-5 | 3-Major | | Duplicate if_indexes and OIDs between interfaces and tunnels |
783113-2 | 3-Major | | BGP sessions remain down upon new primary slot election |
760950-1 | 3-Major | | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment |
760439-1 | 3-Major | | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status |
759596-4 | 3-Major | | Tcl errors in iRules 'table' command |
757520 | 3-Major | | After a software upgrade, the BIG-IP system does not use the correct hostname for logging.★ |
749785-3 | 3-Major | | nsm can become unresponsive when processing recursive routes |
749007-4 | 3-Major | | South Sudan, Sint Maarten, and Curacao country missing in GTM region list |
745261-3 | 3-Major | | The TMM process may crash in some tunnel cases |
742628-6 | 3-Major | K53843889 | Tmsh session initiation adds increased control plane pressure |
739872-3 | 3-Major | | The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover |
738943-1 | 3-Major | | imish command hangs when ospfd is enabled |
724109-5 | 3-Major | | Manual config-sync fails after pool with FQDN pool members is deleted |
720569-2 | 3-Major | | Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition |
699091-1 | 3-Major | | SELinux denies console access for remote users. |
698429-3 | 3-Major | | Misleading log error message: Store Read invalid store addr 0x3800, len 10 |
688399-5 | 3-Major | | HSB failure results in continuous TMM restarts |
687115-1 | 3-Major | | SNMP performance can be impacted by a long list of allowed-addresses |
680917-2 | 3-Major | | Invalid monitor rule instance identifier |
678456-2 | 3-Major | | ZebOS BGP peer-group configuration not fixed up on upgrade★ |
672063-1 | 3-Major | K38335326 | Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash. |
626589-6 | 3-Major | K73230273 | iControl-SOAP prints beyond log buffer |
620311-1 | 3-Major | | GUI Failover Unicast Address information incorrect |
605675-1 | 3-Major | | Sync requests can be generated faster than they can be handled |
600732-2 | 3-Major | | IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description |
489572-2 | 3-Major | K60934489 | Sync fails if file object is created and deleted before sync to peer BIG-IP |
933461-1 | 4-Minor | | BGP multi-path candidate selection does not work properly in all cases. |
931837-4 | 4-Minor | | NTP has predictable timestamps |
902417-1 | 4-Minor | | Configuration error caused by Drafts folder in a deleted custom partition★ |
831293-1 | 4-Minor | | SNMP address-related GET requests slow to respond. |
801637-2 | 4-Minor | | Cmp_dest on C2200 platform may give incorrect results |
721526-1 | 4-Minor | | tcpdump fails to write verbose packet data to file |
685582-5 | 4-Minor | | Incorrect output of b64 unit key hash by command f5mku -f |
664524 | 4-Minor | | CVE-2017-2636: A race condition was found in the N_HLDC Linux kernel driver that can lead to double free. CVE-2016-7910: A flaw was found in the Linux kernel's implementation of seq_file which can lead to memory corruption |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
715032-6 | 1-Blocking | K73302459 | iRulesLX Hardening |
941089-5 | 2-Critical | | TMM core when using Multipath TCP |
842937-1 | 2-Critical | | TMM crash due to failed assertion 'valid node' |
743950-3 | 2-Critical | | TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled |
740228-3 | 2-Critical | | TMM crash while sending a DHCP Lease Query to a DHCP server |
949145-2 | 3-Major | | Improve TCP's response to partial ACKs during loss recovery |
915281-7 | 3-Major | | Do not rearm TCP Keep Alive timer under certain conditions |
879413-5 | 3-Major | | Statsd fails to start if one or more of its *.info files becomes corrupted |
851789-1 | 3-Major | | SSL monitors flap with client certs with private key stored in FIPS |
851045-5 | 3-Major | | LTM database monitor may hang when monitored DB server goes down |
814761-4 | 3-Major | | PostgreSQL monitor fails on second ping with count != 1 |
807821-1 | 3-Major | | ICMP echo requests occasionally go unanswered |
805017-4 | 3-Major | | DB monitor marks pool member down if no send/recv strings are configured |
796993-2 | 3-Major | | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs |
785481-5 | 3-Major | | A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached |
770477-4 | 3-Major | | SSL aborted when client_hello includes both renegotiation info extension and SCSV |
755997-3 | 3-Major | | Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address |
753805-2 | 3-Major | | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. |
750473-2 | 3-Major | | VA status change while 'disabled' are not taken into account after being 'enabled' again |
724824-5 | 3-Major | | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync |
722707-1 | 3-Major | | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall |
687887-4 | 3-Major | | Unexpected result from multiple changes to a monitor-related object in a single transaction |
686059-1 | 3-Major | | FDB entries for existing VLANs may be flushed when creating a new VLAN. |
608952-5 | 3-Major | | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 |
604811-3 | 3-Major | | Under certain conditions TMM may crash while processing OneConnect traffic |
516307-2 | 3-Major | K35152864 | Multiple Relay in DHCP relay is not working. |
409340-1 | 3-Major | K63086108 | https/ssl monitor closes immediately (rather than awaiting remote close-notify) |
822025-5 | 4-Minor | | HTTP response not forwarded to client during an early response |
808409-2 | 4-Minor | | Unable to specify if giaddr will be modified in DHCP relay chain |
781225-4 | 4-Minor | | HTTP profile Response Size stats incorrect for keep-alive connections |
769309-4 | 4-Minor | | DB monitor reconnects to server on every probe when count = 0 |
746077-2 | 4-Minor | | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified |
726983-5 | 4-Minor | | Inserting multi-line HTTP header not handled correctly |
939841-5 | 2-Critical | | BIG-IP MPTCP vulnerability CVE-2021-23003 |
939845-5 | 3-Major | | Invalid MPTCP JOIN messages not immediately dropped |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
702457-3 | 3-Major | | DNS Cache connections remain open indefinitely |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
927617-5 | 2-Critical | | "Illegal Base64 value" violation is detected for cookie with valid base64 value |
943125-5 | 3-Major | | Web-Socket request with JSON payload causing core during the payload parsing |
941853-4 | 3-Major | | Logging Profiles do not disassociate from virtual server when multiple changes are made |
918933-5 | 3-Major | K88162221 | Some ASM attack signatures do not match on cookies |
848445-5 | 3-Major | K86285055 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★ |
833685-2 | 3-Major | | Idle async handlers can remain loaded for a long time doing nothing |
712336-3 | 3-Major | | bd daemon restart loop |
686763-2 | 3-Major | | asm_start is consuming too much memory |
630355-3 | 3-Major | K57041868 | Local Logs Missing Or Recorded Found For Incorrect Policy |
975233-5 | 1-Blocking | | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 |
935401-6 | 3-Major | | BIG-IP ASM iControl REST vulnerability CVE-2021-23001 |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
727031-2 | 1-Blocking | | TMM disruption from disaggregation in vCMP systems |
760629-1 | 3-Major | | Remove Obsolete APM keys in BigDB |
739570-1 | 3-Major | | Unable to install EPSEC package★ |
766017-5 | 4-Minor | | [APM][LocalDB] Local user database instance name length check inconsistencies★ |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
621284-5 | 3-Major | | Incorrect TMSH help text for the 'max-response' RAMCACHE attribute |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
939529-5 | 3-Major | | Branch parameter not parsed properly when topmost via header received with comma separated values |
747909-2 | 4-Minor | | GTPv2 MEI and Serving-Network fields decoded incorrectly |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
726154-1 | 3-Major | | TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753014-2 | 3-Major | | PEM iRule action with RULE_INIT event fails to attach to PEM policy |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
940401-5 | 5-Cosmetic | | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
913441-1 | 2-Critical | | Tmm cores while doing Hitless Upgrade while there are active flows |
949861 | 3-Major | | Wr_urldbd returns unknown results for customdb on some blades |
741994 | 4-Minor | | Cleanup Webroot database files when database fails to download |
674795-1 | 4-Minor | | tmsh help/man page incorrectly states that the urldb feedlist polling interval is in seconds, when it should be hours. |
Cumulative fixes from BIG-IP v12.1.5.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
895525-6 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
909237-2 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability |
909233-2 | CVE-2020-8616 | K97810133 | DNS Hardening |
905905-5 | CVE-2020-5904 | K31301245 | TMUI CSRF vulnerability CVE-2020-5904 |
895993-6 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
895981-6 | CVE-2020-5902 | K52145254 | TMUI RCE vulnerability CVE-2020-5902 |
895881-5 | CVE-2020-5903 | K43638305 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 |
883717-5 | CVE-2020-5914 | K37466356 | BD crash on specific server cookie scenario |
882185-3 | CVE-2020-5897 | K20346072 | BIG-IP Edge Client Windows ActiveX |
879025-7 | CVE-2020-5913 | K72752002 | When processing TLS traffic, LTM may not enforce certificate chain restrictions |
841577-7 | CVE-2020-5922 | K20606443 | iControl REST hardening |
839453-1 | CVE-2019-10744 | K47105354 | lodash library vulnerability CVE-2019-10744 |
830401-6 | CVE-2020-5877 | K54200228 | TMM may crash while processing TCP traffic with iRules |
819197-7 | CVE-2019-13135 | K20336394 | BIGIP: CVE-2019-13135 ImageMagick vulnerability |
819189-6 | CVE-2019-13136 | K03512441 | BIGIP: CVE-2019-13136 ImageMagick vulnerability |
788057-6 | CVE-2020-5921 | K00103216 | MCPD may crash while processing syncookies |
626360 | CVE-2017-6163 | K22541983 | TMM may crash when processing HTTP2 traffic |
886085-7 | CVE-2020-5925 | K45421311 | BIG-IP TMM vulnerability CVE-2020-5925 |
883097-3 | CVE-2020-5924 | K11400411 | Radius authentication may consume excessive resources |
881445-3 | CVE-2020-5898 | K69154630 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 |
872673-5 | CVE-2020-5918 | K26464312 | TMM can crash when processing SCTP traffic |
870273-1 | CVE-2020-5936 | K44020030 | TMM may consume excessive resources when processing SSL traffic |
860477-7 | CVE-2020-5906 | K82518062 | SCP hardening |
858025-6 | CVE-2021-22984 | K33440533 | Proactive Bot Defense does not validate redirected paths |
848405-7 | CVE-2020-5933 | K26244025 | TMM may consume excessive resources while processing compressed HTTP traffic |
838881-6 | CVE-2020-5853 | K73183618 | APM Portal Access Vulnerability: CVE-2020-5853 |
837837-6 | CVE-2020-5917 | K43404629 | F5 SSH server key size vulnerability CVE-2020-5917 |
832885-6 | CVE-2020-5923 | K05975972 | Self-IP hardening |
829121-6 | CVE-2020-5886 | K65720640 | State mirroring default does not require TLS |
829117-6 | CVE-2020-5885 | K17663061 | State mirroring default does not require TLS |
888493-6 | CVE-2020-5928 | K40843345 | ASM GUI Hardening |
852929-4 | CVE-2020-5920 | K25160703 | AFM WebUI Hardening |
838909-2 | CVE-2020-5893 | K97733133 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 |
823893-5 | CVE-2020-5890 | K03318649 | Qkview may fail to completely sanitize LDAP bind credentials |
749324-4 | CVE-2012-6708 | K62532311 | jQuery Vulnerability: CVE-2012-6708 |
760723-4 | CVE-2015-4037 | K64765350 | Qemu Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
858229-1 | 3-Major | K22493037 | XML with sensitive data gets to the ICAP server |
858189-6 | 3-Major | | Make restnoded/restjavad/icrd timeout configurable with sys db variables. |
643459-3 | 3-Major | K81809012 | Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
767013-5 | 2-Critical | | Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch |
749388-4 | 2-Critical | | 'table delete' iRule command can cause TMM to crash |
743082-3 | 2-Critical | | Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★ |
737055-3 | 2-Critical | | Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy |
795649-1 | 3-Major | | Loading UCS from one iSeries model to another causes FPGA to fail to load |
788577-2 | 3-Major | | BFD sessions may be reset after CMP state change |
762073-3 | 3-Major | | Continuous TMM restarts when HSB drops off the PCI bus |
754460 | 3-Major | | No failover on HA Dual Chassis setup using HA score |
741902-4 | 3-Major | | sod does not validate message length vs. received packet length |
725791-3 | 3-Major | K44895409 | Potential HW/HSB issue detected |
722380-3 | 3-Major | | The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core. |
648621-1 | 3-Major | | SCTP: Multihome connections may not expire |
619873-2 | 3-Major | | Secure Vault: Key cleanup for 5000-, 7000-series, and i-Series platforms★ |
559001-1 | 3-Major | | Unable to clear LCD messages and Alarm LED state on non-iSeries platforms |
743815-4 | 4-Minor | | vCMP guest observes connflow reset when a CMP state change occurs. |
722230-6 | 4-Minor | | Cannot delete FQDN template node if another FQDN node resolves to same IP address |
660760-1 | 4-Minor | K75105750 | DNS graphs fail to display in the GUI |
550526 | 4-Minor | K84370515 | Some time zones prevent configuring trust with a peer device using the GUI. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
831325-4 | 2-Critical | K10701310 | HTTP PSM detects more issues with Transfer-Encoding headers |
757578-5 | 2-Critical | | RAM cache is not compatible with verify-accept |
747617-4 | 2-Critical | | TMM core when processing invalid timer |
705768-4 | 2-Critical | | The dynconfd process may core and restart with multiple DNS name servers configured |
860005-5 | 3-Major | | Ephemeral nodes/pool members may be created for wrong FQDN name |
858301-5 | 3-Major | K27551003 | HTTP RFC compliance now checks that the authority matches between the URI and Host header |
858297-5 | 3-Major | K27551003 | HTTP requests with multiple Host headers are rejected if RFC compliance is enabled |
803233-5 | 3-Major | | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable |
784565-5 | 3-Major | | VLAN groups are incompatible with fast-forwarded flows |
766169-1 | 3-Major | | Replacing all VLAN interfaces resets VLAN MTU to a default value |
755727-4 | 3-Major | | Ephemeral pool members not created after DNS flap and address record changes |
720440 | 3-Major | | Radius monitor marks pool members down after 6 seconds |
704450-2 | 3-Major | | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration |
689361-3 | 3-Major | | Configsync can change the status of a monitored pool member |
655724-3 | 3-Major | K15695 | MSRDP persistence does not work across route domains. |
640809-1 | 3-Major | K79892782 | Merged constantly restarts★ |
582207-7 | 3-Major | | MSS may exceed MTU when using HW syncookies |
575642-1 | 3-Major | | rst_cause of "Internal error" |
594064-2 | 4-Minor | K57004151 | tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
760471-5 | 3-Major | | GTM iQuery connections may be reset during SSL key renegotiation. |
746348-3 | 3-Major | | On rare occasions, gtmd fails to process probe responses originating from the same system. |
708421-1 | 3-Major | K52142743 | DNS::question 'set' options are applied to packet, but not to already parsed dns_msg |
704198-1 | 3-Major | K29403988 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
681010-1 | 3-Major | K33572148 | 'Referer' is not masked when 'Query String' contains sensitive parameter |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
866021-5 | 3-Major | | Diameter Mirror connection lost on the standby due to "process ingress error" |
815877-5 | 3-Major | | Information Elements with zero-length value are rejected by the GTP parser |
747187-4 | 3-Major | | SIP falsely detects media flow collision when SDP is in both 183 and 200 response |
745404-3 | 3-Major | | MRF SIP ALG does not reparse SDP payload if replaced |
741951-3 | 3-Major | | Multiple extensions in SIP NOTIFY request cause message to be dropped. |
651886-1 | 3-Major | | Certain FIX messages are dropped |
836357-2 | 4-Minor | | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 |
788513-5 | 4-Minor | | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
816529 | 3-Major | | If wr_urldbd is restarted while queries are being run against Custom DB, then further lookups cannot be made after wr_urldbd comes back up from restart. |
Cumulative fixes from BIG-IP v12.1.5.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
852445-6 | CVE-2019-6477 | K15840535 | Big-IP : CVE-2019-6477 BIND Vulnerability |
818709-5 | CVE-2020-5858 | K36814487 | TMSH does not follow current best practices |
818429-1 | CVE-2020-5857 | K70275209 | TMM may crash while processing HTTP traffic |
805837-5 | CVE-2019-6657 | K22441651 | REST does not follow current design best practices |
795437-1 | CVE-2019-6677 | K06747393 | Improve handling of TCP traffic for iRules |
795197-4 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 |
781377-3 | CVE-2019-6681 | K93417064 | tmrouted may crash while processing Multicast Forwarding Cache messages |
780601-5 | CVE-2020-5873 | K03585731 | SCP file transfer hardening |
778077-2 | CVE-2019-6680 | K53183580 | Virtual to virtual chain can cause TMM to crash |
767373-4 | CVE-2019-8331 | K24383845 | CVE-2019-8331: Bootstrap Vulnerability |
759343-3 | CVE-2019-6668 | K49827114 | MacOS Edge Client installer does not follow best security practices |
737731-3 | CVE-2019-6622 | K44885536 | iControl REST input sanitization |
809165-5 | CVE-2020-5854 | K50046200 | TMM may crash while processing connector traffic |
805557-5 | CVE-2020-5882 | K43815022 | TMM may crash while processing crypto data |
795797-5 | CVE-2019-6658 | K21121741 | AFM WebUI Hardening |
788773-5 | CVE-2019-9515 | K50233772 | HTTP/2 Vulnerability: CVE-2019-9515 |
788769-5 | CVE-2019-9514 | K01988340 | HTTP/2 Vulnerability: CVE-2019-9514 |
782529-5 | CVE-2019-6685 | K30215839 | iRules does not follow current design best practices |
773673-5 | CVE-2019-9512 | K98053339 | HTTP/2 Vulnerability: CVE-2019-9512 |
768981-5 | CVE-2019-6670 | K05765031 | VCMP Hypervisor Hardening |
761144-2 | CVE-2019-6684 | K95117754 | Broadcast frames may be dropped |
761112-6 | CVE-2019-6683 | K76328112 | TMM may consume excessive resources when processing FastL4 traffic |
761014-5 | CVE-2019-6669 | K11447758 | TMM may crash while processing local traffic |
725551-5 | CVE-2019-6682 | K40452417 | ASM may consume excessive resources |
857669 | CVE-2020-5908 | K33023560 | BIG-IP Edge Client may log sensitive data on Linux client |
811109 | CVE-2020-5861 | K22113131 | TMM RAM Cache Vulnerability: CVE-2020-5861 |
789893-5 | CVE-2019-6679 | K54336216 | SCP file transfer hardening |
779177-5 | CVE-2019-19150 | K37890841 | Apmd logs "client-session-id" when access-policy debug log level is enabled |
773653-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
773649-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
773641-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
773637-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
773633-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
773621-3 | CVE-2019-6656 | K23876153 | APM Client Logging |
738236-3 | CVE-2019-6688 | K25607522 | UCS does not follow current best practices |
712876-4 | CVE-2017-8824 | K15526101 | CVE-2017-8824: Kernel Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
819397-4 | 1-Blocking | K50375550 | TMM does not enforce RFC compliance when processing HTTP traffic |
769193-3 | 3-Major | | Added support for faster congestion window increase in slow-start for stretch ACKs |
557322-1 | 3-Major | | Sensitive monitor parameters recorded in bigd and monitor logs |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
765533-5 | 2-Critical | K58243048 | Sensitive information logged when DEBUG logging enabled |
621260-5 | 2-Critical | | mcpd core on iControl REST reference to non-existing pool |
812981-1 | 3-Major | | MCPD: memory leak on standby BIG-IP device |
809205-2 | 3-Major | | CVE-2019-3855: libssh2 Vulnerability |
641450 | 3-Major | K30053855 | A transaction that deletes and recreates a virtual may result in an invalid configuration |
625901-1 | 3-Major | | SNAT pools allow members in different partitions to be assigned, but this causes a load failure |
620954-3 | 3-Major | | Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable |
618137-1 | 3-Major | | Native IXLV: New tagged VLAN does not work after several restarts of tmm |
614808-1 | 3-Major | | Running qkview with option -c (--complete) fails if there is an encrypted key |
600944-1 | 3-Major | | tmsh does not reset route domain to 0 after cd /Common and loading bash |
596815-1 | 3-Major | | System DNS nameserver and search order configuration does not always sync to peers |
595317-4 | 3-Major | | Forwarding address for Type 7 in ospfv3 is not updated in the database |
584041 | 3-Major | | If a forward slash '/' is used in the description field, the admin user will be demoted to guest. |
516167-2 | 3-Major | K21382264 | TMSH listing with wildcards prevents the child object from being displayed |
503482-2 | 3-Major | | BGP cannot redistribute IPv4 routes learned from OSPFv3. |
638960-2 | 4-Minor | | A subset of the BIG-IP default profiles can be incorrectly deleted |
638893-1 | 4-Minor | | Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command |
625428-1 | 4-Minor | | SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit |
624909-2 | 4-Minor | | Static route create validation is less stringent than static route delete validation |
623536-2 | 4-Minor | | SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent |
620522-1 | 4-Minor | | Some expected command output is missing in qkview |
591732-2 | 4-Minor | | Local password policy not enforced when auth source is set to a remote type. |
590415-1 | 4-Minor | | Partition can be removed when remote role info entries refer to it |
589862-6 | 4-Minor | | HA Group percent-up display value is truncated, not rounded |
590399-1 | 5-Cosmetic | K11304001 | Unnecessary logging during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'. |
571634-1 | 5-Cosmetic | | tmstat CPU values can be incorrect |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
826601-2 | 2-Critical | | Prevent receive window shrinkage for looped flows that use a SYN cookie |
787825-4 | 2-Critical | K58243048 | Database monitors debug logs have plaintext password printed in the log file |
639764-2 | 2-Critical | | Crash when searching external data-groups with records that do not have values |
616298-1 | 2-Critical | | Loading the configuration fails when a virtual server uses HTTP Strict Transport Security (HSTS). |
615303-2 | 2-Critical | K47381511 | bigd crash with Tcl monitors |
788325-5 | 3-Major | K39794285 | Header continuation rule is applied to request/response line |
773421-5 | 3-Major | | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied |
761185-5 | 3-Major | K50375550 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic |
663730-1 | 3-Major | | Bigd prematurely kills child/external monitor process if WIFCONTINUED signal received |
643041-4 | 3-Major | K64451315 | Less than optimal interaction between OneConnect and proxy MSS |
636842-1 | 3-Major | K51472519 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled |
601189-2 | 3-Major | | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode |
594751-3 | 3-Major | K90535529 | LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN |
567330-1 | 5-Cosmetic | | tmsh show sys memory on secondaries will generate innocuous error |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
662308-1 | 2-Critical | | BD core |
636669-3 | 2-Critical | K37300224 | bd logs are full of 'Can't run patterns' messages |
635977-1 | 2-Critical | | Bd core on specific out of memory scenario |
620301-4 | 2-Critical | | Policy import fails due to missing signature System in associated Signature Set |
854177-1 | 3-Major | | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality |
850673-5 | 3-Major | | BD sends bad ACKs to the bd_agent for configuration |
832205-2 | 3-Major | | ASU cannot be completed after Signature Systems database corruption following binary Policy import |
831661-5 | 3-Major | | ASMConfig Handler undergoes frequent restarts |
809125-4 | 3-Major | | CSRF false positive |
793149-1 | 3-Major | | Adding the Strict-transport-Policy header to internal responses |
785009-1 | 3-Major | | Binary policy import fails with a user-defined Signature Set containing only non-existent signatures |
783505-1 | 3-Major | | ASU is very slow on device with hundreds of policies due to table checksums |
765809 | 3-Major | | Memory increases for the bd daemon on cluster environment primary blade |
725879 | 3-Major | | Internet Explorer running on Windows phone 8.1 gets CAPTCHA during legitimate browsing |
755005-4 | 4-Minor | | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations |
747560-2 | 4-Minor | | ASM REST: Unable to download Whitehat vulnerabilities |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
825049-2 | 1-Blocking | | Windows code signing certificate update 2019 |
685862-2 | 3-Major | | BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
642211-2 | 3-Major | | Warning logged when GENERICMESSAGE::message drop iRule command used |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
602098-1 | 3-Major | | Translation object created in non-Common partition is visible in the policy created for Common partition |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
627341-1 | 3-Major | | TMUI loginProviderName is invalid when requesting a REST token |
Cumulative fixes from BIG-IP v12.1.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
807477-4 | CVE-2019-6650 | K04280042 | ConfigSync Hardening |
797885-5 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
796469-1 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
810557-5 | CVE-2019-6649 | K05123525 | ASM ConfigSync Hardening |
799617-5 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
799589-5 | CVE-2019-6649 | K05123525 | ConfigSync Hardening |
794389-5 | CVE-2019-6651 | K89509323 | iControl REST endpoint response inconsistency |
771873-2 | CVE-2019-6642 | K40378764 | TMSH Hardening |
762453-4 | CVE-2020-5872 | K63558580 | Hardware cryptography acceleration may fail |
758065-3 | CVE-2019-6667 | K82781208 | TMM may consume excessive resources while processing FIX traffic |
757023-5 | CVE-2018-5743 | K74009656 | BIND vulnerability CVE-2018-5743 |
756538-2 | CVE-2019-6645 | K15759349 | Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair. |
739971-3 | CVE-2018-5391 | K74374841 | Linux kernel vulnerability: CVE-2018-5391 |
737574-3 | CVE-2019-6621 | K20541896 | iControl REST input sanitization★ |
737565-3 | CVE-2019-6620 | K20445457 | iControl REST input sanitization |
726393-5 | CVE-2019-6643 | K36228121 | DHCPRELAY6 can lead to a tmm crash |
715923-3 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may terminate connections unexpectedly |
794413-5 | CVE-2019-6471 | K10092301 | BIND vulnerability CVE-2019-6471 |
758018-2 | CVE-2019-6661 | K61705126 | APD/APMD may consume excessive resources |
757455-4 | CVE-2019-6647 | K87920510 | Excessive resource consumption when processing REST requests |
745257-4 | CVE-2018-14634 | K20934447 | Linux kernel vulnerability: CVE-2018-14634 |
702469-4 | CVE-2019-6633 | K73522927 | Appliance mode hardening in scp |
679861-2 | CVE-2019-6655 | K31152411 | Weak Access Restrictions on the AVR Reporting Interface |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
744937-4 | 3-Major | K00724442 | BIG-IP DNS and GTM DNSSEC security exposure |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707509-3 | 1-Blocking | | Initial vCMP guest creations can fail if certain hotfixes are used |
769809-1 | 2-Critical | | The vCMP guests 'INOPERATIVE' after upgrade |
750586-3 | 2-Critical | | HSL may incorrectly handle pending TCP connections with elongated handshake time. |
748205-2 | 2-Critical | | SSD bay identification incorrect for RAID drive replacement★ |
744331-1 | 2-Critical | | OpenSSH hardening |
743790-4 | 2-Critical | | BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus |
734539-2 | 2-Critical | | The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads |
726487-1 | 2-Critical | | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. |
710277-2 | 2-Critical | | IKEv2 further child_sa validity checks |
693996-3 | 2-Critical | K42285625 | MCPD sync errors and restart after multiple modifications to file object in chassis |
685458-5 | 2-Critical | K44738140 | merged fails merging a table when a table row has incomplete keys defined. |
671741-4 | 2-Critical | | LCD on iSeries devices can lock at red 'loading' screen. |
653152-1 | 2-Critical | | Support RSASSA-PSS-SIGN in F5 crypto APIs. |
788301-2 | 3-Major | K58243048 | SNMPv3 Hardening |
777261-1 | 3-Major | | When SNMP cannot locate a file it logs messages repeatedly |
758527-5 | 3-Major | K39604784 | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode |
758119-3 | 3-Major | K58243048 | qkview may contain sensitive information |
747592-4 | 3-Major | | PHP vulnerability CVE-2018-17082 |
746266-4 | 3-Major | | A vCMP guest VLAN MAC mismatch across blades. |
745405 | 3-Major | | Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover |
743803-5 | 3-Major | | IKEv2 potential double free of object when async request queueing fails |
738445-1 | 3-Major | | IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup |
737437-1 | 3-Major | | IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages |
663924-2 | 3-Major | | Qkview archives include Kerberos keytab files |
641753-2 | 3-Major | | Syncookies activated on a genuine connection gets reset almost 30-50% of the time |
599543-3 | 3-Major | | Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile |
575919-3 | 3-Major | | Running concurrent TMSH instances can result in error in access to history file |
523797-2 | 3-Major | | Upgrade: file path failure for process name attribute in snmp.★ |
726317-3 | 4-Minor | | Improved debugging output for mcpd |
692165-2 | 4-Minor | | A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token |
662372-1 | 4-Minor | K41250179 | Uploading a new device certificate file via the GUI might not update the device certificate |
631334-4 | 4-Minor | K69038629 | TMSH does not preserve \? for config save/load operations |
520877-1 | 4-Minor | | Alerts sent by the lcdwarn utility are not shown in tmsh |
479471-1 | 4-Minor | K00342205 | CPU statistics reported by the tmstat command may spike or go negative |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
759968-1 | 1-Blocking | | Distinct vCMP guests are able to cluster with each other. |
757391-1 | 2-Critical | | Datagroup iRule command class can lead to memory corruption |
756450-3 | 2-Critical | | Traffic using route entry that's more specific than existing blackhole route can cause core |
752930 | 2-Critical | | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state |
740963-3 | 2-Critical | | VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart |
738046-3 | 2-Critical | | SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby |
724214-2 | 2-Critical | | TMM core when using Multipath TCP |
671714-2 | 2-Critical | | Empty persistence cookie name inserted from policy can cause TMM to crash |
667779-2 | 2-Critical | | iRule commands may cause the TMM to crash in very rare situations. |
474797-7 | 2-Critical | | Nitrox crypto hardware may attempt soft reset while currently resetting |
760550-2 | 3-Major | | Retransmitted TCP packet has FIN bit set |
759480-1 | 3-Major | | HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash |
758872-1 | 3-Major | | TMM memory leak |
758631-1 | 3-Major | | ec_point_formats extension might be included in the server hello even if not specified in the client hello |
756270-1 | 3-Major | | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle |
749414-1 | 3-Major | | Invalid monitor rule instance identifier error |
749294-1 | 3-Major | | TMM cores when query session index is out of boundary |
742237-1 | 3-Major | | CPU spikes appear wider than actual in graphs |
740959-1 | 3-Major | | User with manager rights cannot delete FQDN node on non-Common partition |
739963-1 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
727292-2 | 3-Major | | SSL in proxy shutdown case does not deliver server TCP FIN |
726232-1 | 3-Major | | iRule drop/discard may crash tmm |
720219-1 | 3-Major | K13109068 | HSL::log command can fail to pick new pool member if last picked member is 'checking' |
715467-3 | 3-Major | | Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY |
702450-4 | 3-Major | | The validation error message generated by deleting certain object types referenced by a policy action is incorrect |
699598-4 | 3-Major | | HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR |
688629-3 | 3-Major | K52334096 | Deleting data-group in use by iRule does not trigger validation error |
617382-1 | 3-Major | | Csyncd memory leak on multi-bladed systems |
599567 | 3-Major | | APM assumes SNAT automap, does not use SNAT pool |
576311-1 | 3-Major | K41335027 | HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present |
511324-12 | 3-Major | K23159242 | HTTP::disable does not work after the first request/response. |
504522-2 | 3-Major | | Trailing space present after 'tmsh ltm pool members monitor' attribute value |
747585-1 | 4-Minor | | TCP Analytics supports ANY protocol number |
624168-2 | 4-Minor | | DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
735832-2 | 2-Critical | | RAM Cache traffic fails on B2150 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
750213-1 | 3-Major | K25351434 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
723790-4 | 2-Critical | | Idle asm_config_server handlers consume a lot of memory |
773553-5 | 3-Major | | ASM JSON parser false positive. |
761231-5 | 3-Major | K79240502 | Bot Defense Search Engines getting blocked after configuring DNS correctly |
760878-1 | 3-Major | | Incorrect enforcement of explicit global parameters |
727107-1 | 3-Major | | Request Logs are not stored locally due to shmem pipe blockage |
721399-3 | 3-Major | | Signature Set cannot be modified to Accuracy = 'All' after another value |
695878-5 | 3-Major | | Signature enforcement issue on specific requests |
685164-3 | 3-Major | K34646484 | In partitions with default route domain != 0 request log is not showing requests |
660327-2 | 3-Major | | Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded. |
653017-2 | 3-Major | | Bot signatures cannot be created after upgrade with DoS profile in non-Common partition |
605649-3 | 3-Major | K28782793 | The cbrd daemon runs at 100% CPU utilization |
758336-2 | 4-Minor | | Incorrect recommendation in Online Help of Proactive Bot Defense |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
774301-1 | 3-Major | | Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList |
766577-5 | 3-Major | | APMD fails to send a response to a client that has already closed the connection. |
755507-1 | 3-Major | | [App Tunnel] 'URI sanitization' error |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
709670-5 | 3-Major | | iRule triggered from RADIUS occasionally fails to create subscribers. |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
757088 | 2-Critical | | TMM clock advances and cluster failover happens during webroot db nightly updates |
754257 | 3-Major | | URL lookup queries not working |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
658417-1 | 2-Critical | | REST: Failure to authenticate/renew user who is using expired password |
Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
757025-4 | CVE-2018-5744 | K00040234 | BIND Update |
756774-3 | CVE-2019-6612 | K24401914 | Aborted DNS queries to a cache may cause a TMM crash |
754944-4 | CVE-2019-6626 | K00432398 | AVR reporting UI does not follow best practices |
754345-4 | CVE-2019-6625 | K79902360 | WebUI does not follow best security practices |
754103-3 | CVE-2019-6644 | K75532331 | iRulesLX NodeJS daemon does not follow best security practices |
753776-3 | CVE-2019-6624 | K07127032 | TMM may consume excessive resources when processing UDP traffic |
749879 | CVE-2019-6611 | K47527163 | Possible interruption while processing VPN traffic |
748502-4 | CVE-2019-6623 | K72335002 | TMM may crash when processing iSession traffic |
744035-3 | CVE-2018-15332 | K12130880 | APM Client Vulnerability: CVE-2018-15332 |
739970-3 | CVE-2018-5390 | K95343321 | Linux kernel vulnerability: CVE-2018-5390 |
739947-3 | CVE-2019-6610 | K42465020 | TMM may crash while processing APM traffic |
757027-4 | CVE-2019-6465 | K01713115 | BIND Update |
757026-4 | CVE-2018-5745 | K25244852 | BIND Update |
753796-3 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices |
750460-4 | CVE-2019-6639 | K61002104 | Subscriber management configuration GUI |
750187-4 | CVE-2019-6637 | K29149494 | ASM REST may consume excessive resources |
745713-2 | CVE-2019-6619 | K94563344 | TMM may crash when processing HTTP/2 traffic |
745387-4 | CVE-2019-6618 | K07702240 | Resource-admin user roles can no longer get bash access |
745371-3 | CVE-2019-6636 | K68151373 | AFM GUI does not follow best security practices |
745165-4 | CVE-2019-6617 | K38941195 | Users without Advanced Shell Access are not allowed SFTP access |
742226-3 | CVE-2019-6635 | K11330536 | TMSH platform_check utility does not follow best security practices |
737910-1 | CVE-2019-6609 | K18535734 | Security hardening on the following platforms |
710857-4 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage |
703835-4 | CVE-2019-6616 | K82814400 | When using SCP into BIG-IP systems, you must specify the target filename |
702472-4 | CVE-2019-6615 | K87659521 | Appliance Mode Security Hardening |
698376-4 | CVE-2019-6614 | K46524395 | Non-admin users have limited bash commands and can only write to certain directories |
673842-3 | CVE-2019-6632 | K01413496 | VCMP does not follow best security practices |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
666505-2 | 2-Critical | | Gossip between VIPRION blades |
667257-2 | 3-Major | | CPU Usage Reaches 100% With High FastL4 Traffic |
607410-1 | 3-Major | K81239824 | In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible |
600811-2 | 3-Major | | CATEGORY::lookup command change in behavior★ |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
752835-1 | 2-Critical | K46971044 | Mitigate mcpd out of memory error with auto-sync enabled. |
756153-1 | 3-Major | | Add diskmonitor support for MySQL /var/lib/mysql |
749153 | 3-Major | | Cannot create LTM policy from GUI using iControl |
735565-3 | 3-Major | | BGP neighbor peer-group config element not persisting |
726409-3 | 3-Major | | Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 |
723794-4 | 3-Major | | PTI (Meltdown) mitigation should be disabled on AMD-based platforms |
722682-1 | 3-Major | | Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★ |
720819-1 | 3-Major | | Certain platforms may take longer than expected to detect and recover from HSB lock-ups |
720269-3 | 3-Major | | TACACS audit logging may append garbage characters to the end of log strings |
720110-4 | 3-Major | | 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session. |
716166-3 | 3-Major | | Dynamic routing not added when conflicting self IPs exist |
714986-1 | 3-Major | | Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot |
714903-1 | 3-Major | | Errors in chmand |
714654-3 | 3-Major | | Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM |
709544-4 | 3-Major | | VCMP guests in HA configuration become Active/Active during upgrade★ |
707740-3 | 3-Major | | Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination |
693388-1 | 3-Major | | Log additional HSB registers when device becomes unresponsive |
678488-3 | 3-Major | K59332320 | BGP default-originate not announced to peers if several are peering over different VLANs |
639619-3 | 3-Major | | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ |
582792-7 | 3-Major | | iRules are not updated in transactions through TMSH or iControl |
581921-2 | 3-Major | K22327083 | Required files under /etc/ssh are not moved during a UCS restore |
508302-2 | 3-Major | | Auto-sync groups may revert to full sync |
671044-3 | 4-Minor | K78612407 | FIPS certificate creation can cause failover to standby system |
668964-2 | 4-Minor | K81873940 | 'bgp neighbor <peer-IP> update-source <IP>' command may apply change to all peers in peer-group |
619706-1 | 4-Minor | | tmsh appears to allow password change for internal lcd admin user |
436116-1 | 4-Minor | | The tcpdump utility may fail to capture packets |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
753912-1 | 2-Critical | K44385170 | UDP flows may not be swept |
747968-4 | 2-Critical | | DNS64 stats not increasing when requests go through DNS cache resolver |
744269-3 | 2-Critical | | dynconfd restarts if FQDN template node deleted while IP address change in progress |
741919-1 | 2-Critical | | HTTP response may be dropped following a 100 continue message. |
738945-1 | 2-Critical | | SSL persistence does not work when there are multiple handshakes present in a single record |
727206-4 | 2-Critical | | Memory corruption when using SSL Forward Proxy on certain platforms |
718210-3 | 2-Critical | | Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused |
746922-3 | 3-Major | | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. |
744536 | 3-Major | | HTTP/2 may garble large headers |
742078-1 | 3-Major | | Incoming SYNs are dropped and the connection does not time out. |
739638-1 | 3-Major | | BGP failed to connect with neighbor when pool route is used |
738523-3 | 3-Major | | SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages |
721621-2 | 3-Major | | Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node |
720799-3 | 3-Major | | Virtual Server/VIP flaps with FQDN pool members when all IP addresses change |
717896-1 | 3-Major | | Monitor instances deleted in peer unit after sync |
717100-4 | 3-Major | | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member |
716716-3 | 3-Major | | Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core |
710564-3 | 3-Major | | DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0 |
710355-1 | 3-Major | | High CPU when using HTTP::collect for large chunked payloads |
705112-1 | 3-Major | | DHCP server flows are not re-established after expiration |
685519-3 | 3-Major | | Mirrored connections ignore the handshake timeout |
651889-2 | 3-Major | | persist record may be inconsistent after a virtual hit rate limit |
625166-1 | 3-Major | | Suspended iRules cannot complete on aborted flows |
588720-1 | 3-Major | K44907534 | Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled. |
273104-2 | 3-Major | | Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps |
751586-1 | 4-Minor | | Http2 virtual does not honour translate-address disabled |
684319-2 | 4-Minor | | iRule execution logging |
664618-3 | 4-Minor | | Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block' |
658382-1 | 5-Cosmetic | | Large numbers of ERR_UNKNOWN appearing in the logs |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
756094-1 | 2-Critical | | DNS express in restart loop, 'Error writing scratch database' in ltm log |
739846-4 | 2-Critical | | Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection |
749508-4 | 3-Major | | LDNS and DNSSEC: Various OOM conditions need to be handled properly |
748902-8 | 3-Major | | Incorrect handling of memory allocations while processing DNSSEC queries |
746877-4 | 3-Major | | Omitted check for success of memory allocation for DNSSEC resource record |
744707-1 | 3-Major | | Crash related to DNSSEC key rollover |
723288-3 | 3-Major | | DNS cache replication between TMMs does not always work for net dns-resolver |
721895-1 | 3-Major | | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) |
748177-4 | 4-Minor | | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character |
726412-1 | 4-Minor | | Virtual server drop down missing objects on pool creation |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
691945-2 | 3-Major | | Security Policy Configuration Changes When Disabling Learning |
690215-1 | 3-Major | | Missing requests in request log |
641307-2 | 3-Major | | Response Page contents are corrupted by XML policy import for non-UTF-8 policies |
641083-2 | 3-Major | | Policy Builder Persistence is not saved while config events are received |
754365-2 | 4-Minor | | Updated flags for countries that changed their flags since 2010 |
583402-1 | 4-Minor | | ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
747192-3 | 2-Critical | | Small memory leak while creating Access Policy items |
714716-3 | 2-Critical | K10248311 | Apmd logs password for acp messages when in debug mode |
660913-1 | 2-Critical | | For ActiveSync client type, browscap info provided is incorrect.★ |
597674-1 | 2-Critical | | TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels. |
758764-5 | 3-Major | | APMD Core when CRLDP Auth fails to download revoked certificate |
747725-1 | 3-Major | | Kerberos Auth agent may override settings that were manually made to krb5.conf |
746768-2 | 3-Major | | APMD leaks memory if access policy contains variable/resource assign policy items |
745654-1 | 3-Major | | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server |
722969-1 | 3-Major | | Access Policy import with 'reuse' enabled instead rewrites shared objects |
672818-2 | 3-Major | | When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established |
656784-2 | 3-Major | K98510679 | Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
674367-1 | 3-Major | K20983428 | SDD v3 symmetric deduplication may stop working indefinitely |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
701680-1 | 3-Major | | MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
747104-4 | 1-Blocking | K52868493 | LibSSH: CVE-2018-10933 |
686376-1 | 3-Major | | Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon |
624314-1 | 3-Major | | AVR reports incorrect 'actions' in ACL reports |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
726647-1 | 3-Major | | PEM content insertion in a compressed response may truncate some data |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
744959-2 | 3-Major | | SNMP OID for sysLsnPoolStatTotal not incremented in stats |
708830-1 | 3-Major | | Inbound or hairpin connections may get stuck consuming memory. |
Cumulative fixes from BIG-IP v12.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
738119-3 | CVE-2019-6589 | K23566124 | SIP routing UI does not follow best practices |
714181-3 | CVE-2019-6603 | K14632915 | TMM may crash while processing TCP traffic |
671498-3 | CVE-2017-3143 | K02230327 | BIND zone contents may be manipulated |
745358-4 | CVE-2019-6607 | K14812883 | ASM GUI does not follow best practices |
737442-1 | CVE-2019-6591 | K32840424 | Error in APM Hosted Content when set to public access |
724680-3 | CVE-2018-0732 | K21665601 | OpenSSL Vulnerability: CVE-2018-0732 |
716900-1 | CVE-2019-6594 | K91026261 | TMM core when using MPTCP |
699452-3 | CVE-2019-6597 | K29280193 | Web UI does not follow current best coding practices |
658557-2 | CVE-2019-6606 | K35209601 | The snmpd daemon may leak memory when processing requests. |
643554-12 | CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 | K37526132 K44512851 K43570545 | OpenSSL vulnerabilities - OpenSSL 1.0.2k library update |
603658-1 | CVE-2019-6601 | K25359902 | AAM security hardening |
530775-4 | CVE-2019-6600 | K23734425 | Login page may generate unexpected HTML output |
701785-3 | CVE-2017-18017 | K18352029 | Linux kernel vulnerability: CVE-2017-18017 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
734527-4 | 3-Major | | BGP 'capability graceful-restart' for peer-group not properly advertised when configured |
700827-2 | 3-Major | | B2250 blades may lose efficiency when source ports form an arithmetic sequence. |
600385-1 | 3-Major | K43295141 | BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout |
597899-1 | 3-Major | | Disabling all pool members may not be reflected in Virtual Server status |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
741423-1 | 2-Critical | | Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
738887-2 | 2-Critical | | BIG-IP SNMPD vulnerability CVE-2019-6608
723722-3 | 2-Critical | | MCPD crashes if several thousand files are created between config syncs.
723298-3 | 2-Critical | | BIND upgrade to version 9.11.4
700386-1 | 2-Critical | | mcpd may dump core on startup
697424 | 2-Critical | | iControl-REST crashes on /example for firewall address-lists
691589 | 2-Critical | | When using LDAP client auth, tamd may become stuck
689437-2 | 2-Critical | K49554067 | icrd_child cores due to infinite recursion caused by incorrect group name handling
638091-4 | 2-Critical | | Config sync after changing named pool members can cause mcpd on secondary blades to restart
594366-1 | 2-Critical | K21271097 | Occasional crash of icrd_child when BIG-IP restarts
748187-1 | 3-Major | | 'Transaction Not Found' Error on PATCH after Transaction has been Created
720713-3 | 3-Major | | TMM traffic to/from an i5800/i7800/i10800 device in vCMP host mode may fail
720651-3 | 3-Major | | Running Guest Changed to Provisioned Never Stops
720461-3 | 3-Major | | qkview prompts for password on chassis
711249-2 | 3-Major | | NAS-IP-Address added to RADIUS packet unexpectedly
707391-4 | 3-Major | | BGP may keep announcing routes after disabling route health injection
706354-1 | 3-Major | | OPT-0045 optic unable to link
706104-2 | 3-Major | | Dynamically advertised route may flap
705037-3 | 3-Major | K32332000 | System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart
704449-4 | 3-Major | | Orphaned tmsh processes might eventually lead to an out-of-memory condition
700757-2 | 3-Major | | vcmpd may crash when it is exiting
698619-1 | 3-Major | | Disable port bridging on HSB ports for non-vCMP systems
693884-3 | 3-Major | | ospfd core on secondary blade during network instability
692189-3 | 3-Major | | errdefsd fails to generate a core file on request.
689002-1 | 3-Major | | Stack overflow when JSON is deeply nested
676705-2 | 3-Major | | Agetty should not run on VEs that lack a serial port
673974-1 | 3-Major | K63225596 | agetty auto detects parity on console port incorrectly
671447-2 | 3-Major | | ZebOS 7-byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
666884-2 | 3-Major | K27056204 | Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform★
653888-2 | 3-Major | | BGP advertisement-interval attribute ignored in peer group configuration
652877-3 | 3-Major | | Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
642923-2 | 3-Major | | MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
639575-5 | 3-Major | | Using libtar with files larger than 2 GB will create an unusable tarball
628402-4 | 3-Major | | Operator users receive 'can't get object count from mcpd' error in response to certain commands
613509-1 | 3-Major | K49101035 | Platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
610449-2 | 3-Major | | restarting mcpd on guest makes block-device-images disappear
602566-5 | 3-Major | | sod daemon may crash during start-up
598289-4 | 3-Major | | TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
598085-2 | 3-Major | | Expected telemetry is not transmitted by sFlow on the standby-mode unit.
563905-2 | 3-Major | | Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
491560-1 | 3-Major | | Using proxy for IP intelligence updates
737389 | 4-Minor | | Kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed
674145-3 | 4-Minor | | chmand error log message missing data
608348-4 | 4-Minor | | Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
744117-6 | 2-Critical | K18263026 | The HTTP URI is not always parsed correctly |
740490-2 | 2-Critical | | Configuration changes involving HTTP2 or SPDY may leak memory
739927-1 | 2-Critical | | Bigd crashes after a specific combination of logging operations
737758-1 | 2-Critical | | MPTCP Passthrough and VIP-on-VIP can lead to TMM core
727044-1 | 2-Critical | | TMM may crash while processing compressed data
726239-3 | 2-Critical | | Interruption of traffic handling as sod daemon restarts TMM
724868-2 | 2-Critical | | dynconfd memory usage increases over time
663178-1 | 2-Critical | | tmm may sometimes crash when using VPN
606035-1 | 2-Critical | | csyncd crash
738521-2 | 3-Major | | i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
714559-1 | 3-Major | | Removal of HTTP hash persistence cookie when a pool member goes down.
710028-4 | 3-Major | | LTM SQL monitors may stop monitoring if multiple monitors query the same database
708068-3 | 3-Major | | Tcl commands like "HTTP::path -normalize" do not return normalized path.
706102-3 | 3-Major | | SMTP monitor does not handle all multi-line banner use cases
701678-1 | 3-Major | | Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
695925-3 | 3-Major | | Tmm crash when showing connections for a CMP disabled virtual server
693910-2 | 3-Major | | Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693582-3 | 3-Major | | Monitor node log not rotated for certain monitor types
680264 | 3-Major | | HTTP2 headers frame decoding may fail when the frame is delivered in multiple xfrags
674591-2 | 3-Major | K37975308 | Packets with payload smaller than MSS are being marked to be TSOed
672312-2 | 3-Major | | IP ToS may not be forwarded to serverside with syncookie activated
666595-2 | 3-Major | | Monitor node log fd leak by bigd instances not actively monitoring node
662816-2 | 3-Major | K61902543 | Monitor node log fd leak for certain monitor types
653930-2 | 3-Major | K69713140 | Monitor with description containing backslash may fail to load.
613618-1 | 3-Major | | The TMM crashes in the websso plugin.
611482-4 | 3-Major | K71450348 | Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
610138-2 | 3-Major | K23284054 | STARTTLS in SMTPS filter does not properly restrict I/O buffering
605147-1 | 3-Major | | No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.
598707-4 | 3-Major | | Path MTU does not work in self-IP flows
586621-7 | 3-Major | K36008344 | SQL monitors 'count' config value does not work as expected.
628016-2 | 4-Minor | | MP_JOIN always fails if MPTCP never receives payload data
618884-1 | 4-Minor | | Behavior when using VLAN-Group and STP
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
750488 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750484 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750472 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750457 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
749774-2 | 3-Major | | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-2 | 3-Major | | DNS cache resolver may return a malformed truncated response with multiple OPT records
737332-2 | 3-Major | | It is possible for DNSX to serve partial zone information for a short period of time
723792-3 | 3-Major | | GTM regex handling of some escape characters renders it invalid
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
741108 | 2-Critical | | tmm dosl7 memory leak when X-Forwarded-For header value contains a long list of comma-separated IP addresses
744347-1 | 3-Major | | Protocol Security logging profiles cause slow ASM upgrade and apply policy
739945-1 | 3-Major | | JavaScript challenge on POST with 307 breaks application
738789-3 | 3-Major | | ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
738647-1 | 3-Major | | Add the login detection criteria of 'status code is not X'
737998 | 3-Major | | Brute Force end attack condition isn't satisfied for successful logins only
698757-1 | 3-Major | K58143082 | Standby system saves config and changes status after sync from peer
664714-1 | 3-Major | | Client-side challenge is changing POST parameter value under some circumstances
642185-1 | 3-Major | | Add support for IBM AppScan scanner schema changes
613728-1 | 3-Major | | Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
569195-1 | 3-Major | K41874435 | A Set-Cookie for an existing ASM cookie without value change
542817-1 | 3-Major | K11619228 | Specific numbers that are not credit card numbers are being masked as such
653895 | 4-Minor | | Admin user cannot edit policy
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
616161-1 | 2-Critical | | BD process crash and restarts
737597 | 3-Major | | AVR DoS Attack report misses virtual server name in a specific config
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
740777-2 | 2-Critical | | Secondary blades mcp daemon restart when subroutine properties are configured
672221 | 2-Critical | | TMM cores if the certificate configured to validate message signature does not exist.
631060-1 | 2-Critical | | BIG-IP may incorrectly reject serverside connection when REQLOG is configured.
745574-4 | 3-Major | | URL is not removed from custom category when deleted
739744-2 | 3-Major | | Import of Policy using Pool with members is failing
726592-2 | 3-Major | | Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
628712-1 | 3-Major | K53129098 | Advanced customization doesn't work for Profiles in non-Common partition with . (period) in name
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
706642-3 | 2-Critical | | wamd may leak memory during configuration changes and cluster events
603746-1 | 4-Minor | | DCDB security hardening
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
724532-1 | 2-Critical | | SIGSEGV during IP intelligence category match in TMM
710755-2 | 2-Critical | | TMM crash when route information becomes stale and the system accesses stale information.
699454-3 | 4-Minor | | Web UI does not follow current best coding practices
627454 | 4-Minor | | Trimming leading whitespaces at logging profile creation
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
744516-2 | 2-Critical | | TMM panics after a large number of LSN remote picks
734446-3 | 2-Critical | | TMM crash after changing LSN pool mode from PBA to NAPT
669645-1 | 2-Critical | | tmm crashes after LSN pool member change
663531-1 | 2-Critical | | TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
746868 | 2-Critical | | Memory leak when "apply to base domain" is enabled
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
739094-4 | CVE-2018-5546 | K54431371 | APM Client Vulnerability: CVE-2018-5546 |
737441-1 | CVE-2018-5546 | K54431371 | Disallow hard links to svpn log files |
726089-3 | CVE-2018-15312 | K44462254 | Modifications to AVR metrics page |
724339-2 | CVE-2018-15314 | K04524282 | Unexpected TMUI output in AFM |
724335-2 | CVE-2018-15313 | K21042153 | Unexpected TMUI output in AFM |
722677-3 | CVE-2019-6604 | K26455071 | BIG-IP HSB vulnerability CVE-2019-6604 |
722387-2 | CVE-2019-6596 | K97241515 | TMM may crash when processing APM DTLS traffic |
722091-2 | CVE-2018-15319 | K64208870 | TMM may crash while processing HTTP traffic |
717742-3 | CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 | K44923228 | Oracle Java SE vulnerability CVE-2018-2783 |
707990-3 | CVE-2018-15315 | K41704442 | Unexpected TMUI output in SSL Certificate Instance page |
704184-3 | CVE-2018-5529 | K52171282 | APM Mac Client creates files with owner-only read/write permissions
701253-3 | CVE-2018-15318 | K16248201 | TMM core when using MPTCP |
721924-3 | CVE-2018-17539 | K17264695 | BIG-IP ARM BGP vulnerability CVE-2018-17539 |
719554-3 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
674486-5 | CVE-2017-9233 | K03244804 | Expat Vulnerability: CVE-2017-9233 |
661828-1 | CVE-2019-6590 | K55101404 | TMM may consume excessive resources when processing SSL traffic |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
715750-3 | 3-Major | K41515225 | The BIG-IP system may exhibit undesirable behaviors when receiving a FIN mid-stream in an SSL connection.
652671-4 | 3-Major | K31326690 | Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
716391-3 | 2-Critical | K76031538 | High priority for MySQL on 2 core vCMP may lead to control plane process starvation |
690793-2 | 2-Critical | K25263287 | TMM may crash and dump core due to improper connflow tracking |
688148-1 | 2-Critical | | IKEv1 racoon daemon SEGV during phase-two SA list iteration
613476-2 | 2-Critical | | IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion
704247-3 | 3-Major | | BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
686124-3 | 3-Major | K83576240 | IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
678380-3 | 3-Major | K26023811 | Deleting an IKEv1 peer in current use could SEGV on race conditions.
671712 | 3-Major | | The values returned for the ltmUserStatProfileStat table are incorrect.
670528-1 | 3-Major | K20251354 | Warnings during vCMP host upgrade.
620746-1 | 3-Major | | MCPD crash
580602-1 | 3-Major | | Configuration containing LTM nodes with IPv6 link-local addresses fails to load.
551925-3 | 3-Major | | Misdirected UDP traffic with hardware acceleration
464650-4 | 3-Major | | Failure of mcpd with invalid authentication context.
689211-2 | 4-Minor | | IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
678254-2 | 4-Minor | | Error logged when restarting Tomcat
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
716213-3 | 2-Critical | | BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
697259-1 | 2-Critical | K14023450 | Different versioned vCMP guests on the same chassis may crash.
694656-3 | 2-Critical | K05186205 | Routing changes may cause TMM to restart
666401-2 | 2-Critical | K03294104 | Memory might become corrupted when a Standby device transitions to Active during failover
659709-1 | 2-Critical | | Mirroring persistence records may cause a TMM memory leak
641869-1 | 2-Critical | K62744980 | Assertion "vmem_hashlist_remove not found" failed.
635191-1 | 2-Critical | | Under rare circumstances TMM may crash
618106-1 | 2-Critical | K74714343 | bigd core due to memory leak, especially with FQDN nodes
615097-1 | 2-Critical | | Incorrect use of HTTP::collect leads to TMM core.
513310-1 | 2-Critical | | TMM might core when a profile is changed.
722363-1 | 3-Major | | Client fails to connect to server when using PVA offload at Established
720293-1 | 3-Major | | HTTP2 IPv4 to IPv6 fails
713690-1 | 3-Major | | IPv6 cache route metrics are locked
712664-4 | 3-Major | | IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
711981-3 | 3-Major | | BIG-IP system accepts larger-than-egress MTU, PMTU update
700696-2 | 3-Major | | SSID does not cache fragmented Client Certificates correctly via iRule
694697-3 | 3-Major | K62065305 | clusterd logs heartbeat check messages at log level info
693308-3 | 3-Major | | SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
691224-1 | 3-Major | K59327001 | Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled
671725-1 | 3-Major | K19920320 | Connection leak on standby unit
632968-2 | 3-Major | | supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
600812-1 | 3-Major | | IPv6 virtual address with icmp-echo enabled on an IPv6 host IP forwarding ignores the neighbor advertisement packet.
578971-3 | 3-Major | | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
572234-2 | 3-Major | | When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
716922-4 | 4-Minor | | Reduction in PUSH flags when Nagle Enabled
622148-5 | 4-Minor | | Flow-generated ICMP error messages need to consider which side of the proxy they are on
602708-2 | 4-Minor | K84837413 | Traffic may not passthrough CoS by default |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
718885-1 | 2-Critical | K25348242 | Under certain conditions, monitor probes may not be sent at the configured interval |
726255-3 | 3-Major | | dns_path lingering in memory with last_access 0 causing high memory usage
719644-1 | 3-Major | | If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
715448-1 | 3-Major | | Providing LB::status with a GTM Pool name in a variable caused validation issues
710246-3 | 3-Major | | DNS-Express was not sending out NOTIFY messages on VE
636790-3 | 3-Major | | Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
739798 | 2-Critical | | Massive number of log messages being generated and written to the bd.log.
734622 | 2-Critical | K83093212 | Policy change with newly enforced signatures causes sig collection failure in other policies
721741-2 | 2-Critical | | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
716788-3 | 2-Critical | | TMM may crash while response modifications are being performed within DoSL7 filter
685230-1 | 2-Critical | | Memory leak on a specific server scenario
666221-2 | 2-Critical | K47152503 | tmm may crash from DoSL7
617391-1 | 2-Critical | K53345828 | Custom ASM Search Engines causing sync, offline, and upgrade issues★
721752-1 | 3-Major | | Null char returned in REST for Suggestion with more than MAX_INT occurrences
713282-3 | 3-Major | | Remote logger violation_details field does not appear when virtual server has more than one remote logger
701856-2 | 3-Major | | Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
701039 | 3-Major | | Requests do not appear in local logging due to rare file descriptor exhaustion
676223-2 | 3-Major | | Internal parameter in order not to sign allowed cookies
650070-2 | 3-Major | K23041827 | iRule that uses ASM violation details may cause the system to reset the request
648639-3 | 3-Major | K92201230 | TS cookie name contains NULL or other raw byte
646800-2 | 3-Major | | A part of the request is not sent to ICAP server in a specific case
644725-4 | 3-Major | K01914292 | Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
614730-1 | 3-Major | | Session opening log shows incorrect number of challenged responses.
564324-2 | 3-Major | | ASM scripts can break applications
463314-2 | 4-Minor | | Enabling ASM AJAX blocking response page feature causes cross domain AJAX requests to fail
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
685741 | 3-Major | | DoS Overview is very slow to load data, to the point of timeout
649177-2 | 3-Major | K54018808 | Testing for connection to SMTP Server always returns "OK" |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
722013-3 | 2-Critical | | MCPD restarts on all secondary blades post config-sync involving APM customization group
631286-1 | 2-Critical | | TMM Memory leak caused by APM URI cache entries
546489-1 | 2-Critical | | VMware View USB redirection stops working after client reconnect
739144-1 | 3-Major | | Domain logoff scripts run after VPN connection is closed
738397-2 | 3-Major | | SAML IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
726895-1 | 3-Major | K02205915 | VPE cannot modify subroutine settings
713655-3 | 3-Major | | RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
703793-1 | 3-Major | | tmm restarts when using 'ACCESS::perflow get' in certain events
702873-3 | 3-Major | | Windows Logon Integration feature may cause Windows logon screen freeze
631626 | 3-Major | | Unable to delete an access profile which contains a route domain agent
631048-1 | 3-Major | | Portal Access [PeopleSoft] 'My Preferences' page does not have content
596166-1 | 3-Major | | Cannot create email using Address Book
565347-2 | 3-Major | | Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
721375 | 4-Minor | | Export then import of config with RSA server in it might fail
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
603755-1 | 2-Critical | | dwbld core dump when Auto Blacklisting is configured, in a rare scenario
698806-2 | 3-Major | | Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
738669-3 | 3-Major | | Login validation may fail for a large request with early server response
716318-4 | 3-Major | | Engine/Signatures automatic update check may fail to find/download the latest update
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
726303 | 3-Major | | Unlock 10 million custom db entry limit
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
716992-3 | CVE-2018-5539 | K75432956 | The ASM bd process may crash |
710244-1 | CVE-2018-5536 | K27391542 | Memory Leak of access policy execution objects |
709972-4 | CVE-2017-12613 | K52319810 | CVE-2017-12613: APR Vulnerability |
709688-5 | CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 | K08306700 | dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
693744-3 | CVE-2018-5531 | K64721111 | CVE-2018-5531: vCMP vulnerability |
710827-4 | CVE-2019-6598 | K44603900 | TMUI dashboard daemon stability issue |
710705-3 | CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 | K34035645 | Multiple Wireshark vulnerabilities |
710314-2 | CVE-2018-5537 | K94105051 | TMM may crash while processing HTML traffic |
710148-4 | CVE-2017-1000111 CVE-2017-1000112 | K60250153 | CVE-2017-1000111 & CVE-2017-1000112
705476-4 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
703940-3 | CVE-2018-5530 | K45611803 | Malformed HTTP/2 frame consumes excessive system resources |
698813-3 | CVE-2018-5538 | K45435121 | When processing DNSX transfers ZoneRunner does not enforce best practices |
677088-4 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
672124-3 | CVE-2018-5541 | K12403422 | Excessive resource usage when BD is processing requests |
714879-1 | CVE-2018-15326 | K34652116 | APM CRLDP Auth passes all certs |
708653-3 | CVE-2018-15311 | K07550539 | TMM may crash while processing TCP traffic |
673165 | CVE-2017-7895 | K15004519 | CVE-2017-7895: Linux Kernel Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
671999-2 | 3-Major | | Re-extract the Thales software every time the installation script is run
643034-1 | 3-Major | K52510343 | Turn off TCP Proxy ICMP forwarding by default
620445-4 | 3-Major | | New SIP::persist keyword to set the timeout without changing key
613023-4 | 3-Major | | Update SIP::persist to support resetting timeout value.
441079-2 | 3-Major | K55242686 | BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
693007-3 | 4-Minor | | Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
700315-3 | 1-Blocking | K26130444 | Ctrl+C does not terminate TShark |
636774-1 | 1-Blocking | | Potential TMM crash due to BWC token distribution logic
723130-3 | 2-Critical | K13996 | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
707003-2 | 2-Critical | | Unexpected syntax error in TMSH AVR
706423-2 | 2-Critical | | tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
696113-1 | 2-Critical | | Extra IPsec reference added per crypto operation overflows connflow refcount
692158-2 | 2-Critical | | iCall and CLI script memory leak when saving configuration
690819-3 | 2-Critical | | Using an iRule module after a 'session lookup' may result in crash
671314-4 | 2-Critical | K37093335 | BIG-IP system cores when sending SIP SCTP traffic
665362-4 | 2-Critical | | MCPD might crash if the AOM restarts
663197-3 | 2-Critical | | Security hardening of files to prevent sensitive configuration from being stored in qkview.
626861-2 | 2-Critical | K31220138 | Ensure unique IKEv2 sequence numbers
599223-1 | 2-Critical | | Prevent static destructors in tmipsecd daemon
581851-2 | 2-Critical | K16234725 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
559980-1 | 2-Critical | | Changing console baud rate requires reboot to take effect
508113-3 | 2-Critical | | tmsh load sys config base merge file <filename> fails
720880 | 3-Major | | Attempts to license/re-license the BIG-IP system fail.
720756 | 3-Major | | SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720104 | 3-Major | | BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
714848 | 3-Major | | OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled
710602 | 3-Major | | iCRD commands requiring 'root' user access fixed
707445 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover
704336-3 | 3-Major | | Updated 3rd party device cert not copied correctly to trusted certificate store
704282-3 | 3-Major | | TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
701900 | 3-Major | K55938217 | DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
698947-1 | 3-Major | | BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
694740-1 | 3-Major | | BIG-IP reboot during a TMM core results in an incomplete core dump
693106-2 | 3-Major | | IKEv1 newest established phase-one SAs should be found first in a search
692179-3 | 3-Major | | Potential high memory usage from errdefsd.
687905 | 3-Major | K72040312 | OneConnect profile causes CMP redirected connections on the HA standby
687534-3 | 3-Major | | If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
686926-3 | 3-Major | | IPsec: responder N(cookie) in SA_INIT response handled incorrectly
684391-1 | 3-Major | | Existing IPsec tunnels reload. tmipsecd creates a core file.
680838-3 | 3-Major | | IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-3 | 3-Major | K44117473 | ECP does not work for PFS in IKEv2 child SAs
678925-4 | 3-Major | | Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
677928-2 | 3-Major | | A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
676897-1 | 3-Major | K25082113 | IPsec keeps failing to reconnect
676092-1 | 3-Major | | IPsec keeps failing to reconnect
675718-1 | 3-Major | | IPsec keeps failing to reconnect
669268 | 3-Major | | Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
667223 | 3-Major | | The merge option for the tmsh load sys config command removes existing nested objects
666035-1 | 3-Major | | Obscuring secrets in files collected by qkview
621314-6 | 3-Major | K55358710 | SCTP virtual server with mirroring may cause excessive memory use on standby device
617865-1 | 3-Major | | Missing health monitor information for FQDN members
605270-5 | 3-Major | | On some platforms the SYN-Cookie status report is not accurate
588929-2 | 3-Major | | SCTP emits 'address conflict detected' log messages during failover
588794-2 | 3-Major | | Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
588771-2 | 3-Major | | SCTP needs traffic-group validation for server-side client alternate addresses
586938-1 | 3-Major | K57360106 | Standby device will respond to the ARP of the SCTP multihoming alternate address
586031-1 | 3-Major | K40453207 | Configuration with LTM policy may fail to load
525580-1 | 3-Major | K51013874 | tmsh load sys config merge file filename.scf base command does not work as expected
685475-3 | 4-Minor | K93145012 | Unexpected error when applying hotfix
680856-3 | 4-Minor | | IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
679135-3 | 4-Minor | | IKEv1 and IKEv2 cannot share common local address in tunnels
678388-3 | 4-Minor | K00050055 | IKEv1 racoon daemon is not restarted when killed multiple times
658298-3 | 4-Minor | | SMB monitor marks node down when file not specified
624484-2 | 4-Minor | K09023677 | Timestamps not available in bash history on non-login interactive shells
573031-1 | 4-Minor | | qkview may not collect certain configuration files in their entirety
720391-1 | 5-Cosmetic | | BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
713491-1 | 5-Cosmetic | | IKEv1 logging shows SPI of deleted SA with opposite endianness
651826-2 | 5-Cosmetic | | SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
718071-3 | 2-Critical | | HTTP2 with ASM policy not passing traffic
709334-2 | 2-Critical | | Memory leak when SSL Forward proxy is used and SSL re-negotiates
708114-3 | 2-Critical | K33319853 | TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-2 | 2-Critical | | Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707207-2 | 2-Critical | | iRuleLx returning undefined value may cause TMM restart
703914-1 | 2-Critical | | TMM SIGSEGV crash in poolmbr_conn_dec.
686685-1 | 2-Critical | | LTM Policy internal compilation error
683631-1 | 2-Critical | | TMM crashes during stress test
678722-2 | 2-Critical | | In SSL-O, TMM may core when SSL forward proxy cleans up certificate resources
676721-2 | 2-Critical | K33325265 | Missing check for NULL condition causes tmm crash.
674004-1 | 2-Critical | K34448924 | tmm may crash after deleting pool member in traffic
670804-2 | 2-Critical | K03163260 | Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
656898-2 | 2-Critical | | 'oops' 'bad transition' messages occur
613524-3 | 2-Critical | | TMM crash when calling HTTP::respond twice in LB_FAILED
598110-1 | 2-Critical | | pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.
586587-1 | 2-Critical | | RatePaceMaxRate functionality does not work for TCP flows where the round-trip time (RTT) is less than 6ms.
571651-3 | 2-Critical | | Reset Nitrox3 crypto accelerator queue if it becomes stuck.
440620-2 | 2-Critical | | New connections may be reset when a client reuses the same port as it used for a recently closed connection
713951-3 | 3-Major | | tmm core files produced by nitrox_diag may be missing data
713934-4 | 3-Major | | Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
712475-1 | 3-Major | K56479945 | DNS zones without servers will prevent DNS Express reading zone data
712464-1 | 3-Major | | Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
712437-1 | 3-Major | K20355559 | Records containing hyphens (-) will prevent child zone from loading correctly
711281-3 | 3-Major | | nitrox_diag may run out of space on /shared
707951 | 3-Major | | Stalled mirrored flows on HA next-active when OneConnect is used.
704381-3 | 3-Major | | SSL/TLS handshake failures and terminations are logged at too low a level
703580 | 3-Major | | TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
702151-2 | 3-Major | | HTTP/2 can garble large headers
700889-2 | 3-Major | K07330445 | Software syncookies without TCP TS improperly include TCP options that are not encoded |
700061-3 | 3-Major | Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file | |
700057-3 | 3-Major | LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved | |
698916-3 | 3-Major | TMM crash with HTTP/2 under specific condition | |
698379-3 | 3-Major | K61238215 | HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( |
693838 | 3-Major | Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors | |
691806-3 | 3-Major | K61815412 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state |
688553-1 | 3-Major | SASP GWM monitor may not mark member UP as expected | |
685615-5 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
681757-1 | 3-Major | K32521651 | Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member' |
678872-2 | 3-Major | Inconsistent behavior for virtual-address and selfip on the same ip-address | |
677525-3 | 3-Major | Translucent VLAN group may use unexpected source MAC address | |
676914-1 | 3-Major | The SSL Session Cache can grow indefinitely if the traffic group is changed. | |
676828-2 | 3-Major | K09012436 | Host IPv6 traffic is generated even when ipv6.enabled is false |
676355-2 | 3-Major | DTLS retransmission does not comply with RFC in certain resumed SSL session | |
675212-3 | 3-Major | The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication | |
673052-2 | 3-Major | On i-Series platforms, HTTP/2 is limited to 10 streams | |
671337-1 | 3-Major | NetHSM DNSSEC key creation can attempt to change the SELinux label on a file | |
668196-2 | 3-Major | Connection limit continues to be enforced with least-connections and pool member flap, member remains down | |
668006-1 | 3-Major | K12015701 | Suspended 'after' command leads to assertion if there are multiple pending events |
667707-2 | 3-Major | LTM policy associations with virtual servers are not ConfigSynced correctly | |
659519-1 | 3-Major | K42400554 | Non-default header-table-size setting on HTTP2 profiles may cause issues |
657883-2 | 3-Major | K34442339 | tmm cache resolver should not cache response with TTL=0 |
657626-2 | 3-Major | User with role 'Manager' cannot delete/publish LTM policy. | |
651541-2 | 3-Major | K83955631 | Changes to the HTTP profile do not trigger validation for virtual servers using that profile |
636289-2 | 3-Major | Fixed a memory issue while handling TCP::congestion iRule | |
633691-4 | 3-Major | HTTP transaction may not finish gracefully due to TCP connection is closed by RST | |
624846-1 | 3-Major | TCP Fast Open does not work for Responses < 1 MSS | |
604838-1 | 3-Major | TCP Analytics reports incorrectly reports entities as "Aggregated" | |
595281-1 | 3-Major | TCP Analytics reports huge goodput numbers | |
570277-1 | 3-Major | K16044231 | SafeNet client not able to establish session to all HSMs on all blades. |
367226-4 | 3-Major | Outgoing RIP advertisements may have incorrect source port | |
251162-3 | 3-Major | K11564 | The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name |
248914-4 | 3-Major | K00612197 | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address |
713533-3 | 4-Minor | list self-ip with queries does not work | |
708249-4 | 4-Minor | nitrox_diag utility generates QKView files with 5 MB maximum file size limit | |
700433-2 | 4-Minor | K10870739 | Memory leak when attaching an LTM policy to a virtual server |
685467-2 | 4-Minor | K12933087 | Certain header manipulations in HTTP profile may result in losing connection. |
678801-2 | 4-Minor | WS::enabled returned empty string | |
677958-2 | 4-Minor | WS::frame prepend and WS::frame append do not insert string in the right place. | |
645729-1 | 4-Minor | SSL connection is not mirrored if ssl session cache is cleared and resume attempted | |
639970-3 | 4-Minor | GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error | |
627764-2 | 4-Minor | Prevent sending a 2nd RST for a TCP connection | |
627695-2 | 4-Minor | [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational | |
621379-2 | 4-Minor | TCP Lossfilter not enforced after iRule changes TCP settings | |
618024-2 | 4-Minor | software switched platforms accept traffic on lacp trunks even when the trunk is down | |
604272-1 | 4-Minor | SMTPS profile connections_current stat does not reflect actual connection count. | |
523814-3 | 4-Minor | When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections | |
522302-2 | 4-Minor | TCP Receive Window error messages are inconsistent on UI | |
495242-3 | 4-Minor | mcpd log messages: Failed to unpublish LOIPC object |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
713066-3 | 2-Critical | K10620131 | Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-1 | 2-Critical | | DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
706128-1 | 3-Major | | DNSSEC Signed Zone Transfers Can Leak Memory
705503-1 | 3-Major | | Context leaked from iRule DNS lookup
680069-3 | 3-Major | K81834254 | zxfrd cores during a transfer when the network fails and the DNS server is removed from the DNS zone config★
675539-1 | 3-Major | | Inter-system communications targeted at a Management IP address might not work in some cases.
672491-2 | 3-Major | K10990182 | net resolver uses internal IP as source if matching wildcard forwarding virtual server
660263-4 | 3-Major | | DNS transparent cache message and RR set activity counters not incrementing
653775-3 | 3-Major | K05397641 | Ampersand (&) in GTM synchronization group name causes synchronization failure.
643813-2 | 3-Major | | ZoneRunner does not properly process $ORIGIN directives
637227-4 | 3-Major | K60414305 | DNS Validating Resolver produces inconsistent results with DNS64 configurations.
629421-1 | 3-Major | | Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
609527-2 | 3-Major | | DNS cache local zone not properly copying recursion desired (RD) flag in response
602300-1 | 3-Major | | Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
669262-2 | 4-Minor | | [GUI][ZoneRunner] reverse zones should be treated case-insensitively when creating resource record
638170-1 | 4-Minor | K36455356 | Pagination broken or missing while viewing pool statistics for GTM wideip
605537-5 | 4-Minor | K03997964 | Error when resetting statistics on GSLB Pool Members
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description
639767-2 | 2-Critical | | Policy with Session Awareness Statuses may fail to export
606983-3 | 2-Critical | | ASM errors during policy import
580862-1 | 2-Critical | | Policy disabled after being enabled with apply-policy via REST; asm-sync removal fixes it
712362-1 | 3-Major | | ASM stalls WebSocket frames after legitimate WebSocket handshake with 101 status code, but without 'Switching Protocols' reason phrase
710327-3 | 3-Major | | Remote logger message is truncated at NULL character.
707888 | 3-Major | | Some ASM operations delayed due to scheduled ASU update
707147-2 | 3-Major | | High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-1 | 3-Major | | False positive illegal multipart violation
704143-2 | 3-Major | | BD memory leak
700726-1 | 3-Major | | Search engine list updated, and the case of multiple entries fixed
691897-1 | 3-Major | | Names of the modified cookies do not appear in the event log
687759-2 | 3-Major | | bd crash
686765-1 | 3-Major | | Database cleaning failure may allow MySQL space to fill the disk entirely
683241-3 | 3-Major | K70517410 | Improve CSRF token handling
674527-1 | 3-Major | | TCL error in ltm log when server closes connection while ASM iRules are running
666112-1 | 3-Major | K53708490 | TMM 'DoS Layer 7' memory leak during config load
663396-1 | 3-Major | | URL Method override is enforced incorrectly after upgrade
654996-1 | 3-Major | K50345236 | Closed connections remain in memory
665470-1 | 4-Minor | | Failed to load sample requests on the Traffic Learning page when a VIOL_MALICIOUS_IP violation is raised
700812-2 | 5-Cosmetic | | asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description
716747-4 | 2-Critical | | TMM may crash while processing APM or SWG traffic
715250-2 | 2-Critical | | TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
681850-1 | 2-Critical | | APMD process may fail to initialize on start either after upgrade or after adding certain configurations
671373-2 | 2-Critical | | urldb core seen
632798-2 | 2-Critical | K30710317 | Double-free may occur if Access initialization fails
720695-2 | 3-Major | | Export then import of APM access Profile/Policy with advanced customization is failing
720030-3 | 3-Major | | Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
718208-1 | 3-Major | | Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO
715207-2 | 3-Major | | coapi errors while modifying per-request policy in VPE
714542-1 | 3-Major | | 'Always Connected Mode' text is missing in EdgeClient tray
712924 | 3-Major | | In VPE, the SecurID server list is not displayed in the SecurID authentication dialogue
712857-1 | 3-Major | | SWG-Explicit rejects large POST bodies during policy evaluation
706374-2 | 3-Major | | Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704524-2 | 3-Major | | [Kerberos SSO] Support for EDNS for Kerberos DNS SRV queries
684937-6 | 3-Major | K26451305 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-6 | 3-Major | K22904904 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
658664-3 | 3-Major | K21390304 | VPN connection drops when 'prohibit routing table change' is enabled
609793-1 | 3-Major | | HTTP header modify agent logs an error message because it is disabled, since it cannot modify headers/cookies in the HTTP response.
602429-1 | 3-Major | | DNS suffix is not restored after disconnecting Network Access
543344-3 | 3-Major | | ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
516736-1 | 3-Major | | URLs with backslashes in the path may not be handled correctly in Portal Access
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description
703515-5 | 2-Critical | K44933323 | MRF SIP LB - Message corruption when using custom persistence key
698338-2 | 2-Critical | | Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
685708-3 | 2-Critical | | Routing via iRule to a host without providing a transport, from a connection created by a transport-config, cores
669739-1 | 2-Critical | K71963740 | Potential core when using MRF SIP with SCTP
659173-1 | 2-Critical | K76352741 | Diameter Message Length Limit Changed from 1024 to 4096 Bytes
700571-2 | 3-Major | | SIP MR profile sets incorrect branch param for CANCEL to INVITE
696049-3 | 3-Major | | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
688942-3 | 3-Major | | ICAP: Chunk parser performs poorly with very large chunk
679114-2 | 3-Major | | Persistence record expires early if an error is returned for a BYE command
674747-2 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries.
673814-4 | 3-Major | K37822302 | Custom bidirectional persistence entries are not updated to the session timeout
642298-3 | 3-Major | | Unable to create a bidirectional custom persistence record in MRF SIP
640384-3 | 3-Major | | New iRule options for MR::message route command
620759-4 | 3-Major | | Persist timeout value gets truncated when added to the branch parameter.
632658-4 | 4-Minor | | Enable SIP::persist command to operate during SIP_RESPONSE event
617690-4 | 4-Minor | | Enable SIP::respond iRule command to operate during MR_FAILED event
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description
677473-1 | 2-Critical | | MCPD core is generated on multiple add/remove of Mgmt-Rules
663770-2 | 3-Major | K04025134 | AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description
699531-3 | 2-Critical | | Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-3 | 2-Critical | | TMM core may be seen when using Application reporting with flow filter in PEM
715090 | 3-Major | | PEM policy actions obtained via a PCRF are not applied for traffic-generated subscribers
711570-1 | 3-Major | | PEM iRule subscriber policy name query using subscriber ID may not return applied policies
711093-2 | 3-Major | | PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-1 | 3-Major | | Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-3 | 3-Major | | Increase PEM HSL reporting buffer size to 4K.
648802-3 | 3-Major | | Required custom AVPs are not included in an RAA when reporting an error.
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description
667662-1 | 3-Major | K06579313 | Autolasthop does not work for PPTP-GRE traffic. |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description
625114-2 | 2-Critical | K08062851 | Internal sync-change conflict after update to local users table |
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
708956 | 1-Blocking | K51206433 | During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
696732 | 2-Critical | K54431534 | tmm may crash in a compression provider
697616 | 3-Major | | Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
692239-1 | 3-Major | K31554905 | AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
689730-2 | 3-Major | | Software installations from v13.1.0 might fail★
674455-7 | 3-Major | | Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
680388-2 | 4-Minor | | f5optics should not show function name in non-debug log messages
653759-2 | 4-Minor | | Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
701538-1 | 2-Critical | | SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
662078-1 | 2-Critical | | Occasionally connections are dropped in response to timing errors
694778-2 | 3-Major | | Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-1 | 3-Major | | Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-2 | 3-Major | | Change the default compression strategy to speed
632824-1 | 3-Major | K00722715 | SSL TPS limit can be reached if the system clock is adjusted
495443-10 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors.
679496-1 | 4-Minor | | Add 'comp_req' to the output of 'tmctl compress'
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
695901-2 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
693312-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
688516-2 | CVE-2018-5518 | K03165684 | vCMPd may crash when processing bridged network traffic |
704580-3 | CVE-2018-5549 | K05018525 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP |
701359-2 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
688009-5 | CVE-2018-5519 | K46121888 | Appliance Mode TMSH hardening |
671497-4 | CVE-2017-3142 | K59448931 | TSIG authentication bypass in AXFR requests |
615269-1 | CVE-2016-2183 | K13167034 | CVE-2016-2183: AFM SSH Proxy Vulnerability |
603758-1 | CVE-2018-5540 | K82038789 | Big3D security hardening |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
680850-1 | 3-Major | K48342409 | Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
570570-5 | 3-Major | | Default crypto failure action is now 'go-offline-downlinks'.
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
711547 | 1-Blocking | | Update cipher support for Common Criteria compliance
708054-3 | 2-Critical | | Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-2 | 2-Critical | | bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
703761-1 | 2-Critical | | Disable DSA keys for public-key and host-based authentication in Common Criteria mode
677937-1 | 2-Critical | K41517253 | APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
673484-1 | 2-Critical | K85405312 | IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
664549-2 | 2-Critical | K55105132 | TMM restart while processing rewrite filter
599423-1 | 2-Critical | K24584925 | merged cores and restarts
583111-1 | 2-Critical | | BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
701626-1 | 3-Major | K16465222 | GUI resets custom Certificate Key Chain in child client SSL profile
686029-1 | 3-Major | | A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
664737-2 | 3-Major | | Do not reboot on ctrl-alt-del
655005-1 | 3-Major | K23355841 | "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
646890-1 | 3-Major | K12068427 | IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
635703-1 | 3-Major | K14508857 | Interface description may cause some interface level commands to be removed
614486-1 | 3-Major | | BGP community lower bytes of zero is not allowed to be set in route-map
612721-4 | 3-Major | | FIPS: .exp keys cannot be imported when the local source directory contains .key file
609967-2 | 3-Major | K55424912 | qkview missing some HugePage memory data
586412-2 | 3-Major | | BGP peer-group members address-family configuration not saved to configuration
583108-1 | 3-Major | | Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
581101-1 | 3-Major | | non-admin user running list cmd: can't get object count
557155-8 | 3-Major | K33044393 | BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
421797-3 | 3-Major | | ePVA continues to accelerate hardware offloaded traffic in Standby.
651413-2 | 4-Minor | K34042229 | tmsh list ltm node does not return an error when node does not exist
598437-1 | 4-Minor | | SNMP process monitoring is incorrect for tmm and bigd
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
706631 | 2-Critical | | A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-1 | 2-Critical | | TMM may crash under load when configuration changes occur while the HTTP/2 profile is in use
704666-2 | 2-Critical | | Memory corruption can occur when using certain certificates
701202-1 | 2-Critical | K35023432 | SSL memory corruption
700862-2 | 2-Critical | K15130240 | tmm SIGFPE 'valid node'
700393-2 | 2-Critical | K53464344 | Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
685254-1 | 2-Critical | K14013100 | RAM Cache Exceeding Watchdog Timeout in Header Field Search
678416-2 | 2-Critical | | Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
676028-2 | 2-Critical | K09689143 | SSL forward proxy bypass may fail to release memory used for ssl_hs instances
673951-4 | 2-Critical | K56466330 | Memory leak when using HTTP2 profile
670814-2 | 2-Critical | | Wrong SELinux label breaks netHSM DNSSEC keys
665185-1 | 2-Critical | K20994524 | SSL handshake reference is not dropped if forward proxy certificate lookup failed
657463-2 | 2-Critical | | SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake.
648320-3 | 2-Critical | K38159538 | Downloading via APM tunnels could experience performance downgrade.
647757-2 | 2-Critical | K96395052 | RATE-SHAPER: Fred not properly initialized may halt traffic
613088-3 | 2-Critical | | pkcs11d thread has session initialization problem.
452283-2 | 2-Critical | | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
705794-1 | 3-Major | | Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
690042-3 | 3-Major | K43412307 | Potential Tcl leak during iRule suspend operation
689449-3 | 3-Major | | Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
687205-3 | 3-Major | | Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
686972-1 | 3-Major | | The change of APM log settings will reset the SSL session cache.
686395 | 3-Major | | With DTLS version 1, when the client hello uses version 1.2, the handshake shall proceed
683697-3 | 3-Major | K00647240 | SASP monitor may use the same UID for multiple HA device group members
677962-3 | 3-Major | | Invalid use of SETTINGS_MAX_FRAME_SIZE
677457 | 3-Major | K13036194 | HTTP/2 Gateway appends semicolon when a request has one or more cookies
677400-3 | 3-Major | K82502883 | pimd daemon may exit on failover
673399-1 | 3-Major | | HTTP request dropped after a 401 exchange when a WebSockets profile is attached to virtual server.
665652-2 | 3-Major | K41193475 | Multicast traffic not forwarded to members of VLAN group
664528-1 | 3-Major | K53282793 | SSL record can be larger than maximum fragment size (16384 bytes)
663551-1 | 3-Major | K14942957 | SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
662911-2 | 3-Major | K93119070 | SASP monitor uses same UID for all vCMP guests in a chassis or appliance
654368-7 | 3-Major | K15732489 | ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
654086-3 | 3-Major | | Incorrect handling of HTTP2 data frames larger than minimal frame size
653976-2 | 3-Major | K00610259 | SSL handshake fails if server certificate contains multiple CommonNames
651901-2 | 3-Major | | Removed unnecessary ASSERTs in MPTCP code
640369-2 | 3-Major | | TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the VLAN
633333-3 | 3-Major | | During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
619844-2 | 3-Major | | Packet leak if reject command is used in FLOW_INIT rule
611691-5 | 3-Major | | Packet payload ignored when DSS option contains DATA_FIN
608991-7 | 3-Major | | BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
605480-4 | 3-Major | | BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
604880-4 | 3-Major | | tmm assert "valid pcb" in tcp.c
604549-7 | 3-Major | | MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
592731-1 | 3-Major | K34220124 | Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
653746-2 | 4-Minor | K83324551 | Unable to display detailed CPU graphs if the number of CPUs is too large
569814-2 | 4-Minor | K30240351 | iRule "nexthop IP_ADDR" rejected by validator
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
710424-3 | 2-Critical | | Possible SIGSEGV in GTMD when GTM persistence is enabled.
699135-2 | 2-Critical | | tmm cores with SIGSEGV in dns_rebuild_response while using host command for a non-A/AAAA wideip
691287-3 | 2-Critical | | tmm crashes on iRule with GTM pool command
682335-3 | 2-Critical | | TMM can establish multiple connections to the same gtmd
699339-1 | 3-Major | K24634702 | Geolocation upgrade files fail to replicate to secondary blades
696808-3 | 3-Major | | Disabling a single pool member removes all GTM persistence records
687128-3 | 3-Major | | gtm::host iRule validation for ipv4 and ipv6 addresses
679149-2 | 3-Major | | TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
663310-3 | 3-Major | | named reports "file format mismatch" for text slave zone files when upgrading to versions with BIND 9.9.X★
619158-1 | 3-Major | | iRule DNS request with trailing dot times out with empty response
595293-4 | 3-Major | | Deleting GTM links could cause gtm_add to fail on new devices.
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description
679221-1 | 1-Blocking | | APMD may generate a core file or appear locked up after APM configuration is changed
702278-3 | 2-Critical | | Potential XSS security exposure on APM logon page.
678715-1 | 2-Critical | | Large volume of query result update to SessionDB fails and locks down ApmD
712315-1 | 3-Major | | LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
710211 | 3-Major | | Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
702490-4 | 3-Major | | Windows Credential Reuse feature may not work
702487-1 | 3-Major | | AD/LDAP admins with spaces in names are not supported
700780-4 | 3-Major | | F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
699267-1 | 3-Major | | LDAP Query may fail to resolve nested groups
681415-1 | 3-Major | | Copying of profile with advanced customization or images might fail
675775-2 | 3-Major | | TMM crashes inside dynamic ACL building session db callback
672250-1 | 3-Major | | SessionDB update from ApmD with large volume fails
671149-3 | 3-Major | | Captive portal login page is not rendered until it is refreshed
669459-2 | 3-Major | | Effect of bad connection handle between APMD and memcachd
639283-4 | 3-Major | | Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
569542-1 | 3-Major | | After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★
667237-3 | 4-Minor | | Edge Client logs the routing and IP tables repeatedly
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description
673463-2 | 2-Critical | K68275280 | SDD v3 symmetric deduplication may start performing poorly after a failover event
685693 | 3-Major | | APM AppTunnels memory leak
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description
702738 | 3-Major | K32181540 | TMM might crash when activating a new blob after changing firewall rules
528499-3 | 4-Minor | | AFM address lists are not sorted while trying to create a new rule.
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
706086-1 | CVE-2018-5515 | K62750376 | PAM RADIUS authentication subsystem hardening
704490 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown)
704483 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1)
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
467709-1 | 4-Minor | | FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
707226-2 | 1-Blocking | | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
704804-2 | 3-Major | | The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-2 | 3-Major | | NAS-IP-Address is sent with the bytes in reverse order
703869-1 | 3-Major | | Waagent updated to 2.2.21
701249-2 | 3-Major | | RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
699147 | 3-Major | | Hourly billed cloud images are now pre-licensed
687098 | 3-Major | | IPv6 RADIUS servers not supported for remote authentication
674288-2 | 3-Major | K62223225 | FQDN nodes - monitor attribute doesn't reliably show in GUI
649465-1 | 3-Major | | SELinux warning messages regarding nsm daemon
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
695117 | 2-Critical | K30081842 | bigd cores and sends corrupted MCP messages with many FQDN nodes
668883 | 2-Critical | | FQDN pool member status may become out-of-sync when enabled/disabled through GUI
707675 | 3-Major | | FQDN nodes or pool members flap when DNS response received
701609 | 3-Major | | Static member of pool with FQDN members may revert to user-disabled after being re-enabled
685344-2 | 3-Major | | Monitor 'min 1 of' not working as expected with FQDN nodes/members
673075-1 | 3-Major | | Reduced Issues for Monitors configured with FQDN
671228-1 | 3-Major | | Multiple FQDN ephemeral nodes may be created with autopopulate disabled
667560-3 | 3-Major | K69205908 | FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
573602-1 | 3-Major | | FQDN pool members not shown by tmsh show ltm monitor
573302-1 | 3-Major | | FQDN pool member remains in disabled state after removing monitor
571095-1 | 3-Major | | Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
699262-2 | 5-Cosmetic | | FQDN pool member status remains in 'checking' state after full config sync
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
700556-2 | CVE-2018-5504 | K11718033 | TMM may crash when processing WebSockets data |
698080-1 | CVE-2018-5503 | K54562183 | TMM may consume excessive resources when processing with PEM |
691504-3 | CVE-2018-5503 | K54562183 | PEM content insertion in a compressed response may cause a crash. |
686305-2 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
677193-2 | CVE-2017-6154 | K38243073 | ASM BD Daemon Crash. |
674189 | CVE-2016-0718 | K52320548 | iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0 |
673078-1 | CVE-2017-6150 | K62712037 | TMM may crash when processing FastL4 traffic |
670822-3 | CVE-2017-6148 | K55225440 | TMM may crash when processing SOCKS data |
668501-2 | CVE-2017-6151 | K07369970 | HTTP2 does not handle some URIs correctly |
630446-1 | CVE-2016-0718 | K52320548 | Expat vulnerability CVE-2016-0718 |
621233-1 | CVE-2018-5509 | K49440608 | FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm |
699455-3 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
699346-2 | CVE-2018-5524 | K53931245 | NetHSM capacity reduces when handling errors |
694274-2 | CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 | K23565223 | [RHSA-2017:3195-01] Important: httpd security update - EL6.7 |
688625-2 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
688011-5 | CVE-2018-5520 | K02043709 | Dig utility does not apply best practices |
676457-3 | CVE-2017-6153 | K52167636 | TMM may consume excessive resource when processing compressed data |
671638-4 | CVE-2018-5500 | K33211839 | TMM crash when load-balancing mptcp traffic |
670405-4 | CVE-2017-1000366 | K20486351 | glibc vulnerability CVE-2017-1000366 |
662850-2 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
662663-6 | CVE-2018-5507 | K52521791 | Decryption failure Nitrox platforms in vCMP mode |
643375-1 | CVE-2018-5508 | K10329515 | TMM may crash when processing compressed data |
631204-1 | CVE-2018-5521 | K23124150 | GeoIP lookups incorrectly parse IP addresses |
617273-7 | CVE-2016-5300 | K70938105 | Expat XML library vulnerability CVE-2016-5300 |
593139-9 | CVE-2014-9761 | K31211252 | glibc vulnerability CVE-2014-9761 |
572272-5 | CVE-2018-5506 | K65355492 | BIG-IP - Anonymous Certificate ID Enumeration |
673607-2 | CVE-2017-3169 | K83043359 | Apache CVE-2017-3169 |
672667-4 | CVE-2017-7679 | K75429050 | CVE-2017-7679: Apache vulnerability |
605579-8 | CVE-2012-6702 | K65460334 | iControl-SOAP expat client library is subject to an entropy attack |
578983-4 | CVE-2015-8778 | K51079478 | glibc: Integer overflow in hcreate and hcreate_r |
684033-1 | CVE-2017-9798 | K70084351 | CVE-2017-9798 : Apache Vulnerability (OptionsBleed) |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
686389-3 | 3-Major | | APM does not honor per-farm HTML5 client disabling at the View Connection Server |
685020-1 | 3-Major | | Enhancement to SessionDB provides timeout |
653772-2 | 3-Major | | fastL4 fails to evict flows from the ePVA |
639505-3 | 3-Major | | BGP may not send all configured aggregate routes |
587107-3 | 3-Major | | Allow iQuery to negotiate up to version TLS1.2 |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
667148-1 | 1-Blocking | K02500042 | Config load or upgrade can fail when loading GTM objects from a non-/Common partition |
689577-1 | 2-Critical | K45800333 | ospf6d may crash when processing specific LSAs |
678833 | 2-Critical | | IPv6 prefix SPDAG causes packet drop |
676203-1 | 2-Critical | | Inter-blade mpi connection fails, does not recover, and eventually all memory is consumed. |
667405-2 | 2-Critical | K61251939 | Fragmented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM. |
667404-2 | 2-Critical | K77576404 | Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts |
651362 | 2-Critical | | eventd crashes during boot |
631700-1 | 2-Critical | K72453283 | sod may kill bcm56xxd under heavy load |
617733-1 | 2-Critical | | Error message: subscriber id response; Subscription not found |
580753-1 | 2-Critical | K82583534 | eventd might core on transition to secondary. |
563661-2 | 2-Critical | | Datastor may crash |
694696-3 | 3-Major | | On multiblade Viprion, creating a new traffic-group causes the device to go Offline |
687658-2 | 3-Major | | Monitor operations in transaction will cause it to stay unchecked |
687353-3 | 3-Major | K35595105 | Qkview truncates tmstat snapshot files |
682213-3 | 3-Major | K31623549 | TLS v1.2 support in IP reputation daemon |
679480-1 | 3-Major | | User able to create node when an ephemeral with the same IP already exists |
674320-2 | 3-Major | K11357182 | Syncing a large number of folders can prevent the configuration getting saved on the peer systems |
672815-2 | 3-Major | | Incorrect disaggregation on VIPRION B4200 blades |
671082-1 | 3-Major | K85168072 | snmpd constantly restarting |
669888-2 | 3-Major | | No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96 |
669462-1 | 3-Major | | Error adding /Common/WideIPs as members to GTM Pool in non-Common partition |
669415-1 | 3-Major | | Flow eviction for hardware-accelerated flow might fail |
664894-1 | 3-Major | K11070206 | PEM sessions lost when new blade is inserted in chassis |
664057-2 | 3-Major | | Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached |
664017-3 | 3-Major | | OCSP may reject valid responses |
652968-2 | 3-Major | K88825548 | IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys |
645723-2 | 3-Major | K74371937 | Dynamic routing update can delete admin ip route from the kernel |
632366-1 | 3-Major | | Prevent a spurious Broadcom switch driver failure. |
631316 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★ |
626990-1 | 3-Major | K64915164 | restjavad logs flooded with messages from ChildWrapper |
624362-1 | 3-Major | | VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file |
623803-2 | 3-Major | K12921801 | General DB error when selecting Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP' |
610122-1 | 3-Major | | Hotfix installation fails: can't create /service/snmpd/run★ |
598724-1 | 3-Major | | Abandoned indefinite lifetime SessionDB entries on STANDBY devices. |
586887-2 | 3-Major | K25883308 | SCTP tmm crash with virtual server destination. |
579760-3 | 3-Major | K55703840 | HSL::send may fail to resume after log server pool member goes down/up |
471237-2 | 3-Major | K12155235 | BIG-IP VE instances do not work with an encrypted disk in AWS. |
699281 | 4-Minor | | Version format of hypervisor bundle matches Version format of ISO |
669255-2 | 4-Minor | K20100613 | An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms |
660239-3 | 4-Minor | | When accessing the dashboard, invalid HTTP headers may be present |
655085-2 | 4-Minor | | While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors |
613275-2 | 4-Minor | K62581339 | SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up |
601168-1 | 4-Minor | | Incorrect virtual server CPU utilization may be observed. |
509980-1 | 4-Minor | | Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
692970-3 | 2-Critical | | Using UDP port 67 for purposes other than DHCP might cause TMM to crash |
687603-1 | 2-Critical | K36243347 | tmsh query for dns records may cause tmm to crash |
686228-3 | 2-Critical | K23243525 | TMM may crash in some circumstances with VLAN failsafe |
682682-3 | 2-Critical | | tmm asserts on a virtual server-to-virtual server connection |
681175-1 | 2-Critical | K32153360 | TMM may crash during routing updates |
676982-2 | 2-Critical | K21958352 | Active connection count increases over time, long after connections expire |
674576-4 | 2-Critical | | Outage may occur with VIP-VIP configurations |
665924-1 | 2-Critical | K24847056 | The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios |
665732-2 | 2-Critical | K45001711 | FastHTTP may crash when receiving a fragmented IP packet |
664461-3 | 2-Critical | K16804728 | Replacing HTTP payload can cause tmm restart |
658989-2 | 2-Critical | | Memory leak when connection terminates in iRule process |
639039-4 | 2-Critical | K33754014 | Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons |
614702-1 | 2-Critical | K24172560 | Race condition when using SSL Orchestrator can cause TMM to core |
704073-3 | 3-Major | K24233427 | Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm |
698000-1 | 3-Major | K04473510 | Connections may stop passing traffic after a route update |
689089-3 | 3-Major | | VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot |
686307-1 | 3-Major | K10665315 | Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later |
686065-1 | 3-Major | | RESOLV::lookup iRule command can trigger crash with slow resolver |
685955 | 3-Major | | TMM hud_message_ctx leak |
685110-3 | 3-Major | K05430133 | With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members. |
683683-1 | 3-Major | | ASN1::encode returns wrong binary data |
682104-1 | 3-Major | | HTTP PSM leaks memory when looking up evasion descriptions |
680755-1 | 3-Major | K27015502 | max-request enforcement no longer works outside of OneConnect |
673621-2 | 3-Major | | Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile. |
670816-2 | 3-Major | K44519487 | HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters |
669974-1 | 3-Major | K90395411 | Encoding binary data using ASN1::encode may truncate result |
668522-1 | 3-Major | | bigd might try to read from a file descriptor that is not ready for read |
668419-1 | 3-Major | K53322151 | ClientHello sent in multiple packets results in TCP connection close |
666315 | 3-Major | | Global SNAT sets TTL to 255 instead of decrementing |
666160-1 | 3-Major | K63132146 | L7 Policy reconfiguration causes a slow memory leak |
665022-1 | 3-Major | | Rateshaper stalls when TSO packet length exceeds max ceiling. |
664769-1 | 3-Major | | TMM may restart when using SOCKS profile and an iRule |
663821-3 | 3-Major | K41344010 | SNAT Stats may not include port FTP traffic |
661881-2 | 3-Major | K00030614 | Memory and performance issues when using certain ASN.1 decoding formats in iRules |
659648-2 | 3-Major | | LTM Policy rule name migration doesn't properly handle whitespace |
657795-1 | 3-Major | K51498984 | Possible performance impact on some SSL connections |
655432-7 | 3-Major | K85522235 | SSL renegotiation failed intermittently with AES-GCM cipher |
651681-4 | 3-Major | | Orphaned bigd instances may exist (within multi-process bigd) |
651135-4 | 3-Major | K41685444 | LTM Policy error when rule names contain slash (/) character★ |
645220-2 | 3-Major | | bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs |
645197-3 | 3-Major | | Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change |
640565-1 | 3-Major | K11564859 | Incorrect packet size sent to clone pool member |
636149-3 | 3-Major | | Multiple monitor response codes to single monitor probe failure |
628721-1 | 3-Major | | In rare conditions, DNS cache resolver outbound TCP connections fail to expire. |
627926-1 | 3-Major | K21211001 | Retrieving a server-side SSL session ID in iRules does not work |
584865-1 | 3-Major | | Primary slot mismatch after primary cluster member leaves and then rejoins the cluster |
582487-2 | 3-Major | K22210514 | 'merged.method' set to 'slow_merge,' does not update system stats |
574526-1 | 3-Major | K55542554 | HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter |
573366-4 | 3-Major | | parking command used in the nesting script of clientside and serverside command can cause tmm core |
692095-3 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN Node/Pool Member |
625892-2 | 4-Minor | | Nagle Algorithm Not Fully Enforced with TSO |
530877-7 | 4-Minor | K13887095 | TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
692941-3 | 2-Critical | | GTMD and TMM SIGSEGV when changing wide IP pool in GTMD |
678861-3 | 2-Critical | | DNS:: namespace commands in procs cause upgrade failure when changing from Link Controller license to other★ |
580537-1 | 2-Critical | | The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data |
562921-4 | 2-Critical | | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems |
700527-1 | 3-Major | | cmp-hash change can cause repeated iRule DNS-lookup hang |
691498-1 | 3-Major | | Connection failure during iRule DNS lookup can crash TMM |
690166-3 | 3-Major | | ZoneRunner creates new stub zone when creating a SRV WIP with more subdomains |
671326-2 | 3-Major | K81052338 | DNS Cache debug logging might cause tmm to crash. |
667469-1 | 3-Major | K35324588 | Higher than expected CPU usage when using DNS Cache |
665347-2 | 3-Major | K17060443 | GTM listener object cannot be created via tmsh while in non-Common partition |
636853-2 | 3-Major | K19401488 | Under some conditions, a change in the order of GTM topology records does not take effect. |
621374-1 | 3-Major | | "abbrev" argument in "whereis" iRule returns nothing |
487144-2 | 3-Major | | tmm intermittently reports that it cannot find FIPS key |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
701327-1 | 2-Critical | | failed configuration deletion may cause unwanted bd exit |
699720-3 | 2-Critical | | ASM crash when configuring remote logger for WebSocket traffic with response-logging:all |
691670-3 | 2-Critical | | Rare BD crash in a specific scenario |
684312-2 | 2-Critical | K54140729 | During Apply Policy action, bd agent crashes, causing the machine to go Offline |
681109-2 | 2-Critical | K46212485 | BD crash in a specific scenario |
679603-2 | 2-Critical | K15460886 | bd core upon request, when profile has sensitive element configured. |
678462-2 | 2-Critical | | after chassis failover: asmlogd CPU 100% on secondary |
678228-1 | 2-Critical | K27568142 | Repeated Errors in ASM Sync |
672301-2 | 2-Critical | | ASM crashes when using a logout object configuration in ASM policy |
664708-2 | 2-Critical | | TMM memory leak when DoS profile is attached to VS |
662281-2 | 2-Critical | | Inconsistencies in Automatic sync ASM Device Group |
637252-1 | 2-Critical | K73107660 | Rest worker becomes unreliable after processing a call that generated an error |
633070-1 | 2-Critical | | Sync Inconsistencies when using Autosync ASM Group between Chassis devices |
631609-1 | 2-Critical | | ASM Centralized Management Infrastructure Sync issues |
614441-4 | 2-Critical | K04950182 | False Positive for illegal method (GET) |
611154-1 | 2-Critical | | BD crash |
599221-1 | 2-Critical | | ASM Policy cannot be created in non-default partition via the Import Policy Task |
576123-3 | 2-Critical | K23221623 | ASM policies are created as inactive policies on the peer device |
702946-2 | 3-Major | | Added option to reset staging period for signatures |
701841-1 | 3-Major | | Unnecessary file recovery_db/conf.tar.gz consumes /var disk space |
700564-2 | 3-Major | | JavaScript errors shown when debugging a mobile device with ASM deviceID enabled |
700330 | 3-Major | | AJAX blocking page isn't shown when a webpage uses jQuery framework. |
700143-1 | 3-Major | | ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages |
698919-1 | 3-Major | | Anti virus false positive detection on long XML uploads |
697303-3 | 3-Major | | BD crash |
696265-3 | 3-Major | K60985582 | BD crash |
694922-4 | 3-Major | | ASM Auto-Sync Device Group Does Not Sync |
691477-1 | 3-Major | | ASM standby unit showing future date and high version count for ASM Device Group |
685743-3 | 3-Major | | When changing internal parameter 'request_buffer_size', violations in large requests might not be reported |
685207-2 | 3-Major | | DoS client side challenge does not encode the Referer header. |
683508-3 | 3-Major | K00152663 | WebSockets: umu memory leak of binary frames when remote logger is configured |
682612 | 3-Major | | Event Correlation is disabled on vCMP even though all the prerequisites are met. |
679384-1 | 3-Major | K85153939 | The policy builder is not getting updates about the newly added signatures. |
678293-1 | 3-Major | K25066531 | Uncleaned policy history files cause /var disk exhaustion |
676416-2 | 3-Major | | BD restart when switching FTP profiles |
675232-3 | 3-Major | | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction |
674494-1 | 3-Major | K77993010 | BD memory leak on specific configuration and specific traffic |
671675-1 | 3-Major | | Centralized Management Infrastructure: asm_config_server restart on device group change |
668184-1 | 3-Major | | Huge values are shown in the AVR statistics for ASM violations |
668181-2 | 3-Major | | Policy automatic learning mode changes to manual after failover |
667922 | 3-Major | K44692860 | Alternative unicode encoding in JSON objects not being parsed correctly |
666986-2 | 3-Major | K50320144 | Filter by Support ID is not working in Request Log |
663535-1 | 3-Major | | Sending ASM cookies with "secure" attribute even without client-ssl profile |
654925-1 | 3-Major | K25952033 | Memory Leak in ASM Sync Listener Process |
654873-2 | 3-Major | | ASM Auto-Sync Device Group |
619516-1 | 3-Major | | Inconsistencies in Automatic sync ASM Device Group |
605982-1 | 3-Major | | Policy settings change during export/import |
434821-1 | 3-Major | | Remote logging of staged signatures and staged sets |
694073-1 | 4-Minor | | All signature update details are shown in 'View update history from previous BIG-IP versions' popup |
655159-1 | 4-Minor | K84550544 | Wrong XML profile name in Request Log details for XML violation |
625602-3 | 4-Minor | | ASM Auto-Sync Device Group Does Not Sync |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
658343-2 | 3-Major | K33043439 | AVR tcp-analytics: per-host RTT average may show incorrect values |
648242 | 3-Major | K73521040 | Administrator users unable to access all partition via TMSH for AVR reports |
582029-4 | 3-Major | | AVR might report incorrect statistics when used together with other modules. |
682105 | 4-Minor | | Adding widget in Analytics Overview can cause measures list to empty out on Page change |
649161-1 | 4-Minor | K42340304 | AVR caching mechanism not working properly |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
693739-3 | 2-Critical | | VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled |
660711-1 | 2-Critical | K05265457 | MCPd might crash when a user tries to import an access policy |
649234-3 | 2-Critical | K64131101 | TMM crash from a possible memory corruption. |
639929-2 | 2-Critical | | Session variable replace with value containing these characters ' " & < > = may cause tmm crash |
632178-1 | 2-Critical | | LDAP Query agent creates only two session variables when required attributes list is empty |
703984-2 | 3-Major | | Machine Cert agent improperly matches hostname with CN and SAN |
703429-1 | 3-Major | | Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services |
700783-3 | 3-Major | | Machine certificate check does not check against all FQDN hostnames |
692307-1 | 3-Major | | User with 'operator' role may not be able to view some session variables |
689826-2 | 3-Major | K95422068 | Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese) |
686282-1 | 3-Major | | APMD intermittently crashes when processing access policies |
684325-3 | 3-Major | | APMD Memory leak when applying a specific access profile |
683389-1 | 3-Major | | Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file |
682500-1 | 3-Major | | VDI Profile and Storefront Portal Access resource do not work together |
680112-1 | 3-Major | K18131781 | SWG-Explicit rejects large POST bodies during policy evaluation |
678851-1 | 3-Major | | Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase() |
676690-3 | 3-Major | | Windows Edge Client sometimes crashes when user signs out from Windows |
675866-1 | 3-Major | | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO |
675399-3 | 3-Major | K14304639 | Network Access does not work when empty variables are assigned for WINS and DNS |
674593-1 | 3-Major | | APM configuration snapshot takes a long time to create |
674410-3 | 3-Major | K59281892 | AD auth failures due to invalid Kerberos tickets |
673748-1 | 3-Major | K19534801 | ng_export, ng_import might leave security.configpassword in invalid state |
672868-1 | 3-Major | | Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly |
672040-3 | 3-Major | | Access Policy Causing Duplicate iRule Event Execution |
671597-1 | 3-Major | | Import, export, copy and delete take too long on a 1000-entry policy |
670910-2 | 3-Major | | Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined |
669510-2 | 3-Major | | When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled. |
669154-1 | 3-Major | K25342114 | Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases. |
668623-5 | 3-Major | K85991425 | macOS Edge client fails to detect correct system language for regions other than USA |
668503-3 | 3-Major | | Edge Client fails to reconnect to virtual server after disabling Network Adapter |
668129-1 | 3-Major | | BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers. |
666689-1 | 3-Major | | Occasional "profile not found" errors following activate access policy |
666058-2 | 3-Major | K86091857 | XenApp 6.5 published icons are not displayed on APM Webtop |
665416-3 | 3-Major | K02016491 | Old versions of APM configuration snapshots need to be reaped more aggressively if not used |
665330-1 | 3-Major | | MSIE 11 should avoid compatibility mode |
664507-3 | 3-Major | | When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration |
663127-1 | 3-Major | | Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration. |
655364-1 | 3-Major | | Portal access rewriting window.opener causes JS exception |
655146-2 | 3-Major | | APM Profile access stats are not updated correctly |
654508-2 | 3-Major | | SharePoint MS-OFBA browser window displays Javascript errors |
654046-1 | 3-Major | K22121533 | BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs. |
653771-2 | 3-Major | | tmm crash after per-request policy error |
653324-3 | 3-Major | K87979026 | On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly |
651910-2 | 3-Major | | Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later |
649613-3 | 3-Major | | Multiple UDP/TCP packets packed into one DTLS Record |
632646-4 | 3-Major | | APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server. |
629921-4 | 3-Major | | SWG: NTLM 407-based front-end auth with passthrough 401-based NTLM backend auth does not work. |
621682-1 | 3-Major | | Portal Access: problem with specific JavaScript code |
616104-2 | 3-Major | | VMware View connections to pool hit matching BIG-IP virtuals |
613373-2 | 3-Major | | Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page |
610582-2 | 3-Major | | Device Guard prevents Edge Client connections |
601420-3 | 3-Major | | Possible SAML authentication loop with IE and multi-domain SSO. |
596083-1 | 3-Major | | Error running custom APM Reports with "session creation time" on Viprion Platform |
590992-3 | 3-Major | | If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working |
578413-1 | 3-Major | | Missing reference to customization-group from connectivity profile if created via portal access wizard |
575444-1 | 3-Major | | Wininfo agent incorrectly reports OS version on Windows 10 in some cases |
563135-3 | 3-Major | | SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt |
466068-1 | 3-Major | | Allow setting of the AAA Radius server timeout value larger than 60 seconds |
447565-5 | 3-Major | K33692321 | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
691017-1 | 4-Minor | | Preventing ng_export hangs |
684414-1 | 4-Minor | | Retrieving too many groups is causing out of memory errors in TMUI and VPE |
673717-1 | 4-Minor | | VPE loading times can be very long |
671627-1 | 4-Minor | K06424790 | HTTP responses without body may contain chunked body with empty payload being processed by Portal Access. |
667304-1 | 4-Minor | K68108551 | Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled |
561892-2 | 4-Minor | K08121752 | Kerberos cache is not cleared when Administrator password is changed in AAA AD Server |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
662844 | 2-Critical | K87735013 | TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x. |
643785-3 | 2-Critical | | diadb crashes if it cannot find pool name |
699431 | 3-Major | | Possible memory leak in MRF under low memory |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
456376-4 | 1-Blocking | K53153545 | BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32 |
671052-3 | 2-Critical | K50324413 | AFM NAT security RST the traffic with (FW NAT) dst_trans failed |
644822-2 | 2-Critical | K19245372 | FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned |
564058-1 | 2-Critical | K91467162 | AutoDoS daemon aborts intermittently after it's being up for several days |
620543-1 | 3-Major | | Security Address Lists and Port Lists can't change Description field |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
696383-2 | 2-Critical | | PEM Diameter incomplete flow crashes when swept |
694717-3 | 2-Critical | | Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup. |
616008-3 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
696789-2 | 3-Major | | PEM Diameter incomplete flow crashes when TCL resumed |
695968-3 | 3-Major | | Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues. |
694319-3 | 3-Major | | CCA without a request type AVP cannot be tracked in PEM. |
694318-3 | 3-Major | | PEM subscriber sessions will not be deleted if a CCA-T contains a DIAMETER_TOO_BUSY return code and no request type AVP. |
684333-3 | 3-Major | | PEM session created by Gx may get deleted across HA multiple switchover with CLI command |
678820-2 | 3-Major | | Potential memory leak if PEM Diameter sessions are not created successfully. |
678714-3 | 3-Major | | After HA failover, subscriber data has stale session ID information |
660187-3 | 3-Major | | TMM core after intra-chassis failover for some instances of subscriber creation |
642068-1 | 3-Major | | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens |
638594-3 | 3-Major | | TMM crash when handling unknown Gx messages. |
627616-3 | 3-Major | | CCR-U missing upon VALIDITY TIMER expiry when quota is zero |
624231-5 | 3-Major | | No flow control when using content-insertion with compression |
680729-3 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
678822-3 | 4-Minor | | Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
663333-1 | 2-Critical | | TMM may core in PBA mode if LSN pool is under-provisioned or the utilization is high |
615432-1 | 2-Critical | | Multiple TFTP data transfers cannot be initiated in a single session |
663974-2 | 3-Major | | TMM crash when using LSN inbound connections |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
692123-2 | 3-Major | | GET parameter is grayed out if MobileSafe is not licensed |
667892-2 | 3-Major | | FPS: BLFN inheritance won't take effect until GUI refresh |
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
681710-4 | CVE-2017-6155 | K10930474 | Malformed HTTP/2 requests may cause TMM to crash |
673595-2 | CVE-2017-3167 CVE-2017-3169 | K34125394 | Apache CVE-2017-3167 |
648786-5 | CVE-2017-6169 | K31404801 | TMM crashes when categorizing long URLs |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
673129 | 3-Major | K41458656 | New feature: revoke license |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
682837 | 1-Blocking | | Compression watchdog period too brief.
675921 | 1-Blocking | | Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
696468 | 2-Critical | | Active compression requests can become starved from too many queued requests.
667173 | 2-Critical | | 13.1.0 cannot join a device group with 13.1.0.1
665656-1 | 2-Critical | | BWC with iSession may memory leak
663366-3 | 2-Critical | | SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
621386-1 | 2-Critical | K91988084 | restjavad spawns too many icrd_child instances
683114-1 | 3-Major | | Need support for 4th element version in Update Check
679959-1 | 3-Major | | Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
672988-2 | 3-Major | K03433341 | MCP memory leak when performing incremental ConfigSync
669288-3 | 3-Major | K76152943 | Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
668352-2 | 3-Major | | High Speed Logging unbalance in log distribution for multiple pool destination.
668048-1 | 3-Major | K02551403 | TMM memory leak when manually enabling/disabling pool member used as HSL destination
663063-2 | 3-Major | | Disabling pool member used in busy HSL TCP destination can result in service disruption.
659057-1 | 3-Major | | BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
658636-2 | 3-Major | K51355172 | When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
652691-1 | 3-Major | | Installation fails if only .iso.384.sig (new format signature file) is present★
652689-2 | 3-Major | K14243280 | Displaying 100G interfaces
642952 | 3-Major | | platform_check doesn't run PCI check on i11800
640636-3 | 3-Major | | F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638881-1 | 3-Major | | Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
628739-1 | 3-Major | | BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
628735-1 | 3-Major | | Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
604547-1 | 3-Major | K21551422 | Unix daemon configuration may be lost or not be updated upon reboot
674515 | 4-Minor | | New revoke license feature for VE only implemented
663580-1 | 4-Minor | K31981624 | logrotate does not automatically run when /var/log reaches 90% usage
644723-1 | 4-Minor | | cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
507206-1 | 4-Minor | | Multicast Out stats always zero for management interface.
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
689080 | 2-Critical | | Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value
463097-3 | 3-Major | | Clock advanced messages with large amount of data maintained in DNS Express zones
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
672504-1 | 2-Critical | K52325625 | Deleting zones from large databases can take excessive amounts of time.
614788-1 | 2-Critical | | zxfrd crash due to lack of disk space
655233-1 | 3-Major | K93338593 | DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-1 | 3-Major | K57853542 | DNS Express responses missing SOA record in NoData responses if CNAMEs present
645615-2 | 3-Major | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis.
433678-2 | 3-Major | K32401561 | A monitor removed from GTM link cannot be deleted: 'monitor is in use'
646615-1 | 4-Minor | | Improved default storage size for DNS Express database
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description
652796-1 | 1-Blocking | | When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652792-1 | 2-Critical | | When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
678976-2 | 3-Major | K24756214 | Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-3 | 3-Major | K31757417 | Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description
679440-2 | 2-Critical | K14120433 | MCPD Cores with SIGABRT
591828-4 | 3-Major | K52750813 | For unmatched connection, TCP RST may not be sent for data packet
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description
668252-2 | 2-Critical | K22784428 | TMM crash in PEM_DIAMETER component
628311-3 | 2-Critical | K87863112 | Potential TMM crash due to duplicate installed PEM policies by the PCRF
675928-2 | 3-Major | | Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
674686-2 | 3-Major | | Periodic content insertion of new flows fails, if an outstanding flow is a long flow
673683-2 | 3-Major | | Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
673678-2 | 3-Major | | Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
673472-2 | 3-Major | | After classification rule is updated, first periodic Insert content action fails for existing subscriber
639486-4 | 3-Major | | TMM crash due to PEM usage reporting after a CMP state change.
634015-3 | 3-Major | K49315364 | Potential TMM crash due to a PEM policy content triggered buffer overflow
572568-2 | 3-Major | | Gy CCR-i requests are not being re-sent after initial configured re-transmits
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description
687193-1 | CVE-2018-5533 | K45325728 | TMM may leak memory when processing SSL Forward Proxy traffic
684879-2 | CVE-2017-6164 | K02714910 | TMM may crash while processing TLS traffic
662022-5 | CVE-2017-6138 | K34514540 | The URI normalization functionality within the TMM may mishandle some malformed URIs.
653993-3 | CVE-2017-6132 | K12044607 | A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880 | CVE-2017-6214 | K81211720 | Kernel Vulnerability: CVE-2017-6214
652539 | CVE-2016-0634, CVE-2016-7543, CVE-2016-9401 | K73705133 | Multiple Bash Vulnerabilities
652516 | CVE-2016-10088, CVE-2016-10142, CVE-2016-2069, CVE-2016-2384, CVE-2016-6480, CVE-2016-7042, CVE-2016-7097, CVE-2016-8399, CVE-2016-9576 | K31603170 | Multiple Linux Kernel Vulnerabilities
651221-2 | CVE-2017-6133 | K25033460 | Parsing certain URIs may cause the TMM to produce a core file.
650286-2 | CVE-2017-6167 | K24465120 | REST asynchronous tasks permissions issues
650059-1 | CVE-2017-6129 | K20087443 | TMM may crash when processing VPN traffic
649907-2 | CVE-2017-3137 | K30164784 | BIND vulnerability CVE-2017-3137
649904-2 | CVE-2017-3136 | K23598445 | BIND vulnerability CVE-2017-3136
644904-5 | CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 | K55129614 | tcpdump 4.9
644693-3 | CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 | K15518610 | Fix for multiple CVEs for openjdk-1.7.0
638556-2 | CVE-2016-10045 | K73926196 | PHP Vulnerability: CVE-2016-10045
634779-1 | CVE-2017-6147 | K43945001 | TMM may crash while processing SSL Forward Proxy traffic
625860-2 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on B4450 platform.
624903-6 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
600069-6 | CVE-2017-0301 | K54358225 | Portal Access: Requests handled incorrectly
659791-2 | CVE-2017-6136 | K81137982 | TFO and TLP could produce a core file under specific circumstances
655059-3 | CVE-2017-6134 | K37404773 | TMM Crash
653224-1 | CVE-2016-8610, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337 | K59836191 | Multiple GnuTLS Vulnerabilities
653217-2 | CVE-2016-2125, CVE-2016-2126 | K03644631 | Multiple Samba Vulnerabilities
645480-3 | CVE-2017-6139 | K45432295 | Unexpected APM response
645101-2 | CVE-2017-3731, CVE-2017-3732 | K44512851 | OpenSSL vulnerability CVE-2017-3732
642659-2 | CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540 | K34527393 | Multiple LibTIFF Vulnerabilities
640768 | CVE-2016-10088, CVE-2016-9576 | K05513373 | Kernel vulnerability: CVE-2016-10088
639729-2 | CVE-2017-0304 | K39428424 | Request validation failure in AFM UI Policy Editor
637666-2 | CVE-2016-10033 | K74977440 | PHP Vulnerability: CVE-2016-10033
635314-5 | CVE-2016-1248 | K22183127 | vim Vulnerability: CVE-2016-1248
622178-1 | CVE-2017-6158 | K19361245 | Improve flow handling when Autolasthop is disabled
597176-1 | CVE-2015-8711, CVE-2015-8714, CVE-2015-8716, CVE-2015-8717, CVE-2015-8718, CVE-2015-8720, CVE-2015-8721, CVE-2015-8723, CVE-2015-8725, CVE-2015-8729, CVE-2015-8730, CVE-2015-8733, CVE-2016-2523, CVE-2016-4006, CVE-2016-4078, CVE-2016-4079, CVE-2016-4080, CVE-2016-4081, CVE | K01837042 | Multiple Wireshark (tshark) vulnerabilities
583678-1 | CVE-2016-3115 | K93532943 | SSHD session.c vulnerability CVE-2016-3115
582773-5 | CVE-2018-5532 | K48224824 | DNS server for child zone can continue to resolve domain names after revoked from parent
567233-1 | CVE-2015-5252, CVE-2015-5296, CVE-2015-5299 | K92616530 | Multiple Samba vulnerabilities
353229-2 | CVE-2018-5522 | K54130510 | Buffer overflows in DIAMETER
656912-4 | CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458 | K32262483 | Various NTP vulnerabilities
632875-3 | CVE-2018-5516 | K37442533 | Non-Administrator TMSH users no longer allowed to run dig
615226-5 | CVE-2015-8925, CVE-2015-8933, CVE-2016-8688, CVE-2015-8919, CVE-2016-8689, CVE-2015-8931, CVE-2015-8923, CVE-2015-8930, CVE-2015-8922, CVE-2016-5844, CVE-2015-8917, CVE-2016-8687, CVE-2015-8932, CVE-2015-8916, CVE-2016-4809, CVE-2015-8934, CVE-2015-8924, CVE-2015-8920, CVE-2016-4302, CVE-2015-8921, CVE-2015-8928, CVE-2015-8926, CVE-2016-7166, CVE-2016-4300 | K13074505 | Libarchive vulnerabilities: CVE-2016-8687 and others
590840-2 | CVE-2015-8325 | K20911042 | OpenSSH vulnerability CVE-2015-8325
655021-2 | CVE-2017-3138 | K23598445 | BIND vulnerability CVE-2017-3138
652638-2 | CVE-2016-10167 | K23731034 | php - Fix DoS vulnerability in gdImageCreateFromGd2Ctx()
627203-1 | CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597 | K63427774 | Multiple Oracle Java SE vulnerabilities
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description
654549-1 | 2-Critical | | PVA support for uncommon protocols DoS vector
653729-2 | 2-Critical | | Support IP Uncommon Protocol
653234 | 2-Critical | | Many objects must be reconfigured before use when loading a UCS from another device.★
652094-2 | 2-Critical | K49190243 | Improve traffic disaggregation for uncommon IP protocols
643210-2 | 2-Critical | K45444280 | Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
643054-2 | 2-Critical | | ARP and NDP packets should be CoS marked by the switch on ingress
663521-2 | 3-Major | | Intermittent dropping of multicast packets on certain BIG-IP platforms
651772-3 | 3-Major | | IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
643143-2 | 3-Major | | ARP and NDP packets should be QoS/DSCP marked on egress
610710-2 | 3-Major | | Pass IP TOS bits from incoming connection to outgoing connection
584545-2 | 3-Major | | Failure to stabilize internal HiGig link will not trigger failover event
567177-1 | 4-Minor | | Log all attempts of key export in ltm log
650074-1 | 5-Cosmetic | | Changed Format of RAM Cache REST Status output.
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description
642703-2 | 1-Blocking | | Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
619097 | 1-Blocking | | iControl REST slow performance on GET request for virtual servers
539093-1 | 1-Blocking | K26104530 | VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
697878 | 2-Critical | | High crypto request completion time under some workload patterns
666790-2 | 2-Critical | K06619044 | Use HSB HiGig MAC reset to recover both FCS errors and link instability
665354-2 | 2-Critical | K31190471 | Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
658574-2 | 2-Critical | K61847644 | An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357-2 | 2-Critical | K06245820 | Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376-5 | 2-Critical | | bgpd may crash on receiving a BGP update with >= 32 extended communities
649866-1 | 2-Critical | | fsck should not run during first boot on public clouds
638997-2 | 2-Critical | | Reboot required after disk size modification in a running BIG-IP VE instance.
625456-5 | 2-Critical | | Pending sector utility may write repaired sector incorrectly
624826-2 | 2-Critical | K36404710 | mgmt bridge takes HWADDR of guest vm's tap interface
613415-2 | 2-Critical | K22750357 | Memory leak in ospfd when distribute-list is used
609335-1 | 2-Critical | | IPsec tmm devbuf memory leak.
604011-1 | 2-Critical | | Sync fails when iRule or policy is in use★
595783 | 2-Critical | | Changing console baud rate for B2100, B2150 and B2250 blades does not work
593137-1 | 2-Critical | | userDefined property for bot signatures is not shown in REST
579210-3 | 2-Critical | K11418051 | VIPRION B4400N blades might fail to go Active under rare conditions.
471860-10 | 2-Critical | K16209 | Disabling interface keeps DISABLED state even after enabling
412817-3 | 2-Critical | | BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
671920-1 | 3-Major | | Accessing SNMP over IPv6 on non-default route domains
669818-2 | 3-Major | K64537114 | Higher CPU usage for syslog-ng when a syslog server is down
667278-3 | 3-Major | | DSC connections between BIG-IP units may fail to establish
667138-1 | 3-Major | | LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★
664829-1 | 3-Major | | BIG-IP sometimes performs unnecessary reboot on first boot
662331-1 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
661764-2 | 3-Major | K53762147 | It is possible to configure a number of CPUs that exceeds the licensed throughput
660532-2 | 3-Major | K21050223 | Cannot specify the event parameter for redirects on the policy rule screen.
655671-1 | 3-Major | | Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649-2 | 3-Major | K88627152 | BGP last update timer incorrectly resets to 0
654011-2 | 3-Major | K33210520 | Pool member's health monitors set to Member Specific does not display the active monitors
651155-1 | 3-Major | | HSB continually logs 'loopback ring 0 tx not active'
650349 | 3-Major | K50168519 | Creation or reconfiguration of iApps fails if high speed logging is configured
650002-1 | 3-Major | | tzdata bug fix and enhancement update
649949-1 | 3-Major | | Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
647988-3 | 3-Major | K15331432 | HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-2 | 3-Major | | MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-6 | 3-Major | | Traffic group becomes active on more than one BIG-IP after a long uptime
644404-1 | 3-Major | | Extracting SSD from system leads to Emergency LCD alert★
644184-4 | 3-Major | K36427438 | ZebOS daemons hang while AgentX SNMP daemon is waiting.
643294 | 3-Major | | IGMP and PIM not in self-allow default list when upgrading from 10.2.x★
643121-1 | 3-Major | | Failed installation volumes cannot be deleted in the GUI.
643013 | 3-Major | | DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
642982-3 | 3-Major | K23241518 | tmrouted may continually restart after upgrade, adding or renaming an interface★
642314-2 | 3-Major | K24276198 | CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
638825-2 | 3-Major | | SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
637561-1 | 3-Major | | Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744-1 | 3-Major | K16918340 | IKEv1 phase 2 SAs not deleted
631866-2 | 3-Major | K12402013 | Cannot access LTM policy rules in the web UI when the name contains certain characters
631172-4 | 3-Major | K54071336 | GUI user logged off when idle for 30 minutes, even when longer timeout is set
624692-3 | 3-Major | | Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
623391-5 | 3-Major | | cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
622619-5 | 3-Major | | BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622133-1 | 3-Major | | VCMP guests may obtain incorrect MAC addresses
621259-3 | 3-Major | | Config save takes long time if there is a large number of data groups
619060 | 3-Major | | Reduction in boot time in BIG-IP Virtual Edition platforms
612752-1 | 3-Major | | UCS load or upgrade may fail under certain conditions.★
610442-2 | 3-Major | K75051412 | vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
607961-1 | 3-Major | | Secondary blades restart when modifying a virtual server's route domain in a different partition.
605792-1 | 3-Major | | Installing a new version changes the ownership of administrative users' files★
601709-2 | 3-Major | K02314881 | I2C error recovery for BIG-IP 4340N/4300 blades
590938-3 | 3-Major | | The CMI rsync daemon may fail to start
583475-1 | 3-Major | | The BIG-IP may core while recompiling LTM policies
577474-3 | 3-Major | K35208043 | Users with auditor role are unable to use tmsh list sys crypto cert
569100-1 | 3-Major | | Virtual server using NTLM profile results in benign Tcl error
544906-2 | 3-Major | K07388310 | Issues when using remote authentication when users have different partition access on different devices
507240-4 | 3-Major | K13811263 | ICMP traffic cannot be disaggregated based on IP addresses
480983-4 | 3-Major | | tmrouted daemon may core due to daemon_heartbeat
471029-2 | 3-Major | | If the configuration contains a filename with the $ character, then saving the UCS fails.
656900-1 | 4-Minor | | Blade family migration may fail
655314 | 4-Minor | | When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★
653225-1 | 4-Minor | | coreutils security and bug fix update
645717 | 4-Minor | | UCS load does not set directory owner
644975-4 | 4-Minor | K09554025 | /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644799-1 | 4-Minor | K42882011 | TMM may crash when the BIG-IP system processes CGNAT traffic.
642723-3 | 4-Minor | | Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
634371-2 | 4-Minor | | Cisco ethernet NIC driver
530927-8 | 4-Minor | | Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-6 | 4-Minor | K07298903 | tmsh sys log filter is displayed in UTC time
527720-1 | 4-Minor | | Rare 'No LopCmd reply match found' error in getLopReg
448409-1 | 4-Minor | K15491 | 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
626596 | 5-Cosmetic | | Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description
670011-2 | 1-Blocking | | SSL forward proxy does not create the server certchain when ignoring server certificates
621452-1 | 1-Blocking | K58146172 | Connections can stall with TCP::collect iRule
659899-1 | 2-Critical | K10589537 | Rare, intermittent system instability observed in dynamic load-balancing modes
657713-5 | 2-Critical | K05052273 | Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628-1 | 2-Critical | | TCP analytics does not release resources under specific sequence of packets
655211-1 | 2-Critical | | bigd crash (SIGSEGV) when running FQDN node monitors
650317-3 | 2-Critical | | The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-4 | 2-Critical | | tmm core in iRule with unreachable remote address
648037-2 | 2-Critical | | LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-2 | 2-Critical | K43005132 | HA standby virtual server with non-default lasthop settings may crash.
646604-5 | 2-Critical | K21005334 | Client connection may hang when NTLM and OneConnect profiles used together
645663 | 2-Critical | | Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
644112-2 | 2-Critical | K56150996 | Permanent connections may be expired when endpoint becomes unreachable
643631 | 2-Critical | K70938130 | Serverside connections on virtual servers using VDI may become zombies.
635274-1 | 2-Critical | K21514205 | SSL::sessionid command may return invalid values
634265-2 | 2-Critical | K34688632 | Using route pools whose members aren't directly connected may crash the TMM.
632552-2 | 2-Critical | K08634156 | tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
629178-1 | 2-Critical | K42206046 | Incorrect initial size of connection flow-control window
611704-5 | 2-Critical | | tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605983-1 | 2-Critical | | tmrouted may crash when being restarted in debug mode
604926-3 | 2-Critical | K50041125 | The TMM may become unresponsive when using SessionDB data larger than ~400K
604223-2 | 2-Critical | | pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
583700-3 | 2-Critical | K32784801 | tmm core on out of memory
583355-1 | 2-Critical | | The TMM may crash when changing profiles associated with plugins
566071-5 | 2-Critical | | network-HSM may not be operational on secondary slots of a standby chassis.
559030-1 | 2-Critical | K65244513 | TMM may core during ILX RPC activity if a connflow closes before the RPC returns
677119 | 3-Major | | HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
676471-1 | 3-Major | | Insufficient space for core files on i11x00-series platforms
672008-1 | 3-Major | K22122208 | NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935-2 | 3-Major | | Possible uneven ephemeral port reuse.
669025-1 | 3-Major | K11425420 | Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668521-2 | 3-Major | | Bigd might stall while waiting for an external monitor process to exit
666032-3 | 3-Major | K05145506 | Secure renegotiation is set while data is not available.
663326-2 | 3-Major | | Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-2 | 3-Major | K10443875 | L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-1 | 3-Major | | iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
658214-2 | 3-Major | K20228504 | TCP connection fails intermittently for mirrored fastl4 virtual server
655793-1 | 3-Major | K04178391 | SSL persistence parsing issues due to SSL / TCP boundary mismatch
654109-2 | 3-Major | K01102467 | Configuration loading may fail when iRules calling procs in other iRules are deleted
653511-2 | 3-Major | | Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
652535-1 | 3-Major | K54443700 | HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652445-2 | 3-Major | K87541959 | SAN with uppercase names results in case-sensitive match or will not match
651651-3 | 3-Major | K54604320 | bigd can crash when a DNS response does not match the expected value
650292-2 | 3-Major | | DNS transparent cache can return non-recursive results for recursive queries
650152-1 | 3-Major | | Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
648954-5 | 3-Major | K01102467 | Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647137 | 3-Major | | bigd/tmm con vCMP guests
646443-1 | 3-Major | K54432535 | Ephemeral Node may be errantly created in bigd, causing crash
645058-3 | 3-Major | | Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-3 | 3-Major | K85772089 | Removing pool from virtual server does not update its status
644873-2 | 3-Major | K97237310 | ssldump can fail to decrypt captures with certain TCP segmenting
644851-2 | 3-Major | | Websockets closes connection on receiving a close frame from one of the peers
644418-2 | 3-Major | | Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643777-2 | 3-Major | K27629542 | LTM policies with more than one IP address in TCP address match may fail
643582-2 | 3-Major | | Config load with large ssl profile configuration may cause tmm restart
641491-2 | 3-Major | K37551222 | TMM core while running iRule LB::status pool poolname member ip port
640376-3 | 3-Major | K46452834 | STPD leaks memory on 2000/4000/i2000/i4000 series
638715-3 | 3-Major | K77010072 | Multiple Diameter monitors to same server ip/port may race on PID file
632001-1 | 3-Major | | For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
627574-1 | 3-Major | | After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
626434-6 | 3-Major | K65283203 | tmm may be killed by sod when a hardware accelerator does not work
624805-1 | 3-Major | | ILX node.js process may be restarted if a single operation takes more than 15 seconds
623940-3 | 3-Major | | SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622017-8 | 3-Major | K54106058 | Performance graph data may become permanently lost after corruption.
621736-6 | 3-Major | K00323105 | statsd does not handle SIGCHLD properly in all cases
620788-1 | 3-Major | K05232247 | FQDN pool created with existing FQDN node has RED status
618161-1 | 3-Major | | SSL handshake fails when clientssl uses softcard-protected key-certs.
618121 | 3-Major | | "persist add" iRule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
607246-10 | 3-Major | | Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-2 | 3-Major | | Policy unable to match initial path segment when request-URI starts with "//"
602040-3 | 3-Major | | Truncated support ID for HTTP protocol security logging profile
600614-5 | 3-Major | | External crypto offload fails when SSL connection is renegotiated
596433-3 | 3-Major | | Virtual with lasthop configured rejects request with no route to client.
596242-1 | 3-Major | K17065223 | [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
595275-5 | 3-Major | | Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
593390-4 | 3-Major | | Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589006-5 | 3-Major | | SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-5 | 3-Major | K98547701 | Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
578573-1 | 3-Major | | SSL Forward Proxy Forged Certificate Signature Algorithm
563933-4 | 3-Major | | [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
536563-7 | 3-Major | | Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
484542-1 | 3-Major | | QinQ tag-mode can be set on unsupported platforms
668802-3 | 4-Minor | K83392557 | GTM link graphs fail to display in the GUI
667318-3 | 4-Minor | | BIG-IP DNS/GTM link graphs fail to display in the GUI.
584210-1 | 4-Minor | | TMM may core when running two simultaneous WebSocket collect commands
578415-2 | 4-Minor | | Support for hardware accelerated bulk crypto SHA256 missing
513288-7 | 4-Minor | | Management traffic from nodes being health monitored might cause health monitors to fail.
462043-2 | 4-Minor | | DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms
Performance Fixes
ID Number | Severity | Solution Article(s) | Description
620903-1 | 2-Critical | | Decreased performance of ICMP attack mitigation.
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description
636541-3 | 1-Blocking | | DNS Rapid Response filters large datagrams
667028-1 | 2-Critical | | DNS Express does not run on i11000 platforms with htsplit disabled.
649564-2 | 2-Critical | | Crash related to GTM monitors with long RECV strings
663073-1 | 3-Major | | GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912-1 | 3-Major | K81210772 | GSLB Pool Member Manage page display issues and error message
655807-5 | 3-Major | K40341291 | With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445-2 | 3-Major | | Provide the ability to globally specify a DSCP value.
654599-1 | 3-Major | K74132601 | The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
648286-2 | 3-Major | | GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447-2 | 3-Major | | sync_zones script increasingly consumes memory when there is network connectivity failure
626141-3 | 3-Major | | DNSX Performance Graphs are not displaying Requests/sec
615222-1 | 3-Major | K79580892 | GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★
605260-1 | 3-Major | | [GUI] Changes cannot be made to GTM listener in partition with default route domain <> 0
659969-1 | 4-Minor | | tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
644220-3 | 4-Minor | | Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
604371-1 | 4-Minor | | Pagination controls missing for GSLB pool members
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
653014-1 | 2-Critical | | Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name |
652200-1 | 2-Critical | K81349220 | Failure to update ASM enforcer about account change. |
651001-1 | 2-Critical | | Massive prints in tmm log: "could not find conf for profile crc" |
638629-2 | 2-Critical | | Bot can be classified as human |
619110-1 | 2-Critical | | Slow to delete URLs, CPU spikes with Automatic Policy Builder |
672695-1 | 3-Major | | Internal perl process listening on all interfaces when ASM enabled |
665905 | 3-Major | K83305000 | Signature System corruption from specific ASU prevents ASU load after upgrade |
664930-2 | 3-Major | | Policy automatic learning mode changes to manual after failover |
655617-1 | 3-Major | K36442669 | Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge |
650081-1 | 3-Major | K53010710 | Proactive Bot Defense JavaScript challenges may introduce high latencies and cause some browsers to display a blank page. |
648617 | 3-Major | K23432927 | JavaScript challenge repeating in loop when URL has path parameters |
644855-2 | 3-Major | | iRules with commands which may suspend processing cannot be used with Proactive Bot Defense |
631444-2 | 3-Major | | Bot Name for ASM Search Engines is case sensitive |
630356-1 | 3-Major | | JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge |
628351-1 | 3-Major | | Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled |
618656-2 | 3-Major | | JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters |
606521-1 | 3-Major | | Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade |
605616-1 | 3-Major | | Creating 256 Fundamental Security policies will result in an out of memory error |
602975-1 | 3-Major | | Unable to update the HTTP URL's "Header-Based Content Profiles" values |
596685-1 | 3-Major | K76841626 | Request Log failure on request with XML format violation |
595900-4 | 3-Major | K11833633 | Cookie Signature overrides may be ignored after Signature Update |
563727-1 | 3-Major | | Issue a Body in GET sub-violation for GET request with 'transfer-encoding: chunked' |
534247-1 | 3-Major | | Issue a Body in GET sub-violation for GET request with content type header |
519612-1 | 3-Major | | JavaScript challenge fails when coming within iframe with different domain than main page |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
604191-1 | 2-Critical | | AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★ |
629573-1 | 3-Major | K66001885 | No drill-down filter for virtual-servers is mentioned on exported reports when using partition |
603875-2 | 3-Major | | The 'ASM memory Utilization - bd swap size' statistic is wrong |
601536-1 | 3-Major | | Analytics load error stops load of configuration★ |
639395-2 | 4-Minor | K91614278 | AVR does not display 'Max read latency' units. |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
647108-1 | 1-Blocking | | Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction |
679235-5 | 2-Critical | | Inspection Host NPAPI Plugin for Safari cannot be installed |
669341 | 2-Critical | | Category Lookup by Subject.CN will result in a reset |
666454-2 | 2-Critical | K05520115 | Edge client on MacBook Pro with Touch Bar cannot connect to VPN after OS X v10.12.5 update |
663506-7 | 2-Critical | K30533350 | apmd crash during LDAP cache initialization |
652004-2 | 2-Critical | K45320415 | show /apm access-info all-properties causes memory leaks in tmm |
662639-2 | 3-Major | | Policy Sync fails when policy object includes FIPS key |
659371-2 | 3-Major | K54310201 | apmd crashes executing iRule policy evaluate |
658852-5 | 3-Major | | Empty User-Agent in iSessions requests from APM client on Windows |
654513-6 | 3-Major | K11003951 | APM daemon crashes when the LDAP query agent returns empty in its search results. |
649929-1 | 3-Major | | saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it |
648053-1 | 3-Major | K94477320 | Rewrite plugin may crash on some JavaScript files |
646928-1 | 3-Major | | Landing URI incorrect when changing URI |
645684-2 | 3-Major | | Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting. |
618957-1 | 3-Major | | Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates |
601919-2 | 3-Major | | Custom categories and custom URL filter assignment must be specific to partition instead of global lookup |
583272-2 | 3-Major | | "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth |
580567-1 | 3-Major | | LDAP Query agent fails to resolve nested group membership |
551795-1 | 3-Major | | Portal Access: corrections to CORS support for XMLHttpRequest |
550547-2 | 3-Major | | URL including a "token" query parameter results in a connection reset |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
664535-1 | 2-Critical | | Diameter failure: load balancing fails when all pool members use same IP address |
640407-1 | 2-Critical | | Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF |
568545-2 | 2-Critical | K17124802 | iRules commands that refer to a transport-config will fail validation |
559953-1 | 2-Critical | | tmm core on long DIAMETER::host value |
662364-2 | 3-Major | | MRF DIAMETER: IP ToS not passing through with DIAMETER |
644946-2 | 3-Major | K05053251 | Enabling mirroring on SIP or DIAMETER router profile affects per-client connection mode operation |
644565-1 | 3-Major | | MRF message metadata lost when routing message to a connection on a different TMM |
634078-2 | 3-Major | | MRF: Routing using a virtual with SNAT set to none may select a source port of zero |
624155-2 | 3-Major | | MRF Per-Client mode connections unable to return responses if used by another client connection |
620929-4 | 3-Major | | New iRule command, MR::ignore_peer_port |
651640-3 | 4-Minor | | Queue-full dropped messages incorrectly counted as responses |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
670400-3 | 2-Critical | | SSH Proxy public key authentication can be circumvented in some cases |
655470 | 2-Critical | K79924625 | IP Intelligence logging publisher removal can cause tmm crash |
618902-4 | 3-Major | | PCCD memory usage increases on configuration changes and recompilation due to a small memory leak on each compilation |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
658261-2 | 2-Critical | K12253471 | TMM core after HA during Gy reporting |
658148-2 | 2-Critical | K23150504 | TMM core after intra-chassis failover for some instances of subscriber creation |
657632-4 | 2-Critical | | Rarely, if a subscriber delete is performed following HA switchover, tmm may crash |
653285-1 | 2-Critical | | PEM rule deletion with HSL reporting may cause tmm coredump |
652973-2 | 2-Critical | | Coredump observed at system bootup time when many DHCP packets arrive |
650422-2 | 2-Critical | | TMM core after a switchover involving Gy quota reporting |
659567-1 | 3-Major | K94685557 | iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions |
652052-3 | 3-Major | | PEM::session iRule made the order of parameters strict |
635257-2 | 3-Major | K41151808 | Inconsistencies in Gx usage record creation. |
623037-2 | 3-Major | | Delete of PEM session attribute does not work after an update |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
676808-2 | 2-Critical | | FPS: tmm may crash on response with large payload from server |
669364-1 | 2-Critical | | TMM core when server responds fast with server responses such as 404. |
669359 | 2-Critical | | WebSafe might cause connections to hang |
674931 | 3-Major | | FPS modified responses/injections might result in a corrupted response |
674909-3 | 3-Major | | Application CSS injection might not work as expected when connection is congested |
667872-1 | 3-Major | | WebSafe's 'Apply cookies to base domain' feature doesn't work for non-standard ports |
658321-2 | 3-Major | | WebSafe features might break in IE8 |
657502-2 | 3-Major | | JS error when leaving page opened for several minutes |
644694 | 3-Major | | FPS security update check ends up with an empty page when an error occurs. |
618185-1 | 3-Major | | Mismatch in URL CRC32 calculation |
643602-2 | 4-Minor | | 'Select All' checkbox selects items on hidden pages |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
605123-1 | 2-Critical | | iAppLX objects fail to sync after establishing HA in auto-sync mode★ |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
606316-4 | 1-Blocking | | HTTPS request to F5 licensing server fails |
665778-1 | 2-Critical | K34503519 | Non-admin BIG-IP users can now view/re-deploy iApps through TMUI. |
599424-2 | 2-Critical | | iApps LX fails to sync★ |
632060-1 | 4-Minor | | restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★ |
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
693211-3 | CVE-2017-6168, CVE-2020-5929 | K21905460 | CVE-2017-6168 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
664063-1 | 2-Critical | K03203976 | Azure displays failure for deployment of BIG-IP from a Resource Manager template |
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
652151-1 | CVE-2017-6131 | K61757346 | Azure VE: Initialization improvement |
623885-4 | CVE-2016-9251 | K41107914 | Internal authentication improvements |
621371-2 | CVE-2016-9257 | K43523962 | Output Errors in APM Event Log |
648865-2 | CVE-2017-6074 | K82508682 | Linux kernel vulnerability: CVE-2017-6074 |
643187-2 | CVE-2017-3135 | K80533167 | BIND vulnerability CVE-2017-3135 |
641445-1 | CVE-2017-6145 | K22317030 | iControl improvements |
641360-2 | CVE-2017-0303 | K30201296 | SOCKS proxy protocol error |
641256-1 | CVE-2016-9257 | K43523962 | APM access reports display error |
636702-3 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
636699-5 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
631582 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
630475-5 | CVE-2017-6162 | K13421245 | TMM Crash |
628836-4 | CVE-2016-9245 | K22216037 | TMM crash during request normalization |
624570-1 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
624526-3 | CVE-2017-6159 | K10002335 | TMM core in mptcp |
624457-5 | CVE-2016-5195 | K10558632 | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
623093-1 | CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320 | K38871451 | TIFF vulnerability CVE-2015-7554 |
620400-1 | CVE-2017-6141 | K21154730 | TMM crash during TLS processing |
610255-1 | CVE-2017-6161 | K62279530 | CMI improvement |
596340-8 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
580026-5 | CVE-2017-6165 | K74759095 | HSM logging error |
648879-2 | CVE-2016-6136 CVE-2016-9555 | K90803619 | Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555 |
641612-2 | CVE-2017-0302 | K87141725 | APM crash |
638137 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 | K51201255 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 |
635412 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
635252-1 | CVE-2016-9256 | K47284724 | CVE-2016-9256 |
631688-7 | CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 | K55405388 K87922456 K63326092 K51444934 K80996302 | Multiple NTP vulnerabilities |
630150-1 | CVE-2016-9253 | K51351360 | Websockets processing error |
627916-1 | CVE-2017-6144 | K81601350 | Improve cURL Usage |
627907-1 | CVE-2017-6143 | K11464209 | Improve cURL usage |
627747-1 | CVE-2017-6142 | K20682450 | Improve cURL Usage |
625372-5 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
623119 | CVE-2016-4470 | K55672042 | Linux kernel vulnerability CVE-2016-4470 |
622496 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
622126-1 | CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 | K54308010 | PHP vulnerability CVE-2016-7124 |
621337-6 | CVE-2016-7469 | K97285349 | XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469 |
618261-6 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
615267-2 | CVE-2016-2183 | K13167034 | OpenSSL vulnerability CVE-2016-2183 |
613225-7 | CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
606710-10 | CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 | K15479471 | Mozilla NSS vulnerability CVE-2016-2834 |
605420-5 | CVE-2016-5387, CVE-2007-6750 | K80513384 | httpd security update - CVE-2016-5387 |
600232-9 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
600223-2 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
599858-7 | CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 | K68785753 | ImageMagick vulnerability CVE-2015-8898 |
635933-3 | CVE-2004-0790 | K23440942 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
628832-4 | CVE-2016-6161 | K71581599 | libgd vulnerability CVE-2016-6161 |
622662-7 | CVE-2016-6306 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
617901-1 | CVE-2018-5525 | K00363258 | GUI to handle file path manipulation to prevent GUI instability. |
609691-1 | CVE-2014-4617 | K21284031 | GnuPG vulnerability CVE-2014-4617 |
600205-9 | CVE-2016-2178 | K53084033 | OpenSSL Vulnerability: CVE-2016-2178 |
600198-2 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
599285-2 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
598002-10 | CVE-2016-2178 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
621937-1 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
621935-6 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
606771-2 | CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 | K35799130 | Multiple PHP vulnerabilities |
601268-5 | CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 | K43267483 | PHP vulnerability CVE-2016-5766 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
653453 | 2-Critical | | ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs. |
628972-2 | 2-Critical | | BMC version 2.51.7 for iSeries appliances |
624831-2 | 2-Critical | | BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2 Gbps |
616918-1 | 2-Critical | | BMC version 2.50.3 for iSeries appliances |
633723-3 | 3-Major | | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot |
633391-1 | 3-Major | | GUI error trying to modify IP Data-Group |
609614-3 | 3-Major | | Yafuflash 4.25 for iSeries appliances |
597797-4 | 3-Major | K78449695 | Allow users to disable enforcement of RFC 7507 Fallback SCSV |
584471-1 | 3-Major | K34343741 | Priority order of clientssl profile selection of virtual server. |
581840-5 | 3-Major | K46576869 | Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ. |
564876-2 | 3-Major | | New DB variable log.lsn.comma changes CGNAT logs to CSV format |
609084-2 | 4-Minor | K03808942 | Max number of chunks not configurable above 1000 chunks |
597270-2 | 4-Minor | | tcpdump support missing for VXLAN-GPE NSH |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
655500 | 1-Blocking | | Rekey SSH sessions after one hour |
642058-1 | 1-Blocking | | CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances |
641390-5 | 1-Blocking | K00216423 | Backslash removal in LTM monitors after upgrade |
627433-1 | 1-Blocking | | HSB transmitter failure on i2x00 and i4x00 platforms |
602830-1 | 1-Blocking | | BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode |
648056-2 | 2-Critical | K16503454 | bcm56xxd core when configuring QinQ VLAN with vCMP provisioned. |
645805 | 2-Critical | K92637255 | LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses |
641248 | 2-Critical | | IPsec-related tmm segfault |
641013-5 | 2-Critical | | GRE tunnel traffic pinned to one TMM |
638935-3 | 2-Critical | | Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
636918-2 | 2-Critical | | Fix for crash when multiple tunnels use the same traffic selector |
636290 | 2-Critical | | vCMP support for B4450 blade |
627898-2 | 2-Critical | K53050234 | tmm leaks memory in the ECM subsystem |
625824-1 | 2-Critical | | iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory |
624263-4 | 2-Critical | | iControl REST API sets a profile's non-default property value to "none"; properties are missing from the iControl REST API response |
618779-1 | 2-Critical | | Route updates during IPsec tunnel setup can cause tmm to restart |
616059-1 | 2-Critical | K19545861 | Modifying license.maxcores results in Not Allowed error |
614296-1 | 2-Critical | | Dynamic routing process ripd may core |
613536-5 | 2-Critical | | tmm core while running the iRule STATS:: command |
610295-1 | 2-Critical | K32305923 | TMM may crash due to internal backplane inconsistency after reprovisioning |
583516-2 | 2-Critical | | tmm asserts "valid node" on Active after timer fires |
567457-2 | 2-Critical | | TMM may crash when changing the IKE peer config. |
652484-2 | 3-Major | | tmsh show net f5optics shows information for only 1 chassis slot in a cluster |
649617-2 | 3-Major | | qkview improvement for OVSDB management |
648544-5 | 3-Major | K75510491 | HSB transmitter failure may occur when global COS queues enabled |
646760 | 3-Major | | Common Criteria Mode disrupts administrative SSH access |
644892-1 | 3-Major | | Files captured multiple times in qkview |
644490-1 | 3-Major | | Finisar 100G LR4 values need to be revised in f5optics |
637559-1 | 3-Major | | Modifying iRule online could cause TMM to be killed by SIGABRT |
636535 | 3-Major | K24844444 | HSB lockup in vCMP guest doesn't generate core file |
635961-1 | 3-Major | | gzipped and truncated files may be saved in qkview |
635129 | 3-Major | | Chassis systems in HA configuration become Active/Active during upgrade★ |
635116-1 | 3-Major | K34100550 | Memory leak when using replicated remote high-speed logging. |
634115-1 | 3-Major | | Not all topology records may sync. |
633879-1 | 3-Major | K52833014 | Fix IKEv1 md5 phase1 hash algorithm so config takes effect |
633512-1 | 3-Major | | HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION. |
633413-1 | 3-Major | | IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI |
631627-4 | 3-Major | | Applying BWC over route domain sometimes results in tmm not becoming ready on system start |
630622-1 | 3-Major | | tmm crash possible if high-speed logging pool member is deleted and reused |
630610-5 | 3-Major | K43762031 | BFD session interface configuration may not be stored on unit state transition |
630546-1 | 3-Major | | Very large core files may cause corrupted qkviews |
629499-9 | 3-Major | | tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found" |
629085-1 | 3-Major | K55278069 | Any CSS content truncated at a quoted value leads to a segfault |
628202-4 | 3-Major | | Audit-forwarder can take up an excessive amount of memory during a high volume of logging |
628164-3 | 3-Major | K20766432 | OSPF with multiple processes may incorrectly redistribute routes |
628009-1 | 3-Major | | f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800 |
627961-3 | 3-Major | K15130343 | nic_failsafe reboot doesn't trigger if HSB fails to disable interface |
627914-1 | 3-Major | | Unbundled 40GbE optics reporting as Unsupported Optic |
627214-3 | 3-Major | | BGP ECMP recursive default route not redistributed to TMM |
626839 | 3-Major | | sys-icheck error for /var/lib/waagent in Azure. |
626721-5 | 3-Major | | "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart |
625703-2 | 3-Major | | SELinux: snmpd is denied access to tmstat files |
625085 | 3-Major | | lasthop rmmod causes kernel panic |
624361-1 | 3-Major | | Responses to some of the challenge JS are not zipped. |
623930-3 | 3-Major | | vCMP guests with vlangroups may loop packets internally |
623401-1 | 3-Major | | Intermittent OCSP request failures due to non-optimal default TCP profile setting |
623336-4 | 3-Major | | After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★ |
623055-1 | 3-Major | | Kernel panic during unic initialization |
622183-5 | 3-Major | | The alert daemon should remove old log files but it does not. |
621909-4 | 3-Major | K23562314 | Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members |
621273-1 | 3-Major | | DSR tunnels with transparent monitors may cause TMM crash. |
620659-3 | 3-Major | | The BIG-IP system may unnecessarily run provisioning on successive reboots |
620366-4 | 3-Major | | Alertd cannot open UDP socket upon restart |
617628-1 | 3-Major | | SNMP reports incorrect value for sysBladeTempTemperature OID |
615934-1 | 3-Major | | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. |
615107-1 | 3-Major | | Cannot SSH from AOM/SCCP to host without password (host-based authentication). |
613765-3 | 3-Major | | Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors. |
612809-1 | 3-Major | | Bootup script fails to run on a vCMP guest due to a missing reference file. |
611658-3 | 3-Major | | "less" utility logs an error for remotely authenticated users using the tmsh shell |
611512-1 | 3-Major | | AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name. |
611487-3 | 3-Major | | vCMP: VLAN failsafe does not trigger on guest |
610417-1 | 3-Major | K54511423 | Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported. |
609119-7 | 3-Major | | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: |
608320-3 | 3-Major | | iControl REST API sets a persistence profile's non-default property value to "none"; properties are missing from the iControl REST API response |
604727-1 | 3-Major | | Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★ |
604237-3 | 3-Major | | Vlan allowed mismatch found error in vCMP guest |
604061-2 | 3-Major | | Link Aggregation Control Protocol may lose synchronization after TMM crash |
602376-1 | 3-Major | | qkview excludes files |
598498-7 | 3-Major | | Cannot remove Self IP when an unrelated static ARP entry exists. |
598134-1 | 3-Major | | Stats query may generate an error when tmm on secondary is down |
596067-2 | 3-Major | | GUI on VIPRION hangs on secondary blade reboot |
590211-2 | 3-Major | | jitterentropy-rngd quietly fails to start |
586738-4 | 3-Major | | The tmm might crash with a segfault. |
583754-7 | 3-Major | | When TMM is down, executing 'show ltm persist persist-records' results in a blank error message. |
575027-1 | 3-Major | | Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues. |
562928-2 | 3-Major | | Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled |
559080-5 | 3-Major | | High Speed Logging to specific destinations stops from individual TMMs |
557471-3 | 3-Major | | LTM Policy statistics showing zeros in GUI |
543208-1 | 3-Major | | Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★ |
534520-1 | 3-Major | | qkview may exclude certain log files from /var/log |
424542-5 | 3-Major | | tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments |
418349-2 | 3-Major | | Update/overwrite of FIPS keys error |
643404-2 | 4-Minor | K30014507 | 'tmsh system software status' does not display properly in a specific cc-mode situation★ |
636520-3 | 4-Minor | K88813435 | Detail missing from power supply 'Bad' status log messages |
633181-1 | 4-Minor | | A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section |
632668-5 | 4-Minor | | When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds |
632069-3 | 4-Minor | | Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076 |
621957-2 | 4-Minor | | Timezone data on AOM not syncing with host |
609107-1 | 4-Minor | | mcpd does not properly validate missing 'sys folder' config in bigip_base.conf |
599191-2 | 4-Minor | | One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card |
589379-2 | 4-Minor | K20937139 | ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route. |
585097-1 | 4-Minor | | Traffic Group score formula does not result in unique values. |
541550-3 | 4-Minor | | Defining more than 10 remote-role groups can result in authentication failure |
541320-10 | 4-Minor | K50973424 | Sync of tunnels might cause restore of deleted tunnels. |
500452-8 | 4-Minor | K28520025 | PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware |
642015-2 | 5-Cosmetic | | SSD Manufacturer "unavailable" |
524277-2 | 5-Cosmetic | | Missing power supplies issue warning message that should be just a notice message. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
651476 | 2-Critical | | bigd may core on non-primary bigd when FQDN in use |
648715-2 | 2-Critical | | BIG-IP i2x00 and i4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0 |
643396-2 | 2-Critical | K34553627 | Using FLOW_INIT iRule may lead to TMM memory leak or crash |
642400-2 | 2-Critical | | Path MTU discovery occasionally fails |
640352-2 | 2-Critical | K01000259 | Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet |
639744-1 | 2-Critical | K84228882 | Memory leak in STREAM::expression iRule |
637181-4 | 2-Critical | | VIP-on-VIP traffic may stall after routing updates |
632685 | 2-Critical | | bigd memory leak for FQDN nodes on non-primary bigd instance |
630306-1 | 2-Critical | | TMM crash in DNS processing on UDP virtual server with no available pool members |
629145-1 | 2-Critical | | External datagroups with no metadata can crash tmm |
628890-1 | 2-Critical | | Memory leak when modifying large datagroups |
627403-2 | 2-Critical | | HTTP2 can crash tmm when stats is updated on aborting of a new connection |
626311-2 | 2-Critical | K75419237 | Potential failure of DHCP relay functionality due to incorrect route lookup. |
625198-1 | 2-Critical | | TMM might crash when TCP DSACK is enabled |
622856-1 | 2-Critical | | BIG-IP may enter SYN cookie mode later than expected |
621870-2 | 2-Critical | | Outage may occur with VIP-VIP configurations |
619663-3 | 2-Critical | K49220140 | Terminating of HTTP2 connection may cause a TMM crash |
619528-4 | 2-Critical | | TMM may accumulate internal events resulting in TMM restart |
619071-3 | 2-Critical | | OneConnect with verified accept issues |
614509-1 | 2-Critical | | iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart |
609027-1 | 2-Critical | | TMM crashes when SSL forward proxy is enabled. |
608304-1 | 2-Critical | K55292305 | TMM crash on memory corruption |
603667-2 | 2-Critical | | TMM may leak or corrupt memory when configuration changes occur with plugins in use |
603082-3 | 2-Critical | | Ephemeral pool members are getting deleted/created over and over again. |
602136-5 | 2-Critical | | iRule drop/discard/reject commands cause tmm segfault or still send 3-way handshake to the server. |
601828-1 | 2-Critical | K13338433 | An untrusted certificate can cause tmm to crash. |
600982-5 | 2-Critical | | TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0" |
599720-2 | 2-Critical | | TMM may crash in bigtcp due to null pointer dereference |
597828-1 | 2-Critical | | SSL forward proxy crashes in some cases |
596450-1 | 2-Critical | | TMM may produce a core file after updating SSL session ticket key |
594642-3 | 2-Critical | | Stream filter may require large allocations by Tcl leading TMM to core on allocation failure. |
581746-1 | 2-Critical | K42175594 | MPTCP or SSL traffic handling may cause a BIG-IP outage |
557358-5 | 2-Critical | | TMM SIGSEGV and crash when memory allocation fails. |
423629-3 | 2-Critical | K08454006 | bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted |
653201 | 3-Major | | Update the default CA certificate bundle file to the latest version and remove expiring certificates from it |
651106 | 3-Major | | Memory leak on non-primary bigd with changing node IPs |
649571-1 | 3-Major | | Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello |
648990 | 3-Major | | Serverside SSL renegotiation does not occur after block cipher data limit is exceeded |
641512-4 | 3-Major | K51064420 | DNSSEC key generations fail with lots of invalid SSL traffic |
632324-2 | 3-Major | | PVA stats do not show correct connection number |
629412-3 | 3-Major | | BIG-IP closes a connection when a maximum size window is attempted |
627246-1 | 3-Major | K09336400 | TMM memory leak when ASM policy configured on virtual server |
626386-1 | 3-Major | K28505256 | SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled |
626106-3 | 3-Major | | LTM Policy with illegal rule name loses its conditions and actions during upgrade★ |
625106-2 | 3-Major | | Policy Sync can fail over a lossy network |
624616-1 | 3-Major | | SafeNet uninstall is unable to remove libgem.so |
620625-2 | 3-Major | K38094257 | Changes to the Connection.VlanKeyed db key may not immediately apply |
620079-3 | 3-Major | | Removing route-domain may cause monitors to fail |
619849-4 | 3-Major | | In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled. |
618430-2 | 3-Major | | iRules LX data not included in qkview |
618428 | 3-Major | | iRules LX - Debug mode does not function in dedicated mode |
618254-4 | 3-Major | | Non-zero route domain is not always used in HTTP explicit proxy |
617858-2 | 3-Major | | bigd core when using Tcl monitors |
616022-2 | 3-Major | K46530223 | The BIG-IP monitor process fails to process timeout conditions |
613326-1 | 3-Major | | SASP monitor improvements |
612694-5 | 3-Major | | TCP::close with no pool member results in zombie flows |
610429-5 | 3-Major | | X509::cert_fields iRule command may leak memory with subpubkey argument |
610302-1 | 3-Major | | Link throughput graphs might be incorrect. |
609244-4 | 3-Major | | tmsh show ltm persistence persist-records leaks memory |
608551-3 | 3-Major | | Half-closed congested SSL connections with unclean shutdown might stall. |
607152-1 | 3-Major | | Large WebSocket frames corrupted |
604496-4 | 3-Major | | SQL (Oracle) monitor daemon might hang. |
603979-4 | 3-Major | | Data transfer from the BIG-IP system self IP might be slow |
603723-2 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
603550-1 | 3-Major | K63164073 | Virtual servers that use both FastL4 and HTTP profiles at the same time will have incorrect syn cache stats. |
600827-8 | 3-Major | K21220807 | Stuck Nitrox crypto queue can erroneously be reported |
600593-1 | 3-Major | | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests |
600052-1 | 3-Major | GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system | |
599121-2 | 3-Major | K24036315 | Under heavy load, hardware crypto queues may become unavailable. |
592871-3 | 3-Major | Cavium Nitrox PX/III stuck queue diagnostics missing. | |
591666-3 | 3-Major | TMM crash in DNS processing on TCP virtual with no available pool members | |
589400-1 | 3-Major | K33191529 | With Nagle disabled, TCP does not send all of xfrags with size greater than MSS. |
584310-1 | 3-Major | K83393638 | TCP:Collect ignores the 'skip' parameter when used in serverside events |
584029-6 | 3-Major | Fragmented packets may cause tmm to core under heavy load | |
582769-1 | 3-Major | K99405272 | WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual |
579926-1 | 3-Major | HTTP starts dropping traffic for a half-closed connection when in passthrough mode | |
568543-4 | 3-Major | Syncookie mode is activated on wildcard virtuals | |
562267-3 | 3-Major | FQDN nodes do not support monitor alias destinations. | |
517756-6 | 3-Major | Existing connections can choose incorrect route when crossing non-strict route-domains | |
509858-5 | 3-Major | BIG-IP FastL4 profile vulnerability | |
419741-3 | 3-Major | Rare crash with vip-targeting-vip and stale connections on VIPRION platforms | |
352957-4 | 3-Major | K03005026 | Route lookup after change in route table on established flow ignores pool members |
660170-1 | 4-Minor | K28505910 | tmm may crash at ~75% of VLAN failsafe timeout expiration |
631862-1 | 4-Minor | K32107573 | Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk |
618517-1 | 4-Minor | K61255401 | bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring |
611161-3 | 4-Minor | K28540353 | VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default. |
587966-1 | 4-Minor | K77283304 | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
583943-1 | 4-Minor | K27491104 | Forward proxy does not work when netHSM is configured on TMM interfaces |
574020-5 | 4-Minor | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
621115-1 | 2-Critical | | IP/IPv6 TTL/hoplimit may not be preserved for host traffic |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
642039-2 | 2-Critical | K20140595 | TMM core when persist is enabled for wideip with certain iRule commands triggered. |
584374-2 | 2-Critical | K67622400 | iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address. |
642330-2 | 3-Major | | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
640903-1 | 3-Major | | Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen |
632423-4 | 3-Major | K40256229 | DNS::query can cause tmm crash if AXFR/IXFR types specified. |
629530-2 | 3-Major | K53675033 | Under certain conditions, monitors do not time out. |
628897-1 | 3-Major | | Add Hyperlink to gslb server and vs on the Pool Member List Page |
625671-4 | 3-Major | | The diagnostic tool dnsxdump may crash with non-standard DNS RR types. |
624876-1 | 3-Major | | Response Policy Zones can trigger even after entry removed from zone |
624193-2 | 3-Major | | Topology load balancing not working as expected |
623023-1 | 3-Major | | Unable to set DNS Topology Continent to Unknown via GUI |
621239-2 | 3-Major | | Certain DNS queries bypass DNS Cache RPZ filter. |
620215-5 | 3-Major | | TMM out of memory causes core in DNS cache |
619398-7 | 3-Major | | TMM out of memory causes core in DNS cache |
612769-1 | 3-Major | K33842313 | Hard to use search capabilities on the Pool Members Manage page. |
601180-2 | 3-Major | K73505027 | Link Controller base license does not allow DNS namespace iRule commands.★ |
567743-2 | 3-Major | K70663134 | Possible gtmd crash under certain conditions. |
557434-4 | 3-Major | | After setting a Last Resort Pool on a Wide IP, cannot reset back to None |
366695-1 | 5-Cosmetic | | Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
646511-1 | 2-Critical | | BD crashes repeatedly after interrupted roll-forward upgrade★ |
636397-1 | 2-Critical | | bd cores with persistent storage configured and under some memory conditions. |
634001-2 | 2-Critical | | ASM restarts after deleting a VS that has an ASM security policy assigned to it |
627117-1 | 2-Critical | | Crash with wrong certificate in WSS |
625783-1 | 2-Critical | | Chassis sync fails intermittently due to sync file backlog |
618771-1 | 2-Critical | | Some Social Security Numbers are not being masked |
601378-2 | 2-Critical | | Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons |
584082-3 | 2-Critical | | BD daemon crashes unexpectedly |
540928-1 | 2-Critical | | Memory leak due to unnecessary logging profile configuration updates. |
640824-1 | 3-Major | K20770267 | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ |
635754-1 | 3-Major | K65531575 | Wildcard URL pattern match works incorrectly in Traffic Learning |
632344-2 | 3-Major | | POP DIRECTIONAL FORMATTING causes false positive |
632326-2 | 3-Major | K52814351 | relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation |
631737-1 | 3-Major | K61367823 | ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations |
630929-1 | 3-Major | K69767100 | Attack signature exception list upload times out and fails |
627360-1 | 3-Major | | Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★ |
626438-1 | 3-Major | | Frame is not showing in the browser and/or an error appears |
625832-4 | 3-Major | | A false positive modified domain cookie violation |
622913-2 | 3-Major | | Audit Log filled with constant change messages |
621524-2 | 3-Major | | Processing Timeout When Viewing a Request with 300+ Violations |
620635-2 | 3-Major | | Request having upper case JSON login parameter is not detected as a failed login attempt |
614563-3 | 3-Major | | AVR TPS calculation is inaccurate |
611151-2 | 3-Major | | An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive |
608245 | 3-Major | | Reporting missing parameter details when attack signature is matched against parameter value |
583024-1 | 3-Major | | TMM rarely restarts during startup |
581406-1 | 3-Major | | SQL Error on Peer Device After Receiving ASM Sync in a Device Group |
580168-4 | 3-Major | | Information missing from ASM event logs after a switchboot and switchboot back |
576591-6 | 3-Major | | Support for some future credit card number ranges |
572885-1 | 3-Major | | Policy automatic learning mode changes to manual after failover |
392121-3 | 3-Major | | TMSH Command to retrieve the memory consumption of the bd process |
642874-1 | 4-Minor | K15329152 | Ready to be Enforced filter for Policy Signatures returns too many signatures |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
634215-1 | 2-Critical | | False detection of attack after restarting dosl7d |
573764-1 | 2-Critical | | In some cases, only primary blade retains its statistics after upgrade on multi-bladed system |
642221-2 | 3-Major | | Incorrect entity is used when exporting TCP analytics from GUI |
641574 | 3-Major | K06503033 | AVR doesn't report on virtual and client IP in DNS statistics |
635561-1 | 3-Major | | Heavy URLs statistics are not shown after upgrade. |
631722 | 3-Major | | Some HTTP statistics not displayed after upgrade |
631131-3 | 3-Major | | Some tmstat-adapters based reports stats are incorrect |
605010-1 | 3-Major | | Thrift::TException error |
560114-6 | 3-Major | | Monpd is being affected by an I/O issue which makes some of its threads freeze |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
645339-2 | 1-Blocking | | TMM may crash when processing APM data |
637308-8 | 2-Critical | K41542530 | apmd may crash when HTTP Auth agent is used in an Access Policy |
632005-1 | 2-Critical | | BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes |
622244-2 | 2-Critical | | Edge client can fail to upgrade when always connected is selected |
617310-2 | 2-Critical | | Edge client can fail to upgrade when Always Connected is selected★ |
614322-1 | 2-Critical | K31063537 | TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway |
608424-2 | 2-Critical | | Dynamic ACL agent error log message contains garbage data |
608408-2 | 2-Critical | | TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library |
593078-1 | 2-Critical | | CATEGORY::filetype command may cause tmm to crash and restart |
643547-1 | 3-Major | K43036745 | APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP |
638799-1 | 3-Major | | Per-request policy branch expression evaluation fails |
638780-3 | 3-Major | | Handle 302 redirects for VMware Horizon View HTML5 client |
636044-1 | 3-Major | K68018520 | Large number of glob patterns affects custom category lookup performance |
634576 | 3-Major | K48181045 | TMM core in per-request policy |
634252 | 3-Major | K99114539 | TMM crash with per-request policy in SWG explicit |
632504-1 | 3-Major | K31277424 | APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list |
632499-1 | 3-Major | K70551821 | APM Policy Sync: Resources under webtop section are not sync'ed automatically |
632472-1 | 3-Major | | Frequently logged "Silent flag set - fail" messages |
632386-1 | 3-Major | | EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists |
630571-1 | 3-Major | K35254214 | Edge Client on Mac OSX Sierra stuck in a reconnect loop |
629801-2 | 3-Major | | Access policy is applied automatically on target device after policy sync, when there is also a FODG in the trust domain. |
629698-1 | 3-Major | | Edge client stuck on "Initializing" state |
629069-2 | 3-Major | | Portal Access may delete scripts from HTML page in some cases |
628687-2 | 3-Major | | Edge Client reconnection issues with captive portal |
628685-2 | 3-Major | K79361498 | Edge Client shows several security warnings after roaming to a network with Captive Portal |
627972-2 | 3-Major | K11327511 | Unable to save advanced customization when using Exchange iApp |
627059-1 | 3-Major | | In some rare cases TMM may crash while handling VMware View client connection |
626910-1 | 3-Major | | Policy with assigned SAML Resource is exported with error |
625474-1 | 3-Major | | POST request body is not saved in session variable by access when request is sent using edge client |
625159-1 | 3-Major | | Policy sync status not shown on standby device in HA case |
624966-2 | 3-Major | | Edge client starts new APM session when Captive portal session expires |
623562-3 | 3-Major | | Large POSTs rejected after policy already completed |
622790-1 | 3-Major | | EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP |
621976-4 | 3-Major | | OneDrive for Business thick client shows javascript errors when rendering APM logon page |
621974-4 | 3-Major | | Skype For Business thick client shows javascript errors when rendering APM logon page |
621447-1 | 3-Major | | In some rare cases, VDI may crash |
621210-2 | 3-Major | | Policy sync shows as aborted even if it is completed |
621126-2 | 3-Major | | Import of config with saml idp connector with reuse causes certificate not found error |
620829-2 | 3-Major | K34213161 | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
620801-3 | 3-Major | | Access Policy is not able to check device posture for Android 7 devices |
620614-4 | 3-Major | | Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account |
619879-1 | 3-Major | | HTTP iRule commands could lead to WEBSSO plugin being invoked |
619811-2 | 3-Major | | Machine Cert OCSP check fails with multiple Issuer CA |
619486-3 | 3-Major | | Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self |
619473-2 | 3-Major | | Browser may hang at APM session logout |
618170-3 | 3-Major | | Some URL unwrapping functions can behave badly |
617063-1 | 3-Major | | After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel |
617002-1 | 3-Major | | SWG with Response Analytics agent in a Per-Request policy fails with some URLs |
616838-3 | 3-Major | | Citrix Remote desktop resource custom parameter name does not accept hyphen character |
615970-1 | 3-Major | | SSO logging level may cause failover |
615254-2 | 3-Major | | Network Access Launch Application item fails to launch in some cases |
612419-1 | 3-Major | | APM - suspected memory leak (umem_alloc_32/network access (variable)) |
611968-3 | 3-Major | | JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow |
611669-4 | 3-Major | | Mac Edge Client customization is not applied on macOS 10.12 Sierra |
610180-2 | 3-Major | | Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin. |
597214-5 | 3-Major | | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
595819-1 | 3-Major | | Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached |
595272-1 | 3-Major | | Edge client may show a window displaying plain text in some cases |
591246-1 | 3-Major | | Unable to launch View HTML5 connections in non-zero route domain virtual servers |
584582-1 | 3-Major | | JavaScript: 'baseURI' property may be handled incorrectly |
570217-2 | 3-Major | | BIG-IP APM now uses Airwatch v2 API to retrieve device posture information |
533956-3 | 3-Major | K30515450 | Portal Access: Space-like characters in EUC character sets may be handled incorrectly. |
503842-4 | 3-Major | | Microsoft WebService HTML component does not work after rewriting |
640521-1 | 4-Minor | | EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices |
636254-2 | 4-Minor | | Cannot reinitiate a sync on a target device when sync is completed |
618404-1 | 4-Minor | | Access Profile copying might be invalid if policies are named series of names. |
606257-3 | 4-Minor | K56716107 | TCP FIN sent with Connection: Keep-Alive header for webtop page resources |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
630661-2 | 3-Major | K30241432 | WAM may leak memory when a WAM policy node has multiple variation header rules |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
644970-1 | 2-Critical | | Editing a virtual server config loses SSL encryption on iSession connections |
644489-1 | 3-Major | K14899014 | Unencrypted iSession connection established even though data-encrypt configured in profile |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
639236-1 | 2-Critical | K66947004 | Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute |
624023-3 | 2-Critical | | TMM cores in iRule when accessing a SIP header that has no value |
569316-1 | 2-Critical | | Core occurs on standby in MRF when routing to a route using a transport config |
649933-1 | 3-Major | | Fragmented RADIUS messages may be dropped |
629663-1 | 3-Major | K23210890 | CGNAT SIP ALG will drop SIP INVITE |
625542-1 | 3-Major | | SIP ALG with Translation fails for REGISTER refresh. |
625098-3 | 3-Major | | SCTP::local_port iRule not supported in MRF events |
601255-4 | 3-Major | | RTSP response to SETUP request has incorrect client_port attribute |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
632731-2 | 2-Critical | K21964367 | specific external logging configuration can cause TMM service restart |
628623-1 | 2-Critical | | tmm core with AFM provisioned |
639193-1 | 3-Major | K03453591 | For HA BIG-IP devices, deleting parent policy causes sync to fail. |
631025-1 | 3-Major | | 500 internal error on inline rule editor for certain firewall policies |
610129-3 | 3-Major | K43320840 | Config load failure when cluster management IP is not defined, but instead uses address-list. |
592113-5 | 3-Major | | tmm core on the standby unit with dos vectors configured |
590805-4 | 3-Major | | Active Rules page displays a different time zone. |
431840-3 | 3-Major | | Cannot add vlans to whitelist if they contain a hyphen |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
627257-2 | 2-Critical | | Potential PEM crash during a Gx operation |
626851-2 | 2-Critical | K37665112 | Potential crash in a multi-blade chassis during CMP state changes. |
624744-1 | 2-Critical | | Potential crash in a multi-blade chassis during CMP state changes. |
624733-1 | 2-Critical | | Potential crash in a multi-blade chassis during CMP state changes. |
624228-1 | 2-Critical | | Memory leak when using insert action in pem rule and flow gets aborted |
623922-5 | 2-Critical | K64388805 | TMM failure in PEM while processing Service-Provider Disaggregation |
641482-2 | 3-Major | | Subscriber remains in delete pending state until CCR-t ack has success as result code is received |
640510-3 | 3-Major | | BWC policy category attachment may fail during a PEM policy update for a subscriber. |
640457-2 | 3-Major | | Session Creation failure after HA |
635233-3 | 3-Major | K80902149 | Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages |
630611-1 | 3-Major | K84324392 | PEM module crash when subscriber not found |
627798-3 | 3-Major | | Buffer length check for quota bucket objects |
627279-2 | 3-Major | | Potential crash in a multi-blade chassis during CMP state changes. |
623927-2 | 3-Major | K41337253 | Flow entry memory leaked after DHCP DORA process |
564281-3 | 3-Major | | TMM (debug) assert seen during Failover with Gy |
628869-4 | 4-Minor | | Unconditional logs seen due to the presence of a PEM iRule. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
609788 | 2-Critical | | PCP may pick an endpoint outside the deterministic mapping |
642284 | 3-Major | | Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption. |
629871-2 | 3-Major | | FTP ALG deployment should not rewrite PASV response 464 XLAT cases |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
639750-1 | 2-Critical | | username aliases are not supported |
636370 | 3-Major | | Application Layer Encryption AJAX support |
629627-1 | 3-Major | | FPS Log Publisher is not grouped nor filtered by partition |
629127-1 | 3-Major | | Parent profiles cannot be saved using FPS GUI |
628348-1 | 3-Major | | Cannot configure any Mobile Security list having 11 records or more via the GUI |
628337-1 | 3-Major | | Forcing a single injected tag configuration is restrictive |
625275-1 | 3-Major | | Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI |
624198-1 | 3-Major | | Unable to add multiple User-Defined alerts with the same search category |
623518-1 | 3-Major | | Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition |
594127-2 | 3-Major | | Pages using Angular may hang when Websafe is enabled |
635541 | 4-Minor | | "Application CSS Locations" is not inherited if changing parent profile |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
625172-1 | 2-Critical | | tmm crashes when classification is enabled and ftp traffic is flowing through the box |
631472-1 | 3-Major | | Resetting classification signatures to default may result in non-working configuration |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
606518-3 | 2-Critical | K00762373 | iControl REST with 3rd party auth does not function as expected with special characters in the username e.g., '$', '@' / email addresses as username. |
642983-1 | 3-Major | K94534313 | Update to max message size limit doesn't work sometimes |
629845-2 | 3-Major | | Disallowing TLSv1 connections to HTTP causes iControl/REST issues |
626542-2 | 3-Major | | Unable to set maxMessageBodySize in iControl REST after upgrade★ |
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
618306-2 | CVE-2016-9247 | K33500120 | TMM vulnerability CVE-2016-9247 |
616864-1 | CVE-2016-2776 | K18829561 | BIND vulnerability CVE-2016-2776 |
613282-2 | CVE-2016-2086, CVE-2016-2216, CVE-2016-1669 | K15311661 | NodeJS vulnerability CVE-2016-2086 |
611469-3 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
597394-2 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
591328-7 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591325-8 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 |
591042-17 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
560109-7 | CVE-2017-6160 | K19430431 | Client capabilities failure |
618549-1 | CVE-2016-9249 | K71282001 | Fast Open can cause TMM crash CVE-2016-9249 |
618263-1 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
614147-1 | CVE-2017-6157 | K02692210 | SOCKS proxy defect resolution |
614097-1 | CVE-2017-6157 | K02692210 | HTTP Explicit proxy defect resolution |
607314-1 | CVE-2016-3500 CVE-2016-3508 | K25075696 | Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508 |
605039-3 | CVE-2016-2775 | K92991044 | lwresd and bind vulnerability CVE-2016-2775 |
601059-6 | CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 | K14614344 | libxml2 vulnerability CVE-2016-1840 |
599536-1 | CVE-2017-6156 | K05263202 | IPsec peer with wildcard selector brings up wrong phase2 SAs |
597023-1 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
595242-1 | CVE-2016-3705 | K54225343 | libxml2 vulnerabilities CVE-2016-3705 |
595231-1 | CVE-2016-3627 | K54225343 | libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705 |
594496-1 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
593447-1 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
592485 | CVE-2015-5157 CVE-2015-8767 | K17326 | Linux kernel vulnerability CVE-2015-5157 |
592001-1 | CVE-2016-4071 CVE-2016-4073 | K64412100 | CVE-2016-4073 PHP vulnerabilities |
591455-7 | CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 | K24613253 | NTP vulnerability CVE-2016-2516 |
591447-1 | CVE-2016-4070 | K42065024 | PHP vulnerability CVE-2016-4070 |
591358-1 | CVE-2016-3425 CVE-2016-0695 CVE-2016-3427 | K81223200 | Oracle Java SE vulnerability CVE-2016-3425 |
585424-1 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
580747-1 | CVE-2016-0739 | K57255643 | libssh vulnerability CVE-2016-0739 |
557190-3 | CVE-2017-6166 | K65615624 | 'packet_free: double free!' tmm core |
597010-1 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
596997-1 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
591767-8 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
591438-7 | CVE-2015-8865 | K54924436 | PHP vulnerability CVE-2015-8865 |
575629-3 | CVE-2015-8139 | K00329831 | NTP vulnerability: CVE-2015-8139 |
573343-1 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
615377-3 | 3-Major | | Unexpected rate limiting of unreachable and ICMP messages for some addresses. |
590122-2 | 3-Major | | Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification. |
581438-2 | 3-Major | | Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision. |
561348-7 | 3-Major | | krb5.conf file is not synchronized between blades and not backed up |
541549-2 | 3-Major | | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
530109-3 | 3-Major | | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
246726-1 | 3-Major | K8940 | System continues to process virtual server traffic after disabling virtual address |
225634-1 | 3-Major | | The rate class feature does not honor the Burst Size setting. |
599839-3 | 4-Minor | | Add new keywords to SIP::persist command to specify how Persistence table is updated |
591733-4 | 4-Minor | K83175883 | Save on Auto-Sync is missing from the configuration utility. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
625784 | 1-Blocking | | TMM crash on i4x00 and i2x00 platforms with large ASM configuration. |
617622 | 1-Blocking | | In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure |
621422 | 2-Critical | | i2000 and i4000 series appliances do not warn when an incorrect optic is in a port |
620056-1 | 2-Critical | | Assert on deletion of paired in-and-out IPsec traffic selectors |
617935 | 2-Critical | | IKEv2 VPN tunnels fail to establish |
617481-1 | 2-Critical | | TMM can crash when HTML minification is configured |
614865-5 | 2-Critical | | Overwrite flag in iControl key/certificate_import_from_pem functions is ignored and might result in errors. |
610354-1 | 2-Critical | | TMM crash on invalid memory access to loopback interface stats object |
605476-3 | 2-Critical | | statsd can core when reading corrupt stats files. |
601527-4 | 2-Critical | | mcpd memory leak and core |
600894-1 | 2-Critical | | In certain situations, the MCPD process can leak memory |
598748 | 2-Critical | | IPsec AES-GCM IVs are now based on a monotonically increasing counter |
598697-1 | 2-Critical | | vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★ |
595712-1 | 2-Critical | | Not able to add remote user locally |
591495-2 | 2-Critical | | VCMP guests sflow agent can crash due to duplicate vlan interface indices |
591104-1 | 2-Critical | | ospfd cores due to an incorrect debug statement. |
588686 | 2-Critical | | High-speed logging to remote logging node stops sending logs after all logging nodes go down |
587698-3 | 2-Critical | | bgpd crashes when ip extcommunity-list standard with route target (rt) and Site-of-origin (soo) parameters are configured |
585745-2 | 2-Critical | | sod core during upgrade from 10.x to 12.x. |
583936-5 | 2-Critical | | Removing ECMP route from BGP does not clear route from NSM |
557680-4 | 2-Critical | | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
355806-7 | 2-Critical | | Starting mcpd manually at the command line interferes with running mcpd |
622877-1 | 3-Major | | i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away |
622199 | 3-Major | | sys-icheck reports error with /var/lib/waagent |
622194 | 3-Major | | sys-icheck reports error with ssh_host_rsa_key |
621423 | 3-Major | | sys-icheck reports error with /config/ssh/ssh_host_dsa_key |
621242-1 | 3-Major | | Reserve enough space in the image for future upgrades. |
621225 | 3-Major | | LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0" |
620782 | 3-Major | | Azure cloud now supports hourly billing |
619410-1 | 3-Major | | TMM hardware accelerated compression not registering for all compression levels. |
617986-2 | 3-Major | | Memory leak in snmpd |
617229-1 | 3-Major | K54245014 | Local policy rule descriptions disappear when policy is re-saved |
616242-3 | 3-Major | K39944245 | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
614530-2 | 3-Major | | Dynamic ECMP routes missing from Linux host |
614180-1 | 3-Major | | ASM is not available in LTM policy when ASM is licensed as the main active module |
610441-3 | 3-Major | | When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received. |
610352-1 | 3-Major | | sys-icheck reports error with /etc/sysconfig/modules/unic.modules |
610350-1 | 3-Major | | sys-icheck reports error with /config/bigpipe/defaults.scf |
610273-3 | 3-Major | | Not possible to do targeted failover with HA Group configured |
605894-3 | 3-Major | | Remote authentication for BIG-IP users can fail |
603149-2 | 3-Major | | Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy |
602854-8 | 3-Major | | Missing ASM control option from LTM policy rule screen in the Configuration utility |
602502-2 | 3-Major | | Unable to view the SSL Cert list from the GUI |
601989-3 | 3-Major | K88516119 | Remote LDAP system authenticated username is case sensitive★ |
601893-2 | 3-Major | K89212666 | TMM crash in bwc_ctb_instance_recharge because pkts_avg_size is zero. |
601502-4 | 3-Major | | Excessive OCSP traffic |
600558-5 | 3-Major | | Errors logged after deleting user in GUI |
599816-2 | 3-Major | | Packet redirections occur when using VLAN groups with members that have different cmp-hash settings. |
598443-1 | 3-Major | | Temporary files from TMSH not being cleaned up intermittently. |
598039-6 | 3-Major | | MCP memory may leak when performing a wildcard query |
597729-5 | 3-Major | | Errors logged after deleting user in GUI |
596104-1 | 3-Major | K84539934 | HA trunk unavailable for vCMP guest★ |
595773-4 | 3-Major | | Cancellation requests for chunked stats queries do not propagate to secondary blades |
594426-2 | 3-Major | | Audit forwarding Radius packets may be rejected by Radius server |
592870-2 | 3-Major | | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
592344-2 | 3-Major | | NTP Security Updates |
592320-5 | 3-Major | | ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1 |
589083-2 | 3-Major | | TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors. |
586878-4 | 3-Major | | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ |
585833-3 | 3-Major | Qkview will abort if /shared partition has less than 2GB free space | |
585547-1 | 3-Major | NTP configuration items are no longer collected by qkview★ | |
585485-3 | 3-Major | Interoperability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system | |
584583-3 | 3-Major | K18410170 | Timeout error when using the REST API to retrieve large amount of data |
583285-5 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
582084-1 | 3-Major | BWC policy in device sync groups. | |
580500-1 | 3-Major | /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed. | |
578551-5 | 3-Major | bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot | |
576305-7 | 3-Major | Potential MCPd leak in IPSEC SPD stats query code | |
575649-5 | 3-Major | MCPd might leak memory in IPFIX destination stats query | |
575591-6 | 3-Major | Potential MCPd leak in IKE message stats query code | |
575589-5 | 3-Major | Potential MCPd leak in IKE event stats query code | |
575587-7 | 3-Major | Potential MCPd leak in BWC policy class stats query code | |
575176-1 | 3-Major | K58275035 | Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic |
575066-1 | 3-Major | Management DHCP settings do not take effect | |
570818-4 | 3-Major | Address lease-pool in IKEv2 might interfere with IKEv2 negotiations. | |
568672-1 | 3-Major | Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI | |
566507-4 | 3-Major | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment | |
553795-7 | 3-Major | Differing cert/key after successful config-sync | |
547479-5 | 3-Major | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted | |
546145-1 | 3-Major | Creating local user for previously remote user results in incomplete user definition. | |
540872-1 | 3-Major | Config sync fails after creating a partition. | |
527206-5 | 3-Major | Management interface may flap due to LOP sync error | |
393270-1 | 3-Major | Configuration utility may become non-responsive or fail to load. | |
618421 | 4-Minor | Some mass storage is left un-used | |
617124 | 4-Minor | Cannot map hardware type (12) to HardwareType enumeration | |
581835-1 | 4-Minor | Command failing: tmsh show ltm virtual vs_name detail. | |
567546-1 | 4-Minor | Files with file names larger than 100 characters are omitted from qkview | |
564771-1 | 4-Minor | cron sends purge_mysql_logs.pl email error on LTM-only device | |
564522-2 | 4-Minor | K40547220 | cron is configured with MAILTO=root but mailhost defaults to 'mail' |
559837-4 | 4-Minor | Misleading error message in catalina.out when listing certificates. | |
551349-5 | 4-Minor | K80203854 | Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★ |
460833-5 | 4-Minor | MCPD sync errors and restart after multiple modifications to file object in chassis | |
572133-5 | 5-Cosmetic | tmsh save /sys ucs command sends status messages to stderr | |
442231-4 | 5-Cosmetic | Pendsect log entries have an unexpected severity |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618905-1 | 1-Blocking | tmm core while installing Safenet 6.2 client | |
616215-4 | 2-Critical | TMM can core when using LB::detach and TCP::notify commands in an iRule | |
615388-1 | 2-Critical | L7 policies using normalized HTTP URI or Referrer operands may corrupt memory | |
612229-1 | 2-Critical | TMM may crash if a disable action in an 'LTM Policy' is not last | |
609628-2 | 2-Critical | CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session | |
609199-6 | 2-Critical | Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join | |
608555-1 | 2-Critical | Configuring asymmetric routing with a VE rate limited license will result in tmm crash | |
607724-2 | 2-Critical | K25713491 | TMM may crash when in Fallback state. |
607524-2 | 2-Critical | Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down. | |
607360-5 | 2-Critical | Safenet 6.2 library missing after upgrade★ | |
606573-3 | 2-Critical | FTP traffic does not work through SNAT when configured without Virtual Server★ | |
605865-4 | 2-Critical | Debug TMM produces core on certain ICMP PMTUD packets | |
604133-2 | 2-Critical | Ramcache may leave the HTTP Cookie Cache in an inconsistent state | |
603032-1 | 2-Critical | clientssl profiles with sni-default enabled may leak X509 objects | |
602326-1 | 2-Critical | Intermittent pkcs11d core when stopping or restarting pkcs11d service | |
599135-2 | 2-Critical | B2250 blades may suffer from high TMM CPU utilisation with tcpdump | |
588959-2 | 2-Critical | K34453301 | TMM may crash or behave abnormally on a Standby BIG-IP unit |
588351-5 | 2-Critical | IPv6 fragments are dropped when packet filtering is enabled. | |
586449-1 | 2-Critical | Incorrect error handling in HTTP cookie results in core when TMM runs out of memory | |
584213-1 | 2-Critical | Transparent HTTP profiles cannot have iRules configured | |
575011-1 | 2-Critical | K21137299 | Memory leak. Nitrox3 Hang Detected. |
574880-3 | 2-Critical | Excessive failures observed when connection rate limit is configured on a fastl4 virtual server. | |
549329-3 | 2-Critical | K02020031 | L7 mirrored ACK from standby to active box can cause tmm core on active |
545810-3 | 2-Critical | K14304373 | TMM halts and restarts |
459671-4 | 2-Critical | iRules source different procs from different partitions and executes the incorrect proc. | |
617862-2 | 3-Major | Fastl4 handshake timeout is absolute instead of relative | |
617824-3 | 3-Major | "SSL::disable/enable serverside" + oneconnect reuse is broken | |
615143-1 | 3-Major | VDI plugin-initiated connections may select inappropriate SNAT address | |
613429-2 | 3-Major | Unable to assign wildcard wide IPs to various BIG-IP DNS objects. | |
613369-4 | 3-Major | Half-Open TCP Connections Not Discoverable | |
613079-4 | 3-Major | Diameter monitor watchdog timeout fires after only 3 seconds | |
613065-1 | 3-Major | User can't generate netHSM key with Safenet 6.2 client using GUI | |
612040-4 | 3-Major | Statistics added for all crypto queues | |
611320-3 | 3-Major | Mirrored connection on Active unit of HA pair may be unexpectedly torn down | |
610609-3 | 3-Major | Total connections in bigtop, SNMP are incorrect | |
608024-3 | 3-Major | Unnecessary DTLS retransmissions occur during handshake. | |
607803-3 | 3-Major | K33954223 | DTLS client (serverssl profile) fails to complete resumed handshake. |
607304-5 | 3-Major | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. | |
606940-3 | 3-Major | Clustered Multiprocessing (CMP) peer connection may not be removed | |
606575-6 | 3-Major | Request-oriented OneConnect load balancing ends when the server returns an error status code. | |
606565-2 | 3-Major | K52231531 | TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection |
604977-2 | 3-Major | K08905542 | Wrong alert when DTLS cookie size is 32 |
603236-1 | 3-Major | 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware | |
602385-1 | 3-Major | Add zLib compression | |
602366-1 | 3-Major | Safenet 6.2 HA performance | |
602358-5 | 3-Major | BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version | |
601496-4 | 3-Major | iRules and OCSP Stapling | |
601178-6 | 3-Major | HTTP cookie persistence 'preferred' encryption | |
598874-2 | 3-Major | GTM Resolver sends FIN after SYN retransmission timeout | |
597978-2 | 3-Major | GARPs may be transmitted by active going offline | |
597879-1 | 3-Major | CDG Congestion Control can lead to instability | |
597532-1 | 3-Major | iRule: RADIUS avp command returns a signed integer | |
597089-8 | 3-Major | Connections are terminated after 5 seconds when using ePVA full acceleration | |
593530-6 | 3-Major | K26430211 | In rare cases, connections may fail to expire |
592784-2 | 3-Major | Compression stalls, does not recover, and compression facilities cease. | |
592497-1 | 3-Major | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. | |
591659-5 | 3-Major | K47203554 | Server shutdown is propagated to client after X-Cnection: close transformation. |
591476-7 | 3-Major | K53220379 | Stuck crypto queue can erroneously be reported |
591343-5 | 3-Major | K03842525 | SSL::sessionid output is not consistent with the sessionid field of ServerHello message. |
589223-1 | 3-Major | TMM crash and core dump when processing SSL protocol alert. | |
588115-1 | 3-Major | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw | |
588089-3 | 3-Major | SSL resumed connections may fail during mirroring | |
587016-3 | 3-Major | SIP monitor in TLS mode marks pool member down after positive response. | |
585813-3 | 3-Major | K22111214 | SIP monitor with TLS mode fails to find cert and key files. |
585412-4 | 3-Major | SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines | |
583957-6 | 3-Major | The TMM may hang handling pipelined HTTP requests with certain iRule commands. | |
582465-1 | 3-Major | Cannot generate key after SafeNet HSM is rebooted | |
580303-5 | 3-Major | When going from active to offline, tmm might send a GARP for a floating address. | |
579843-1 | 3-Major | tmrouted may not re-announce routes after a specific succession of failover states | |
579371-4 | 3-Major | K70126130 | BIG-IP may generate ARPs after transition to standby |
578951-2 | 3-Major | TCP Fast Open connection timeout during handshake does not decrement pre_established_connections | |
572281-5 | 3-Major | Variable value in the nested script of a foreach command gets reset when there is a parking command in the script | |
570057-2 | 3-Major | Can't install more than 16 SafeNet HSMs in its HA group | |
569288-6 | 3-Major | Different LACP key may be used in different blades in a chassis system causing trunking failures | |
565799-4 | 3-Major | CPU Usage increases when using masquerade addresses | |
551208-6 | 3-Major | Nokia alarms are not deleted due to the outdated alert_nokia.conf. | |
550161-4 | 3-Major | Networking devices might block a packet that has a TTL value higher than 230. | |
545796-5 | 3-Major | [iRule] [Stats] iRule is not generating any stats for executed iRules. | |
545450-5 | 3-Major | Log activation/deactivation of TM.TCPMemoryPressure | |
537553-8 | 3-Major | tmm might crash after modifying virtual server SSL profiles in SNI configuration | |
534457-4 | 3-Major | Dynamically discovered routes might fail to remirror connections. | |
530266-7 | 3-Major | Rate limit configured on a node can be exceeded | |
506543-5 | 3-Major | Disabled ephemeral pool members continue to receive new connections | |
483953-1 | 3-Major | Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value. | |
472571-7 | 3-Major | Memory leak with multiple client SSL profiles. | |
464801-3 | 3-Major | Intermittent tmm core | |
423392-6 | 3-Major | tcl_platform is no longer in the static:: namespace | |
371164-1 | 3-Major | BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs. | |
598860-4 | 4-Minor | IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address | |
587676-2 | 4-Minor | SMB monitor fails due to internal configuration issue | |
560471-1 | 4-Minor | Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down | |
544033-5 | 4-Minor | K30404012 | ICMP fragmentation request is ignored by BIG-IP |
222034-4 | 4-Minor | HTTP::respond in LB_FAILED with large header/body might result in truncated response |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
510631-1 | 3-Major | B4450 L4 No ePVA or L7 throughput lower than expected |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
603598-3 | 2-Critical | big3d memory under extreme load conditions | |
587656-2 | 2-Critical | GTM auto discovery problem with EHF for ID574052 | |
587617-1 | 2-Critical | While adding GTM server, failure to configure new IP on existing server leads to gtmd core | |
615338-2 | 3-Major | The value returned by "matchregion" in an iRule is inconsistent in some cases. | |
613576-1 | 3-Major | QOS load balancing links display as gray | |
613045-7 | 3-Major | Interaction between GTM and 10.x LTM results in some virtual servers marked down | |
607658-1 | 3-Major | GUI becomes unresponsive when managing GSLB Pool | |
589256-1 | 3-Major | K71283501 | DNSSEC NSEC3 records with different type bitmap for same name. |
588289-1 | 3-Major | GTM is Re-ordering pools when adding pool including order designation | |
584623-2 | 3-Major | Response to -list iRules command gets truncated when dealing with MX type wide IP | |
574052-4 | 3-Major | GTM autoconf can cause high CPU usage for gtmd | |
370131-4 | 3-Major | Loading UCS with low GTM Autoconf Delay drops pool Members from config |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
609499-1 | 2-Critical | Compiled signature collections use more memory than prior versions | |
603945-2 | 2-Critical | BD config update should be considered as config addition in case of update failure | |
588087-1 | 2-Critical | Attack prevention isn't escalating under some conditions in session opening mitigation | |
587629-2 | 2-Critical | IP exceptions may have issues with route domain | |
575133-1 | 2-Critical | asm_config_server_rpc_handler_async.pl SIGSEGV and core | |
622386-1 | 3-Major | Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled | |
621808-1 | 3-Major | Proactive Bot Defense failing in IE11 with Compatibility View enabled | |
616169 | 3-Major | ASM Policy Export returns HTML error file | |
613459-1 | 3-Major | Non-common browsers blocked by Proactive Bot Defense | |
613396-1 | 3-Major | Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs | |
611385-1 | 3-Major | "Learn Explicit Entities" may continue to work as if it is 'Add All Entities' | |
610857-1 | 3-Major | DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver. | |
610830-1 | 3-Major | FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page. | |
609496-2 | 3-Major | Improved diagnostics in BD config update (bd_agent) added | |
608509-1 | 3-Major | Policy learning is slow under high load | |
606875-1 | 3-Major | DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page | |
604923-5 | 3-Major | REST id for Signatures change after update | |
604612-1 | 3-Major | K20323120 | Modified ASM cookie violation happens after upgrade to 12.1.x★ |
602221-2 | 3-Major | Wrong parsing of redirect Domain | |
601924-1 | 3-Major | Selenium detection by ports scanning doesn't work even if the ports are opened | |
596502-1 | 3-Major | Unable to force Bot Defense action to Allow in iRule | |
584642-1 | 3-Major | Apply Policy Failure | |
584103-2 | 3-Major | FPS periodic updates (cron) write errors to log | |
582683-2 | 3-Major | xpath parser doesn't reset a namespace hash value between each and every scan | |
582133-1 | 3-Major | Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.) | |
581315-1 | 3-Major | Selenium detection not blocked | |
579917-1 | 3-Major | User-defined signature set cannot be created/updated with Signature Type = "All" | |
579495-1 | 3-Major | Error when loading Upgrade UCS★ | |
521204-2 | 3-Major | Include default values in XML Policy Export | |
501892-1 | 3-Major | Selenium is not detected by headless mechanism when using client version without server |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
602654-2 | 2-Critical | TMM crash when using AVR lookups | |
602434-1 | 2-Critical | Tmm crash with compressed response | |
601056 | 2-Critical | TCP-Analytics, error message not using rate-limit mechanism can halt TMM | |
622735 | 3-Major | TCP Analytics statistics do not list all virtual servers | |
618944-1 | 3-Major | AVR statistics are not saved during the upgrade process | |
601035 | 3-Major | TCP-Analytics can fail to collect all the activity |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618506 | 2-Critical | TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual. | |
618324-1 | 2-Critical | Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor | |
592868-3 | 2-Critical | Rewrite may crash processing HTML tag with HTML entity in attribute value | |
591117-3 | 2-Critical | APM ACL construction may cause TMM to core if TMM is out of memory | |
569563-3 | 2-Critical | Sockets resource leak after loading complex policy | |
619250-1 | 3-Major | Returning to main menu from "RSS Feed" breaks ribbon | |
617187-1 | 3-Major | APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate | |
614891-2 | 3-Major | Routing table doesn't get updated when EDGE client roams among wireless networks | |
613613-2 | 3-Major | Incorrect handling of form that contains a tag with id=action | |
611922-1 | 3-Major | Policy sync fails with policy that includes custom CA Bundle. | |
611240-3 | 3-Major | Import of config with securid might fail | |
610224-3 | 3-Major | APM client may fetch expired certificate when a valid and an expired certificate co-exist | |
608941-1 | 3-Major | AAA RADIUS system authentication fails on IPv6 network | |
604767-1 | 3-Major | Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of the IdP connector object. | |
601905-1 | 3-Major | POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server | |
600119-3 | 3-Major | DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions | |
598981-3 | 3-Major | K06913155 | APM ACL does not get enforced all the time under certain conditions |
598211-1 | 3-Major | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. | |
597431-2 | 3-Major | VPN establishment may fail when computer wakes up from sleep | |
596116-3 | 3-Major | LDAP Query does not resolve group membership, when required attribute(s) specified | |
595227-1 | 3-Major | SWG Custom Category: unable to have a URL in multiple custom categories | |
594288-1 | 3-Major | Access profile configured with SWG Transparent results in memory leak. | |
592414-4 | 3-Major | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed | |
591840-1 | 3-Major | encryption_key in access config is NULL in whitelist | |
591590-1 | 3-Major | APM policy sync results are not persisted on target devices | |
591268-1 | 3-Major | VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions | |
590820-3 | 3-Major | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. | |
588888-3 | 3-Major | K80124134 | Empty URI rewriting is not done as required by browser. |
586718-1 | 3-Major | Session variable substitutions are logged | |
586006-1 | 3-Major | Failed to retrieve CRLDP list from client certificate if DirName type is present | |
585562-3 | 3-Major | VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari | |
583113-1 | 3-Major | NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event | |
582752-3 | 3-Major | Macrocall could be topologically not connected with the rest of policy.★ | |
582526-3 | 3-Major | Unable to display and edit huge policies (more than 4000 elements) | |
580893-2 | 3-Major | K08731969 | Support for Single FQDN usage with Citrix Storefront Integration mode |
573643-3 | 3-Major | flash.utils.Proxy functionality is not negotiated | |
572558-1 | 3-Major | Internet Explorer: incorrect handling of document.write() to closed document | |
569309-3 | 3-Major | Clientside HTML parser does not recognize HTML event attributes without value | |
562636-2 | 3-Major | K05489319 | Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases. |
525429-11 | 3-Major | DTLS renegotiation sequence number compatibility | |
455975-1 | 3-Major | Separate MIBS needed for tracking Access Sessions and Connectivity Sessions | |
389484-6 | 3-Major | OAM reporting Access Server down with JDK version 1.6.0_27 or later | |
386517-1 | 3-Major | Multidomain SSO requires a default pool be configured | |
238444-3 | 3-Major | K14219 | An L4 ACL has no effect when a layered virtual server is used. |
605627 | 4-Minor | Selinux denial seen for apmd when it is being shutdown. | |
584373-2 | 4-Minor | AD/LDAP resource group mapping table controls are not accessible sometimes | |
573611-1 | 4-Minor | Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs | |
557411-1 | 4-Minor | Full Webtop resources appear overlapping in IE11 compatibility mode |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
619757-1 | 2-Critical | iSession causes routing entry to be prematurely freed |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
613297-3 | 2-Critical | Default generic message routing profile settings may core | |
612135-3 | 2-Critical | Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic | |
603397-2 | 2-Critical | tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config | |
596631-2 | 2-Critical | SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later | |
609575-5 | 3-Major | BIG-IP drops ACKs containing no max-forwards header | |
609328-3 | 3-Major | K53447441 | SIP Parser incorrectly parses empty header |
607713-3 | 3-Major | SIP Parser fails header with multiple sequential separators inside quoted string. | |
603019-3 | 3-Major | Inserted SIP VIA branch parameter not unique between INVITE and ACK | |
599521-5 | 3-Major | Persistence entries not added if message is routed via an iRule | |
598854-3 | 3-Major | sipdb tool incorrectly displays persistence records without a pool name | |
598700-6 | 3-Major | MRF SIP Bidirectional Persistence does not work with multiple virtual servers | |
597835-3 | 3-Major | K12228503 | Branch parameter in inserted VIA header not consistent as per spec |
583010-4 | 3-Major | Sending a SIP invite with 'tel' URI fails with a reset | |
578564-4 | 3-Major | ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response | |
573075-4 | 3-Major | ADAPT recursive loop when handling successive iRule events | |
566576-6 | 3-Major | ICAP/OneConnect reuses connection while previous response is in progress | |
401815-1 | 3-Major | BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic | |
585807-2 | 4-Minor | 'ICAP::method <method>' iRule is documented but is read-only | |
561500-4 | 4-Minor | ICAP Parsing improvement |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
612874-1 | 2-Critical | iRule with FLOW_INIT stage execution can cause TMM restart | |
609095-1 | 2-Critical | mcpd memory grows when updating firewall rules | |
622281-1 | 3-Major | Network DoS logging configuration change can cause TMM crash | |
614284-2 | 3-Major | Performance fix to not reset a data structure in the packet receive hotpath. | |
608566-1 | 3-Major | The reference count of NW dos log profile in tmm log is incorrect | |
605427-1 | 3-Major | TMM may crash when adding and removing virtual servers with security log profiles | |
594869-4 | 3-Major | AFM can log DoS attack against the internal mpi interface and not the actual interface | |
594075-2 | 3-Major | Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically | |
586070 | 3-Major | 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings | |
585823-1 | 3-Major | FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode) |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
609005-2 | 1-Blocking | Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67). | |
611467-3 | 2-Critical | TMM coredump at dhcpv4_server_set_flow_key(). | |
608009-1 | 2-Critical | Crash: Tmm crashing when active system connections are deleted from cli | |
603825-2 | 2-Critical | Crash when a Gy update message is received by a debug TMM | |
593070-2 | 2-Critical | TMM may crash with multiple IP addresses per session | |
472860-5 | 2-Critical | RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented. | |
623491-2 | 3-Major | After receiving the first Gx response from the PCRF, the BWC action against a rule is lost. | |
622220-2 | 3-Major | Disruption during manipulation of PEM data with suspected flow irregularity | |
618657-4 | 3-Major | Bogus ICMP unreachable messages in PEM with ipother profile in use | |
617014-3 | 3-Major | tmm core using PEM | |
608742-2 | 3-Major | K48561135 | DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode. |
608591-1 | 3-Major | Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers | |
592070-5 | 3-Major | DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied | |
588456-3 | 3-Major | K60250444 | PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed). |
577863-5 | 3-Major | K56504204 | DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
606066-2 | 2-Critical | LSN_DELETE messages may be lost after HA failover | |
605525-1 | 2-Critical | Deterministic NAT combined with NAT64 may cause a TMM core | |
587106-1 | 2-Critical | Inbound connections are reset prematurely when zombie timeout is configured. | |
602171-1 | 3-Major | TMM may core when remote LSN operations time out |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
617648 | 2-Critical | Surfing with IE8 sometimes results in a script error | |
603234-3 | 2-Critical | Performance Improvements | |
597471 | 2-Critical | Some Alerts are sent with outdated username value | |
617688 | 3-Major | Encryption is not activated unless "real-time encryption" is selected | |
613671-2 | 3-Major | Error in the Console when a nonexistent parameter is configured with Encryption and Obfuscation | |
610897-2 | 3-Major | FPS generated request failure throws "unspecified error" in old IE. | |
609098-1 | 3-Major | Improve details of ajax failure | |
604885-1 | 3-Major | Redirect/Route action doesn't work if there is an alert logging iRule | |
601083-1 | 3-Major | FPS Globally Forbidden Words lists freeze in IE 11 | |
588058-3 | 3-Major | False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer | |
609114-1 | 4-Minor | Add the ability to control dropping of alerts by before-load-function | |
605125-2 | 4-Minor | Sometimes, password fields are read-only | |
592274-3 | 4-Minor | RAT-Detection alerts sent with incorrect duration details |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
588405-1 | 3-Major | BADOS - BIG-IP Self-protection during (D)DOS attack | |
608826-1 | 4-Minor | Greylist (bad actors list) is not cleaned when attack ends |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
624370-1 | 2-Critical | tmm crash during classification hitless upgrade if virtual server configuration is modified |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
621401 | 3-Major | When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
615824-1 | 3-Major | REST API calls to invalid REST endpoint log level change |
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
613127-3 | CVE-2016-5696 | K46514822 | Linux TCP Stack vulnerability CVE-2016-5696 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
612564 | 1-Blocking | mysql does not start | |
618382-4 | 2-Critical | qkview may cause tmm to restart or may take 30 or more minutes to run | |
614766-1 | 3-Major | lsusb uses unknown ioctl and spams kernel logs | |
612952-1 | 3-Major | PSU FW revision not displayed correctly | |
611352 | 3-Major | K68092141 | Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms |
610307 | 3-Major | Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber | |
609325 | 3-Major | Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported | |
606807-1 | 3-Major | i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error | |
604459-1 | 3-Major | On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up | |
597309-2 | 3-Major | Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms | |
561444-1 | 3-Major | LCD might display incorrect output. | |
521270-1 | 3-Major | Hypervisor might replace vCMP guest SYN-Cookie secrets | |
434573-6 | 3-Major | K25051022 | Tmsh 'show sys hardware' displays Platform ID instead of platform name |
609677-1 | 4-Minor | Dossier warning 14 | |
607857-1 | 4-Minor | Some information displayed in "list net interface" will be stale for interfaces that change bundle state | |
607200-1 | 4-Minor | Switch interfaces may seem up after bcm56xxd goes down | |
602061 | 4-Minor | i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages | |
601309 | 4-Minor | Locator LED no longer persists across reboots | |
592716-1 | 4-Minor | BMC timezone value was not being synchronized by BIG-IP |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
597708-4 | 3-Major | Stats are unavailable and vCMP state and status are incorrect |
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
598294-1 | CVE-2016-7472 | K17119920 | BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472 |
601938-2 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
542097-4 | 2-Critical | Update to RHEL6 kernel | |
601927-1 | 4-Minor | K52180214 | Security hardening of control plane |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
602653-1 | 2-Critical | TMM may crash after updating bot-signatures | |
599769 | 2-Critical | TMM may crash when managing APM clients. | |
605682-2 | 3-Major | With forward proxy enabled, sometimes the client connection will not complete. | |
599054-2 | 3-Major | LTM policies may incorrectly use those of another virtual server |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
585120-1 | 2-Critical | Memory leak in bd under rare scenario |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
596674-2 | 2-Critical | High memory usage when using CS features with gzip HTML responses. | |
575170-2 | 2-Critical | Analytics reports may not identify virtual servers correctly | |
590074-1 | 3-Major | Wrong value for TCP connections closed measure |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
603997 | 2-Critical | Plugin should not inject nonce to CSP header with unsafe-inline | |
594910-1 | 3-Major | FPS flags no cookie when length check fails | |
590608-1 | 3-Major | Alert is not redirected to alert server when unseal fails | |
590578-4 | 3-Major | False positive "URL error" alerts on URLs with GET parameters | |
593355 | 4-Minor | FPS may erroneously flag missing cookie | |
589318-1 | 4-Minor | Clicking 'Customize All' checkbox does not work. |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
603605-1 | 2-Critical | Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active | |
608373-2 | 3-Major | Some iApp LX packages will not be saved during upgrade or UCS save/restore |
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
596488-1 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
579955-6 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
587077-1 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
579220-1 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
570697-1 | CVE-2015-8138 | K71245322 | NTP vulnerability CVE-2015-8138 |
580340-1 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
580313-1 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
579829-7 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
579085-6 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
578570-1 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
569355-1 | CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 | K50118123 | Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 |
565895-1 | CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 | K17235 | Multiple PCRE Vulnerabilities |
570667-2 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
606509-4 | 2-Critical | Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★ | |
595605 | 2-Critical | Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★ | |
591119 | 2-Critical | OOM with session messaging may result in TMM crash | |
601076 | 3-Major | Fix watchdog event for accelerated compression request overflow | |
597303 | 3-Major | "tmsh create net trunk" may fail | |
595693 | 3-Major | Incorrect PVA indication on B4450 blade | |
591261 | 3-Major | BIG-IP VPR-B4450N shows "unknown" SNMP Object ID | |
590904-1 | 3-Major | New HA Pair created using serial cable failover only will remain Active/Active | |
589661 | 3-Major | PS2 power supply status incorrect after removal | |
588327 | 3-Major | Log messages like "err bcm56xxd" observed in /var/log/ltm | |
587735 | 3-Major | False alarm on LCD indicating bad fan | |
587668 | 3-Major | LCD Checkmark button does not always bring up clearing prompt on VIPRION blades. | |
585332 | 3-Major | Virtual Edition network settings aren't pinned correctly on startup★ | |
584670 | 3-Major | Output of tmsh show sys crypto master-key | |
584661 | 3-Major | Last good master key | |
584655 | 3-Major | platform-migrate won't import password protected master-keys from a 10.2.4 UCS file | |
583177 | 3-Major | LCD text truncated by heartbeat icon on VIPRION | |
581945-2 | 3-Major | Device-group 'datasync-global-dg' becomes out-of-sync every hour | |
581811 | 3-Major | The blade alarm LED may not reflect the warning that non F5 optics is used. | |
579529 | 3-Major | Stats file descriptors kept open in spawned child processes | |
578064 | 3-Major | tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blades | |
578036-1 | 3-Major | incorrect crontab can cause large number of email alerts | |
573584 | 3-Major | CPLD update success logs at the same error level as an update failure | |
563592 | 3-Major | Content diagnostics and LCD | |
559655 | 3-Major | Post RMA, system does not display correct platform name regardless of license | |
555039-4 | 3-Major | K24458124 | VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration |
539360 | 3-Major | Firmware update that includes might take over 15 minutes. Do not turn off device. | |
526708 | 3-Major | system_check shows fan=good on removed PSU of 4000 platform | |
433357 | 3-Major | Management NIC speed reported as 'none' | |
400778 | 3-Major | Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete | |
400550 | 3-Major | LCD listener error during shutdown | |
587780 | 4-Minor | warning: HSBe2 XLMAC initial recovery failed after 11 retries. | |
478986 | 4-Minor | Powered down DC PSU is treated as not-present | |
418009 | 5-Cosmetic | Hardware data display inaccuracies |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
603700 | 2-Critical | tmm core on multiple SSL::disable calls | |
598052-1 | 2-Critical | SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails | |
591139 | 2-Critical | TMM QAT segfault after zlib/QAT compression conflation. | |
585654 | 2-Critical | Enhanced implementation of AES in Common Criteria mode | |
579953 | 2-Critical | Updated the list of Common Criteria ciphersuites | |
584926-1 | 3-Major | Accelerated compression segfault when devices are all in error state. | |
566342 | 3-Major | Cannot set 10T-FD or 10T-HD on management port |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
599803 | 1-Blocking | TMM accelerated compression incorrectly destroying in-flight contexts. | |
588879-2 | 2-Critical | apmd crash under rare conditions with LDAP |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
581824-2 | 3-Major | "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
588049-1 | 2-Critical | Improve detection of browser capabilities | |
585352-2 | 2-Critical | bruteForce record selfLink gets corrupted by change to brute force settings in GUI | |
585054-1 | 2-Critical | BIG-IP imports delay violations incorrectly, causing wrong policy enforcement | |
583686-2 | 3-Major | High ASCII meta-characters can be disallowed on UTF-8 policy via XML import | |
581991-1 | 3-Major | Logging filter for remote loggers doesn't work correctly with more than one logging profile | |
521370-1 | 3-Major | Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8 | |
518201-4 | 3-Major | ASM policy creation fails with after upgrading |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
587419-1 | 3-Major | TMM may restart when SAML SLO is performed after APM session is closed | |
585442-2 | 3-Major | Provisioning APM to 'none' creates a core file |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
596809-1 | 3-Major | It is possible to create ssh rules with blank space for auth-info | |
593925-1 | 3-Major | ssh profile should not contain rules that begin and end with spaces (cannot be deleted) | |
593696-1 | 3-Major | Sync fails when deleting an ssh profile |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
584921-1 | 2-Critical | Inbound connections fail to keep port block alive |
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
600662-9 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
599168-7 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
598983-7 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
580596-1 | CVE-2013-0169 CVE-2016-6907 CVE-2019-6593 | K14190 K39508724 K10065173 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
604211-1 | 2-Critical | K72931250 | License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★ |
600859-2 | 2-Critical | Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★ | |
599033-5 | 2-Critical | Traffic directed to incorrect instance after network partition is resolved | |
595394-3 | 2-Critical | Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★ | |
606110-2 | 3-Major | BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets. | |
596814-4 | 3-Major | HA Failover fails in certain valid AWS configurations | |
596603-2 | 3-Major | AWS: BIG-IP VE doesn't work with c4.8xlarge instance type. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
600357-2 | 3-Major | bd crash when asm policy is removed from virtual during specific configuration change |
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
569467-5 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
591806-8 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
591918-2 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
591908-2 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
591894-2 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
591881-1 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
583631-2 | 1-Blocking | ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers. | |
590993 | 3-Major | Unable to load configs from /usr/libexec/aws/. | |
576478 | 3-Major | Enable support for the Purpose-Built DDoS Hybrid Defender Platform | |
544477 | 3-Major | New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
591039 | 2-Critical | DHCP lease is saved on the Custom AMI used for auto-scaling VE | |
590779 | 2-Critical | Rest API - log profile in json return does not include the partition but needs to | |
588140 | 2-Critical | Pool licensing fails in some KVM/OpenStack environments | |
587791-1 | 2-Critical | Set execute permission on /var/lib/waagent | |
565137 | 2-Critical | K12372003 | Pool licensing fails in some KVM/OpenStack environments. |
554713-2 | 2-Critical | Deployment failed: Failed submitting iControl REST transaction | |
592363 | 3-Major | Remove debug output during first boot of VE | |
592354 | 3-Major | Raw sockets are not enabled on Cloud platforms |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
592699-3 | 2-Critical | IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance | |
594302-1 | 3-Major | Connection hangs when processing large compressed responses from server | |
592854-1 | 3-Major | Protocol version set incorrectly on serverssl renegotiation | |
592682-1 | 3-Major | TCP: connections may stall or be dropped | |
531979-6 | 3-Major | SSL version in the record layer of ClientHello is not set to be the lowest supported version. |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
582629-1 | 2-Critical | User Sessions lookups are not cleared, session stats show marked as invalid |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
590601-2 | 3-Major | BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed | |
590428-1 | 3-Major | The "ACCESS::session create" iRule command does not work | |
590345-1 | 3-Major | ACCESS policy running iRule event agent intermittently hangs | |
585905-1 | 3-Major | Citrix Storefront integration mode with pass-through authentication fails | |
581834-5 | 3-Major | Firefox signed plugin for VPN, Endpoint Check, etc |
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
588399-1 | 3-Major | BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated | |
582374-1 | 3-Major | Multiple 'Loading state for virtual server' messages in admd.log | |
569121-1 | 3-Major | Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low | |
547053-1 | 4-Minor | Bad actor quarantining |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
590795-1 | 2-Critical | tmm crash when loading default signatures or updating classification signature★ |
Cumulative fix details for BIG-IP v12.1.5.3 that are included in this release
981169-5 : F5 TMUI XSS vulnerability CVE-2021-22994
Solution Article: K66851119
975233-5 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K52510511
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K52510511
Impact:
For more information, please see:
https://support.f5.com/csp/article/K52510511
Workaround:
None
Fix:
For more information, please see:
https://support.f5.com/csp/article/K52510511
973333-1 : TMM buffer-overflow vulnerability CVE-2021-22991
Solution Article: K56715231
955145-5 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
954381-5 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: K03009991
953729-5 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990
Solution Article: K56142644
953677-5 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
Solution Article: K18132488
950077-5 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988
Solution Article: K18132488
949861 : Wr_urldbd returns unknown results for customdb on some blades
Component: Traffic Classification Engine
Symptoms:
Some blades return 'Unknown' for newly added URLs in a custom database
Conditions:
This might occur when feedlist updates are done quickly in a loop.
Impact:
BIG-IP is unable to classify using url categories defined in the custom database.
Workaround:
Restart wr_urldbd
Fix:
Customdb classification now works as expected.
949145-2 : Improve TCP's response to partial ACKs during loss recovery
Component: Local Traffic Manager
Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.
Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.
Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.
Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.
Fix:
Partial ACK handling during loss recovery is improved.
948769-2 : TMM panic with SCTP traffic
Component: TMOS
Symptoms:
TMM panics and generates a core file. The panic message is "balanced nodes".
Conditions:
SCTP enabled virtual server
Impact:
Traffic interrupted while TMM restarts
Workaround:
-- Ensure that you have a route to the server's alternate address (for example, a default route, since the remote server might not be under your direct control), or
-- On versions earlier than 13.0, make sure that auto-lasthop is enabled for the virtual server (via the global, VLAN, or virtual server setting).
Fix:
TMM now handles SCTP traffic properly
943125-5 : Web-Socket request with JSON payload causing core during the payload parsing
Component: Application Security Manager
Symptoms:
Any web-socket request with a JSON payload may cause a core within the JSON parser, depending on the memory layout of the machine.
Conditions:
-- Depends on the memory layout of the machine.
-- A web-socket request with a JSON payload is sent to the backend server.
Impact:
BD crash while parsing the JSON payload.
Workaround:
N/A
Fix:
No crashes during JSON payload parsing.
941853-4 : Logging Profiles do not disassociate from virtual server when multiple changes are made
Component: Application Security Manager
Symptoms:
When multiple Logging Profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.
Conditions:
Multiple Logging Profile changes are made in a single update.
Impact:
The previous Logging Profiles are not disassociated from the virtual server.
Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.
941089-5 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
940401-5 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'
Component: Fraud Protection Services
Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.
Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.
Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.
Workaround:
None.
Fix:
Section now reads 'Rooting Detection'.
939845-5 : Invalid MPTCP JOIN messages not immediately dropped
Component: Local Traffic Manager
Symptoms:
An invalid MPTCP JOIN message is not dropped immediately. Instead, a RST is sent to the originator after a timeout of a few seconds.
Conditions:
A standard virtual server processing TCP traffic is configured
Impact:
A brief delay before the connection is closed may be noticed
Workaround:
None
Fix:
Invalid MPTCP messages are now dropped immediately
939841-5 : BIG-IP MPTCP vulnerability CVE-2021-23003
Component: Local Traffic Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K43470422
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K43470422
Impact:
For more information, please see:
https://support.f5.com/csp/article/K43470422
Workaround:
None
Fix:
For more information, please see:
https://support.f5.com/csp/article/K43470422
939529-5 : Branch parameter not parsed properly when topmost via header received with comma separated values
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.
Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:
SIP/2.0 481 Call/Transaction Does Not Exist.
Workaround:
Use iRules to remove the topmost Via header and add a new Via header that uses the same branch for INVITE and CANCEL when sending messages to SIP clients.
Fix:
The BIG-IP system now ensures that the branch field inserted in the Via header is the same for INVITE and CANCEL messages.
935401-6 : BIG-IP ASM iControl REST vulnerability CVE-2021-23001
Component: Application Security Manager
Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K06440657
Conditions:
For more information, please see:
https://support.f5.com/csp/article/K06440657
Impact:
For more information, please see:
https://support.f5.com/csp/article/K06440657
Workaround:
None
Fix:
For more information, please see:
https://support.f5.com/csp/article/K06440657
933741-6 : Security hardening in FPS GUI
Solution Article: K63497634
933461-1 : BGP multi-path candidate selection does not work properly in all cases.
Component: TMOS
Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.
Conditions:
An inbound route-map exists that modifies a route's path selection attribute.
Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.
Workaround:
None.
932697 : BIG-IP TMM vulnerability CVE-2021-23000
Solution Article: K34441555
932065-5 : iControl REST framework exception handling hardening
Solution Article: K87502622
931837-4 : NTP has predictable timestamps
Component: TMOS
Symptoms:
No known symptoms.
Conditions:
Ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 is vulnerable.
There are two main prerequisites for this to be exploited:
1. The BIG-IP system acts as an NTP server.
2. The BIG-IP system's time sources are unreliable or unauthenticated upstream NTP servers.
Impact:
A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. An attacker who can send a large number of packets with the spoofed IPv4 address of the upstream server can use this flaw to modify the victim's clock by a limited amount or cause ntpd to exit.
Workaround:
Redhat suggested the following mitigations:
1. Have enough trustworthy sources of time.
2. If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.
3. Use NTP packet authentication where appropriate.
4. Pay attention to error messages logged by ntpd.
5. Monitor your ntpd instances. If the pstats command of ntpq shows the value for "bogus origin" is increasing then that association is likely under attack.
6. If you must get unauthenticated time over IPv4 on a hostile network, use "restrict ... noserve" to prevent this attack; this blocks time service to the specified network (note that this is a heavy-handed protection).
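The monitoring step above (item 5) can be scripted. The following is an added example, not F5 code: it parses the per-association output of ntpq's pstats command, keeps the last "bogus origin" counters, and reports peers whose counter increased between two samples. The ntpq output layout, the peer addresses and the counter values below are constructed sample data; the exact pstats formatting is assumed from ntp 4.2.8.

```python
"""Flag NTP associations whose 'bogus origin' counter is rising (added example)."""
import re
import subprocess
from typing import Dict, Iterable, List

# One integer counter per line, e.g. "bogus origin:         3".
# Lines such as "time last received:   12s" or "remote host: 203.0.113.10"
# do not match because their values are not purely numeric.
_COUNTER_RE = re.compile(r"^(?P<name>[a-z][a-z ]*?):\s+(?P<value>\d+)\s*$", re.M)
_REMOTE_RE = re.compile(r"^remote host:\s+(?P<host>\S+)", re.M)

# Constructed samples shaped like `ntpq -c "pstats <assocID>"` output (assumed format).
SAMPLE_BEFORE: List[str] = [
    """associd=61514 status=961a conf, reach, sel_sys.peer, 1 event, sys_peer,
remote host:          203.0.113.10
local interface:      192.0.2.7
time last received:   12s
packets sent:         145
packets received:     145
bad authentication:   0
bogus origin:         0
duplicate:            0
""",
    """associd=61515 status=941a conf, reach, sel_candidate, 1 event, sys_peer,
remote host:          198.51.100.5
local interface:      192.0.2.7
time last received:   40s
packets sent:         144
packets received:     144
bad authentication:   0
bogus origin:         0
duplicate:            0
""",
]

# Second sample: the first peer's 'bogus origin' count has climbed from 0 to 7.
SAMPLE_AFTER: List[str] = [
    SAMPLE_BEFORE[0].replace("packets sent:         145", "packets sent:         153")
                    .replace("bogus origin:         0", "bogus origin:         7"),
    SAMPLE_BEFORE[1].replace("packets sent:         144", "packets sent:         152"),
]


def parse_pstats(text: str) -> Dict[str, int]:
    """Return {counter_name: value} for the integer counters in one pstats block."""
    return {m.group("name"): int(m.group("value")) for m in _COUNTER_RE.finditer(text)}


def remote_host(text: str) -> str:
    """Return the peer address from the 'remote host:' line of one pstats block."""
    m = _REMOTE_RE.search(text)
    if not m:
        raise ValueError("no 'remote host' line in pstats output")
    return m.group("host")


def bogus_origin_counts(blocks: Iterable[str]) -> Dict[str, int]:
    """Map each peer to its current 'bogus origin' counter (0 if the line is absent)."""
    return {remote_host(b): parse_pstats(b).get("bogus origin", 0) for b in blocks}


def rising_peers(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Return {peer: increase} for peers whose counter rose since the last sample.

    A peer not present in the previous sample is compared against 0, so a
    brand-new association that already shows bogus-origin hits is reported too.
    """
    deltas = {peer: count - previous.get(peer, 0) for peer, count in current.items()}
    return {peer: d for peer, d in deltas.items() if d > 0}


def collect_live(assoc_ids: Iterable[int]) -> List[str]:
    """Fetch real pstats blocks for the given association ids (needs ntpq on the host)."""
    return [
        subprocess.run(["ntpq", "-c", f"pstats {a}"], capture_output=True,
                       text=True, check=True).stdout
        for a in assoc_ids
    ]


if __name__ == "__main__":
    before = bogus_origin_counts(SAMPLE_BEFORE)
    after = bogus_origin_counts(SAMPLE_AFTER)
    for peer, delta in rising_peers(before, after).items():
        print(f"WARNING: peer {peer} bogus origin count rose by {delta}; association may be under attack")
```

In production, persist the dictionary returned by bogus_origin_counts between runs and feed collect_live() the association ids from "ntpq -c associations".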
927617-5 : "Illegal Base64 value" violation is detected for cookie with valid base64 value
Component: Application Security Manager
Symptoms:
A request that should be passed to the backend server, and whose Cookie header carries a valid base64-encoded cookie value, is blocked.
Conditions:
A cookie name is defined in "Security ›› Application Security : Headers : Cookies List ›› New Cookie..." with "Base64 Decoding" enabled.
Impact:
Blocking page, while the request should not be blocked.
Workaround:
Disable "Base64 Decoding" for the desired cookie.
Fix:
Requests with valid base64 encoding cookies should not get blocked by the enforcer.
921337-4 : ASM processes some web-sockets requests longer than usual
Solution Article: K88230177
918933-5 : Some ASM attack signatures do not match on cookies
Solution Article: K88162221
Component: Application Security Manager
Symptoms:
Some ASM attack signatures are not matching as expected on a cookie value.
Conditions:
Matching enabled for specific attack signatures.
Impact:
False negative. A signature does not match and an attack is getting through.
Workaround:
There is no valid workaround except creating custom signatures for cookies from all these signatures.
Fix:
Signatures now match on cookies as expected.
917509-6 : ASM processes some requests longer than usual
Solution Article: K58102101
915281-7 : Do not rearm TCP Keep Alive timer under certain conditions
Component: Local Traffic Manager
Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.
Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.
Impact:
Continuous rearming results in consuming CPU resources unnecessarily.
Workaround:
None.
Fix:
Rearming of TCP Keep Alive timer is improved.
913441-1 : Tmm cores while doing Hitless Upgrade while there are active flows
Component: Traffic Classification Engine
Symptoms:
Tmm cores.
Conditions:
New flows are added to an existing classification library while a Hitless Upgrade is in progress.
Impact:
Tmm core while doing app detection for new flows. Traffic disrupted while tmm restarts.
Workaround:
Restrict addition of new flows if a Hitless Upgrade is in progress.
Fix:
New flows are no longer added to any classification engine library while the Hitless Upgrade process is in progress.
911761-6 : F5 TMUI XSS vulnerability CVE-2020-5948
Solution Article: K42696541
909237-2 : CVE-2020-8617: BIND Vulnerability
Solution Article: K05544642
909233-2 : DNS Hardening
Solution Article: K97810133
908673-1 : TMM may crash while processing DNS traffic
Solution Article: K43850230
905905-5 : TMUI CSRF vulnerability CVE-2020-5904
Solution Article: K31301245
904937-6 : Excessive resource consumption in zxfrd
Solution Article: K25595031
902417-1 : Configuration error caused by Drafts folder in a deleted custom partition★
Component: TMOS
Symptoms:
Configuration load fails because the Drafts folder associated with a custom partition still exists after the partition has been deleted:
01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.
Conditions:
Create draft policy under custom partition
Impact:
Impacts the software upgrade.
Workaround:
Remove the Drafts folder configuration from bigip_base.conf, or run "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing the partition.
898949-5 : APM may consume excessive resources while processing VPN traffic
Solution Article: K04518313
895993-6 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895981-6 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
895881-5 : BIG-IP TMUI XSS vulnerability CVE-2020-5903
Solution Article: K43638305
895525-6 : TMUI RCE vulnerability CVE-2020-5902
Solution Article: K52145254
888497-6 : Cacheable HTTP Response
Component: TMOS
Symptoms:
JSESSIONID, BIGIPAUTHCOOKIE, BIGIPAUTH can be seen in the browser's debugging page.
Conditions:
-- Accessing the BIG-IP system using the GUI.
-- Viewing the browser's stored cache information.
Impact:
HTTPS session information is captured/seen in the browser's local cache, cookie.
Note: The BIG-IP system does not display and/or return sensitive data in the TMUI. Content that is marked appropriately as sensitive is never returned, so it is never cached. Data that is cached for TMUI in the client browser session is not considered secret.
Workaround:
Disable caching in browsers.
888493-6 : ASM GUI Hardening
Solution Article: K40843345
887089-6 : Upgrade can fail when filenames contain spaces
Component: TMOS
Symptoms:
Filenames with spaces in the /config directory can cause an upgrade or UCS load to fail. The im upgrade script that backs up the configuration splits each line of its file spec on whitespace, so the number of spaces in a filename determines how the line is separated into fields: the path to the file, an md5sum, and some file properties (notably size). If the path contains whitespace, the fields shift, the script reads a value other than the one it expects, and the upgrade/UCS load fails.
The file's content is also significant, because it determines the md5sum value.
A rarer, related problem occurs when the sixth word on the line is a large number. The sixth field is used to determine the amount of space needed for the installation, so when that word is a very large number you might see the following error at the end of the upgrade or installation process:
Not enough free disk space to install!
Conditions:
Filenames with spaces in /config directory.
Impact:
Upgrade or loading of UCS fails.
Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.
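The field-shift failure described above, as an added example that is not F5's upgrade script: the page says each file-spec line is split on whitespace into a path, an md5sum, some properties and a size in the sixth field, but does not document the exact layout, so the six-field layout used here (path, md5sum, mode, owner, group, size) is an assumption. The records, digests and paths are constructed. The general point is that when the first field of a whitespace-delimited record may itself contain whitespace, splitting from the right with a fixed field count recovers the path intact, and a pre-upgrade scan for whitespace in names finds the files the workaround says to rename.

```python
"""Added example for 887089-6. Assumed record layout (not documented on the page):
    <path> <md5sum> <mode> <owner> <group> <size>
"""
import os
import re

TRAILING_FIELDS = 5  # fields after the path in the assumed layout


def parse_record_naive(line):
    """Left-to-right whitespace split, as the page describes the script doing.
    Returns None when the sixth word is not an integer, and a wrong size when a
    path with spaces pushes a number into the sixth position."""
    words = line.split()
    if len(words) < TRAILING_FIELDS + 1:
        return None
    try:
        size = int(words[5])
    except ValueError:
        return None
    return {"path": words[0], "md5sum": words[1], "size": size}


def parse_record_safe(line):
    """Split from the right: the last five fields are fixed, so everything that
    remains on the left is the path, embedded whitespace included."""
    parts = line.strip().rsplit(None, TRAILING_FIELDS)
    if len(parts) != TRAILING_FIELDS + 1:
        raise ValueError("expected %d fields: %r" % (TRAILING_FIELDS + 1, line))
    path, md5sum, mode, owner, group, size = parts
    if not re.fullmatch(r"[0-9a-f]{32}", md5sum):
        raise ValueError("bad md5sum for %r" % path)
    return {"path": path, "md5sum": md5sum, "mode": mode,
            "owner": owner, "group": group, "size": int(size)}


def names_with_whitespace(paths):
    """Pre-upgrade check: the paths containing any whitespace character,
    i.e. the files to rename before attempting the upgrade or UCS load."""
    return [p for p in paths if re.search(r"\s", p)]


# Constructed sample records; the digests are sample values, not of these files.
RECORDS = [
    "/config/bigip.conf 9e107d9d372bb6826bd81d3542a419d6 0644 root root 4096",
    "/config/ssl/my cert.crt d41d8cd98f00b204e9800998ecf8427e 0600 root root 1234",
    "/config/backups/site A rev 2 of 999999999999 e2fc714c4727ee9395f324cd2e7f331f 0600 root root 2048",
]

if __name__ == "__main__":
    for rec in RECORDS:
        print("naive:", parse_record_naive(rec))
        print("safe: ", parse_record_safe(rec))
    # On a real system the scan would walk /config, e.g. with os.walk("/config").
    print("rename before upgrade:",
          names_with_whitespace(parse_record_safe(r)["path"] for r in RECORDS))
```

The third record shows the "Not enough free disk space" case from the text: the naive parse takes the sixth word, 999999999999, as the size, while the right-anchored parse returns the real size of 2048.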
886085-7 : BIG-IP TMM vulnerability CVE-2020-5925
Solution Article: K45421311
883717-5 : BD crash on specific server cookie scenario
Solution Article: K37466356
883097-3 : Radius authentication may consume excessive resources
Solution Article: K11400411
882185-3 : BIG-IP Edge Client Windows ActiveX
Solution Article: K20346072
881445-3 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5898
Solution Article: K69154630
880361-5 : TMM may crash while processing iRules LX commands
Solution Article: K13323323
879745-7 : TMM may crash while processing Diameter traffic
Solution Article: K82530456
879413-5 : Statsd fails to start if one or more of its *.info files becomes corrupted
Component: Local Traffic Manager
Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:
-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.
Conditions:
Corrupted *.info file in /var/rrd.
Impact:
Stats are no longer accurate.
Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following loop several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'). The loop deletes the file while it is not plain ASCII, waits for it to be recreated, and stops once a CRC line is readable:
f=/var/rrd/<filename>; found=0; while [ "$found" != 1 ]; do filetype=$(file "$f" | cut -d " " -f2); if [ "$filetype" != "ASCII" ]; then rm -f "$f"; sleep 1; else grep CRC "$f"; found=1; fi; done
Fix:
The system now detects corrupt *.info files and deletes and recreates them.
879025-7 : When processing TLS traffic, LTM may not enforce certificate chain restrictions
Solution Article: K72752002
872673-5 : TMM can crash when processing SCTP traffic
Solution Article: K26464312
871657-4 : Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S
Component: TMOS
Symptoms:
Mcpd restarts and produces a core file.
Conditions:
This can occur while adding a pool member to a NAPTR GTM pool where the flag used is an uppercase 'A' or 'S' character.
Impact:
Mcpd crash and restart results in high availability (HA) failover.
Workaround:
Use a lowercase 'a' or 's' as the flag value.
Fix:
Mcpd no longer crashes under these conditions. The flag value is always stored in lowercase regardless of the case used as input in the REST call or tmsh command, etc.
870273-1 : TMM may consume excessive resources when processing SSL traffic
Solution Article: K44020030
866021-5 : Diameter Mirror connection lost on the standby due to "process ingress error"
Component: Service Provider
Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.
Conditions:
This can happen when there is a large amount of mirror traffic, which includes the traffic processed by the active unit that requires mirroring and the high availability (HA) context synchronization, such as persistence information and message state.
Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.
Fix:
Diameter mirror connection no longer lost due to "process ingress error" when there is high mirror traffic.
860517-5 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
Component: TMOS
Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.
As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (for example, BIG-IP i11800 platforms).
Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.
Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.
Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.
Fix:
The memory efficiency of MCPD has been improved. This allows very large BIG-IP configurations to be used successfully.
860477-7 : SCP hardening
Solution Article: K82518062
860005-5 : Ephemeral nodes/pool members may be created for wrong FQDN name
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.
Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.
The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.
Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.
Workaround:
It may be possible to mitigate this issue by one or more of the following actions:
-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.
-- Reducing the number of FQDN template nodes (FQDN names to be resolved).
-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.
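The TXID collision described above, as an added example that is not F5's resolver code: it models a resolver that matches DNS responses to in-flight queries by transaction ID alone, shows how two outstanding queries sharing a TXID let the answer for one FQDN be attributed to the other, and shows the two checks that prevent it, matching the response's question name as well as its TXID and never reusing a TXID that is still in flight. The FQDNs, addresses and the 0x1234 TXID are constructed.

```python
"""Added example for 860005-5 (not F5's resolver code)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    txid: int
    qname: str


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    qname: str        # question section echoed back by the server
    addresses: tuple  # A records in the answer section


class TxidOnlyMatcher:
    """Accepts a response for the oldest pending query with the same TXID."""

    def __init__(self):
        self.pending = []  # in-flight queries, oldest first

    def send(self, query):
        self.pending.append(query)

    def receive(self, response):
        for query in self.pending:
            if query.txid == response.txid:
                self.pending.remove(query)
                return query.qname, response.addresses
        return None


class TxidAndQnameMatcher(TxidOnlyMatcher):
    """Requires TXID and question name to match; anything else is discarded as
    unsolicited, which is also the standard defence against spoofed answers."""

    def receive(self, response):
        for query in self.pending:
            if query.txid == response.txid and query.qname == response.qname:
                self.pending.remove(query)
                return query.qname, response.addresses
        return None


def allocate_txid(pending, rng=random):
    """Pick a random 16-bit TXID not used by any in-flight query, so two
    outstanding queries to the same server can never share an ID."""
    in_use = {q.txid for q in pending}
    if len(in_use) >= 0x10000:
        raise RuntimeError("TXID space exhausted")
    while True:
        txid = rng.randrange(0x10000)
        if txid not in in_use:
            return txid


def unique_txids(count, seed=1):
    """Allocate `count` TXIDs against a growing pending list; all are distinct."""
    rng = random.Random(seed)
    pending = []
    for i in range(count):
        pending.append(DnsQuery(allocate_txid(pending, rng), "n%d.example.test" % i))
    return [q.txid for q in pending]


# Constructed scenario: both queries went out with TXID 0x1234 and the slow
# server answers db.example.test before app.example.test.
QUERIES = (DnsQuery(0x1234, "app.example.test"), DnsQuery(0x1234, "db.example.test"))
RESPONSES = (DnsResponse(0x1234, "db.example.test", ("10.0.0.20",)),
             DnsResponse(0x1234, "app.example.test", ("10.0.0.10",)))


def resolve(matcher):
    """Return {fqdn: addresses} as the matcher would populate ephemeral nodes."""
    for query in QUERIES:
        matcher.send(query)
    result = {}
    for response in RESPONSES:
        matched = matcher.receive(response)
        if matched is not None:
            qname, addresses = matched
            result[qname] = addresses
    return result


if __name__ == "__main__":
    print("TXID only:     ", resolve(TxidOnlyMatcher()))
    print("TXID and qname:", resolve(TxidAndQnameMatcher()))
    print("distinct TXIDs allocated:", len(set(unique_txids(500))))
```

With TXID-only matching the two pools end up with each other's addresses, which is the wrong-member load balancing the Impact section describes; with the question name checked as well, each FQDN receives its own answer and a stray response is simply dropped.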
859089-2 : TMSH allows SFTP utility access
Solution Article: K00091341
858301-5 : HTTP RFC compliance now checks that the authority matches between the URI and Host header
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
It is possible to have an absolute URI with an authority different from that in the Host header. The HTTP profile by default does not verify that these are the same.
Conditions:
HTTP profile is enabled.
A request contains an absolute URI with an authority different from that in the Host header.
Impact:
HTTP requests with mismatched authority and Host headers are forwarded to back-end servers.
Workaround:
None.
Fix:
The HTTP RFC compliance option now rejects requests with an absolute URI that contains an authority different than that in the Host header.
HTTP PSM's "invalid host" option now checks that the authorities match between the URI and Host header.
858297-5 : HTTP requests with multiple Host headers are rejected if RFC compliance is enabled
Solution Article: K27551003
Component: Local Traffic Manager
Symptoms:
HTTP requests with multiple Host headers may confuse servers. The HTTP parser currently uses the last header of a given name in a header block, whereas other software may not. This mismatch in parsing may lead to a security hole.
Note that many servers reject such requests. Such servers are not vulnerable to this kind of attack.
Conditions:
HTTP profile enabled.
Multiple Host headers exist in a HTTP request.
Impact:
HTTP requests with multiple host headers may be forwarded to back-end servers.
Workaround:
None.
Fix:
If HTTP RFC compliance is enabled on the HTTP profile, then a request that has multiple Host headers will be rejected.
HTTP PSM can now be configured to reject multiple Host headers.
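The two checks from 858301-5 and 858297-5, as an added example that is not F5's HTTP filter: a request head is rejected when it carries more than one Host header, or when an absolute-form request-target names an authority different from the Host header. The example also rejects an HTTP/1.1 request with no Host header at all, which RFC 7230 section 5.4 requires and which goes beyond what these entries describe. Headers are kept as an ordered list so duplicates stay visible instead of being collapsed, which is the parsing disagreement the second entry warns about. The sample requests are constructed.

```python
"""Added example for 858301-5 and 858297-5 (not F5's HTTP filter)."""
import re
from urllib.parse import urlsplit

ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


class RfcViolation(Exception):
    pass


def parse_request_head(raw: bytes):
    """Return (method, target, version, headers); headers is an ordered list of
    (lowercased name, value) pairs so duplicate names are visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise RfcViolation("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.rstrip():
            # RFC 7230 3.2.4: no whitespace is allowed between name and colon
            raise RfcViolation("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return method, target, version, headers


def effective_authority(raw: bytes) -> str:
    """Return the single authority the request names, or raise RfcViolation when
    Host is ambiguous or disagrees with an absolute-form request-target."""
    method, target, version, headers = parse_request_head(raw)
    hosts = [value for name, value in headers if name == "host"]
    if len(hosts) > 1:
        raise RfcViolation("multiple Host headers: %r" % hosts)
    if not hosts and version == "HTTP/1.1":
        raise RfcViolation("HTTP/1.1 request without a Host header")
    host = hosts[0] if hosts else ""
    if ABSOLUTE_FORM.match(target):
        authority = urlsplit(target).netloc
        if authority.lower() != host.lower():
            raise RfcViolation("authority %r does not match Host %r" % (authority, host))
        return authority
    return host  # origin-form, authority-form (CONNECT) and asterisk-form


def classify(raw: bytes) -> str:
    """'accept:<authority>' or 'reject:<reason>' for one request head."""
    try:
        return "accept:" + effective_authority(raw)
    except RfcViolation as exc:
        return "reject:" + str(exc)


# Constructed request heads.
SAMPLES = {
    "origin_form": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "absolute_form_ok": b"GET http://www.example.test/index.html HTTP/1.1\r\n"
                        b"Host: www.example.test\r\n\r\n",
    "authority_mismatch": b"GET http://internal.example.test/admin HTTP/1.1\r\n"
                          b"Host: www.example.test\r\n\r\n",
    "duplicate_host": b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
                      b"Host: internal.example.test\r\n\r\n",
    "missing_host": b"GET / HTTP/1.1\r\nUser-Agent: probe\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-20s %s" % (label, classify(raw)))
```

The mismatch and duplicate cases are the ones that matter for a proxy: a front end that routes or applies policy on one authority while the back end honours the other lets a client reach a virtual host the front end never evaluated.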
858229-1 : XML with sensitive data gets to the ICAP server
Solution Article: K22493037
Component: Application Security Manager
Symptoms:
XML with sensitive data gets to the ICAP server, even when the XML profile is not configured to be inspected.
Conditions:
XML profile is configured with sensitive elements on a policy.
ICAP server is configured to inspect file uploads on that policy.
Impact:
Sensitive data will reach the ICAP server.
Workaround:
No immediate workaround other than policy-related changes.
Fix:
An internal parameter, send_xml_sensitive_entities_to_icap, was added. Its default is 1, which preserves the previous behavior. To disable this functionality, change the internal parameter value to 0.
Behavior Change:
An internal parameter has been added, called send_xml_sensitive_entities_to_icap, and the default value is 1.
When this is changed to 0 (using this command):
/usr/share/ts/bin/add_del_internal add send_xml_sensitive_entities_to_icap 0
XML requests with sensitive data will not be sent to ICAP.
858189-6 : Make restnoded/restjavad/icrd timeout configurable with sys db variables.
Component: Device Management
Symptoms:
When a large number of LTM objects are configured on BIG-IP, making updates via iControl REST can result in restjavad/restnoded/icrd errors.
Conditions:
Using iControl REST/iapp to update a data-group that contains a large number of records, e.g., 75,000 or more.
Impact:
REST operations can time out when they take too long, and it is not possible to increase the timeout.
Workaround:
None.
Fix:
ICRD/restjavad/restnoded timeouts are now configurable through sys db variables.
Behavior Change:
New Sys DB variables have been added to allow you to modify the timeout settings of restjavad, restnoded, and icrd:
restnoded.timeout
restjavad.timeout
icrd.timeout
The default value is 60 seconds for each of these.
A restart of restjavad and restnoded is required for the change to take effect.
tmsh restart /sys service restjavad
tmsh restart /sys service restnoded
858025-6 : Proactive Bot Defense does not validate redirected paths
Solution Article: K33440533
857669 : BIG-IP Edge Client may log sensitive data on Linux client
Solution Article: K33023560
854177-1 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
Component: Application Security Manager
Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.
Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.
Impact:
Latency is introduced to ASM handling.
Workaround:
Set the fast changing nodes to static updates every hour.
Fix:
ASM now correctly ignores pool member updates that do not affect remote logging.
852929-4 : AFM WebUI Hardening
Solution Article: K25160703
852445-6 : Big-IP : CVE-2019-6477 BIND Vulnerability
Solution Article: K15840535
851789-1 : SSL monitors flap with client certs with private key stored in FIPS
Component: Local Traffic Manager
Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.
Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.
Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.
Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.
Fix:
Optimized FIPS API calls to improve performance of SSL monitors.
851045-5 : LTM database monitor may hang when monitored DB server goes down
Component: Local Traffic Manager
Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such as by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) that interrupts monitoring of the other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.
Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).
Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist until the blocking operation times out, the backlog of blocked DB monitor threads is processed to completion, and normal DB monitoring resumes.
Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.
850673-5 : BD sends bad ACKs to the bd_agent for configuration
Component: Application Security Manager
Symptoms:
-- The bd_agent stops sending the configuration in the middle of startup or a configuration change.
-- The policy may be incomplete in the bd causing incorrect enforcement actions.
Conditions:
This is a rarely occurring issue, and the exact conditions that trigger it are unknown.
Impact:
-- The bd_agent hangs or restarts, which may cause a complete ASM restart (and failover).
-- A partial policy may exist in bd causing improper enforcement.
Workaround:
-- Unassign and reassign the policy.
-- If unassign/reassign does not help, export and then reimport the policy.
Fix:
Fixed inconsistency scenario between bd and bd_agent.
848445-5 : Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★
Solution Article: K86285055
Component: Application Security Manager
Symptoms:
Global/URL/Flow parameters with the flag is_sensitive set to true are not masked in the Referer header, so their value may be exposed in logs.
Conditions:
Global/URL/Flow parameters with the flag is_sensitive set to true are defined in the policy. In logs, the value of such a parameter is masked in the query string (QS) but exposed in the Referer.
Impact:
The parameter is not masked in the 'Referer' header value in logs, although it is masked in the 'QS' string.
Workaround:
Define the parameters as global sensitive parameters.
Fix:
Such parameters are now treated like global sensitive parameters and are also masked in the Referer.
848405-7 : TMM may consume excessive resources while processing compressed HTTP traffic
Solution Article: K26244025
846917-6 : lodash Vulnerability: CVE-2019-10744
Solution Article: K47105354
842937-1 : TMM crash due to failed assertion 'valid node'
Component: Local Traffic Manager
Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.
Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Not using RAM Cache may mitigate the problem.
Fix:
The RAM Cache module stops handling messages after it is torn down, so it no longer attempts to use data structures that have already been deinitialized.
842717-2 : BIG-IP Edge Client for Windows vulnerability CVE-2020-5855
Solution Article: K55102004
842189-1 : Tunnels removed when going offline are not restored when going back online
Component: TMOS
Symptoms:
When a BIG-IP instance goes offline, any functioning tunnel is removed from the active configuration. Upon restoration to online operation, the tunnel is not automatically restored.
Conditions:
-- Configuration includes tunnels.
-- BIG-IP instance goes offline and then comes back online.
Impact:
Failure of tunnel packet traffic.
Workaround:
Manually recreate the tunnel after the BIG-IP instance has been brought back online.
Fix:
Tunnels removed when going offline are now restored when going back online.
841953-2 : A tunnel can be expired when going offline, causing tmm crash
Component: TMOS
Symptoms:
When the system transitions from active or next-active (standby) to offline, the internal flow of a tunnel can be expired.
If the device returns to active or standby and the tunnel is modified, a double flow removal can cause a tmm crash.
Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.
Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm process no longer crashes under these conditions.
841577-7 : iControl REST hardening
Solution Article: K20606443
841333-2 : TMM may crash when tunnel used after returning from offline
Component: TMOS
Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.
Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
839453-1 : lodash library vulnerability CVE-2019-10744
Solution Article: K47105354
838909-2 : BIG-IP APM Edge Client vulnerability CVE-2020-5893
Solution Article: K97733133
838881-6 : APM Portal Access Vulnerability: CVE-2020-5853
Solution Article: K73183618
837837-6 : F5 SSH server key size vulnerability CVE-2020-5917
Solution Article: K43404629
837773-5 : Restjavad Storage and Configuration Hardening
Solution Article: K12936322
836357-2 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
Component: Service Provider
Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.
Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.
Impact:
This causes the BIG-IP system to abort the flow that originates the message.
Workaround:
None.
Fix:
SIP MBLB correctly initiates a new flow from a virtual IP to the client when an existing flow is in the FIN-wait2 stage.
833685-2 : Idle async handlers can remain loaded for a long time doing nothing
Component: Application Security Manager
Symptoms:
Idle async handlers can remain loaded for a long time doing nothing because they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a large XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.
Impact:
Depletion of memory by lingering idle async handlers may deprive other processes of sufficient memory, triggering out-of-memory conditions and process failures.
Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart asm_config_server periodically using cron, as idle handlers are soon created again.
Fix:
Idle async handlers now exit after 5 minutes of not receiving any new calls.
832885-6 : Self-IP hardening
Solution Article: K05975972
832757-2 : Linux kernel vulnerability CVE-2017-18551
Solution Article: K48073202
832205-2 : ASU cannot be completed after Signature Systems database corruption following binary Policy import
Component: Application Security Manager
Symptoms:
Signatures cannot be updated after signature systems have become corrupted in the configuration database, after a binary policy containing a user-defined Signature Set using an unknown System was imported.
Conditions:
Signature systems are corrupted in configuration database, because a binary policy containing a user-defined Signature Set using an unknown System was imported.
Impact:
Signatures cannot be updated.
Workaround:
Delete signature systems with an ID greater than 38, and re-add them by performing a signature update. You can delete these signature systems by running the following command:
mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "DELETE FROM PLC.NEGSIG_SYSTEMS WHERE system_group = ''"
831661-5 : ASMConfig Handler undergoes frequent restarts
Component: Application Security Manager
Symptoms:
Under some settings and load, the RPC handler for the Policy Builder process restarts frequently, causing unnecessary churn and slower learning performance.
Conditions:
Configure one or more policies with automatic policy building enabled and learn traffic with violations
Impact:
Control Plane instability and poor learning performance on the device.
Fix:
The Policy Builder handler is now restored to a more robust process lifecycle.
831325-4 : HTTP PSM detects more issues with Transfer-Encoding headers
Solution Article: K10701310
Component: Local Traffic Manager
Symptoms:
HTTP PSM may not detect some invalid Transfer-Encoding headers.
Conditions:
HTTP PSM is used to detect HTTP RFC violations. A request with an invalid Transfer-Encoding header is sent.
Impact:
Traffic is not alarmed/blocked as expected.
Workaround:
None.
Fix:
HTTP PSM detects new cases of invalid Transfer-Encoding headers.
831293-1 : SNMP address-related GET requests slow to respond.
Component: TMOS
Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.
Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.
Impact:
Slow performance.
Workaround:
None.
830401-6 : TMM may crash while processing TCP traffic with iRules
Solution Article: K54200228
829121-6 : State mirroring default does not require TLS
Solution Article: K65720640
829117-6 : State mirroring default does not require TLS
Solution Article: K17663061
826601-2 : Prevent receive window shrinkage for looped flows that use a SYN cookie
Component: Local Traffic Manager
Symptoms:
TMM cores.
Conditions:
-- VIP to VIP (looped flow) configuration.
-- SYN cookie is used.
-- Initial receive window is greater than 3.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Set the initial receive window value of the VIP to 3.
Fix:
Receive window shrinkage is prevented for looped flows using SYN cookies.
825049-2 : Windows code signing certificate update 2019
Component: Access Policy Manager
Symptoms:
The code signing certificate for APM Edge Client (v7.1.8.1) expires on 12 Dec. 2019.
Conditions:
Code signing certificate expired on December 11, 2019.
Impact:
Certificate is expired.
Fix:
Update the APM client with the certificate attributes and use the new code signing certificate.
823893-5 : Qkview may fail to completely sanitize LDAP bind credentials
Solution Article: K03318649
822025-5 : HTTP response not forwarded to client during an early response
Component: Local Traffic Manager
Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.
Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.
Impact:
A client does not receive the redirect from the HTTP::respond iRule.
Workaround:
None.
Fix:
The client now receives the redirect from the HTTP::respond iRule.
819397-4 : TMM does not enforce RFC compliance when processing HTTP traffic
Solution Article: K50375550
Component: Local Traffic Manager
Symptoms:
TMM does not require RFC compliance when processing HTTP traffic. This does not impact the performance or security of BIG-IP systems, but may impact connected systems if they expect only compliant traffic to be forwarded.
Conditions:
-- HTTP virtual server
-- Non-compliant HTTP request from client
Impact:
Pool members may be exposed to non-compliant HTTP requests.
Workaround:
None.
Fix:
The HTTP filter now optionally performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
Behavior Change:
A new BigDB variable has been added.
The new 'Tmm.HTTP.RFC.Enforcement' option may be enabled or disabled. It is disabled by default.
If enabled, the HTTP filter performs basic RFC compliance checks. If a request fails these checks, then the connection is reset.
The checks performed are a subset of those described within the HTTP PSM module. If a blocking page is required, or more detailed control over which checks are performed, configure HTTP PSM or ASM on the virtual server.
If either HTTP PSM or ASM are configured on a virtual server, the state of the 'Tmm.HTTP.RFC.Enforcement' BigDB variable is ignored on that virtual server.
819197-7 : BIGIP: CVE-2019-13135 ImageMagick vulnerability
Solution Article: K20336394
819189-6 : BIGIP: CVE-2019-13136 ImageMagick vulnerability
Solution Article: K03512441
818709-5 : TMSH does not follow current best practices
Solution Article: K36814487
818429-1 : TMM may crash while processing HTTP traffic
Solution Article: K70275209
818177-7 : CVE-2019-12295 Wireshark Vulnerability
Solution Article: K06725231
816529 : If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart.
Component: Traffic Classification Engine
Symptoms:
URLCAT lookups to Custom DB return Unknown result.
Conditions:
-- URL is being looked up against Custom DB
-- wr_urldbd is restarted at the same time
Impact:
Queries will likely fail in highly loaded environments if wr_urldbd is restarted for any reason.
Workaround:
None.
Fix:
Wr_urldbd restores connection to Custom DB after restart.
815877-5 : Information Elements with zero-length value are rejected by the GTP parser
Component: Service Provider
Symptoms:
When processing a GTP message containing zero-length IEs (which are allowed by the 3GPP Technical Specification), the message might get rejected.
Conditions:
Virtual server with GTP profile enabled processing GTP traffic.
Impact:
Well-formed GTP messages might get rejected.
Workaround:
Avoid sending GTP messages containing zero-length IEs.
Fix:
Zero-length IEs are now processed correctly.
814761-4 : PostgreSQL monitor fails on second ping with count != 1
Component: Local Traffic Manager
Symptoms:
When using one of the DB monitors (Oracle, MSSQL, MySQL, PostgreSQL) to monitor the health of a server, the pool member may initially be marked UP, but then will be marked DOWN on the next and all subsequent pings.
When this occurs, an error message similar to the following appears in the monitor-instance log under /var/log/monitors:
Database down, see /var/log/DBDaemon.log for details.
Exception in thread "DBPinger-##" java.lang.AbstractMethodError: org.postgresql.jdbc3.Jdbc3Connection.isValid(I)Z
at com.f5.eav.DB_Pinger.db_Connect(DBDaemon.java:1474)
at com.f5.eav.DB_Pinger.db_Ping(DBDaemon.java:1428)
at com.f5.eav.MonitorWorker.run(DBDaemon.java:772)
at java.lang.Thread.run(Thread.java:748)
Conditions:
This may occur if all of the following conditions are true:
1. You are using a DB monitor (Oracle, MSSQL, MySQL, PostgreSQL) configured with a 'count' value of either '0' or a value of '2' or higher.
2. You are using a version of BIG-IP (including an Engineering Hotfix) which contains the fix for ID 775901.
Impact:
Unable to monitor the health of postgresql server pool members accurately.
Workaround:
To work around this issue, configure a 'count' value of '1' in the postgresql monitor configuration.
Fix:
The DB monitor reports the health of a DB server pool member accurately in conjunction with the fix for ID 775901.
814585-6 : PPTP profile option not available when creating or modifying virtual servers in GUI
Component: TMOS
Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.
Conditions:
Creating or modifying a virtual server in the GUI.
Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.
Workaround:
Use TMSH to add a PPTP profile to the virtual server.
812981-1 : MCPD: memory leak on standby BIG-IP device
Component: TMOS
Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.
Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically
Impact:
MCPD may consume a lot of memory on the standby device. Normal functionality of the standby device may stop, and a reboot of the device is required.
Fix:
MCPD on standby BIG-IP device does not take more memory than the same daemon on active BIG-IP device.
811789-5 : Device trust UI hardening
Solution Article: K57214921
811109 : TMM RAM Cache Vulnerability: CVE-2020-5861
Solution Article: K22113131
810957-6 : Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core
Component: TMOS
Symptoms:
When using dynamic routing, changing a virtual server's address from IPv6 to IPv4 can cause tmrouted to core.
Conditions:
-- Using dynamic routing.
-- Changing a virtual server's destination address from IPv6 to IPv4.
-- The virtual server's state changes.
Impact:
Tmrouted cores and restarts, which causes a temporary interruption of dynamic routing services.
Workaround:
Use TMSH to modify both the destination address and the netmask at the same time, e.g.:
tmsh modify ltm virtual <virtual server name> destination <destination address> mask <netmask>
Fix:
Now preventing tmrouted from coring when a virtual server's address is changed from IPv6 to IPv4.
810557-5 : ASM ConfigSync Hardening
Solution Article: K05123525
809205-2 : CVE-2019-3855: libssh2 Vulnerability
Component: TMOS
Symptoms:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server.
Conditions:
-- Authenticated administrative user with Advanced Shell Access.
-- Use of cURL from the command line to connect to a compromised SSH server.
Impact:
A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
Workaround:
None.
Fix:
libcurl has been updated.
809165-5 : TMM may crash while processing connector traffic
Solution Article: K50046200
809125-4 : CSRF false positive
Component: Application Security Manager
Symptoms:
A CSRF false-positive violation.
Conditions:
CSRF enforcing security policy.
This is a very rare scenario, but because it is triggered by a specific parameter in the request, the false positive may repeat many times for the same configuration.
Impact:
False-positive Blocking / Violation
Workaround:
If this happens, change the CSRF parameter name and restart the asm daemon:
1. Change the CSRF parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>
2. Restart the asm daemon:
restart asm
808409-2 : Unable to specify if giaddr will be modified in DHCP relay chain
Component: Local Traffic Manager
Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542, Clarifications and Extensions for BOOTP.
However, because the change also encompasses the DHCP-to-DHCP relay scope, the behavior is not configurable with a db key.
Conditions:
DHCP Relay deployments where the giaddr needs to be changed.
Impact:
You are unable to specify whether giaddr will be changed.
Workaround:
None.
Fix:
A new sys db key, tmm.dhcp.relay.giaddr.overwrite, is introduced.
The default is:
sys db tmm.dhcp.relay.giaddr.overwrite {
value "enable"
}
On versions with a fix for 746077, the sys db key DOES NOT exist and the BIG-IP system always retains the source IP.
On versions with both this fix and the ID748333 fix, this fix overrides the fix for 746077. To change the default, set to "disable" to retain
807821-1 : ICMP echo requests occasionally go unanswered
Component: Local Traffic Manager
Symptoms:
An ARP entry gets stuck in state NEXTHOP_INCOMPLETE for several seconds.
Conditions:
-- There is no ARP entry for the return-route router.
-- The 'remote' BIG-IP system receives an ICMP echo request.
Impact:
Possible traffic failures.
Workaround:
None.
Fix:
ICMP echo replies are always sent for a valid ICMP echo request.
807477-4 : ConfigSync Hardening
Solution Article: K04280042
807005-6 : Save-on-auto-sync is not working as expected with large configuration objects
Component: TMOS
Symptoms:
A device group has 'save sys config' enabled for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true
Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
Conditions:
-- The save-on-auto-sync option is enabled.
-- The device has a large configuration, such as 2,100 virtual servers and ~1100 partitions.
Impact:
Configuration is not saved, which leads to out-of-sync condition.
Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.
805837-5 : REST does not follow current design best practices
Solution Article: K22441651
805557-5 : TMM may crash while processing crypto data
Solution Article: K43815022
805017-4 : DB monitor marks pool member down if no send/recv strings are configured
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle or PostgreSQL database monitor type) is configured without a 'send' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members are configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- No send string is configured for the monitor.
Impact:
With this configuration, the monitor connects to the configured database, but does not issue a query or check for a specific response. Pool members are always marked DOWN when using a database monitor with no 'send' string configured.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
803233-5 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
Component: Local Traffic Manager
Symptoms:
Intermittently (depending on the timing of operations that keep MCP busy):
1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:
-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.
2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:
-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.
Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.
Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.
Workaround:
None.
801637-2 : Cmp_dest on C2200 platform may give incorrect results
Component: TMOS
Symptoms:
Cmp_dest on C2200 platform may give incorrect results.
Conditions:
Run cmp_dest.
Impact:
Incorrect results from cmp_dest.
Fix:
Cmp_dest now gives correct results.
800185-1 : Saving a large encrypted UCS archive may fail and might trigger failover
Component: TMOS
Symptoms:
-- When saving a very large encrypted UCS file, you may encounter an error:
# tmsh save /sys ucs my_ucs passphrase <mysecret>
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package
-- If saving UCS is automated you may find related errors in /var/log/audit:
err scriptd[45342]: 014f0013:3: Script (/Common/f5.automated_backup__backup) generated this Tcl error: (script did not successfully complete: (UCS saving process failed. while executing "tmsh::save /sys ucs $fname ))
-- Other services might be restarted due to lack of memory, which might result in failover.
-- System management via the Configuration utility or command line may be sluggish while the UCS saves.
Conditions:
-- Large encrypted UCS files and low free host memory.
-- UCS file sizes in hundreds of MB are much more likely to encounter this issue, along with free memory less than 1 GB.
Impact:
The operation uses at least 1.3 times the UCS file size of RAM. The UCS may not get saved correctly, and if not enough memory is available, low free-memory symptoms become apparent.
The latter may result in services being killed to free memory, resulting in service impact and failover, though it is quite typical for the overly large process saving the UCS to be terminated with no other impact.
Workaround:
A mitigation is to minimise UCS file size. UCS files large enough to encounter this issue typically contain very large files, some of which may not be needed or are no longer necessary.
Remove unnecessary large files from directories that contribute to UCS archives, for example, stray, large files such as packet captures in /config or its subdirectories. (For help understanding what is in UCS archives, see K12278: Removing non-essential files from a UCS when disk space errors are encountered :: https://support.f5.com/csp/article/K12278.)
If using APM, remove unnecessary EPSEC ISO files. (For more information, see K21175584: Removing unnecessary OPSWAT EPSEC packages from the BIG-IP APM system :: https://support.f5.com/csp/article/K21175584.)
Fix:
Saving a large UCS file no longer fails.
799617-5 : ConfigSync Hardening
Solution Article: K05123525
799589-5 : ConfigSync Hardening
Solution Article: K05123525
797885-5 : ConfigSync Hardening
Solution Article: K05123525
796993-2 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
Component: Local Traffic Manager
Symptoms:
When a pool contains FQDN nodes as pool members, pool member state change messages are not logged in /var/log/ltm.
Conditions:
-- Create a pool with FQDN nodes as its pool members.
-- Apply a monitor to it.
-- The monitor marks the pool member up/down based on reachability.
Impact:
-- Status message is not updated in /var/log/ltm logs.
-- There is no functional impact.
796469-1 : ConfigSync Hardening
Solution Article: K05123525
795797-5 : AFM WebUI Hardening
Solution Article: K21121741
795649-1 : Loading UCS from one iSeries model to another causes FPGA to fail to load
Component: TMOS
Symptoms:
When loading a UCS file from one iSeries model to a different iSeries model, the FPGA fails to load due to a symlink in the UCS file pointing to the firmware version for the source device.
The system will remain in INOPERATIVE state, and messages similar to the following will be seen repeatedly in /var/log/ltm:
-- emerg chmand[7806]: 012a0000:0: FPGA firmware mismatch - auto update, No Interruption!
-- emerg chmand[7806]: 012a0000:0: No HSBe2_v4 PCIs found yet. possible restart to recover Dataplane.
-- emerg chmand[7806]: 012a0000:0: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
-- err chmand[7806]: 012a0003:3: HAL exception publishing switch config: Dataplane INOPERABLE - Incorrect number of HSBs:0, Exp:1, TMMs: 2
Conditions:
Loading a UCS from one iSeries model onto another model, for example, from an i7800 onto an i11400-ds, or from an i2600 to an i5600.
Impact:
FPGA fails to load; the BIG-IP system becomes unusable.
Workaround:
1. Update the symbolic link /config/firmware/hsb/current_version to point to the correct firmware file for the hardware model in use. Here are some examples:
-- For the i2800:
# ln -sf /usr/firmware/hsbe2v4_atlantis/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i7800:
# ln -sf /usr/firmware/hsbe2v2_discovery/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
-- For the i11400-ds:
# ln -sf /usr/firmware/hsbe2_discovery_turbo/L7L4_BALANCED_FPGA /config/firmware/hsb/current_version
2. Reboot the system.
795437-1 : Improve handling of TCP traffic for iRules
Solution Article: K06747393
795197-4 : Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Solution Article: K26618426
794501-5 : Duplicate if_indexes and OIDs between interfaces and tunnels
Component: TMOS
Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.
Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.
Impact:
SNMP OIDs relating to interfaces may yield incomplete results.
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:
# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
if-index 64 <-------------------------------
net interface mgmt {
if-index 32
net vlan external {
if-index 96
net vlan internal {
if-index 112
net vlan test {
if-index 128
net vlan tmm_bp {
if-index 48
net tunnels tunnel http-tunnel {
if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
if-index 80
# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm
-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: high availability (HA) daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: high availability (HA) daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: high availability (HA) proc_running named enabled.
=========================
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289
Workaround:
No workaround currently known.
Fix:
Duplicate if_indexes are no longer assigned to tunnels and interfaces. The resulting duplicate SNMP OIDs are prevented.
794413-5 : BIND vulnerability CVE-2019-6471
Solution Article: K10092301
794389-5 : iControl REST endpoint response inconsistency
Solution Article: K89509323
793149-1 : Adding the Strict-transport-Policy header to internal responses
Component: Application Security Manager
Symptoms:
Some applications require the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.
Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection enabled.
Impact:
Responses arrive at the browser without the Strict-transport-Policy header.
Workaround:
Create an iRule to add the header to the response.
Fix:
A BigDB parameter (asm.strict_transport_policy) has been added that allows the header to be added to all internal responses. The default is disabled.
789893-5 : SCP file transfer hardening
Solution Article: K54336216
788773-5 : HTTP/2 Vulnerability: CVE-2019-9515
Solution Article: K50233772
788769-5 : HTTP/2 Vulnerability: CVE-2019-9514
Solution Article: K01988340
788577-2 : BFD sessions may be reset after CMP state change
Component: TMOS
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, Bidirectional Forwarding Detection (BFD) session processing ownership may migrate from the old processing TMMs to the newly selected TMMs. This process is rapid and can lead to contention between several TMMs over which should be the next BFD processing owner.
It can also lead to a situation where the BFD session is deleted and immediately recreated.
This problem occurs rarely and only on a chassis with more than one blade.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- A CMP state change occurs on one of the blades.
-- The BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change, and contention between the old TMM owner and the new TMM owner occurs.
Impact:
When the BFD session is recreated, it marks the corresponding routing protocol DOWN, if one is configured. The protocol might be BGP, OSPF, or any other routing protocol that supports BFD.
This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or on other devices in the routing mesh.
In most cases, the unexpected routing decisions concern networks learnt by affected routing protocols, which become unreachable when the routing process on the BIG-IP system restarts. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and the responsiveness of other routing devices connected to the BIG-IP system. It is the usual routing convergence period, which includes setting up the peering and exchanging routing information and routes.
Workaround:
There are two workarounds, although the latter is probably impractical:
-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.
Fix:
BFD session is no longer reset during CMP state change.
788513-5 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
Component: Service Provider
Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]
This appears to be benign, as the configuration loads successfully, and the script works as expected.
Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name
Instead of:
RADIUS::avp replace USER-NAME "static value"
Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.
Workaround:
This warning is benign, as the configuration loads successfully and the script works as expected.
788325-5 : Header continuation rule is applied to request/response line
Solution Article: K39794285
Component: Local Traffic Manager
Symptoms:
When a browser communicates with a server over HTTP, it can split a long header into several lines, prepending continuation lines with leading whitespace. This rule does not apply to the request or response line, so leading whitespace in the first header line is invalid. The BIG-IP system parses such a line as a header with an empty value.
Conditions:
A virtual server is configured on the BIG-IP system with an HTTP profile.
Impact:
The BIG-IP system can hide some important HTTP headers, either by passing them to the pool member, by failing to properly handle the request (or response), or by failing to correctly load balance a connection (or request, in the case of a OneConnect profile).
Workaround:
None.
Fix:
Now, when the BIG-IP system receives an invalid request or response with leading whitespace in the first header line, it properly parses the header and handles it correctly.
788301-2 : SNMPv3 Hardening
Solution Article: K58243048
Component: TMOS
Symptoms:
SNMPv3 agents do not follow current best practices.
Conditions:
SNMPv3 agents enabled.
Impact:
SNMPv3 agents do not follow current best practices.
Fix:
SNMPv3 features now follow current best practices.
788057-6 : MCPD may crash while processing syncookies
Solution Article: K00103216
787825-4 : Database monitors debug logs have plaintext password printed in the log file
Solution Article: K58243048
Component: Local Traffic Manager
Symptoms:
When monitor instance logging is enabled in 'debug' mode for certain monitor types, the resulting monitor instance logs may contain sensitive details, such as the password.
Conditions:
When debug mode is enabled for the following monitor types:
1. mssql
2. mysql
3. oracle
4. postgresql
Impact:
The user-account password configured in the health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors/.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The monitor's password field is now redacted by external monitors when monitor debugging is enabled.
785481-5 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
Component: Local Traffic Manager
Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.
Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.
Impact:
Reset packets are not sent back to clients when they should be.
Workaround:
None.
Fix:
Packets that match a BIG-IP object but fail due to connection limits will now be rejected with an RST.
785009-1 : Binary policy import fails with a user-defined Signature Set containing only non-existent signatures
Component: Application Security Manager
Symptoms:
Binary policy import fails if the policy contains a user-defined Signature Set which contains only non-existent Signatures (such as user-defined Signatures).
The error in the GUI:
Failed to insert to PLC.PL_POLICY_NEGSIG_SETS (DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails (`PLC`.`PL_POLICY_NEGSIG_SETS`, CONSTRAINT `PL_POLICY_NEGSIG_SETS_ibfk_2` FOREIGN KEY (`set_id`) REFERENCES `NEGSIG_SETS` (`set_id`) ON DELETE CASCADE) at /usr/local/share/perl5/F5/BatchInsert.pm line 223.
)
The error in /var/log/asm:
crit g_server_rpc_handler_async.pl[26870]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Failed to insert to PLC.PL_POLICY_NEGSIG_SETS (DBD::mysql::db do failed: Cannot add or update a child row: a foreign key constraint fails (`PLC`.`PL_POLICY_NEGSIG_SETS`, CONSTRAINT `PL_POLICY_NEGSIG_SETS_ibfk_2` FOREIGN KEY (`set_id`) REFERENCES `NEGSIG_SETS` (`set_id`) ON DELETE CASCADE) at /usr/local/share/perl5/F5/BatchInsert.pm line 223.
Conditions:
A binary policy file contains a user-defined Signature Set which contains only signatures that don't exist on the target device (such as user-defined Signatures).
Impact:
Policy import fails.
Workaround:
You can use either of the following workarounds:
-- Re-export the policy as XML.
-- Create the missing user-defined Signatures.
Fix:
Binary policy import succeeds even with empty user-defined Signature Sets.
784565-5 : VLAN groups are incompatible with fast-forwarded flows
Component: Local Traffic Manager
Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.
Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.
Impact:
Some connections may fail.
Workaround:
None.
Fix:
The system now prevents flows on VLAN groups from being fast-forwarded to other TMMs.
783505-1 : ASU is very slow on device with hundreds of policies due to table checksums
Component: Application Security Manager
Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.
Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.
Impact:
The ASU process takes hours to complete.
Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.
783113-2 : BGP sessions remain down upon new primary slot election
Component: TMOS
Symptoms:
BGP flapping after new primary slot election.
Conditions:
-- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)
-- After a primary blade reset/reboot, the BFD session is processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.
-- The BFD session creation happens approximately 30 seconds after the reset/reboot.
Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.
Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
bigstart restart tmrouted
Fix:
BFD no longer remains DOWN after a blade reset/reboot. There is a convergence period caused by blade changes (blade reset/reboot, new blade installed, blade comes up), which may take a few moments, but after that BFD sessions show the correct status.
782529-5 : iRules does not follow current design best practices
Solution Article: K30215839
781377-3 : tmrouted may crash while processing Multicast Forwarding Cache messages
Solution Article: K93417064
781225-4 : HTTP profile Response Size stats incorrect for keep-alive connections
Component: Local Traffic Manager
Symptoms:
The HTTP profile Response Size statistic is incorrectly updated per-response using the cumulative number of response bytes seen for the lifetime of the connection, rather than the bytes seen per-response.
Conditions:
-- HTTP profile configured
-- HTTP connection reused for multiple requests/responses
Impact:
The HTTP profile Response Size statistics may be incorrectly reported and do not correlate to actual traffic seen.
Workaround:
None.
Fix:
The HTTP Response Size statistics are correctly updated using per-response values.
780817-3 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
Component: TMOS
Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:
notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.
Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.
+ VIPRION B4300, B4340, and B44xx blades.
+ BIG-IP iSeries i15x00 platforms
-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.
Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.
Guests that are part of a redundant pair may fail over.
Workaround:
None.
Fix:
TMM no longer crashes on certain vCMP hosts after modifications to VLANs and guests.
780601-5 : SCP file transfer hardening
Solution Article: K03585731
779177-5 : Apmd logs "client-session-id" when access-policy debug log level is enabled
Solution Article: K37890841
778077-2 : Virtual to virtual chain can cause TMM to crash
Solution Article: K53183580
777261-1 : When SNMP cannot locate a file it logs messages repeatedly
Component: TMOS
Symptoms:
When the SNMP daemon encounters an error while attempting to statfs a file, it logs an error message. If the file is not present, this error is logged repeatedly and can fill up the log file.
Conditions:
When an SNMP request causes the daemon to query a file on disk, a system error may occur. If the file is not present, the error is logged repeatedly.
Impact:
This can fill up the log with errors.
Fix:
The SNMP daemon has been fixed to log this error once.
774301-1 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
Component: Access Policy Manager
Symptoms:
When the BIG-IP system, configured as a SAML IdP or SAML SP, processes SAML Requests/Responses, verification of the digital signature fails in certain cases:
err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response
Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.
-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.
-- This is also applicable to any SAML requests/responses that are signed:
a) SAML Authentication Request
b) SAML Assertion
c) SAML Artifact Response
d) SAML SLO Request/Response
Impact:
The output does not match the 'Canonicalized element without Signature' calculated by APM. The BIG-IP SAML IdP or SAML SP fails to process SAML Requests/Responses, resulting in errors. APM cannot be deployed as a SAML SP with the Assertion Artifact binding.
Workaround:
None.
Fix:
The output now matches the 'Canonicalized element without Signature' calculated by APM, so deployment occurs without error.
773673-5 : HTTP/2 Vulnerability: CVE-2019-9512
Solution Article: K98053339
773653-3 : APM Client Logging
Solution Article: K23876153
773649-3 : APM Client Logging
Solution Article: K23876153
773641-3 : APM Client Logging
Solution Article: K23876153
773637-3 : APM Client Logging
Solution Article: K23876153
773633-3 : APM Client Logging
Solution Article: K23876153
773621-3 : APM Client Logging
Solution Article: K23876153
773553-5 : ASM JSON parser false positive.
Component: Application Security Manager
Symptoms:
False positive JSON malformed violation.
Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.
Impact:
HTTP request is blocked or an alarm is raised.
Workaround:
There is no workaround other than disabling the JSON profile.
Fix:
The JSON parser has been fixed to conform to RFC 8259.
773421-5 : Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied
Component: Local Traffic Manager
Symptoms:
When OneConnect is applied to a virtual server, the server-side packets larger than the client-side MTU may be dropped.
Conditions:
-- If the client-side MTU is smaller than server-side (either via Path MTU Discovery (PMTUD), or by manually configuring the client-side VLAN).
-- OneConnect is applied.
-- proxy-mss is enabled (the default value starting in v12.0.0).
Impact:
The BIG-IP system rejects server-side ingress packets larger than the client-side MTU, with an ICMP fragmentation needed message. Connections could hang if the server ignores ICMP fragmentation needed and still sends TCP packets with larger size.
Workaround:
Disable proxy-mss in the configured TCP profile.
Fix:
OneConnect prevents sending ICMP fragmentation needed messages to servers.
771873-2 : TMSH Hardening
Solution Article: K40378764
770477-4 : SSL aborted when client_hello includes both renegotiation info extension and SCSV
Component: Local Traffic Manager
Symptoms:
Client SSL reports an error and terminates handshake.
Conditions:
The initial client_hello message includes both signaling mechanisms for secure renegotiation: an empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
Impact:
Unable to connect with SSL.
Workaround:
None.
Fix:
Both signaling mechanisms are now allowed in client_hello.
769817-5 : BFD fails to propagate session state changes during blade restart
Component: TMOS
Symptoms:
BFD fails to propagate session state changes during blade restart.
Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via a specific blade, and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experiences a blade failure.
Impact:
The BFD session remains in the BFD session table until the BGP session is timed out by the hold timer (90 seconds by default). Dynamic routes learnt via the affected BGP session remain in the routing table until the hold time is reached.
Workaround:
Change the BGP hold time to a reasonably lower value.
Fix:
The affected BFD session is removed from the BFD table after blade reset during the period configured for this BFD session.
769809-1 : The vCMP guests 'INOPERATIVE' after upgrade
Component: TMOS
Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests reports INOPERATIVE.
Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.
Impact:
The vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.
Workaround:
Important: If you upgrade vCMP hosts from an affected version to a version unaffected by this issue (ID 769809), ensure that the upgrade version contains the fix for Bug ID 810593: Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade :: https://cdn.f5.com/product/bugtracker/ID810593.html.
Upon encountering this issue, it may be best to roll back to the previously used, unaffected version on the vCMP host, and then install a version unaffected by this issue (i.e., versions later than 12.1.4.1 or later than 13.1.1.5).
Fix:
The system now handles a guest unit key that contains a NULL, so vCMP guests are no longer 'INOPERATIVE' after upgrade.
769309-4 : DB monitor reconnects to server on every probe when count = 0
Component: Local Traffic Manager
Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.
Conditions:
This occurs when one of the LTM mssql, mysql, oracle, or postgresql monitor types is configured with the default 'count' value of 0 (zero).
Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.
Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.
Fix:
The LTM database monitor keeps the network connection to the monitored database server open indefinitely when configured with the default 'count' value of 0 (zero).
769193-3 : Added support for faster congestion window increase in slow-start for stretch ACKs
Component: Local Traffic Manager
Symptoms:
When Appropriate Byte Counting is enabled (the default), TCP's congestion window increases slower in slow-start when the data receiver sends stretch ACKs.
Conditions:
-- The TCP data sender receives stretch ACKs (ACKs that acknowledge more than 2*MSS bytes of data).
-- Appropriate Byte Counting (ABC) is enabled in slow-start.
Impact:
ABC limits the increase of congestion window by 2*MSS bytes per ACK. TCP's congestion window is increased slower in slow-start, which may lead to longer transfer times.
Workaround:
There is no workaround at this time.
Fix:
A new sys db variable, TM.TcpABCssLimit, sets TCP's ABC limit on the congestion window increase per ACK in slow-start (the default is 2*MSS). With a larger limit, TCP's congestion window increases faster in slow-start when stretch ACKs are received. If the data receiver sends regular ACKs or delayed ACKs, this setting has no effect.
Behavior Change:
There is a new db variable, TM.TcpABCssLimit, for specifying TCP's ABC limit on the congestion window increase per ACK (the default is 2*MSS). With a larger limit, TCP's congestion window increases faster in slow-start when stretch ACKs are received.
Note: If the data receiver sends regular ACKs or delayed ACKs, this setting has no effect.
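The effect of the ABC limit on slow-start growth is easiest to see in a small model. The following Python example is added here and is not BIG-IP code: it applies the RFC 3465 rule (cwnd grows by min(bytes acknowledged, L) per ACK) in an idealised per-RTT round model with no losses or receive-window limits, and expresses the limit L as a multiple of MSS, as the page's description of TM.TcpABCssLimit does. The MSS, initial window, and transfer target are constructed values for the demo.

```python
"""Model of RFC 3465 Appropriate Byte Counting (ABC) in slow-start.
Added example, not BIG-IP code; the per-RTT round model is a simplification."""


def abc_increase(acked_bytes, mss, limit_mss):
    """cwnd growth granted for one ACK in slow-start: min(bytes acked, L), L = limit_mss * MSS."""
    return min(acked_bytes, limit_mss * mss)


def rtts_to_reach(target_bytes, mss=1460, ack_bytes=2 * 1460, limit_mss=2, initial_mss=10):
    """Count idealised RTT rounds for cwnd to grow from initial_mss * MSS to target_bytes.

    Each round the sender transmits one cwnd of data and the receiver acknowledges it in
    ACKs covering ack_bytes each: 2 * MSS models delayed ACKs, 4 * MSS or more models
    stretch ACKs. Losses, ssthresh and the receive window are ignored.
    """
    cwnd = initial_mss * mss
    rtts = 0
    while cwnd < target_bytes:
        remaining, growth = cwnd, 0
        while remaining > 0:
            acked = min(ack_bytes, remaining)      # last ACK of the round may be short
            growth += abc_increase(acked, mss, limit_mss)
            remaining -= acked
        cwnd += growth
        rtts += 1
    return rtts


def compare(target_bytes=1_000_000, mss=1460):
    """RTTs needed under the default limit (2 * MSS) and a raised limit (4 * MSS)."""
    return {
        "delayed_ack_limit2": rtts_to_reach(target_bytes, mss, 2 * mss, 2),
        "delayed_ack_limit4": rtts_to_reach(target_bytes, mss, 2 * mss, 4),
        "stretch_ack_limit2": rtts_to_reach(target_bytes, mss, 4 * mss, 2),
        "stretch_ack_limit4": rtts_to_reach(target_bytes, mss, 4 * mss, 4),
    }


if __name__ == "__main__":
    for name, rtts in compare().items():
        print(f"{name}: {rtts} RTTs")
```

With delayed ACKs the two limits give identical results, because no ACK covers more than 2*MSS; with 4*MSS stretch ACKs the default limit halves the per-round growth, and raising the limit restores doubling. That is exactly the no-impact case the note above describes.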
768981-5 : VCMP Hypervisor Hardening
Solution Article: K05765031
767373-4 : CVE-2019-8331: Bootstrap Vulnerability
Solution Article: K24383845
767013-5 : Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
Component: TMOS
Symptoms:
In a rare scenario, the HSB sends a large and continuous stream of pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.
Conditions:
This happens under heavy traffic load on VIPRION B2150, B2250, and B4450 blades. It has also been seen on F5 appliances, such as iSeries platforms. The root cause is still under investigation. It happens extremely rarely.
Impact:
The BIG-IP system must be rebooted to recover.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when it detects that the HSB is in this state.
766577-5 : APMD fails to send a response to a client that has already closed the connection
Component: Access Policy Manager
Symptoms:
APMD fails to send a response to the client and logs an error message such as:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer
APMD spends most of its time interacting with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server responds very slowly (for various reasons, such as network issues), APMD's response to the client is delayed. Sometimes the client has already closed its connection to the virtual server by then, so the client connection is no longer valid.
Conditions:
The backend server is slow, causing longer-than-usual response times.
Impact:
The client closes the connection before APMD responds, so APMD fails to respond to the client.
The cumulative slowness of the backend server delays responses. Most of the time, the client connection is already closed, and the request queue fills up. When apmd picks a request from the queue, the client connection is already closed for some of the requests, but apmd still processes them, which is unnecessary and causes further delay.
Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.
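The pattern the fix describes (test the client connection when a request is dequeued, and again before the response is sent) can be demonstrated with plain sockets. The following Python example is added here and is not APMD code: it detects a departed peer with a non-blocking MSG_PEEK read, and the queue, the "slow backend" handler, and the socketpair-based clients are all constructed for the demo.

```python
"""Check that a queued client connection is still open before doing expensive work.
Added example, not APMD code; the queue and the sockets are constructed in demo()."""
import socket
from collections import deque


def client_still_connected(sock):
    """False once the peer has closed or reset the connection, True otherwise.

    A non-blocking MSG_PEEK read returns b"" after the peer's FIN without consuming
    any request bytes that may still be waiting; BlockingIOError means the socket is
    open but idle; a reset surfaces as an OSError.
    """
    saved_timeout = sock.gettimeout()
    sock.settimeout(0)                 # non-blocking for the probe only
    try:
        return sock.recv(1, socket.MSG_PEEK) != b""
    except BlockingIOError:
        return True
    except OSError:                    # ECONNRESET and friends
        return False
    finally:
        sock.settimeout(saved_timeout)


def drain_queue(queue, handler):
    """Process queued (socket, request) pairs, dropping work for clients that left."""
    processed = dropped = 0
    while queue:
        sock, request = queue.popleft()
        if not client_still_connected(sock):       # check on dequeue, before processing
            dropped += 1
            sock.close()
            continue
        response = handler(request)                # stands in for slow backend auth
        if not client_still_connected(sock):       # check again before sending
            dropped += 1
            sock.close()
            continue
        sock.sendall(response)
        processed += 1
        sock.close()
    return processed, dropped


def demo():
    """Three queued requests; the second client gives up before its turn."""
    queue = deque()
    clients = []
    for i in range(3):
        client, server = socket.socketpair()       # constructed stand-in for accepted connections
        clients.append(client)
        queue.append((server, b"auth user%d" % i))
    clients[1].close()                             # this client closed its connection
    result = drain_queue(queue, lambda req: b"OK " + req)
    for c in (clients[0], clients[2]):
        c.close()
    return result


if __name__ == "__main__":
    print(demo())   # (2, 1): two responses sent, one stale request dropped
```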
766169-1 : Replacing all VLAN interfaces resets VLAN MTU to a default value
Component: Local Traffic Manager
Symptoms:
When the last physical interface is removed from a VLAN, the VLAN's MTU is reset to the default value of 1500. Replacing all interfaces belonging to a VLAN with new ones (e.g., with the command 'tmsh modify net vlan [name] interfaces replace-all-with {...}') does not look like removing all interfaces, but it is implemented as removing all interfaces immediately followed by adding the new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for the newly added interfaces. Because this happens automatically inside TMM, it is not reflected in the configuration: TMSH and the Configuration utility continue to report the original value.
Conditions:
The issue is visible only when removing or replacing all interfaces in a VLAN whose MTU differs from the default of 1500. The added interfaces must also have MTU values larger than 1500.
Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.
Workaround:
There are two workarounds:
-- Reset the desired MTU value after each replace-all-with operation on a VLAN.
-- Avoid the replace-all-with operation by adding the new interfaces before removing the unneeded ones.
Fix:
The VLAN MTU value is now left unchanged after the last interface is removed. It is recalculated when a new interface is added, so there is no risk that it will be too large.
766017-5 : [APM][LocalDB] Local user database instance name length check inconsistencies★
Component: Access Policy Manager
Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.
The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.
Conditions:
-- Using tmsh, create a local user database instance with a 64-character name (longer than 64 characters once the partition prefix is included).
-- Try to add users to this instance, or try to delete the instance from the GUI.
Impact:
A localdb instance whose full name is longer than 64 characters can be created with tmsh but cannot be used.
Workaround:
Delete instance from tmsh and re-create it with a shorter name.
Fix:
Tmsh now enforces the length limit for localdb instance names.
765809 : Memory increases for the bd daemon on cluster environment primary blade
Component: Application Security Manager
Symptoms:
BD memory increases. The increase is visible as a very large number in the last column of the UMU statistics printed in the bd.log files.
Conditions:
-- ASM provisioned on cluster environment.
-- ASM policy attached to a virtual.
-- Brute force protection configured.
Impact:
Memory increase; swap usage.
Workaround:
None.
Fix:
Freed a chunk of memory which was allocated upon a sync from secondary to primary blade.
765533-5 : Sensitive information logged when DEBUG logging enabled
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
762453-4 : Hardware cryptography acceleration may fail
Solution Article: K63558580
762073-3 : Continuous TMM restarts when HSB drops off the PCI bus
Component: TMOS
Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.
Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.
Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.
Workaround:
Manually reboot the BIG-IP system.
Fix:
TMM no longer gets stuck in a restart loop, as a reboot is now automatic in this scenario.
761231-5 : Bot Defense Search Engines getting blocked after configuring DNS correctly
Solution Article: K79240502
Component: Application Security Manager
Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.
A cache is stored for legal / illegal requests to prevent querying the DNS again.
This cache never expires. If there was an initial misconfiguration of DNS, routing, or networking, the affected Search Engines may still be blocked after the problem is fixed, until TMM is restarted.
Conditions:
-- Initial misconfiguration of DNS, or a routing or networking issue.
-- The cache stores verdicts to prevent future DNS queries.
-- The misconfiguration is corrected.
Impact:
The cache does not expire and is never updated, so it retains the verdicts made during the misconfiguration. As a result, valid Search Engines are blocked by Bot Defense.
Workaround:
Restart TMM by running the following command:
bigstart restart tmm
Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.
761185-5 : Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic
Solution Article: K50375550
Component: Local Traffic Manager
Symptoms:
For more information please see: https://support.f5.com/csp/article/K50375550
Conditions:
For more information please see: https://support.f5.com/csp/article/K50375550
Impact:
For more information please see: https://support.f5.com/csp/article/K50375550
Workaround:
For more information please see: https://support.f5.com/csp/article/K50375550
Fix:
For more information please see: https://support.f5.com/csp/article/K50375550
761144-2 : Broadcast frames may be dropped
Solution Article: K95117754
761112-6 : TMM may consume excessive resources when processing FastL4 traffic
Solution Article: K76328112
761014-5 : TMM may crash while processing local traffic
Solution Article: K11447758
760950-1 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Note: A previous bug had this same symptom, but was due to a different root cause.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system.
760878-1 : Incorrect enforcement of explicit global parameters
Component: Application Security Manager
Symptoms:
A false positive or false negative enforcement of explicit global parameter.
Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.
Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.
Workaround:
Make the explicit parameters a wildcard parameter.
Fix:
Explicit parameters are enforced correctly on all parameters.
760723-4 : Qemu Vulnerability
Solution Article: K64765350
760629-1 : Remove Obsolete APM keys in BigDB
Component: Access Policy Manager
Symptoms:
Several APM/Access BigDB keys are obsolete and should be removed, as they only add confusion.
Conditions:
-- BIG-IP is up and running.
Impact:
Although these keys are not used, they create confusion as placeholders.
Workaround:
Remove those keys from BigDB and the control plane, as they are not used. Do not remove keys that still have dependencies in other modules, and do not remove keys that are used during upgrade.
Fix:
The obsolete keys have been removed from BigDB and the control plane. Keys that still have dependencies in other modules, or that are used during upgrade, are retained.
760550-2 : Retransmitted TCP packet has FIN bit set
Component: Local Traffic Manager
Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.
Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.
Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.
Workaround:
Set Nagle to disabled in the TCP profile.
Fix:
The incorrect FIN bit is removed.
760471-5 : GTM iQuery connections may be reset during SSL key renegotiation.
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once every 24 hours per connection by default (the interval is controlled by the db key big3d.renegotiation.interval).
Impact:
The affected iQuery connection is briefly marked down before it is immediately re-established.
Workaround:
There is no workaround.
Fix:
GTM iQuery renegotiations no longer cause the error that reset the connection.
760439-1 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
Component: TMOS
Symptoms:
After installing a UCS that was taken in the forced-offline state, the unit may release its forced-offline status (e.g., transition to standby or active).
Conditions:
Installing a UCS that was taken in the forced-offline state on a clean-installed unit.
Impact:
The unit may become active or standby before intended (e.g., during maintenance).
Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.
760234-3 : Configuring Advanced shell for Resource Administrator User has no effect
Component: TMOS
Symptoms:
Advanced shell is present in the Terminal Access dropdown list when creating a Resource Administrator User, but the functionality is not available.
Conditions:
Configuring Advanced shell for Resource Administrator User.
Impact:
There is no warning message, but the setting has no effect. This gives the false impression that a Resource Administrator User can be configured with Advanced shell access, when the role does not support it.
Workaround:
None.
Fix:
The Advanced shell option is no longer present in the Resource Administrator User Terminal Access dropdown list.
Behavior Change:
Resource Administrator User can no longer select Advanced shell. The option has been removed from the dropdown list in the GUI for the Resource Administrator User.
759968-1 : Distinct vCMP guests are able to cluster with each other.
Component: Local Traffic Manager
Symptoms:
-- Distinct vCMP guests are able to cluster with each other.
-- Guests end up with duplicate rebroad_mac values on one or more slots. This can be checked with the following command:
clsh tmctl -d blade tmm/vcmp -w 200 -s vcmp_name,tmid,rebroad_mac
Check the 'rebroad_mac' field for duplicate MAC addresses:
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A <--------------
vcmp11 0 02:01:23:45:01:0A <--------------
Conditions:
-- It is not yet clear under what circumstances the issue occurs.
-- One way it occurs is when guests are moved between blades and end up with a non-null, duplicate 'rebroad_mac' on one or more slots.
Impact:
Only the vCMP guest acting as primary will be operative.
Workaround:
-- Prevent clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:
modify sys db clusterd.communicateovertmmbp value false
To disable the db variable on the affected guest, log in to the TMOS Shell (tmsh) by entering the following command:
tmsh
Then run the following commands, in sequence:
stop sys service clusterd
modify sys db clusterd.communicateovertmmbp value false
start sys service clusterd
save sys config
Afterwards, the affected guest might still have the wrong management IP address. To resolve that, log in to the vCMP hypervisor and force a management IP update, for example by changing the netmask and then changing it back.
With the above steps, the duplicated rebroadcaster MAC still shows, but the guests are in a stable state. To fix the duplicated MAC, apply the workaround (on all blades) documented in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Important: Applying procedure described in K13030 interrupts traffic.
Fix:
The vCMP guests no longer end up having a non-null and duplicate 'rebroad_mac' on one or more slots. Distinct vCMP guests are no longer able to cluster with each other.
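Picking duplicates out of the tmctl table by eye is error-prone on a chassis with many guests. The following Python example is added here and is not F5 code: it parses the tmctl output shown under Symptoms (embedded as constructed sample data, arrow annotations removed), ignores the all-zero MAC, and reports any rebroad_mac shared by more than one guest. It accepts the output of the clsh command as well, since lines that do not look like a data row (headers, rules, per-blade banners) are skipped.

```python
"""Find duplicate (non-null) rebroadcaster MACs in tmctl output.
Added example, not F5 code; the sample is the table shown under Symptoms."""
import re
import sys
from collections import defaultdict

NULL_MAC = "00:00:00:00:00:00"
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

SAMPLE_TMCTL_OUTPUT = """\
vcmp_name tmid rebroad_mac
--------- ---- -----------------
default 0 02:01:23:45:01:00
vcmp1 0 00:00:00:00:00:00
vcmp5 0 02:01:23:45:01:04
vcmp6 0 00:00:00:00:00:00
vcmp7 0 02:01:23:45:01:06
vcmp8 0 00:00:00:00:00:00
vcmp9 0 02:01:23:45:01:08
vcmp10 0 02:01:23:45:01:0A
vcmp11 0 02:01:23:45:01:0A
"""


def parse_rows(text):
    """Return (vcmp_name, tmid, mac) for data rows; header, rule and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[1].isdigit() or not MAC_RE.match(parts[2]):
            continue
        rows.append((parts[0], int(parts[1]), parts[2].upper()))
    return rows


def duplicate_rebroad_macs(rows):
    """Map each MAC used by more than one guest to the guests sharing it; the null MAC is ignored."""
    by_mac = defaultdict(list)
    for name, _tmid, mac in rows:
        if mac != NULL_MAC:
            by_mac[mac].append(name)
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}


if __name__ == "__main__":
    # Pipe real output in (clsh tmctl ... | python3 thisfile.py) or run stand-alone on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TMCTL_OUTPUT
    dups = duplicate_rebroad_macs(parse_rows(text))
    for mac, names in sorted(dups.items()):
        print(f"{mac} shared by: {', '.join(names)}")
    if not dups:
        print("no duplicate rebroad_mac found")
```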
759596-4 : Tcl errors in iRules 'table' command
Component: TMOS
Symptoms:
The iRules 'table delete' command causes Tcl errors because the return code from SessionDB is handled improperly.
Conditions:
-- iRules 'table delete' command is used.
-- Does not occur consistently, but is more prone to occur when the system is processing more traffic.
Impact:
The 'table delete' command randomly fails and causes disruptions in traffic.
Workaround:
Do not use the 'table delete' command.
Fix:
Fixed 'table delete' to properly interpret the return code from SessionDB.
759480-1 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
Component: Local Traffic Manager
Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.
Conditions:
When all of the following conditions are met:
-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.
-- A command in an LB_FAILED event (not necessarily in the same iRule as the previous point, but attached to the same virtual server) that parks the iRule (e.g., table, session, persist, after, HSL).
-- A CLIENT_CLOSED event is present.
-- The pool member fails in some manner, triggering LB_FAILED.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add a reject command to the LB_FAILED event to force the server side of the connection closed before the response is sent to the client.
759343-3 : MacOS Edge Client installer does not follow best security practices
Solution Article: K49827114
758872-1 : TMM memory leak
Component: Local Traffic Manager
Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.
Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.
Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.
Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.
Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.
Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.
758764-5 : APMD Core when CRLDP Auth fails to download revoked certificate
Component: Access Policy Manager
Symptoms:
CRLDP Auth fails to download the revoked certificates, so the list of revoked certificates remains empty (NULL). APMD cores while accessing this empty (NULL) list.
Conditions:
Handling of an empty revoked-certificate list.
Impact:
APMD core. No access policy enforcement for user sessions, or for any MPI-reliant processes such as rewrite and websso, while apmd restarts.
Workaround:
None.
Fix:
The system now checks for an empty (NULL) revoked certificate list and treats validation as successful, because there is nothing to validate against.
758631-1 : ec_point_formats extension might be included in the server hello even if not specified in the client hello
Component: Local Traffic Manager
Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.
Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.
Impact:
Some clients abort the connection in this case.
Workaround:
There is no workaround other than not configuring any EC cipher suites.
Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.
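Both 770477-4 above (a client_hello carrying both RFC 5746 renegotiation signals) and this entry (a server hello carrying an extension the client never offered, which RFC 5246 section 7.4.1.4 forbids) are conditions you can check on captured handshake bytes. The following Python example is added here and is not BIG-IP code: it parses TLS 1.2 ClientHello and ServerHello bodies, reports which renegotiation signals the client sent, and lists server extensions that were not in the client hello. The hello messages it builds are constructed test data, and the cipher suite chosen for the demo is a hypothetical choice.

```python
"""Inspect TLS 1.2 ClientHello/ServerHello bodies for the two conditions above.
Added example, not BIG-IP code. Handshake bodies are constructed inline."""
import struct

SCSV_RENEGOTIATION = 0x00FF       # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
EXT_RENEGOTIATION_INFO = 0xFF01   # renegotiation_info extension type (RFC 5746)
EXT_SUPPORTED_GROUPS = 0x000A     # elliptic_curves / supported_groups (RFC 4492)
EXT_EC_POINT_FORMATS = 0x000B     # ec_point_formats (RFC 4492)


def _parse_extensions(buf):
    """Parse an optional length-prefixed extensions block into {type: data}."""
    exts = {}
    if not buf:                   # the extensions block is optional in TLS 1.2
        return exts
    (total,) = struct.unpack("!H", buf[:2])
    if 2 + total != len(buf):
        raise ValueError("extensions length does not match remaining bytes")
    pos = 2
    while pos < 2 + total:
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        exts[ext_type] = buf[pos:pos + ext_len]
        pos += ext_len
    return exts


def parse_client_hello(body):
    """Parse a ClientHello body (the bytes after the 4-byte Handshake header)."""
    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # compression_methods
    return {"cipher_suites": suites, "extensions": _parse_extensions(body[pos:])}


def parse_server_hello(body):
    """Parse a ServerHello body."""
    pos = 2 + 32                                  # server_version + random
    pos += 1 + body[pos]                          # session_id
    (suite,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 3                                      # cipher_suite + compression_method
    return {"cipher_suite": suite, "extensions": _parse_extensions(body[pos:])}


def renegotiation_signals(client_hello):
    """Which RFC 5746 signals the client sent; a client may legitimately send both."""
    return {
        "scsv": SCSV_RENEGOTIATION in client_hello["cipher_suites"],
        "extension": EXT_RENEGOTIATION_INFO in client_hello["extensions"],
    }


def unsolicited_extensions(client_hello, server_hello):
    """Extension types the server sent that the client never offered."""
    return sorted(set(server_hello["extensions"]) - set(client_hello["extensions"]))


# --- constructed test messages -------------------------------------------------
def _ext_block(exts):
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def build_client_hello(suites, exts):
    """Minimal TLS 1.2 ClientHello body: zero random, empty session id, null compression."""
    return (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + _ext_block(exts))


def build_server_hello(suite, exts):
    """Minimal TLS 1.2 ServerHello body matching build_client_hello's layout."""
    return b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00" + _ext_block(exts)


ECDHE_SUITE = 0xC02F   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; hypothetical pick for the demo

# Client offers an EC suite, signals secure renegotiation both ways, and sends
# supported_groups (secp256r1) but NOT ec_point_formats.
SAMPLE_CLIENT_HELLO = build_client_hello(
    [ECDHE_SUITE, SCSV_RENEGOTIATION],
    [(EXT_RENEGOTIATION_INFO, b"\x00"), (EXT_SUPPORTED_GROUPS, b"\x00\x02\x00\x17")],
)
# Server picks the EC suite and adds ec_point_formats even though the client never offered it.
SAMPLE_SERVER_HELLO = build_server_hello(
    ECDHE_SUITE, [(EXT_RENEGOTIATION_INFO, b"\x00"), (EXT_EC_POINT_FORMATS, b"\x01\x00")]
)


def inspect(client_hello_body, server_hello_body):
    ch = parse_client_hello(client_hello_body)
    sh = parse_server_hello(server_hello_body)
    return {"renegotiation": renegotiation_signals(ch),
            "unsolicited": unsolicited_extensions(ch, sh)}


if __name__ == "__main__":
    print(inspect(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
```

A server that aborts when renegotiation_signals reports both flags true is showing the 770477-4 behaviour; a non-empty unsolicited list containing 0x000B is the 758631-1 behaviour that some clients refuse.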
758527-5 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
Solution Article: K39604784
Component: TMOS
Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.
Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.
Impact:
Frames not delivered as expected.
Workaround:
Disable global STP.
Fix:
Frames now delivered as expected.
758336-2 : Incorrect recommendation in Online Help of Proactive Bot Defense
Component: Application Security Manager
Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:
Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.
Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.
The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Conditions:
Application has multiple cross-domain resources.
Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.
Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.
Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.
758119-3 : qkview may contain sensitive information
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048
Conditions:
For more information see: https://support.f5.com/csp/article/K58243048
Impact:
For more information see: https://support.f5.com/csp/article/K58243048
Workaround:
For more information see: https://support.f5.com/csp/article/K58243048
Fix:
For more information see: https://support.f5.com/csp/article/K58243048
758065-3 : TMM may consume excessive resources while processing FIX traffic
Solution Article: K82781208
758018-2 : APD/APMD may consume excessive resources
Solution Article: K61705126
757578-5 : RAM cache is not compatible with verify-accept
Component: Local Traffic Manager
Symptoms:
The TCP profile's verify-accept option is not compatible with the RAM cache feature
Conditions:
A TCP profile is used with the 'verify-accept' option enabled, together with a Web Acceleration via RAM cache.
Impact:
There may be a log message in /var/log/tmm# describing an 'Invalid Proxy Transition'. The RAM cache feature may not handle later pipelined requests due to the proxy shutting down the connection.
Workaround:
Do not use TCP's verify-accept option together with RAM cache.
Fix:
RAM cache now works correctly when the TCP profile enables the verify-accept option.
757520 : After a software upgrade, the BIG-IP system does not use the correct hostname for logging.★
Component: TMOS
Symptoms:
After performing a regular software upgrade during which the configuration was rolled forward, the log messages for all daemons except tmm on the upgraded unit report the default hostname (i.e., localhost) instead of the hostname assigned to the BIG-IP system.
Conditions:
Performing a software upgrade to BIG-IP version 11.5.6, 11.5.7, 11.5.8, or 12.1.4 while rolling forward the existing configuration.
This can also happen when you first set up remote syslog on a new LTM on an affected version.
Impact:
There is no impact to the BIG-IP system itself. However, a BIG-IP Administrator may wrongly assume that the system failed to load the configuration, because the default hostname is visible in the logs.
This is not the case; the BIG-IP system correctly loads the configuration post-upgrade. If you are concentrating logs on an external server, this may make it difficult to determine where some logs originated.
Workaround:
To work around this issue, run the following command:
bigstart restart syslog-ng
Note: This issue occurs only the very first time one of the affected versions is booted. Once the issue has been worked around once, the issue does not recur. Therefore, this workaround can be considered permanent.
Fix:
After software upgrade, the BIG-IP system now uses the intended hostname for logging.
757455-4 : Excessive resource consumption when processing REST requests
Solution Article: K87920510
757391-1 : Datagroup iRule command class can lead to memory corruption
Component: Local Traffic Manager
Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.
Conditions:
A [class] command used within a foreach loop.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround aside from removing that iRule.
Fix:
tmm no longer crashes under these conditions.
757088 : TMM clock advances and cluster failover happens during webroot db nightly updates
Component: Traffic Classification Engine
Symptoms:
Mapping and unmapping the Webroot database takes a very long time on TMM, so you might see clock advances. The long interval might result in a failover or state transition in a clustered environment.
Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.
Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.
Workaround:
You can avoid this issue by disabling BrightCloud updates; however, your environment will miss the latest updates as a result. Edit the following settings:
#vi /etc/wr_urldbd/bcsdk.cfg
DoBcap=true
DoRtu=false
DownloadDatabase=false
Fix:
Mapping and unmapping the database is now done asynchronously and the delay is reduced, so that the CDP failover does not happen.
757027-4 : BIND Update
Solution Article: K01713115
757026-4 : BIND Update
Solution Article: K25244852
757025-4 : BIND Update
Solution Article: K00040234
757023-5 : BIND vulnerability CVE-2018-5743
Solution Article: K74009656
756774-3 : Aborted DNS queries to a cache may cause a TMM crash
Solution Article: K24401914
756538-2 : Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair.
Solution Article: K15759349
756450-3 : Traffic using route entry that's more specific than existing blackhole route can cause core
Component: Local Traffic Manager
Symptoms:
TMM asserts with an 'Attempting to free loopback interface' message.
Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use /32 blackhole routes.
Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.
756270-1 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
Component: Local Traffic Manager
Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.
Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.
Impact:
Handshake failure.
Workaround:
None.
Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.
756153-1 : Add diskmonitor support for MySQL /var/lib/mysql
Component: TMOS
Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.
Conditions:
The disk partition /var/lib/mysql is filled to 100%.
Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.
Workaround:
None.
756094-1 : DNS express in restart loop, 'Error writing scratch database' in ltm log
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd
Conditions:
An update to an SOA record (and only an SOA) is received through an incremental zone transfer update (IXFR).
Impact:
Zone updates from the DNS master servers are not processed.
Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:
bigstart stop zxfrd
rm /shared/zxfrd/*
bigstart start zxfrd
Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.
Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.
755997-3 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
Component: Local Traffic Manager
Symptoms:
When IPsec traffic is processed by a FastL4 profile that is not related to an IPsec listener, and is sent out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.
Conditions:
-- IPsec traffic is processed by a FastL4 profile that is not related to an IPsec listener.
-- The traffic is sent out via a gateway pool or a dynamic route.
Impact:
The incorrect source address is used.
Workaround:
None.
Fix:
IPsec traffic now uses the correct source IP address.
755727-4 : Ephemeral pool members not created after DNS flap and address record changes
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.
Conditions:
This issue may occur under rare timing conditions when the following factors are present:
-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.
Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.
Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }
To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.
755507-1 : [App Tunnel] 'URI sanitization' error
Component: Access Policy Manager
Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)
Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).
Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.
Workaround:
None.
755005-4 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
Component: Application Security Manager
Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.
Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.
Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.
Workaround:
None.
Fix:
Correct templates are now used for Illegal Request Length and Illegal Query String Length violations, so the correct titles show.
754944-4 : AVR reporting UI does not follow best practices
Solution Article: K00432398
754460 : No failover on HA Dual Chassis setup using HA score
Component: TMOS
Symptoms:
On a high availability (HA) setup of two chassis, an HA failover does not occur, despite the HA score on the Standby being greater than that on the Active.
Conditions:
-- Multiple blades disabled.
-- Both active and standby chassis have the same HA score.
-- Enabling blades on standby chassis.
Impact:
Although enabling blades on the standby chassis causes a higher HA score on the standby (which should cause a failover to occur), HA state remains the same on both chassis. HA failover is not occurring using HA score calculation.
Workaround:
None.
754365-2 : Updated flags for countries that changed their flags since 2010
Component: Application Security Manager
Symptoms:
Old flags for countries that changed their flags since 2010.
Conditions:
Requests from one of the following countries:
-- Myanmar
-- Iraq
-- Libya
Impact:
Old flag is shown.
Workaround:
None.
Fix:
The three flags are now updated in ASM.
754345-4 : WebUI does not follow best security practices
Solution Article: K79902360
754257 : URL lookup queries not working
Component: Traffic Classification Engine
Symptoms:
Occasionally, there is no response to a url-categorization query.
Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.
Impact:
URL does not get classified. Cannot take any actions against those URLs.
Workaround:
None.
Fix:
URL lookup queries now work as expected.
754103-3 : iRulesLX NodeJS daemon does not follow best security practices
Solution Article: K75532331
753912-1 : UDP flows may not be swept
Solution Article: K44385170
Component: Local Traffic Manager
Symptoms:
Some UDP connection flows do not show in the connection table but do show up in stats. This might occur when datagram_lb mode is enabled on the UDP profile under heavy load.
Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.
Impact:
Increased memory utilization of TMM.
Workaround:
None.
Fix:
The system now correctly manages all expired flows.
753805-2 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
Component: Local Traffic Manager
Symptoms:
After failover, the virtual server takes longer than expected to become available.
Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.
Impact:
Virtual server takes longer than expected to become available.
Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.
753796-3 : SNMP does not follow best security practices
Solution Article: K40443301
753776-3 : TMM may consume excessive resources when processing UDP traffic
Solution Article: K07127032
753014-2 : PEM iRule action with RULE_INIT event fails to attach to PEM policy
Component: Policy Enforcement Manager
Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.
Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.
Impact:
PEM fails to update the new iRule action.
Workaround:
Force mcpd to reload the BIG-IP configuration.
To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
Fix:
The system now continues processing PEM iRule actions if RULE_INIT event is present, so this issue no longer occurs.
752930 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
Component: Local Traffic Manager
Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.
Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.
Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop or mcpd process restarting loop.
Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.
2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:
# ssh slot2 bigstart stop
# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109
# save sys config
# clsh rm -f /var/db/mcpdb.bin
# ssh slot2 bigstart start
Note: This recovery method might have to be executed multiple times to restore a working setup.
752835-1 : Mitigate mcpd out of memory error with auto-sync enabled.
Solution Article: K46971044
Component: TMOS
Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.
Conditions:
-- Auto-sync enabled in a high availability (HA) pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.
Impact:
Mcpd crashes.
Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.
Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.
751586-1 : Http2 virtual does not honour translate-address disabled
Component: Local Traffic Manager
Symptoms:
Translate-address disabled on an HTTP/2 virtual server is ignored.
Conditions:
-- HTTP/2 virtual server configured.
-- Translate-address disabled.
Impact:
The destination address of the traffic is still translated to the pool member address.
Workaround:
None.
Fix:
Translate-address disabled is working correctly now.
751036-4 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
Solution Article: K52035247
750586-3 : HSL may incorrectly handle pending TCP connections with elongated handshake time.
Component: TMOS
Symptoms:
HSL may incorrectly handle TCP connections whose 3-way handshake is still pending after the default handshake timeout has been exceeded.
Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.
Impact:
-- Service interruption while TMM restarts.
-- Failover event.
Workaround:
None.
Fix:
HSL now handles unusually long pending TCP handshakes gracefully and does not cause an outage.
750488 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.
Conditions:
Queries containing an EDNS0 record are sent to DNS Cache; the responses do not contain the RFC-required EDNS0 record.
Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
Corrected EDNS OPT record handling in DNS Cache.
Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:
example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa
These types of responses are expected when running the validation tool against DNS Cache.
750484 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.
Conditions:
A client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.
Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.
Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:
example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa
These types of responses are expected when running the validation tool against DNS Cache.
750473-2 : VA status change while 'disabled' are not taken into account after being 'enabled' again
Component: Local Traffic Manager
Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.
Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.
Impact:
No route-advertisement of the virtual-address.
Workaround:
Toggle the route-advertisement for virtual-address.
Fix:
The virtual-address now operates as expected when disabled.
750472 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.
Conditions:
A client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.
Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, the system now sends a response with the BADVERS error code, as stipulated by the RFC.
Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:
example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
750460-4 : Subscriber management configuration GUI
Solution Article: K61002104
750457 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.
Conditions:
Queries to DNS Express containing an EDNS0 record it does not understand.
Impact:
DNS Express responses might not contain the RFC-required EDNS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
Corrected EDNS OPT record handling in DNS Express.
Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:
example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
750292-3 : TMM may crash when processing TLS traffic
Solution Article: K54167061
750213-1 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
Solution Article: K25351434
Component: Global Traffic Manager (DNS)
Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a BADVERS response.
Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.
Note: If the response is not in the hardware cache, then the query should be properly handled.
Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.
This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.
Workaround:
None.
750187-4 : ASM REST may consume excessive resources
Solution Article: K29149494
749879 : Possible interruption while processing VPN traffic
Solution Article: K47527163
749785-3 : nsm can become unresponsive when processing recursive routes
Component: TMOS
Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consumes 100% CPU.
Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.
Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.
Workaround:
None.
Fix:
nsm now processes recursive routes without issues.
749774-2 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749675-2 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
749508-4 : LDNS and DNSSEC: Various OOM conditions need to be handled properly
Component: Global Traffic Manager (DNS)
Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.
Conditions:
LDNS and DNSSEC OOM conditions.
Impact:
Various traffic-processing issues, for example, TMM panic during processing of DNSSEC activity.
Workaround:
None.
Fix:
The system contains improvements for handling OOM conditions properly.
749414-1 : Invalid monitor rule instance identifier error
Component: Local Traffic Manager
Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.
Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.
Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.
-- Pool members are incorrectly marked down.
Workaround:
You can use either of the following:
-- Failover or failback traffic to the affected device.
-- Run the following command: tmsh load sys config.
749388-4 : 'table delete' iRule command can cause TMM to crash
Component: TMOS
Symptoms:
TMM SegFaults and restarts.
Conditions:
'table delete' gets called after another iRule command.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
Call 'table lookup' on any key before performing a 'table delete'.
Whether or not the key was added into the database beforehand does not matter.
Fix:
Fixed code to prevent invalid use of internal data structure.
749324-4 : jQuery Vulnerability: CVE-2012-6708
Solution Article: K62532311
749294-1 : TMM cores when query session index is out of boundary
Component: Local Traffic Manager
Symptoms:
TMM cores when the queried session index is out of bounds. This is not a usual case; it is most likely caused by memory corruption.
Conditions:
When the session index equals the size of the session cache.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.
749153 : Cannot create LTM policy from GUI using iControl
Component: TMOS
Symptoms:
LTM policy cannot be created from GUI using iControl REST.
Conditions:
Using iControl to create an LTM policy.
Impact:
LTM policy cannot be created from the GUI.
Workaround:
Create LTM policy using TMSH.
Fix:
Can now create LTM policy from GUI using iControl.
749007-4 : South Sudan, Sint Maarten, and Curacao country missing in GTM region list
Component: TMOS
Symptoms:
South Sudan, Sint Maarten, and Curacao countries are missing from the region list.
Conditions:
-- Creating a GTM region record.
-- Create a GTM any region of Country South Sudan, Sint Maarten, or Curacao.
Impact:
Cannot select South Sudan, Sint Maarten, or Curacao from the GTM country list.
Workaround:
None
Fix:
South Sudan, Sint Maarten, and Curacao are now present in the GTM country list.
748902-8 : Incorrect handling of memory allocations while processing DNSSEC queries
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes.
Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.
748502-4 : TMM may crash when processing iSession traffic
Solution Article: K72335002
748205-2 : SSD bay identification incorrect for RAID drive replacement★
Component: TMOS
Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.
Conditions:
iSeries platform with dual SSDs.
Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot.
Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.
The following steps will help to avoid inadvertently removing the wrong drive:
As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.
Here are some steps to follow to prevent this issue from occurring.
1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
• tmsh show sys raid
• tmsh show sys raid array
• array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the following command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.
Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working array member, and you cannot add it to the array. That is, the system responds and replicates as if 'HD already exists'.
748187-1 : 'Transaction Not Found' Error on PATCH after Transaction has been Created
Component: TMOS
Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.
Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.
Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.
Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.
Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.
748177-4 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
Component: Global Traffic Manager (DNS)
Symptoms:
Multiple wildcards not matched to the most specific WideIP.
Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.
Impact:
DNS request gets wrong answer.
Workaround:
There is no workaround at this time.
Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.
747968-4 : DNS64 stats not increasing when requests go through DNS cache resolver
Component: Local Traffic Manager
Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.
Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.
Impact:
DNS64 stats are not correct.
Workaround:
There is no workaround at this time.
747909-2 : GTPv2 MEI and Serving-Network fields decoded incorrectly
Component: Service Provider
Symptoms:
MEI and Serving-Network values obtained with the GTP::ie get iRule command contain digits swapped in pairs, with the first digit missing and a random digit added at the end.
Conditions:
Processing GTP traffic with iRules.
Impact:
It is impossible to obtain the correct values of the MEI and Serving-Network fields of GTPv2 packets when processing them with iRules.
Workaround:
No workaround.
Fix:
Decoding of GTPv2 MEI and Serving-Network fields corrected.
747725-1 : Kerberos Auth agent may override settings that were manually made to krb5.conf
Component: Access Policy Manager
Symptoms:
When apmd starts up, it can override settings in the krb5.conf file with those required for the Kerberos Auth agent.
Conditions:
-- Kerberos Auth is configured in an Access Policy.
-- An administrator has manually made changes to krb5.conf in the [realms] section of the configured realm.
Impact:
Kerberos Auth agent behavior is not what the administrator expects given the changes.
It may also prevent WebSSO (Kerberos) from behaving properly.
Workaround:
None
Fix:
Configuration file changes are now merged: the Kerberos Auth agent adds the lines it requires and does not override existing settings.
747617-4 : TMM core when processing invalid timer
Component: Local Traffic Manager
Symptoms:
TMM crashes while processing an SSLO iRule that enables the SSL filter on an aborted flow.
Conditions:
SSLO is configured and passing traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround
Fix:
SSL filter will no longer be enabled after connection close.
747592-4 : PHP vulnerability CVE-2018-17082
Component: TMOS
Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Conditions:
This vulnerability does not require any authentication and can be exploited via a POST request. Because of the 'Transfer-Encoding: Chunked' header, PHP echoes the request body as the response.
Impact:
F5 products are not affected by this vulnerability. The actual impact of this vulnerability is a possible XSS attack.
Workaround:
No known workaround.
Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.
747585-1 : TCP Analytics supports ANY protocol number
Component: Local Traffic Manager
Symptoms:
No TCP analytics data is collected for an ANY virtual server.
Conditions:
1. Provision AVR
2. Create a FastL4 virtual server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.
Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.
Workaround:
There is no workaround at this time.
Fix:
TCP analytics now supports both the ANY and TCP protocol numbers and collects analytics for TCP flows if the protocol number is ANY or TCP.
747560-2 : ASM REST: Unable to download Whitehat vulnerabilities
Component: Application Security Manager
Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.
Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.
Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided; the file must be downloaded manually, or the GUI must be used.
Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.
Fix:
The REST endpoint for importing Scanner Vulnerabilities for the Whitehat Scanner now correctly downloads the vulnerability file automatically when no file is provided.
747192-3 : Small memory leak while creating Access Policy items
Component: Access Policy Manager
Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.
Conditions:
The leak occurs while creating new policy items in Access.
Impact:
After a long uptime interval, mcpd may crash due to lack of memory.
Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.
Fix:
The leak has been fixed; the previously leaked objects are now released.
747187-4 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response
Component: Service Provider
Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.
Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.
Impact:
Media does not flow on pinholes for which a collision was detected and reported.
Workaround:
None
Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.
747104-4 : LibSSH: CVE-2018-10933
Solution Article: K52868493
Component: Advanced Firewall Manager
Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493
Conditions:
For more information see: https://support.f5.com/csp/article/K52868493
Impact:
For more information see: https://support.f5.com/csp/article/K52868493
Fix:
For more information see: https://support.f5.com/csp/article/K52868493
746922-3 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
Component: Local Traffic Manager
Symptoms:
When a routing entity belonging to a child route domain searches for an egress point for a traffic flow, it first looks for a routing entry in the child route domain; if nothing is found there, it searches the parent route domain and returns the best routing entry found.
If the best routing entry comes from the parent route domain, it is held by the routing entity and used to forward the traffic flow. If a new route entry is later added to the child route domain's routing table, that entry might be better than the previously selected one. However, the previously selected entry is not invalidated, so the routing entity holding it keeps forwarding traffic to a less-preferable egress point.
#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.
Later a new gw for RD1 was added - 0.0.0.0/0%1, it's preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case, with - 0.0.0.0/0%1.
Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.
Impact:
If a newly added route is preferable to an existing one in a different route domain, the new, preferable route is not used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.
Workaround:
Use either of these workarounds after a new route is added in the child route domain.
-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.
-- Recreate a routing object.
- If a pool member is affected, recreate the pool member.
- If a SNAT pool list is affected, recreate it.
- And so on.
Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.
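The following is an added example, not BIG-IP code, that models the parent/child route domain lookup and the stale-selection problem described above. Route domain IDs, the 0.0.0.0/0 default routes and the gateway addresses are taken from or made up around the example in the description; the generation counter used to detect staleness is an assumption of this model, not a description of how tmm implements the fix.

```python
"""Hypothetical model of parent/child route-domain lookup and the stale-route
problem described in 746922-4. Illustrative code, not BIG-IP's implementation;
route domain IDs, prefixes and gateways are made up."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[int, str, str]  # (route domain id, prefix, gateway)


class RouteTables:
    def __init__(self) -> None:
        self.parent: Dict[int, Optional[int]] = {}
        self.routes: Dict[int, List[Tuple[ipaddress.IPv4Network, str]]] = {}
        # Bumped on every route change; routing objects use it to detect staleness.
        self.generation: Dict[int, int] = {}

    def add_route_domain(self, rd: int, parent: Optional[int] = None) -> None:
        self.parent[rd] = parent
        self.routes[rd] = []
        self.generation[rd] = 0

    def add_route(self, rd: int, prefix: str, gateway: str) -> None:
        self.routes[rd].append((ipaddress.ip_network(prefix), gateway))
        self.generation[rd] += 1

    def chain(self, rd: int) -> List[int]:
        """Route domains consulted for a lookup: rd, then its parent, and so on."""
        out: List[int] = []
        cur: Optional[int] = rd
        while cur is not None:
            out.append(cur)
            cur = self.parent[cur]
        return out

    def lookup(self, rd: int, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match in the child first; fall back to the parent only
        when the child has no matching entry at all."""
        for domain in self.chain(rd):
            matches = [(n, gw) for n, gw in self.routes[domain] if dst in n]
            if matches:
                net, gw = max(matches, key=lambda m: m[0].prefixlen)
                return (domain, str(net), gw)
        return None


class PoolMember:
    """A routing object that holds on to the egress route it selected."""

    def __init__(self, tables: RouteTables, address: str, rd: int,
                 fixed: bool = True) -> None:
        self.tables = tables
        self.address = ipaddress.ip_address(address)
        self.rd = rd
        self.fixed = fixed
        self._cached: Optional[Tuple[Optional[Route], Dict[int, int]]] = None

    def egress(self) -> Optional[Route]:
        if self._cached is not None:
            route, seen = self._cached
            if self.fixed or route is None:
                # Fixed behaviour: a change in any route domain searched before
                # the one that supplied the route (i.e. the child) forces reselection.
                watched = self.tables.chain(self.rd)
            else:
                # Buggy behaviour: only the route domain that supplied the route
                # was watched, so a new, preferable child route went unnoticed.
                watched = [route[0]]
            if all(self.tables.generation[d] == seen[d] for d in watched):
                return route
        route = self.tables.lookup(self.rd, self.address)
        seen = {d: self.tables.generation[d] for d in self.tables.chain(self.rd)}
        self._cached = (route, seen)
        return route


def scenario(fixed: bool) -> Tuple[Optional[Route], Optional[Route]]:
    """Reproduce the example from the description: RD0 (parent) -> RD1 (child)."""
    t = RouteTables()
    t.add_route_domain(0)
    t.add_route_domain(1, parent=0)
    t.add_route(0, "0.0.0.0/0", "10.0.0.1")             # default gw for RD0
    member = PoolMember(t, "1.1.1.1", rd=1, fixed=fixed)  # pool member 1.1.1.1%1
    before = member.egress()                             # falls back to RD0's default
    t.add_route(1, "0.0.0.0/0", "10.1.0.1")             # new default gw for RD1
    after = member.egress()                              # buggy: still RD0's route
    return before, after
```

Running scenario(fixed=False) shows the pool member keeps using the parent's 0.0.0.0/0%0 after 0.0.0.0/0%1 appears; scenario(fixed=True) reselects and egresses via the child's route, which is the behavior the fix restores. The same check, run after a route change, is a quick way to confirm on an unfixed unit whether a pool member or SNAT is still pinned to the old egress.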
746877-4 : Omitted check for success of memory allocation for DNSSEC resource record
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.
Conditions:
During memory stress while handling DNSSEC traffic.
Impact:
TMM panic and subsequent interruption of network traffic.
Workaround:
Keeping the workload within normal ranges reduces the probability of encountering this issue.
Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.
746868 : memory leakage when "apply to base domain" is enabled
Component: Fraud Protection Services
Symptoms:
Memory leaks when "apply to base domain" is enabled. This can result in a crash or in aggressive sweeper mode.
Conditions:
"apply to base domain" is enabled in the anti-fraud profile
Impact:
Aggressive connections sweeper mode, and traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
746768-2 : APMD leaks memory if access policy contains variable/resource assign policy items
Component: Access Policy Manager
Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.
Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.
Impact:
APMD's memory footprint will increase whenever the access policy is applied.
Workaround:
There is no workaround.
Fix:
Memory growth has been addressed.
746348-3 : On rare occasions, gtmd fails to process probe responses originating from the same system.
Component: Global Traffic Manager (DNS)
Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.
Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.
Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.
Workaround:
Restart gtmd on the affected BIG-IP system.
746266-4 : A vCMP guest VLAN MAC mismatch across blades.
Component: TMOS
Symptoms:
vCMP guests running on blades in a single chassis report different MAC addresses for a single VLAN after the host is rebooted.
Conditions:
This issue may be seen when all of the following conditions are met:
-- One or more blades are turned off completely via AOM.
-- There are two VLANs.
-- You deploy a multi-slot guest with the higher lexicographic VLAN, and assign the lower VLAN to the guest.
-- Reboot the host.
Impact:
Incorrect MAC addresses are reported by some blades.
Workaround:
None.
Fix:
There is no longer a vCMP guest VLAN MAC mismatch across blades under these conditions.
746091-4 : TMSH Vulnerability: CVE-2019-19151
Solution Article: K21711352
746077-2 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
Component: Local Traffic Manager
Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.
Conditions:
DHCP-RELAY processing a message in which the 'giaddr' field contains a non-zero value.
Impact:
RFC 1542 is violated. The DHCP server uses 'giaddr' to select the client's subnet and to address its reply to the relay agent, so overwriting a non-zero value misidentifies the first relay on the path.
Workaround:
None.
Fix:
DHCP-RELAY no longer overwrites the 'giaddr' field containing a non-zero value.
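The following is an added example, not BIG-IP's DHCP relay code, showing the RFC 1542 section 4.1.1 relay rules applied to a raw BOOTP/DHCP message: 'hops' is incremented (and the message discarded over a configurable limit, default 4), and 'giaddr' is set only when it is zero. Field offsets are those of the fixed BOOTP header (RFC 951, RFC 2131 section 2); the sample packet, the relay address 192.0.2.1 and the upstream relay address 198.51.100.1 are constructed. relay_buggy reproduces the overwriting behavior this fix removes.

```python
"""RFC 1542 relay-agent handling of 'giaddr' and 'hops' on a BOOTREQUEST.
Illustrative code, not BIG-IP's implementation; the packet is constructed.
Fixed BOOTP header offsets: op=0, htype=1, hlen=2, hops=3, xid=4..7,
secs=8..9, flags=10..11, ciaddr=12, yiaddr=16, siaddr=20, giaddr=24, chaddr=28."""
import ipaddress

HOPS_OFFSET = 3
GIADDR_OFFSET = 24
BOOTP_HEADER_LEN = 236


def build_bootrequest(giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Minimal BOOTREQUEST (op=1, Ethernet htype=1, hlen=6) with no options."""
    header = bytearray(BOOTP_HEADER_LEN)
    header[0], header[1], header[2], header[HOPS_OFFSET] = 1, 1, 6, hops
    header[4:8] = (0x3903F326).to_bytes(4, "big")          # xid (arbitrary)
    header[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(giaddr).packed
    header[28:34] = bytes.fromhex("001122334455")          # chaddr (constructed)
    return bytes(header)


def giaddr_of(msg: bytes) -> str:
    return str(ipaddress.IPv4Address(msg[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


def relay(msg: bytes, relay_ip: str, max_hops: int = 4) -> bytes:
    """Forward a client message toward the server as RFC 1542 section 4.1.1
    requires. A non-zero 'giaddr' identifies the first relay on the path and
    MUST NOT be modified: the server selects the subnet from it and sends the
    reply back to that address."""
    if len(msg) < BOOTP_HEADER_LEN or msg[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    if msg[HOPS_OFFSET] >= max_hops:
        raise ValueError("hop limit exceeded; discarding")
    out = bytearray(msg)
    out[HOPS_OFFSET] += 1
    if giaddr_of(msg) == "0.0.0.0":
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out)


def relay_buggy(msg: bytes, relay_ip: str) -> bytes:
    """The behavior fixed by 746077-2: 'giaddr' is overwritten unconditionally,
    so a second relay hides the first one from the server."""
    out = bytearray(msg)
    out[HOPS_OFFSET] += 1
    out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out)
```

To verify a relay in the lab, send a request that already carries a non-zero 'giaddr' through it and compare the field on the server side; with the fix the original value survives and only 'hops' changes.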
745713-2 : TMM may crash when processing HTTP/2 traffic
Solution Article: K94563344
745654-1 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
Component: Access Policy Manager
Symptoms:
When many TCP connections need a new Kerberos ticket fetched from the KDC, websso processes requests more slowly than they arrive. This can lead to low throughput, and the virtual server is very slow to respond to requests.
Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.
Impact:
Low throughput and slow responses from Virtual server.
Workaround:
There is no workaround at this time.
Fix:
The websso worker queue size has been increased so that tmm and the websso process communicate effectively. This eliminates the virtual server slowness and increases throughput.
745574-4 : URL is not removed from custom category when deleted
Component: Access Policy Manager
Symptoms:
When an administrator deletes a URL from a custom category, it should be removed from the category and no longer match that category. In certain cases, the URL is not removed effectively.
Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.
Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.
Workaround:
Running "bigstart restart tmm" resolves the issue. Traffic is disrupted while tmm restarts.
Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.
745405 : Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover
Component: TMOS
Symptoms:
Under heavy SSL traffic, the software crypto codec queue becomes stuck and is taken out of service, but no failover occurs.
Conditions:
Heavy SSL traffic
Impact:
Traffic is impacted and a large number of SSL handshakes to the BIG-IP are failing.
Workaround:
Increase crypto.queue.timeout to a much larger value (for example, from 100 to 500). Restart tmm for the change to take effect.
745404-3 : MRF SIP ALG does not reparse SDP payload if replaced
Component: Service Provider
Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.
Conditions:
This occurs internally while processing SDP in a SIP message.
Impact:
Changes to the SDP are ignored when creating media pinhole flows.
Workaround:
None.
Fix:
The SDP payload is now reparsed if modified or replaced.
745387-4 : Resource-admin user roles can no longer get bash access
Solution Article: K07702240
745371-3 : AFM GUI does not follow best security practices
Solution Article: K68151373
745358-4 : ASM GUI does not follow best practices
Solution Article: K14812883
745261-3 : The TMM process may crash in some tunnel cases
Component: TMOS
Symptoms:
When Direct Server Return (DSR) or asymmetric routing with a tunnel is deployed, the TMM process may crash.
Conditions:
There are two scenarios that may lead to this issue:
Scenario 1: DSR
- DSR is deployed.
Scenario 2: Asymmetric routing
- The sys db variable connection.vlankeyed is set to 'disable'.
- A VLAN and a tunnel are used to handle asymmetric routing.
Impact:
The TMM process crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM process no longer crashes.
745257-4 : Linux kernel vulnerability: CVE-2018-14634
Solution Article: K20934447
745165-4 : Users without Advanced Shell Access are not allowed SFTP access
Solution Article: K38941195
744959-2 : SNMP OID for sysLsnPoolStatTotal not incremented in stats
Component: Carrier-Grade NAT
Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.
Conditions:
This affects all of the global port block allocation (PBA) counters.
Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.
Workaround:
None.
Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.
744937-4 : BIG-IP DNS and GTM DNSSEC security exposure
Solution Article: K00724442
Component: Global Traffic Manager (DNS)
Symptoms:
For more information please see: https://support.f5.com/csp/article/K00724442
Conditions:
For more information please see: https://support.f5.com/csp/article/K00724442
Impact:
For more information please see: https://support.f5.com/csp/article/K00724442
Workaround:
None.
Fix:
For more information please see: https://support.f5.com/csp/article/K00724442
Behavior Change:
Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:
-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap.
These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively.
When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type.
When using these variables:
-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.
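The following is an added example, not BIG-IP code, that models the documented behavior of these db variables: the type bitmap in a NODATA response is the configured type list minus the queried type, and the list must be lowercase, whitespace-separated mnemonics. It also encodes that set in the wire-format type bitmap NSEC3 records carry (RFC 5155 section 3.2.1, which reuses the RFC 4034 section 4.1.2 window-block encoding), so a captured response can be checked against what the variable should produce. The db variable values "txt rrsig" and the type subset table are assumptions for the example.

```python
"""Model of the NSEC3 types bitmap behaviour described for 744937-4, plus the
RFC 4034 4.1.2 wire encoding used by NSEC/NSEC3 records. Illustrative code,
not the BIG-IP implementation; db-variable values here are constructed."""
from typing import Iterable, Set

# RR type mnemonics to numbers (subset of the IANA registry).
RR_TYPES = {"a": 1, "ns": 2, "soa": 6, "mx": 15, "txt": 16, "aaaa": 28,
            "rrsig": 46, "dnskey": 48, "nsec3": 50, "nsec3param": 51}


def parse_bitmap_setting(value: str) -> Set[int]:
    """Parse a db-variable value such as "txt rrsig" into RR type numbers.
    The release note requires lowercase type names; mixed case is rejected
    rather than silently corrected so a bad setting is noticed."""
    types: Set[int] = set()
    for token in value.split():
        if token != token.lower():
            raise ValueError(f"type names must be lowercase: {token!r}")
        if token not in RR_TYPES:
            raise ValueError(f"unknown RR type: {token!r}")
        types.add(RR_TYPES[token])
    return types


def nodata_types(configured: Set[int], qtype: int) -> Set[int]:
    """Types advertised in a NODATA answer: the configured set minus the queried type."""
    return configured - {qtype}


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """RFC 4034 4.1.2: for each 256-type window, emit the window number, the
    bitmap length (trailing zero bytes dropped) and the bitmap. Bit 7 of the
    first byte is type 0 of that window, bit 6 is type 1, and so on."""
    windows = {}
    for t in types:
        bitmap = windows.setdefault(t >> 8, bytearray(32))
        bitmap[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for window in sorted(windows):
        trimmed = bytes(windows[window]).rstrip(b"\x00")
        out += bytes([window, len(trimmed)]) + trimmed
    return bytes(out)


def decode_type_bitmap(data: bytes) -> Set[int]:
    """Inverse of encode_type_bitmap; use it on the bitmap of a captured NSEC3 RR."""
    types: Set[int] = set()
    i = 0
    while i < len(data):
        window, length = data[i], data[i + 1]
        for byte_index, byte in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((window << 8) | (byte_index << 3) | bit)
        i += 2 + length
    return types


def nodata_bitmap(db_value: str, qtype_name: str) -> bytes:
    """Wire-format bitmap expected in a NODATA response for the given
    under-apex (or apex) db-variable value and queried type."""
    configured = parse_bitmap_setting(db_value)
    return encode_type_bitmap(nodata_types(configured, RR_TYPES[qtype_name]))
```

With dnssec.nsec3underapextypesbitmap set to "txt rrsig", a query for TXT on an existing under-apex name yields a bitmap containing only RRSIG (hex 0006000000000002), while a query for AAAA yields TXT and RRSIG (hex 0006000080000002); decode_type_bitmap on the NSEC3 record of a real response should give the same set the model predicts.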
744707-1 : Crash related to DNSSEC key rollover
Component: Global Traffic Manager (DNS)
Symptoms:
When the system is running out of memory, a DNSKEY rollover event might cause a tmm crash and core dump.
Conditions:
-- System has low memory or is out of memory.
-- DNSKEY rollover event occurs.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.
744536 : HTTP/2 may garble large headers
Component: Local Traffic Manager
Symptoms:
The HTTP/2 filter may incorrectly encode large headers.
Conditions:
A header that encodes to larger than 2048 bytes.
Impact:
Application functionality may be disrupted because large header values, such as for cookies, may be truncated when passed to the endpoint.
Workaround:
None.
Fix:
The HTTP/2 filter now correctly encodes large HTTP headers.
744516-2 : TMM panics after a large number of LSN remote picks
Component: Carrier-Grade NAT
Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.
Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.
Impact:
TMM restarts. Traffic is interrupted.
Workaround:
There is no workaround.
Fix:
TMM no longer panics regardless of the number of remote picks.
744347-1 : Protocol Security logging profiles cause slow ASM upgrade and apply policy
Component: Application Security Manager
Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.
Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.
Impact:
ASM upgrade and apply policy are delayed.
Workaround:
There is no workaround at this time.
744331-1 : OpenSSH hardening
Component: TMOS
Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.
Conditions:
Administrative SSH access enabled.
Impact:
OpenSSH does not follow best practices.
Fix:
The default OpenSSH configuration includes best practices for security hardening.
744269-3 : dynconfd restarts if FQDN template node deleted while IP address change in progress
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are being created and deleted as a result of new IP addresses being returned by a recent DNS query.
Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral nodes are being created (for new IP addresses) and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).
Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.
Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.
744117-6 : The HTTP URI is not always parsed correctly
Solution Article: K18263026
Component: Local Traffic Manager
Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.
Conditions:
-- HTTP profile is configured.
-- The URI is inspected.
Impact:
If the URI is used for security checks, then those checks might be bypassed.
Workaround:
None.
Fix:
The HTTP URI is parsed in a more robust manner.
744035-3 : APM Client Vulnerability: CVE-2018-15332
Solution Article: K12130880
743950-3 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
Component: Local Traffic Manager
Symptoms:
TMM raises a segmentation violation and restarts.
Conditions:
-- Set up client-side and server-side SSL with:
+ Client Certificate Constrained Delegation (C3D) enabled.
+ OCSP enabled.
-- Supply SSL traffic.
Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.
Workaround:
Disable C3D.
Fix:
Memory no longer leaks when C3D and OCSP are both enabled with client SSL and server SSL set up.
743815-4 : vCMP guest observes connflow reset when a CMP state change occurs.
Component: TMOS
Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.
Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.
Impact:
This might interrupt a long-lived flow and eventually cause an outage.
Workaround:
None.
Fix:
The system now drops the connflow instead of resetting it.
743803-5 : IKEv2 potential double free of object when async request queueing fails
Component: TMOS
Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.
Conditions:
When an async IPsec crypto operation fails to queue.
Impact:
tmm restarts. All tunnels are lost and must be re-established.
Workaround:
No workaround known at this time.
743790-4 : BIG-IP system should trigger a high availability (HA) failover event when expected HSB device is missing from PCI bus
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.
Conditions:
HSB drops off the PCI bus. This is triggered by certain traffic patterns (FPGA issue) that have not yet been determined.
Impact:
No failover to standby unit after this error condition, causing site outage.
Workaround:
None.
Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.
743105-5 : BIG-IP SNAT vulnerability CVE-2021-22998
Solution Article: K31934524
743082-3 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members★
Component: TMOS
Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result in a configuration that fails to load due to a stray colon character that gets added to the configuration file.
Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- The configuration contains GTM pool members.
Impact:
Configuration fails to load.
Workaround:
Remove stray colon-character from bigip_gtm.conf.
Fix:
Fixed an issue preventing configurations from loading into 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from a version before 12.1.3.
742628-6 : Tmsh session initiation adds increased control plane pressure
Solution Article: K53843889
Component: TMOS
Symptoms:
Under certain circumstances, the Traffic Management Shell (tmsh) can consume more system memory than expected.
Conditions:
Multiple users or remote processes connecting to the BIG-IP administrative command-line interface.
Impact:
Increased control plane pressure. Various delays may occur in both command-line and GUI response. Extreme instances may cause one or more processes to terminate, with potential disruptive effect. Risk of impact from this issue is increased when a large number of automated tmsh sessions are created.
Workaround:
For users with administrative privilege (who are permitted to use the 'bash' shell), the login shell can be changed to avoid invoking tmsh when it may not be needed:
tmsh modify /auth user ADMINUSERNAME shell bash
742237-1 : CPU spikes appear wider than actual in graphs
Component: Local Traffic Manager
Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.
Conditions:
CPU usage has spikes.
Impact:
Graphs of CPU spikes appear to last longer than they actually last.
Workaround:
Perform the following procedure:
1. Run the following command to record the 5-second average rather than the 1-second average:
sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf
2. Restart statsd to load the new configuration:
bigstart restart statsd
Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.
742226-3 : TMSH platform_check utility does not follow best security practices
Solution Article: K11330536
742078-1 : Incoming SYNs are dropped and the connection does not time out.
Component: Local Traffic Manager
Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.
Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.
Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.
Workaround:
There is no workaround.
Fix:
The following command enables the forwarding of an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable
741994 : Cleanup Webroot database files when database fail to download
Component: Traffic Classification Engine
Symptoms:
/var partition gets full when the temporary files are not deleted.
Conditions:
When the update process of the wr_urldb encounters errors, the temporary (downloaded/created) files are not deleted, and the /var directory fills with them.
Impact:
/var partition may get full.
Workaround:
Empty /var/wr_urldb/bcdatabase, and restart wr_urldbd to re-download the new database file.
Fix:
With this release, the temp files downloaded during the database download process get deleted when the download fails.
741951-3 : Multiple extensions in SIP NOTIFY request cause message to be dropped.
Component: Service Provider
Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.
Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.
Impact:
NOTIFY message is not forwarded.
Workaround:
None.
Fix:
Improved SIP URI parser now correctly handles multiple extensions in a URI.
741919-1 : HTTP response may be dropped following a 100 continue message.
Component: Local Traffic Manager
Symptoms:
When a 100 (Continue) response is quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.
Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).
Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.
Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.
Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.
-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
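The following is an added example, not BIG-IP's HTTP filter, showing the parsing rule at the heart of this issue: a 1xx interim response carries no body and must never be treated as the end of a delivery, so a filter has to keep parsing the same buffer for the final response that LRO may have coalesced into one segment. It handles Content-Length and bodiless responses only, and the sample bytes (a 100 Continue immediately followed by a 200 with a two-byte body) are constructed.

```python
"""Minimal HTTP/1.1 response splitter that continues past interim 1xx
responses, so a final response delivered in the same TCP segment (the
condition behind 741919-1) is not lost. Illustrative code, not BIG-IP's
HTTP filter; Content-Length and bodiless responses only; sample is constructed."""
from typing import List, Optional, Tuple

Response = Tuple[int, bytes]  # (status code, body)


def parse_one(buf: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Parse one response from the front of buf.
    Returns (status, body, remaining) or None if more data is needed."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    head, rest = buf[:end], buf[end + 4:]
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # 1xx, 204 and 304 never carry a body (RFC 7230 section 3.3.3).
    if 100 <= status < 200 or status in (204, 304):
        return status, b"", rest
    length = int(headers.get(b"content-length", b"0"))
    if len(rest) < length:
        return None
    return status, rest[:length], rest[length:]


def split_responses(buf: bytes) -> Tuple[List[Response], bytes]:
    """Parse every complete response in buf, continuing past interim 1xx
    responses. Returns the responses found and the unparsed tail, which the
    caller keeps for the next segment."""
    out: List[Response] = []
    while True:
        parsed = parse_one(buf)
        if parsed is None:
            return out, buf
        status, body, buf = parsed
        out.append((status, body))


def first_message_only(buf: bytes) -> Optional[Response]:
    """The failure mode: treating the first parsed message as the whole
    delivery leaves the 200 that arrived in the same segment unread."""
    parsed = parse_one(buf)
    return None if parsed is None else (parsed[0], parsed[1])


# Constructed sample: the server's 100 Continue and final 200 in one segment.
SEGMENT = (b"HTTP/1.1 100 Continue\r\n\r\n"
           b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
```

split_responses(SEGMENT) returns both messages, while first_message_only(SEGMENT) sees only the 100. Disabling LRO, as in the workaround above, makes the two responses arrive in separate deliveries and sidesteps the coalesced case rather than fixing the parsing.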
741902-4 : sod does not validate message length vs. received packet length
Component: TMOS
Symptoms:
sod may crash or produce unexpected behavior.
Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.
Impact:
sod may crash, causing a failover.
Workaround:
None.
Fix:
sod validates the received packet length and does not reference invalid memory.
741423-1 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
Component: TMOS
Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.
The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.
Conditions:
-- Cluster devices are joined in the trust for high availability (HA) or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.
Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.
Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):
1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.
For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:
tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }
2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.
Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established high availability (HA) or config-sync configurations.
741108 : tmm dosl7 memory leak when X-Forwarded-For header value contains a long list of comma separated ip addresses
Component: Application Security Manager
Symptoms:
tmm memory leak can lead to tmm out-of-memory state.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has device ID enabled.
-- HTTP profile accept_xff enabled.
Impact:
Unexpected tmm out-of-memory state can be reached, causing sweeper activity and disrupting traffic.
Workaround:
Disable accept_xff in HTTP profile that is assigned to a virtual server along with ASM policy.
Fix:
The leak is now fixed.
740963-3 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
Component: Local Traffic Manager
Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.
Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.
Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TCP retransmit bursts are now handled gracefully.
740959-1 : User with manager rights cannot delete FQDN node on non-Common partition
Component: Local Traffic Manager
Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.
This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.
Conditions:
-- A user is created with manager rights for a non-Common partition.
-- That user does not have manager rights for the /Common partition.
-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.
-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.
Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.
Workaround:
You can use either of the following workarounds:
-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.
-- Create the FQDN template node on the /Common partition.
Fix:
A user with manager rights for a non-Common partition that has no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.
740777-2 : Secondary blades mcp daemon restart when subroutine properties are configured
Component: Access Policy Manager
Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.
Conditions:
When a subroutine is configured in the access policy.
Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.
Workaround:
There is no workaround other than not using subroutines in the access policy.
Fix:
You can now use subroutines in the access policy.
740490-2 : Configuration changes involving HTTP2 or SPDY may leak memory
Component: Local Traffic Manager
Symptoms:
If a virtual server that has an HTTP2 or SPDY profile is updated, TMM may leak memory.
Conditions:
-- A virtual server has an HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.
Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.
Workaround:
None.
Fix:
TMM no longer leaks memory when virtual servers that contain an HTTP2 or SPDY profile are reconfigured.
740228-3 : TMM crash while sending a DHCP Lease Query to a DHCP server
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes while sending a DHCP Lease Query to a DHCP server.
739971-3 : Linux kernel vulnerability: CVE-2018-5391
Solution Article: K74374841
739970-3 : Linux kernel vulnerability: CVE-2018-5390
Solution Article: K95343321
739963-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
To restore the state of the member, remove it and add it back to the pool.
739947-3 : TMM may crash while processing APM traffic
Solution Article: K42465020
739945-1 : JavaScript challenge on POST with 307 breaks application
Component: Application Security Manager
Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.
Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.
Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.
Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.
Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.
739927-1 : Bigd crashes after a specific combination of logging operations
Component: Local Traffic Manager
Symptoms:
Bigd crashes. Bigd core will be generated.
Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.
Impact:
Bigd crashes.
Workaround:
None.
Fix:
Bigd no longer crashes under these conditions.
739872-3 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
Component: TMOS
Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.
Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.
Impact:
Unintended failover.
Workaround:
None.
Fix:
HA Group scores are no longer updated when running 'load sys config verify' commands.
739846-4 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
Component: Global Traffic Manager (DNS)
Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.
Conditions:
-- Not enough memory to create additional iQuery connections.
-- A new iQuery connection is received.
Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.
Workaround:
None.
Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.
739798 : Massive number of log messages being generated and written to the bd.log.
Component: Application Security Manager
Symptoms:
Log messages regarding parameters might fill the bd.log file. The system logs messages similar to the following:
deleting job-> converterd key
deleting p_node
Conditions:
No special conditions are required to cause this to occur.
Impact:
Lots of I/O processing. Potentially large bd.log file.
Workaround:
None.
Fix:
Fixed a scenario that resulted in a massive number of log messages being generated and written to the bd.log.
739744-2 : Import of Policy using Pool with members is failing
Component: Access Policy Manager
Symptoms:
Import of a policy using a pool with members fails with an error similar to the following: 'Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)'.
Conditions:
The policy has a pool attached to it via a resource assign or chained objects.
Impact:
The policy is not imported on the same box.
Workaround:
There is no workaround at this time.
Fix:
ng-import now imports the policy correctly.
739638-1 : BGP failed to connect with neighbor when pool route is used
Component: Local Traffic Manager
Symptoms:
BGP peering fails to be established.
Conditions:
- Dynamic routing enabled.
- BGP peer connects through a pool route or ECMP route.
Impact:
BGP dynamic route paths are not created.
Workaround:
Use a gateway route.
Fix:
BGP peering can be properly established through a pool route.
739570-1 : Unable to install EPSEC package★
Component: Access Policy Manager
Symptoms:
Installation of EPSEC package via tmsh fails with error:
Configuration error: Invalid mcpd context, folder not found (/Common/EPSEC/Images).
Conditions:
-- EPSEC package has never been installed on the BIG-IP device.
-- Running the command:
tmsh create apm epsec epsec-package <package_name>.iso local-path /shared/apm/images/<package_name>.iso
Impact:
First-time installation of EPSEC package through tmsh fails.
Workaround:
You can do a first-time installation of EPSEC with the following commands:
tmsh create sys folder /Common/EPSEC
tmsh create sys folder /Common/EPSEC/Images
tmsh install Upload/<package_name>.iso
Fix:
When EPSEC package is installed through tmsh command, the folder /Common/EPSEC/Images gets created if it does not exist.
739144-1 : Domain logoff scripts run after VPN connection is closed
Component: Access Policy Manager
Symptoms:
APM Network Access option: 'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.
Conditions:
-- The following options are configured for Microsoft Windows clients:
+ Synchronize with Active Directory policies on connection establishment.
+ Execute logoff scripts on connection termination.
-- Windows client is part of a domain.
-- Domain logoff script is not available without a VPN connection.
Impact:
'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.
Workaround:
None.
Fix:
Changes in APM client allow it to wait until domain logoff script execution completes before closing VPN connection, so this issue no longer occurs.
739094-4 : APM Client Vulnerability: CVE-2018-5546
Solution Article: K54431371
738945-1 : SSL persistence does not work when there are multiple handshakes present in a single record
Component: Local Traffic Manager
Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.
Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.
Impact:
The SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to the server, but then the connection stalls and eventually hits the idle timeout.
Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.
After changing or disabling persistence, the transaction succeeds and no longer hangs.
738943-1 : imish command hangs when ospfd is enabled
Component: TMOS
Symptoms:
The imish command hangs.
Conditions:
- Dynamic routing enabled.
- ospfd protocol enabled.
- Running the imish command.
Impact:
Unable to show dynamic routing state using imish.
Workaround:
Restart the ospfd daemon.
738887-2 : BIG-IP SNMPD vulnerability CVE-2019-6608
Component: TMOS
Symptoms, Conditions, Impact, Workaround and Fix: see https://support.f5.com/csp/article/K12139752
738789-3 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
Component: Application Security Manager
Symptoms:
ASM blocks requests when the request payload is an XML document with a prolog line at the beginning that specifies encoding="us-ascii".
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (use of the value encoding="us-ascii" is very uncommon; the typical value is encoding="utf-8").
Impact:
Blocked XML requests.
Workaround:
You can use either of the following workarounds:
-- Remove XML profile from a URL in the ASM policy.
-- Disable XML malformed document detection via ASM policy blocking settings.
Fix:
XML parser now supports encoding="us-ascii".
738669-3 : Login validation may fail for a large request with early server response
Component: Fraud Protection Services
Symptoms:
In the case of a large request/response, if FPS needs to store ingress and egress chunks in a buffer for additional processing (ingress for parameter parsing; egress for login validation's banned/mandatory string check or script injection), and the server responds fast enough, the buffer may contain mixed parts of the request and response. This may have several effects, from incorrectly performing login validation to generating a tmm core file.
Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The server responds very quickly.
Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.
738647-1 : Add the login detection criteria of 'status code is not X'
Component: Application Security Manager
Symptoms:
There is a criterion needed to detect successful login.
Conditions:
Attempting to detect a successful login when the response code is not X (where X is some status code).
Impact:
Cannot configure login criteria.
Workaround:
None.
Fix:
This release adds a new criterion to the login criteria.
738523-3 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
Component: Local Traffic Manager
Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:
09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.
Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.
Impact:
The pool member is marked down even though it is actually up.
Workaround:
None.
Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.
738521-2 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
Component: Local Traffic Manager
Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.
Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.
Impact:
Trunks are brought down by upstream switch.
Workaround:
There are two workarounds:
-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.
Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.
738445-1 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
Component: TMOS
Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:
-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.
-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.
Either alone prevents finding the SA to delete.
Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.
Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.
Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>
Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.
738397-2 : SAML IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
Component: Access Policy Manager
Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.
The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.
Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
+ The IdP has a Per-Request policy (in addition to a V1 policy).
+ That Per-Request policy has a subroutine or a subroutine macro with a logon page.
Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.
Workaround:
None.
Fix:
The system now checks for additional query parameters in the request_uri while extracting the Resource name, so it is no longer incorrectly set to 'ResourceName&state=<per-flow-id>', which caused the access failure.
738236-3 : UCS does not follow current best practices
Solution Article: K25607522
738119-3 : SIP routing UI does not follow best practices
Solution Article: K23566124
738046-3 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
Component: Local Traffic Manager
Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.
Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.
Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.
Workaround:
None.
Fix:
SERVER_CONNECTED now fires when expected on the standby device.
737998 : Brute Force end attack condition isn't satisfied for successful logins only
Component: Application Security Manager
Symptoms:
When a brute force attack is detected and prevented by ASM, ASM continues to prevent login attempts even after the attacking traffic stopped 5 minutes earlier.
Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM Brute Force protection enabled in the ASM policy.
- There is an ongoing brute force attack on the backend server.
Impact:
ASM does not report that the brute force attack has finished, and login mitigation continues.
Workaround:
During the ongoing, endless brute force attack, change an arbitrary field in the brute force configuration and apply the policy. A brute force attack end event is triggered and the system stops brute force prevention. If the attacking traffic is still being sent, a new brute force attack event is raised and the mitigation reoccurs.
Fix:
Fixed the brute force end-condition check for the case where only successful logins are sent.
737910-1 : Security hardening on the following platforms
Solution Article: K18535734
737758-1 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core
Component: Local Traffic Manager
Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.
Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.
Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.
737731-3 : iControl REST input sanitization
Solution Article: K44885536
737597 : AVR DoS Attack report misses virtual server name in a specific config
Component: Application Visibility and Reporting
Symptoms:
In Security :: Reporting : DoS : Network, the report shows the attack, but categorizes the attack under 'Aggregated' in the Virtual Server name value, rather than the actual name of the Virtual Server on which the attack is happening.
Conditions:
-- A Virtual Server is configured with an IP/subnet range.
For example,
-- Virtual Server with Destination Address: 10.10.10.0/27 (meaning the destination range is 10.10.10.32 - 10.10.10.63).
-- Destination Address of the Client Traffic and Attack: 10.10.10.63
View AVR Reporting, which does not resolve the attack to any specific Virtual Server, but instead categorizes the attack as 'Aggregate'.
Impact:
AVR report missing the Virtual Server information.
Workaround:
None.
737574-3 : iControl REST input sanitization★
Solution Article: K20541896
737565-3 : iControl REST input sanitization
Solution Article: K20445457
737442-1 : Error in APM Hosted Content when set to public access
Solution Article: K32840424
737441-1 : Disallow hard links to svpn log files
Solution Article: K54431371
737437-1 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
Component: TMOS
Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformed ISAKMP messages.
Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.
Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.
Workaround:
To help work around this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.
Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.
737389 : Kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed
Component: TMOS
Symptoms:
There may be a large number of messages in /var/log/kern.log similar to the following:
Tracklist initialized
Tracklist destroyed
Conditions:
This can happen when vCMP is provisioned, which enables SR-IOV mode.
Impact:
It causes messages to show up in /var/log/kern.log, but does not affect traffic. This is a cosmetic issue and does not indicate a functionality issue.
Workaround:
None.
Fix:
Tracklist is now disabled, so this issue no longer occurs.
737332-2 : It is possible for DNSX to serve partial zone information for a short period of time
Component: Global Traffic Manager (DNS)
Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.
Conditions:
-- Two zones being transferred during the same time period
+ zone1.example.net
+ zone2.example.net
-- Transfer of zone1 has started, but not finished.
-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.
Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.
Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.
Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.
737322-1 : tmm may crash at startup if the configuration load fails
Component: TMOS
Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.
Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes at startup if the configuration load fails.
737055-3 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
Component: TMOS
Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot log in to the Configuration Utility. Instead the system presents a blank page, because the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.
Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.
Impact:
You are unable to log in to the Configuration Utility.
Workaround:
Configure the Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.
735832-2 : RAM Cache traffic fails on B2150
Component: Performance
Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.
Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.
Impact:
B2150 does not pass any RAM Cache traffic.
Workaround:
None.
Fix:
RAM Cache traffic now succeeds on B2150.
735565-3 : BGP neighbor peer-group config element not persisting
Component: TMOS
Symptoms:
The BGP neighbor peer-group configuration element does not persist after restart.
Conditions:
- Dynamic routing enabled.
- BGP neighbor configured with a peer-group.
- BIG-IP or tmrouted daemon restart.
Impact:
BGP peer-group configuration elements do not persist.
Workaround:
Reconfigure the BGP neighbor peer-group after restart.
Fix:
The BGP neighbor peer-group configuration is now properly saved to the configuration and persists after restart.
734622 : Policy change with newly enforced signatures causes sig collection failure in other policies
Solution Article: K83093212
Component: Application Security Manager
Symptoms:
An ASM policy change with newly enforced signatures causes a signature collection failure in all other policies.
Conditions:
An ASM policy is changed by adding newly enforced signatures.
Impact:
Signature collection failures are logged for all other policies.
Workaround:
For each other policy on the device, make a spurious change (such as modifying policy description and saving) and apply the policy. Alternatively, a new user-defined signature which would be included in enforcement can be spuriously added and then immediately removed.
734539-2 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
Component: TMOS
Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and the BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find the phase-one SA involved, the racoon daemon may crash if additional INVALID-SPI payloads arrive afterward.
Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.
Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.
Workaround:
There is no workaround at this time.
Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.
734527-4 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured
Component: TMOS
Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default for the neighbor). However, on the system, the peer-group itself defaults to disabled. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using that peer-group.
Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.
Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.
Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.
Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.
Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.
734446-3 : TMM crash after changing LSN pool mode from PBA to NAPT
Component: Carrier-Grade NAT
Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.
Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.
The PBA pool can be deleted after the virtual servers are no longer using it.
Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.
734177 : CVE-2019-12190 : RHEL6 Kernel Vulnerability
Solution Article: K42142782
727292-2 : SSL in proxy shutdown case does not deliver server TCP FIN
Component: Local Traffic Manager
Symptoms:
Connection is not torn down.
Conditions:
The HTTPS server disconnects the connection during the handshake.
Impact:
Potential resource exhaustion.
Workaround:
You can mitigate this condition in either of the following ways:
-- Wait for system to clean up lingering connections.
-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)
-- If this happens on the config-sync channel, use a different self-ip for config-sync on the affected device.
Fix:
The SSL server side now handles this error situation by sending out all remaining egress data and sending a shutdown signal to lower filters.
727206-4 : Memory corruption when using SSL Forward Proxy on certain platforms
Component: Local Traffic Manager
Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.
Conditions:
-- Client SSL profile on a virtual server with SSL Forward Proxy enabled.
-- One of the following platforms:
+ vCMP host
+ 2000s / 2200s
+ 5000s / 5200v
+ 5050s / 5250v / 5250v-F
+ 10350V-F
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes under these conditions.
727107-1 : Request Logs are not stored locally due to shmem pipe blockage
Component: Application Security Manager
Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to become stuck. Messages similar to the following appear in pabnagd.log:
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.
Conditions:
Request Logs are not stored locally due to shmem pipe blockage.
Impact:
Event logs stop logging locally.
Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd
Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.
727044-1 : TMM may crash while processing compressed data
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing compressed data.
Conditions:
Compression enabled
Hardware compression disabled
Impact:
TMM crash leading to a failover event.
Workaround:
No workaround.
Fix:
TMM now correctly processes compressed traffic.
727031-2 : TMM disruption from disaggregation in vCMP systems
Component: Access Policy Manager
Symptoms:
On B2250 blades the Traffic Management Microkernel (TMM) may experience a series of panics and restarts.
The system reports a related message in /var/log/tmm:
vdag failed to attach
On other types of BIG-IP systems some ICMP monitors may fail, indicating a node that is known to be up is down.
Conditions:
-- Guest BIG-IP instance in a vCMP configuration.
-- Guest is running BIG-IP v13.1.3.5.
-- Host is running a software version other than BIG-IP v13.1.3.5.
-- For tmm panic issue, host is B2250 blade
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Note: If installing 13.1.3.5 on a vCMP host or guest, please contact F5 Support and ask for an engineering hotfix with the fix for this issue. Install it on the vCMP host and all guests on that host running 13.1.3.5.
Fix:
TMM disruption no longer occurs from disaggregation in vCMP systems.
726983-5 : Inserting multi-line HTTP header not handled correctly
Component: Local Traffic Manager
Symptoms:
An HTTP header inserted by an iRule that contains an embedded newline followed by whitespace is not parsed properly. The new header can be incorrectly split into multiple headers.
Conditions:
iRule which adds a header containing embedded newline followed by whitespace:
HTTP::header insert X-Multi "This is a\n multi-line header"
Impact:
New header does not get parsed properly, and its values are treated like new header values. In some cases the tmm may be restarted.
Workaround:
Ensure that the trailing whitespace text is not present (if not legitimately there). For manipulation of HTTP Cookie headers, use the HTTP::cookie API rather than directly via HTTP::header.
Fix:
Inserting a multi-line HTTP header is now parsed correctly.
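The following Python is an added example and is not part of the release note or F5's code. It parses an HTTP/1.1 header block in which one field value contains a line break followed by whitespace (obs-fold, RFC 7230 section 3.2.4): parse_naive() reproduces the splitting this bug describes, and parse_obs_fold() shows the handling a recipient is required to apply. The header block is constructed; that the iRule from the bug emits it in this form is an assumption.

```python
"""
Added example, not part of the release note or F5's code: parsing an HTTP/1.1
header block that contains an obs-fold (line break followed by whitespace).
"""
import re
from typing import List, Tuple

# Constructed header block, assumed to be what an iRule such as
#   HTTP::header insert X-Multi "This is a\n multi-line header"
# emits (line endings are an assumption).
SAMPLE_HEADERS = (
    b"Host: example.com\r\n"
    b"X-Multi: This is a\n multi-line header\r\n"
    b"Cookie: session=abc123\r\n"
)

_LINE_BREAK = re.compile(rb"\r?\n")
Header = Tuple[bytes, bytes]


def parse_naive(block: bytes) -> List[Header]:
    """Treat every line as its own 'name: value' field. The folded
    continuation has no colon, so it turns into a bogus extra header
    (kept here with an empty name so the damage is visible)."""
    fields: List[Header] = []
    for line in _LINE_BREAK.split(block):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            fields.append((b"", line.strip()))      # continuation mis-parsed as a header
        else:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_obs_fold(block: bytes) -> List[Header]:
    """A line starting with SP or HTAB continues the previous field value;
    the fold is replaced by one space, as RFC 7230 allows a recipient to do."""
    fields: List[Header] = []
    for line in _LINE_BREAK.split(block):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            if not fields:
                raise ValueError("obs-fold before the first header field")
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without a colon: %r" % line)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def field_names(fields: List[Header]) -> List[bytes]:
    """Header names in the order they were parsed."""
    return [name for name, _ in fields]
```

RFC 7230 also forbids senders from generating obs-fold, so the durable fix is not to insert such values at all: a proxy that splits the fold while the origin joins it is the kind of parser disagreement that header-injection and request-smuggling techniques rely on.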
726895-1 : VPE cannot modify subroutine settings
Solution Article: K02205915
Component: Access Policy Manager
Symptoms:
Open a per-request policy that has a subroutine in the Visual Policy Editor (VPE), and click 'Subroutine Settings / Rename'.
Numeric values such as the inactivity timeout are displayed as 'NaN'. Attempts to modify the values result in MCP validation errors such as one of these:
- Unable to execute transaction because of:
- Unable to execute transaction because of: 01020036:3: The requested user role partition (admin Common) was not found.
Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.
Impact:
All fields say 'NaN', and an error occurs when trying to modify properties. Subroutine settings such as the Inactivity Timeout and Gating Criteria cannot be modified through the VPE.
Workaround:
Use tmsh to modify these values, for example:
tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }
Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.
726647-1 : PEM content insertion in a compressed response may truncate some data
Component: Policy Enforcement Manager
Symptoms:
HTTP compressed response with content insert action can truncate data.
Conditions:
PEM content insertion action with compressed HTTP response.
Impact:
Data might be truncated.
Workaround:
There is no workaround other than to remove the Accept-Encoding header from the HTTP request, so that the server does not return a compressed response.
Fix:
HTTP compressed response with content insert action no longer truncates data.
726592-2 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
Component: Access Policy Manager
Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.
Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.
Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.
Workaround:
There is no workaround at this time; you can recover by restarting the daemons that hang.
Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.
726487-1 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
Component: TMOS
Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:
-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.
-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.
Or:
--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).
--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.
Or:
err mcpd[12620]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Invalid static route modification. A destination change from 172.25.0.1%500 to 172.25.0.1 is not supported... failed validation with error 17237812.
Conditions:
This issue occurs when all of the following conditions are met:
-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Either:
+ Creating a pool member in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
+ Modifying a route in that partition while a configuration save is taking place at the same time (either system- or user-initiated).
Impact:
If the system is Active, traffic is disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).
Workaround:
There is no workaround other than not to create pool members or modify routes from one client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.
Fix:
MCPD on secondary blades no longer restarts if a pool member is created or a route is modified in a partition that uses a non-default route domain at the same time as the configuration is being saved.
726412-1 : Virtual server drop down missing objects on pool creation
Component: Global Traffic Manager (DNS)
Symptoms:
Available virtual servers are not populated in the drop down list during Pool creation.
Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.
Impact:
Unable to add available virtual servers to pools.
Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.
Fix:
Fixed the drop down for virtual servers. Now virtual servers get loaded in the drop-down list during pool creation.
726409-3 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
Component: TMOS
Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
Impact:
Denial of service.
Workaround:
Do not allow untrusted users to log in to the BIG-IP system; exploitation requires the ability to make system calls on the device.
Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439
726393-5 : DHCPRELAY6 can lead to a tmm crash
Solution Article: K36228121
726317-3 : Improved debugging output for mcpd
Component: TMOS
Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.
Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.
Impact:
None. Has no effect without log.mcpd.level set to debug.
Workaround:
None.
Fix:
New output helps F5 engineers diagnose mcpd problems more easily.
726303 : Unlock 10 million custom db entry limit
Component: Traffic Classification Engine
Symptoms:
Cannot add more than 10 million custom db entries.
Conditions:
This happens when you try to add more than 10 million custom db entries.
Impact:
Not able to add more than 10 million entries.
Workaround:
There is no workaround at this time.
Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.
726255-3 : dns_path lingering in memory with last_access 0 causing high memory usage
Component: Global Traffic Manager (DNS)
Symptoms:
dns_path not released after exceeding the inactive path ttl.
Conditions:
1. Multiple TMMs in a sync group.
2. Multiple dns paths per GTM needed for load balancing.
Impact:
High memory usage.
Workaround:
There is no workaround at this time.
Fix:
dns_path memory will be released after ttl.
726239-3 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
726232-1 : iRule drop/discard may crash tmm
Component: Local Traffic Manager
Symptoms:
TMM crash after an iRule attempts to drop packet.
Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
drop
# discard - drop is the same as discard
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM correctly handles 'drop' command in 'LB_SELECTED' event.
726154-1 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
Component: Advanced Firewall Manager
Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.
Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.
Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.
Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.
Fix:
TMM no longer crashes under the conditions described. Firewall and NAT configurations are applied correctly on virtual servers with the same names as route-domains.
726089-3 : Modifications to AVR metrics page
Solution Article: K44462254
725879 : Internet Explorer running on Windows phone 8.1 gets CAPTCHA during legitimate browsing
Component: Application Security Manager
Symptoms:
Internet Explorer (IE) running on Microsoft Windows phone v8.1 gets CAPTCHA during legitimate browsing.
Conditions:
-- Proactive Bot Defense is enabled on a DoS profile attached to a virtual server.
-- A client connects using IE on Windows phone v8.1.
Impact:
CAPTCHA occurs during legitimate browsing.
Workaround:
None.
Fix:
A CAPTCHA event is no longer inadvertently enabled for Internet Explorer browsers on Windows Phone 8.1.
725791-3 : Potential HW/HSB issue detected
Solution Article: K44895409
Component: TMOS
Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.
With a burst of CRC errors in the SRAM for ePVA transformation cache, it does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.
In these cases, there might be the following messages in /var/log/tmm*:
Device error: hsb_lbb* tre2_crc_errs count *
Conditions:
Traffic is offloaded to HSB hardware for acceleration.
Impact:
Hardware accelerated traffic drop.
Workaround:
Switch traffic to software acceleration.
Fix:
Including traffic-critical registers in the failover triggers helps failover happen quickly, with minimum disruption to traffic, in the case of SRAM hardware failures.
725551-5 : ASM may consume excessive resources
Solution Article: K40452417
724868-2 : dynconfd memory usage increases over time
Component: Local Traffic Manager
Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.
Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.
Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of dynconfd prevent the growth from affecting the system.
Fix:
dynconfd no longer leaks memory when processing messages.
724824-5 : Ephemeral nodes on peer devices report as unknown and unchecked after full config sync
Component: Local Traffic Manager
Symptoms:
After a Full Configuration Sync is performed in a device cluster, Ephemeral (FQDN) nodes on peers to the device initiating the Configuration Sync will report their status as Unknown with monitor status of Unchecked.
Note: The nodes are still monitored properly by the peer devices even though they are not reported as such.
Conditions:
-- Full configuration sync performed in a device cluster.
-- Ephemeral (FQDN) nodes configured.
Impact:
Monitor status on the peer devices is reported incorrectly.
Workaround:
Any of the following three options will correct reporting status on the peer devices:
-- Restart bigd
-- Cause monitoring to the FQDN nodes to fail for at least one probing interval, and then restore monitoring accessibility.
-- Disable and then re-enable the FQDN node
Each of these workarounds results in the reported status of the FQDN node on the peer reporting correctly again. The workarounds do not prevent a subsequent configuration sync from placing the FQDN nodes back into Unknown status on peers, however.
724680-3 : OpenSSL Vulnerability: CVE-2018-0732
Solution Article: K21665601
724556-1 : icrd_child spawns more than maximum allowed times (zombie processes)
Component: TMOS
Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.
Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.
Impact:
There are zombie icrd_child processes consuming memory.
Workaround:
Restart the system.
Fix:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
Behavior Change:
Introduced the following configuration in /etc/icrd.conf: sigkillDelaySeconds
If set to 0, or if missing from icrd.conf, SIGKILL will not be issued after SIGTERM is issued to the icrd_child process.
If set to greater than 0, after the specified delay, SIGKILL will be issued after SIGTERM is issued to the icrd_child process if icrd_child process is not terminated.
A 'safe' number for the delay may be 3 seconds, but will depend on your configuration.
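The following Python is an added example and is not part of the release note or F5's code. It implements the escalation that sigkillDelaySeconds describes as a small supervisor routine: send SIGTERM, wait up to the configured delay, send SIGKILL if the child is still alive, and reap it so no zombie is left. The child processes are constructed stand-ins for icrd_child (a sleep that either honours SIGTERM or has it ignored); the names stop_child and spawn_stand_in are this example's own.

```python
"""
Added example, not part of the release note or F5's code: SIGTERM with a
delayed SIGKILL escalation, plus reaping, for a child that may ignore SIGTERM.
"""
import signal
import subprocess


def stop_child(proc: subprocess.Popen, sigkill_delay: float, grace: float = 1.0) -> str:
    """Return 'SIGTERM' if the child exits on SIGTERM, 'SIGKILL' if it had to
    be killed after sigkill_delay seconds, or 'still-running' when
    sigkill_delay is 0 (no escalation, as with the setting absent or 0) and
    the child ignored SIGTERM. 'grace' is only how long that last case is
    observed before giving up."""
    proc.send_signal(signal.SIGTERM)
    wait_for = sigkill_delay if sigkill_delay > 0 else grace
    try:
        proc.wait(timeout=wait_for)   # wait() also reaps the child: no zombie
        return "SIGTERM"
    except subprocess.TimeoutExpired:
        pass
    if sigkill_delay <= 0:
        return "still-running"
    proc.kill()                       # SIGKILL cannot be caught or ignored
    proc.wait()                       # reap the killed child
    return "SIGKILL"


def spawn_stand_in(ignore_sigterm: bool) -> subprocess.Popen:
    """Constructed stand-in for icrd_child: a 'sleep' that either honours
    SIGTERM or has it ignored. An ignored disposition survives exec, so the
    exec'd sleep inherits SIG_IGN, mimicking a child that does not die on
    SIGTERM. The 'ready' line guarantees the trap is installed before return."""
    script = ("trap '' TERM; " if ignore_sigterm else "") + "echo ready; exec sleep 30"
    proc = subprocess.Popen(["sh", "-c", script], stdout=subprocess.PIPE)
    proc.stdout.readline()
    return proc


if __name__ == "__main__":
    print(stop_child(spawn_stand_in(False), sigkill_delay=3))   # SIGTERM
    print(stop_child(spawn_stand_in(True), sigkill_delay=1))    # SIGKILL
```

A delay of 0 leaves a SIGTERM-ignoring child running forever, which is the zombie-accumulation case this bug describes; any positive delay bounds how long it survives, at the cost of skipping whatever cleanup the child would have done on SIGTERM.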
724532-1 : SIG SEGV during IP intelligence category match in TMM
Component: Advanced Firewall Manager
Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.
Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.
Impact:
TMM restart. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.
724339-2 : Unexpected TMUI output in AFM
Solution Article: K04524282
724335-2 : Unexpected TMUI output in AFM
Solution Article: K21042153
724214-2 : TMM core when using Multipath TCP
Component: Local Traffic Manager
Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
724109-5 : Manual config-sync fails after pool with FQDN pool members is deleted
Component: TMOS
Symptoms:
If a user deletes an FQDN pool on one BIG-IP system in a cluster and then runs a manual config sync, the deletion fails to sync to the other BIG-IP systems in the cluster.
Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually
Result: After the FQDN pool is deleted and a manual config sync is run, the config sync fails, and the deleted FQDN pool is still present on the other BIG-IP system.
Impact:
The FQDN pool is not deleted on the other BIG-IP system, and the manual config sync operation fails.
Workaround:
The workaround for this issue is to use auto-sync.
723794-4 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms
Component: TMOS
Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.
You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.
Conditions:
-- AMD-based platforms:
+ BIG-IP B4100 blades
+ BIG-IP B4200 blades
+ BIG-IP 6900 and NEBS appliances
+ BIG-IP 89x0 appliances
+ BIG-IP 6400 FIPS and NEBS platforms
+ BIG-IP 110x0 appliances
-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).
Impact:
System locks up and is rebooted by the watchdog timer.
Workaround:
Set the database variable kernel.pti to disable by running the following command:
tmsh modify sys db kernel.pti value disable
According to AMD, these AMD processors are not vulnerable to Meltdown (CVE-2017-5754), so there is no reason to leave the PTI mitigation enabled.
Fix:
PTI (Page Table Isolation) mitigation is no longer enabled on AMD-based platforms.
723792-3 : GTM regex handling of some escape characters renders it invalid
Component: Global Traffic Manager (DNS)
Symptoms:
The memory footprint of big3d increases.
Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.
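The following Python is an added example and is not part of the release note or F5's code. It shows how a monitor-style recv regular expression classifies a response, why the original recv string above would not have matched a real status line even once it compiled, and the difference between failing open (the bug: an uncompilable pattern marks the server UP for any response) and failing closed. Python's re module accepts the '\/' escape that big3d mishandled, so the compile failure is shown with a deliberately broken pattern. The responses and the function names are constructed for the example.

```python
"""
Added example, not part of the release note or F5's code: recv-string matching
and fail-open versus fail-closed handling of an uncompilable pattern.
"""
import re
from typing import Optional

ORIGINAL_RECV = r"^http\/\d\.\d[23]\d\d"                  # recv string from the bug
REPLACEMENT_RECV = r"^HTTP/[0-9][.][0-9] [23][0-9]{2}"   # suggested replacement
BROKEN_RECV = r"^HTTP/[0-9"                              # constructed: does not compile

# Constructed HTTP responses as a monitor would receive them.
RESP_200 = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
RESP_302 = "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
RESP_503 = "HTTP/1.1 503 Service Unavailable\r\n\r\n"


def compile_recv(pattern: str) -> Optional["re.Pattern"]:
    """Compile the recv string; None if it is not a valid regex."""
    try:
        return re.compile(pattern)
    except re.error:
        return None


def node_is_up(pattern: str, response: str, fail_open: bool = False) -> bool:
    """Mark the node UP only when the recv pattern matches the response.
    fail_open=True reproduces the bug's behaviour: an uncompilable pattern
    marks the node UP for any non-empty response. fail_open=False (the safe
    choice) keeps it DOWN until the pattern is fixed."""
    rx = compile_recv(pattern)
    if rx is None:
        return fail_open and bool(response)
    return rx.search(response) is not None
```

The original pattern uses lowercase 'http' and has no space before the status code, so it never matches 'HTTP/1.1 200' regardless of the escape-handling bug; the replacement matches any 2xx or 3xx status line. Verify a recv string against a response you know should fail (for example a 503) before relying on the monitor.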
723790-4 : Idle asm_config_server handlers consume a lot of memory
Component: Application Security Manager
Symptoms:
Idle asm_config_server handlers needlessly use a large amount of memory.
Conditions:
This issue might result from several sets of conditions. Here is one:
Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.
Impact:
Unnecessary memory consumption.
Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------
2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.
723722-3 : MCPD crashes if several thousand files are created between config syncs.
Component: TMOS
Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.
Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.
Impact:
Traffic is disrupted while the MCPD process restarts.
Workaround:
Run a config sync operation after every ~5000 files created.
Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.
723298-3 : BIND upgrade to version 9.11.4
Component: TMOS
Symptoms:
The BIG-IP system is running BIND version 9.9.9.
Conditions:
BIND on BIG-IP system.
Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.
Workaround:
None.
Fix:
BIND version has been upgraded to 9.11.4.
723288-3 : DNS cache replication between TMMs does not always work for net dns-resolver
Component: Global Traffic Manager (DNS)
Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.
Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.
Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.
Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.
Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)
723130-3 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
Solution Article: K13996
Component: TMOS
Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.
Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).
Note: Existing BIG-IP VE instances are not subject to this issue.
Impact:
There might be questions about the integrity of the OVA file, and in some cases, might not be able to deploy a new instance from an OVA file.
Workaround:
None.
Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.
722969-1 : Access Policy import with 'reuse' enabled instead rewrites shared objects
Component: Access Policy Manager
Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.
Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.
Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.
Workaround:
None.
Fix:
Access policy import with the 'reuse' option enabled no longer rewrites shared objects.
722707-1 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
Component: Local Traffic Manager
Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.
Conditions:
-- A 'mysql' monitor successfully connects to the 'MySQL' database.
-- Once the connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.
Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).
Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).
722682-1 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load★
Component: TMOS
Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.
Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
+ 12.1.3.x
+ Any 13.0.x
+ All 13.1.x earlier than 13.1.1.2
+ 14.0.x earlier than 14.0.0.3
Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.
Workaround:
After upgrade, add two backslash characters (\\) before the first colon (:) character.
1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon (:) character in the name of each affected GTM pool member:
for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done
4. Run the following command: load sys config gtm-only
Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.
722677-3 : BIG-IP HSB vulnerability CVE-2019-6604
Solution Article: K26455071
722387-2 : TMM may crash when processing APM DTLS traffic
Solution Article: K97241515
722380-3 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
Component: TMOS
Symptoms:
On platforms with HSB, if an HSB lockup occurs, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. In certain cases, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
-- Any platform with HSB.
-- An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens after the core dump begins but before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Reboot is delayed until TMM core file is completed.
722363-1 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
722230-6 : Cannot delete FQDN template node if another FQDN node resolves to same IP address
Component: TMOS
Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.
Conditions:
This occurs under the following conditions:
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.
Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.
Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.
722091-2 : TMM may crash while processing HTTP traffic
Solution Article: K64208870
722013-3 : MCPD restarts on all secondary blades post config-sync involving APM customization group
Component: Access Policy Manager
Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.
Each affected blade will log an error message similar to the following example:
-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1
Conditions:
This issue occurs when all of the following conditions are met:
- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).
- Systems are provisioned for APM.
- The device-group is configured for incremental manual synchronizations.
- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.
- You synchronize the configuration from the source_system to the device-group.
- On the source_system, you create a new configuration object of any kind (for example, an LTM node).
- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).
- The MCPD daemon restarts on all secondary blades of the source_system.
Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.
-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.
-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.
Workaround:
None.
Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.
721924-3 : BIG-IP ARM BGP vulnerability CVE-2018-17539
Solution Article: K17264695
721895-1 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
Component: Global Traffic Manager (DNS)
Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.
Conditions:
Running a vulnerability scanner or other SSL test tool.
Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.
Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.
In addition, you can deploy firewall rules to accept connections on port 4353 only from known BIG-IP systems.
Fix:
This version adds a db variable for big3d, big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSv1.1 or TLSv1.2 (the setting is case insensitive).
After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.
721752-1 : Null char returned in REST for Suggestion with more than MAX_INT occurrences
Component: Application Security Manager
Symptoms:
Unable to view ASM event log details for a majority of violations.
Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.
Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.
Workaround:
Use the following sql command:
UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.
721741-2 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
Component: Application Security Manager
Symptoms:
The bd log reports this error:
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------
Conditions:
Configuring IP Address Exceptions in a certain order, with and without a route domain.
Impact:
BD and BD_Agent are out of sync for the IP Address Exception, which causes false positives and false negatives.
Workaround:
There is no workaround at this time.
Fix:
System no longer generates these false positive/negative log entries.
721621-2 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
Component: Local Traffic Manager
Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.
When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.
Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.
Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.
Note: This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.
Overall, traffic for the affected pool may not be sent to the correct pool member (the new ephemeral address).
If no other members are defined in the pool, traffic will be interrupted.
Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.
Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.
Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.
721526-1 : tcpdump fails to write verbose packet data to file
Component: TMOS
Symptoms:
On some BIG-IP platforms, tcpdump is unable to write verbose packet data to a file (e.g., 'tcpdump -nni 2.1:nn -e -vvv -s 0 -w /tmp/dump.pcap').
Conditions:
Use tcpdump with -w and -v options on a front panel interface that is actively sending/receiving traffic.
This occurs on the following hardware:
-- BIG-IP 5000, 7000, 10000, i5000, i7000, i10000, i11000, and i15000 platforms.
-- VIPRION B4400, B4300, B2200, and B2100 blades.
Impact:
Cannot use tcpdump to write verbose packet data to file.
Workaround:
There is no workaround at this time.
Fix:
The tcpdump operation is now able to write verbose packet data to file.
721399-3 : Signature Set cannot be modified to Accuracy = 'All' after another value
Component: Application Security Manager
Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.
Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.
Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.
Workaround:
You can use either of the following workarounds:
-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').
Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.
721375 : Export then import of config with RSA server in it might fail
Component: Access Policy Manager
Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.
Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.
Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.
Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.
Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.
720880 : Attempts to license/re-license the BIG-IP system fail.
Component: TMOS
Symptoms:
Attempts to activate or reactivate the license on the BIG-IP system result in failure messages.
Conditions:
No specific configurations are associated with this issue, but license activation/reactivation requests that include add-ons are more likely to fail.
This occurs under random conditions.
Impact:
The system is either unusable or very difficult to activate.
Workaround:
Because the conditions under which this issue occurs are random, additional licensing attempts might succeed.
Fix:
The source of the underlying problem has been corrected. No additional logs, error messages, or user interaction are involved.
720819-1 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups
Component: TMOS
Symptoms:
In the unlikely event of an HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.
For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.
Instead, the recovery mechanism should trigger almost instantaneously.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.
-- The HSB locks up due to a different issue.
Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.
Workaround:
None.
Fix:
The HSB lock-up is now promptly detected and remedied.
720799-3 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
Component: Local Traffic Manager
Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.
This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.
Conditions:
A DNS query for the FQDN node to which the pool members belong returns an entirely new set of IP addresses (no overlap with previous DNS query results).
Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.
Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most recent DNS query results are not immediately deleted from the pool.
To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old ephemeral nodes and pool members occurs after a delay.
The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.
720756 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
Component: TMOS
Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.
Conditions:
-- On a licensed system, query the marketing-name OID.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.
Impact:
Cannot tell the actual platform name in the SNMP query.
Workaround:
There is no workaround at this time.
Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.
720713-3 : TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
Component: TMOS
Symptoms:
When a BIG-IP iSeries i5800, i7800, or i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.
Note: Management port traffic to/from the device is unaffected.
Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.
The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.
Conditions:
This issue occurs when all of the following conditions apply:
- BIG-IP iSeries i5800, i7800, or i10800 device in vCMP host mode.
- At least one vCMP guest is deployed or was deployed, at some point.
Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.
Workaround:
Ensure that the host is running a compatible version of BIG-IP. For more information on supported host/guest versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088
Fix:
The vCMP host continues to handle traffic correctly once a guest is started.
720695-2 : Export then import of APM access Profile/Policy with advanced customization is failing
Component: Access Policy Manager
Symptoms:
An exported policy containing advanced customization fails to import.
Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.
Impact:
Import fails.
Workaround:
None.
Fix:
Access policy import containing advanced customization now succeeds.
720651-3 : Running Guest Changed to Provisioned Never Stops
Component: TMOS
Symptoms:
After changing a vCMP guest's state to provisioned, the guest remains running and shows a status of stopping.
Conditions:
-- Guests deployed on a BIG-IP vCMP host.
-- Changing the state from deployed to provisioned.
Impact:
Guests do not stop and change status until vcmpd process is restarted, which is likely to impact running guests.
Workaround:
There is no workaround.
Fix:
The guest now stops when the state is changed from deployed to provisioned.
720569-2 : Disaggregation algorithm distributing traffic unequally across CPU cores on Virtual Edition
Component: TMOS
Symptoms:
After a period of time, Inet port exhaustion error messages begin to be reported, and traffic starts to fail:
crit tmm1[17985]: 01010201:2: Inet port exhaustion on <ip_address> to <ip_address>.
CPU cores are unevenly loaded by the tmm process. Typically odd cores will have a more loaded tmm thread.
Conditions:
The BIG-IP system uses the unic, sock, or virtIO drivers.
Impact:
The system reports Inet port exhaustion error messages, and traffic starts to fail.
Where CPU use by the tmm process is very uneven, connections are offloaded at an early stage from the busiest cores, as they approach their maximum, to less-used tmm threads on quieter cores. This means the uneven CPU usage itself usually has minimal impact.
Workaround:
None.
Fix:
Disaggregation algorithm has been improved to avoid unequal distribution.
720461-3 : qkview prompts for password on chassis
Component: TMOS
Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.
Conditions:
SSH auth keys are missing or corrupted.
Impact:
This blocks collecting qkview.
Workaround:
Edit the /usr/bin/getnodedates script and add -oBatchMode=yes to the SSH command, as shown in the following example:
$date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;
Fix:
The qkview is no longer blocked with a password prompt.
720440 : Radius monitor marks pool members down after 6 seconds
Component: Local Traffic Manager
Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.
Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.
Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.
Workaround:
There is no workaround at this time.
Fix:
The maximum length of time that the radius probe will wait for has been increased from 6 seconds to 30 seconds.
720391-1 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.
Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.
Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.
Workaround:
None.
Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.
720293-1 : HTTP2 IPv4 to IPv6 fails
Component: Local Traffic Manager
Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.
Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.
Impact:
Traffic connection does not establish; no traffic passes.
Workaround:
None.
Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.
720269-3 : TACACS audit logging may append garbage characters to the end of log strings
Component: TMOS
Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.
Conditions:
Using audit forwarding with a remote TACACS server.
Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.
Workaround:
There is no workaround at this time.
Fix:
Prevented extra characters from being appended to TACACS audit logs.
720219-1 : HSL::log command can fail to pick new pool member if last picked member is 'checking'
Solution Article: K13109068
Component: Local Traffic Manager
Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.
Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.
Impact:
Failure to send log messages via HSL.
Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.
Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.
720110-4 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
Component: TMOS
Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without the BGP notify message.
Conditions:
-- BGP session is terminated without BGP notify (just TCP FIN).
-- Both learned (not originated in the BIG-IP system) and default-originate (originated in the BIG-IP system) routes are not sent.
Impact:
Default routes are not propagated in the network after the BGP peer restart.
Workaround:
There is no workaround at this time.
Fix:
Default routes are now always sent after the BGP session reset. Behavior is now consistent whether or not the BGP session reset includes a BGP notify message.
720104 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
Component: TMOS
Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.
Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.
Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.
Workaround:
There is no workaround at this time.
Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.
720030-3 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.
Conditions:
APM end users using Kerberos SSO to access backend resources.
Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.
Workaround:
For BIG-IP software v12.x and later, edit the /etc/resolv.conf file to add an EDNS0 option.
There is no workaround if you are running a version earlier than 12.x.
Fix:
Kerberos DNS SRV requests now support EDNS0, so that UDP responses greater than 512 bytes can be received correctly, eliminating the need to re-send the request on TCP while communicating to the internal DNS server (dnscached).
719644-1 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions★
Component: Global Traffic Manager (DNS)
Symptoms:
When an LTM configuration has virtual server names containing a period (.), a GTM configuration with auto-discovery enabled that is upgraded from v11.5.x to a later version might lose consistency.
Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.
Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.
Workaround:
There is no workaround at this time.
Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server names contain a period character (.).
-- The same virtual server name is used in multiple partitions.
719554-3 : Linux Kernel Vulnerability: CVE-2018-8897
Solution Article: K17403481
718885-1 : Under certain conditions, monitor probes may not be sent at the configured interval
Solution Article: K25348242
Component: Global Traffic Manager (DNS)
Symptoms:
When a sufficient number of resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) and then immediately changed to available.
Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.
Impact:
Monitor probes are not consistently performed at the configured interval.
Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.
The key to this workaround is to ensure that the number of resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.
For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:
-- Change the interval for 10 of the monitors to a different value.
-- Set the monitor interval to 40.
Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.
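The following is an added example, not F5 code, that applies the two rules of this workaround to a set of monitor records: it totals the resources sharing each interval and flags any interval that is exceeded by that total, and it flags timeouts that do not follow timeout = (3 x interval) + 1. The monitor tuples and the 40-monitors-at-30-seconds sample are constructed for illustration; the record format (name, interval, timeout, resource count) is an assumption and does not correspond to a tmsh object.

```python
"""Check monitor interval and timeout settings against the workaround rule:
the number of resources sharing one monitor interval must not exceed that
interval (in seconds), and the recommended timeout is (3 x interval) + 1.

Added example; not F5 code. The record format and sample data are assumed.
"""
from collections import defaultdict


def check_monitor_intervals(monitors):
    """monitors: iterable of (name, interval_seconds, timeout_seconds, resource_count).

    Returns a dict with two lists:
      'overloaded_intervals': (interval, total_resources) pairs where the
          total of resources sharing that interval exceeds the interval, so
          probes cannot all be issued within one interval and drift;
      'timeout_mismatch': (name, timeout, recommended) where the timeout
          does not follow timeout = 3 * interval + 1.
    """
    resources_per_interval = defaultdict(int)
    timeout_mismatch = []
    for name, interval, timeout, resources in monitors:
        resources_per_interval[interval] += resources
        recommended = 3 * interval + 1
        if timeout != recommended:
            timeout_mismatch.append((name, timeout, recommended))
    overloaded = sorted(
        (interval, total)
        for interval, total in resources_per_interval.items()
        if total > interval
    )
    return {"overloaded_intervals": overloaded,
            "timeout_mismatch": timeout_mismatch}


def suggest_interval(resource_count):
    """Smallest interval (seconds) that holds resource_count resources,
    together with the matching best-practice timeout."""
    interval = max(resource_count, 1)
    return interval, 3 * interval + 1


# Constructed sample: 40 monitors, each assigned to one resource, all at a
# 30-second interval with the recommended 91-second timeout (the scenario
# described in the workaround text).
SAMPLE_MONITORS = [("mon_%d" % i, 30, 91, 1) for i in range(40)]
# One more monitor whose timeout was left at a non-recommended value.
SAMPLE_MONITORS.append(("mon_odd", 10, 16, 3))

if __name__ == "__main__":
    report = check_monitor_intervals(SAMPLE_MONITORS)
    for interval, total in report["overloaded_intervals"]:
        new_interval, new_timeout = suggest_interval(total)
        print("interval %ds carries %d resources; raise interval to %ds "
              "(timeout %ds) or move %d resources to another interval"
              % (interval, total, new_interval, new_timeout, total - interval))
    for name, timeout, recommended in report["timeout_mismatch"]:
        print("%s: timeout %ds, recommended %ds" % (name, timeout, recommended))
```

For the constructed sample, the 30-second interval is reported as overloaded (40 resources), matching the two options given above: move 10 monitors to a different interval, or raise the interval to 40 seconds with a 121-second timeout.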
Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.
718210-3 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
Component: Local Traffic Manager
Symptoms:
In very rare circumstances, connections that use virtual targeting virtual server and time-wait recycle result in a connection being improperly reused.
Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.
Note: This is the default value, so any virtual servers defined internally are using it.
Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.
Note: This is an extremely rare issue.
Workaround:
None.
Fix:
This issue has been fixed.
718208-1 : Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO
Component: Access Policy Manager
Symptoms:
When using Firefox v52 ESR to install SVPN client, the SVPN client keeps prompting to enter SUDO credentials.
Conditions:
Using Firefox v52 ESR to install SVPN client.
Impact:
Cannot install SVPN client using Firefox v52 ESR browser.
Workaround:
Follow this procedure to work around this problem:
1. Delete the NPAPI plugin from the browser. To do so, remove the browser plugin, which you can find in either or both of the following locations:
~/.mozilla/plugins/np_F5_SSL_VPN_x86_64.so
~/.mozilla/firefox/w8wdvzyy.default/extensions/{5984e8a4-b593-11e5-ad1f-ac88bb8e7f8b}/
2. Launch the browser; connect to APM and install the SVPN client manually.
3. Install the plugin through the browser, or copy the plugin to the browser plugin directory.
4. Restart Firefox v52 ESR to connect to APM.
Fix:
This issue has been fixed, and now you can install the Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR browser.
718071-3 : HTTP2 with ASM policy not passing traffic
Component: Local Traffic Manager
Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.
Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.
Impact:
Traffic does not pass.
Workaround:
No workaround.
Fix:
HTTP2 and ASM now work correctly together.
717896-1 : Monitor instances deleted in peer unit after sync
Component: Local Traffic Manager
Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.
During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.
Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.
Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; that node session is 'enabled' (where the 'from-node' was 'disabled'); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor failure.
Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.
Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.
Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.
717742-3 : Oracle Java SE vulnerability CVE-2018-2783
Solution Article: K44923228
717276-3 : TMM Route Metrics Hardening
Solution Article: K20622530
717100-4 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
Component: Local Traffic Manager
Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.
The missing FQDN ephemeral pool members may be created an hour after initial operations.
Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.
Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.
Workaround:
The following steps, alone or in combination, may help avoid this issue:
1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.
Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.
In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).
Fix:
Ephemeral pool members are now created for each pool under these conditions.
716992-3 : The ASM bd process may crash
Solution Article: K75432956
716922-4 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Note: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
716900-1 : TMM core when using MPTCP
Solution Article: K91026261
716788-3 : TMM may crash while response modifications are being performed within DoSL7 filter
Component: Application Security Manager
Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.
Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.
Impact:
Traffic disrupted while tmm restarts, failover may occur.
Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.
Fix:
Response modification handler has been modified so that this issue no longer occurs.
716747-4 : TMM may crash while processing APM or SWG traffic
Component: Access Policy Manager
Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG traffic.
There will be a log message in /var/log/apm near the time of crash with this:
err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.
Conditions:
APM or SWG enabled.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround at this time.
Fix:
TMM now processes APM and SWG traffic as expected.
716716-3 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
Component: Local Traffic Manager
Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.
Conditions:
The scenario that can lead to this state is unknown.
Impact:
TMM cores. Traffic disrupted while tmm restarts.
Workaround:
Either remove the kernel route, or add a matching TMM route.
Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.
716391-3 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation
Solution Article: K76031538
Component: TMOS
Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.
Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, for example BIG-IP ASM or BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.
Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.
Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.
716318-4 : Engine/Signatures automatic update check may fail to find/download the latest update
Component: Fraud Protection Services
Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.
Note: This issue is relevant only for engineering hotfixes.
Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.
Impact:
Automatic update check will detect the wrong update file.
Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.
Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.
716213-3 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
Component: Local Traffic Manager
Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).
Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.
Impact:
A blank page is observed due to the TCP reset.
Workaround:
No workaround is available.
Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.
716166-3 : Dynamic routing not added when conflicting self IPs exist
Component: TMOS
Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.
Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.
Impact:
The dynamic route is not propagated to the kernel or to TMM.
Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.
715923-3 : When processing TLS traffic TMM may terminate connections unexpectedly
Solution Article: K43625118
715750-3 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
Solution Article: K41515225
Component: Local Traffic Manager
Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.
For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.
Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.
Conditions:
This issue occurs when the following conditions are met:
-- A standard virtual server with the clientssl and serverssl profiles in use.
-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.
Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.
For example, if the original FIN was received by the BIG-IP system on the clientside:
-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.
-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.
Workaround:
There is no workaround at this time.
Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.
715467-3 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
Component: Local Traffic Manager
Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.
Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.
Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.
Workaround:
There is no workaround at this time.
Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.
715448-1 : Providing LB::status with a GTM Pool name in a variable caused validation issues
Component: Global Traffic Manager (DNS)
Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.
Conditions:
LB::status pool <variable containing the pool name as a string>.
Impact:
Unable to use LB::status iRule.
Workaround:
There is no workaround at this time.
Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.
715250-2 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
Component: Access Policy Manager
Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.
Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.
Impact:
System instability, failover, traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
715207-2 : coapi errors while modifying per-request policy in VPE
Component: Access Policy Manager
Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).
err coapi: PHP: requested conversion of uninitialized member.
Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.
Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.
Workaround:
To work around this issue, perform the following procedure:
1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.
Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.
715090 : PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers
Component: Policy Enforcement Manager
Symptoms:
Policy and Charging Rules Function (PCRF) policy actions will have no effect on the subscribers' traffic.
Conditions:
PEM creates a traffic generated subscriber that has PCRF-provided policies associated with it.
Impact:
Potential loss of service depending on the policy actions that do not take effect.
Workaround:
There is no workaround at this time.
Fix:
This issue has been fixed.
715032-6 : iRulesLX Hardening
Solution Article: K73302459
Component: Local Traffic Manager
Symptoms:
iRulesLX does not follow current best practices and should be updated to ensure layered protections.
Conditions:
-- iRulesLX in use.
Impact:
iRulesLX does not follow current best practices.
Workaround:
None.
Fix:
iRulesLX now follows current best practices.
714986-1 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
Component: TMOS
Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.
Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.
2. Exit from the login prompt in the current terminal session, or kill it and start a new session.
Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.
Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.
1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:
tmsh modify sys console baud-rate 9600
2. Re-program the TTY device with the desired speed by running a command similar to the following:
stty -F /dev/ttyS0 9600
3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:
/usr/bin/killall -q agetty
4. Restart bash logins by running the following command:
/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1
Fix:
In addition to reprogramming the UART with the new baud rate, the BIG-IP system now re-initializes the TTY device and agetty process with the correct speed so that new terminal sessions reflect the change.
714903-1 : Errors in chmand
Component: TMOS
Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.
Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.
Impact:
Cluster does not form.
Workaround:
None.
Fix:
These errors in chmand are fixed.
714879-1 : APM CRLDP Auth passes all certs
Solution Article: K34652116
714848 : OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled
Component: TMOS
Symptoms:
DDM transmit power too low warning continually appear in /var/log/ltm, and in SNMP traps. Messages appear similar to the following:
DDM interface:3/1.0 transmit power too low warning. Transmit power(mWatts) 0.0001 0.0001 0.0001 0.0001
A single warning message is expected, not repeating messages.
Conditions:
This occurs when all of the following conditions are met:
-- The interface is disabled.
-- DDM is enabled.
-- OPT-0031 or OPT-0036.
Impact:
There are multiple messages in /var/log/ltm, and SNMP DDM traps. There is no impact on traffic.
Workaround:
There is no workaround other than to enable the interface or disable DDM.
Fix:
DDM errors no longer continually appear on disabled interfaces containing OPT-0031 or OPT-0036.
714716-3 : Apmd logs password for acp messages when in debug mode
Solution Article: K10248311
Component: Access Policy Manager
Symptoms:
Apmd logs password when executing policy via iRule.
Conditions:
-- APM is licensed and provisioned.
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication.
-- Debug mode active.
Impact:
Apmd logs the clear text password.
Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.
714654-3 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
Component: TMOS
Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.
Conditions:
Creating a static route for a network that already has an advertised dynamic route.
Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.
Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.
Fix:
Creating static routes for advertised dynamic route no longer causes the tmrouted-to-TMM connection to drop.
714559-1 : Removal of HTTP hash persistence cookie when a pool member goes down.
Component: Local Traffic Manager
Symptoms:
When HTTP cookie hash persistence is configured, the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.
Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.
Impact:
Connected clients must establish a new session.
Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:
when CLIENT_ACCEPTED {
    # Persist on a hash of the JSESSIONID cookie value.
    persist cookie hash JSESSIONID
}
Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.
If you need to remove the cookie, use an iRule similar to the following:
when PERSIST_DOWN {
    # Drop the cookie only when the persisted pool member is down.
    HTTP::cookie remove JSESSIONID
}
714542-1 : 'Always Connected Mode' text is missing in EdgeClient tray
Component: Access Policy Manager
Symptoms:
When right-clicking the EdgeClient tray icon, the pop-up menu shows a grey box instead of the 'Always Connected Mode' text.
Conditions:
EdgeClient installed in 'Always Connected Mode' with 'Allow' traffic when VPN is disconnected.
Impact:
No functional impact. Previously, the message appeared only for blocked mode.
Workaround:
None.
Fix:
Now, when a user right-clicks the Edge Client tray icon in Always Connected mode, the 'Always Connected Mode' text is displayed on the tray icon pop-up menu.
714181-3 : TMM may crash while processing TCP traffic
Solution Article: K14632915
713951-3 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
713934-4 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
Component: Local Traffic Manager
Symptoms:
Received malformed Truncated DNS response.
Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.
Impact:
DNS request might not be resolved correctly.
Workaround:
There is no workaround at this time.
Fix:
In this release, when 'DNS::question name' changes the query name, the software ensures that the request is updated with proper lengths.
713690-1 : IPv6 cache route metrics are locked
Component: Local Traffic Manager
Symptoms:
Under certain circumstances IPv6 route metrics are locked for the lifetime of a route metrics cache entry.
Conditions:
Under certain circumstances IPv6 route metrics cache entries are created locked.
Impact:
IPv6 route metrics are locked for the lifetime of a route metrics cache entry. When subsequent ICMPv6 Packet Too Big messages with a larger MTU are received, the value does not get updated.
Workaround:
None.
Fix:
IPv6 route metrics are not locked anymore.
713655-3 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
Component: Access Policy Manager
Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.
Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.
Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.
Workaround:
None.
Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.
713533-3 : list self-ip with queries does not work
Component: Local Traffic Manager
Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.
Conditions:
list net self always returns all Self IPs
Impact:
You are unable to filter the Self IP list using a regex pattern.
Fix:
You can now use pattern matching to list Self IPs.
713491-1 : IKEv1 logging shows spi of deleted SA with opposite endianness
Component: TMOS
Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).
Conditions:
When an SA is deleted.
Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.
Workaround:
There is no workaround at this time.
Fix:
The spi values are shown in the correct endianness now.
713282-3 : Remote logger violation_details field does not appear when virtual server has more than one remote logger
Component: Application Security Manager
Symptoms:
Remote logger violation_details field appears empty.
Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.
Impact:
Violation_details field appears empty in logs.
Workaround:
There is no workaround at this time.
Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.
713066-3 : Connection failure during DNS lookup to disabled nameserver can crash TMM
Solution Article: K10620131
Component: Global Traffic Manager (DNS)
Symptoms:
TMM restart as a result of a DNS lookup to disabled nameserver.
Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.
This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
Verify connectivity to nameserver.
As an alternative, refrain from using RESOLV::lookup in iRules.
Fix:
This issue is now fixed.
712924 : In VPE, the SecurID server list is not displayed in the SecurID authentication dialog
Component: Access Policy Manager
Symptoms:
In VPE, the SecurID server list is not displayed in the SecurID authentication dialog. The list displays only None.
Conditions:
Always, when adding a SecurID authentication action.
Impact:
Inability to (re)configure SecurID via VPE.
Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:
tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>
712876-4 : CVE-2017-8824: Kernel Vulnerability
Solution Article: K15526101
712857-1 : SWG-Explicit rejects large POST bodies during policy evaluation
Component: Access Policy Manager
Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.
The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048
Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.
Impact:
Unable to start an SWG-Explicit policy with a large POST body.
Workaround:
None.
Fix:
Now, you can resolve this issue by modifying db variable 'tmm.access.maxrequestbodysize' to use a value larger than the maximum request size you want to support.
712664-4 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, an IPv6 Neighbor Solicitation (NS) may be dropped if it corresponds to a host on the remote VLAN of a transparent vlangroup and matches a virtual address with the ARP setting disabled.
Conditions:
- transparent vlan-group
- Virtual Address with ARP disabled
- Virtual Address corresponds to remote IPv6 host address
Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.
Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.
Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.
712475-1 : DNS zones without servers will prevent DNS Express reading zone data
Solution Article: K56479945
Component: Local Traffic Manager
Symptoms:
DNS Express does not return dig requests.
Conditions:
DNS Express is configured with a zone that has no server.
Impact:
DNS Express does not return dig requests.
Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.
Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.
712464-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
Component: Local Traffic Manager
Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.
Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs is usually in the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.
Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.
Impact:
Clients cannot access the web server due to SSL handshake failure.
Workaround:
There is no workaround at this time.
Fix:
This fix excludes trusted CA certificates from hash algorithm selection. This may prevent the forged certificate from using the SHA1 hash algorithm.
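The selection rule described in this entry, modelled in Python as an added example (not F5's code) over a constructed certificate chain; the hash strength ranking, the chain contents and the fallback used when no candidate certificate remains are assumptions of this example:

```python
"""Model of hash-algorithm selection for a forged SSL Forward Proxy certificate.

Before the fix: the forged certificate is signed with the weakest hash found
among the server chain's certificates, excluding only the self-signed root.
After the fix: certificates that are trusted anchors (present in the proxy's
CA bundle) are excluded as well, so a SHA1-signed trusted intermediate no
longer drags the forged leaf down to SHA1.
"""
from dataclasses import dataclass

# Strength ranking, weakest first (assumption for this example).
HASH_RANK = {"sha1": 0, "sha256": 1, "sha384": 2, "sha512": 3}


@dataclass(frozen=True)
class ChainCert:
    subject: str
    sig_hash: str      # hash used in this certificate's own signature
    self_signed: bool


def select_forge_hash(chain, trusted_subjects, exclude_trusted):
    """Return the hash the forged certificate would be signed with.

    chain: list of ChainCert, leaf first.
    trusted_subjects: subjects present in the proxy's CA bundle.
    exclude_trusted: False models the pre-fix rule, True the post-fix rule.
    """
    # Self-signed certificates never take part in the selection.
    candidates = [c for c in chain if not c.self_signed]
    if exclude_trusted:
        candidates = [c for c in candidates if c.subject not in trusted_subjects]
    if not candidates:
        # The page does not state a fallback; assume a modern default.
        return "sha256"
    return min(candidates, key=lambda c: HASH_RANK[c.sig_hash]).sig_hash


# Constructed chain: a SHA256-signed leaf, a SHA1-signed intermediate that
# also sits in the CA bundle, and a self-signed SHA1 root.
CHAIN = [
    ChainCert("CN=www.example.test", "sha256", self_signed=False),
    ChainCert("CN=Example Intermediate CA", "sha1", self_signed=False),
    ChainCert("CN=Example Root CA", "sha1", self_signed=True),
]
TRUSTED = {"CN=Example Intermediate CA", "CN=Example Root CA"}

# Constructed variant whose leaf is itself SHA1-signed: the fix does not
# change the result here because the weak hash comes from the leaf.
WEAK_LEAF_CHAIN = [ChainCert("CN=legacy.example.test", "sha1", False)] + CHAIN[1:]


def client_accepts(forge_hash, weakest_accepted="sha256"):
    """Model a client that rejects anything weaker than weakest_accepted."""
    return HASH_RANK[forge_hash] >= HASH_RANK[weakest_accepted]


if __name__ == "__main__":
    for label, exclude in (("before fix", False), ("after fix", True)):
        h = select_forge_hash(CHAIN, TRUSTED, exclude)
        print(f"{label}: forged cert signed with {h}, client accepts: {client_accepts(h)}")
```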
712437-1 : Records containing hyphens (-) will prevent child zone from loading correctly
Solution Article: K20355559
Component: Local Traffic Manager
Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.
Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
myzone.com -- parent
foo.myzone.com -- child
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com
Impact:
DNS can not resolve records correctly.
Workaround:
None.
Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.
712362-1 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
Component: Application Security Manager
Symptoms:
When the WebSocket HTTP handshake response arrives without the 'Switching Protocols' reason phrase on the first line, ASM does not forward the subsequent WebSocket frames on that WebSocket connection.
The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.
Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.
Impact:
WebSocket frames stall.
Workaround:
#1 Change the backend server:
Change the WebSocket backend server to return a 101 response that includes the 'Switching Protocols' reason phrase:
HTTP/1.1 101 Switching Protocols
#2 Use an iRule:
when SERVER_CONNECTED {
    # Hold the first 15 bytes of the server response so the status line can be inspected.
    TCP::collect 15
}
when SERVER_DATA {
    # "HTTP/1.1 101 " is 13 bytes; an empty reason phrase is followed directly by CRLF.
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        # Replace the 13-byte prefix so the line reads "HTTP/1.1 101 Switching Protocols\r\n".
        TCP::payload replace 0 13 "HTTP/1.1 101 Switching Protocols"
    }
    # Release the collected data so the (possibly rewritten) response is forwarded to the client.
    TCP::release
}
Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.
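The fix above makes the point that the reason phrase is not what decides whether a WebSocket upgrade succeeded. As an added example (not F5 code), the following validates a handshake response the way RFC 6455 section 4.1 requires, by the 101 status code and the Upgrade, Connection and Sec-WebSocket-Accept headers, and contrasts it with a check keyed on the reason phrase. The sample responses are constructed; the key/accept pair is the one published in RFC 6455 section 1.3.

```python
"""Validate a WebSocket opening-handshake response by status code and
headers rather than by the reason phrase. Added example, not F5 code.
"""
import base64
import hashlib
import re
from typing import Dict, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 section 1.3

# RFC 7230 status-line: HTTP-version SP status-code SP reason-phrase.
# The reason-phrase may be empty, and some servers omit the SP before it
# as well, so the trailing group is optional.
STATUS_LINE = re.compile(r"^HTTP/(\d)\.(\d) (\d{3})(?: ([^\r\n]*))?$")


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)) (RFC 6455 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw: bytes) -> Tuple[int, str, Dict[str, str], bytes]:
    """Split a raw HTTP response into (status, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if m is None:
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(3)), m.group(4) or "", headers, body


def handshake_ok(raw: bytes, client_key: str) -> bool:
    """Accept the upgrade only on 101 plus the headers RFC 6455 4.1 requires."""
    status, _reason, headers, _body = parse_response(raw)
    if status != 101:
        return False
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False
    # The accept value must be derived from this client's key; anything else
    # means the server is not answering this handshake.
    return headers.get("sec-websocket-accept") == expected_accept(client_key)


def handshake_ok_by_reason(raw: bytes) -> bool:
    """The brittle check the release note describes: keyed on the reason phrase."""
    return parse_response(raw)[1] == "Switching Protocols"


CLIENT_KEY = "dGhlIHNhbXBsZSBub25jZQ=="      # RFC 6455 example key
ACCEPT = "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="     # its published accept value

# Constructed sample responses: with the reason phrase, with an empty one,
# and with an accept value that does not belong to CLIENT_KEY.
RESP_WITH_REASON = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: " + ACCEPT.encode("ascii") + b"\r\n\r\n"
)
RESP_EMPTY_REASON = RESP_WITH_REASON.replace(b" Switching Protocols", b" ", 1)
RESP_BAD_ACCEPT = RESP_EMPTY_REASON.replace(
    ACCEPT.encode("ascii"), b"AAAAAAAAAAAAAAAAAAAAAAAAAAA=", 1
)

if __name__ == "__main__":
    for label, resp in [("with reason", RESP_WITH_REASON),
                        ("empty reason", RESP_EMPTY_REASON),
                        ("bad accept", RESP_BAD_ACCEPT)]:
        print(f"{label}: headers-based={handshake_ok(resp, CLIENT_KEY)} "
              f"reason-based={handshake_ok_by_reason(resp)}")
```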
712336-3 : bd daemon restart loop
Component: Application Security Manager
Symptoms:
Continuous BD restarts after a period in which /var was full and then cleaned.
Conditions:
/var was full and then cleaned
Impact:
Continuous BD restarts
Workaround:
A) Make a spurious change in a policy and apply it.
OR
B) Restart ASM
712315-1 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
Component: Access Policy Manager
Symptoms:
In the VPE, LDAP and AD Group Resource Assign do not display Static ACLs when they are configured.
Conditions:
While attempting to assign Static ACLs via AD or LDAP Group Resource Assign (aka Group Mapping), Static ACLs are not displayed.
Impact:
Users are not able to assign Static ACLs with AD and LDAP Group Mapping via VPE.
Workaround:
Static ACLs are assignable with TMSH.
Fix:
Functionality is restored, and Static ACLs are displayed in AD and LDAP Group Resource Assign (aka Group Mapping). To assign them from TMSH instead, use:
tmsh modify apm policy agent resource-assign
711981-3 : BIG-IP system accepts larger-than-egress MTU, PMTU update
Component: Local Traffic Manager
Symptoms:
A Path MTU (PMTU) message can lead the BIG-IP system to falsely assume that the egress MTU on the related flow is larger than the interface egress MTU.
Conditions:
A valid PMTU message.
Impact:
The BIG-IP system sends messages larger than the configured interface egress MTU.
Workaround:
None.
Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.
711570-1 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
Component: Policy Enforcement Manager
Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names
Conditions:
PEM iRule using subscriber ID to get policy name.
Impact:
Subscriber policy names are not returned.
Workaround:
Use PEM::subscriber config policy get <IP address> instead.
Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.
711547 : Update cipher support for Common Criteria compliance
Component: TMOS
Symptoms:
Default cipher selection may not be compliant with Common Criteria requirements. Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Conditions:
Common Criteria mode active
Impact:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Workaround:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.
Fix:
Improved Common Criteria compliance in default cipher strings.
711281-3 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
711249-2 : NAS-IP-Address added to RADIUS packet unexpectedly
Component: TMOS
Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.
Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.
Impact:
Authentication does not work because the request carries an invalid/unrecognized NAS-IP-Address.
Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.
711093-2 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.
Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).
Impact:
PEM sessions remain in marked-for-delete state.
Workaround:
None.
Fix:
PEM sessions no longer stay in the marked-for-delete state after session deletion.
710857-4 : iControl requests may cause excessive resource usage
Solution Article: K64855220
710827-4 : TMUI dashboard daemon stability issue
Solution Article: K44603900
710755-2 : TMM crash when route information becomes stale and the system accesses stale information.
Component: Advanced Firewall Manager
Symptoms:
The crash happens intermittently when the route information becomes stale and the system accesses the stale information.
Conditions:
Route information is stale. This usually happens when a connection is waiting for a reply and, in the meantime, the route information (for either static or dynamic routes) becomes stale, e.g., because of a change in network-related configuration. If the connection still holds the old route information, accessing it can cause this crash.
Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now fetches the latest egress route/interface information before accessing it.
710705-3 : Multiple Wireshark vulnerabilities
Solution Article: K34035645
710602 : iCRD commands requiring 'root' user access fixed
Component: TMOS
Symptoms:
Some of the iCRD calls that run commands on the base operating system that require elevated permissions fail because iCRD was not correctly executing the commands in the right context.
Conditions:
Use an iCRD endpoint that requires elevated permissions to succeed.
Impact:
Only impacts iCRD endpoints which run commands that require root access.
Workaround:
There is no workaround at this time.
Fix:
This fix resolves this issue by running the commands with the correct user context.
710564-3 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
Component: Local Traffic Manager
Symptoms:
The DNS filter erroneously invalidates the response when the EDNS0 CSUBNET Scope Netmask is != 0.
Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.
Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.
Workaround:
There is no workaround at this time.
710424-3 : Possible SIGSEGV in GTMD when GTM persistence is enabled.
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart. The gtmd process reports a SIGSEGV when persistence is enabled.
As a result of this issue, you may encounter one or more of the following symptoms:
-- The gtmd process reports a SIGSEGV and produces a core file.
-- The gtmd process restarts, which prevents clients from receiving answers to requests.
Conditions:
This issue occurs when the following condition is met:
Persistence is enabled for the wide IP pools.
Impact:
The gtmd process may occasionally restart, which prevents clients from receiving answers to requests.
Workaround:
Disable persistence on wide IP pools.
Fix:
The gtmd process no longer crashes and restarts when persistence is enabled.
710355-1 : High CPU when using HTTP::collect for large chunked payloads
Component: Local Traffic Manager
Symptoms:
When collecting large amounts of chunked payload, approximately one million bytes, the processing to parse each chunk for the chunk headers and offsets results in high CPU utilization.
Conditions:
-- HTTP profile is attached to virtual server.
-- Server sends chunked response.
-- An iRule on the virtual server uses the HTTP::collect command to collect and parse large chunked payloads.
Impact:
High CPU utilization.
Workaround:
None.
710327-3 : Remote logger message is truncated at NULL character.
Component: Application Security Manager
Symptoms:
When a request that includes a binary NULL character is sent to a remote logger configured for ASM, the request arrives at the remote destination truncated exactly at the binary NULL character.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.
Impact:
Partial request is logged at the remote logger destination.
Workaround:
None.
Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.
710314-2 : TMM may crash while processing HTML traffic
Solution Article: K94105051
710277-2 : IKEv2 further child_sa validity checks
Component: TMOS
Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.
Conditions:
Rekeying a child_sa might core when a race condition allows that child_sa to be destroyed while it is still in use.
Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.
Workaround:
None.
Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.
710246-3 : DNS-Express was not sending out NOTIFY messages on VE
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).
Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.
Impact:
DNS secondary servers serving stale data.
Workaround:
There is no workaround at this time.
Fix:
DNS Express now sends out NOTIFY messages on VE.
710244-1 : Memory Leak of access policy execution objects
Solution Article: K27391542
710211 : Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
Component: Access Policy Manager
Symptoms:
Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. The system posts a message similar to the following:
Unable to execute transaction because of: 01071203:3: Caption (XYZ1) of the rule in macrocall (/Common/abc_macro) must be identical to the caption (XYZ2) of terminalout.
Conditions:
-- Using Access Policy.
-- Policy includes one or more macros.
-- There is a macrocall on one of the macros.
-- You attempt to add a new terminal to that macro.
Impact:
Cannot edit macro terminals.
Workaround:
None.
Fix:
Can now edit Terminals of Macro if one or more Macrocalls point to a given Macro.
710148-4 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
710028-4 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.
709972-4 : CVE-2017-12613: APR Vulnerability
Solution Article: K52319810
709688-5 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Solution Article: K08306700
709670-5 : iRule triggered from RADIUS occasionally fails to create subscribers.
Component: Policy Enforcement Manager
Symptoms:
The subscriber cannot be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).
Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.
Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.
Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.
709610-1 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
Component: Policy Enforcement Manager
Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.
Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
value "0"
}
sys db tmm.pem.session.provisioning.continuous {
value "disable"
}
-- Actions occur in the following order:
1. PEM receives RADIUS START with subscriber ID1 and IP1.
2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
3. PEM receives RADIUS START with subscriber ID1 and IP2.
4. PEM receives RADIUS STOP with subscriber ID1 and IP2.
-- The time interval between steps 1 and 2 is very small (less than ~1ms).
Impact:
Subscriber session creation via PEM may fail.
Workaround:
There is no workaround other than to leave the SysDB variables set to their default values.
Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.
709544-4 : VCMP guests in HA configuration become Active/Active during upgrade★
Component: TMOS
Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.
During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.
Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.
Impact:
When multiple devices become Active simultaneously, traffic is disrupted.
Workaround:
There is no workaround other than to remain in the Active/Active state until the upgrade is complete on all chassis in the DSC. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.
Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.
709334-2 : Memory leak when SSL Forward proxy is used and ssl re-negotiates
Component: Local Traffic Manager
Symptoms:
When looking at 'tmsh show sys memory', ssl_compat continues to grow and fails to release memory.
Conditions:
-SSL Forward Proxy In use
-SSL Re-negotiations happening
Impact:
Eventually memory reaper will kick in.
Workaround:
There is no workaround at this time.
Fix:
ssl_compat now properly releases connections on re-negotiation.
708956 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
Solution Article: K51206433
Component: TMOS
Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
Dataplane INOPERABLE - only 1 HSBes found on this platform.
Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.
Impact:
System does not come up.
Workaround:
Reboot system.
Because this condition only happens occasionally, rebooting typically corrects the issue.
Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.
708830-1 : Inbound or hairpin connections may get stuck consuming memory.
Component: Carrier-Grade NAT
Symptoms:
When inbound or hairpin connections require a remote Session DB lookup, and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They remain stuck in this state until they time out and expire. In this state, UDP connections queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets accumulate, consuming memory. If the memory consumption becomes excessive, connections may be killed and 'TCP: Memory pressure activated' and 'Aggressive mode activated' messages appear in the logs.
Conditions:
-- An LSN pool with inbound and/or hairpin connections enabled.
-- Lost Session DB messages due to heavy load or hardware failure.
-- Remote lookups are more likely when using PBA mode or NAPT mode with default DAG.
Impact:
Excessive memory consumption that leads to dropped connections.
Workaround:
There is no workaround at this time.
Fix:
When Session DB messages are lost, the connection is killed and any queued packets are discarded. If the client application resends packets, they are treated as new connections.
708653-3 : TMM may crash while processing TCP traffic
Solution Article: K07550539
708421-1 : DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
Solution Article: K52142743
Component: Global Traffic Manager (DNS)
Symptoms:
For certain types of iRules, using the DNS command DNS::question for type AAAA, when the DNS transparent cache is involved in the filter, the type can be reverted.
Conditions:
-- DNS transparent cache.
-- Using an iRule similar to the following:
when DNS_REQUEST {
DNS::question type AAAA
}
Impact:
When the packet goes to the pool, the type is reverted.
Workaround:
Enable gslb or dnsx on the profile.
708249-4 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
The nitrox_diag utility now uses the -s0 option to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
708114-3 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
Solution Article: K33319853
Component: Local Traffic Manager
Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.
Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.
708068-3 : Tcl commands like "HTTP::path -normalize" do not return normalized path.
Component: Local Traffic Manager
Symptoms:
When using HTTP::path with the -normalize parameter:
"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)
Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.
Impact:
Unexpected result.
Workaround:
There is no workaround.
Fix:
The TCL command HTTP::path -normalize now returns the normalized path.
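The unexpected '/foo/../bar' result above is what you get when dot-segment removal runs before percent-decoding. As an added example (not F5 code), the following applies the RFC 3986 order, decoding unreserved characters (section 6.2.2.2, which leaves %2F encoded) before removing dot segments (section 5.2.4), and keeps a wrong-order variant beside it to reproduce the reported output; the function names and sample paths are constructed.

```python
"""Percent-decoding-aware path normalization, contrasted with the order of
operations that produces '/foo/../bar'. Added example, not F5 code.
"""
import re
import string
from typing import List

# Characters that may be percent-decoded without changing path structure
# (RFC 3986 6.2.2.2). '/' is deliberately absent: %2F must stay encoded,
# otherwise decoding would create new segment boundaries.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_unreserved(path: str) -> str:
    """Decode %XX only for unreserved characters; upper-case the other escapes."""
    def repl(m: "re.Match") -> str:
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return PCT.sub(repl, path)


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 for an absolute path (must start with '/').

    '..' above the root is dropped rather than escaping the root.
    """
    if not path.startswith("/"):
        raise ValueError("absolute path expected")
    segments = path.split("/")[1:]
    stack: List[str] = []
    for seg in segments:
        if seg == "..":
            if stack:
                stack.pop()
        elif seg != ".":
            stack.append(seg)
    result = "/" + "/".join(stack)
    # A trailing '.' or '..' denotes a directory, so keep the trailing slash.
    if segments and segments[-1] in (".", "..") and not result.endswith("/"):
        result += "/"
    return result


def normalize_path(path: str) -> str:
    """Decode first, then remove dot segments, so %2E%2E cannot survive as '..'."""
    return remove_dot_segments(decode_unreserved(path))


def normalize_path_wrong_order(path: str) -> str:
    """Reproduces the reported behaviour: dot removal runs on still-encoded text."""
    return decode_unreserved(remove_dot_segments(path))


if __name__ == "__main__":
    for sample in ["/foo/../bar", "/foo/%2E%2E/bar", "/a%2Fb/../c", "/%7Euser/./%41"]:
        print(f"{sample:22} -> {normalize_path(sample):12} "
              f"(wrong order: {normalize_path_wrong_order(sample)})")
```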
708054-3 : Web Acceleration: TMM may crash on very large HTML files with conditional comments
Component: TMOS
Symptoms:
In some cases the Web Acceleration feature cannot handle a large HTML file that contains improper conditional comments. TMM may crash while processing such files if a Web Acceleration profile is attached to the VIP.
Conditions:
- HTML file with conditional comments inside:
<!--[if condition...]> ... <![endif]-->
- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.
Impact:
TMM crash interrupts all active sessions.
Workaround:
There is no workaround at this time.
Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.
707990-3 : Unexpected TMUI output in SSL Certificate Instance page
Solution Article: K41704442
707951 : Stalled mirrored flows on HA next-active when OneConnect is used.
Component: Local Traffic Manager
Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.
Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.
Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.
Workaround:
Disable OneConnect.
Fix:
Stalled mirrored flows no longer appear when OneConnect is used.
707888 : Some ASM operations delayed due to scheduled ASU update
Component: Application Security Manager
Symptoms:
Some ASM operations (such as Apply Policy) are delayed while a scheduled ASU update is in progress. This issue affects only 12.1.3.x from 12.1.3.2 and later.
Conditions:
A scheduled ASM update is in progress on systems running v12.1.3.x.
Impact:
Some ASM operations, such as Apply Policy, are delayed.
Workaround:
There is no workaround at this time.
Fix:
Other ASM operations are no longer blocked by scheduled ASU update.
707740-3 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
Component: TMOS
Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.
Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.
Impact:
Cannot delete the unused monitor.
Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only
You can now delete the monitor.
Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.
707675 : FQDN nodes or pool members flap when DNS response received
Component: Local Traffic Manager
Symptoms:
When an LTM pool is configured with FQDN nodes or pool members, the LTM pool and associated virtual server(s) may transition from an UP to DOWN state and back over a period of a few seconds.
Such an event is accompanied by log messages similar to the following:
-- notice mcpd[#]: 01071682:5: SNMP_TRAP: Virtual /Common/vs_test has become unavailable
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from GREEN to RED.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
-- err mcpd[#]: 01020066:3: The requested Pool Member (/Common/Test_Pool /Common/test-dummy.com-12.34.56.78 443) already exists in partition Common.
-- notice bigd[##]: 01060144:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 session status enabled by monitor
-- notice bigd[##]: 01060145:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 monitor status up. [ /Common/mon_test_https: UP ] [ was checking for 0hr:0min:2sec ]
-- notice mcpd[#]: 01071681:5: SNMP_TRAP: Virtual /Common/vs_test has become available
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from RED to GREEN.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.
This symptom repeats each time a DNS query is performed to resolve the FQDN node/pool-member name to its IP addresses, based on the 'interval' value configured for the FQDN node.
This symptom occurs only when the 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.
Conditions:
-- LTM pool is configured with FQDN nodes or pool members.
-- The 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.
Impact:
LTM pool and virtual server are briefly and periodically marked DOWN. Traffic may be impacted.
Workaround:
Either of the following methods can be used to work around this issue:
-- Configure static IP addresses instead of FQDN nodes/pool-members.
-- Set the 'autopopulate' value to 'disabled' for the FQDN node/pool-member, if possible (that is, if only one IP address is required/expected to be returned for the FQDN name, which means that the 'autopopulate' feature of FQDN nodes/pool-members is not required).
Fix:
FQDN node/pool-member and corresponding pool and virtual server are no longer briefly marked DOWN when the DNS server is queried to resolve the FQDN name, with the 'autopopulate' feature enabled for the FQDN node/pool-member. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
707509-3 : Initial vCMP guest creations can fail if certain hotfixes are used
Component: TMOS
Symptoms:
vCMP guest fails to enter the 'provisioned' or 'deployed' states and similar messages can be seen in /var/log/ltm:
-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255
Conditions:
Creating vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.
Impact:
vCMP guest cannot be created.
Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.
Fix:
Guest creation succeeds.
707447-2 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
Component: Local Traffic Manager
Symptoms:
The SSL SNI mechanism creates a hash containing a mapping between the SAN entries in a given profile's certificate and the profile. This hash is owned by the default SNI profile, but is held by the other profiles on the VIP without a reference. If a connection uses SNI to select a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If the connection then attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault if it has been reused in the meantime (i.e., its contents are invalid).
The fix: When the default SNI profile is initializing and the SSL handshake is searching for a SAN/COMMON cert from a non-default SNI profile, stop the search and return NULL.
Conditions:
SNI is configured with one default SNI profile and one or more non-default SNI profiles. The default SNI profile is changed and a renegotiation with SNI (selecting a non-default SNI profile) is issued.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.
707445 : Nitrox 3 compression hangs/unable to recover
Solution Article: K47025244
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
Fix:
Compression device reset recovery made more robust for some compression failures.
707391-4 : BGP may keep announcing routes after disabling route health injection
Component: TMOS
Symptoms:
As a result of a known issue, a BIG-IP system with BGP configured may continue to announce routes even after the virtual address is disabled or route announcement on the virtual address is disabled.
Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.
Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command), and the prefix continues to be announced to configured peers.
Workaround:
Restart the dynamic routing process.
Fix:
BGP no longer keeps announcing routes after route health injection is disabled.
707310-1 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records), the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.
Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.
Impact:
The DNSSEC signed zone transfer could be incomplete, that is, missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.
Workaround:
There is no workaround at this time.
Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.
707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Component: TMOS
Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, an attacker must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
707207-2 : iRuleLx returning undefined value may cause TMM restart
Component: Local Traffic Manager
Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where its jsonrpc v2.0 representation is missing required fields, such as "result".
Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.
Impact:
Traffic is interrupted.
Workaround:
There is no workaround at this time.
Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.
707147-2 : High CPU consumed by asm_config_server_rpc_handler_async.pl
Component: Application Security Manager
Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.
Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is encountered
Impact:
A process may consume high CPU even after the high traffic period is finished.
Workaround:
Kill asm_config_server.pl (this will not affect traffic).
Optionally, modify one of the following:
A) Change Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual
707003-2 : Unexpected syntax error in TMSH AVR
Component: TMOS
Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown
It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'
Conditions:
Whenever the affected tmsh command is run.
Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown
Workaround:
There is no workaround besides not running the affected command.
Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown
706845-1 : False positive illegal multipart violation
Component: Application Security Manager
Symptoms:
A false positive multipart violation.
Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.
Impact:
A false positive violation, request rejected.
Workaround:
This might be worked around using an iRule.
Fix:
Corrected ASM multipart parsing.
706642-3 : wamd may leak memory during configuration changes and cluster events
Component: WebAccelerator
Symptoms:
wamd memory consumption increases over time.
Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.
Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.
Workaround:
No workaround available.
Fix:
wamd no longer leaks memory during configuration changes and cluster events.
706631 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
Component: Local Traffic Manager
Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.
Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.
-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.
-- Common Criteria mode licensed and configured.
Impact:
A TLS connection succeeds which should fail.
Workaround:
There is no workaround at this time.
Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.
706521-6 : The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password
Solution Article: K21404407
Component: TMOS
Symptoms:
TACACS Shared Key is not encrypted in the DB key and is visible to admin and a read-only user.
Conditions:
Configure TACACS+ auditing forwarder.
Impact:
Exposes sensitive information.
Workaround:
None.
Fix:
The sensitive data is not exposed, and this issue is fixed.
706423-2 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
Component: TMOS
Symptoms:
TMM may discard an existing child-SA via timer at the moment it is in use for encryption or decryption. Separately, an error aborting negotiation can cause multiple timers to be associated with one child-SA, which fight one another.
Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.
A config with a short SA lifetime, causing frequent re-keying, makes it more likely to hit a race condition in which an SA expires while it is actively in use in crypto.
Impact:
TMM restarts, disrupting traffic and causing HA failover.
Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)
Fix:
Now we ensure only one timer can be associated with a child-SA while it progresses through negotiation, even if an error happens.
Now we also ensure a child-SA is safe during async crypto operations, even if it expires while currently in use.
706374-2 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
Component: Access Policy Manager
Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.
Workaround:
There is no workaround.
Fix:
Stability problems in DNS lookups in APM Kerberos SSO (S4U) have been corrected.
706354-1 : OPT-0045 optic unable to link
Component: TMOS
Symptoms:
The OPT-0045 optical transceiver when inserted into a 40G port does not function. The following error appears in /var/log/ltm:
Invalid module for bundle configuration of interface <portNumber>.0.
Conditions:
OPT-0045 in a 40G port.
Impact:
Optic does not work; interface does not come up.
Workaround:
None.
Fix:
This release supports the OPT-0045 optical transceiver.
706305-2 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
Component: TMOS
Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.
Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.
Impact:
The unit is unable to use BGP.
Workaround:
Disabling extended-asn-cap, or not announcing multiple overlapping aggregate addresses, may work around this issue.
Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled.
706128-1 : DNSSEC Signed Zone Transfers Can Leak Memory
Component: Global Traffic Manager (DNS)
Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.
For example:
tmsh show sys memory raw | grep dnssec
Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.
Impact:
TMM leaks memory related to the signed zone transfer.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer leaks DNSSEC zone transfer related memory.
706104-2 : Dynamically advertised route may flap
Component: TMOS
Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.
Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configured in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route
Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.
Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.
The problem will also be resolved by moving the route from tmsh into ZebOS.
- In imish config mode, "ip route <route> <gateway>"
- In tmsh, "delete net route <route>"
Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.
706102-3 : SMTP monitor does not handle all multi-line banner use cases
Component: Local Traffic Manager
Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.
Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.
Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.
Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.
Fix:
An SMTP monitor handles all use cases that include a multi-line banner.
706086-1 : PAM RADIUS authentication subsystem hardening
Solution Article: K62750376
705794-1 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
Component: Local Traffic Manager
Symptoms:
A HTTP/2 stream is getting overlooked when cleaning up a HTTP/2 flow.
Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.
705768-4 : The dynconfd process may core and restart with multiple DNS name servers configured
Component: Local Traffic Manager
Symptoms:
The dynconfd daemon may crash with a core and restart when processing a DNS query when there are multiple DNS name servers configured, or when the list of DNS name servers is changed.
Conditions:
This may occur rarely when FQDN nodes are configured and multiple DNS name servers are configured, including when a name server is added to or removed from the system DNS configuration while a DNS query is active.
Impact:
Resolution of FQDN names for FQDN nodes and pool members may be briefly interrupted while the dynconfd daemon restarts. This may cause a delay in propagation of DNS zone changes to the BIG-IP configuration.
Workaround:
This issue occurs rarely. There is currently no known workaround.
Fix:
The dynconfd process no longer cores and restarts with multiple DNS name servers configured.
705611-1 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
Component: Local Traffic Manager
Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.
Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.
Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Large configuration changes to the TMM involving an HTTP/2 profile no longer cause a TMM crash.
705503-1 : Context leaked from iRule DNS lookup
Component: Global Traffic Manager (DNS)
Symptoms:
The memory usage increases, and stats are inaccurate.
Conditions:
Call RESOLV::lookup from an iRule.
Impact:
Memory leak that accumulates over time and inaccurate stats.
Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.
Fix:
Memory leak no longer occurs.
705476-4 : Appliance Mode does not follow design best practices
Solution Article: K28003839
705112-1 : DHCP server flows are not re-established after expiration
Component: Local Traffic Manager
Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.
Conditions:
- More than one DHCP server is configured for a DHCP virtual.
- Server flows time out after 60 seconds.
Impact:
DHCP server traffic not load balanced.
Workaround:
None.
Fix:
New logic to re-establish server flows is introduced to ensure a relay agent has all DHCP servers connected.
705037-3 : System may exhibit duplicate if_index, which in some cases leads to nsm daemon restart
Solution Article: K32332000
Component: TMOS
Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.
Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.
Impact:
-- Unreliable or confusing statistics via SNMP polling.
-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.
Workaround:
None.
Fix:
System no longer exhibits duplicate if_index statistics.
704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
Component: TMOS
Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.
Conditions:
This applies to remote authentication for the control plane, not APM.
Impact:
Login may be impacted.
Workaround:
There is no workaround at this time.
Fix:
NAS-IP-Address Attribute is now set correctly when the BIG-IP system is configured to use RADIUS authentication.
704733-2 : NAS-IP-Address is sent with the bytes in reverse order
Component: TMOS
Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).
Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.
Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.
Workaround:
There is no workaround at this time.
Fix:
This has been corrected.
704666-2 : memory corruption can occur when using certain certificates
Component: Local Traffic Manager
Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.
Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.
Impact:
TMM could crash.
Workaround:
Do not use certificates with extremely long common names.
Fix:
A length check has been added to avoid corruption when using extremely long common names.
704580-3 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
Solution Article: K05018525
704524-2 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
Component: Access Policy Manager
Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, the DNS server truncates UDP responses that are greater than 512 bytes, causing the DNS request to be re-sent over a TCP connection. This results in unnecessary round trips in order to resolve DNS SRV queries.
Conditions:
APM users using Kerberos SSO to access backend resources.
Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.
Workaround:
There is no workaround at this time.
Fix:
Kerberos DNS SRV requests now support EDNS0 so that UDP responses greater than 512 bytes can be received correctly, eliminating delays caused by TCP retransmission.
704490 : CVE-2017-5754 (Meltdown)
Solution Article: K91229003
704483 : CVE-2017-5753 (Spectre Variant 1)
Solution Article: K91229003
704450-2 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
Component: Local Traffic Manager
Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').
Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.
Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.
Workaround:
Reduce the load on the system.
Fix:
'bigd' no longer crashes, and runs with a complete configuration when (re-)starting, when the BIG-IP system is under heavy load that results in 'mcpd' delaying its configuration of 'bigd'.
704449-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition
Component: TMOS
Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.
An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:
/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh
If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.
Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.
Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.
Workaround:
There are several workarounds for this issue:
-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Kill orphaned tmsh processes.
Fix:
tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.
704381-3 : SSL/TLS handshake failures and terminations are logged at too low a level
Component: Local Traffic Manager
Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low a level (INFO).
Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.
Impact:
Sometimes other errors are produced whose cause is an SSL/TLS handshake failure, but this failure is not being logged.
Workaround:
There is no workaround.
Fix:
SSL/TLS handshake failures and terminations are now logged at a higher level (WARNING).
704336-3 : Updated third-party device cert is not copied correctly to trusted certificate store
Component: TMOS
Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.
Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.
Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.
Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.
Fix:
The fix now adds all intermediate and root certificates, along with the device certificate, to the Trusted Server and Trusted Device certificate bundles.
704282-3 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
Component: TMOS
Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.
Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.
For this to happen, the fair share rate of the instance of dynamic policy has to be less than 32 times the average packet size of the instance of policy.
For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
F5 does not recommend running the BWC under 64Kbps.
Either decrease the number of subscribers or increase the max-rate of dynamic policy.
Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.
704247-3 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
Component: TMOS
Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.
Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.
Impact:
Installation attempt of the remaining image(s) might fail.
Workaround:
Restart the lind process, so the installation can continue.
Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted.
704198-1 : Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
Solution Article: K29403988
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.
Conditions:
Modify the monitor for GTM objects using tmsh with replace-all-with.
Impact:
There is a leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.
Workaround:
Impact of workaround: Might change the primary slot.
Restart services using the following command:
# bigstart restart
704184-3 : APM Mac client creates files with owner-only read/write permissions
Solution Article: K52171282
704143-2 : BD memory leak
Component: Application Security Manager
Symptoms:
A BD memory leak.
Conditions:
WebSocket traffic with a specific configuration.
Impact:
Resident memory increases, and swap is used.
Workaround:
Make sure the WebSocket violations are not due to a bad WebSocket URL configuration, that they are turned on in Learn/Alarm or Block, and that there is a local logger configured and attached.
704073-3 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
Solution Article: K24233427
Component: Local Traffic Manager
Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.
Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.
Impact:
Log pollution and potential for performance degradation.
Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent
Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.
703984-2 : Machine Cert agent improperly matches hostname with CN and SAN
Component: Access Policy Manager
Symptoms:
The MacOS Machine certificate agent matches the configured hostname against the actual hostname using a prefix (partial string) match.
Conditions:
MacOS APM client using Machine Certificate Check agent.
Impact:
Hostname match may be incorrect in these cases.
Workaround:
There is no workaround at this time.
Fix:
The MacOS machine certificate check agent now matches on the whole host string rather than a sub string.
703940-3 : Malformed HTTP/2 frame consumes excessive system resources
Solution Article: K45611803
703914-1 : TMM SIGSEGV crash in poolmbr_conn_dec.
Component: Local Traffic Manager
Symptoms:
TMM cores in poolmbr_conn_dec function.
Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.
Impact:
TMM core, traffic interruption, possible failover.
Workaround:
Do not use LB::reselect, or disable request queueing on the pool associated with the VS.
Fix:
TMM correctly handles LB::reselect on virtual servers with pools using request queueing.
703869-1 : Waagent updated to 2.2.21
Component: TMOS
Symptoms:
Microsoft updates waagent via an open-source process, but that version is not compatible with BIG-IP software, so waagent cannot be upgraded outside of BIG-IP releases. Without this update, Microsoft will not support older releases of BIG-IP systems in their environment.
Conditions:
Using Microsoft Azure.
Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.
Workaround:
None.
Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.
703835-4 : When using SCP into BIG-IP systems, you must specify the target filename
Solution Article: K82814400
703793-1 : tmm restarts when using 'ACCESS::perflow get' in certain events
Component: Access Policy Manager
Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.
Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.
703761-1 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode
Component: TMOS
Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.
Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.
Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.
Workaround:
There is no workaround at this time.
Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.
703580 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
Component: Local Traffic Manager
Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)
Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.
Impact:
TLS1.1 handshake fails on the guest.
Workaround:
Use the same software version on the vCMP host and vCMP guests.
Fix:
TLS1.1 handshake no longer fails running v12.x/v13.x vCMP guest with earlier BIG-IP software version on vCMP host.
703515-5 : MRF SIP LB - Message corruption when using custom persistence key
Solution Article: K44933323
Component: Service Provider
Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.
Conditions:
Custom persistence key is not a multiple of 3 bytes
Impact:
The SIP request message may be corrupted when the via header is inserted.
Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.
Fix:
All persistence key lengths work as expected.
703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
Component: Access Policy Manager
Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.
Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.
Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.
Workaround:
None.
Fix:
System now provides valid data to Citrix Receiver for Android client.
702946-2 : Added option to reset staging period for signatures
Component: Application Security Manager
Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.
Conditions:
Staging enabled for signatures in policy.
Impact:
The system suggests enforcing the signature before any traffic has had a chance to influence that decision.
Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.
Note: Apply policy is required between actions.
Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.
702873-3 : Windows Logon Integration feature may cause Windows logon screen freeze
Component: Access Policy Manager
Symptoms:
Windows Logon Integration feature might cause a Microsoft Windows logon screen freeze, making Windows OS unresponsive to any client end user actions.
Conditions:
-- Client user putting laptop into sleep mode and waking it up multiple times.
-- Possibly, only Windows 10 is affected.
Impact:
Logon screen may hang, not allowing client user to type in credentials.
Workaround:
Reinstall EdgeClient without the Windows Logon Integration Feature.
Fix:
Previously, the Windows Logon Integration feature sometimes caused the Windows Logon screen to freeze. Now, this issue has been fixed.
As a side effect of the fix, the Logon screen now shows duplicates of the pre-logon VPN entries, which might be confusing for client users. One duplicate comes from the Microsoft Credentials Provider. For information on how to disable the default Microsoft Credentials Provider, see the Microsoft TechNet thread "How to disable additional credential providers": https://social.technet.microsoft.com/Forums/windows/en-US/9c23976a-3e2b-4b71-9f19-83ee3df0848b/how-to-disable-additional-credential-providers.
702738 : Tmm might crash activating new blob when changing firewall rules
Solution Article: K32181540
Component: Advanced Firewall Manager
Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.
Conditions:
Updating, removing, or adding firewall rules.
Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.
Impact:
Data traffic processing stops.
Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (that is, with on-demand-compilation enabled).
Option B
Modify all the rules simultaneously.
For example, the following steps will resolve this issue:
1. Enable on-demand-compilation.
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }
4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.
Fix:
TMM no longer crashes when changing firewall rules.
702490-4 : Windows Credential Reuse feature may not work
Component: Access Policy Manager
Symptoms:
The Windows Credential Reuse feature may not work, requiring the EdgeClient end user to enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).
The logterminal.txt file contains messages similar to the following:
<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted
Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.
Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.
Workaround:
There is no workaround at this time.
Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.
702487-1 : AD/LDAP admins with spaces in names are not supported
Component: Access Policy Manager
Symptoms:
If admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail, and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.
Note: Names containing spaces are not supported on BIG-IP systems.
Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.
Impact:
VPE, import/export/copy/delete do not work.
Workaround:
There is no workaround other than to not use admin names containing spaces.
Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.
702472-4 : Appliance Mode Security Hardening
Solution Article: K87659521
702469-4 : Appliance mode hardening in scp
Solution Article: K73522927
702457-3 : DNS Cache connections remain open indefinitely
Component: Global Traffic Manager (DNS)
Symptoms:
Resizing or clearing the DNS cache while a lot of traffic is running can cause numerous connections to remain open indefinitely, and tmm may crash.
Conditions:
Resizing or clearing the DNS cache while it has resolutions in progress.
Impact:
Connections remain open forever, using up memory.
Workaround:
If you are encountering this, you can remove these connections by restarting tmm:
tmsh restart sys service tmm
Impact of workaround: Traffic disrupted while tmm restarts.
Fix:
Fixed an issue where the DNS Cache kept connections open indefinitely when clearing or resizing a cache with active resolutions occurring.
702450-4 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect
Component: Local Traffic Manager
Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:
# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.
The referenced object is not a "policy action" in this case, but is a virtual server.
Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.
Impact:
The error message may be confusing, because it names the wrong object type.
Workaround:
There is no workaround at this time.
Fix:
Made the error message accurately reflect what the user was attempting to delete.
702278-3 : Potential XSS security exposure on APM logon page.
Component: Access Policy Manager
Symptoms:
Potential XSS security exposure on APM logon page.
Conditions:
-- An LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.
Impact:
Potential XSS security exposure.
Workaround:
1. Using the APM Advanced Customization UI, remove the setOrigUriLink(); call from the following JavaScript function in logon.inc (the OnLoad() function, which begins at line 369 of the file):
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }
    setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
    setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
    // ===> REMOVE THIS LINE: setOrigUriLink();
    // (the rest of the function is unchanged)
Fix:
Potential security exposure has been removed from APM logon page.
702151-2 : HTTP/2 can garble large headers
Component: Local Traffic Manager
Symptoms:
The HTTP/2 filter may incorrectly encode large headers.
Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.
Impact:
The garbled header may no longer conform to the HPACK specification, causing the connection to be dropped. Alternatively, the garbled header may be well formed but contain incorrect data.
Fix:
The HTTP/2 filter correctly encodes large HTTP headers.
701900 : DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
Solution Article: K55938217
Component: TMOS
Symptoms:
DHCP-configured domain-name-servers (DNS) unavailable after reboot when there are more than two domain-name-servers in the lease.
Conditions:
- DHCP is enabled on the mgmt interface.
- DHCP server provides more than 2 domain-name-servers in its lease.
Impact:
Name resolution on mgmt interface fails due to misconfiguration in DNS information for mgmt interface.
Workaround:
No workaround at this time.
Fix:
This release corrects the handling of multiple DNS name-servers.
701856-2 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
Component: Application Security Manager
Symptoms:
In rare circumstances, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.
Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).
Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.
Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl
Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.
701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
Component: Application Security Manager
Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz, is saved unnecessarily during UCS file save, and consumes /var disk space.
Conditions:
UCS file is saved.
Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.
Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.gz.
Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.
701785-3 : Linux kernel vulnerability: CVE-2017-18017
Solution Article: K18352029
701680-1 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
Component: Service Provider
Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.
Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate limiting is applied.
Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.
Workaround:
There is no workaround at this time.
Fix:
MBLB rate-limited virtual server now correctly sends packets to the server.
701678-1 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
Component: Local Traffic Manager
Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.
Conditions:
-- Virtual server configured with a rate limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.
Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.
Workaround:
None.
Fix:
UDP rate-limited virtual server now correctly sends packets to the server.
701626-1 : GUI resets custom Certificate Key Chain in child client SSL profile
Solution Article: K16465222
Component: TMOS
Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).
Conditions:
This happens in the following scenario:
1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.
Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.
Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This sets the value of inherit-certkeychain to false, preventing the issue from occurring.
You can also use tmsh to update parent profile settings to avoid the occurrence of this issue.
Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.
701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled
Component: Local Traffic Manager
Symptoms:
Within an LTM pool containing both FQDN members and members configured with static IP addresses, a statically-configured member that had been disabled (session = user-disabled) and then re-enabled (session = user-enabled) may become disabled again after other changes affect the state of FQDN members of the pool.
Conditions:
This may occur under the following conditions:
- An LTM pool containing a mix of FQDN and statically-configured members.
- A statically-configured pool member is disabled (session = user-disabled) and then re-enabled (session = user-enabled).
- Other changes occur which affect the availability of FQDN pool members.
For example, if a route to an FQDN pool member is deleted and recreated, a previously-disabled statically-configured member may revert to a disabled state.
Depending on circumstances, the issue may only occur once after BIG-IP, TMM, bigd, or a related daemon restarts.
Impact:
A pool member may be unexpectedly disabled after being re-enabled, and thus would not receive traffic.
Workaround:
It may be possible to work around this issue by disabling and re-enabling the statically-configured pool member again.
Fix:
Statically-configured pool members of a pool that also contains FQDN members remain enabled after being manually disabled then re-enabled. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
701538-1 : SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
Component: Local Traffic Manager
Symptoms:
The SSL handshake fails if the client initiates the handshake with TLS False Start (specifically, the client sends SSL application data before the server has sent its ChangeCipherSpec (CCS) and Finished messages).
Conditions:
1. Client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is the default for non-Virtual Edition (VE) platforms).
Impact:
The BIG-IP system sends the RST to tear down the connection in TLS false start.
Workaround:
There are no true workarounds. You must disable one of the conditions to work around the issue:
-- Disable TLS False Start. (Note: this might not be feasible because it needs to be done on all clients.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not attempt TLS False Start, while still being able to use (EC)DHE.
Fix:
The system no longer processes application data before verifying that the finished message arrives and handshake is complete.
701359-2 : BIND vulnerability CVE-2017-3145
Solution Article: K08613310
701327-1 : failed configuration deletion may cause unwanted bd exit
Component: Application Security Manager
Symptoms:
Immediately after the deletion of a configuration fails, bd exits.
Conditions:
When deleting a configuration fails.
Impact:
Unwanted bd restart.
Workaround:
None.
Fix:
bd will exit upon a failed configuration only when configured to exit on failure.
701253-3 : TMM core when using MPTCP
Solution Article: K16248201
701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
Component: TMOS
Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.
The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.
Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.
Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.
Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.
Workaround:
There is no workaround.
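One way to spot the behaviour above from the RADIUS server side, as an added example that is not F5 code: parse an Access-Request and flag a NAS-IP-Address of 127.0.0.1 (the expected management address, the sample packets and the builder function are constructed for the example).

```python
# Added example (not F5 code): parse a RADIUS Access-Request and flag the
# NAS-IP-Address value described in bug 701249-2 (127.0.0.1 instead of the
# BIG-IP management address). Attribute layout follows RFC 2865.
import socket
import struct
from typing import Dict, List, Tuple

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4  # RFC 2865 section 5.4


def parse_radius(packet: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Return (code, identifier, [(attr_type, value), ...]) for a RADIUS packet.

    Length fields are validated instead of trusted, so a malformed packet
    raises ValueError rather than producing garbage attributes.
    """
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 bytes minimum")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"bad RADIUS length field {length}")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def nas_ip_findings(packet: bytes, expected_mgmt_ip: str) -> Dict[str, object]:
    """Report the NAS-IP-Address of an Access-Request and any mismatch."""
    code, ident, attrs = parse_radius(packet)
    result: Dict[str, object] = {"code": code, "id": ident, "nas_ip": None, "issue": None}
    if code != RADIUS_ACCESS_REQUEST:
        return result
    nas_values = [v for t, v in attrs if t == ATTR_NAS_IP_ADDRESS and len(v) == 4]
    if not nas_values:
        result["issue"] = "NAS-IP-Address attribute missing"
        return result
    nas_ip = socket.inet_ntoa(nas_values[0])
    result["nas_ip"] = nas_ip
    if nas_ip == "127.0.0.1":
        result["issue"] = "NAS-IP-Address is loopback (bug 701249-2 behaviour)"
    elif nas_ip != expected_mgmt_ip:
        result["issue"] = f"NAS-IP-Address {nas_ip} != expected {expected_mgmt_ip}"
    return result


def build_access_request(ident: int, user: str, nas_ip: str) -> bytes:
    """Constructed sample packet (authenticator zeroed, no password attribute)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([ATTR_NAS_IP_ADDRESS, 6]) + socket.inet_aton(nas_ip)
    length = 20 + len(attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, length) + bytes(16) + attrs


if __name__ == "__main__":
    MGMT_IP = "192.0.2.10"  # placeholder management address for the example
    affected = build_access_request(7, "admin", "127.0.0.1")  # what the bug sends
    expected = build_access_request(8, "admin", MGMT_IP)      # what it should send
    for pkt in (affected, expected):
        print(nas_ip_findings(pkt, MGMT_IP))
```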
701202-1 : SSL memory corruption
Solution Article: K35023432
Component: Local Traffic Manager
Symptoms:
In some instances, random memory can be corrupted, causing a TMM core.
Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.
Impact:
TMM crash, disrupting traffic.
Workaround:
There is no workaround at this time.
Fix:
The memory corruption issue has been fixed.
701039 : Requests do not appear in local logging due to rare file descriptor exhaustion
Component: Application Security Manager
Symptoms:
In an extremely rare circumstance, requests do not appear in local logging due to file descriptor exhaustion in asmlogd.
Conditions:
-- ASM configured.
-- ASM policy with an associated 'Log all requests' logging profile.
-- Requests sent to virtual server.
-- View Request Log.
Impact:
Requests do not appear in local logging.
Workaround:
Restart ASM, or pkill -f asmlogd.
Fix:
Requests appear in local logging correctly.
700889-2 : Software syncookies without TCP TS improperly include TCP options that are not encoded
Solution Article: K07330445
Component: Local Traffic Manager
Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.
Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.
Impact:
In one known case, the client was Windows 7, which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not use WS in this case, and uses the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.
Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.
Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.
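A toy model of the option mismatch above and of the fixed dependency, added here as an example and not F5's implementation: with no timestamp option there is nowhere to carry the cookie state, so the fixed responder stops advertising WS and SACK in the SYN/ACK instead of leaving the two ends disagreeing (the encoding of the option state is constructed for the example).

```python
# Added example (not F5 code): a toy model of software SYN-cookie option
# handling, showing the mismatch from bug 700889-2 and the fixed dependency.
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class SynOptions:
    timestamps: bool        # client offered the TCP timestamp option
    wscale: Optional[int]   # client's window-scale shift, or None if absent
    sack_ok: bool           # client offered SACK-permitted


@dataclass(frozen=True)
class SynAckOptions:
    advertised: Set[str]            # what the SYN/ACK tells the client was accepted
    ts_ecr_encoded: Optional[int]   # cookie state carried in the TS field, if any


def encode_state(wscale: Optional[int], sack_ok: bool) -> int:
    # Constructed encoding: low 4 bits = wscale shift + 1 (0 means no WS), bit 4 = SACK.
    ws_bits = 0 if wscale is None else (wscale + 1)
    return ws_bits | (int(sack_ok) << 4)


def decode_state(ts_value: int) -> Set[str]:
    enabled: Set[str] = set()
    if ts_value & 0x0F:
        enabled.add("wscale")
    if ts_value & 0x10:
        enabled.add("sack_ok")
    return enabled


def build_syn_ack(syn: SynOptions, fixed: bool) -> SynAckOptions:
    """Buggy behaviour: advertise WS/SACK regardless of the timestamp option.
    Fixed behaviour: only advertise them when a timestamp can carry the state."""
    wants: Set[str] = set()
    if syn.wscale is not None:
        wants.add("wscale")
    if syn.sack_ok:
        wants.add("sack_ok")
    if syn.timestamps:
        return SynAckOptions(wants, encode_state(syn.wscale, syn.sack_ok))
    if fixed:
        return SynAckOptions(set(), None)   # nothing can be encoded, so advertise nothing
    return SynAckOptions(wants, None)       # bug: client believes the options are on


def server_state_on_final_ack(synack: SynAckOptions, ack_has_ts: bool) -> Set[str]:
    """On the 3WHS ACK the server holds no per-connection state; it can only
    recover the negotiated options from the echoed timestamp (TSecr)."""
    if ack_has_ts and synack.ts_ecr_encoded is not None:
        return decode_state(synack.ts_ecr_encoded)
    return set()


def option_mismatch(syn: SynOptions, fixed: bool) -> Set[str]:
    """Options the client believes are enabled but the server does not."""
    synack = build_syn_ack(syn, fixed)
    client_view = synack.advertised
    server_view = server_state_on_final_ack(synack, syn.timestamps)
    return client_view - server_view


if __name__ == "__main__":
    no_ts = SynOptions(timestamps=False, wscale=7, sack_ok=True)   # the Windows 7 case
    print("buggy, no TS:", option_mismatch(no_ts, fixed=False))   # {'wscale', 'sack_ok'}
    print("fixed, no TS:", option_mismatch(no_ts, fixed=True))    # set()
    with_ts = SynOptions(timestamps=True, wscale=7, sack_ok=True)
    print("buggy, TS:   ", option_mismatch(with_ts, fixed=False))  # set()
```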
700862-2 : tmm SIGFPE 'valid node'
Solution Article: K15130240
Component: Local Traffic Manager
Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.
Conditions:
The host is unreachable.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when the host is unreachable.
700827-2 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.
For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is 2, because a sorted list of the ports looks like 2, 4, 6, 8... 32002, 32004: it is 'striding' over the odd ports, hence a port stride of 2.
Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.
Workaround:
Randomize source ports when connecting via a BIG-IP system.
Fix:
This release introduces a new variable you can use to mitigate the issue:
mhdag.pu.table.size.multiplier
1. Set the variable to 2 or 3 on the host.
2. Restart tmm on all blades.
3. Restart tmm on the host.
4. Restart tmm on all guests.
Note: Restarting tmm on the guests only does nothing; restarting on the host only means that the guests still use old DAG settings and have high inter-TMM forwarding traffic, resulting in a worse condition than originally experienced.
Behavior Change:
This release introduces a new variable to mitigate this issue:
mhdag.pu.table.size.multiplier.
You must set the variable to 2 or 3 on the host, and then restart tmm on all host blades and then all guests to mitigate the issue.
700812-2 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
Component: Application Security Manager
Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.
Conditions:
Try to deploy a qkview on a BIG-IP system using the asmrepro tool while the BIG-IP system has a four-element version such as 13.1.0.1.
Impact:
Cannot deploy a qkview on a BIG-IP system with a four-element version using the asmrepro tool.
Workaround:
n/a
Fix:
asmrepro now handles the version number properly.
700783-3 : Machine certificate check does not check against all FQDN hostnames
Component: Access Policy Manager
Symptoms:
macOS machine can be on multiple networks simultaneously, so it might have multiple hostnames. Machine certificate check does not check against all FQDN hostnames. This causes failure in certain scenarios.
Conditions:
-- macOS configuration with multiple hostnames.
-- The 'match FQDN with subject alt name' option is specified for machine certificate check.
Impact:
Machine cert check might fail.
Workaround:
No workaround at this time.
Fix:
Previously, with a macOS system that had multiple hostnames, the machine certificate check could not check against all hostnames, causing failures in some scenarios. Now, the machine certificate check compares all hostnames on macOS devices.
700780-4 : F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
Component: Access Policy Manager
Symptoms:
The F5 DNS Relay Proxy service does not support DNS-over-TCP requests, so if, in some configuration, the client resolver decides to use TCP for DNS resolution, that packet is not re-routed/proxied by the DNS Relay Proxy service, and DNS may be resolved by an incorrect DNS server (whichever one the system decides to send it to).
Typically, if a client receives a DNS response with the TC flag set, it retries using TCP. Clearing the TC flag prevents the client resolver from using TCP at all, preventing DNS packet leakage.
Conditions:
-- DNS server responds with TC flag set in DNS response packet.
-- Only Windows is affected.
Impact:
DNS resolution may not work as designed, as the system might send a packet to an incorrect DNS server.
Workaround:
None.
Fix:
Now F5 DNS Relay Proxy service clears TC flag in all proxied packets, preventing client DNS resolvers from using TCP. An appropriate log entry is printed into the service's log.
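The TC-clearing behaviour described above, as an added example that is not F5 code: a small filter that rewrites the TC bit in the DNS header of a proxied response and records a log line, leaving queries and malformed packets untouched (the sample response and the log list are constructed for the example).

```python
# Added example (not F5 code): model of the DNS Relay Proxy fix in 700780-4.
# Clears the TC (truncated) bit in a proxied DNS response and records a log line.
import struct
from typing import List

DNS_FLAG_QR = 0x8000   # RFC 1035 header: response bit
DNS_FLAG_TC = 0x0200   # RFC 1035 header: truncated bit
DNS_HEADER_LEN = 12


def is_truncated(packet: bytes) -> bool:
    """True when the packet is long enough to be DNS and has TC set."""
    if len(packet) < DNS_HEADER_LEN:
        return False
    flags = struct.unpack("!H", packet[2:4])[0]
    return bool(flags & DNS_FLAG_TC)


def clear_tc_flag(packet: bytes, log: List[str]) -> bytes:
    """Return the packet with TC cleared if it is a truncated response.

    Queries, responses without TC, and packets shorter than a DNS header are
    returned unchanged so a malformed datagram is never rewritten.
    """
    if len(packet) < DNS_HEADER_LEN:
        log.append("dns-relay: datagram shorter than DNS header, left unchanged")
        return packet
    txid, flags = struct.unpack("!HH", packet[:4])
    if not (flags & DNS_FLAG_QR) or not (flags & DNS_FLAG_TC):
        return packet
    log.append(f"dns-relay: clearing TC flag on response id=0x{txid:04x} "
               "to keep the client resolver on UDP")
    new_flags = flags & ~DNS_FLAG_TC & 0xFFFF
    return packet[:2] + struct.pack("!H", new_flags) + packet[4:]


def build_response(txid: int, truncated: bool) -> bytes:
    """Constructed sample: a response header (RD, RA set) with one question and no RRs."""
    flags = DNS_FLAG_QR | 0x0100 | 0x0080 | (DNS_FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # A, IN
    return header + question


if __name__ == "__main__":
    log: List[str] = []
    rewritten = clear_tc_flag(build_response(0x1234, truncated=True), log)
    print("TC after relay:", is_truncated(rewritten))  # False
    print("\n".join(log))
```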
700757-2 : vcmpd may crash when it is exiting
Component: TMOS
Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:
err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create
It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:
umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy
Conditions:
vCMP must be in use.
Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.
Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:
tmsh restart sys service vcmpd
Fix:
Prevented vcmpd from crashing when exiting.
700726-1 : Search engine list updated, and handling of multiple matching entries fixed
Component: Application Security Manager
Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily. Part of the issue is that when adding custom search engines, there may be multiple search engines which match the User-Agent header, and this causes the match to fail.
Conditions:
Site accessed by search engines.
Impact:
Traffic from search engines is blocked unnecessarily.
Workaround:
Manually add search engines.
Fix:
Search engine list has been updated to reflect current common search engine usage. Also, this version removes the check of multiple search engines, so that now when multiple Search Engines are matched, the Search Engine bypasses the challenges.
700696-2 : SSID does not cache fragmented Client Certificates correctly via iRule
Component: Local Traffic Manager
Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.
Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.
Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.
Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.
Fix:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature to properly cache very large-size client certificates (typically exceeding 16,384 bytes).
700571-2 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE
Component: Service Provider
Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.
Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL.
Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. The INVITE is only cancelled on the calling side, while on the called side, the line rings until it times out.
Workaround:
None.
Fix:
The branch parameter value calculation now remains consistent throughout the connection.
700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
Component: Application Security Manager
Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.
Note: In order to view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug', enable 'device discovery' on Chrome on the desktop, and view the console from there.
Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.
Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.
The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extensions. However, Chrome on Android/iOS does not support 'chrome-extension'.
Workaround:
Disable Device ID in ASM policy.
Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.
700556-2 : TMM may crash when processing WebSockets data
Solution Article: K11718033
700527-1 : cmp-hash change can cause repeated iRule DNS-lookup hang
Component: Global Traffic Manager (DNS)
Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.
Conditions:
-- iRule is in the middle of a call to RESOLV::lookup.
-- A change is made to VLAN cmp-hash configuration.
Impact:
The iRule call can hang repeatedly.
Workaround:
Restart the TMM. This will interrupt client traffic while TMM restarts.
Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls on that TMM no longer hang.
700433-2 : Memory leak when attaching an LTM policy to a virtual server
Solution Article: K10870739
Component: Local Traffic Manager
Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.
As a result of this issue, you may encounter one or more of the following symptoms:
-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.
-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.
Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.
Workaround:
None.
Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.
700393-2 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
Solution Article: K53464344
Component: Local Traffic Manager
Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.
Conditions:
HTTP/2 profile in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.
700386-1 : mcpd may dump core on startup
Component: TMOS
Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.
Conditions:
This can happen only at startup.
Impact:
mcpd restarts, but resumes normal operation.
Workaround:
None.
Fix:
mcpd no longer generates a core on startup.
700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.
Component: Application Security Manager
Symptoms:
Request is blocked by an ASM policy, but the ASM end user does not see the blocking page with a unique support id for the blocked request.
Conditions:
1. ASM policy Asynchronous JavaScript and XML (AJAX) blocking page enabled.
2. ASM policy is working in blocking mode.
3. ASM policy attached to a virtual server.
4. AJAX request has been sent and blocked.
Impact:
ASM end user has no visual indication that there has been a blocked AJAX request.
Workaround:
None.
Fix:
The system now handles AJAX requests sent via the jQuery framework.
700315-3 : Ctrl+C does not terminate TShark
Solution Article: K26130444
Component: TMOS
Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.
Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.
Impact:
TShark does not exit as expected when pressing CTRL+C.
Workaround:
To recover, you can suspend the process (CTRL+Z) and then kill it by running a command similar to the following: kill -9 $(pidof tshark)
Fix:
Ctrl+C now terminates TShark as expected.
700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
Component: Application Security Manager
Symptoms:
Attempting to delete request logs by a filter (10,000 at a time) only works once. Subsequent delete-by-filter actions do not remove additional earlier logs.
Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.
Impact:
Only the latest 10,000 events are deleted.
Workaround:
No workaround for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.
Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.
700061-3 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
Component: Local Traffic Manager
Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key file Unix permissions change from '-rw-r-----' to '-rw-r--r--'.
Conditions:
1. Restarting the service MCPD.
2. Rebooting the BIG-IP device.
Impact:
Key file Unix read permissions change from '-rw-r-----' to '-rw-r--r--'.
Workaround:
There is no workaround at this time.
Fix:
Restarting service MCPD or rebooting the device no longer changes the key files' Unix read permissions from '-rw-r-----' to '-rw-r--r--'.
700057-3 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
Component: Local Traffic Manager
Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.
Conditions:
Upgrade or load a .ucs with SSL keys configured.
Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.
Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config
Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.
699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
Component: Application Security Manager
Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.
Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.
Impact:
ASM crash; system goes offline.
Workaround:
Use either of the following workarounds:
-- Remove remote logger.
-- Have response logging for illegal requests only.
Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.
699598-4 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
Component: Local Traffic Manager
Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.
Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.
Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.
Workaround:
None.
Fix:
Large HTTP/2 requests are now processed as expected.
699531-3 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.
For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.
Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.
699455-3 : SAML export does not follow best practices
Solution Article: K50254952
699454-3 : Web UI does not follow current best coding practices
Component: Advanced Firewall Manager
Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.
Conditions:
Authenticated web UI user.
Impact:
UI does not respond as intended.
Workaround:
None.
Fix:
The web UI now follows current best coding practices while processing URL DB updates.
699452-3 : Web UI does not follow current best coding practices
Solution Article: K29280193
699431 : Possible memory leak in MRF under low memory
Component: Service Provider
Symptoms:
MRF may leak a session db record when a memory allocation failure occurs while adding a connection to an internal table. In this case, the table entry is not cleaned up when the connection closes.
Conditions:
A memory allocation failure occurs while MRF is adding a connection to an internal table.
Impact:
The table entry will remain until the box resets.
Workaround:
There is no workaround at this time.
Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.
699346-2 : NetHSM capacity reduces when handling errors
Solution Article: K53931245
699339-1 : Geolocation upgrade files fail to replicate to secondary blades
Solution Article: K24634702
Component: Global Traffic Manager (DNS)
Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.
Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.
Impact:
Geoip database is not updated to match primary blade.
Workaround:
Use either of the following workarounds:
-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.
-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.
To edit /etc/csyncd.conf:
Merge the following two terms:
monitor dir /shared/GeoIP {...}
monitor dir /shared/GeoIP/v2 {...}
into one term, as follows:
monitor dir /shared/GeoIP {
queue geoip
pull pri2sec
recurse yes
defer no
lnksync yes
md5 no
post "/usr/local/bin/geoip_reload_data"
}
Fix:
Geolocation upgrade files now correctly replicate to secondary blades.
699281 : Version format of hypervisor bundle matches Version format of ISO
Component: TMOS
Symptoms:
F5 recently incorporated a 4th element into its versioning scheme. In the ISO name, the 4th and 5th elements are separated by a dash (instead of a dot). This change ensures that names of hypervisor bundles also use a dash between the 4th and 5th elements.
Conditions:
Applies to hypervisor bundles (for example ova files for vmware).
Impact:
Version format in names of hypervisor bundles matches the version format of the ISO file.
Workaround:
Version format in names of hypervisor bundles matches version format of ISO file
Fix:
Version format in names of hypervisor bundles matches the version format of the ISO file (a dash is used between the 4th and 5th elements).
699267-1 : LDAP Query may fail to resolve nested groups
Component: Access Policy Manager
Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).
Conditions:
-- LDAP Query agent is configured in an Access Policy.
-- The 'Fetch groups to which the user or group belong' option is enabled.
Impact:
LDAP Query agent fails. The system is unable to get the user identity and unable to finalize the Access Policy.
Fix:
LDAP Query now resolves all nested groups as expected, and the session.ldap.last.attr.memberOf attribute contains the user's groups.
699262-2 : FQDN pool member status remains in 'checking' state after full config sync
Component: Local Traffic Manager
Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.
Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:
tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }
Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.
Workaround:
Restart bigd on the affected peer after the config sync.
Fix:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) no longer shows FQDN pool members stuck in the 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
699147 : Hourly billed cloud images are now pre-licensed
Component: TMOS
Symptoms:
Hourly billed images in cloud environments require outbound internet access to the F5 public license server in order to retrieve a license. This causes some sites with strict network access policies to fail to license.
Conditions:
Using hourly billing.
Impact:
Hourly instances do not receive licenses and thus cannot pass traffic without outbound internet access.
Workaround:
Enable outbound internet access when the guest instance is created to allow it to license, then revoke it.
Fix:
Hourly billed cloud images are now pre-licensed and so do not require internet access to receive a license.
699135-2 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.
Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create an iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.
Impact:
tmm cores.
Workaround:
Do not use the host command for wideips of types other than A/AAAA.
699091-1 : SELinux denies console access for remote users.
Component: TMOS
Symptoms:
SELinux denies console access for remote users if they are attempting to log in for the first time. This occurs because the user has not logged in before, so no entries exist for them in the userrolepartitions file.
Conditions:
-- Remote authentication is enabled.
-- BIG-IP system user attempts to log in to the console as their first login.
Impact:
Certain remote users may not be able to log in to the console.
Workaround:
Log in as the remote user using SSH or the GUI first.
Fix:
The login process is now allowed to connect to MCP to announce the remote user login and set the user's role and partition access.
698947-1 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
Component: TMOS
Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.
Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.
Impact:
The decapsulated packets may be dropped in the BIG-IP system.
Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.
698919-1 : Anti virus false positive detection on long XML uploads
Component: Application Security Manager
Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.
Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.
Impact:
Violation is detected where no violation has occurred (false positive violation).
Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.
Note: This workaround will affect the amount of logged data from ASM.
Fix:
Fixed a false positive virus-detected violation related to long XML uploads.
698916-3 : TMM crash with HTTP/2 under specific condition
Component: Local Traffic Manager
Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connection.
Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.
Impact:
TMM crash, leading to a failover event.
Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.
Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.
698813-3 : When processing DNSX transfers ZoneRunner does not enforce best practices
Solution Article: K45435121
698806-2 : Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces
Component: Advanced Firewall Manager
Symptoms:
Egress Interfaces are not checked in the Source Translation page even if they are configured.
Conditions:
Create a source translation object with egress Interfaces set to 'Enabled on...', select Egress Interfaces from the list, and hit 'Finished'. Egress Interfaces will not be checked with the originally configured values.
Impact:
Egress Interfaces will not be checked even if they are configured.
Workaround:
Use tmsh to check whether the object is actually configured with Egress Interfaces.
Fix:
Egress Interfaces are now selected whenever a user creates a Source Translation object with Egress Interfaces.
698757-1 : Standby system saves config and changes status after sync from peer
Solution Article: K58143082
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is In Sync for a short period of time.
After a while, it automatically goes to Changes Pending status.
Conditions:
-- Manual sync device-group configuration.
-- Modify existing policy encoding to uppercase (via tmsh).
-- ASM configuration.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
Use either of the following workarounds:
-- Push the sync back from the Standby device to the Active device, and then again from the Active to Standby.
-- Put the device group into auto-sync state and push the config from the Active to the Standby. After the Sync state resolves and the ASM configuration is finished loading, the device group can be put back to Manual sync.
Fix:
The requested encoding is now changed to lowercase.
698619-1 : Disable port bridging on HSB ports for non-vCMP systems
Component: TMOS
Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.
Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).
Impact:
This can result in packet flooding back to the HSB and potential network saturation.
Workaround:
None.
Fix:
Port bridging on HSB interfaces in the switch for non-vCMP systems is now disabled on BIG-IP 5000/7000. However, this issue still occurs on B2100 blades, as port bridging is required on that platform for chassis data plane support.
698429-3 : Misleading log error message: Store Read invalid store addr 0x3800, len 10
Component: TMOS
Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.
Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.
Impact:
None. These messages do not indicate an actual problem with the system.
698379-3 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR
Solution Article: K61238215
Component: Local Traffic Manager
Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.
Conditions:
HTTP2 virtual server configured.
Impact:
Uploads for the HTTP2 virtual server might fail intermittently.
Workaround:
None.
Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.
698376-4 : Non-admin users have limited bash commands and can only write to certain directories
Solution Article: K46524395
698338-2 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
Component: Service Provider
Symptoms:
The system may core.
Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.
Impact:
The system cores and will restart.
Workaround:
None.
Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.
698080-1 : TMM may consume excessive resources when processing with PEM
Solution Article: K54562183
698000-1 : Connections may stop passing traffic after a route update
Solution Article: K04473510
Component: Local Traffic Manager
Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.
Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.
Impact:
Connections may fail after routing updates. New connections will not be affected.
Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.
Fix:
Routing updates no longer interrupt traffic on connections using a pool member to reach the nexthop.
697878 : High crypto request completion time under some workload patterns
Component: TMOS
Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into the associated waiting queue. The crypto requests continue to complete, but are significantly delayed.
Conditions:
High crypto usage, often in conjunction with high compression usage.
Impact:
Crypto requests can be delayed as long as 1.5 seconds.
Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
tmsh modify sys db crypto.hwacceleration value disable
Fix:
The accelerated crypto poll-timing calculation has been improved.
697718-3 : Increase PEM HSL reporting buffer size to 4K.
Component: Policy Enforcement Manager
Symptoms:
Before this fix, the PEM HSL reporting buffer size was limited to 512 bytes.
Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.
Impact:
Part of PEM HSL flow reporting information will be lost.
Fix:
The PEM HSL reporting buffer size has been increased to 4K, which should be sufficient for the use cases currently known.
697616 : Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
Component: TMOS
Symptoms:
Failure in SSL traffic in vCMP configurations. The system logs the following device error:
-- crit tmm[17083]: 01010025:2: Device error: crypto codec qat-crypto0-0 queue is stuck.
-- warning sod[7759]: 01140029:4: high availability (HA) crypto_failsafe_t qat-crypto0-0 fails action is failover.
Conditions:
-- vCMP guests when performing crypto operations.
-- i5600, i5800, i7600, i7800, i10600, i10800, i12600, i12800, i15600, i15800 platforms.
Impact:
The 'crypto queue stuck' message is reported, and failover will be triggered.
Workaround:
None.
Fix:
The 'crypto queue stuck' issue on vCMP platforms no longer occurs.
697424 : iControl-REST crashes on /example for firewall address-lists
Component: TMOS
Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.
Conditions:
Making a call to /example on firewall address-list.
Impact:
The icrd_child process crashes.
Workaround:
There is no workaround other than not calling /example on firewall address-lists.
697303-3 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
Fix:
BD no longer crashes under these conditions.
697259-1 : Different versioned vCMP guests on the same chassis may crash.
Solution Article: K14023450
Component: Local Traffic Manager
Symptoms:
The vCMP guest TMM crashes soon after startup.
Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.
Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Different versioned vCMP guests on the same chassis no longer crash.
696808-3 : Disabling a single pool member removes all GTM persistence records
Component: Global Traffic Manager (DNS)
Symptoms:
Disabling a single pool member removes all GTM persistence records.
Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.
Impact:
All GTM persistence records are accidentally cleared.
Workaround:
Set drain-persistent-requests yes.
Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.
696789-2 : PEM Diameter incomplete flow crashes when TCL resumed
Component: Policy Enforcement Manager
Symptoms:
TMM may crash if a PEM Diameter flow is not fully created (for example, because it was suspended by an iRule) and the iRule is then resumed because of a timeout.
Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.
Impact:
The tmm will restart and all flows will reset.
Fix:
The PEM Diameter flow is now created in such a way as to prevent a crash when an iRule is resumed by timeout.
696732 : tmm may crash in a compression provider
Solution Article: K54431534
Component: TMOS
Symptoms:
TMM may crash with the following panic message in the log files:
panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.
Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.
Impact:
TMM crashes, Traffic disrupted while tmm restarts.
Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:
tmsh modify sys db compression.strategy value softwareonly
696468 : Active compression requests can become starved from too many queued requests.
Component: TMOS
Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal or higher than 512, and the cur_active remains at zero.
CPU utilization per tmm in this condition may be quite high.
Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.
Impact:
Compression on a per-tmm basis can stop servicing new requests.
Workaround:
Switch to software compression.
Fix:
The restriction has been softened so that accumulated contexts with no traffic cannot prevent busy contexts from getting compression time.
696383-2 : PEM Diameter incomplete flow crashes when swept
Component: Policy Enforcement Manager
Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.
Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.
Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The PEM Diameter flow is now created in such a way as to prevent a crash by the sweeper.
696294-3 : TMM core may be seen when using Application reporting with flow filter in PEM
Component: Policy Enforcement Manager
Symptoms:
TMM cores when a flow filter is used with the Application reporting action enabled.
Conditions:
Application reporting is enabled along with a flow filter.
Impact:
TMM restarts, causing a service interruption.
Fix:
The application start buffer is now initialized, preventing the TMM core.
696265-3 : BD crash
Solution Article: K60985582
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
Fix:
Fixed a BD crash scenario.
696113-1 : Extra IPsec reference added per crypto operation overflows connflow refcount
Component: TMOS
Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.
Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.
Impact:
Unexpected tmm failover after refcount overflow.
Workaround:
There is no workaround at this time.
Fix:
An object tracking crypto operations now adds a single reference to the connflow for as long as the count of pending crypto operations is nonzero.
696049-3 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.
695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in a potential OOM scenario.
Conditions:
1. PEM configured with Gx.
2. Flaky Diameter connection.
3. Subscriber creation via PEM.
Impact:
Potential loss of service.
Workaround:
There is no workaround at this time.
Fix:
Diameter messages are now freed appropriately.
695925-3 : Tmm crash when showing connections for a CMP disabled virtual server
Component: Local Traffic Manager
Symptoms:
Tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.
Conditions:
This occurs when all of the following conditions are met:
-- There is a CMP-disabled virtual server, or a floating self-IP address defined.
-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).
-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').
Impact:
Tmm crashes and restarts impacting traffic.
Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.
Avoid using tmsh show sys connection.
695901-2 : TMM may crash when processing ProxySSL data
Solution Article: K46940010
695878-5 : Signature enforcement issue on specific requests
Component: Application Security Manager
Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.
Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.
-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).
Impact:
Attack signatures are not enforced on the payload of this request at all.
Workaround:
Turn on blocking for the 'Request exceeds max buffer size' violation.
Fix:
Attack signature enforcement now inspects part of the payload of such requests.
695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes
Solution Article: K30081842
Component: Local Traffic Manager
Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.
Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.
FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.
Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:
... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...
Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.
Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.
Fix:
bigd no longer produces corrupted MCP messages that leave nodes and/or pool members in a 'checking' state, with up to 2,000 nodes and/or pool members (including FQDN nodes and/or pool members) configured. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
694922-4 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device
Impact:
ASM configuration is not correctly synchronized between devices
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic
Fix:
Devices no longer spuriously enter an untrusted state
694778-2 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
Component: Local Traffic Manager
Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).
Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and a 2048-bit RSA key.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.
Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).
Workaround:
There is no workaround other than to disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable
Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.
694740-1 : BIG-IP reboot during a TMM core results in an incomplete core dump
Component: TMOS
Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.
Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.
Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.
Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.
Fix:
Reboot is delayed until TMM core file is completed.
694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
Component: Policy Enforcement Manager
Symptoms:
TMM crashes
Conditions:
A PEM iRule command that results in an inter-TMM lookup is executed several times on a long-lived flow, for example a long-lived flow carrying multiple HTTP transactions.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.
694697-3 : clusterd logs heartbeat check messages at log level info
Solution Article: K62065305
Component: Local Traffic Manager
Symptoms:
clusterd logs heartbeat check messages at log level info, similar to the following:
-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)
Conditions:
log.clusterd.level set to info.
Impact:
This is a cosmetic issue: clusterd heartbeat messages are logged at level info to /var/log/ltm.
Workaround:
Set log.clusterd.level to notice.
Fix:
The log level of clusterd heartbeat check messages has changed: 'Skipping heartbeat check' messages are now logged at debug, and 'Checking heartbeat of peer slot' messages are now logged at verbose and report which bp the heartbeat was received on.
694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline
Component: TMOS
Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.
Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.
Impact:
Traffic to all other traffic-groups is disrupted for several seconds.
Workaround:
There is no workaround at this time.
Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.
694656-3 : Routing changes may cause TMM to restart
Solution Article: K05186205
Component: Local Traffic Manager
Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).
Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.
-- Dynamic routing, due to its nature, is likely to increase the potential for the issue to occur.
-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).
Impact:
TMM restarts, resulting in a failover and/or traffic outage.
Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.
If dynamic routing is in use, there is no workaround.
Fix:
TMM now properly manages routing information for active connections.
694319-3 : CCA without a request type AVP cannot be tracked in PEM.
Component: Policy Enforcement Manager
Symptoms:
May cause diagnostic issues, as not all CCA messages can be tracked.
Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP
Impact:
May hamper effective diagnostics.
Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.
Fix:
Added a statistics counter to track CCAs that do not contain a request type AVP.
Name of new counter: cca_unknown_type
694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
Component: Policy Enforcement Manager
Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.
Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.
Impact:
Subscriber sessions stuck in delete pending, resulting in a potential increase in memory consumption over a period of time.
Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.
Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.
694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7
Solution Article: K23565223
694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup
Component: Application Security Manager
Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.
Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).
Impact:
Low and incorrect visibility of signature update details.
Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.
Fix:
Signature updates are now shown correctly for all versions.
693996-3 : MCPD sync errors and restart after multiple modifications to file object in chassis
Solution Article: K42285625
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
693910-2 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
Component: Local Traffic Manager
Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transitions to an STP blocked state. This is because the FDB entries are not flushed on these interfaces after they change to a blocked state. Traffic destined to these MAC addresses is dropped until their associated entries in the FDB age out.
Conditions:
MAC addresses are learned on an STP forwarding interface that transitions to the blocked state following a topology change.
Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.
Workaround:
None.
Fix:
FDB entries are now flushed per interface whenever an interface transitions to an STP blocked state.
693884-3 : ospfd core on secondary blade during network instability
Component: TMOS
Symptoms:
ospfd cores on a secondary blade while the network is unstable.
Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.
Impact:
The dynamic routing process ospfd cores on a secondary blade.
Workaround:
None.
693838 : Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors
Component: Local Traffic Manager
Symptoms:
Member of pool is not marked down when response time exceeds hard limit.
Conditions:
Adaptive monitoring enabled for UDP monitor and server response time exceeds hard limit.
Impact:
Member remains in pool despite exceeding hard limit which may result in degraded services.
Workaround:
None.
693744-3 : CVE-2018-5531: vCMP vulnerability
Solution Article: K64721111
693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
Component: Access Policy Manager
Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.
Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.
Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.
Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.
Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.
693582-3 : Monitor node log not rotated for certain monitor types
Component: Local Traffic Manager
Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.
Conditions:
-- This occurs if Monitor Logging is enabled for an LTM node or pool member, and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
- external
-- This also can happen with tcp-half-open if the monitor is down.
Impact:
Depending on the affected BIG-IP software version in use, effects may include the following symptoms:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.
Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool members.
-- If symptom #1 occurs, Monitor Logging can be re-enabled after log rotation has occurred.
-- To address symptoms #2 or #3, Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors :: https://support.f5.com/csp/article/K12531.
Fix:
Monitor node logs are now rotated/compressed as expected.
693388-1 : Log additional HSB registers when device becomes unresponsive
Component: TMOS
Symptoms:
HSB becomes unresponsive, and logs no registers to indicate the state of the device. There is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
Fix:
There is now logging of additional registers to assist in diagnosing the failure.
The registers can be seen in the TMM log files when there is either an HSB transmitter or receive failure.
693360-6 : A virtual server status changes to yellow while still available
Solution Article: K52035247
693312-2 : vCMPd may crash when processing bridged network traffic
Solution Article: K03165684
693308-3 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
Component: Local Traffic Manager
Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.
Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both the client and server side.
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.
Impact:
The backend server is not securely accessible via SSL because the connection hangs.
Workaround:
Disable SSL Session Persistence.
Fix:
When a handshake message is fragmented across multiple TLS records, each record after the first carries its own 5-byte record header, which must be accounted for. With this taken into consideration, the Session Persistence parser no longer finds a multiple of 5 bytes missing while parsing the message, and no longer hangs.
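The record-header accounting described in this fix, as an added example that is not BIG-IP code: a correct reassembler that strips every TLS record header before walking the handshake messages, next to a model of the faulty parser that sizes its read from the first record only and therefore believes a multiple of 5 bytes is still missing. It assumes TLS 1.2 record framing (RFC 5246) and uses a constructed, opaque Certificate body rather than a real chain.

```python
"""Reassembling a TLS handshake message fragmented across several records,
and a model of a parser that forgets the 5-byte header on later records.
Assumes TLS 1.2 framing; the certificate body is constructed, opaque data."""
import struct

RECORD_HEADER_LEN = 5            # content type (1) + version (2) + length (2)
CONTENT_TYPE_HANDSHAKE = 22
HS_CERTIFICATE = 11
MAX_FRAGMENT = 16384             # largest plaintext fragment in one TLS 1.2 record


def build_records(hs_type, body, max_fragment=MAX_FRAGMENT):
    """Frame one handshake message into as many TLS records as it needs."""
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    out = []
    for off in range(0, len(msg), max_fragment):
        frag = msg[off:off + max_fragment]
        out.append(struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0303, len(frag)) + frag)
    return b"".join(out)


def split_records(stream):
    """Yield (content_type, fragment) for every complete record in the stream."""
    off = 0
    while off + RECORD_HEADER_LEN <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if off + length > len(stream):
            raise ValueError("truncated TLS record")
        yield ctype, stream[off:off + length]
        off += length


def parse_handshake_messages(stream):
    """Correct parser: strip every record header first, then walk the
    concatenated handshake fragments using the 4-byte handshake headers."""
    buf = b"".join(frag for ctype, frag in split_records(stream)
                   if ctype == CONTENT_TYPE_HANDSHAKE)
    msgs, off = [], 0
    while off + 4 <= len(buf):
        hs_type = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + length > len(buf):
            raise ValueError("incomplete handshake message")
        msgs.append((hs_type, buf[off + 4:off + 4 + length]))
        off += 4 + length
    return msgs


def naive_bytes_missing(stream):
    """Model of the bug: size the read window from the first record alone
    (5 + 4 + L bytes), then strip the record headers found inside that window.
    Each extra header inside the window costs 5 payload bytes, so the parser
    concludes a multiple of 5 bytes is still missing and keeps waiting even
    though the whole message has already arrived."""
    hs_len = int.from_bytes(stream[6:9], "big")        # handshake length sits after
    window = stream[:RECORD_HEADER_LEN + 4 + hs_len]   # the record header and hs type
    off = payload = 0
    while off + RECORD_HEADER_LEN <= len(window):
        _ctype, _version, rlen = struct.unpack("!BHH", window[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        take = min(rlen, len(window) - off)
        payload += take
        off += take
    return 4 + hs_len - payload


def demo(chain_len):
    """Frame a constructed chain of chain_len bytes and return
    (record count, bytes the naive parser thinks are missing, parsed body length)."""
    body = bytes(i % 256 for i in range(chain_len))    # constructed, opaque chain bytes
    stream = build_records(HS_CERTIFICATE, body)
    n_records = sum(1 for _ in split_records(stream))
    msgs = parse_handshake_messages(stream)
    assert msgs == [(HS_CERTIFICATE, body)]            # correct parser always reassembles
    return n_records, naive_bytes_missing(stream), len(msgs[0][1])


if __name__ == "__main__":
    # A chain under 16,384 bytes fits one record; larger chains expose the bug.
    for size in (10_000, 20_000, 40_000):
        print(size, demo(size))
```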
693211-3 : CVE-2017-6168
Solution Article: K21905460
693106-2 : IKEv1 newest established phase-one SAs should be found first in a search
Component: TMOS
Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.
If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BIG-IP, preferring the newest SA may mitigate the problem.
Conditions:
The situation arises most easily when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.
If the other end deletes a duplicate without sending a DELETE message to BIG-IP, we might accidentally use the older SA of the pair.
Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.
Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.
Fix:
At the moment a new IKE-SA is established, we now move that SA to the head of the hashmap bucket searched for that remote peer in the future. This makes us more likely to use the newest SA from the perspective of the remote peer the next time we initiate another phase two negotiation ourselves.
693007-3 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
Component: Global Traffic Manager (DNS)
Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.
Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.
Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.
Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.
Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.
Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.
692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash
Component: Local Traffic Manager
Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.
Conditions:
UDP port 67 is configured for a purpose other than DHCP relay.
Impact:
TMM restart causes traffic interruption or failover.
Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.
Fix:
TMM no longer crashes with DHCP flow validation.
692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
Component: Global Traffic Manager (DNS)
Symptoms:
Changing a wide IP causes gtmd and tmm to core under certain conditions.
Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.
Impact:
gtmd and/or tmm core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Changing a wide IP no longer causes gtmd and tmm to core when a GTM pool referenced by a persist record is removed and that record is accessed before it is purged.
692307-1 : User with 'operator' role may not be able to view some session variables
Component: Access Policy Manager
Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.
Conditions:
This occurs when there is a huge blob of data associated with the user whose session variables are being viewed, for example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.
Impact:
User cannot view the session variables for those particular sessions. This data is available, however, by clicking on the Session ID.
Workaround:
Find this data by clicking on the session ID.
Fix:
User with 'operator' role can now view all expected session variables.
692239-1 : AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
Solution Article: K31554905
Component: TMOS
Symptoms:
When using the AOM menu, LCD touchscreen, or the operating system 'halt' command to power off then on the host CPU on i5600, i5800, i7600, i7800, i10600, i10800 platforms, the AOM creates a 'Host Power Cycle Event' SEL log entry every two seconds. The SEL log will continue to grow until external power to the appliance is fully power cycled.
Conditions:
-- Running on i5600, i5800, i7600, i7800, i10600, i10800 platforms.
-- With an older version of CPLD code installed (e.g., CPLD 0x45), power-off the host using the AOM menu, the LCD touchscreen, or the operating system's 'halt' command.
+ Bring up the AOM menu using ESC shift-9, then select 'p' and '0' from the menu to power off the host CPU complex.
+ On the LCD touchscreen, navigate to [System] menu and select [Power Off] to power off the host CPU complex.
+ Run the 'halt' command on the BIG-IP host subsystem.
-- Wait a few seconds, and power on the host.
+ On the AOM menu, select 'p' and '1' to power on the host CPU complex.
+ On the LCD touchscreen, navigate to [System] menu and select [Power On] to power on the host CPU complex.
+ There is no equivalent shell method to turn the power back on after running the 'halt' command.
Impact:
This results in ongoing 'Host Power Cycle Event' messages to post in the SEL log (tail /var/log/sel) every two seconds.
The SEL log will continue to grow and wrap as this message continues to post to the SEL log every two seconds.
This results in a very large number of SEL entry fetches by the host CPU to the AOM and can place a substantial load on the AOM interface.
In addition, the loss of communication between the BIG-IP host and the AOM can cause a number of related errors to be logged in the LTM log, such as:
012a0022:4: Host to AOM communication error
012a0004:4: Unable to get sensor reading for sens num #
012a0004:4: AomSelLogger: unable to sync SEL log time
012a0004:4: AomSelLogger: unable to process SEL logs
012a0004:4: Error writing SEL records, BmcDev: Unable to get SEL Info
012a0004:4: Error syncing SEL time, BmcDev: IpmiCmdDev: : Unable to Set SEL time ######## (rv=fd) Other error 0xfd (cc=80) Invalid Session Handle or Empty Buffer
Workaround:
The actual fix is to install a newer version of i5600, i5800, i7600, i7800, i10600, i10800 platform CPLD code (e.g., CPLD 0x54 or CPLD 0x55).
Another workaround is to fully power cycle the appliance.
However, every time the AOM menu is used to power off then on the host, the SEL log entries re-appear.
Fix:
This issue is fixed in newer versions of the i5600, i5800, i7600, i7800, i10600, i10800 platforms CPLD (e.g., CPLD 0x54 or CPLD 0x55).
692189-3 : errdefsd fails to generate a core file on request.
Component: TMOS
Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.
Conditions:
Forcing errdefsd to core for diagnostic purposes.
Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.
Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
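Review bot: the inserted `setproperties ${service}` call at lines 17-19 relies on the `setproperties` function and the `service` variable already being defined when line 17 runs, and the hunk carries no context lines to show that. Before applying, confirm in /etc/bigstart/scripts/errdefsd that the common bigstart functions are sourced and `service` is set above line 16; otherwise the call resolves to an unknown command.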
2. Run the following command: bigstart restart errdefsd
Fix:
errdefsd now generates a core file when forced to core.
692179-3 : Potential high memory usage from errdefsd.
Component: TMOS
Symptoms:
errdefsd memory usage grows with each config-sync or config update.
Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.
Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.
Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.
Fix:
errdefsd now checks for config changes once every second, in addition to checking whenever management-port destination logs come in.
692165-2 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
Component: TMOS
Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).
Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.
- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.
Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.
Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.
However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.
692158-2 : iCall and CLI script memory leak when saving configuration
Component: TMOS
Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.
Conditions:
Use of iCall or CLI scripts to save the configuration.
Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.
Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.
Fix:
scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.
692123-2 : GET parameter is grayed out if MobileSafe is not licensed
Component: Fraud Protection Services
Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.
Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.
Impact:
In FPS Parameter's list, the GET method is always grayed out.
Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.
Fix:
The GET method is no longer grayed out if MobileSafe is not licensed.
692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member
Solution Article: K65311501
Component: Local Traffic Manager
Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]
Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.
Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.
Workaround:
None.
Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.
691945-2 : Security Policy Configuration Changes When Disabling Learning
Component: Application Security Manager
Symptoms:
When Learning is enabled in either manual or automatic mode and is then disabled, this is treated as the end of the learning process, so changes are automatically made to the default wildcard entities ("*" URL, Parameter, Filetype), such as removing the element from staging.
The user is not notified of these changes, and they may not be expected, leading to undesired security enforcement.
Conditions:
-- Learning is enabled in Manual or Automatic mode.
-- Learning is then disabled.
Impact:
Unexpected changes to the default wildcard elements in the policy can lead to undesired security enforcement.
Workaround:
The audit log shows all changes that were made to the policy, and undesired changes can be remedied before the policy changes are applied.
Fix:
No changes are made to the default wildcard entities upon disabling of learning.
691897-1 : Names of the modified cookies do not appear in the event log
Component: Application Security Manager
Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie are empty.
Conditions:
A modified domain cookies violation happens.
Note: This can happen only if there are also non-modified or staged cookies.
Impact:
Expected violation details are not displayed.
Workaround:
There is no workaround at this time.
Fix:
Issue with modified domain cookie violation details is now fixed.
691806-3 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Solution Article: K61815412
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.
Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.
Impact:
The BIG-IP system resets connection with RST.
Workaround:
None.
Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.
691670-3 : Rare BD crash in a specific scenario
Component: Application Security Manager
Symptoms:
BD crash or False reporting of signature ID 200023003.
Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).
Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.
A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.
691589 : When using LDAP client auth, tamd may become stuck
Component: TMOS
Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.
Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.
Impact:
Authentication to the virtual server fails until tamd is restarted.
Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd
Fix:
tamd no longer becomes stuck when using LDAP client auth.
691504-3 : PEM content insertion in a compressed response may cause a crash.
Solution Article: K54562183
691498-1 : Connection failure during iRule DNS lookup can crash TMM
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes in the DNS response cache periodic sweep.
Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.
Impact:
The TMM cores and automatically restarts. Traffic is disrupted while tmm restarts.
Workaround:
No known workaround.
Fix:
The reference counting of the resolver connection was fixed.
691477-1 : ASM standby unit showing future date and high version count for ASM Device Group
Component: Application Security Manager
Symptoms:
Policy builder is changing configuration of standby unit.
Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).
Impact:
Unexpected changes are made to the policy on standby device (CID increment).
Workaround:
Restart pabnagd when switching the device from active to standby (also when a blade is changed from master to non-master):
killall -s SIGHUP pabnagd
Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.
691287-3 : tmm crashes on iRule with GTM pool command
Component: Global Traffic Manager (DNS)
Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').
For example:
when DNS_REQUEST {
pool [string tolower "Test.com"]
}
or:
when DNS_REQUEST {
pool [class lookup pool-dg key-value]
}
Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Pass the 'pool' argument through 'string trim'. For instance:
when DNS_REQUEST {
pool [string trim [class lookup pool-dg key-value]]
}
Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.
691224-1 : Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled
Solution Article: K59327001
Component: Local Traffic Manager
Symptoms:
The server node rejects the received, incomplete ClientHello message and the connection terminates.
Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.
Impact:
With Session Persistence enabled:
-- The parser fails to reassemble fragmented ClientHello messages prior to passing it on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.
Workaround:
The issue disappears when SSL Persistence is disabled.
691017-1 : Preventing ng_export hangs
Component: Access Policy Manager
Symptoms:
Sometimes ng_export gets stuck while reading tmsh output through the pipe because of buffer issues. The export is trying to read more data from tmsh while data has been lost in the middle of the read operation.
Conditions:
-- ng_export receives tmsh replies through buffer of constant size x.
-- During the read operation, tmsh returns a buffer size of x minus k, where k is a very small random number (less than 50).
Note: k is a very small random number, which makes this issue difficult to describe.
Impact:
The export operation hangs.
Workaround:
There is no workaround at this time.
Fix:
APM access policy export now uses a non-blocking socket and loops to wait for data or terminate gracefully.
690819-3 : Using an iRule module after a 'session lookup' may result in crash
Component: TMOS
Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.
Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.
Impact:
The system may core, or result in undefined and/or undesired behavior.
Workaround:
Check the return value of 'session lookup' before using another iRule module.
If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.
690793-2 : TMM may crash and dump core due to improper connflow tracking
Solution Article: K25263287
Component: TMOS
Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.
Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.
While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.
Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.
Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.
However, this does not eliminate entirely the chances of running into this issue.
Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.
690215-1 : Missing requests in request log
Component: Application Security Manager
Symptoms:
Requests are missing from the request log.
Conditions:
Either of:
- pabnagd restart
- asm restart
- failover
Impact:
- Requests are not logged for up to an hour (affected by the amount of policies)
Workaround:
No workaround.
Fix:
All requests are now logged always.
690166-3 : ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains
Component: Global Traffic Manager (DNS)
Symptoms:
Creating an SRV wideip results in stub zone creation even if there are already matching zones.
Conditions:
Creating an SRV wideip with three or more layers beyond the existing zone.
Impact:
Unnecessary stub zones created.
690042-3 : Potential Tcl leak during iRule suspend operation
Solution Article: K43412307
Component: Local Traffic Manager
Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.
Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.
Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer leaks memory.
689826-2 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
Solution Article: K95422068
Component: Access Policy Manager
Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.
Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.
Impact:
Proxy settings are not applied on client side after VPN is established.
Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:
1. Set the custom variable name to the following value:
config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
Note: <network access resource name> is the name of the network access resource.
2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.
3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.
Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.
689730-2 : Software installations from v13.1.0 might fail★
Component: TMOS
Symptoms:
Installation terminates with the following final log messages:
info: updating shared filesystem directories...
progress: 10/100
error: mkdir /mnt/tm_install/3543.JENFeQ/core failed - File exists
Terminal error: Failed to install.
Conditions:
-- BIG-IP Virtual Editions, or the following appliances:
+ i2600
+ i2800
+ i4600
+ i4800
+ i5600
+ i5800
+ i5820
+ i7600
+ i7800
+ i7820
+ i10600
+ i10800
+ i11600
+ i11800
-- Running BIG-IP software v13.1.0 or earlier.
-- Installing BIG-IP software with --instslot option.
Impact:
Installation of new software cannot proceed.
Workaround:
Remove the '/shared/core' symlink, then restart the installation.
Fix:
The installer now properly detects the symlink and proceeds without error.
689577-1 : ospf6d may crash when processing specific LSAs
Solution Article: K45800333
Component: TMOS
Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.
Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.
Impact:
OSPFv3 routing will be interrupted while the daemon restarts and the protocol re-converges.
Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.
Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.
689449-3 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.
Conditions:
- VIP configured with spdy/http2 and http with fallback-host.
Impact:
TMM may eventually enter aggressive sweeper mode, where this memory will be released. In the process it is possible that some legitimate connections will be killed.
Workaround:
No workaround at this time.
Fix:
BIG-IP no longer attempts to send a response with the fallback host configured in the HTTP profile when a connection is aborted by a client or due to an internal error. This prevents the internal flow from staying in memory after the connection has died.
689437-2 : icrd_child cores due to infinite recursion caused by incorrect group name handling
Solution Article: K49554067
Component: TMOS
Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.
Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.
Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.
Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.
Fix:
The icrd_child parsing logic has been updated so that it no longer enters recursion.
689361-3 : Configsync can change the status of a monitored pool member
Component: Local Traffic Manager
Symptoms:
It is possible for a configsync operation to incorrectly change a monitor's state. For example, it can change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device. Other state changes are possible.
Conditions:
Pool members are monitored and a configsync is initiated from a paired device.
Impact:
The configsync causes the monitor on the standby system to transition to an incorrect state, out of sync with the active system.
Workaround:
There is a workaround for the case described in 'Symptoms':
Ensure the network configuration is such that a monitored node responds to ICMP requests from both (or neither) of the paired devices. Alternatively, initiate configuration changes only from the device to which the node does not respond to ICMP requests.
Fix:
A configsync no longer causes an unexpected monitor transition on the standby system.
689211-2 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
Component: TMOS
Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.
Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.
Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.
Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.
Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
bigstart restart
Fix:
Added a check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an all-zero address when forwarded.
689089-3 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
Component: Local Traffic Manager
Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.
Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:
"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"
Where "N" is the number of physical slots in the chassis (2, 4, or 8).
Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.
Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.
Fix:
The configuration file update logic has been changed to prevent file corruption during update.
689080 : Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value
Component: Local Traffic Manager
Symptoms:
When a software encoding algorithm is being used by tmm to generate syn cookies in a SYN/ACK packet, there is a chance that HSB might mistakenly identify the ACK response to the SYN/ACK as valid syncookie response and stamp a SYNCOOKIE_VALID flag on the packet. In that case, software processes try to extract the MSS (maximum segment size) value encoded in the syncookie, which would be a wrong value. This may cause connection to fail in subsequent transactions, or cause performance degradation.
Conditions:
When software syncookie protection mode is activated and a software encoding algorithm is being used.
Impact:
Connections either fail, or the smaller, incorrect MSS value causes performance degradation.
Workaround:
None.
Fix:
If a software syncookie encoding algorithm is being used, tmm now ignores the SYNCOOKIE_VALID flag stamped by HSB, so the correct MSS value is calculated.
689002-1 : Stackoverflow when JSON is deeply nested
Component: TMOS
Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.
Conditions:
Deeply nested JSON returned from iControl-REST.
Impact:
icrd_child process coredumps.
Workaround:
None.
Fix:
The fix changes the destruction mechanism into an iterative solution, to completely avoid the stack overflow.
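The pattern behind this fix, as an added illustration that is not iControl REST or icrd_child code: a recursive walk over a JSON-like tree needs one native stack frame per nesting level and overflows on deep input, while the same walk driven by an explicit work list is bounded by heap memory only. The input builder and node counts are constructed for the example.

```python
"""Recursive versus iterative traversal of a deeply nested JSON-like tree.

Added example; it models the icrd_child failure mode (deep recursion while
tearing down a nested payload) and the iterative alternative the fix adopts.
"""


def build_nested(depth: int):
    """Constructed input: a value nested `depth` levels deep, alternating
    objects and arrays. Built with a loop so the builder itself cannot overflow."""
    node = "leaf"
    for level in range(depth):
        node = {"child": node} if level % 2 else [node]
    return node


def count_nodes_recursive(value) -> int:
    """Natural recursive walk: one Python frame per nesting level, so a
    payload deeper than the interpreter's recursion limit raises RecursionError
    (the analogue of the native stack overflow in the bug)."""
    if isinstance(value, dict):
        return 1 + sum(count_nodes_recursive(v) for v in value.values())
    if isinstance(value, list):
        return 1 + sum(count_nodes_recursive(v) for v in value)
    return 1


def count_nodes_iterative(value) -> int:
    """Same traversal with an explicit work list: nesting depth only grows the
    heap-allocated list, never the call stack."""
    total = 0
    pending = [value]
    while pending:
        current = pending.pop()
        total += 1
        if isinstance(current, dict):
            pending.extend(current.values())
        elif isinstance(current, list):
            pending.extend(current)
    return total


def recursive_overflows(value) -> bool:
    """True when the recursive walk cannot complete on this input."""
    try:
        count_nodes_recursive(value)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    deep = build_nested(5000)  # well past CPython's default limit of 1000
    print("recursive overflows:", recursive_overflows(deep))   # True
    print("iterative node count:", count_nodes_iterative(deep))  # 5001
```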
688942-3 : ICAP: Chunk parser performs poorly with very large chunk
Component: Service Provider
Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.
Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).
Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.
Workaround:
If possible, configure the ICAP server to chunk the response payload into multiple normal-sized chunks (up to a few tens of KB).
Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.
688629-3 : Deleting data-group in use by iRule does not trigger validation error
Solution Article: K52334096
Component: Local Traffic Manager
Symptoms:
iRule aborts due to failed commands, causing connflow aborts.
Conditions:
-- Delete a data group.
-- An iRule uses that data-group on a virtual server.
Impact:
In use data-group can be deleted without error. iRule aborts leading to connflow aborts.
Workaround:
Don't delete data-groups in use by an iRule.
Fix:
An attempt to delete a data-group in use by an iRule now triggers a validation error.
688625-2 : PHP Vulnerability CVE-2017-11628
Solution Article: K75543432
688553-1 : SASP GWM monitor may not mark member UP as expected
Component: Local Traffic Manager
Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.
Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).
This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).
This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).
Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.
Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.
688516-2 : vCMPd may crash when processing bridged network traffic
Solution Article: K03165684
688399-5 : HSB failure results in continuous TMM restarts
Component: TMOS
Symptoms:
The TMM is continually restarted due to lack of the HSB PDE device. When this issue occurs, HSB errors may be present in the TMM log files, prior to a TMM core (SIGSEGV).
Conditions:
The conditions under which this occurs are unknown.
Impact:
TMM continually restarts until the unit is rebooted. Traffic disrupted while tmm restarts. The reboot appears to clear the condition.
Workaround:
Manually reboot the unit.
Fix:
The TMM restarts no longer occur.
688148-1 : IKEv1 racoon daemon SEGV during phase-two SA list iteration
Component: TMOS
Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.
Conditions:
Deleting phase-two SAs, either manually or in response to notifications.
Impact:
IKEv1 tunnel outage until the racoon daemon restarts.
Workaround:
None.
Fix:
Fixed list iteration to use the correct list linkage, so iterating one phase-one SA's list does not instead visit the global list of phase-two SAs.
688011-5 : Dig utility does not apply best practices
Solution Article: K02043709
688009-5 : Appliance Mode TMSH hardening
Solution Article: K46121888
687905 : OneConnect profile causes CMP redirected connections on the HA standby
Solution Article: K72040312
Component: TMOS
Symptoms:
When virtual server uses OneConnect profile in HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and memory leak on high availability (HA) standby systems, including high memory usage on standby units.
Conditions:
-- Virtual server uses OneConnect profile in HA configuration.
-- Mirroring is enabled.
-- BIG-IP platform supports CMP.
Impact:
Redirected connections and memory leak on a standby device.
Workaround:
Remove OneConnect profile from the virtual server.
687887-4 : Unexpected result from multiple changes to a monitor-related object in a single transaction
Component: Local Traffic Manager
Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts the 'delete key', and then the 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.
Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).
Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.
Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').
Fix:
Behavior is as-expected when a transaction executes multiple commands (such as 'delete', 'create', 'modify') upon the same monitor-related object (pool, pool_member, node_address, monitor).
687759-2 : bd crash
Component: Application Security Manager
Symptoms:
A bd crash.
Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).
Impact:
bd crashes; system fails over; traffic disturbance occurs.
Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache
687658-2 : Monitor operations in transaction will cause it to stay unchecked
Component: TMOS
Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.
Conditions:
This only happens within transactions.
Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.
Impact:
Monitor state never returns to its correct value.
Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.
687603-1 : tmsh query for dns records may cause tmm to crash
Solution Article: K36243347
Component: Local Traffic Manager
Symptoms:
tmm experiences segmentation fault.
Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.
Impact:
Core file / system outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer experiences a segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query while the dns cache contains malformed records.
687534-3 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
Component: TMOS
Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool
Conditions:
This issue occurs when a pool name contains .. in the name.
Impact:
Cannot add a Member to the pool using the GUI.
Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following:
tmsh modify ltm pool <pool name> members add { <member info> }
Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.
687353-3 : Qkview truncates tmstat snapshot files
Solution Article: K35595105
Component: TMOS
Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.
Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).
Note: 5 MiB is the qkview utility's default maximum file size value.
Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.
Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0
687205-3 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
Component: Local Traffic Manager
Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.
Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.
Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.
Workaround:
None.
687193-1 : TMM may leak memory when processing SSL Forward Proxy traffic
Solution Article: K45325728
687128-3 : gtm::host iRule validation for ipv4 and ipv6 addresses
Component: Global Traffic Manager (DNS)
Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.
Conditions:
An AAAA-type wideip with an IPv4 gtm::host iRule, or an A-type wideip with an IPv6 gtm::host iRule.
Impact:
Incorrect host information was being returned.
Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.
Fix:
Fixed an issue that allowed incorrect gtm::host iRule commands to trigger on the wrong wideip types.
687115-1 : SNMP performance can be impacted by a long list of allowed-addresses
Component: TMOS
Symptoms:
If the SNMP configuration includes a long list of allowed-addresses in the configuration then it can impact SNMP performance.
Conditions:
-- The SNMP daemon consults a system file to determine whether a request can be serviced.
-- There is a long list of allowed addresses in the configuration.
Impact:
Potentially slow SNMP response.
Workaround:
Make the list of allowed addresses be the minimum set of your clients.
Fix:
The daemon code is now more efficient.
687098 : IPv6 RADIUS servers not supported for remote authentication
Component: TMOS
Symptoms:
Authenticating against an IPv6 RADIUS server is not supported; only IPv4 servers are supported.
Conditions:
This applies to remote authentication to log on to the BIG-IP system for management purposes.
Impact:
Logon operation will time out, as if the server did not respond.
Workaround:
Use an IPv4 server. If you have an IPv6 management IP, then you will need to have the IPv4 server reachable over a dataplane VLAN.
Fix:
Support for IPv6 RADIUS servers has been added.
686972-1 : The change of APM log settings will reset the SSL session cache.
Component: Local Traffic Manager
Symptoms:
If you change the configuration of APM log settings, the SSL session cache might be reset. Subsequent resumption of SSL sessions may then fail, so full SSL handshakes occur more frequently.
Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.
Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.
Workaround:
Follow this procedure:
1. Change the access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply the access policy.
Fix:
The change of APM log settings now limits its effect to the APM module instead of affecting another module's (SSL) data.
686926-3 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly
Component: TMOS
Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.
Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.
Impact:
The SA negotiation fails when a responder includes N(cookie) in an SA_INIT response, because the second response appears to have an out-of-order message ID: the BIG-IP system believes the first message_id of zero was already handled.
Workaround:
None.
Fix:
The BIG-IP system now correctly tracks the need to receive a second response with message_id zero to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.
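The exchange described above, simulated end to end. This is an added example, not F5 code: it models RFC 7296 section 2.6, where a responder under load answers IKE_SA_INIT with N(COOKIE), the initiator resends IKE_SA_INIT carrying that cookie, and both responses reuse Message ID 0. The `track_cookie_retry=False` path reproduces the pre-fix behaviour (Message ID 0 is treated as consumed after the first reply); the `True` path is the corrected tracking. Payload contents are reduced to flags; the cookie value and message classes are constructed for the model.

```python
"""IKEv2 IKE_SA_INIT with a responder COOKIE, simulated end to end."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IKE_SA_INIT = 34            # exchange type value from RFC 7296
N_COOKIE = "COOKIE"         # notify type, kept symbolic in this model
ERR_OUT_OF_ORDER = "out-of-order message id"


class ProtocolError(Exception):
    pass


@dataclass
class Msg:
    exchange: int
    msg_id: int
    response: bool
    notify: Dict[str, bytes] = field(default_factory=dict)
    sa: bool = False        # True when SA/KE/Nonce payloads are present


class Responder:
    """Responder under load: refuses DH work until the peer echoes its cookie."""

    def __init__(self, cookie: bytes):
        self.cookie = cookie

    def handle(self, req: Msg) -> Msg:
        if req.exchange != IKE_SA_INIT or req.msg_id != 0 or req.response:
            raise ProtocolError("unexpected request")
        if req.notify.get(N_COOKIE) != self.cookie:
            # First reply: Message ID 0, no SA payloads, just the cookie demand.
            return Msg(IKE_SA_INIT, 0, True, notify={N_COOKIE: self.cookie})
        # Second reply: also Message ID 0, this time with the real SA_INIT payloads.
        return Msg(IKE_SA_INIT, 0, True, sa=True)


class Initiator:
    def __init__(self, track_cookie_retry: bool):
        # track_cookie_retry=False reproduces the pre-fix behaviour.
        self.track_cookie_retry = track_cookie_retry
        self.expected_msg_id = 0
        self.established = False

    def first_request(self) -> Msg:
        return Msg(IKE_SA_INIT, 0, False)

    def handle(self, rsp: Msg) -> Optional[Msg]:
        """Return the next request to send, or None once IKE_SA_INIT is complete."""
        if rsp.msg_id != self.expected_msg_id:
            raise ProtocolError(ERR_OUT_OF_ORDER)
        if N_COOKIE in rsp.notify and not rsp.sa:
            if self.track_cookie_retry:
                # Fix: the exchange is still open; one more reply with Message ID 0 is due.
                self.expected_msg_id = 0
            else:
                # Pre-fix: Message ID 0 is treated as answered, so the window moves to 1.
                self.expected_msg_id = 1
            return Msg(IKE_SA_INIT, 0, False, notify={N_COOKIE: rsp.notify[N_COOKIE]})
        if rsp.sa:
            self.established = True
            self.expected_msg_id = 1      # IKE_AUTH is the next exchange
            return None
        raise ProtocolError("unexpected IKE_SA_INIT response")


def run_exchange(track_cookie_retry: bool) -> Tuple[bool, Optional[str]]:
    """Drive one initiator against a cookie-demanding responder.

    Returns (established, error_text)."""
    responder = Responder(cookie=b"\x11" * 16)     # constructed cookie value
    initiator = Initiator(track_cookie_retry)
    req: Optional[Msg] = initiator.first_request()
    try:
        while req is not None:
            req = initiator.handle(responder.handle(req))
    except ProtocolError as exc:
        return False, str(exc)
    return initiator.established, None


if __name__ == "__main__":
    print("pre-fix:", run_exchange(track_cookie_retry=False))   # (False, 'out-of-order message id')
    print("fixed:  ", run_exchange(track_cookie_retry=True))    # (True, None)
```

The point to take from the model is that the Message ID window must not advance on a reply that does not complete the exchange; a real implementation would also bound the number of cookie retries so a hostile responder cannot keep the initiator looping.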
686765-1 : Database cleaning failure may allow MySQL space to fill the disk entirely
Component: Application Security Manager
Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.
In /var/log/ts/asm_config_server.log you might see these errors repeatedly:
Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full
Conditions:
This occurs if database cleaning failures occur.
Impact:
Disk will fill up, and you will be unable to modify ASM policies.
686763-2 : asm_start is consuming too much memory
Component: Application Security Manager
Symptoms:
asm_start is consuming too much memory.
Conditions:
Roll forward a device with a large ASM configuration.
Impact:
Increased memory pressure on the device.
Workaround:
Run the following command: restart asm
Fix:
asm_start no longer increases its memory footprint during upgrade.
686685-1 : LTM Policy internal compilation error
Component: Local Traffic Manager
Symptoms:
To enable maximum performance, LTM Policies undergo a compilation process, where they are transformed to a compact binary representation. An issue was discovered where the transformation is being done incorrectly under certain circumstances.
Conditions:
While not common, certain LTM Policy combinations will be transformed to binary representation where certain internal parameters are incorrect.
Impact:
The tmm process may experience an unexpected restart, or a policy action may not run as expected.
Workaround:
None.
Fix:
LTM Policies are correctly transformed to their high-performance, compact binary representations.
686631-1 : Deselect a compression provider at the end of a job and reselect a provider for a new job
Component: Local Traffic Manager
Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.
Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.
Impact:
It affects the compression provider selection.
Workaround:
None.
Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.
686395 : With DTLS version1, when client hello uses version1.2, handshake shall proceed
Component: Local Traffic Manager
Symptoms:
With DTLS version 1, when the client hello uses version 1.2, the handshake fails with an "unsupported version" error.
Conditions:
DTLS version 1 handshake:
-- Handshake (record-layer) version 1.0 (0xfeff).
-- Client hello version 1.2 (0xfefd).
Impact:
DTLS handshakes fail for affected clients.
Workaround:
N/A
Fix:
The handshake now proceeds in this case instead of failing with an "unsupported version" error.
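The version check that this fix relaxes, worked through on a constructed ClientHello. This is an added example, not F5 code. In DTLS the record-layer version of the first flight is commonly {254,255} (DTLS 1.0) for compatibility while ClientHello.client_version advertises the highest version the client supports, e.g. {254,253} (DTLS 1.2); a server that requires the two to agree rejects a legitimate client, and the correct behaviour is to negotiate from client_version. Record and handshake layouts follow RFC 6347; the cipher-suite value and the zeroed random are constructed.

```python
"""Parse the version fields of a DTLS ClientHello record and decide whether to proceed."""
import struct
from typing import Optional, Tuple

DTLS_1_0 = (0xFE, 0xFF)
DTLS_1_2 = (0xFE, 0xFD)
CONTENT_HANDSHAKE = 22
MSG_CLIENT_HELLO = 1


def natural(version: Tuple[int, int]) -> Tuple[int, int]:
    """DTLS encodes versions as the one's complement of TLS's, so newer is
    numerically smaller; map to (major, minor) in ascending order for comparison."""
    return (255 - version[0], 255 - version[1])


def build_client_hello_record(record_version, client_version) -> bytes:
    """Constructed test vector: one unfragmented ClientHello in one record."""
    body = (bytes(client_version)
            + b"\x00" * 32          # random (constructed)
            + b"\x00"               # session_id length
            + b"\x00"               # cookie length
            + b"\x00\x02\xc0\x2b"   # one cipher suite
            + b"\x01\x00")          # one compression method: null
    handshake = (bytes([MSG_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
                 + (0).to_bytes(2, "big")          # message_seq
                 + (0).to_bytes(3, "big")          # fragment_offset
                 + len(body).to_bytes(3, "big")    # fragment_length
                 + body)
    return (bytes([CONTENT_HANDSHAKE]) + bytes(record_version)
            + (0).to_bytes(2, "big")               # epoch
            + (0).to_bytes(6, "big")               # 48-bit sequence number
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello_versions(record: bytes):
    """Return (record_version, client_version) as raw byte pairs."""
    if len(record) < 13:
        raise ValueError("truncated record header")
    ctype, rv_hi, rv_lo = record[0], record[1], record[2]
    length = struct.unpack("!H", record[11:13])[0]
    fragment = record[13:13 + length]
    if ctype != CONTENT_HANDSHAKE or len(fragment) != length:
        raise ValueError("not a complete handshake record")
    if len(fragment) < 12 or fragment[0] != MSG_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(fragment[1:4], "big")
    frag_len = int.from_bytes(fragment[9:12], "big")
    body = fragment[12:12 + frag_len]
    if body_len != frag_len or len(body) < 2 + 32:
        raise ValueError("ClientHello fragmented or truncated")
    return (rv_hi, rv_lo), (body[0], body[1])


def negotiate(record: bytes, server_max=DTLS_1_2, server_min=DTLS_1_0,
              require_matching_versions=False) -> Tuple[int, int]:
    """Pick the protocol version, returned as (major, minor) in natural order.

    require_matching_versions=True reproduces the pre-fix behaviour of refusing
    a ClientHello whose client_version differs from the record-layer version."""
    rec_v, hello_v = parse_client_hello_versions(record)
    if require_matching_versions and rec_v != hello_v:
        raise ValueError("unsupported version")
    chosen = min(natural(hello_v), natural(server_max))   # highest version both sides support
    if chosen < natural(server_min):
        raise ValueError("unsupported version")
    return chosen


def negotiation_error(record: bytes, **kwargs) -> Optional[str]:
    """The error text negotiate() would raise for this record, or None if it succeeds."""
    try:
        negotiate(record, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    rec = build_client_hello_record(DTLS_1_0, DTLS_1_2)   # the combination from the bug
    print(negotiate(rec, server_max=DTLS_1_0))   # (1, 0): a DTLS 1.0-only server still proceeds
    print(negotiate(rec))                        # (1, 2)
    print(negotiation_error(rec, require_matching_versions=True))   # unsupported version
```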
686389-3 : APM does not honor per-farm HTML5 client disabling at the View Connection Server
Component: Access Policy Manager
Symptoms:
The current logic for determining whether to offer the HTML5 client option works for Horizon 6.x (and earlier) but does not work for Horizon 7.x.
With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether the HTML5 client is enabled (absence of the <html-access-disabled/> tag). APM does not honor this flag, so it does not restrict the HTML5 client option to resources for which it has been enabled.
Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.
Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.
Workaround:
There is no workaround at this time.
Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.
Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.
686376-1 : Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
Component: Advanced Firewall Manager
Symptoms:
When there are scheduled firewall rules, and the BIG-IP system is restarted or PCCD daemon is restarted, new blob compilation succeeds, but TMM fails to activate the new blob. Both GUI and TMSH show error status: Firewall rules deployment failed. After the system gets in this state it cannot be fixed except by removing or disabling all scheduled firewall rules.
Conditions:
-- There are scheduled firewall rules.
-- The BIG-IP system is restarted or the PCCD daemon is restarted.
Impact:
After this failure, firewall rules are not applied on data traffic.
Workaround:
Remove or disable all scheduled firewall rules.
Fix:
The new blob is now activated and the new firewall rules are applied successfully after a restart.
686307-1 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
Solution Article: K10665315
Component: Local Traffic Manager
Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.
Note: Without LTM policies in the configuration, monitors upgrade without problem.
Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.
Impact:
Monitors may not work after upgrade.
Workaround:
No workaround at this time.
Fix:
This release addresses the underlying problem so the issue no longer occurs.
686305-2 : TMM may crash while processing SSL forward proxy traffic
Solution Article: K64552448
686282-1 : APMD intermittently crashes when processing access policies
Component: Access Policy Manager
Symptoms:
APMD process may crash intermittently (rare) when processing access policies.
Conditions:
This rarely encountered issue occurs when any one of the following conditions exist:
-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.
Impact:
APM end users cannot pass access policy, cannot login.
Workaround:
None.
Fix:
APMD no longer intermittently crashes when processing access policies.
686228-3 : TMM may crash in some circumstances with VLAN failsafe
Solution Article: K23243525
Component: Local Traffic Manager
Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic-generating mechanisms.
Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.
Impact:
A TMM core file may be produced. Traffic disrupted while tmm restarts.
Workaround:
Relax the timer to the default VLAN failsafe timer setting.
Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.
686124-3 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
Solution Article: K83576240
Component: TMOS
Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.
Conditions:
Events causing deletion of phase one IKE SAs.
Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.
Workaround:
None.
Fix:
Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.
686065-1 : RESOLV::lookup iRule command can trigger crash with slow resolver
Component: Local Traffic Manager
Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.
Conditions:
-- iRule with RESOLV::lookup.
-- Slow DNS resolver.
-- Thousands of connections triggering resolution of the same name.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove RESOLV::lookup from the workflow if it is not required.
Fix:
The scenario now works as expected and no longer results in a crash.
686059-1 : FDB entries for existing VLANs may be flushed when creating a new VLAN.
Component: Local Traffic Manager
Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.
Conditions:
- Creating a new VLAN with existing VLANs using trunk members.
- STP is enabled on its trunk member.
Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.
Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.
686029-1 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
Component: TMOS
Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.
Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.
Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.
Workaround:
None.
Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.
685955 : TMM hud_message_ctx leak
Component: Local Traffic Manager
Symptoms:
There is a TMM memory issue caused by leaked hud_message_ctx objects, each holding a websockets_frame.
Conditions:
Running WebSocket traffic that needs to be processed by a plugin like ASM.
Impact:
Increasing TMM memory usage leading to eventual service outage. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The memory leak in TMM has been fixed.
685862-2 : BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as SAML IdP and signing is configured, BIG-IP signs the message with the configured signing key but includes the last certificate from the configured signing certificate chain in the SAML protocol message. Expected behavior is to include the first certificate from the configured signing certificate chain.
The same applies to SAML SP generating SLO request/response messages.
Conditions:
All of the following:
- BIG-IP is used as SAML IdP, or as SAML SP with SLO configured.
- BIG-IP generates a signed SAML response containing an assertion, or an SLO request/response.
- The signing certificate configured on BIG-IP is a certificate chain (bundle), not a single certificate.
Impact:
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP.
Some implementations may drop a signed SAML message if the last certificate from the bundle is included in it. Other implementations accept such signed messages. Note that the signing operation itself is performed correctly by BIG-IP using the configured signing certificate, and the digital signature contains the correct value.
Workaround:
Instead of using a signing certificate chain, change the BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (a single X509 object) by extracting the first certificate from the chain.
Fix:
After the fix, BIG-IP includes the first certificate found within the configured signing certificate (chain).
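A check for which certificate of a bundle ends up in a signed SAML message, plus the extraction step from the workaround. This is an added example, not F5 code: it splits a PEM bundle in file order, pulls the ds:X509Certificate out of a Response/LogoutRequest, and reports its position in the bundle (0 = the first certificate, the one the signing key belongs to). The "certificates" are constructed byte strings, not real X.509 objects, and nothing here parses DER; the SAML skeleton is reduced to the KeyInfo element that matters.

```python
"""Which certificate of a configured bundle is embedded in a signed SAML message."""
import base64
import re
from typing import List, Optional

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
X509_RE = re.compile(
    r"<(?:ds:)?X509Certificate>\s*(.*?)\s*</(?:ds:)?X509Certificate>", re.S)


def certs_from_bundle(pem: str) -> List[bytes]:
    """DER bytes of every certificate, in the order they appear in the bundle."""
    return [base64.b64decode("".join(b64.split())) for b64 in PEM_CERT_RE.findall(pem)]


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


def first_cert_pem(bundle_pem: str) -> str:
    """The workaround: a standalone PEM holding only the bundle's first certificate."""
    certs = certs_from_bundle(bundle_pem)
    if not certs:
        raise ValueError("no certificate in bundle")
    return to_pem(certs[0])


def embedded_cert_position(saml_xml: str, bundle_pem: str) -> Optional[int]:
    """Index in the bundle of the certificate carried in ds:KeyInfo, or None if
    the message has no certificate or carries one that is not in the bundle."""
    m = X509_RE.search(saml_xml)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    certs = certs_from_bundle(bundle_pem)
    return certs.index(der) if der in certs else None


# Constructed bundle: leaf (signing certificate) first, then intermediate, then root.
LEAF = b"constructed leaf certificate bytes"
INTERMEDIATE = b"constructed intermediate certificate bytes"
ROOT = b"constructed root certificate bytes"
BUNDLE_PEM = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)


def signed_message(embedded_der: bytes) -> str:
    """Constructed skeleton of a signed SAML Response; only KeyInfo is relevant here."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            + base64.b64encode(embedded_der).decode() +
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</ds:Signature></samlp:Response>')


if __name__ == "__main__":
    print(embedded_cert_position(signed_message(ROOT), BUNDLE_PEM))   # 2: last cert, the pre-fix behaviour
    print(embedded_cert_position(signed_message(LEAF), BUNDLE_PEM))   # 0: expected behaviour
    print(certs_from_bundle(first_cert_pem(BUNDLE_PEM)) == [LEAF])    # True
```

On a real deployment, run embedded_cert_position() over a captured Response and the bundle exported from the BIG-IP; a result other than 0 means the peer will be validating the signature against the wrong certificate, which is exactly what makes strict implementations reject the message.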
685743-3 : When internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported
Component: Application Security Manager
Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.
Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.
Impact:
Requests might be blocked, and no reason is reported.
Workaround:
Reset internal 'request_buffer_size' to default.
Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.
685741 : DoS Overview is very slow to load data, to the point of timeout
Component: Application Visibility and Reporting
Symptoms:
When logs contain more than 1 million records, loading of attack data is extremely slow and requires many SQL queries.
Conditions:
N/A
Impact:
DoS Overview page is unusable
Workaround:
N/A
Fix:
The fix revolved around combining all the required data into a couple of queries instead of sending distinct queries for every attack.
685708-3 : Routing via iRule to a host without providing a transport from a transport-config created connection cores
Component: Service Provider
Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.
Conditions:
The connection receiving the request was created using a transport-config, and an iRule issues the MR::message route command without specifying a transport to use (virtual or config).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.
Fix:
The system will no longer core.
685693 : APM AppTunnels memory leak
Component: Wan Optimization Manager
Symptoms:
Using APM AppTunnels causes a slow memory leak.
Conditions:
Use of APM AppTunnels.
Impact:
The slow memory leak exhausts tmm memory over time. Traffic disrupted when tmm restarts.
Workaround:
None.
Fix:
The memory leak has been corrected.
685615-5 : Incorrect source mac for TCP Reset with vlangroup for host traffic
Solution Article: K24447043
Component: Local Traffic Manager
Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.
Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.
Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.
Workaround:
Use transparent mode on the VLAN group.
Fix:
source-mac-address for host traffic is correctly set.
685582-5 : Incorrect output of b64 unit key hash by command f5mku -f
Component: TMOS
Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.
Conditions:
Viewing output of 'f5mku -f' command.
Impact:
Inconsistent output of the b64 unit key.
Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:
f5mku -vf
For example:
# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...
Fix:
The unit key hash is now the correct length and is consistent upon each 'f5mku -f' command.
685519-3 : Mirrored connections ignore the handshake timeout
Component: Local Traffic Manager
Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.
Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.
Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.
Workaround:
None.
Fix:
Mirrored connections now honor the TCP handshake timeout.
685475-3 : Unexpected error when applying hotfix
Solution Article: K93145012
Component: TMOS
Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIG-IP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.
Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.
For example, to apply 'Hotfix-BIG-IP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIG-IP-11.6.1.0.0.317.iso'.
Here is another example, on a multi-bladed VIPRION system (the issue is resolved by running 12.1.3.6):
1) Install and boot into 12.0.0 on the VIPRION system:
-- install /sys software image 12.0.0.iso create-volume volume HD1.test
-- reboot volume HD1.test
2) Install and boot into 12.1.2.0.402.249:
-- install /sys software hotfix Hotfix-BIG-IP-12.1.2.0.402.249-ENG.iso create-volume volume HD1.test2
-- reboot volume HD1.test2
3) Delete 12.0.0.iso and volume HD1.test:
-- delete sys software image 12.0.0.iso
-- delete sys software volume HD1.test
4) Copy over Hotfix-BIG-IP-13.1.0.7.0.17.1-ENG.iso without the 13.1.0.7 base image.
5) Check the /var/log/ltm logs for the following message:
-- lind[6288]: 013c0006:5: Image (BIG-IP-12.0.0.0.0.606.iso) has a software image entry in MCP database but does not exist on the filesystem.
Impact:
Cannot apply hotfix until the full base image is present.
Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation operation again.
Fix:
Issuing a 'install hotfix' command when the base image is not available sends the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.
685467-2 : Certain header manipulations in HTTP profile may result in losing connection.
Solution Article: K12933087
Component: Local Traffic Manager
Symptoms:
The HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarded to a pool member. When a virtual server has an iRule with a collect command such as SSL::collect, it is affected by the HTTP profile processing. The same issue occurs with the 'Request Header Erase' option available in the HTTP profile.
Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).
Impact:
TCP connection is reset, and no response is provided to a client.
Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.
Fix:
Connections are no longer reset because of the configuration options 'Insert X-Forwarded-For' and 'Request Header Erase' in the HTTP profile.
685458-5 : merged fails merging a table when a table row has incomplete keys defined.
Solution Article: K44738140
Component: TMOS
Symptoms:
There is a timing issue in merged where it fails to process a table row with incomplete keys defined.
Conditions:
There are no specific conditions required, only that merged is running, which is true on every BIG-IP system, when the BIG-IP system is processing a table row with incomplete keys defined.
Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.
Impact:
There will be a few second gap in available statistics during the time when a core is being created and merged restarts.
Workaround:
None.
Fix:
merged now detects this scenario, a table row with incomplete keys defined, and does not fail.
685344-2 : Monitor 'min 1 of' not working as expected with FQDN nodes/members
Component: Local Traffic Manager
Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.
Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.
Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.
Workaround:
To configure a pool with 'min 1 of {...}', specify static pool members; do not use FQDN to configure pool members.
Fix:
A pool with FQDN configured nodes/members and specified with a monitor of 'min 1 of {...}' remains available as long as a single pool member remains up.
This issue is resolved by the FQDNv2 feature re-implementation.
685254-1 : RAM Cache Exceeding Watchdog Timeout in Header Field Search
Solution Article: K14013100
Component: Local Traffic Manager
Symptoms:
SOD halts TMM while RAM cache is processing a header.
Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.
Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.
Workaround:
No workaround at this time.
Fix:
SOD no longer halts TMM while RAM cache is processing a header.
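The two search shapes behind this watchdog timeout, side by side. This is an added example, not F5 code. The buffer is constructed: a request header block followed by a long run of non-NUL bytes that stands in for whatever happens to sit in memory after the header. The unbounded search does not know where the header value ends, so when the cached tag is absent it keeps scanning until it meets a NUL or a stray copy of the tag; the bounded search stops at the field boundary and returns a clean miss.

```python
"""Bounded vs unbounded search for an ETag inside a header field."""
from typing import Optional, Tuple


def find_etag_unbounded(memory: bytes, start: int, etag: bytes) -> Tuple[Optional[int], int]:
    """Pre-fix shape: scan from the field start until the tag matches or a NUL is seen.
    Returns (match offset or None, number of positions examined)."""
    i = start
    steps = 0
    while i < len(memory) and memory[i] != 0:
        steps += 1
        if memory.startswith(etag, i):
            return i, steps
        i += 1
    return None, steps


def find_etag_bounded(memory: bytes, start: int, end: int, etag: bytes) -> Optional[int]:
    """Fix: search only [start, end), the extent of the header value. bytes.find
    with an end bound only reports matches that lie entirely inside the range."""
    if not (0 <= start <= end <= len(memory)):
        raise ValueError("bounds outside buffer")
    pos = memory.find(etag, start, end)
    return pos if pos != -1 else None


def header_value_bounds(buf: bytes, name: bytes) -> Tuple[int, int]:
    """Locate the value of header `name` in a CRLF-delimited header block."""
    key = name + b": "
    start = buf.find(key)
    if start == -1:
        raise KeyError(name)
    start += len(key)
    end = buf.find(b"\r\n", start)
    return start, (len(buf) if end == -1 else end)


# Constructed buffer: the request headers, then 200 KB of unrelated bytes that
# contain no NUL, then a different ETag that the cache happens to hold.
HEADERS = (b"GET /img.png HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b'If-None-Match: "v2-deadbeef"\r\n'
           b"\r\n")
MEMORY = HEADERS + b"A" * 200_000 + b'"v7-cafebabe"' + b"\x00"
CACHED_ETAG = b'"v7-cafebabe"'       # the tag the cache holds for this object


if __name__ == "__main__":
    start, end = header_value_bounds(MEMORY, b"If-None-Match")
    # Unbounded: walks the whole 200 KB and reports a match that is not in the header at all.
    print(find_etag_unbounded(MEMORY, start, CACHED_ETAG))
    # Bounded: the request's tag does not match the cached one, so the answer is a miss.
    print(find_etag_bounded(MEMORY, start, end, CACHED_ETAG))
```

The bounded variant is both the correctness fix (no false match from bytes outside the field) and the latency fix: the work done is proportional to the header value, so no watchdog is tripped however large the surrounding buffer is.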
685230-1 : memory leak on a specific server scenario
Component: Application Security Manager
Symptoms:
The bd process memory increases.
Conditions:
A specific server scenario of handling the traffic.
Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.
Workaround:
There is no workaround at this time.
Fix:
A memory leak related to a specific server scenario was fixed.
685207-2 : DoS client side challenge does not encode the Referer header.
Component: Application Security Manager
Symptoms:
XSS reflection when the DoS client-side challenge is enabled as a mitigation, or proactive bot defense is enabled.
Conditions:
1. From the client IP address, send the ab request to start the DoS attack.
2. Once the DoS attack starts, send a curl request containing:
hl=en&q=drpdrp'-alert(1)-'drpdrp"
3. The unencoded Referer header is visible in the challenge response.
Impact:
The XSS reflection occurs after triggering the DoS attack.
Workaround:
None.
Fix:
DoS client side challenge now encodes the Referer header.
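What "encodes the Referer" has to mean for a challenge page, shown as the unsafe template beside the encoded one. This is an added example, not F5 code. A client-side challenge typically carries the original request's Referer so the browser can return to it afterwards; if that value is pasted into a JavaScript string literal verbatim, a Referer such as the one in the conditions above closes the literal and runs script. Encoding for the context the value lands in (a JS string literal here, HTML attribute text as a second case) removes the reflection while preserving the value. The template text and the hostname in the payload are constructed.

```python
"""Reflecting the Referer into a challenge page: unsafe template vs encoded."""
import html
import json
import re

# The query string from the conditions above, on a constructed host.
PAYLOAD_REFERER = "https://app.example.test/search?hl=en&q=drpdrp'-alert(1)-'drpdrp"


def challenge_page_unsafe(referer: str) -> str:
    """Pre-fix shape: the raw value inside a single-quoted JS string literal."""
    return ("<html><body><script>var back = '" + referer + "';"
            "setTimeout(function(){location.replace(back);}, 100);</script></body></html>")


def js_string_literal(value: str) -> str:
    """A JSON string literal is a valid JS string literal with quotes and
    backslashes escaped (non-ASCII is \\uXXXX-escaped by json.dumps). On top of
    that, escape the characters an HTML parser reacts to inside <script>, and
    the single quote as defence in depth should a template switch quote style."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026").replace("'", "\\u0027"))


def challenge_page_safe(referer: str) -> str:
    """Fix: the value is encoded for the JS-string context it is placed in."""
    return ("<html><body><script>var back = " + js_string_literal(referer) + ";"
            "setTimeout(function(){location.replace(back);}, 100);</script></body></html>")


def challenge_link_safe(referer: str) -> str:
    """Same value in an HTML attribute: entity-encode for that context instead."""
    return '<a href="' + html.escape(referer, quote=True) + '">continue</a>'


_BACK_RE = re.compile(r"var back = (.*?);setTimeout")


def recovered_referer(page: str) -> str:
    """The value a JS engine sees for `back` in a page built by challenge_page_safe()."""
    return json.loads(_BACK_RE.search(page).group(1))


if __name__ == "__main__":
    print(challenge_page_unsafe(PAYLOAD_REFERER))   # the quote in the Referer ends the literal
    print(challenge_page_safe(PAYLOAD_REFERER))     # the literal survives intact
    print(recovered_referer(challenge_page_safe(PAYLOAD_REFERER)) == PAYLOAD_REFERER)   # True
```

The check worth keeping from this is recovered_referer(): an encoding is only correct if decoding in the target context gives back exactly the original value, which rules out ad-hoc stripping of quote characters.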
685164-3 : In partitions with default route domain != 0 request log is not showing requests
Solution Article: K34646484
Component: Application Security Manager
Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.
Conditions:
Select a partition whose default route domain is not 0 (zero).
Impact:
No requests in request log.
Workaround:
As a partial workaround, you can use [All], but it's read only.
Fix:
Fixed filter by Source IP, which worked incorrectly in partitions whose default route domain was not 0 (zero).
685110-3 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
Solution Article: K05430133
Component: Local Traffic Manager
Symptoms:
1. FQDN Node/pools fails to populate with members.
2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:
err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.
Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.
Impact:
Unable to use FQDN nodes/pool members with a non-LTM license.
Workaround:
None.
Fix:
With a non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.
685020-1 : Enhancement to SessionDB provides timeout
Component: TMOS
Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.
Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.
Impact:
Calls made to SessionDB never return from the remote TMM.
Workaround:
None.
Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Its definition follows.
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Its definition follows.
# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|
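The mechanism the fix describes, modelled in a small client. This is an added example, not F5 code: every in-flight request is remembered, the caller waits at most `timeout` seconds (2 by default, matching the fix), a missing reply yields ERR_TIMEOUT and the record is removed so nothing is leaked, and a reply that turns up after the timeout is dropped rather than matched to a caller that has already gone. RemoteTmmStub is a constructed stand-in for the remote TMM; the request/reply wire format is not modelled.

```python
"""Timing out a remote SessionDB call without leaking the pending request."""
import itertools
import threading
import time
from typing import Any, Dict, Optional, Tuple

ERR_TIMEOUT = "ERR_TIMEOUT"


class RemoteTmmStub:
    """Answers each request after `delay` seconds; delay=None models a lost request."""

    def __init__(self, delay: Optional[float]):
        self.delay = delay
        self.table: Dict[str, Any] = {}

    def send(self, client: "SessionDBClient", req_id: int, op: str, key: str, value: Any) -> None:
        if op in ("add", "update"):
            self.table[key] = value
            result: Any = True
        elif op == "delete":
            result = self.table.pop(key, None) is not None
        elif op == "lookup":
            result = self.table.get(key)
        else:
            result = None
        if self.delay is None:
            return                       # subsystem failure: no reply will ever arrive
        threading.Timer(self.delay, client.deliver, args=(req_id, result)).start()


class SessionDBClient:
    def __init__(self, remote: RemoteTmmStub, timeout: float = 2.0):
        self.remote = remote
        self.timeout = timeout
        self._ids = itertools.count(1)
        self._lock = threading.Lock()
        self._pending: Dict[int, dict] = {}   # every outstanding request is remembered here

    def call(self, op: str, key: str, value: Any = None) -> Tuple[str, Any]:
        """Issue add/update/delete/lookup; returns ("OK", result) or (ERR_TIMEOUT, None)."""
        req_id = next(self._ids)
        entry = {"done": threading.Event(), "result": None}
        with self._lock:
            self._pending[req_id] = entry
        self.remote.send(self, req_id, op, key, value)
        if not entry["done"].wait(self.timeout):
            with self._lock:
                self._pending.pop(req_id, None)   # give up and forget it: no leak
            return ERR_TIMEOUT, None
        return "OK", entry["result"]

    def deliver(self, req_id: int, result: Any) -> None:
        """Reply handler; may run after the caller has already timed out."""
        with self._lock:
            entry = self._pending.pop(req_id, None)
        if entry is None:
            return                       # late reply for a timed-out request: discarded
        entry["result"] = result
        entry["done"].set()

    def pending_count(self) -> int:
        with self._lock:
            return len(self._pending)


def pending_after(client: SessionDBClient, seconds: float) -> int:
    """Outstanding requests left once any late replies have had time to arrive."""
    time.sleep(seconds)
    return client.pending_count()


if __name__ == "__main__":
    healthy = SessionDBClient(RemoteTmmStub(delay=0.01), timeout=2.0)
    print(healthy.call("add", "sess1", {"user": "alice"}))   # ('OK', True)
    print(healthy.call("lookup", "sess1"))                   # ('OK', {'user': 'alice'})
    dead = SessionDBClient(RemoteTmmStub(delay=None), timeout=0.2)
    print(dead.call("lookup", "sess1"), dead.pending_count())   # ('ERR_TIMEOUT', None) 0
```

The iRule-side consequence is that table commands can now return an error instead of hanging; a rule that does not check for it will simply see an empty result.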
684937-6 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
Solution Article: K26451305
Component: Access Policy Manager
Symptoms:
APM performance when handling HTTP requests drops gradually over time when Kerberos SSO is being used.
The websso process CPU usage is very high during this time. The latency can vary between APM end users.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets; the latency of HTTP request processing has been significantly improved.
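A ticket cache whose cost does not grow with the number of cached users, next to the shape whose cost does. This is an added example, not F5 code: NaiveListCache is a list scanned front to back on every lookup, with the hit moved to the end to track recency, so its work grows linearly with the number of entries; KerberosTicketCache keeps the same LRU semantics and the lifetime bound (the workaround above lowers it) in an OrderedDict, so get() and put() stay O(1) however many users are logged on. Tickets are constructed opaque strings and the clock is injectable for testing.

```python
"""LRU ticket cache with a lifetime bound: O(1) operations regardless of size."""
import time
from collections import OrderedDict
from typing import Callable, List, Optional, Tuple


class NaiveListCache:
    """The shape that degrades: a recency-ordered list scanned on every access."""

    def __init__(self, max_entries: int):
        self.max_entries = max_entries
        self._items: List[Tuple[str, str]] = []   # (user, ticket), oldest first
        self.probes = 0                            # comparisons made, to expose the cost

    def get(self, user: str) -> Optional[str]:
        for idx, (u, ticket) in enumerate(self._items):
            self.probes += 1
            if u == user:
                self._items.append(self._items.pop(idx))   # O(n) move to most recent
                return ticket
        return None

    def put(self, user: str, ticket: str) -> None:
        for idx, (u, _) in enumerate(self._items):
            self.probes += 1
            if u == user:
                del self._items[idx]
                break
        self._items.append((user, ticket))
        if len(self._items) > self.max_entries:
            self._items.pop(0)


class KerberosTicketCache:
    """LRU with per-entry expiry. OrderedDict gives O(1) lookup, recency update and eviction."""

    def __init__(self, max_entries: int, lifetime_s: float,
                 clock: Callable[[], float] = time.monotonic):
        self.max_entries = max_entries
        self.lifetime_s = lifetime_s
        self.clock = clock
        self._items: "OrderedDict[str, Tuple[str, float]]" = OrderedDict()  # user -> (ticket, expires_at)
        self.evicted = 0
        self.expired = 0

    def get(self, user: str) -> Optional[str]:
        entry = self._items.get(user)
        if entry is None:
            return None
        ticket, expires_at = entry
        if expires_at <= self.clock():
            del self._items[user]          # lifetime exceeded: drop, caller re-fetches
            self.expired += 1
            return None
        self._items.move_to_end(user)      # O(1) recency update
        return ticket

    def put(self, user: str, ticket: str) -> None:
        self._items[user] = (ticket, self.clock() + self.lifetime_s)
        self._items.move_to_end(user)
        while len(self._items) > self.max_entries:
            self._items.popitem(last=False)   # least recently used goes first
            self.evicted += 1

    def __len__(self) -> int:
        return len(self._items)


class FakeClock:
    """Deterministic clock for exercising expiry."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def naive_lookup_cost(n_users: int, user_index: int) -> int:
    """Probes NaiveListCache needs to find user number user_index among n_users."""
    cache = NaiveListCache(max_entries=n_users)
    for i in range(n_users):
        cache.put(f"user{i}", f"ticket-{i}")
    cache.probes = 0
    cache.get(f"user{user_index}")
    return cache.probes


if __name__ == "__main__":
    print(naive_lookup_cost(300, 299), naive_lookup_cost(3000, 2999))   # 300 3000: grows with users
    clk = FakeClock()
    cache = KerberosTicketCache(max_entries=2, lifetime_s=600, clock=clk)
    cache.put("alice", "t-a")
    cache.put("bob", "t-b")
    cache.get("alice")           # alice is now most recent
    cache.put("carol", "t-c")    # bob, least recently used, is evicted
    clk.now = 601
    print(cache.get("alice"), cache.evicted, cache.expired)   # None 1 1
```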
684879-2 : TMM may crash while processing TLS traffic
Solution Article: K02714910
684414-1 : Retrieving too many groups is causing out of memory errors in TMUI and VPE
Component: Access Policy Manager
Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502 and VPE fails with HTTP 500.
Conditions:
LDAP/AD server with over 20,000 groups.
Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.
Workaround:
The only solution is to remove /shared/tmp/gmcache folder and use manual groupmapping.
Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.
684391-1 : Existing IPsec tunnels reload. tmipsecd creates a core file.
Component: TMOS
Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.
Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.
Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.
Workaround:
None.
Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.
684333-3 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command
Component: Policy Enforcement Manager
Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.
Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.
Impact:
PEM session created using Gx may get deleted.
Workaround:
Initiate failover using alternate commands, such as the following:
tmm big start restart.
684325-3 : APMD Memory leak when applying a specific access profile
Component: Access Policy Manager
Symptoms:
When an access profile has a CheckMachineCert agent, each update of the profile using 'Apply access policy' leaks 12096 bytes of memory.
Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.
Impact:
The APMD process stops after repeated application of the access policy.
Workaround:
None.
Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.
684319-2 : iRule execution logging
Component: Local Traffic Manager
Symptoms:
iRule execution can block tmm from getting CPU cycles.
Conditions:
When an iRule's Tcl runs for too long, for example in a tight while loop, tmm misses sending its heartbeat. This change adds logging around this condition.
Impact:
Logging now identifies the offending iRule.
Workaround:
No workaround.
Fix:
tmm now logs the following messages when the configurable execution limit is exceeded:
notice tmm9[20262]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 631 ticks (192.168.24.24:38169 -> 10.209.31.20:80 TCP)
notice tmm9[20262]: 01010029:5: Clock advanced by 632 ticks
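Turning those messages into a ranked list of offenders. This is an added example, not F5 code: it parses the 01010338 "execution ran for N ticks" line and the 01010029 "Clock advanced" line, then aggregates per virtual server, iRule and event. The two lines from the fix text are the input, together with constructed lines in the same format (the syslog timestamp/host prefix, the second virtual server, the extra client addresses and the unrelated line are all constructed).

```python
"""Rank iRules by execution-limit violations from tmm log lines."""
import re
from typing import Dict, Iterable, List, Optional

IRULE_RE = re.compile(
    r"(?P<proc>tmm\d*)\[(?P<pid>\d+)\]: 01010338:5: Virtual (?P<virtual>\S+) "
    r"iRule (?P<irule>\S+) <(?P<event>[^>]+)> execution ran for (?P<ticks>\d+) ticks "
    r"\((?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\w+)\)")
CLOCK_RE = re.compile(
    r"(?P<proc>tmm\d*)\[(?P<pid>\d+)\]: 01010029:5: Clock advanced by (?P<ticks>\d+) ticks")


def parse_irule_line(line: str) -> Optional[dict]:
    """Fields of an 01010338 line, or None for any other line."""
    m = IRULE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ticks"] = int(rec["ticks"])
    rec["pid"] = int(rec["pid"])
    return rec


def parse_clock_line(line: str) -> Optional[dict]:
    """Fields of an 01010029 line, or None for any other line."""
    m = CLOCK_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ticks"] = int(rec["ticks"])
    rec["pid"] = int(rec["pid"])
    return rec


def summarize(lines: Iterable[str], min_ticks: int = 0) -> List[dict]:
    """Per (virtual, iRule, event): count, worst and total ticks, distinct client IPs.
    Sorted worst first. min_ticks drops violations below a threshold of interest."""
    agg: Dict[tuple, dict] = {}
    for line in lines:
        rec = parse_irule_line(line)
        if rec is None or rec["ticks"] < min_ticks:
            continue
        key = (rec["virtual"], rec["irule"], rec["event"])
        row = agg.setdefault(key, {
            "virtual": rec["virtual"], "irule": rec["irule"], "event": rec["event"],
            "count": 0, "max_ticks": 0, "total_ticks": 0, "clients": set()})
        row["count"] += 1
        row["max_ticks"] = max(row["max_ticks"], rec["ticks"])
        row["total_ticks"] += rec["ticks"]
        row["clients"].add(rec["src"].rsplit(":", 1)[0])   # strip the source port
    rows = sorted(agg.values(), key=lambda r: (-r["max_ticks"], -r["total_ticks"]))
    for row in rows:
        row["clients"] = sorted(row["clients"])
    return rows


# Constructed sample: the two lines quoted in the fix text plus lines in the same format.
SAMPLE_LOG = """\
Jan 14 10:22:31 bigip1 notice tmm9[20262]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 631 ticks (192.168.24.24:38169 -> 10.209.31.20:80 TCP)
Jan 14 10:22:31 bigip1 notice tmm9[20262]: 01010029:5: Clock advanced by 632 ticks
Jan 14 10:22:35 bigip1 notice tmm3[20256]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 210 ticks (192.168.24.25:51002 -> 10.209.31.20:80 TCP)
Jan 14 10:22:40 bigip1 notice tmm1[20254]: 01010338:5: Virtual /Common/api_vs iRule /Common/rewrite_path <HTTP_RESPONSE> execution ran for 45 ticks (10.1.1.7:44120 -> 10.209.31.21:443 TCP)
Jan 14 10:22:41 bigip1 notice mcpd[5520]: constructed unrelated line that must be ignored
"""


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        print(row["max_ticks"], row["count"], row["virtual"], row["irule"], row["event"], row["clients"])
```

Where a single client IP accounts for most violations of one rule, the problem is input-dependent rule cost rather than the rule itself, which is the distinction to make before deciding between rewriting the iRule and rate-limiting the source.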
684312-2 : During Apply Policy action, bd agent crashes, causing the machine to go Offline
Solution Article: K54140729
Component: Application Security Manager
Symptoms:
During the Apply Policy action, bd_agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------
This causes the bd and bd_agent processes to restart, and the machine goes Offline.
Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data is loaded during an Apply Policy action.
Impact:
The bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.
Workaround:
None.
Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.
684033-1 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
Solution Article: K70084351
683697-3 : SASP monitor may use the same UID for multiple HA device group members
Solution Article: K00647240
Component: Local Traffic Manager
Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.
The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.
Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.
It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).
Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.
Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration, https://support.f5.com/csp/article/K13030) allows recovery from this condition.
It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.
Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.
683683-1 : ASN1::encode returns wrong binary data
Component: Local Traffic Manager
Symptoms:
ASN1::encode returns incorrect data for certain integer values. For example, for integer 49280, ASN1::encode returns 02030000.
Conditions:
The problem happens in an implicit UTF encoding/decoding step, and it is not obvious which data triggers the error.
The command implicitly converts the Tcl object type from byte array to string and later back to byte array, and because of the UTF-8 decoding algorithm, certain byte sequences are changed in the process.
Impact:
The returned binary is wrong.
Workaround:
Use binary scan for the value that is incorrectly encoded by the command.
Fix:
ASN1::encode (ENCODE mode) now avoids the implicit type conversion from byte array to string and back to byte array, which altered the original byte array during UTF-8 decoding.
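As an added example (not F5 code, and not the ASN1::encode implementation), the following shows what a correct DER INTEGER encoding of 49280 looks like and a strict decoder that rejects the truncated 02030000 output quoted above, which is the kind of check worth running on encoder output before it goes on the wire. The encoder, decoder and sample values are constructed for this illustration.

```python
"""Constructed example: DER INTEGER encoding plus a strict decoder/validator."""
from typing import Tuple


def der_encode_integer(value: int) -> bytes:
    """Encode an int as a DER INTEGER (tag 0x02).

    DER content is the minimal big-endian two's complement representation.
    A positive value whose top bit is set (such as 49280 = 0xC080) therefore
    needs a leading 0x00 so it is not read back as a negative number.
    """
    if value >= 0:
        nbits = value.bit_length() + 1          # +1 for the sign bit
    else:
        nbits = (-value - 1).bit_length() + 1
    nbytes = (nbits + 7) // 8
    content = value.to_bytes(nbytes, "big", signed=True)
    return b"\x02" + _der_length(len(content)) + content


def _der_length(n: int) -> bytes:
    """Definite-form length: short form below 128, otherwise 0x8N + N bytes."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_decode_integer(buf: bytes) -> Tuple[int, int]:
    """Decode one DER INTEGER; return (value, bytes_consumed).

    Raises ValueError on anything that is not a well-formed, minimal DER
    INTEGER, including a length field that promises more bytes than exist.
    """
    if len(buf) < 2:
        raise ValueError("truncated: no tag/length")
    if buf[0] != 0x02:
        raise ValueError("tag 0x%02x is not INTEGER" % buf[0])
    first = buf[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        nlen = first & 0x7F
        if nlen == 0 or nlen > 4:
            raise ValueError("unsupported length form")
        if len(buf) < 2 + nlen:
            raise ValueError("truncated: length bytes missing")
        length = int.from_bytes(buf[2:2 + nlen], "big")
        if length < 0x80 or buf[2] == 0:
            raise ValueError("non-minimal length encoding")
        pos = 2 + nlen
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated: length says %d, only %d bytes present"
                         % (length, len(content)))
    if length == 0:
        raise ValueError("empty INTEGER content")
    if length > 1:
        if content[0] == 0x00 and not content[1] & 0x80:
            raise ValueError("non-minimal: redundant leading 0x00")
        if content[0] == 0xFF and content[1] & 0x80:
            raise ValueError("non-minimal: redundant leading 0xFF")
    return int.from_bytes(content, "big", signed=True), pos + length


def check_der_integer(buf: bytes) -> str:
    """Return 'ok' or 'invalid: <reason>' for bytes claimed to be a DER INTEGER."""
    try:
        der_decode_integer(buf)
        return "ok"
    except ValueError as exc:
        return "invalid: %s" % exc


if __name__ == "__main__":
    good = der_encode_integer(49280)
    print(good.hex())                               # 020300c080
    print(check_der_integer(good))                  # ok
    print(check_der_integer(bytes.fromhex("02030000")))  # invalid: truncated ...
```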
683631-1 : TMM crashes during stress test
Component: Local Traffic Manager
Symptoms:
During stress/load testing with a large number of connections that triggers flow sweeping, TMM restarts.
Conditions:
A large number of connections are seen, which triggers an expansion of the connflow hash table at the same time the connflow sweeper is active.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Connflow removal from the internal hash table is deferred until the entire bucket is processed.
683508-3 : WebSockets: umu memory leak of binary frames when remote logger is configured
Solution Article: K00152663
Component: Application Security Manager
Symptoms:
ASM out of memory error messages in /var/log/asm.
Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.
Impact:
ASM out of memory, memory leak.
Workaround:
Remove ASM remote logging profile from a virtual server.
Fix:
This release correctly releases unused memory after a WebSocket message is sent to the logging destination.
683389-1 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
Component: Access Policy Manager
Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.
Conditions:
Attempt to create local SharedObject.
Impact:
Affected Flash applications are not working when accessed through Portal Access.
Workaround:
None.
Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.
683241-3 : Improve CSRF token handling
Solution Article: K70517410
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
Workaround:
None.
Fix:
CSRF token handling now follows current best practices.
683114-1 : Need support for 4th element version in Update Check
Component: TMOS
Symptoms:
Previously, Update Check did not support a 4th version element.
Conditions:
Using Update Check.
Impact:
No 4th element version support provided.
Workaround:
None.
Fix:
There is now 4th element version support in Update Check.
683113-6 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
Solution Article: K22904904
Component: Access Policy Manager
Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.
Websso CPU usage is very high.
The BIG-IP system response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.
Conditions:
-- Running APM.
-- A large number of APM end users (~20K) have logged on and are using Kerberos SSO.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.
682837 : Compression watchdog period too brief.
Component: TMOS
Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.
Conditions:
Very high sustained system-wide compression request traffic.
Impact:
Accelerated compression throughput can drop significantly; some flows dropped.
Workaround:
Switch to software compression.
Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.
682682-3 : tmm asserts on a virtual server-to-virtual server connection
Component: Local Traffic Manager
Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.
Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.
Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.
Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.
682612 : Event Correlation is disabled on vCMP even though all the prerequisites are met.
Component: Application Security Manager
Symptoms:
The GUI screen Security :: Event Logs : Application : Event Correlation reports the message: Event Correlation is not supported on this platform.
Conditions:
Multi-bladed vCMP guest, running on a BIG-IP system with SSD drives, having only one available slot (other slots appear offline/unavailable).
Impact:
Under these conditions, Event Correlation is disabled.
Workaround:
The following workaround does not survive ASM restart.
Thus, it has to be executed after every restart of ASM:
------------------------
# perl -MF5::ASMReady -MF5::Cfg -e 'while (! F5::ASMReady::is_asm_ready()) { print "Waiting for ASM to be ready.\n"; sleep 5; }; print "ASM is ready, patching Event Correlation cfg file\n"; F5::Cfg::cfg_set_config_item(qw{/etc/ts/correlation/correlation.cfg}, qw{General}, qw{Idle}, 0)'
# pkill -f correlation
------------------------
Event Correlation should start within ~15 seconds after executing this workaround:
------------------------
# ps -elf | grep correlation
0 S root ... /usr/share/ts/bin/correlation
------------------------
Fix:
Event Correlation is now enabled on a multi-bladed SSD vCMP guest with only one active slot.
682500-1 : VDI Profile and Storefront Portal Access resource do not work together
Component: Access Policy Manager
Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.
Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.
Impact:
Citrix Storefront portal access resource cannot be used to launch applications.
Workaround:
None.
Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.
682335-3 : TMM can establish multiple connections to the same gtmd
Component: Global Traffic Manager (DNS)
Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.
Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If there is an existing connflow, TMM no longer starts another connection.
682213-3 : TLS v1.2 support in IP reputation daemon
Solution Article: K31623549
Component: TMOS
Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.
Conditions:
This occurs when using IP reputation.
Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also, some configurations might require that all transactions leaving a PCI-controlled environment use secure protocols and ciphers, which is not the case for IP reputation services.
Workaround:
None.
Fix:
Webroot updated the BrightCloud servers to support TLS 1.2. This is additional support: to preserve backward compatibility, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.
In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.
682105 : Adding widget in Analytics Overview can cause measures list to empty out on Page change
Component: Application Visibility and Reporting
Symptoms:
When adding a new widget on Analytics Overview page with multiple modules (e.g., vCMP, Security), it is possible to reach a state in which the list of available measures is empty.
Conditions:
-- All 'available measurements' are selected (moved left).
-- The page is changed.
Impact:
In some cases (like in vCMP when changing from Network to SynCookies), the list of available measurements will remain empty. Unable to select measures to display in new widget.
Workaround:
To reset the list of measures so that all measures are visible again, switch to another page and return to the previous one right away.
682104-1 : HTTP PSM leaks memory when looking up evasion descriptions
Component: Local Traffic Manager
Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.
Conditions:
When PSM looks up evasion descriptions.
Impact:
Memory is leaked on each lookup, which might eventually cause TMM to run out of memory.
Workaround:
None.
Fix:
The memory leak no longer occurs.
681850-1 : APMD process may fail to initialize on start either after upgrade or after adding certain configurations
Component: Access Policy Manager
Symptoms:
APMD process may fail at initialization time with errors similar to the following:
-- createAgent - initInstance() failed for agent xxx_saml_auth_ag type (46)
-- Exiting due to failure in loading access policy objects
Conditions:
-- BIG-IP system is configured as SAML SP.
-- Certificate used by configured SAML Agent was imported onto BIG-IP system in DER format.
Impact:
APMD service may become unresponsive, dropping all traffic protected by APM access policies.
Workaround:
Convert DER encoded certificate used by SAML SP agent into PEM format.
Fix:
DER certificates no longer cause APMD process errors at initialization time.
681757-1 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
Solution Article: K32521651
Component: Local Traffic Manager
Symptoms:
As a result of this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.
The system records an error message similar to the following in the ltm log file:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.
Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.
Impact:
Configuration fails to load on upgrade.
Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.
Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.
681710-4 : Malformed HTTP/2 requests may cause TMM to crash
Solution Article: K10930474
681535 : CVE-2015-3148 in curl was incomplete.
Solution Article: K35453761
681415-1 : Copying of profile with advanced customization or images might fail
Component: Access Policy Manager
Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code'.
Conditions:
The Access Profile has an advanced customization group or customization image assigned to any object connected to the profile.
Impact:
Unable to copy policy.
Workaround:
None.
Fix:
Copying of profile with advanced customization or images now succeeds as expected.
681175-1 : TMM may crash during routing updates
Solution Article: K32153360
Component: Local Traffic Manager
Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.
Conditions:
-- Dynamic routing.
-- ECMP routes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.
Fix:
TMM no longer crashes on routing updates when ECMP is in use.
681109-2 : BD crash in a specific scenario
Solution Article: K46212485
Component: Application Security Manager
Symptoms:
BD crash occurs.
Conditions:
A specific, non-default configuration with specific traffic.
The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.
For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
Content-Type :: *xml* :: form-data
This configuration is likely to result in a very long list of false-positive attack signatures. Because of the large message generated, the regex violation, which is also likely to occur on the same payload, cannot be added to the already-filled message, which causes the crash.
Impact:
Failover, traffic disturbance.
Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.
A correctly configured header-based-content-profile property on URLs appears as follows:
In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows:
Content-Type :: *form* :: Form Data
Content-Type :: *json* :: JSON
Content-Type :: *xml* :: XML
Fix:
Added a check to prevent a crash in a specific scenario.
681010-1 : 'Referer' is not masked when 'Query String' contains sensitive parameter
Solution Article: K33572148
Component: Application Security Manager
Symptoms:
While the sensitive parameter value in 'Query String' is masked, the same sensitive parameter value in the 'Referer' header is exposed.
Conditions:
-- Sensitive parameter is defined in: 'Security :: Application Security : Parameters : Sensitive Parameters'.
-- 'Query String' contains the defined sensitive parameter.
Impact:
"Referer" header contains unmasked value of the sensitive parameter.
Workaround:
Enable 'Mask Value in Logs' in: 'Security :: Application Security : Headers : HTTP Headers :: referer'.
Fix:
The 'Referer' header value is masked in case of sensitive parameter in 'Query String'.
680917-2 : Invalid monitor rule instance identifier
Component: TMOS
Symptoms:
iApp triggers an error while attempting to change server properties for pool members. The error reads "Invalid monitor rule instance identifier".
Conditions:
While changing the server properties associated with the pool members through iApp.
Impact:
You cannot change the server properties using iApp.
680856-3 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
Component: TMOS
Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):
info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy
Conditions:
A new IPsec tunnel is configured over REST.
Impact:
The newly configured IPsec tunnel does not start.
Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.
Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.
680850-1 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
Solution Article: K48342409
Component: Global Traffic Manager (DNS)
Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.
Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug
Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.
Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.
Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.
Note: Setting this value to true causes the information to be dumped to stderr, which brings back the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.
Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.
This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.
With this fix, setting log.zxfrd.level debug no longer outputs this information.
Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.
680838-3 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
Component: TMOS
Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.
A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.
Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM will no longer restart due to assertion failure.
680755-1 : max-request enforcement no longer works outside of OneConnect
Solution Article: K27015502
Component: Local Traffic Manager
Symptoms:
max-request enforcement does not work when OneConnect is not configured.
Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.
Impact:
max-request enforcement does not work.
Workaround:
Always use OneConnect.
Fix:
max-request enforcement now works when OneConnect is not configured.
680729-3 : DHCP Trace log incorrectly marked as an Error log.
Solution Article: K64307999
Component: Policy Enforcement Manager
Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.
Impact:
Possible clutter in the TMM logs.
Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical
Fix:
The following log message now appears only when DHCP debug logging is enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
680388-2 : f5optics should not show function name in non-debug log messages
Component: TMOS
Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.
Conditions:
-- BIG-IP is running.
-- The logging threshold is set to a value other than debug.
Impact:
Log files contain unexpected data.
Workaround:
There is no workaround at this time.
Fix:
f5optics no longer displays function names in non-debug log messages.
680264 : HTTP2 headers frame decoding may fail when the frame is delivered in multiple xfrags
Component: Local Traffic Manager
Symptoms:
Intermittently, HTTP2 experiences protocol resets.
Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- The length encoding crosses the start of a new xfrag.
For example, http2_arbint_read returns an incorrect header length when the encoded length (0xFF BYTE1) is split so that the next byte is in the following xfrag.
Impact:
Unexpected loss of HTTP2 frames due to protocol resets.
Workaround:
No effective workaround.
Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.
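The length prefix in an HTTP/2 HEADERS block is an HPACK integer (RFC 7541 section 5.1): a 7-bit prefix, so any string length of 127 or more spills into continuation bytes, and 0xFF is exactly the "Huffman flag plus full prefix" byte the entry above mentions. The following added example (constructed here, not TMM code) is a resumable decoder that can be fed one xfrag at a time and only reports a length once the continuation bytes have arrived; the encoder is included so the test inputs are derived rather than hand-typed.

```python
"""Constructed example: HPACK integer encode/decode across xfrag boundaries."""
from typing import List, Optional, Tuple


def hpack_encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 section 5.1 integer encoding.

    `flags` are the bits above the prefix in the first byte, e.g. 0x80 for
    the Huffman flag of a string length that uses a 7-bit prefix.
    """
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)  # 7 payload bits, continuation bit set
        value >>= 7
    out.append(value)
    return bytes(out)


class ArbIntDecoder:
    """Resumable HPACK integer reader.

    feed() consumes as much of a chunk as the integer needs and returns the
    value once it is complete, or None while more bytes are still required.
    Any bytes after the integer are left in .rest for the caller.
    """

    MAX_SHIFT = 28  # bounds the integer; anything larger is treated as malformed

    def __init__(self, prefix_bits: int) -> None:
        self.limit = (1 << prefix_bits) - 1
        self.value: Optional[int] = None  # None until the prefix byte is seen
        self.shift = 0
        self.done = False
        self.rest = b""

    def feed(self, chunk: bytes) -> Optional[int]:
        if self.done:
            raise ValueError("decoder already finished; create a new one")
        i = 0
        if self.value is None:
            if not chunk:
                return None
            self.value = chunk[0] & self.limit
            i = 1
            if self.value < self.limit:
                # Prefix alone holds the whole value; no continuation bytes.
                self.done = True
        while not self.done and i < len(chunk):
            b = chunk[i]
            i += 1
            self.value += (b & 0x7F) << self.shift
            self.shift += 7
            if self.shift > self.MAX_SHIFT:
                raise ValueError("HPACK integer too large")
            if not b & 0x80:
                self.done = True
        self.rest = chunk[i:]
        return self.value if self.done else None


def decode_over_xfrags(xfrags: List[bytes], prefix_bits: int) -> Tuple[int, bytes]:
    """Feed xfrags in order; return (value, leftover bytes of the final xfrag)."""
    dec = ArbIntDecoder(prefix_bits)
    for frag in xfrags:
        value = dec.feed(frag)
        if value is not None:
            return value, dec.rest
    raise ValueError("need more data: integer not complete at end of input")


if __name__ == "__main__":
    # A 200-byte Huffman-coded header value: length encodes as FF 49.
    enc = hpack_encode_int(200, 7, flags=0x80)
    print(enc.hex())                                       # ff49
    # Split so the 0xFF prefix ends one 2-byte xfrag and 0x49 starts the next.
    print(decode_over_xfrags([b"\x44\xff", b"\x49\x61"][1:], 7))
```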
680112-1 : SWG-Explicit rejects large POST bodies during policy evaluation
Solution Article: K18131781
Component: Access Policy Manager
Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 64 KB limit on POST bodies while the policy is being evaluated.
==> /var/log/apm <==
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048
Conditions:
This applies only during the policy evaluation. After the policy has been set to 'Allow', there is no limit.
Impact:
Unable to start an SWG-Explicit policy with a large POST body.
Workaround:
None.
Fix:
Modify the db variable 'tmm.access.maxrequestbodysize' with a value larger than the maximum post body size you would like to support. The maximum supported value is 25000000 (25 MB).
680069-3 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config★
Solution Article: K81834254
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd cores and restarts.
Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.
Impact:
zxfrd cores.
Workaround:
None.
Fix:
zxfrd no longer cores when the network fails and the DNS server is removed from the DNS zone configuration while a transfer is in progress.
679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
Component: TMOS
Symptoms:
Unable to ping the self IP of vCMP guests configured on i5000, i7000, or i10000.
Conditions:
Running TMOS v12.1.3 and VCMP guests configured on i5000, i7000 or i10000.
Impact:
Unable to process client traffic.
Workaround:
No workaround at this time.
Fix:
This issue is fixed.
679861-2 : Weak Access Restrictions on the AVR Reporting Interface
Solution Article: K31152411
679603-2 : bd core upon request, when profile has sensitive element configured.
Solution Article: K15460886
Component: Application Security Manager
Symptoms:
bd crash, system goes offline.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.
Impact:
System goes offline/fails over.
Workaround:
Remove sensitive elements from the json profile in the ASM policy.
Fix:
ASM now handles this condition so the crash no longer occurs.
679496-1 : Add 'comp_req' to the output of 'tmctl compress'
Component: Local Traffic Manager
Symptoms:
The output of 'tmctl compress' displays the total numbers of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.
Conditions:
Viewing the output of the 'tmctl compress' command.
Impact:
Cannot determine the different types of requests.
Workaround:
There is no workaround at this time.
Fix:
This release now distinguishes between deflate (compression) requests and inflate (decompression) requests, as follows: there is an indicator, 'comp_req', for compression requests. The number of decompression requests is tot_req - comp_req.
679494-2 : Change the default compression strategy to speed
Component: Local Traffic Manager
Symptoms:
The current default compression.strategy is 'latency', which does not perform properly: the provider selection algorithm does not react to load changes fast enough.
Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.
Impact:
The work load may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.
Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.
Fix:
The default compression strategy is now set to 'speed'.
679480-1 : User able to create node when an ephemeral with the same IP already exists
Component: TMOS
Symptoms:
If an FQDN ephemeral node exists for a given IP address, the user is still able to create a real node for the same IP address.
Conditions:
This can only be done through the GUI, not through tmsh or iControl REST.
Impact:
This should be prevented, but is allowed.
Workaround:
Avoid creating such a node.
Fix:
Validation now prevents this from happening.
679440-2 : MCPD Cores with SIGABRT
Solution Article: K14120433
Component: Advanced Firewall Manager
Symptoms:
MCPD cores with SIGABRT.
Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.
Impact:
MCPD core.
Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable
Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.
679384-1 : The policy builder is not getting updates about the newly added signatures.
Solution Article: K85153939
Component: Application Security Manager
Symptoms:
The policy builder is not getting updates about the newly added signatures.
Conditions:
When ASU is installed or user-defined signatures are added/updated.
Impact:
No learning suggestions for some of the newly added signatures.
Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
killall -s SIGHUP pabnagd
-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).
Fix:
After the fix, Policy Builder will be aware of all newly added signatures.
679347-3 : ECP does not work for PFS in IKEv2 child SAs
Solution Article: K44117473
Component: TMOS
Symptoms:
The original racoon2 code has no support for DH generation or computation using elliptic curve algorithms for perfect forward secrecy (PFS).
Additionally, the original interfaces are synchronous, but the only ECP support present uses an API with asynchronous organization and callbacks, so adding ECP does not work.
Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.
Note: The first child SA is negotiated successfully.
Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.
Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.
Fix:
Full support for ECP as PFS has now been added, so a new child SA negotiated in an IKEV2EXCH_CREATE_CHILD_SA exchange works as expected for ecp256, ecp384, and ecp512.
679235-5 : Inspection Host NPAPI Plugin for Safari cannot be installed
Component: Access Policy Manager
Symptoms:
The Inspection Host NPAPI Plugin for Safari on macOS High Sierra cannot be installed.
Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.
Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.
Workaround:
There is no workaround at this time.
Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.
679221-1 : APMD may generate core file or appears locked up after APM configuration changed
Component: Access Policy Manager
Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart, or may appear to be locked up.
Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.
Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.
Workaround:
None.
Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.
679149-2 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
Component: Global Traffic Manager (DNS)
Symptoms:
TMM may crash or LB::server returns unexpected result.
Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.
Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.
679135-3 : IKEv1 and IKEv2 cannot share common local address in tunnels
Component: TMOS
Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.
Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.
Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.
Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.
Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.
Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.
Fix:
Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.
679114-2 : Persistence record expires early if an error is returned for a BYE command
Component: Service Provider
Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.
Conditions:
An error is returned for any SIP command.
Impact:
The persistence record will expire early when the call has not been ended.
Workaround:
None.
Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.
678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
Solution Article: K24756214
Component: Access Policy Manager
Symptoms:
VDI debug logs print user credentials to /var/log/apm.
Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.
Impact:
User credentials are written to /var/log/apm.
Workaround:
Set VDI debug level to Notice.
Fix:
The system no longer prints user credentials to VDI debug logs.
678925-4 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
Component: TMOS
Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.
Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.
Then, a connection using the tunnel may cause a TMM crash.
Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.
Impact:
The TMM crashes and traffic is disrupted.
Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.
Fix:
The TMM no longer crashes.
678872-2 : Inconsistent behavior for virtual-address and selfip on the same ip-address
Component: Local Traffic Manager
Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.
Conditions:
Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.
Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.
Workaround:
No workaround.
Fix:
This implements an initialization-order-independent set of rules for whether a particular IP address should have ARP/ICMP enabled when multiple virtual addresses (vaddrs) match it. The lookup is performed from the finest netmask to the coarsest netmask. If there is no matching vaddr for a particular netmask, the next coarser netmask is looked up. Otherwise, if any matching vaddr for that netmask has ARP/ICMP enabled, the IP address has ARP/ICMP enabled; if none of the matching vaddrs for that netmask has ARP/ICMP enabled, the IP address has ARP/ICMP disabled.
The rule above has one exception, due to performance optimizations: if a vaddr has both ARP and ICMP disabled, that vaddr is considered deleted.
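The lookup rule described in this fix, as an added illustration that is not F5 code: a constructed vaddr table is walked from the finest prefix length to the coarsest, the "both disabled means deleted" exception is applied first, and ARP and ICMP are evaluated independently (an assumption; the text says only "ARP/ICMP"). The `order_independent` helper checks the stated property that the answer does not depend on the order in which vaddrs were created.

```python
from ipaddress import ip_address, ip_network
from itertools import permutations

# Constructed virtual-address table (not from the page): each entry is a
# hypothetical vaddr with its own ARP and ICMP settings.
VADDRS = [
    {"net": ip_network("10.0.0.0/16"), "arp": False, "icmp": True},
    {"net": ip_network("10.0.0.0/24"), "arp": True, "icmp": False},
    {"net": ip_network("10.0.0.5/32"), "arp": False, "icmp": True},
    # Both disabled: per the exception in the fix text, treated as deleted.
    {"net": ip_network("10.0.0.7/32"), "arp": False, "icmp": False},
]


def live_vaddrs(vaddrs):
    """Apply the exception: a vaddr with both ARP and ICMP disabled is ignored."""
    return [v for v in vaddrs if v["arp"] or v["icmp"]]


def resolve(ip, vaddrs, attr):
    """Decide whether `ip` has `attr` ('arp' or 'icmp') enabled.

    Walk prefix lengths from finest (/32) to coarsest. At the first prefix
    length with any matching vaddr, the answer is True if any of those
    vaddrs enables `attr`, else False. Returns None when nothing matches.
    """
    addr = ip_address(ip)
    live = live_vaddrs(vaddrs)
    for plen in sorted({v["net"].prefixlen for v in live}, reverse=True):
        matching = [v for v in live if v["net"].prefixlen == plen and addr in v["net"]]
        if matching:
            # Do not fall through to a coarser netmask once something matched.
            return any(v[attr] for v in matching)
    return None


def resolve_all(ip, vaddrs):
    """ARP and ICMP decisions for one address, evaluated independently."""
    return {"arp": resolve(ip, vaddrs, "arp"), "icmp": resolve(ip, vaddrs, "icmp")}


def order_independent(ip, vaddrs):
    """True if every ordering of the vaddr table yields the same decision."""
    baseline = resolve_all(ip, vaddrs)
    return all(resolve_all(ip, list(p), ) == baseline for p in permutations(vaddrs))


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.1.1", "192.168.1.1"):
        print(ip, resolve_all(ip, VADDRS), "order-independent:", order_independent(ip, VADDRS))
```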
678861-3 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade fails with a message similar to the following.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.
Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.
Impact:
Upgrade fails.
Workaround:
Remove DNS:: commands from procs before upgrade.
Or use AFM instead of iRules.
678851-1 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
Component: Access Policy Manager
Symptoms:
Java applets containing call of getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.
Attempt to call incorrectly patched method causes following exception:
java.lang.VerifyError: (...) Illegal type in constant pool
Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().
Impact:
Affected Java applets cannot be started through Portal Access.
Workaround:
None.
Fix:
Rewritten applets with calls of java.applet.AppletStub interface methods are no longer causing java.lang.VerifyError exception during execution.
678833 : IPv6 prefix SPDAG causes packet drop
Component: TMOS
Symptoms:
If IPv6 prefix SPDAG is turned on, on systems running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3, it can cause packet drops.
Conditions:
Turn on IPv6 prefix DAG.
-- Assign a value other than 128 to sys db tmm.pem.session.ipv6.prefix.len.
-- Running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3.
Impact:
Packet drops.
Workaround:
Turn off IPv6 prefix SPDAG.
678822-3 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed
Component: Policy Enforcement Manager
Symptoms:
If PEM subscribers are brought up with Diameter apps (Gx/Gy) configured and the PCRF is not reachable, either because there is no route or because no license is configured for those apps, the Provision Pending count for sessions is incremented and never rolls back to zero, even after the subscribers are cleaned up.
Conditions:
If the route to PCRF/OCS is missing or not reachable.
Impact:
Non-Zero stats for provision pending sessions
Workaround:
Disable the Gx/Gy profile if not required or configure the route.
Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.
678820-2 : Potential memory leak if PEM Diameter sessions are not created successfully.
Component: Policy Enforcement Manager
Symptoms:
Memory leak resulting in reduction in available memory.
Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.
Impact:
Loss of service
Workaround:
There is no workaround at this time.
Fix:
Diameter context is freed in case of a failed Diameter session creation.
678801-2 : WS::enabled returned empty string
Component: Local Traffic Manager
Symptoms:
WS::enabled command returned empty string instead of 0 or 1 for status.
Conditions:
-- WS::enabled command is used to query the status of WebSocket processing.
-- WebSocket and HTTP profiles are configured on the virtual server.
Impact:
Unable to determine the status of WebSocket processing using iRule commands.
Workaround:
There is no workaround at this time.
Fix:
WS::enabled now invokes the appropriate method in the WebSocket Tcl code and returns the status (0 or 1).
678722-2 : In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources
Component: Local Traffic Manager
Symptoms:
In SSL-O, due to a race condition, TMM may core when SSL forward proxy tries to free memory by releasing certificate resources.
Conditions:
This only happens in SSL-O with SSL forward proxy configured.
Impact:
TMM may restart due to using the wrong free function. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores under these conditions.
678715-1 : Large volume of query result update to SessionDB fails and locks down ApmD
Component: Access Policy Manager
Symptoms:
While writing large query results from the AD server to SessionDB using the memcache API, the write operation fails with a partial write.
Conditions:
Large volumes of AD query results (with 'All Attributes' required) are written to SessionDB.
Impact:
The operation fails with a partial write. All worker threads performing authentication eventually lock up. The session watchdog thread eventually forces an abort to recover from the situation, and apmd restarts.
Workaround:
Query for specific attributes rather than the 'All Attributes' option.
Fix:
The partial write failure has been fixed by writing the remaining parts of the query results in several iterations, until the entire result is written.
678714-3 : After HA failover, subscriber data has stale session ID information
Component: Policy Enforcement Manager
Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session ID information.
Conditions:
-- HA failover.
-- PEM subscriber.
Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.
Workaround:
None.
Fix:
Subscriber local data is now populated with new, generated session ID information.
678488-3 : BGP default-originate not announced to peers if several are peering over different VLANs
Solution Article: K59332320
Component: TMOS
Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.
Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.
Impact:
Only some of the peered neighbors get the default route.
Workaround:
Add the following to the BGP configuration:
network 0.0.0.0/0
Fix:
All peered neighbors now get the default route.
678462-2 : after chassis failover: asmlogd CPU 100% on secondary
Component: Application Security Manager
Symptoms:
After a failover in a chassis:
- asmlogd CPU 0% on primary slot (which was secondary before the failover).
- asmlogd CPU 100% on secondary (which was primary before the failover).
Without traffic running through the chassis.
Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.
Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.
Workaround:
There is no workaround at this time.
Fix:
The asmlogd process now better handles chassis failovers during which the chassis slots change roles (primary/secondary), so this issue no longer occurs.
678456-2 : ZebOS BGP peer-group configuration not fixed up on upgrade★
Component: TMOS
Symptoms:
ZebOS BGP configuration fails to load after upgrade.
Conditions:
-- Upgrade to 12.1.3.4-12.1.5 or 13.0.0.
-- Configuration specifies neighbor peer-group inside the address-family clause.
Impact:
Loading of the ZebOS configuration after upgrade fails.
Workaround:
Modify the ZebOS configuration to put the neighbor peer-group clause outside of the address-family clause.
Fix:
The ZebOS configuration correctly orders the neighbor peer-group clause outside of the address-family clause, and loading of the BGP configuration after upgrade is successful.
678416-2 : Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
Component: Local Traffic Manager
Symptoms:
After the BIG-IP system experiences severe memory pressure, the 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table incorrectly show extremely high values.
Conditions:
The BIG-IP system experiences enough memory pressure that slabs are transferred between threads.
Impact:
The 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table do not reflect actual values. However, there is no functionality issue as a result. This is a cosmetic issue only.
Workaround:
None.
Fix:
The system now manages better under memory pressure so that the tmm/umem_usage_stat counters correctly reflect actual values.
678388-3 : IKEv1 racoon daemon is not restarted when killed multiple times
Solution Article: K00050055
Component: TMOS
Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.
Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.
Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.
Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd
Fix:
Fixed tmipsecd so it correctly tracks whether the IKEv1 racoon daemon is still running or needs a restart. This also covers odd timing, such as killing racoon right after it starts.
678380-3 : Deleting an IKEv1 peer in current use could SEGV on race conditions.
Solution Article: K26023811
Component: TMOS
Symptoms:
When an IKEv1 peer is deleted or updated, the IKEv1 racoon daemon may intermittently crash with a SIGSEGV under some race conditions.
Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.
Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.
Workaround:
None.
Fix:
The system now checks whether the old peer definition is valid when navigating from phase-one SAs to the IKEv1 peer definition.
678293-1 : Uncleaned policy history files cause /var disk exhaustion
Solution Article: K25066531
Component: Application Security Manager
Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.
Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.
Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.
Impact:
/var disk usage is high.
Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:
----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { next unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------
Manually verify the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.
In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.
678254-2 : Error logged when restarting Tomcat
Component: TMOS
Symptoms:
An error is logged after restarting Tomcat and using the web UI.
Conditions:
Using the web UI to restart tomcat.
Impact:
An error is logged after restarting Tomcat and using the web UI.
Workaround:
There is no workaround.
Fix:
When restarting Tomcat and using the web UI, an error is logged only if the debug flag is enabled.
678228-1 : Repeated Errors in ASM Sync
Solution Article: K27568142
Component: Application Security Manager
Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.
Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM enabled Device Group
Impact:
Any future attempts at building a sync file will continue to fail.
Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.
Fix:
Remnants of failed sync files are now correctly cleaned up before building a new one.
677962-3 : Invalid use of SETTINGS_MAX_FRAME_SIZE
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system negotiates settings over an HTTP/2 connection, it adopts the value of the peer's SETTINGS_MAX_FRAME_SIZE parameter as its own.
Conditions:
A virtual is configured with HTTP/2 profile.
Impact:
The BIG-IP system may accept a DATA frame larger than 16,384 bytes, violating the RFC.
Workaround:
There is no workaround at this time.
Fix:
BIG-IP no longer accepts DATA frames with sizes exceeding a default value of 16,384 bytes.
677958-2 : WS::frame prepend and WS::frame append do not insert string in the right place.
Component: Local Traffic Manager
Symptoms:
When WS::frame prepend and WS::frame append are used together in the same event, the strings are not inserted in the right place.
Conditions:
-- Both WS::frame prepend and WS::frame append commands are present in the same iRule event.
-- WebSocket and HTTP profile are configured on the virtual.
-- Client/server send and receive WebSocket frames.
Impact:
The user-supplied string is not inserted in the right place when sent to the end-point.
Workaround:
None.
Fix:
Separate buffers are now used for append and prepend, instead of reusing the same buffer.
677937-1 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
Solution Article: K41517253
Component: TMOS
Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.
Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).
Impact:
No connectivity between the client and the server.
Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)
Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.
677928-2 : A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
Component: TMOS
Symptoms:
A wrong source MAC address may be used in the outgoing IPsec encapsulated packets when the BIG-IP VE system is operated in Azure.
Conditions:
The BIG-IP VE system is first deployed in Azure with a single NIC. After the first reboot and then power off, a second NIC is added to the BIG-IP system. Then, an IPsec tunnel is configured to associate with a selfip on the second NIC.
Impact:
The Azure environment or a remote device may drop the outgoing IPsec encapsulated packets from the BIG-IP system because the source MAC address of the packets is wrong.
Fix:
The source MAC address of the outgoing IPsec encapsulated packets from the BIG-IP system is set correctly.
677525-3 : Translucent VLAN group may use unexpected source MAC address
Component: Local Traffic Manager
Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.
Conditions:
VLAN group in translucent mode.
Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.
Workaround:
No workaround at this time.
Fix:
Translucent VLAN groups no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.
677473-1 : MCPD core is generated on multiple add/remove of Mgmt-Rules
Component: Advanced Firewall Manager
Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.
Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).
Impact:
The BIG-IP system might become unusable for few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
MCP no longer crashes, and other dependent daemons no longer restart. The BIG-IP system remains operational in both control-plane (tmsh/GUI) and data traffic processing.
677457 : HTTP/2 Gateway appends semicolon when a request has one or more cookies
Solution Article: K13036194
Component: Local Traffic Manager
Symptoms:
With an HTTP/2 profile, a virtual server on a BIG-IP system receives requests and converts the cookies into a cookie-string. The BIG-IP system concatenates the cookie pairs with a semicolon (%3B) and a space (%20) in the cookie-string. This delimiter pair is also appended after the last cookie pair.
Conditions:
HTTP/2 profile is configured on a virtual server and a request contains one or more cookies.
Impact:
The request forwarded to a backend server contains an extra semicolon at the end of cookie-string.
Workaround:
Use an iRule to remove an extra delimiter if it negatively impacts backend server performance.
For example:
when HTTP_REQUEST {
    # The cookie-string built by the HTTP/2 profile ends in "; ";
    # drop those two trailing characters before forwarding.
    if { [HTTP::header value "Cookie"] contains ";" } {
        set new_header [string range [HTTP::header "Cookie"] 0 end-2]
        log local0.notice "$new_header"
        HTTP::header replace "Cookie" $new_header
    }
}
Fix:
Virtual server with HTTP/2 profile no longer appends extra delimiter to a cookie-string when it forwards the request to HTTP/1.x backend server.
677400-3 : pimd daemon may exit on failover
Solution Article: K82502883
Component: Local Traffic Manager
Symptoms:
When multicast traffic is passing on a high availability (HA) pair, the pimd daemon on the unit that transitions to standby may exit and drop a core file.
Conditions:
-- Multicast routing configured.
-- PIM-Sparse Mode configured.
-- HA failover configuration.
Impact:
None. The system that goes active will reconverge, and multicast traffic will resume.
Workaround:
No workaround required.
Fix:
The pimd daemon no longer exits when an HA failover occurs.
677193-2 : ASM BD Daemon Crash.
Solution Article: K38243073
677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
Component: Local Traffic Manager
Symptoms:
When an HTTP2 connection's parameters are negotiated, either side may report its limits in a SETTINGS frame, where the SETTINGS_MAX_HEADER_LIST_SIZE parameter determines the maximum size of header list it is willing to accept. The BIG-IP system incorrectly interchanged this parameter with another one, SETTINGS_HEADER_TABLE_SIZE, limiting the value of the former to 32,768.
Conditions:
HTTP2 is configured and the opposite endpoint (a user agent using the HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.
Impact:
The BIG-IP system does not accept the value, and terminates the connection using a GOAWAY frame with PROTOCOL_ERROR as the reason.
Workaround:
None.
Fix:
The BIG-IP system no longer generates an error due to this issue, and allows the value of SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.
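Both 677962-3 (peer's SETTINGS_MAX_FRAME_SIZE adopted as the local receive limit) and 677119 (SETTINGS_MAX_HEADER_LIST_SIZE confused with SETTINGS_HEADER_TABLE_SIZE) come down to keeping two settings tables apart. The following is an added example, not BIG-IP code: a minimal HTTP/2 frame codec and a connection object that stores each SETTINGS identifier under its own key, bounds inbound frames by the locally advertised limit and outbound frames by the peer's, and rejects only the values the RFC actually forbids. Identifier values and the 16,384-octet default are those of RFC 7540; the class and function names are mine.

```python
import struct

# Frame types and SETTINGS identifiers, with their values from RFC 7540.
FRAME_DATA = 0x0
FRAME_SETTINGS = 0x4
SETTINGS_HEADER_TABLE_SIZE = 0x1
SETTINGS_ENABLE_PUSH = 0x2
SETTINGS_MAX_FRAME_SIZE = 0x5
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6
DEFAULT_MAX_FRAME_SIZE = 16_384          # 2^14, the initial value for every endpoint
MAX_FRAME_SIZE_CEILING = (1 << 24) - 1   # largest value a peer may advertise


class ProtocolError(Exception):
    """Stands in for tearing the connection down with GOAWAY(PROTOCOL_ERROR)."""


def build_frame(ftype, flags, stream_id, payload):
    """Encode a 9-octet frame header (24-bit length, type, flags, 31-bit stream id) plus payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frame_header(buf):
    """Return (length, type, flags, stream_id) from the first 9 octets of buf."""
    if len(buf) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    return length, buf[3], buf[4], stream_id


def build_settings_payload(pairs):
    """SETTINGS payload: a sequence of 16-bit identifier / 32-bit value pairs."""
    return b"".join(struct.pack("!HI", ident, value) for ident, value in pairs)


def parse_settings_payload(payload):
    if len(payload) % 6:
        raise ProtocolError("SETTINGS payload is not a multiple of 6 octets")
    return [struct.unpack("!HI", payload[i:i + 6]) for i in range(0, len(payload), 6)]


class H2Connection:
    """Keeps the two settings tables of one connection strictly apart.

    `local` is what this side advertised and bounds what it will ACCEPT;
    `peer` is what the remote side advertised and bounds what this side may SEND.
    """

    def __init__(self, local_max_frame_size=DEFAULT_MAX_FRAME_SIZE):
        self.local = {SETTINGS_MAX_FRAME_SIZE: local_max_frame_size}
        self.peer = {
            SETTINGS_HEADER_TABLE_SIZE: 4096,
            SETTINGS_MAX_FRAME_SIZE: DEFAULT_MAX_FRAME_SIZE,
        }

    def receive_settings(self, payload):
        for ident, value in parse_settings_payload(payload):
            if ident == SETTINGS_MAX_FRAME_SIZE and not (
                DEFAULT_MAX_FRAME_SIZE <= value <= MAX_FRAME_SIZE_CEILING
            ):
                raise ProtocolError("peer SETTINGS_MAX_FRAME_SIZE out of range")
            if ident == SETTINGS_ENABLE_PUSH and value not in (0, 1):
                raise ProtocolError("peer SETTINGS_ENABLE_PUSH must be 0 or 1")
            # Store under the identifier the peer actually sent (0x6 is not 0x1),
            # with no artificial cap on MAX_HEADER_LIST_SIZE, and never copy into self.local.
            self.peer[ident] = value

    def receive_frame(self, buf):
        """Validate one inbound frame; returns (type, payload) or raises."""
        length, ftype, flags, stream_id = parse_frame_header(buf)
        # The inbound limit is OUR advertised value, not the peer's.
        if length > self.local[SETTINGS_MAX_FRAME_SIZE]:
            raise ProtocolError(f"frame of {length} octets exceeds local max frame size")
        payload = buf[9:9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        if ftype == FRAME_SETTINGS:
            if stream_id != 0:
                raise ProtocolError("SETTINGS on a non-zero stream")
            self.receive_settings(payload)
        return ftype, payload

    def max_send_frame_size(self):
        """The outbound limit is the peer's advertised value."""
        return self.peer[SETTINGS_MAX_FRAME_SIZE]


def accepts(conn, frame):
    """True if the connection accepts the frame, False if it would answer with GOAWAY."""
    try:
        conn.receive_frame(frame)
        return True
    except ProtocolError:
        return False
```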
677088-4 : BIG-IP tmsh vulnerability CVE-2018-15321
Solution Article: K01067037
677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text
Solution Article: K31757417
Component: Access Policy Manager
Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.
Conditions:
This occurs when following conditions are met:
- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.
Impact:
APM logs plain text password when debug logging is turned on for access policy.
Workaround:
None.
Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.
676982-2 : Active connection count increases over time, long after connections expire
Solution Article: K21958352
Component: Local Traffic Manager
Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.
Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile functionality.
Impact:
- Service may be impacted after a period.
- TMM instances may restart.
Workaround:
None.
Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.
676914-1 : The SSL Session Cache can grow indefinitely if the traffic group is changed.
Component: Local Traffic Manager
Symptoms:
If there are entries in the SSL Session Cache, and the traffic group is changed, the cache might grow indefinitely.
Conditions:
-- SSL is configured.
-- Session cache has a limit on the number of entries.
-- After entries are made into the session cache, the traffic group is then changed.
Impact:
Eventually all memory will be consumed causing TMM to restart. Traffic disrupted while tmm restarts.
Workaround:
Disable the session cache.
As an alternative, after changing the traffic group, restart TMM.
Fix:
Changing the traffic group no longer causes the session cache to grow.
676897-1 : IPsec keeps failing to reconnect
Solution Article: K25082113
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) no longer exists on a remote IPsec peer, the BIG-IP system might receive an INVALID-SPI notification but might not delete its own copy of the SA. The IPsec tunnel might not be renegotiated until those SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
Fix:
This release corrects this issue.
676828-2 : Host IPv6 traffic is generated even when ipv6.enabled is false
Solution Article: K09012436
Component: Local Traffic Manager
Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.
Conditions:
sys db ipv6.enabled is false.
Impact:
Extraneous IPv6 traffic from the BIG-IP system.
Workaround:
None.
Fix:
IPv6 traffic now properly observes the ipv6.enabled sys db variable.
676808-2 : FPS: tmm may crash on response with large payload from server
Component: Fraud Protection Services
Symptoms:
A request to an unprotected FPS URL may cause a tmm crash if the response payload is large and the URL was configured via live update.
Conditions:
1. Page is not protected.
2. Large response payload (e.g., 50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
FPS will check for fast response situation and will act accordingly.
676721-2 : Missing check for NULL condition causes tmm crash.
Solution Article: K33325265
Component: Local Traffic Manager
Symptoms:
Missing check for NULL condition causes tmm crash.
Conditions:
This issue occurs when all of the following conditions are met:
1) The BIG-IP system receives a new connection request and attempts to select a pool member.
2) All pool members are unresponsive. This may be due to one of the following reasons:
a) The pool members have reached their configured connection limit.
b) There is no route to the pool members.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM correctly checks for NULL condition to prevent the crash.
676705-2 : Agetty should not run on VE that lack serial port
Component: TMOS
Symptoms:
The init process spawns the /sbin/agetty over and over, filling the log file daemon.log.
Conditions:
BIG-IP Virtual Edition without a serial port.
Impact:
Excessive logging.
Workaround:
Change 'respawn' to 'off' in /etc/init/serial-ttySX.conf.
Fix:
Serial ports are now correctly detected.
676690-3 : Windows Edge Client sometimes crashes when user signs out from Windows
Component: Access Policy Manager
Symptoms:
In rare cases, the Windows Edge Client may crash when the user signs out from Windows.
Conditions:
The user signs out from Windows or restarts Windows while Edge Client is running and a VPN is established.
Impact:
No functional impact; the user sees an error message box that blocks the sign-out process. When the user closes the message box, the sign-out process continues.
Fix:
Previously, in some instances, the Edge Client on Windows would crash when the user signed out of Windows. This has been fixed.
676471-1 : Insufficient space for core files on i11x00-series platforms
Component: Local Traffic Manager
Symptoms:
The default location for core files is '/var/core'. On i11000 Series platforms, there is insufficient space in this directory for core files. When a process generates a core file, or when a core file is created manually, the system truncates the core file's content.
Conditions:
-- A process encounters a condition that leads to a core file being generated, or a core file is produced manually.
-- Using one of the following platforms:
+ i11400-DS
+ i11600 / i11800
+ i11600-DS / i11800-DS
Impact:
Core file content is truncated. Further analysis of the problem that created the core cannot proceed.
Workaround:
Change the location where the kernel places core files. For example, you might use '/appdata' as the destination.
Change /proc/sys/kernel/core_pattern to define the pathname used to generate the core file.
For more information about core files, refer to the core man page, available by running the following command in tmsh: man core
Fix:
More space has been made available in '/var/core'. Core files are no longer truncated.
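The workaround above relocates core files by changing /proc/sys/kernel/core_pattern. As an added example (not F5's code or part of this release note), the POSIX shell functions below extract the directory from a core_pattern value and check that it has enough free space before you commit to it, so a relocated core is not truncated the same way the default location was. The pattern '/appdata/core.%e.%p.%t' and the 4096 MiB threshold in the usage comment are assumptions (/appdata is the destination the release note gives as an example); writing the pattern itself is left out because it requires root on the BIG-IP system.

```shell
#!/bin/sh
# Added example (not F5 code): sanity-check the directory that a
# kernel.core_pattern value points at before relying on it for core files.
# The pattern and the size threshold in the usage comment are assumptions;
# /appdata is the destination the release note gives as an example.
#
# Usage: check_core_space '/appdata/core.%e.%p.%t' 4096
#   Returns 0 if the directory has at least that many MiB free,
#   1 if it does not, 2 if the directory does not exist.

# Directory part of a core_pattern, e.g. /appdata/core.%e.%p -> /appdata.
# A pattern with no slash is relative to the crashing process's cwd.
core_dir_of_pattern() {
    case "$1" in
        */*) d="${1%/*}"; printf '%s\n' "${d:-/}" ;;
        *)   printf '%s\n' "." ;;
    esac
}

# Free space, in MiB, on the filesystem holding the given directory
# (POSIX df -P prints 1024-byte blocks; column 4 is "Available").
free_mb() {
    df -P -k "$1" 2>/dev/null | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

check_core_space() {
    pattern="$1"
    need_mb="$2"
    dir=$(core_dir_of_pattern "$pattern")
    if [ ! -d "$dir" ]; then
        echo "core directory $dir does not exist" >&2
        return 2
    fi
    avail=$(free_mb "$dir")
    avail=${avail:-0}
    if [ "$avail" -lt "$need_mb" ]; then
        echo "$dir has ${avail} MiB free; need ${need_mb} MiB for core files" >&2
        return 1
    fi
    echo "$dir has ${avail} MiB free (threshold ${need_mb} MiB)"
    return 0
}

# Show the pattern currently in effect, when run on a Linux host.
current_core_pattern() {
    [ -r /proc/sys/kernel/core_pattern ] && cat /proc/sys/kernel/core_pattern
}
```

Run check_core_space against the pattern you intend to set; a non-zero return is the signal to pick a different destination (or clean it up) before a process cores there.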
676457-3 : TMM may consume excessive resource when processing compressed data
Solution Article: K52167636
676416-2 : BD restart when switching FTP profiles
Component: Application Security Manager
Symptoms:
Switching a virtual server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.
Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.
Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.
Workaround:
There is no workaround at this time.
Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.
676355-2 : DTLS retransmission does not comply with RFC in certain resumed SSL session
Component: Local Traffic Manager
Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.
Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.
Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.
Workaround:
None.
Fix:
The FINISHED messages are saved before transmitting the Cavium encrypted FINISHED message, and starting the DTLS re-transmit timer. When the re-transmit timer expires, the CCS plus FINISHED messages will be retransmitted.
676223-2 : Internal parameter in order not to sign allowed cookies
Component: Application Security Manager
Symptoms:
ASM TS cookies may get big (up to 4k).
Conditions:
Policy building is turned on (manual or automatic), and there are allowed cookies.
Impact:
This increases web site throughput.
Workaround:
N/A
Fix:
An internal parameter has been added to not sign allowed cookies.
676203-1 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
Component: TMOS
Symptoms:
TMM memory usage suddenly increases rapidly.
Conditions:
The inter-blade mpi connection fails and does not recover.
Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.
Workaround:
None.
Fix:
Inter-blade mpi connection now continues as expected, without memory issues.
676092-1 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
Fix:
The system now correctly handles these conditions so the issue no longer occurs.
676028-2 : SSL forward proxy bypass may fail to release memory used for ssl_hs instances
Solution Article: K09689143
Component: Local Traffic Manager
Symptoms:
TMM leaks memory used for ssl_hs instances when using SSL forward proxy when bypass is enabled.
Conditions:
-- The leak can be triggered by iRules, where a duplicate forward proxy lookup is initiated and interferes with the initial asynchronous lookup.
-- SSL Forward Proxy with SSL Forward Proxy Bypass are enabled.
Impact:
TMM will core after running out of memory, which impacts availability.
Workaround:
None.
Fix:
Resolved by preventing duplicate forward proxy lookup.
675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
Component: Policy Enforcement Manager
Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently if the requests from those flows are outstanding.
Conditions:
The HTTP request from the subscriber is outstanding when the new flow is triggered.
Impact:
The PEM insert content pem_action is enabled on multiple flows until the first response is received.
Fix:
The insert content action on new flows is now throttled to the periodic interval if the transaction is outstanding.
675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
Component: TMOS
Symptoms:
When creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the fifth guest and beyond get an error; however, they are deployed with a status of 'running'.
Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.
Impact:
5th guest and beyond result in an error.
Workaround:
There is no workaround other than not creating more than 4 'ssl-mode dedicated' vCMP guests when provisioning vCMP guests on the i5800 platform.
Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.
675866-1 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
Component: Access Policy Manager
Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.
Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.
Impact:
Cannot access the Kerberos-protected resources.
Workaround:
None.
Fix:
Kerberos SSO (S4U) tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.
675775-2 : TMM crashes inside dynamic ACL building session db callback
Component: Access Policy Manager
Symptoms:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time may cause TMM restart in dynamic ACL building session db callback.
Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Guard against NULL pointer dereference for dynamic ACL build.
675718-1 : IPsec keeps failing to reconnect
Component: TMOS
Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.
Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.
Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.
Workaround:
Manually delete the SA.
Fix:
Corrected an environmental problem with the racoon daemon.
675539-1 : Inter-system communications targeted at a Management IP address might not work in some cases.
Component: Global Traffic Manager (DNS)
Symptoms:
Inter-system communications fail to connect to a BIG-IP system using the Management IP address.
Conditions:
This occurs if the device connection is configured between a Self IP address on one BIG-IP system and the Management IP address on another.
This occurs because the big3d daemon acts as a proxy, listening on the Management IP address and will send proper SSL connections (using SNI) to TMM (since TMM does not listen on the Management IP address).
This is not an issue if either of the following is true:
-- The source of the connection is the Management IP address, in which case the connection is clear text (not SSL-encrypted, and thus does not use SNI).
-- The destination of the connection is a Self IP address, because TMM (via an iRule) handles the connection.
Impact:
Device sync operations do not work.
Workaround:
Do not use the Management IP address for between-device communications.
Fix:
The big3d proxy properly handles SSL SNI connections on the Management IP address.
675399-3 : Network Access does not work when empty variables are assigned for WINS and DNS
Solution Article: K14304639
Component: Access Policy Manager
Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.
Conditions:
If the admin configures empty values for WINS or DNS in the Variable Assign agent in the VPE.
Impact:
The system does not parse the XML tags correctly. Users may not be able to establish a VPN tunnel.
Workaround:
Do not leave the DNS or WINS values empty in the Variable assign Agent.
Fix:
APM now correctly handles the condition where an empty string is assigned for WINS and/or DNS in the Variable Assign policy agent.
675232-3 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
Component: Application Security Manager
Symptoms:
Errors encountered:
In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.
Impact:
The policy is created but the modify action cannot find the policy.
Workaround:
iApps are built to work with ASM Policy Templates.
A new ASM Policy Template can be created from the desired ASM Policy.
That can be done via the GUI and, starting from v13.0, via REST as well.
Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------
Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.
675212-3 : The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication
Component: Local Traffic Manager
Symptoms:
Under specific conditions, the BIG-IP system allows clients through (that otherwise should be rejected) as part of SSL Client Certificate Authentication.
Conditions:
This issue occurs when the Trusted Certificate Authority specified in the Client-SSL profile is expired.
Note: The client's certificate must be valid and trusted for the SSL handshake to continue.
This issue purely deals with how the BIG-IP system treats the validity period of the signing Certificate Authority.
Impact:
F5 has reviewed this issue and has not classified it as a Vulnerability. However, F5 recognizes this issue may have a Security Exposure depending on how the BIG-IP system is utilized.
Please observe that the issue here is not validation of the expiration time in the client's certificate. The issue here is handling of the expiration field in the certificate the BIG-IP system explicitly trusts, the so-called 'trust anchor'. In most cases, the trust anchor is a self-signed certificate.
It is important to understand that the expiration field in trust anchors has no clear meaning, and even utilities such as OpenSSL historically treated this field in different ways.
After completing its review, F5 has decided the correct and best behavior for the BIG-IP system is to reject the SSL handshake when the Trusted Certificate Authority has expired.
The impact of this issue will vary greatly based on your deployment and type of business. In most cases, continuing to allow clients through past the validity of the Certificate Authority may be the behavior you expect or one that carries no negative consequences.
However, if you obtained the Certificate Authority from a third party and expected the client certificates signed by that authority to stop working when its validity period expires, this will not happen because of this issue.
Workaround:
F5 recommends that you renew (or obtain renewed copies of) Certificate Authorities that are about to expire and that you want the BIG-IP system to continue trusting.
F5 recommends that you remove from the BIG-IP system Certificate Authorities that are about to expire and that you do not plan to renew or continue trusting.
This will ensure the BIG-IP system behaves optimally on versions affected by this issue.
Fix:
The BIG-IP system now correctly handles the validity period of Trusted Certificate Authorities used for SSL Client Certificate Authentication.
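The workaround above asks you to renew trust anchors that are about to expire and to remove the ones you no longer want trusted. As an added example (not F5's code or part of this release note), the POSIX shell function below splits a PEM CA bundle into individual certificates and flags those that have expired or will expire within a window, using 'openssl x509 -checkend'. It assumes openssl is on the PATH; the bundle path and the 30-day default window are assumptions.

```shell
#!/bin/sh
# Added example (not F5 code): flag trust anchors in a PEM CA bundle that have
# expired or will expire within a window, so they can be renewed or removed.
# Assumptions: openssl is on PATH; the bundle is a PEM file you exported from
# the BIG-IP (the path passed in is hypothetical).
#
# Usage: check_ca_bundle /path/to/ca-bundle.pem [window_seconds]
#   Prints one line per expiring certificate.
#   Returns 0 if none expire inside the window, 1 if some do, 2 on error.
check_ca_bundle() {
    bundle="$1"
    window="${2:-2592000}"          # default window: 30 days, in seconds
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate (cert001.pem, cert002.pem, ...).
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    found=0
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        # -checkend N exits non-zero when the certificate expires within N seconds
        # (N=0 means "already expired").
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            subj=$(openssl x509 -in "$f" -noout -subject)
            enddate=$(openssl x509 -in "$f" -noout -enddate)
            echo "EXPIRING: $subj; $enddate"
            found=1
        fi
    done
    rm -rf "$tmpdir"
    return "$found"
}
```

Run it periodically against the CA bundles referenced by your Client-SSL profiles; anything it lists is a trust anchor whose behaviour changes with this fix (from accepting to rejecting the handshake), so decide in advance whether to renew it or remove it.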
674931 : FPS modified responses/injections might result in a corrupted response
Component: Fraud Protection Services
Symptoms:
If a connection was congested and FPS tries to send additional egress (modifying the response, e.g., injections), the order in which the response is sent might break if this send succeeds (i.e., congestion has just ended). Instead of sending the buffered data first (the part of the response that was buffered due to congestion), FPS tries to send the new data first and only then sends the buffered data.
Conditions:
- congested connection
- FPS sends modified response (e.g. injections)
- sending egress succeeded (congestion ended)
Impact:
The response is corrupted: the order of the data has erroneously changed.
Workaround:
N/A
Fix:
FPS now handles this case correctly, first sending the buffered data and then the new egress.
674909-3 : Application CSS injection might not work as expected when connection is congested
Component: Fraud Protection Services
Symptoms:
Large CSS files configured for phishing protection injection in FPS may be truncated upon response to client.
Conditions:
-- Inject into Application CSS enabled in Anti-Fraud Profile :: Advanced :: Phishing Detection.
-- Large CSS file such as bootstrap files configured for Application CSS Locations.
-- Network congestion engaging TMM flow control.
Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. Application functionality might not work as expected.
Workaround:
You can use either of the following workarounds:
-- Remove affected large files from Application CSS Locations.
-- Disable Inject into Application CSS entirely.
Fix:
FPS now handles the case where injecting to application CSS is interrupted by congestion.
674795-1 : tmsh help/man page incorrectly states that the urldb feedlist polling interval is in seconds, when it should be hours.
Component: Traffic Classification Engine
Symptoms:
The tmsh help/man page incorrectly states that the urldb feedlist polling interval is in seconds. In fact, it is in hours.
Conditions:
-- Viewing tmsh help/man page.
-- Searching for urldb feedlist polling interval.
Impact:
Note that the interval described is in hours instead of seconds.
Workaround:
None.
Fix:
tmsh help/man page now correctly states that the urldb feedlist polling interval is in hours.
674747-2 : sipdb cannot delete custom bidirectional persistence entries.
Solution Article: K30837366
Component: Service Provider
Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.
Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.
Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted, however.
Workaround:
None.
Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.
674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow
Component: Policy Enforcement Manager
Symptoms:
If an outstanding flow with a periodic insertion pem_action is very long, it prevents a new flow matching the same rule from adding the insert content pem_action, even for a new periodic interval.
Conditions:
The outstanding flow with the insert content pem_action spans multiple periodic intervals.
Impact:
No content insertion occurs for new flows matching the same rule as the long flow while the long flow is outstanding.
Workaround:
Long flows and short flows need to have separate rules configured.
Fix:
New flows now add content insertion if the new flow request falls in a new periodic interval.
674593-1 : APM configuration snapshot takes a long time to create
Component: Access Policy Manager
Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.
notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up
Conditions:
The issue happens if an access profile contains many resources; the resulting configuration snapshot will have even more configuration variables.
Impact:
TMM will run out of memory if the issue persists. Users will not be able to log in due to a 'profile not found' error similar to the following:
err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found
Workaround:
None.
Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.
674591-2 : Packets with payload smaller than MSS are being marked to be TSOed
Solution Article: K37975308
Component: Local Traffic Manager
Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops them, degrading performance.
Conditions:
When TM.TcpSegmentationOffload is enabled, packets with length less than the MSS are sent as TSO packets.
Impact:
TCP Packets are dropped.
Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.
Fix:
Packets less than MSS are not sent as TSO packets, so there is no performance degradation.
674576-4 : Outage may occur with VIP-VIP configurations
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.
Conditions:
VIP-VIP configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround at this time.
Fix:
TMM no longer produces a core with a 'no trailing data' assert.
674527-1 : TCL error in ltm log when server closes connection while ASM irules are running
Component: Application Security Manager
Symptoms:
TCL error in ltm log, for example:
TCL error: /Common/bug <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error. invoked from within "ASM::severity"
Conditions:
1. ASM irules are attached.
2. One request has already been passed to the web server.
3. Server closes connection.
Impact:
Error in ltm log.
674515 : New revoke license feature for VE only implemented
Component: TMOS
Symptoms:
Prior to this version, the license revoke feature was not implemented/available.
Conditions:
Without revoke implemented, the feature is simply not available.
Impact:
Licenses cannot be revoked and hence cannot be re-used.
Fix:
With this feature implemented, VE licenses can be revoked and then re-used on a different VE.
674494-1 : BD memory leak on specific configuration and specific traffic
Solution Article: K77993010
Component: Application Security Manager
Symptoms:
RSS memory of the bd grows.
Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.
Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.
Workaround:
None.
Fix:
The remote logger data is now freed when the system decides not to log remotely.
674486-5 : Expat Vulnerability: CVE-2017-9233
Solution Article: K03244804
674455-7 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
Component: TMOS
Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.
Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r
Impact:
Serial console baud rate settings are incorrect; the console uses the BIOS baud rate.
Workaround:
When booting, edit the grub kernel line to include console=ttyS0.
Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.
Fix:
tmidiag has been fixed to not strip out console=ttyS0.
674410-3 : AD auth failures due to invalid Kerberos tickets
Solution Article: K59281892
Component: Access Policy Manager
Symptoms:
Users cannot log in.
Conditions:
- An AAA AD server is configured on the BIG-IP system.
- An AD Auth/Query agent is used in the Access Policy.
- The cached Kerberos ticket is invalid, or the backend AD server is not reachable for some reason.
Impact:
AD Auth/Query fails. APM end user won't be able to take successful branch in Access Policy.
Workaround:
None.
Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.
674367-1 : SDD v3 symmetric deduplication may stop working indefinitely
Solution Article: K20983428
Component: Wan Optimization Manager
Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may stop working indefinitely.
Conditions:
This issue occurs when all of the following conditions are met:
1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) Applications configured to benefit from symmetric deduplication are actively passing traffic.
4) Both BIG-IP HA pairs (the near and far sides) are failed over concurrently (although in more rare cases, even failing over a single pair is sufficient to reproduce the issue).
Impact:
Applications no longer benefit from symmetric deduplication, increasing the amount of data transmitted over the WAN.
Workaround:
Restarting the services on all BIG-IP units involved in the topology (without performing additional failovers after they return on-line) restores symmetric deduplication functionality. This will cause some downtime.
Fix:
Performing failovers in AAM environment no longer breaks SDD v3 symmetric deduplication.
674320-2 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems
Solution Article: K11357182
Component: TMOS
Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:
notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59
Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)
Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).
Impact:
Configuration on peer systems in a device group does not get saved after a sync.
Workaround:
Manually save the configuration on peer systems after a sync.
Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.
674288-2 : FQDN nodes - monitor attribute doesn't reliably show in GUI
Solution Article: K62223225
Component: TMOS
Symptoms:
When creating more than one node with FQDN configured with monitors, monitors are not displayed in the GUI properly.
Conditions:
Create more than one node with FQDN configured.
Impact:
The previously created FQDN node does not display monitors in the GUI. However, the subsequently created FQDN node does display the correct monitors.
Workaround:
Use tmsh to view monitors for Nodes with FQDN configured.
Fix:
Node page now displays the correct monitors for nodes configured with FQDN.
674189 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
Solution Article: K52320548
674145-3 : chmand error log message missing data
Component: TMOS
Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.
Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP
The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.
Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.
Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.
Fix:
The expected data values are properly printed in the log message.
674004-1 : tmm may crash after deleting a pool member that is processing traffic
Solution Article: K34448924
Component: Local Traffic Manager
Symptoms:
tmm may crash after deleting a pool member that is processing traffic.
Conditions:
-- Two or more pools share the same node as pool member.
-- A pool member (with the shared node) is deleted while traffic is passing.
-- A One-Connect profile is configured on the virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes after deleting a pool member while traffic is passing.
673974-1 : agetty auto detects parity on console port incorrectly
Solution Article: K63225596
Component: TMOS
Symptoms:
With a BIG-IP system configured for a console baud rate that is different from the baud rate of the serial terminal that is plugged in to the console port, the system returns garbled characters on the screen. Changing the terminal setting to match the console baud rate has no effect after that: the BIG-IP system continues to send garbage.
Conditions:
-- BIG-IP system with a console at a certain baud rate.
-- Plug in a serial terminal with a different baud rate.
-- Press Enter several times.
Impact:
The parity detection code selects the wrong setting, leaving the console port unusable until reboot of the BIG-IP system, or after killing and restarting agetty.
Workaround:
To recover from this condition, log on to the BIG-IP system via ssh, force parity off, and kill the agetty process (assuming the console is not logged in, and is therefore running agetty).
via ssh:
# stty -F /dev/ttyS0 -parenb ; killall agetty
However, this is not an ideal workaround, as a frequent reason to use the serial console is lack of network access to the device.
In that situation, you can log on by setting the terminal to Mark parity (8 data bits, Mark parity, 1 stop bit).
Note: There is no way to mitigate the issue from the console connection itself, as agetty doesn't run while the console is logged in.
You can also reboot the BIG-IP system, reset the terminal speed on the laptop to match the console speed set on the BIG-IP system, and reconnect the laptop.
Fix:
This issue has been corrected.
673951-4 : Memory leak when using HTTP2 profile
Solution Article: K56466330
Component: Local Traffic Manager
Symptoms:
Memory continues to grow despite reduced volume of traffic. Large number of spdy_frame and xdata allocated.
Conditions:
Virtual server configured with HTTP2 profile.
Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.
Workaround:
None.
Fix:
Virtual server configured with HTTP2 profile no longer leaks memory.
673842-3 : VCMP does not follow best security practices
Solution Article: K01413496
673814-4 : Custom bidirectional persistence entries are not updated to the session timeout
Solution Article: K37822302
Component: Service Provider
Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.
Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.
Impact:
The persistence timeout will prematurely time out.
Workaround:
Set the transaction timeout to the session timeout value.
Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.
673748-1 : ng_export, ng_import might leave security.configpassword in invalid state
Solution Article: K19534801
Component: Access Policy Manager
Symptoms:
If import/export of Access Profile or Access Policy results in an error, security.configpassword may retain temporary not <null> state, which can cause problems when the config is saved or loaded using the sys save config or sys load config commands.
Conditions:
Import or export of Access Profile or Access Policy fails with an error.
Impact:
Passwords in .conf might get mangled.
Workaround:
Set the security.configpassword db variable using the following command:
modify sys db security.configpassword value "<null>"
Fix:
Error handling for access policy import failures has been improved.
673717-1 : VPE loading times can be very long
Component: Access Policy Manager
Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.
Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.
Impact:
Policies with thousands of entries can take tens of seconds or more to load.
Workaround:
None.
Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.
673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
Component: Policy Enforcement Manager
Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.
Conditions:
When a subscriber action list has Insert Content added and the pem and classification profiles are detached and re-attached to the Listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.
Impact:
The periodic insert content action fails to insert the content.
Workaround:
Delete and recreate the subscriber for which the insert content action is no longer working.
Fix:
For subscriber content insertion record lookup, the system now uses the correct session ID storage associated with the subscriber.
673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
Component: Policy Enforcement Manager
Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.
Conditions:
When a subscriber's action list has an Insert Content action, and the request/response for that HTTP transaction is interleaved by another subscriber's request, periodic insertion may fail. This happens when more than one subscriber is using the same policy rule.
Impact:
The periodic Insert Content action fails to insert the content.
Workaround:
Delete and recreate the subscriber for which the Insert Content action is no longer working.
Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.
673621-2 : Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
Component: Local Traffic Manager
Symptoms:
Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
Conditions:
Set ca-file to 'none' in the clientssl profile.
Impact:
Chain is still sent.
Workaround:
None.
Fix:
Chain certificate is no longer sent to the client when both ca-file and chain certificate are removed from the clientssl profile.
673607-2 : Apache CVE-2017-3169
Solution Article: K83043359
673595-2 : Apache CVE-2017-3167
Solution Article: K34125394
673484-1 : IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
Solution Article: K85405312
Component: TMOS
Symptoms:
IPsec IKEv2 tunnels cannot be established when the remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child Security Association (SA) establishment. This parameter is commonly sent by ASA devices.
Conditions:
-- IPsec IKEv2 with ASA peer.
-- Remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child SA establishment.
Impact:
IKEv2 IPsec tunnels cannot be established with ASA peer.
Workaround:
Use IKEv1.
Fix:
During IPsec IKEv2 child SA establishment, the BIG-IP will ignore the NON_FIRST_FRAGMENTS_ALSO notification and will continue to establish the SA.
673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber
Component: Policy Enforcement Manager
Symptoms:
Immediately after the classification rule associated with a static subscriber is updated, if the action list has an Insert Content action, the first periodic insert content action fails for those subscribers. Subsequent Insert Content actions proceed as expected.
Conditions:
Update of the classification rule associated with the subscribers.
Impact:
The first periodic Insert Content action immediately following the update of the classification rule fails.
Workaround:
Running 'bigstart restart tmm' after updating the classification rule with an Insert Content action fixes the issue.
Fix:
The record count associated with the subscriber is now updated during eval.
673463-2 : SDD v3 symmetric deduplication may start performing poorly after a failover event
Solution Article: K68275280
Component: Wan Optimization Manager
Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may start performing poorly for some file transfers.
Conditions:
This issue occurs when all of the following conditions are met:
1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) The far side BIG-IP HA configuration (from the perspective of the client performing the download) is failed over.
4) Clients attempt to download files that had previously been transferred through the BIG-IP units.
Impact:
Symmetric deduplication is severely impacted (virtually no hits) for files that had previously been transferred through the units. This causes the amount of data transmitted over the WAN to increase. Files that were not transferred previously through the units are not affected by this issue.
Workaround:
To eliminate the impacted symmetric deduplication condition, restart the receiving (i.e., the near) side.
Fix:
SDD v3 symmetric deduplication no longer performs poorly after a failover event.
673399-1 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
Component: Local Traffic Manager
Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. Subsequent GET request from client is dropped.
Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. Subsequent GET request from client is dropped.
Impact:
Connection is reset.
Workaround:
Disable Websockets profile on the virtual server.
Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.
673165 : CVE-2017-7895: Linux Kernel Vulnerability
Solution Article: K15004519
673129 : New feature: revoke license
Solution Article: K41458656
Component: TMOS
Symptoms:
A different license is required for each Virtual Edition (VE) instance.
Conditions:
Creating new instances of VE.
Impact:
Cannot reuse an existing VE license.
Workaround:
None.
Fix:
For Virtual Edition (VE) BIG-IP systems, licenses can now be reused by other VE instances by revoking an active license on one and installing it on another.
Behavior Change:
Revoke license is a new feature so that licenses can be reused for other virtual edition configurations.
To revoke a license using tmsh, run the following command:
tmsh revoke sys license registration-key <reg-key-number>
The system responds with the following confirmation prompt:
Revoking the license will return this BIG-IP to an unlicensed state. It will stop processing traffic. Are you sure? Y/N:
When you type y, the system revokes the license and returns a response similar to the following:
License successfully revoked
[root@bigip11:LICENSE INOPERATIVE:Standalone] config # Jul 17 12:04:28 bigip11 emerg mcpd[5144]: 01070608:0: License is not operational (expired or digital signature does not match contents).
673078-1 : TMM may crash when processing FastL4 traffic
Solution Article: K62712037
673075-1 : Reduced Issues for Monitors configured with FQDN
Component: Local Traffic Manager
Symptoms:
Monitors configured using FQDN might experience several edge cases in some deployment environments. For example, you might experience issues with FQDN-configured monitors when used in environments with volatile/unstable DNS servers, or when the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'. In such cases, the monitor may experience a delay in rotating to the next available DNS server. This is due to complex edge cases that exist within the initial FQDN monitor implementation, where anomalous behavior is aggravated by some network configurations.
Conditions:
Monitors are configured using FQDN, and one or more environment conditions exist, such as unstable DNS servers (i.e., 'flapping' DNS), or a network configuration that causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'.
Impact:
The monitor will not be updated with information from the (new) DNS server when the previous DNS server becomes unavailable. Other monitor behavior will continue to function normally.
Workaround:
In some cases the network configuration can be changed to avoid these edge cases, such as ensuring stable DNS servers with only periodic rollovers to backup DNS servers, and ensuring ICMP packets are routable back to 'bigd'. Alternatively, monitors may be configured without using FQDN.
Fix:
Monitors configured using FQDN behave as expected in volatile environments, such as those with flapping DNS servers and where ICMP packets for unreachable DNS servers are non-routable back to 'bigd'.
673052-2 : On i-Series platforms, HTTP/2 is limited to 10 streams
Component: Local Traffic Manager
Symptoms:
On i-Series platforms, HTTP/2 is limited to 10 streams by licensing.
"HTTP2 limited to 10 concurrent streams: Web Accelerator feature not licensed." appears in /var/log/ltm
Conditions:
Using an i-Series platform where WAM is unlicensable.
Impact:
HTTP/2 performance may be less than desired.
Fix:
It is possible to configure HTTP/2 with more than 10 streams on i-Series platforms.
672988-2 : MCP memory leak when performing incremental ConfigSync
Solution Article: K03433341
Component: TMOS
Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be observed with the tmctl utility by watching the umem_alloc_80 cache over time.
This leak occurs on the device that is sending the configuration.
Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.
Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.
Workaround:
None.
Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.
672868-1 : Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
Component: Access Policy Manager
Symptoms:
Portal Access server-side JavaScript parser may work incorrectly if JavaScript code includes non-whitespace control characters inside text constants.
Conditions:
JavaScript code with non-whitespace control characters (0x00..0x08, 0x0E..0x1B, 0x7F..0x9F) inside text constants.
Impact:
Web application may not work correctly.
Workaround:
There is no workaround at this time.
Fix:
Now JavaScript code with non-whitespace control characters can be processed by Portal Access.
672818-2 : When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
Component: Access Policy Manager
Symptoms:
When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established.
Conditions:
-- Install Traditional Chinese Windows.
-- Change the 'Region and Language' setting format to Simplified Chinese.
-- Edge Client or browser.
Impact:
Cannot establish VPN.
Workaround:
There is no workaround if the 'Region and language' setting must be Simplified Chinese.
Fix:
VPN can now be established when 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows.
672815-2 : Incorrect disaggregation on VIPRION B4200 blades
Component: TMOS
Symptoms:
During startup of the bcm56xxd daemon, the LTM log shows BCM SDK errors containing the string 'SDK error Invalid parameter'. IP fragments fail to be reassembled. The reassembly time out triggers and the flow is killed.
Conditions:
-- After startup as long as the SDK errors occur.
-- Running on VIPRION B4200 blades.
Impact:
TCP connections and UDP datagrams which have fragmented packets are killed or dropped.
Workaround:
There is no workaround that will process fragments correctly.
Fix:
Incorrect disaggregation on VIPRION B4200 blades has been corrected.
672695-1 : Internal perl process listening on all interfaces when ASM enabled
Component: Application Security Manager
Symptoms:
ASM configuration processes are available on unprotected network interfaces.
Conditions:
ASM is provisioned.
Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance.
Workaround:
None.
Fix:
The ASM-config Event Dispatcher now listens only on protected interfaces.
672667-4 : CVE-2017-7679: Apache vulnerability
Solution Article: K75429050
672504-1 : Deleting zones from large databases can take excessive amounts of time.
Solution Article: K52325625
Component: Global Traffic Manager (DNS)
Symptoms:
When deleting a zone or a large number of Resource Records, zxfrd can run at 100% CPU for a long time.
Conditions:
With a significantly sized database, deletes might be very time-intensive.
Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests.
Workaround:
None.
Fix:
The deletion algorithm has been dramatically improved, removing the significant delay in deletions.
672491-2 : net resolver uses internal IP as source if matching wildcard forwarding virtual server
Solution Article: K10990182
Component: Global Traffic Manager (DNS)
Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.
Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.
Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.
Impact:
Failed DNS queries as a result of incorrect source IP address.
Workaround:
None.
Fix:
This issue was resolved by ensuring that listener lookup only matches exact IP addresses, not wildcards.
672312-2 : IP ToS may not be forwarded to serverside with syncookie activated
Component: Local Traffic Manager
Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.
Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.
Impact:
IP ToS header is not forwarded to the serverside.
Workaround:
None.
Fix:
The BIG-IP system now forwards IP ToS in syncookie mode.
672301-2 : ASM crashes when using a logout object configuration in ASM policy
Component: Application Security Manager
Symptoms:
The bd daemon crashes and writes a core file in the /shared/core directory.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.
Impact:
System goes offline for a few seconds, failover occurs.
Workaround:
Remove logout object configuration from ASM policy.
Fix:
The system now handles this condition.
672250-1 : SessionDB update from ApmD with large volume fails
Component: Access Policy Manager
Symptoms:
While writing large amounts of data to sessionDB using memcache API, the write operation fails with partial write.
Conditions:
Writing large volumes of data to SessionDB via the memcache API.
Impact:
All worker threads performing authentication eventually get locked down. Session watchdog thread eventually makes a forced abort to recover from the situation. ApmD restarts in this situation.
Workaround:
Control write to sessionDB with a smaller data size.
Fix:
Partial write failure has been fixed, by writing remaining part(s) of query results in several iteration(s), until entire result is written.
672221 : TMM cores if the certificate configured to validate message signature does not exist.
Component: Access Policy Manager
Symptoms:
TMM cores if the SAML message signature verification certificate cannot be found in the configuration.
Conditions:
-- SAML is configured with an invalid certificate in the message signature validation setting.
-- The control-plane is unable to detect such misconfiguration.
Note: This is an unlikely occurrence if the usual control-plane is used to configure the SSO/SAML object. In this particular case, the certificate-key was passed in as the certificate which triggered a certificate-not-found error.
Impact:
The issue can lead to momentary service interruption. Traffic disrupted while tmm restarts.
Workaround:
Make sure the certificate configured for use with the SAML message signature verification is correctly configured and the configuration loads successfully.
672124-3 : Excessive resource usage when BD is processing requests
Solution Article: K12403422
672063-1 : Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.
Solution Article: K38335326
Component: TMOS
Symptoms:
Misconfigured GRE tunnel and route objects on the BIG-IP system might cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.
The following is an example to illustrate how misconfiguration can lead to an ill-formed routing loop inside the TMM.
net tunnels tunnel gre1 {
if-index 5472
local-address 10.10.0.1
mtu 1400
profile gre
remote-address 10.20.0.1
}
net self 10.9.0.1/24 {
address 10.9.0.1/24
traffic-group traffic-group-local-only
vlan gre1
}
net route 10.20.0.0/24 {
interface /Common/gre1
network 10.20.0.0/24
}
In the above example, if a packet is destined for the network 10.20.0.0/24, the packet is sent over the GRE tunnel for encapsulation. After encapsulation, the destination address of the encapsulated packet is 10.20.0.1 (i.e., tunnel's remote-address) which matches the configured route again. As a result, the encapsulated packet is fed to the tunnel again and this process repeats to form a routing loop inside the TMM.
Conditions:
Misconfigured GRE tunnel and route objects, leading to an ill-formed routing loop inside the TMM. Please refer to the above example for an illustration.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
This issue is caused by misconfiguration which can be avoided. The recommendation is to examine the configuration, making sure that it does not lead to an ill-formed routing loop inside the TMM.
Fix:
The TMM has been enhanced to detect an ill-formed single-level routing loop in a tunnel setting (e.g., refer to the above example). When an ill-formed single-level routing loop is detected in a tunnel setting, the packets will be dropped and the TMM no longer crashes, and the following message is also logged in /var/log/ltm:
Tunnel output has a potential loop for remote endpoint <IP address>, tunnel name = <name>.
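As an added illustration of the single-level loop check the fix describes (example code, not BIG-IP's own): the constructed tunnel and route objects below mirror the configuration in this entry, and a longest-prefix route lookup for each tunnel's remote-address reveals whether the encapsulated packet would be routed back into the same tunnel. The VLAN name "external" in the corrected layout is an assumption, and the check also covers a default route that points into the tunnel.

```python
import ipaddress

# Constructed objects modelled on the tunnel and route config in this entry
# (added example, not BIG-IP code). Tunnels map name -> endpoints; routes map
# destination network -> egress interface (a tunnel or a VLAN).
TUNNELS = {
    "gre1": {"local-address": "10.10.0.1", "remote-address": "10.20.0.1"},
}

# The looping layout from the entry: the encapsulated packet's destination,
# 10.20.0.1, is covered by the very route that points into gre1.
LOOPING_ROUTES = {
    "10.20.0.0/24": "gre1",
}

# A corrected layout: a more specific route carries the tunnel endpoint over a
# physical VLAN ("external" is an assumed name), so the encapsulated packet
# never re-enters the tunnel.
FIXED_ROUTES = {
    "10.20.0.0/24": "gre1",
    "10.20.0.1/32": "external",
}


def lookup_route(routes, address):
    """Longest-prefix-match lookup; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net_str, iface in routes.items():
        net = ipaddress.ip_network(net_str, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def find_tunnel_loops(tunnels, routes):
    """Names of tunnels whose encapsulated output (destined to the tunnel's
    remote-address) would be routed straight back into the same tunnel.
    This is the single-level loop the fix detects; a default route via the
    tunnel is caught by the same lookup."""
    looping = []
    for name, tun in tunnels.items():
        match = lookup_route(routes, tun["remote-address"])
        if match is not None and match[1] == name:
            looping.append(name)
    return looping


def loop_messages(tunnels, routes):
    """Render the log line format quoted in the fix for each loop found."""
    return [
        "Tunnel output has a potential loop for remote endpoint "
        f"{tunnels[name]['remote-address']}, tunnel name = {name}."
        for name in find_tunnel_loops(tunnels, routes)
    ]


if __name__ == "__main__":
    for msg in loop_messages(TUNNELS, LOOPING_ROUTES):
        print(msg)
    print(find_tunnel_loops(TUNNELS, FIXED_ROUTES))
```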
672040-3 : Access Policy Causing Duplicate iRule Event Execution
Component: Access Policy Manager
Symptoms:
iRule event gets triggered twice in clientless mode when access policy is executed.
Conditions:
This only occurs when using iRule in clientless-mode.
Impact:
HTTP_REQUEST event is logged twice in /var/log/ltm.
See below example:
when HTTP_REQUEST {
    HTTP::header insert {clientless-mode} 1
    # Initialize the counter on first use; iRule variables are per-connection.
    if {![info exists myCount]} { set myCount 0 }
    set myCount [expr {$myCount + 1}]
    log local0. "Count is $myCount"
}
LTM logs:
-----------
Jul 3 12:29:35 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 1
Jul 3 12:29:36 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 2
When this iRule is used, you will see duplicate HTTP_REQUEST entries with an increased count in the logs. If this count is used in further calculations, it gives an incorrect result.
Fix:
HTTP_REQUEST iRule event is no longer executed multiple times when using APM clientless-mode.
672008-1 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
Solution Article: K22122208
Component: Local Traffic Manager
Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when clock rolls over to 1,000,000 microseconds exactly. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.
Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00
Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.
Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.
Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.
Fix:
The timestamp field is now formatted correctly for microseconds and seconds values. Seconds now correctly increment when microseconds equal 1,000,000.
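The microsecond carry the fix describes, as an added example (not BIG-IP's syslog code): the first function normalizes a seconds/microseconds pair before formatting an RFC 5424 timestamp, and the second is the kind of shape check a collector could use to flag a timestamp like the malformed one above. The epoch value and the constructed timestamps are assumptions based on this entry's example.

```python
import re
from datetime import datetime, timedelta, timezone

USEC_PER_SEC = 1_000_000

# Shape of an RFC 5424 TIMESTAMP: date 'T' time, an optional fraction of one
# to six digits, then 'Z' or a +/-hh:mm offset. A NUL byte (or a seventh
# fraction digit) inside the fraction makes the match fail.
RFC5424_TIMESTAMP = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$"
)


def normalize(seconds, microseconds):
    """Carry overflowing microseconds into seconds, so (s, 1_000_000)
    becomes (s + 1, 0) instead of a seven-digit fraction."""
    carry, microseconds = divmod(microseconds, USEC_PER_SEC)
    return seconds + carry, microseconds


def format_rfc5424(epoch_seconds, microseconds, utc_offset_minutes):
    """Render an RFC 5424 timestamp with microsecond precision and a
    numeric UTC offset such as -07:00."""
    sec, usec = normalize(epoch_seconds, microseconds)
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    stamp = datetime.fromtimestamp(sec, tz).replace(microsecond=usec)
    return stamp.isoformat(timespec="microseconds")


def is_well_formed(timestamp):
    """True if the timestamp has a valid RFC 5424 shape; False for the
    NUL-bearing value in the entry above, which many collectors reject."""
    return RFC5424_TIMESTAMP.fullmatch(timestamp) is not None


# Constructed values: the epoch second is 2003-08-24T05:14:14-07:00, the
# second before the correct timestamp shown in this entry.
EPOCH_BEFORE_ROLLOVER = 1061727254
MALFORMED_SAMPLE = "2003-08-24T05:14:14.100000\x00-07:00"

if __name__ == "__main__":
    print(format_rfc5424(EPOCH_BEFORE_ROLLOVER, USEC_PER_SEC, -7 * 60))
    print(is_well_formed(MALFORMED_SAMPLE))
```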
671999-2 : Re-extract the Thales software every time the installation script is run
Component: Local Traffic Manager
Symptoms:
If Thales has already been installed on the BIG-IP system, installing a new version does not overwrite the existing installed version.
Conditions:
/shared/nfast exists on the BIG-IP system before installing the Thales client software.
Impact:
The old version of the software will be used in the installation operation, instead of the expected new version of the software.
Workaround:
You can use either or both of the following workarounds before running the installation script:
-- Run the uninstallation script.
-- Delete the /shared/nfast folder.
Fix:
The Thales installation script now always extracts the Thales software in /shared/thales_install and overwrites the /shared/nfast directory.
Behavior Change:
Thales HSM installation script always overwrites the /shared/nfast directory.
671935-2 : Possible uneven ephemeral port reuse.
Component: Local Traffic Manager
Symptoms:
When selecting server-side source ports, the BIG-IP system favors ephemeral ports in the upper range.
Conditions:
In many cases, the BIG-IP system needs to select a source port for the server-side flow that is different from the source port selected by the client.
This is always the case when the virtual server's 'source-port' option is set to 'change'.
Impact:
If connections on the servers are in the TIME_WAIT state and connection recycling is not configured, the servers may reset those connections that reused a source port too quickly.
Workaround:
Modify the virtual server's 'source-port' option to 'preserve'.
This will reduce the need to find suitable source ports for the server-side by the BIG-IP system.
Fix:
When searching for an available source port, and wrapping into the privileged port range (<1024), the BIG-IP system now performs a small jump out of that range, thus not going into the upper range unnecessarily.
671920-1 : Accessing SNMP over IPv6 on non-default route domains
Component: TMOS
Symptoms:
The SNMP daemon cannot send traps to a non-default route domain destination. However, it can respond to SNMP requests from a client that is accessed through a non-default route domain path for IPv4. For IPv6 this does not work.
Conditions:
SNMP access over IPv6 on a client accessed through a non-default route domain does not work.
Impact:
Access to SNMP must be through default route domain for IPv6.
Fix:
With this bug fix you can access SNMP from an IPv6 client on a non-default route domain. There is no plan to allow traps to be delivered to destinations on a non-default route domain.
671741-4 : LCD on iSeries devices can lock at red 'loading' screen.
Component: TMOS
Symptoms:
Under stress conditions, the LCD on iSeries devices can lock at the red 'loading' screen.
Conditions:
-- iSeries platforms.
-- Device under stress.
Impact:
LCD on iSeries devices can lock at red 'loading' screen. Appliance power cycle is required to correct the error.
Workaround:
None. You must power cycle the device to correct the condition.
Fix:
This issue is resolved.
671725-1 : Connection leak on standby unit
Solution Article: K19920320
Component: Local Traffic Manager
Symptoms:
High connection count on standby unit.
Conditions:
-- High availability (HA) configuration.
-- Virtual server that has the attribute 'spanning enabled'.
Impact:
Flow leak on Next Active action.
Workaround:
None.
Fix:
Connection leak on standby unit no longer occurs under these conditions.
671714-2 : Empty persistence cookie name inserted from policy can cause TMM to crash
Component: Local Traffic Manager
Symptoms:
Empty persistence cookie name inserted from policy can cause TMM to restart.
Conditions:
Empty persistence cookie name is used in a policy definition.
A connection is made that uses the policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a non-empty persistence cookie name in the policy definition.
Fix:
Empty persistence cookie name inserted from policy no longer causes TMM to restart.
671712 : The values returned for the ltmUserStatProfileStat table are incorrect.
Component: TMOS
Symptoms:
An SNMP table entry intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.
Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.
Impact:
Incorrect data returned in SNMP walk of LTM profile table.
Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.
Fix:
The values in the ltmUserStatProfileStat table are always correct.
671675-1 : Centralized Management Infrastructure: asm_config_server restart on device group change
Component: Application Security Manager
Symptoms:
If a device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group, the ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if the device returns to the original device group.
Conditions:
A device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group.
Impact:
The ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if the device returns to the original device group.
Workaround:
Wait 30 seconds after leaving an ASM sync enabled device group before joining a different one.
Fix:
Successive changes to ASM sync enabled device group are handled correctly.
671638-4 : TMM crash when load-balancing mptcp traffic
Solution Article: K33211839
671627-1 : HTTP responses without body may contain chunked body with empty payload when processed by Portal Access.
Solution Article: K06424790
Component: Access Policy Manager
Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.
Conditions:
HTTP response without body is processed by Portal Access.
Impact:
Most browsers ignore invalid 'Transfer-Encoding' header and/or body for responses which must not include body at all. And yet, some traffic validators may refuse to pass invalid responses.
Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.
Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.
671597-1 : Import, export, copy and delete is taking too long on 1000 entries policy
Component: Access Policy Manager
Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.
Conditions:
When an access policy has 1000+ entries.
Impact:
Import, export and copy are abandoned or fail due to an out-of-memory condition.
Workaround:
Use ng_export, ng_import and ng_profile rather than the UI to import/export.
Fix:
ng_export is now 5 times faster.
ng_import and ng_profile are 50 times faster, because denormalisation is avoided and the code has been optimised.
ng_export should still be run from the console.
671498-3 : BIND zone contents may be manipulated
Solution Article: K02230327
671497-4 : TSIG authentication bypass in AXFR requests
Solution Article: K59448931
671447-2 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
Component: TMOS
Symptoms:
When using a BIG-IP system configured in an IS-IS network; adjacencies may fail to form with other vendor devices.
Conditions:
-- BIG-IP configured to participate as a peer in an IS-IS network.
-- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)
Impact:
IS-IS adjacencies may not form.
Workaround:
None.
Fix:
The BIG-IP system now uses a correct SystemID length in the Restart TLV.
671373-2 : urldb core seen
Component: Access Policy Manager
Symptoms:
Due to having multiple threads, terminating and destroying the database can cause the crash. The main thread does not wait for others to exit before trying to destroy the database.
Conditions:
SWG is provisioned and re-provisioned after the config has loaded.
Note: This core is very rare (it is intermittent and timing-dependent).
Impact:
urldb cores. Since it was in the process of being shut down for the re-provisioning anyway, this has little to no impact.
Workaround:
There is no workaround at this time.
Fix:
urldb no longer cores when SWG is provisioned and re-provisioned after the config has loaded.
671337-1 : NetHSM DNSSEC key creation can attempt to change the SELinux label on a file
Component: Local Traffic Manager
Symptoms:
A log message such as type=AVC msg=audit(1498506868.354:3786): avc: denied { relabelfrom } for pid=7567 comm="mv" name="_Common_zsk_127000B6DC9454EACB50A1FD2073C5F5314F.key" dev="dm-15" ino=80012 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:mcpd_tmp_t:s0 tclass=file
can appear in the logs.
Conditions:
A NetHSM DNSSEC key is created in a temporary directory, and the script tries to change the SELinux label on the file without the required permission.
Impact:
An SELinux error will be logged.
Fix:
The NetHSM script, run via MCPD, is now allowed to relabel the files.
671326-2 : DNS Cache debug logging might cause tmm to crash.
Solution Article: K81052338
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache debug logging might cause tmm to crash.
Conditions:
This occurs when the following conditions are met:
-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.
Fix:
DNS Cache debug logging no longer causes tmm to crash.
671314-4 : BIG-IP system cores when sending SIP SCTP traffic
Solution Article: K37093335
Component: TMOS
Symptoms:
Virtual servers with an SCTP profile and a SIP message-routing profile may crash the TMM.
Conditions:
This flaw affects virtual servers that pass SCTP traffic, where the SIP message-routing profile has the record-route option enabled.
Impact:
TMM crashes and fails over, disrupting traffic processing. Traffic disrupted while TMM restarts.
Workaround:
Remove the record-route option, or change the traffic to use TCP or UDP instead of SCTP.
Fix:
This crash has been fixed.
671228-1 : Multiple FQDN ephemeral nodes may be created with autopopulate disabled
Component: Local Traffic Manager
Symptoms:
Multiple FQDN ephemeral nodes may be created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records for the FQDN, and bigd is restarted.
Conditions:
This may occur when:
1. An FQDN node is configured with autopopulate disabled.
2. The DNS server returns multiple address records for the FQDN.
3. There is a pool configured to use the FQDN node.
4. bigd is restarted (such as when the system goes offline or tmm restarts).
Impact:
Multiple FQDN ephemeral nodes may be created unexpectedly.
Workaround:
Configure the FQDN node with autopopulate enabled.
Fix:
Multiple FQDN ephemeral nodes are no longer created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records, and bigd is restarted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
671149-3 : Captive portal login page is not rendered until it is refreshed
Component: Access Policy Manager
Symptoms:
Sometimes Edge Client shows an error page for captive portal-redirected URLs.
Conditions:
Some captive portal pages use cloud-based authentication and network management. Such captive portals rely on several HTTP redirects and/or HTML (auto-refresh). Sometimes Edge Client fails to download the page/content from the redirected URL. In such scenarios, a full browser re-attempts and successfully downloads and displays the page, but Edge Client does not re-attempt and shows an error page.
Impact:
For the locked client, an APM end user has no access to the internet until captive portal authentication is performed and the Network Access (VPN) tunnel is created.
Workaround:
None.
Fix:
Edge Client now has a retry mechanism to access and display captive portal login pages in case the first attempt fails.
671082-1 : snmpd constantly restarting
Solution Article: K85168072
Component: TMOS
Symptoms:
sod is restarting snmpd, which also produces a core.
SNMP clients are unable to walk the ifTable.
Conditions:
snmpd takes too long to process a request for the ifTable because a large number of VLANs or VLAN groups is configured.
Impact:
SNMP requests will not receive replies while snmpd is restarting.
SNMP clients are not able to walk the ifTable.
Workaround:
None.
Fix:
Significantly reduced the time it takes snmpd to process requests for the ifTable when the number of VLANs or VLAN groups is high.
671052-3 : AFM NAT security RST the traffic with (FW NAT) dst_trans failed
Solution Article: K50324413
Component: Advanced Firewall Manager
Symptoms:
In certain cases, destination translation fails with the following message: reset cause '(FW NAT) dst_trans failed'.
Conditions:
This issue may be seen with Source/Destination translation.
Impact:
Destination translation fails. In most cases a TMM restart resolves the issue. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fix addresses a case where one of the fields was not initialized.
671044-3 : FIPS certificate creation can cause failover to standby system
Solution Article: K78612407
Component: TMOS
Symptoms:
FIPS certificate creation can cause failover or outage of a system under heavy load. The certificate creation could take longer than the default timeout, causing TMOS to think the FIPS chip is locked up.
Conditions:
Creating a FIPS certificate while the system is handling a high FIPS traffic load.
Impact:
Possible failover from active to standby, or an outage if there is no standby system, or if the certificate creation causes both active and standby systems to time out.
Workaround:
Setting crypto.queue.timeout to 2000 will avoid this problem. The actual timeout needed depends on the system type and how heavily loaded the FIPS chip is. 2000 should be more than sufficient for all currently supported BIG-IP platforms under high load.
Fix:
FIPS certificate creation no longer causes failover to standby system under these conditions.
670910-2 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
Component: Access Policy Manager
Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.
Conditions:
This might occur when using the following definition:
<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
    xmlns:s="library://ns.adobe.com/flex/spark"
    width="100%" height="100%"
    minWidth="256" minHeight="64"
    creationComplete="initApp()">
    <s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
        <s:TextInput id="f_output" text="..." width="100%" />
        <fx:Script><![CDATA[
            import flash.external.ExternalInterface;
            private function initApp():void {
                f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
            }
        ]]></fx:Script>
    </s:VGroup>
</s:Application>
Impact:
Flash application malfunction.
Workaround:
None.
Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.
670822-3 : TMM may crash when processing SOCKS data
Solution Article: K55225440
670816-2 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
Solution Article: K44519487
Component: Local Traffic Manager
Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.
Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.
Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.
Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.
Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.
670814-2 : Wrong SE Linux label breaks nethsm DNSSEC keys
Component: Local Traffic Manager
Symptoms:
In /var/log/ltm:
(_Common_thales_key) create failed, retry attempt 1 [nfgk_new: Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied mv: cannot stat `/shared/tmp/_Common_thales_key': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_req': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_selfcert': No such file or directory str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=1024 embedsavefile="_Common_thales_key" plainname="_Common_thales_key" digest=sha256] rfs-sync: error from NFastApp_Connect `(null)': Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied No updates. Update done. Create key pair done. ].
or the output of the following command:
ausearch -m AVC,SELINUX_ERR -ts recent
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.574:24190): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffd059e2720 a2=6e a3=7ffd059e2470 items=0 ppid=3310 pid=3311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="generatekey" exe="/shared/nfast/tcl/bin/generatekey" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.574:24190): avc: denied { write } for pid=3311 comm="generatekey" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.600:24191): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd9dbc33a0 a2=6e a3=7ffd9dbc30f0 items=0 ppid=3313 pid=3316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rfs-sync" exe="/shared/nfast/bin/rfs-sync" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.600:24191): avc: denied { write } for pid=3316 comm="rfs-sync" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
Conditions:
Trying to use a Thales netHSM for DNSSEC.
Impact:
Cannot create DNSSEC keys protected by a Thales netHSM.
Workaround:
chcon -R --reference=/var/run/rd0.sock /shared/nfast/sockets/
Note: you should also apply the workaround for bug 671337. If this bug is present, that one almost certainly is as well.
Fix:
SELinux labels no longer prevent the creation of Thales-protected netHSM DNSSEC keys.
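The AVC records above are the evidence a practitioner works from: the subject domain (mcpd_t, because generatekey and rfs-sync are spawned from MCPd) is denied write on a socket labelled default_t, the catch-all type for files created outside the policy's file contexts, which is exactly what the chcon workaround corrects. The following parser is an added example in Python, not F5 code; it reads standard Linux audit AVC records and summarises the denials. SAMPLE_AUDIT is constructed from the two AVC records quoted in the symptoms (the SYSCALL record is shortened).

```python
"""Parse SELinux AVC denial records as printed by `ausearch -m AVC,SELINUX_ERR`
and summarise which domain was denied which permission on which object label.
Added example in Python; it is not F5 code.  SAMPLE_AUDIT is constructed from
the two AVC records quoted in the release note (the SYSCALL record is shortened)."""
import re
from collections import Counter

SAMPLE_AUDIT = """\
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.574:24190): arch=c000003e syscall=42 success=no exit=-13 comm="generatekey" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.574:24190): avc: denied { write } for pid=3311 comm="generatekey" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
time->Fri Jun 23 04:38:06 2017
type=AVC msg=audit(1498217886.600:24191): avc: denied { write } for pid=3316 comm="rfs-sync" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'type=AVC .*?avc: +(?P<verdict>denied|granted) +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC record as a dict, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'verdict': m.group('verdict'), 'perms': tuple(m.group('perms').split())}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules are written against.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def summarize_denials(audit_text):
    """Count denials keyed by (source type, permission, target type, object class)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['verdict'] == 'denied':
            for perm in rec['perms']:
                counts[(rec['scontext_type'], perm, rec['tcontext_type'], rec['tclass'])] += 1
    return counts


def objects_with_label(audit_text, label_type):
    """(name, class) of denied objects carrying a given type, e.g. default_t,
    the catch-all label for files created outside the policy's file contexts."""
    names = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get('tcontext_type') == label_type and 'name' in rec:
            names.add((rec['name'], rec['tclass']))
    return names


if __name__ == '__main__':
    for key, n in summarize_denials(SAMPLE_AUDIT).items():
        print(n, 'x', key)
    print('mislabelled objects:', objects_with_label(SAMPLE_AUDIT, 'default_t'))
```

Running it on the sample reports two denials of (mcpd_t, write, default_t, sock_file) and one mislabelled object, the nserver socket; that is the object the chcon workaround relabels to match /var/run/rd0.sock.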
670804-2 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
Solution Article: K03163260
Component: Local Traffic Manager
Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.
Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified accept when used with OneConnect on a virtual server.
Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.
670528-1 : Warnings during vCMP host upgrade.
Solution Article: K20251354
Component: TMOS
Symptoms:
- Log message repeats every 5 seconds in /var/log/ltm
slot<#>/<host> warning vcmpd[<pid>]: 01510005:4: Failed to find value for enum::cli_id (ha_feature_t::provisioning-failed).
Conditions:
- Configure vCMP host in 12.1.x or 11.6.x.
- Deploy 13.x guest.
- Monitor /var/log/ltm.
Impact:
Warning message displayed every 5 seconds.
Workaround:
Run the following command:
tmsh create sys log-config filter stop_vcmpd_log message-id 01510005 publisher none
670405-4 : K20486351: glibc vulnerability CVE-2017-1000366:
Solution Article: K20486351
670400-3 : SSH Proxy public key authentication can be circumvented in some cases
Component: Advanced Firewall Manager
Symptoms:
SSH Proxy public key authentication might be circumvented in some cases, allowing a user without the appropriate private key into the back-end SSH server.
Conditions:
Public key authentication is being used to authenticate users.
Note: This issue affects only public key authentication, so if additional forms of authentication are being used, the additional security that they provide will not be impacted.
Impact:
Unauthorized access.
Workaround:
A suggested workaround is to configure the back-end SSH server to require two-factor or three-factor authentication. This can be done by adding both publickey+password and publickey+keyboard-interactive as Required Authentications in the configuration file for the back-end SSH server.
See the list below of supported client method orders. Also, keep in mind that the back-end server must support all 3 authentication methods (public-key, password, and keyboard-interactive), as an existing constraint of the current SSH proxy functionality.
One cosmetic item to note is that, when multi-factor authentication is used, regardless of the result of the validity check of the public-key, the SSH proxy will report a 'failed' authentication to the client. However, the returned 'failed' code is merely cosmetic: the actual result of the validity check is what is used to determine whether or not the authentication succeeded.
-------
Supported client method orders:
publickey,keyboard-interactive
publickey,password
publickey,keyboard-interactive,password
publickey,password,keyboard-interactive
Any other combination of authentication methods will fail.
Fix:
Implemented stricter error handling in authentication checking.
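The workaround shifts the enforcement to the back-end server: if every chain sshd accepts requires a second factor after publickey, a proxy that wrongly reports public key success still cannot reach a shell. The script below is an added example in Python, not F5 or OpenSSH code; it assumes the back-end runs OpenSSH, where the AuthenticationMethods directive lists space-separated alternatives and each alternative is a comma-separated chain that must succeed in full, and it checks each chain against the supported client method orders listed above. Both configuration fragments are constructed.

```python
"""Audit a back-end sshd_config for the workaround above: every accepted
authentication chain must be public key plus at least one further factor, in an
order the SSH proxy supports.  Added example; not F5 or OpenSSH code.  It assumes
the back-end runs OpenSSH, where `AuthenticationMethods` lists alternatives
separated by spaces and each alternative is a comma-separated chain that must
succeed in full.  The two config fragments are constructed."""
import re

# Client method orders the SSH proxy supports, from the release note.
SUPPORTED_ORDERS = {
    ('publickey', 'keyboard-interactive'),
    ('publickey', 'password'),
    ('publickey', 'keyboard-interactive', 'password'),
    ('publickey', 'password', 'keyboard-interactive'),
}
SECOND_FACTORS = {'password', 'keyboard-interactive'}

WEAK_CONFIG = """\
# Public key alone is sufficient: a proxy-side bypass reaches the server.
PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
"""


def authentication_methods(config_text):
    """Alternatives from the first AuthenticationMethods line (sshd uses the first
    value of a keyword); [] when absent, meaning any one enabled method suffices."""
    for line in config_text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'(?i)AuthenticationMethods\s+(.+)$', line)
        if m:
            return [tuple(alt.split(',')) for alt in m.group(1).split()]
    return []


def audit_config(config_text):
    """Findings for chains that would let public key alone (or an unsupported
    order) through; an empty list means the configuration is acceptable."""
    alternatives = authentication_methods(config_text)
    if not alternatives:
        return ['no AuthenticationMethods: public key alone grants access']
    findings = []
    for alt in alternatives:
        chain = ','.join(alt)
        if alt[0] != 'publickey':
            findings.append(f'{chain}: chain must start with publickey')
        elif not SECOND_FACTORS & set(alt[1:]):
            findings.append(f'{chain}: no second factor after publickey')
        if alt not in SUPPORTED_ORDERS:
            findings.append(f'{chain}: order not supported by the SSH proxy')
    return findings


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(name, audit_config(cfg) or 'OK')
```

The check deliberately treats a missing AuthenticationMethods line as a finding: without it, sshd accepts any single enabled method, so enabling password authentication alone would weaken rather than strengthen the server.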
670011-2 : SSL forward proxy does not create the server certchain when ignoring server certificates
Component: Local Traffic Manager
Symptoms:
Forward proxy does not work correctly when the server certificates are ignored. SSL forward proxy does not create the server certchain when ignoring server certificates; this prevents the client side from trusting the server cert, and the SSL handshake hangs and fails after a timeout.
Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.
Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.
Workaround:
None.
Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.
669974-1 : Encoding binary data using ASN1::encode may truncate result
Solution Article: K90395411
Component: Local Traffic Manager
Symptoms:
When using ASN1::encode to encode one or more values, and where the encoding of any of these values results in a representation containing a NUL ('\x0') byte, the overall result that is presented to the iRule does not include the entire set of encoded values and is truncated at the first NUL byte.
Conditions:
-- Using ASN1::encode with binary values (e.g., INTEGER).
-- Encoded results contain a NUL ('\x0') byte.
Impact:
Encoding results in the wrong/truncated value.
Workaround:
It is possible to encode the problematic values using an alternative method.
Fix:
ASN1::encode now correctly encodes binary values.
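Which values trigger the truncation is not obvious from the description: DER encodes INTEGER in minimal two's-complement form, so 0, any value in 128..255 (which needs a leading 0x00 sign byte), and any multiple of 256 all contain a NUL byte, while 1000 does not. The encoder below is an added example in Python, not iRule code and not F5's implementation; it produces the DER encodings and models the defect as a result cut off at the first NUL.

```python
"""DER-encode ASN.1 INTEGER values and show which encodings contain a NUL byte,
the case in which the affected ASN1::encode truncated its result.  Added
example in Python, not iRule code and not F5's implementation."""


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """Minimal two's-complement encoding of an INTEGER (tag 0x02)."""
    if value == 0:
        content = b'\x00'
    else:
        nbytes = (value.bit_length() + 8) // 8       # one extra bit for the sign
        content = value.to_bytes(nbytes, 'big', signed=True)
        # DER forbids redundant leading sign bytes; strip them.
        while len(content) > 1 and (
                (content[0] == 0x00 and content[1] < 0x80) or
                (content[0] == 0xFF and content[1] >= 0x80)):
            content = content[1:]
    return b'\x02' + der_length(len(content)) + content


def der_sequence(*elements):
    """SEQUENCE (tag 0x30) wrapping already-encoded elements."""
    body = b''.join(elements)
    return b'\x30' + der_length(len(body)) + body


def truncated_at_nul(encoded):
    """Model the defect: a result handed back as a C string ends at the first NUL."""
    i = encoded.find(b'\x00')
    return encoded if i < 0 else encoded[:i]


def nul_sensitive(values):
    """The values whose DER encoding would be damaged by NUL truncation."""
    return [v for v in values if truncated_at_nul(der_integer(v)) != der_integer(v)]


if __name__ == '__main__':
    for v in (0, 1, 127, 128, 255, 256, 1000, -128):
        enc = der_integer(v)
        print(f'{v:6d} -> {enc.hex():12s} truncated: {truncated_at_nul(enc).hex()}')
    print('affected:', nul_sensitive([1, 127, 128, 255, 256, 0, 1000]))
```

A SEQUENCE of two INTEGERs shows the practical impact: encoding 1 followed by 256 yields nine bytes ending in 0x00, and the truncated result loses the final byte, so the structure no longer parses even though its length field is correct.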
669888-2 : No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
Component: TMOS
Symptoms:
The BIG-IP does not differentiate between IPv4 addresses (such as 1.2.3.4) and IPv6 addresses in the prefix ::ffff:0:0/96 (such as ::ffff:102:304, also written ::ffff:1.2.3.4). If you enter such an IPv6 address, the equivalent IPv4 address will be rendered and used.
Conditions:
Any attempt to use an IPv6 address in that subnet.
Impact:
The BIG-IP system will operate as if you entered the IPv4 address.
Workaround:
No workaround at this time.
Fix:
The differing addresses now are handled correctly. For most modules, this does not change the functionality at all. AFM is one exception; IPv6 traffic in the ::ffff:0:0/96 subnet will be treated differently than IPv4 traffic.
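For AFM rule authors the behavioural change matters: a rule written for an IPv4 prefix used to match the IPv4-mapped IPv6 form of the same address and no longer does. The following is an added example in Python that compares the two behaviours; the matching logic is illustrative and is not AFM's implementation, and RULES is a constructed rule set.

```python
"""Compare how an address in ::ffff:0:0/96 matches address-based rules under
the old behaviour (mapped addresses collapsed to IPv4) and the fixed AFM
behaviour (mapped IPv6 kept distinct from IPv4).  Added example; the matching
logic is illustrative and is not AFM's implementation.  RULES is constructed."""
import ipaddress

RULES = ['1.2.3.0/24', '::ffff:0:0/96', '2001:db8::/32']


def collapse_mapped(addr):
    """Old behaviour: an IPv4-mapped IPv6 address is rendered as the IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def rule_matches(rule_net, addr, collapse):
    """True when a rule written for rule_net matches addr.
    collapse=True models the pre-fix behaviour, collapse=False the fixed one."""
    net = ipaddress.ip_network(rule_net, strict=False)
    ip = collapse_mapped(addr) if collapse else ipaddress.ip_address(addr)
    # An IPv4 rule never matches an IPv6 address and vice versa.
    return ip.version == net.version and ip in net


def matching_rules(rules, addr, collapse):
    """Rules that match addr, in configuration order."""
    return [r for r in rules if rule_matches(r, addr, collapse)]


if __name__ == '__main__':
    for addr in ('1.2.3.4', '::ffff:1.2.3.4', '::ffff:102:304', '2001:db8::1'):
        print(f'{addr:18s} old: {matching_rules(RULES, addr, True)}'
              f'  fixed: {matching_rules(RULES, addr, False)}')
```

Under the old behaviour ::ffff:1.2.3.4 matches only 1.2.3.0/24; under the fixed behaviour it matches only ::ffff:0:0/96. A policy that relied on the IPv4 rule catching mapped traffic needs an explicit rule for the mapped prefix after the upgrade.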
669818-2 : Higher CPU usage for syslog-ng when a syslog server is down
Solution Article: K64537114
Component: TMOS
Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.
Conditions:
A remote log server is added but it is not available.
Impact:
Potentially higher than expected CPU usage.
Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.
669739-1 : Potential core when using MRF SIP with SCTP
Solution Article: K71963740
Component: Service Provider
Symptoms:
The system may core when using SCTP with MRF SIP if the outgoing connection receives more messages than it can process.
Conditions:
-- SCTP with MRF SIP configured.
-- Outgoing connection receives more messages than it can process.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
With SCTP with MRF SIP, the system better handles conditions when the outgoing connection receives more messages than it can process, so the system does not core and restart.
669645-1 : tmm crashes after LSN pool member change
Component: Carrier-Grade NAT
Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.
Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.
Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.
Workaround:
It is recommended to change LSN pool members during a maintenance window with low traffic, or ideally to use an HA pair with a standby unit when implementing configuration changes on live traffic.
Fix:
tmm no longer crashes when changing LSN pool members while processing traffic.
669510-2 : When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
Component: Access Policy Manager
Symptoms:
- When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
Conditions:
- 'Allow local DNS servers' option is enabled in Network Access configuration.
- 'Prohibit routing table changes during Network Access connection' option is enabled in Network Access configuration.
- Network changes after VPN is established.
Impact:
- Network access tunnel is dropped due to routing table changes.
Workaround:
User needs to connect to VPN again.
669462-1 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
Component: TMOS
Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/
Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool
Impact:
Unable to use pool-members from /Common/ when outside of /Common/
Workaround:
No workaround at this time.
Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/
669459-2 : Effect of bad connection handle between APMD and memcachd
Component: Access Policy Manager
Symptoms:
When a connection handle (file descriptor) between apmd and memcachd goes bad (someone else is using it, or memcachd has already closed it), all worker threads get locked out. A cleaner thread then restarts APMD with an assert.
Conditions:
This is difficult to reproduce. It happens if one or more connection handles between an apmd worker thread and memcachd get misused.
Impact:
APMD locks up and eventually restarts with a core.
Workaround:
None.
Fix:
Communication between APMD and TMM has been improved to be more tolerant of error conditions.
669415-1 : Flow eviction for hardware-accelerated flow might fail
Component: TMOS
Symptoms:
In rare cases, evicting a hardware-accelerated ePVA flow might fail. Under normal conditions, this flow eventually idles out of the ePVA, but if traffic happens to be generated over the flow, then it can stay in the ePVA indefinitely, even if there is no software connection context for this connection.
Conditions:
A virtual server using a FastL4 profile.
Impact:
A connection becomes stuck in the ePVA. Traffic might be disrupted if tmm restarts.
Workaround:
Disable hardware acceleration.
Fix:
This release has updated the process for evicting a connection from the ePVA.
669364-1 : TMM core when server responds fast with server responses such as 404.
Component: Fraud Protection Services
Symptoms:
TMM core when server responds fast with server responses such as 404.
Conditions:
-- FPS gets a request with a WebSafe URL (usually global URL - declared by signatures update).
-- Server response is fast (based on URL/headers).
-- FPS need to take some action on response.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
FPS now handles these conditions without a tmm crash.
669359 : WebSafe might cause connections to hang
Component: Fraud Protection Services
Symptoms:
In a loaded environment, FPS might free a connection context without cleaning up the state.
Conditions:
This occurs in a loaded environment (xoff events present).
Impact:
A connection might stall until abandoned by client.
Workaround:
None.
Fix:
When freeing a connection context, FPS now clears its internal egress state.
669341 : Category Lookup by Subject.CN will result in a reset
Component: Access Policy Manager
Symptoms:
Category Lookup Agent is unable to find the Subject.CN, so it initiates an SSL Handshake failure.
==> /var/log/apm <==
crit tmm[11181]: 01790602:2: [C] 10.20.100.1:11980 -> 10.11.10.101:443: (ERR_NOT_FOUND) Error processing URL Classification query from CatEngine
Conditions:
Category Lookup agent configured to use Subject.CN. May also apply if a Category Lookup agent is configured to use SNI, but the client does not send an SNI, resulting in the agent trying to use the Subject.CN.
Impact:
Cannot use Subject.CN as a data source for category lookup agent.
Workaround:
None.
Fix:
The category lookup agent is now able to find the Subject.CN.
669288-3 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
Solution Article: K76152943
Component: TMOS
Symptoms:
From tmsh, running util unix-ls /var/log fails with the following error:
exception: (Failed to canonicalize "/shared/f5optics/images") (util/RealpathHelper.cpp, line 49), continuing...
Data Input Error: /var/log is not an accessible directory for the current mode.
Conditions:
-- A BIG-IP system configured for Appliance mode.
-- Upgrading from a pre-v12.x to v12.x or later.
-- Using a platform that does not have a /shared/f5optics/images directory.
These include the following BIG-IP blades and appliances:
B4400, i4x00, i10x00, i2x00, i7x00, i5x00
Impact:
There is no shell access to the file system when the BIG-IP system is in Appliance mode. This is the intended purpose of Appliance mode. Therefore, unix-* commands are the only way to list directories, and perform other operations specific to the operating system.
Workaround:
To work around this issue, create the /shared/f5optics/images directory. To do so, do the following:
1. Boot the BIG-IP system into single-user mode.
2. Create the directory /shared/f5optics/images with the following command:
mkdir -m 777 -p /shared/f5optics/images
3. Reboot the BIG-IP system, and allow it to start up normally.
Fix:
The reported exception does not occur, and unix-* commands issued in Appliance mode run as expected.
669268 : Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
Component: TMOS
Symptoms:
Intermittently available AWS services may lead to failure of curl requests to AWS or ec2 tools commands, resulting in failure of failover. As a result, public EIPs (for virtual servers) might remain pointing to the standby BIG-IP system.
Conditions:
AWS services are intermittently available.
Impact:
Failure of failover. Traffic will be routed to the standby BIG-IP system and lost.
Workaround:
Manually fail the systems over until failover succeeds at the desired BIG-IP system.
669262-2 : [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
Component: Global Traffic Manager (DNS)
Symptoms:
Creating a reverse zone in ZoneRunner whose name does not end exactly in .arpa but in a different case variation such as .ARPA results in that zone not being treated as a reverse zone.
PTR is not available from the 'Type' drop-down menu when creating a new resource record for that zone:
DNS :: Zones : ZoneRunner : Resource Record List :: New Resource Record.
Conditions:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA.
Impact:
Cannot create PTR resource record for the created reverse zones.
Workaround:
Create reverse zones exactly ending with .arpa.
669255-2 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
Solution Article: K20100613
Component: TMOS
Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:
- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.
Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:
- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade
Impact:
The BIG-IP system operates at a suboptimal performance level.
Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.
Fix:
Performance is no longer degraded on certain platforms when the configuration includes enabled sFlow receivers.
669154-1 : Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
Solution Article: K25342114
Component: Access Policy Manager
Symptoms:
Adding new SAML IdP configuration object containing empty attribute values via tmsh may cause tmm to restart.
Conditions:
New SSO SAML configuration contains one or more attribute values containing a session variable, followed by another empty value "", for example:
multi-values { "%{session.ad.last.attr.name}" "" }
Note: This is not a valid configuration: empty values must not be provided in the list of SAML attributes.
Impact:
TMM may restart when new configuration is added. Traffic disrupted while tmm restarts.
Workaround:
Remove empty attribute values from configuration.
Fix:
SAML object validation has been improved so that empty SAML SSO object attribute values will no longer be accepted.
669025-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
Solution Article: K11425420
Component: Local Traffic Manager
Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.
Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. Such intermediate CAs are usually in the BIG-IP system's ca-bundle. The BIG-IP system receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.
Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.
Impact:
Clients cannot access the web server due to SSL handshake failure.
Workaround:
There is no workaround at this time.
Fix:
This fix excludes trusted CA certificates from hash algorithm selection, which may prevent the forged certificate from using the SHA1 hash algorithm.
668964-2 : 'bgp neighbor <peer IP> update-source <IP>' command may apply change to all peers in peer-group
Solution Article: K81873940
Component: TMOS
Symptoms:
When running the 'bgp neighbor <peer IP> update-source <IP>' command to a single peer, the changes may be applied to all peers in peer-group, if the peer IP belongs to a peer group.
Conditions:
- Using BGP with peer-groups.
- Run 'bgp neighbor <peer IP> update-source <IP>', where <peer IP> is an IP of a peer in a peer-group.
Impact:
Changes may apply to all peers in the group.
Workaround:
Depending on the network setup, it may be possible to work around the issue using the interface version of the command:
bgp neighbor <peer IP> update-source <vlan name>.
Fix:
The command 'bgp neighbor <peer IP> update-source <IP>' no longer applies the change to all peers in the peer-group.
668883 : FQDN pool member status may become out-of-sync when enabled/disabled through GUI
Component: Local Traffic Manager
Symptoms:
After toggling enable/disable on an FQDN pool member through the GUI, an FQDN pool member status may become 'out-of-sync', and the pool member might process connections opposite to its status. Specifically: 'disabled' might accept connections, and 'enabled' might not accept connections. In this state, the FQDN pool member appears to be exactly 'one-message-behind' for an enable/disable status change made in the GUI.
The FQDN pool member status for enabled/disabled is always correctly displayed in the GUI and in tmsh, and behavior is correctly restored after a system reboot. Other pool members are unaffected.
Conditions:
-- BIG-IP systems configured for high availability (HA).
-- At least three members within an FQDN pool.
-- Use the GUI to toggle enable/disable state on a FQDN pool member.
Impact:
The FQDN pool member does not correctly participate in receiving connections to the pool when in this error state. Other pool members remain unaffected.
Workaround:
Change FQDN pool to statically assign members.
Fix:
Toggling FQDN pool member between 'enable/disable' correctly changes that member's participation for accepting connections within its parent pool. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
668802-3 : GTM link graphs fail to display in the GUI
Solution Article: K83392557
Component: Local Traffic Manager
Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.
statsd reports an error in /var/log/ltm
err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found
Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.
Impact:
Unable to view BIG-IP DNS/GTM link graphs.
Workaround:
None.
Fix:
The GTM graphs are available as expected.
668623-5 : macOS Edge client fails to detect correct system language for regions other than USA
Solution Article: K85991425
Component: Access Policy Manager
Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.
Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).
Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.
Workaround:
Run one of the following commands in the Terminal and re-launch Edge client:
For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"
For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"
For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"
For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"
For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"
For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"
For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"
Fix:
Customization of the following items for Edge client now correctly reflects the region's language selection.
-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.
668522-1 : bigd might try to read from a file descriptor that is not ready for read
Component: Local Traffic Manager
Symptoms:
The bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.
Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).
Impact:
The bigd process might consume excessive CPU resources for varying amounts of time.
Single monitor probes might fail. Depending upon the timing of these failures, it might be possible to see monitor flapping when multiple probes for a specific monitored object happen to fail.
Workaround:
None.
Fix:
An issue was resolved where the bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.
668521-2 : Bigd might stall while waiting for an external monitor process to exit
Component: Local Traffic Manager
Symptoms:
The bigd process restarts due to a heartbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.
Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).
High system load makes this more likely to occur.
Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.
Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.
Fix:
bigd no longer stalls while waiting for an external monitor process to exit.
668503-3 : Edge Client fails to reconnect to virtual server after disabling Network Adapter
Component: Access Policy Manager
Symptoms:
1. Connect to an APM Virtual Server.
2. Disable Network Adapter.
3. Enable the Network Adapter.
Edge Client fails to reconnect.
Conditions:
Network Adapter is disabled and re-enabled.
Impact:
Edge Client does not re-establish VPN when Network Adapter is re-enabled.
Workaround:
Disconnect and Connect Edge Client.
Fix:
Edge Client now successfully reconnects to virtual server after disabling and enabling Network Adapter.
668501-2 : HTTP2 does not handle some URIs correctly
Solution Article: K07369970
668419-1 : ClientHello sent in multiple packets results in TCP connection close
Solution Article: K53322151
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system receives ClientHello messages in multiple fragments, and the first fragment length is less than 9 bytes, SSL might process it as a non-SSL packet.
Conditions:
-- The system receives ClientHello messages in multiple fragments.
-- The first fragment length is less than 9 bytes.
Impact:
SSL might process the first fragment as a non-SSL packet, and discard it, and then tear down the TCP connection.
Workaround:
None.
Fix:
Now, if the system receives the ClientHello message in multiple fragments, and the first fragment is less than 9 bytes, the system waits for the whole SSL packet to arrive before processing it.
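The classification problem behind this fix, as an added example that is not F5 code: a TLS record header is 5 bytes and the handshake header that follows is 4 bytes, so 9 bytes is the minimum prefix that identifies a ClientHello, and a front end that decides on a shorter first segment misclassifies the stream. The ClientHello bytes are constructed sample input, not a capture.

```python
"""Added example (not F5 code): why a TLS front end must buffer before deciding
"SSL or not" when a ClientHello arrives in several TCP segments.

A TLS record header is 5 bytes (type, version, length) and the handshake header
that follows is 4 bytes (type, length), so 9 bytes is the minimum prefix that
identifies a ClientHello. Deciding on fewer bytes misclassifies a short first
segment as non-SSL, which is the pre-fix behaviour the release note describes.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
MIN_CLASSIFY_BYTES = 9  # 5-byte record header + 4-byte handshake header


def classify_prefix(data: bytes) -> Optional[str]:
    """Return 'clienthello', 'non-ssl', or None when more bytes are needed."""
    if len(data) < MIN_CLASSIFY_BYTES:
        return None  # undecidable yet: caller must keep buffering
    if data[0] != TLS_RECORD_HANDSHAKE:
        return "non-ssl"
    major, minor = data[1], data[2]
    if major != 3 or minor > 4:  # record-layer versions 3.0 .. 3.4 on the wire
        return "non-ssl"
    record_len = int.from_bytes(data[3:5], "big")
    if record_len == 0 or data[5] != HANDSHAKE_CLIENT_HELLO:
        return "non-ssl"
    return "clienthello"


def classify_first_fragment_only(fragment: bytes) -> str:
    """Pre-fix behaviour: decide from the first segment alone and treat an
    undecidable (too short) prefix as non-SSL, which drops the connection."""
    return classify_prefix(fragment) or "non-ssl"


@dataclass
class ClientHelloDetector:
    """Fixed behaviour: accumulate segments until the 9-byte prefix is complete."""
    buffered: bytearray = field(default_factory=bytearray)
    decision: Optional[str] = None

    def feed(self, fragment: bytes) -> Optional[str]:
        if self.decision is None:
            self.buffered += fragment
            self.decision = classify_prefix(bytes(self.buffered))
        return self.decision


def classify_stream(fragments: List[bytes]) -> Optional[str]:
    """Run the buffering detector over a list of TCP segments."""
    det = ClientHelloDetector()
    for frag in fragments:
        if det.feed(frag) is not None:
            break
    return det.decision


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello record (sample input, not a capture)."""
    body = (
        bytes([3, 3])          # client_version TLS 1.2
        + bytes(32)            # random (zeros; sample only)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null
        + b"\x00\x00"          # extensions length 0
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    hello = build_client_hello()
    # First segment carries only 5 bytes, as in the release note's trigger condition.
    print("pre-fix  :", classify_first_fragment_only(hello[:5]))   # non-ssl (connection torn down)
    print("fixed    :", classify_stream([hello[:5], hello[5:]]))   # clienthello
    print("plaintext:", classify_stream([b"GET / HTTP/1.1\r\n"]))  # non-ssl
```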
668352-2 : High Speed Logging imbalance in log distribution for multiple pool destination.
Component: TMOS
Symptoms:
Remote High Speed Logging may distribute logs unevenly when configured to use multiple logging pools.
The imbalance may occur if the logging destination remained idle for a while (no logs sent) after initial configuration.
Conditions:
-- Remote High Speed Logging destination configured with multiple pools.
-- The logging destination idle after initial configuration for more than 5 seconds.
Impact:
-- Log distribution imbalance.
Workaround:
There is no workaround at this time.
Fix:
Logs are now distributed equally across the destination pools.
668252-2 : TMM crash in PEM_DIAMETER component
Solution Article: K22784428
Component: Policy Enforcement Manager
Symptoms:
TMM crashes when the route to PCRF is lost.
Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).
Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.
Workaround:
Mitigation: Ensure that the network interface that routes diameter packets is not manually brought down.
No workaround for externally triggered failures.
Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.
668196-2 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down
Component: Local Traffic Manager
Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.
Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).
Impact:
Pool member remains marked down.
Workaround:
This condition is very rare, but if it occurs you can try removing the pool member or node and re-adding it.
Fix:
Connection limit is now correctly enforced with least-connections and pool member flap, so the member no longer incorrectly remains down.
668184-1 : Huge values are shown in the AVR statistics for ASM violations
Component: Application Security Manager
Symptoms:
Huge values are shown in the AVR statistics for ASM violations.
Conditions:
Out-of-memory condition in the ASM. Some other extreme conditions might also cause this behavior.
Impact:
ASM violation numbers are incorrectly reported.
Workaround:
None.
Fix:
An issue with bd sending wrong numbers to AVR was fixed.
668181-2 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
668129-1 : BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
Component: Access Policy Manager
Symptoms:
Certain SAML implementations support configuration of multiple signing certificates to be used for signing SAML messages. In these deployments, different signing certificates could be used when certificate rotation takes place. Until now, BIG-IP as SP supported only a single signing certificate from external IdPs.
When certificate rotation happens on the external IdP, the BIG-IP signature verification certificates have to be updated.
Conditions:
External IdP advertises multiple signing certificates in SAML metadata.
Impact:
When the external IdP starts using a new signing certificate previously advertised in metadata, authentication on BIG-IP as SAML SP fails until the administrator adjusts the configuration to specify the new signature validation certificate on the appropriate SAML IdP connector object.
Workaround:
Signing certificates on BIG-IP as SAML SP can be reconfigured manually.
Fix:
BIG-IP as SP now supports multiple signing certificates advertised by external identity providers.
668048-1 : TMM memory leak when manually enabling/disabling pool member used as HSL destination
Solution Article: K02551403
Component: TMOS
Symptoms:
High Speed Logging fails to free allocated cache memory, resulting in a memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.
Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed, OR
- High Speed Logging pool members removed.
Impact:
Increase in mds_btree_nodes memory utilization.
Workaround:
There is no workaround at this time.
Fix:
High Speed Logging frees allocated memory correctly.
668006-1 : Suspended 'after' command leads to assertion if there are multiple pending events
Solution Article: K12015701
Component: Local Traffic Manager
Symptoms:
TMM crashes when an iRule has multiple parking commands, including the 'after' command.
Conditions:
-- iRule has multiple parking commands.
-- The 'after' command is used multiple times in the iRule.
Note: The exact conditions that trigger the tmm crash are not definitive, but when the above situation is met, it could trigger this crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Depending on the iRule, (e.g., script that uses command after very heavily, very often), the usages can be combined:
after 100
after 200 { some script }
can be combined to after 300 { the script }
Fix:
Suspended 'after' command no longer leads to an assertion if there are multiple pending events.
667922 : Alternative unicode encoding in JSON objects not being parsed correctly
Solution Article: K44692860
Component: Application Security Manager
Symptoms:
JSON content might be blocked when unicode encoding is used in one of the JSON nodes.
Conditions:
Configured ASM Policy with JSON profile.
Impact:
False positive blocked request.
Workaround:
Disable metachars checks in JSON profile.
Fix:
The JSON parser now handles unicode sequences correctly.
667892-2 : FPS: BLFN inheritance won't take effect until GUI refresh
Component: Fraud Protection Services
Symptoms:
1. Create an fps profile with an "Additional function to be run before JavaScript load" (BLFN) configured.
2. Clone this profile.
3. In the cloned profile, choose another profile to inherit defaults from (one with no BLFN).
4. Save configuration.
Conditions:
- Current profile has a BLFN configured.
- New parent profile has no BLFN.
Impact:
The original BLFN is still configured on the profile (should have inherited the empty BLFN from parent profile).
Workaround:
1. Use tmsh.
2. Refresh before save.
Fix:
BLFN inheritance logic in the GUI is now correct.
667872-1 : Websafe's 'Apply cookies to base domain' feature doesn't work for non-standard ports
Component: Fraud Protection Services
Symptoms:
'Apply cookies to base domain' feature doesn't work for non-standard ports.
Conditions:
'Apply cookies to base domain' is enabled and the connection is over a non-standard port (not 80, 443, etc.).
Impact:
Cookies won't be applied to the base domain, so WebSafe functionality will be broken and missing-cookie alerts will be sent.
Workaround:
Use only standard ports.
Fix:
FPS now correctly parses the base domain, including the port if present.
667779-2 : iRule commands may cause the TMM to crash in very rare situations.
Component: Local Traffic Manager
Symptoms:
A TMM crash may occur in very rare situations.
Conditions:
A Tcl iRule command is used.
Impact:
A TMM Core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Tcl iRule commands are more robust to extreme scenarios within the TMM.
667707-2 : LTM policy associations with virtual servers are not ConfigSynced correctly
Component: Local Traffic Manager
Symptoms:
The association of Local Traffic Policies to virtual servers does not synchronize properly.
This can result in configuration sync failures with error messages including:
-- 01070635:3: The policy (/Common/asm_auto_l7_policy__vs_27) is referenced by one or more virtuals.
-- Configuration error: The bot-defense-asm profile /Common/asm_policy_1 was added to virtual server /Common/vs1 but it does not match the asm-controlling policy. The bot-defense-asm profile is added to the virtual server automatically.
-- 010716fd:3: Virtual Server '/Common/vs' cannot contain policies with conflicting controls.
In other circumstances, BIG-IP systems report themselves as 'in sync' despite a virtual server having different local traffic policies associated.
Under certain circumstances, configuration sync fails after an LTM policy is removed from a virtual server and deleted.
Conditions:
This occurs under the following conditions:
-- Full sync operations (e.g., 'full-load-on-sync' or 'force-full-load-push').
And either of the following:
-- Configuration changes made where local traffic policies are added to or removed from a virtual server.
-- Configuration changes made where a local traffic policy is removed from a virtual server, and then the virtual server is deleted.
Impact:
Configuration fails to sync, or devices report 'In Sync' but have different LTM policies associated with virtual servers.
Workaround:
There is no workaround at this time.
Fix:
Configuration sync is successful.
667662-1 : Autolasthop does not work for PPTP-GRE traffic.
Solution Article: K06579313
Component: Carrier-Grade NAT
Symptoms:
Autolasthop does not work for PPTP-GRE traffic.
Conditions:
Autolasthop configured for client ingress VLAN, serving PPTP-ALG traffic.
Impact:
PPTP-ALG traffic through the BIG-IP system is affected.
Workaround:
Create static routes to return PPTP-GRE traffic back to the client network.
Fix:
Autolasthop setting works correctly for PPTP-GRE traffic.
667560-3 : FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
Solution Article: K69205908
Component: Local Traffic Manager
Symptoms:
A pool member configured through an FQDN node and which has multiple associated monitors may become unknown (blue) after a monitor rule change to one of its associated monitors. The expected behavior is that the node should remain 'green' if monitoring is successful with the new rule, but the node may become unknown (blue) until bigd is restarted.
Conditions:
A pool member is configured through an FQDN node, and has multiple associated monitors, and a monitor rule change is made to one of the associated monitors.
Impact:
The pool member status correctly reflects whether monitoring is successful (green) or the pool member is unknown (blue), but the changed monitor rule may not take effect until bigd is restarted.
Workaround:
When making changes to a monitor rule associated with a pool member configured through FQDN, verify the node remains monitored (green or checking), or restart bigd. Alternatively, change monitor rules within the configuration file, and reload the configuration.
Fix:
Pool members configured through FQDN nodes and with multiple associated monitors continue to be monitored after a monitor rule change to one of the associated monitors. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
667469-1 : Higher than expected CPU usage when using DNS Cache
Solution Article: K35324588
Component: Global Traffic Manager (DNS)
Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.
Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.
Impact:
Higher than expected CPU usage.
Workaround:
No workaround at this time.
Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.
667405-2 : Fragmented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
Solution Article: K61251939
Component: TMOS
Symptoms:
When the BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets, memory leaks may occur in the TMM.
Conditions:
The BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets.
Impact:
Memory leak in the TMM.
Workaround:
None.
Fix:
The TMM no longer leaks memory under these conditions.
667404-2 : Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
Solution Article: K77576404
Component: TMOS
Symptoms:
If fragmented IP packets match an IPsec policy and are then forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key for another connflow, including internal MCP flows. When that happens, if IPsec does tunnel those flows, internal MCP heartbeats later miss and cause tmm restarts.
Conditions:
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.
Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.
Fix:
Now fragmented packets are handled correctly, and other flows cannot experience interference.
667318-3 : BIG-IP DNS/GTM link graphs fail to display in the GUI.
Component: Local Traffic Manager
Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.
statsd reports an error in /var/log/ltm:
err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found
Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
Impact:
Unable to view BIG-IP DNS/GTM link graphs.
Workaround:
None.
Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.
667304-1 : Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
Solution Article: K68108551
Component: Access Policy Manager
Symptoms:
'Save Password' checkbox is shown even if the feature is not enabled.
Conditions:
-- APM end user tries to authenticate to APM/BIG-IP Server.
-- 'Save Password' is not enabled.
Impact:
APM end user receives the login page with 'Save Password' checkbox. Checking the box has no effect unless 'Save Password' is enabled.
Workaround:
None.
Fix:
'Save Password' checkbox is not shown unless the feature is enabled.
667278-3 : DSC connections between BIG-IP units may fail to establish
Component: TMOS
Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:
-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).
While the unit at the other end of the connection will log messages similar to the following example:
-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed
Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).
Impact:
Config-Sync and device discovery operations will fail between affected units.
Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).
Fix:
Config-Sync and device discovery operations no longer fail.
667257-2 : CPU Usage Reaches 100% With High FastL4 Traffic
Component: TMOS
Symptoms:
CPU usage reaches 100% with high FastL4 traffic. Issue with re-offloading evicted FastL4 traffic to ePVA.
Typically observed on systems handling a lot of FastL4 traffic that have been upgraded to a version that has re-offload behavior implemented by Bug ID 563475: ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
Conditions:
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.
Impact:
Default configurations may suddenly show higher CPU performance profile usage after upgrade.
Workaround:
None.
Fix:
The following db variables have been added to control re-offload behavior:
sys db pva.reoffload.delay {
value "5"
}
sys db pva.reoffload.exponential {
value "true"
}
pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.
If pva.reoffload.exponential is 'true', then if there is a collision, there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on) before the flow is re-offloaded.
If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.
Behavior Change:
The following db variables have been added to control re-offload behavior:
sys db pva.reoffload.delay {
value "5"
}
sys db pva.reoffload.exponential {
value "true"
}
pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.
If pva.reoffload.exponential is 'true', then if there is a collision, there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on) before the flow is re-offloaded.
If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.
667237-3 : Edge Client logs the routing and IP tables repeatedly
Component: Access Policy Manager
Symptoms:
Edge Client logs the routing and IP tables repeatedly, on each reconnection attempt.
Conditions:
Edge Client is in reconnecting state and gateway is reachable. However, APM server is not reachable/responding.
Impact:
It fills up the log file with information that is not useful.
Workaround:
There is no workaround at this time.
Fix:
When Edge Client is in the reconnecting state and the APM server is not reachable/responding, it no longer logs the routing/IP tables on each reconnection attempt.
667223 : The merge option for the tmsh load sys config command removes existing nested objects
Component: TMOS
Symptoms:
Nested objects are removed when newer objects are merged in.
Configuration objects can contain nested objects. The merge option for tmsh load sys config command expects the nested-objects passed in to be merged alongside existing objects.
Example:
Initial configuration:
[root@plate:Active:Standalone] config # tmsh list ltm pool
ltm pool test-pool-mcconfig {
    members {
        test-mc1:http {
            address 10.13.14.15
            priority-group 1
            session monitor-enabled
            state checking
        }
        test-mc2:http {
            address 10.13.14.16
            priority-group 4
            session monitor-enabled
            state down
        }
    }
    monitor tcp
}
Run the load merge command:
[root@plate:Active:Standalone] config # tmsh -m
root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm pool test-pool-mcconfig {
    members {
        test-mc2:http {
            priority-group 0
        }
    }
}
Loading configuration...
root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# ^D
New configuration, not merged:
[root@plate:Active:Standalone] config # tmsh list ltm pool
ltm pool test-pool-mcconfig {
    members {
        test-mc2:http {
            address 10.13.14.16
            session monitor-enabled
            state down
        }
    }
    monitor tcp
}
Conditions:
Execute the tmsh load sys config merge from-terminal command.
The configuration contains nested objects. The configuration that is being merged in contains nested objects of the same type as the existing configuration.
Impact:
Configuration loss: Post merge the existing nested configuration objects are deleted.
Workaround:
None.
Fix:
The behavior for the merge option of tmsh load sys config is corrected. The nested objects in the existing configuration are not deleted.
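The two merge semantics behind this issue, as an added example that is not F5 code, modelled on the release note's pool listing as nested dicts: replace_merge() is a simplified model of the pre-fix behaviour (the incoming nested collection replaces the existing one), deep_merge() is the expected behaviour, and lost_keys() is a check an operator can run on before/after 'tmsh list' output to confirm nothing was dropped. The dict contents are constructed from the listing above; how tmsh fills in defaults is not modelled.

```python
"""Added example (not F5 code): replace-style versus deep merge of a nested
configuration object, using the release note's pool example as data.

replace_merge() models the pre-fix behaviour in simplified form: a nested
collection ('members') in the incoming fragment replaces the existing one, so
members that the fragment does not mention disappear. deep_merge() is the
expected behaviour: the fragment is merged alongside the existing nested objects.
lost_keys() reports everything present before the merge but missing afterwards.
"""
import copy
from typing import Any, Dict, List, Tuple

Config = Dict[str, Any]

# Existing configuration from the release note's example (constructed from the listing).
EXISTING_POOL: Config = {
    "members": {
        "test-mc1:http": {"address": "10.13.14.15", "priority-group": 1,
                          "session": "monitor-enabled", "state": "checking"},
        "test-mc2:http": {"address": "10.13.14.16", "priority-group": 4,
                          "session": "monitor-enabled", "state": "down"},
    },
    "monitor": "tcp",
}

# Fragment fed to 'load sys config merge from-terminal' in the example.
MERGE_FRAGMENT: Config = {"members": {"test-mc2:http": {"priority-group": 0}}}


def replace_merge(existing: Config, incoming: Config) -> Config:
    """Simplified pre-fix semantics: each top-level key of the fragment
    overwrites the existing value wholesale, nested collections included."""
    result = copy.deepcopy(existing)
    for key, value in incoming.items():
        result[key] = copy.deepcopy(value)
    return result


def deep_merge(existing: Config, incoming: Config) -> Config:
    """Expected semantics: recurse into nested objects so that unmentioned
    siblings and attributes survive; only the named leaves change."""
    result = copy.deepcopy(existing)
    for key, value in incoming.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def lost_keys(before: Config, after: Config, path: Tuple[str, ...] = ()) -> List[str]:
    """Slash-joined paths present in 'before' but missing in 'after'
    (both nested objects and their attributes)."""
    lost: List[str] = []
    for key, value in before.items():
        here = path + (key,)
        if key not in after:
            lost.append("/".join(here))
        elif isinstance(value, dict) and isinstance(after[key], dict):
            lost.extend(lost_keys(value, after[key], here))
    return lost


if __name__ == "__main__":
    buggy = replace_merge(EXISTING_POOL, MERGE_FRAGMENT)
    fixed = deep_merge(EXISTING_POOL, MERGE_FRAGMENT)
    print("lost after replace-style merge:", lost_keys(EXISTING_POOL, buggy))
    print("lost after deep merge:", lost_keys(EXISTING_POOL, fixed))
```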
667173 : 13.1.0 cannot join a device group with 13.1.0.1
Component: TMOS
Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.
Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.
Impact:
Cannot form Device Trust.
Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.
Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.
667148-1 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition
Solution Article: K02500042
Component: TMOS
Symptoms:
GTM configuration fails to load.
Conditions:
GTM config referencing non-/Common partition objects from /Common.
Impact:
GTM configuration fails to load, which may keep a system from becoming active.
Workaround:
No workaround.
Fix:
Fixed an issue that prevented GTM configurations from loading when objects in non-/Common partitions are present.
667138-1 : LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★
Component: TMOS
Symptoms:
After upgrade from 10.2.4 to 12.1.2, full config load fails.
Conditions:
The pre-upgrade version must be 10.2.4 and the pre-upgrade config must have user-defined partitions.
Impact:
After upgrade, if changes are made to the running config (in memory; not on disk), then the config files on disk from upgrade cannot be restored.
Workaround:
The 10.2.4 config is stored at /config/bigpipe/ on upgrade. A workaround is therefore to load defaults, then merge the original config using bigpipe:
/usr/libexec/bigpipe merge /config/bigpipe/*.conf
Fix:
Full load after upgrade from 10.2.4 now succeeds.
667028-1 : DNS Express does not run on i11000 platforms with htsplit disabled.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.
Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.
Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.
Workaround:
Enable htsplit using the following command:
modify sys db scheduler.splitplanes.ltm value true
Fix:
tmm no longer cores under these conditions. However, you cannot use DNSX with htsplit disabled; htsplit must be enabled.
Note: DNSX works as expected with htsplit enabled, both before and after the fix.
666986-2 : Filter by Support ID is not working in Request Log
Solution Article: K50320144
Component: Application Security Manager
Symptoms:
In some cases the Support ID of a request might be shorter than 19 digits. In this case filter by Support ID does not work in Request Logs.
Conditions:
-- Support ID is shorter than 19 digits.
-- Trying to filter by Support ID.
Impact:
Filter by Support ID is not displayed in filter bar and does not affect the list.
Workaround:
You can try to filter by last 4 digits of Support ID. Although that does not replace filter by Support ID functionality, it might help.
Fix:
Filter by Support ID works for any length but 4 digits (in this case search uses the last 4 digits; also a 4-digit Support ID is not a realistic occurrence).
666884-2 : Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform★
Solution Article: K27056204
Component: TMOS
Symptoms:
cpcfg fails with errors similar to the following:
info: Getting configuration from HD1.3
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
error: status 256 returned by command: F5_INSTALL_MODE=install F5_INSTALL_SESSION_TYPE=hotfix chroot /mnt/tm_install/23102.e3MAZU /usr/local/bin/im -force /var/local/ucs/config.ucs
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /shared: Not enough free space
info: 6144 bytes required
info: 0 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.
Conditions:
Only on a chassis platform running 12.1.x or 13.0.x.
Impact:
You cannot use cpcfg on a chassis platform.
Workaround:
Save a UCS from the source volume, reboot to the destination volume, then load that UCS file.
Fix:
cpcfg could incorrectly calculate the amount of free space available, refusing to do the copy unless the /shared filesystem had sufficient space to do the copy. This has been resolved and this free space calculation is done correctly.
666790-2 : Use HSB HiGig MAC reset to recover both FCS errors and link instability
Solution Article: K06619044
Component: TMOS
Symptoms:
In addition to HiGig link instability, FCS errors can be seen on the internal switch and HSB HiGig link. This is likely a PHY-related issue and can cause instability in communication links.
One symptom associated with this might be that a blade cannot become active and join the cluster.
Conditions:
FCS errors reported in tmm/hsbe2_internal_lbb_hgm. Traffic failure observed on some VIPs or self IPs.
Impact:
Link unstable, frame loss.
TMOS MPI and CDP packet loss and internal blade communication issues.
HSB lockup and accumulated FCS errors observed from stats and log.
Workaround:
A switch port reset might be used to recover from this failure. Note, however, that this procedure might cause HSB lockups.
Fix:
FCS errors and link instability no longer occur.
666689-1 : Occasional "profile not found" errors following activate access policy
Component: Access Policy Manager
Symptoms:
Immediately after a modified access policy is applied, some profiles might disappear.
This is transient; within a minute or two the profiles are available again.
Conditions:
Clicking "apply access policy" in the GUI or using tmsh to increment snapshot ids clears the list of profiles and policies and then rebuilds those lists. Authentication requests using profiles or policies not yet rebuilt return the "profile not found" error.
Impact:
Some authentication attempts fail while the lists get rebuilt.
Retrying the authentication a minute or two later succeeds.
Workaround:
Retry the authentication.
Fix:
Applying Access Policies in APM is improved to avoid a short dead time between when the old policies are removed and the new policies are activated.
666595-2 : Monitor node log fd leak by bigd instances not actively monitoring node
Component: Local Traffic Manager
Symptoms:
Each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis opens a file descriptor for each node or pool member that has monitor logging enabled. However, only one instance of bigd is actively monitoring each individual node, and actively logging health monitor events to the node log. When LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool, or pool member configuration.
Note: This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool or pool member configuration.
Conditions:
This may occur when the following conditions are met:
1. An LTM health monitor is assigned to an LTM node, pool or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool or pool member configuration while logging is still enabled ('monitor' value set to 'none').
Impact:
When this problem occurs, the instance of bigd that is actively monitoring a particular node will close its file descriptor to that node's log file (under /var/log/monitors), but other instances of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis will leak their file descriptor to the node log.
File descriptors that are opened by the bigd daemon and not closed will count against bigd's internal file descriptor limit. This may result in file descriptor exhaustion and failure of LTM health monitoring.
Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.
Fix:
The bigd daemon no longer leaks file descriptors for monitor node logs when multiple instances of bigd are running, LTM health monitors are configured with node logging enabled, and the monitor is then removed from the LTM node, pool, or pool member configuration.
666505-2 : Gossip between VIPRION blades
Component: iApp Technology
Symptoms:
The REST framework's 'gossip' mechanism does not appear to run between VIPRION blades in a device service cluster.
Conditions:
-- VIPRION systems.
-- Configured with device service clustering and a high availability (HA) group.
-- The REST framework's 'gossip' mechanism is configured on the non-primary blade.
Impact:
Gossip being enabled on the non-primary VIPRION blade interferes with communication between the primary and the remote peer.
Workaround:
None.
Fix:
The system no longer enables Gossip sync on non-primary VIPRION blades.
Behavior Change:
Previously, when the REST framework's 'gossip' mechanism was enabled on the non-primary VIPRION blade, it interfered with communication between the primary and the remote peer. Now, the 'gossip' mechanism is disabled on the non-primary blade, so communication between the primary and the remote peer is not impacted.
666454-2 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
Solution Article: K05520115
Component: Access Policy Manager
Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.
Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.
Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in a full tunneling configuration.
3) Mac OS X version is v10.12.5.
Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.
Impact:
VPN connection will fail.
Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.
666401-2 : Memory might become corrupted when a Standby device transitions to Active during failover
Solution Article: K03294104
Component: Local Traffic Manager
Symptoms:
When a failover event occurs with connection mirroring enabled, it is possible for memory to be corrupted when the Standby device transitions to Active.
Conditions:
-- Active-Standby high availability configuration.
-- Virtual server configured with the type set to 'Standard'.
-- Connection mirroring enabled.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Memory is no longer corrupted.
666315 : Global SNAT sets TTL to 255 instead of decrementing
Component: Local Traffic Manager
Symptoms:
Global SNAT sets the TTL to 255 instead of decrementing.
Conditions:
Global SNAT configured.
Impact:
Possible routing loop.
Workaround:
No workaround.
Fix:
TTL for global SNAT now gets decremented.
666221-2 : tmm may crash from DoSL7
Solution Article: K47152503
Component: Application Security Manager
Symptoms:
tmm crash.
Conditions:
A virtual server configured with all of the following: a compression profile, HTTP with DoSL7 and a DoSL7 iRule, and RamCache.
Impact:
SIGSEGV. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a possible tmm crash.
666160-1 : L7 Policy reconfiguration causes a slow memory leak
Solution Article: K63132146
Component: Local Traffic Manager
Symptoms:
When a virtual server with a L7 policy is reconfigured, a small amount of memory is leaked.
Conditions:
A virtual server with L7 policies has a configuration change.
Impact:
The memory leak will reduce the amount of resources for the TMM.
Workaround:
None.
Fix:
L7 Policies no longer leak memory when a virtual server using them is reconfigured.
666112-1 : TMM 'DoS Layer 7' memory leak during config load
Solution Article: K53708490
Component: Application Security Manager
Symptoms:
Degraded performance; potential eventual out-of-memory.
Note: The 'DoS Layer 7' allocations increase by 'TMM count * #domains' after each config load.
Tip: You can watch the 'DoS Layer 7' allocations increase on a shell on the BIG-IP system using the following command:
# watch -n1 -- 'tmctl -s name,allocated,max_allocated,cur_allocs memory_usage_stat | grep -E "^name|---|^DoS Layer 7 "'
Conditions:
-- Provision ASM.
-- Make sure the built-in 'security dos bot-signature' objects are added to the config.
-- Load the config from another shell using the following command:
tmsh load sys config
Impact:
Degraded performance; potential eventual out-of-memory.
Workaround:
None.
Fix:
Fixed the memory leak that occurred after each config load.
666058-2 : XenApp 6.5 published icons are not displayed on APM Webtop
Solution Article: K86091857
Component: Access Policy Manager
Symptoms:
While publishing XenApp 6.5 resources through APM Webtop, some applications are not displaying the icons correctly.
VDI Error logs are seen as follows:
failed to handle '/f5vdi/citrix/icon/': Incorrect bitmap size.
Conditions:
-- XenApp 6.5 is used with their rollup hotfix 6 or 7.
-- Some of the third-party applications provide more icon bitmap information than expected.
Impact:
Icons are not displayed on the APM Webtop.
Workaround:
None.
Fix:
APM Webtop now displays Citrix XenApp icons correctly regardless of the size of the bitmap data.
666035-1 : Obscuring secrets in files collected by qkview
Component: TMOS
Symptoms:
Some config files collected by qkview may have clear text secrets.
Conditions:
Run qkview and extract the archive to see files with cleartext secrets.
Impact:
Plaintext secrets are uploaded to iHealth.
Workaround:
To work around this issue, follow this procedure:
1. Untar qkview file.
2. Obfuscate secrets from the affected file.
3. Recreate qkview file to upload.
For more information, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.
Qkview obfuscation
==================
-- Specific information from text files collected by qkview can be replaced/obscured.
-- Configuration file is in JSON format and it requires regex search pattern and replacement text for given files.
Config file
===========
/etc/qkview_obfuscate.conf
Config Template
===============
{
"filename_regex1":
{
"search_regex11": "replace_text11",
"search_regex12": "replace_text12",
"search_regex13": "replace_text13" <= No comma after the last element.
},
"filename_regex2":
{
"search_regex21": "replace_text21",
"search_regex22": "replace_text22",
"search_regex23": "replace_text23"
} <= No comma after the last node.
}
Notes
=====
-- Search-and-replace rules are applied to the files that match the filename regex.
-- Filename and search_pattern are the regex. JSON special characters need to be escaped in the regex. (JSON special chars list :: http://json.org/.)
Example:
search_pattern "bindpw\s+(\S+)" should be "bindpw\\s+(\\S+)".
('\' is escaped by '\\'.)
-- If a filename matches multiple filename regexes, all rules of those files' regexes are applied to that file.
Example:
{
"abc123\\.conf": {
"password\\s+(\\S+)": "password ####",
"passphrase\\s+(\\S+)": "passphrase ####"
},
"abc\\w+\\.conf": {
"bindpw\\s+(\\S+)": "bindpw dummypasswd"
}
}
Because abc123.conf matches both filename regexes, all three rules are applied to abc123.conf.
-- Obfuscation works only on text files. Compressed files are ignored.
-- The qkview command fails if the config file is syntactically incorrect.
Sample config
=============
{
"abc123\\.conf": {
"password\\s+(\\S+)": "password ####",
"passphrase\\s+(\\S+)": "passphrase ####"
},
"myapp?\\w+\\.conf": {
"bindpw\\s+(\\S+)": "bindpw dummypasswd"
}
}
"abc123\\.conf" - matches abc123.conf
"myapp?\\w+\\.conf" - matches myapp*.conf
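The following is an added example, not part of the release note or of the qkview tool itself. It implements the documented /etc/qkview_obfuscate.conf semantics in Python: the config is JSON, every rule set whose filename regex matches a file is applied (so a file matching two filename regexes gets all of their rules), and a syntactically invalid config is rejected outright. The sample config and file contents are constructed for the demonstration; whether qkview matches the filename regex with a search or a full match, and whether the replacement text supports back-references, is not stated on the page, so this code assumes a search match and treats the replacement text literally.

```python
import json
import re

# Constructed config in the documented format. JSON requires every regex
# backslash to be doubled; json.loads() turns "\\s" back into the regex "\s".
SAMPLE_CONFIG = r'''
{
  "abc123\\.conf": {
    "password\\s+(\\S+)": "password ####",
    "passphrase\\s+(\\S+)": "passphrase ####"
  },
  "abc\\w+\\.conf": {
    "bindpw\\s+(\\S+)": "bindpw dummypasswd"
  }
}
'''

# Constructed stand-ins for text files that would be collected by qkview.
SAMPLE_FILES = {
    "abc123.conf": "user admin\npassword s3cr3t\npassphrase hunter2\nbindpw ldapsecret\n",
    "abcdef.conf": "bindpw other\npassword keep\n",
    "notes.txt": "password visible\n",
}


def load_rules(config_text):
    """Parse the JSON config into [(filename_regex, [(search_regex, replacement), ...])].

    A syntactically incorrect config raises ValueError, mirroring the documented
    behaviour that qkview fails rather than silently skipping obfuscation.
    """
    try:
        raw = json.loads(config_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"obfuscation config is not valid JSON: {exc}") from exc
    rules = []
    for filename_regex, substitutions in raw.items():
        compiled = [(re.compile(search), repl) for search, repl in substitutions.items()]
        rules.append((re.compile(filename_regex), compiled))
    return rules


def config_is_valid(config_text):
    """True if the config would be accepted (valid JSON and valid regexes)."""
    try:
        load_rules(config_text)
        return True
    except (ValueError, re.error):
        return False


def obfuscate_file(filename, text, rules):
    """Apply every rule set whose filename regex matches (assumption: search match).

    Returns (obfuscated_text, number_of_replacements). The replacement text is
    inserted literally (assumption), so '#' or '\\' in it cannot be misread as a
    back-reference.
    """
    applied = 0
    for filename_regex, substitutions in rules:
        if not filename_regex.search(filename):
            continue
        for search_regex, repl in substitutions:
            text, count = search_regex.subn(lambda m, r=repl: r, text)
            applied += count
    return text, applied


def obfuscate_all(files, rules):
    """Run obfuscate_file over a {filename: text} mapping; compressed files are
    never passed here, matching the note that only text files are processed."""
    return {name: obfuscate_file(name, text, rules) for name, text in files.items()}


if __name__ == "__main__":
    for name, (text, count) in obfuscate_all(SAMPLE_FILES, load_rules(SAMPLE_CONFIG)).items():
        print(f"{name}: {count} replacement(s)\n{text}")
```

Because abc123.conf matches both "abc123\\.conf" and "abc\\w+\\.conf", all three rules fire on it, while abcdef.conf only receives the bindpw rule and notes.txt is left untouched. Running the obfuscated output through the same search regexes a second time is a cheap check that no cleartext secret survived before the archive is uploaded.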
666032-3 : Secure renegotiation is set while data is not available.
Solution Article: K05145506
Component: Local Traffic Manager
Symptoms:
Secure renegotiation is set while data is not available, which causes a crash in certain connections.
Conditions:
This occurs when handling SSL secure renegotiation in certain connections.
Impact:
Crashes happen to certain SSL connections.
Workaround:
None.
Fix:
Setting secure renegotiation while data is not available no longer causes a crash in certain connections.
665924-1 : The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
Solution Article: K24847056
Component: Local Traffic Manager
Symptoms:
A TMM crash caused by a double-free of memory within the HTTP2 and SPDY filters. This crash could occur in other TMM sub-systems unrelated to HTTP2 or SPDY.
Conditions:
The HTTP2 or SPDY filter is used, together with many other TMM modules. This situation is difficult to trigger.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The HTTP2 and SPDY filters will no longer double-free memory in rare situations.
665905 : Signature System corruption from specific ASU prevents ASU load after upgrade
Solution Article: K83305000
Component: Application Security Manager
Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.
Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.
Impact:
Attempts to perform Signature Update fail.
Workaround:
The mistaken Signature System can be deleted using the following SQL:
----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------
Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.
665778-1 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
Solution Article: K34503519
Component: iApp Technology
Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'
Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.
Impact:
Cannot view/re-deploy iApps.
Workaround:
Use TMSH to view/re-deploy iApps.
There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.
Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.
-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.
-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.
Fix:
Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
665732-2 : FastHTTP may crash when receiving a fragmented IP packet
Solution Article: K45001711
Component: Local Traffic Manager
Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.
Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.
Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.
Fix:
Force packet reassembly before packet is forwarded to a FastHTTP virtual.
665656-1 : BWC with iSession may leak memory
Component: TMOS
Symptoms:
A memory leak may occur when BWC is configured with iSession.
Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.
Impact:
A memory leak.
Workaround:
None.
Fix:
The memory leak is prevented when BWC and iSession are configured together and a BWC policy is removed or reset.
665652-2 : Multicast traffic not forwarded to members of VLAN group
Solution Article: K41193475
Component: Local Traffic Manager
Symptoms:
Multicast traffic traversing the BIG-IP system through a VLAN that is a member of a VLAN group does not get forwarded to other members of the VLAN group.
Conditions:
Multicast traffic ingress from a VLAN in a VLAN group.
Impact:
Traffic is not forwarded to the other members of the VLAN group.
Workaround:
None.
Fix:
Multicast traffic is now correctly forwarded to members of VLAN group.
665470-1 : Failed to load sample requests on the Traffic Learning page when a VIOL_MALICIOUS_IP violation is raised
Component: Application Security Manager
Symptoms:
The Traffic Learning page fails to load sample requests for malicious IP addresses in a specific case.
Conditions:
-- IP intelligence is turned on.
-- Logging is turned off.
Impact:
Requests that should be learned are not.
Workaround:
Turn on logging.
Fix:
The Traffic Learning page now loads sample requests for malicious IP addresses when IP intelligence is turned on and logging is turned off.
665416-3 : Old versions of APM configuration snapshots need to be reaped more aggressively if not used
Solution Article: K02016491
Component: Access Policy Manager
Symptoms:
Currently, it takes 24 hrs for old versions of APM config snapshots that are not being used to time out and to release the memory. If access profiles are complex and are updated frequently within 24 hrs, memory resource is likely to be exhausted.
Conditions:
If access profiles are updated frequently within 24 hrs and each version of the configuration snapshot contains many variables.
Impact:
TMM may run out of memory and crash, causing service interruption.
Workaround:
None.
Fix:
Per-session access policy snapshots are now deleted after 60 minutes instead of 24 hours.
665362-4 : MCPD might crash if the AOM restarts
Component: TMOS
Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.
Conditions:
This can occur while AOM is restarting.
Impact:
System goes offline for a few minutes.
Workaround:
None.
Fix:
Added error handling to prevent the crash. If this error occurs in the future, mcpd will not crash, but a restart of mcpd is still required.
665354-2 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
Solution Article: K31190471
Component: TMOS
Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.
Those two messages together indicate this known issue.
Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.
Impact:
The unit intermittently reboots.
Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.
If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.
Important: A device Return Materials Authorization (RMA) will not prevent this issue.
Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA MAC receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.
665347-2 : GTM listener object cannot be created via tmsh while in non-Common partition
Solution Article: K17060443
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use tmsh to create a GTM listener in a non-Common partition.
Conditions:
-- In a non-Common partition.
-- Create a listener using a command similar to the following:
(/Common/newpart)(tmos)# create gtm listener new address 10.2.2.2
Impact:
The listener will not be created. The system outputs an error similar to the following:
01020036:3: The requested profile (/Common/newpart/udp_gtm_dns) was not found.
Workaround:
None.
Fix:
GTM Listener parser now correctly handles validation and selections of profiles for GTM listeners.
665330-1 : MSIE 11 should avoid compatibility mode
Component: Access Policy Manager
Symptoms:
MSIE 11 in compatibility mode causes JavaScript errors because MSIE 7-9 have poor JavaScript support.
Conditions:
APM Client and MSIE 11 forced into compatibility mode.
Impact:
Certain pages on client UI are not being rendered or being rendered with errors.
Workaround:
Do not force MSIE 11 into compatibility mode with APM.
Use browsers with good JavaScript support.
Fix:
A meta tag has been added that sets MSIE to native mode. Although a domain group policy can still override it, this is sufficient for most use cases.
665185-1 : SSL handshake reference is not dropped if forward proxy certificate lookup failed
Solution Article: K20994524
Component: Local Traffic Manager
Symptoms:
In rare cases, when forward-proxy certificate-lookup fails, the SSL handshake reference is not dropped, which can consume memory that is no longer needed.
Conditions:
Forward-proxy certificate-lookup fails; specifically, input string size is larger than maximum allowed.
Impact:
tmm memory use grows.
Workaround:
None.
Fix:
The system now drops the SSL handshake reference when forward-proxy certificate-lookup fails. This is correct behavior.
665022-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.
Component: Local Traffic Manager
Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.
Conditions:
Packet length exceeds rateshaper's configured max ceiling.
Impact:
The flow stalls.
Workaround:
Increase the configured rateshaper's max ceiling value to be larger than the largest packet length.
Fix:
Rateshaper no longer stalls when TSO packet length exceeds max ceiling.
664930-2 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
664894-1 : PEM sessions lost when new blade is inserted in chassis
Solution Article: K11070206
Component: TMOS
Symptoms:
Inserting a blade into a chassis whose high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes iRule table command entries as well as entries stored in the SessionDB by modules.
Conditions:
HA in use 'between clusters'.
Impact:
Data loss of some SessionDB entries.
Workaround:
In order to cleanly add a blade, change the setting from 'between clusters' to 'within cluster'; then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA connection to 'between clusters'.
Fix:
PEM sessions are now retained when new blade is inserted in chassis when using 'between clusters'.
664829-1 : BIG-IP sometimes performs unnecessary reboot on first boot
Component: TMOS
Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of the disk has changed, re-size the partition table, and cause a reboot to occur. This is likely to occur only on VE guests.
Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.
Note: A specific software version for a specific cloud environment either always exhibits this, or never does.
Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.
Workaround:
None.
Fix:
An additional, unnecessary reboot of a BIG-IP Virtual Edition during its first boot-up should no longer occur.
664769-1 : TMM may restart when using SOCKS profile and an iRule
Component: Local Traffic Manager
Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.
Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.
Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.
Fix:
TMM no longer crashes when using SOCKS profile and serverside iRule parks.
664737-2 : Do not reboot on ctrl-alt-del
Component: TMOS
Symptoms:
BIG-IP reboots on the ctrl-alt-del keys.
Conditions:
VE with ctrl-alt-del keys in the video console.
Impact:
BIG-IP reboots.
Fix:
The system no longer reboots on ctrl-alt-del.
664714-1 : Client-side challenge is changing POST parameter value under some circumstances
Component: Application Security Manager
Symptoms:
A parameter arrives at the server with a different value than the client sent. This happens while a brute force attack challenge, a web scraping challenge, or a web scraping session client-side mitigation is in progress.
Conditions:
-- POST request with URL-decoded parameters.
-- A parameter is escaped.
-- A client-side challenge is returned for this request.
Impact:
The wrong parameter arrives to the application. In response, the application may stop working or have other errors.
Workaround:
N/A
Fix:
Client-side challenge no longer changes POST parameter value under described circumstances.
664708-2 : TMM memory leak when DoS profile is attached to VS
Component: Application Security Manager
Symptoms:
TMM memory leak when a DoS profile is attached to a virtual server.
Conditions:
1. A DoS profile is attached to the virtual server.
2. Traffic from a search engine is arriving at this virtual server.
3. A DNS resolver is configured.
Impact:
TMM memory use increases over time.
Workaround:
There is no workaround at this time.
Fix:
The system now frees the memory periodically.
664618-3 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
Component: Local Traffic Manager
Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.
Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.
Conditions:
-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.
Impact:
Connections are reset, when only alerting is expected.
Workaround:
None.
Fix:
Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile. When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic will be blocked, and logging can be seen in both the LTM log and the PSM event logs.
664549-2 : TMM restart while processing rewrite filter
Solution Article: K55105132
Component: TMOS
Symptoms:
TMM restart and failover occurs while processing rewrite filter.
Conditions:
-- Virtual server with rewrite-uri-translation profile.
-- Serverside attempts to get data from clientside when connection flow does not exist.
Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM restart and failover no longer occurs while processing rewrite filter.
664535-1 : Diameter failure: load balancing fails when all pool members use same IP Address
Component: Service Provider
Symptoms:
Case 1: Run 2 servers with the same IP but different ports. Send 10 requests from 1 client.
Result: All 10 requests from the client are delivered to 1 server. The result is the same when use-local-connection is disabled.
Case 2: Run 2 servers with the same IP but different ports, but this time use the MR::message route iRule command to route messages between hosts. Send 10 requests from 1 client.
Result: All 10 requests from the client are delivered to 1 server.
Conditions:
Load balancing scenario with single client and two pool members. The servers use same IP, different ports.
Impact:
All the requests from the same client are delivered to 1 server only.
Workaround:
Use different IP addresses for the pool members, or send the client requests from different IP addresses.
Fix:
Load balancing scenario with single client and two pool members now completes successfully even when all pool members use same IP Address.
664528-1 : SSL record can be larger than maximum fragment size (16384 bytes)
Solution Article: K53282793
Component: Local Traffic Manager
Symptoms:
SSL record containing handshake data can exceed maximum fragment size of 16384 bytes because handshake data is not fragmented.
Conditions:
This usually happens when a large certificate or certificate chain is configured for server or client authentication.
Impact:
The SSL handshake will fail with a client or server that properly checks the record size.
Workaround:
Use a certificate that is smaller in size.
Fix:
Handshake data is now properly fragmented into records no larger than the maximum fragment size.
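The following is an added example, not code from the release note or from BIG-IP. It shows in Python what the fix amounts to at the record layer: a handshake message larger than 16384 bytes (here a constructed Certificate message standing in for a large chain) is spread over several TLS records, each at or under the 2^14-byte plaintext limit of RFC 5246 section 6.2.1, and a strict peer that checks record length accepts the fragmented stream but rejects the single oversized record that the pre-fix behaviour would have sent. The record and handshake header layouts are the standard TLS 1.2 ones; the certificate body is filler bytes, not a real certificate.

```python
import struct

# RFC 5246 section 6.2.1: TLSPlaintext.length must not exceed 2^14 bytes.
MAX_FRAGMENT = 16384
CT_HANDSHAKE = 0x16
TLS_1_2 = (3, 3)
HT_CERTIFICATE = 11


def build_handshake(msg_type, body):
    """Wrap a body in the 4-byte handshake header (1-byte type + 24-bit length)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def fragment_handshake(handshake, max_fragment=MAX_FRAGMENT):
    """Fixed behaviour: spread one handshake message over as many records as
    needed, each carrying at most max_fragment bytes of plaintext."""
    if not 1 <= max_fragment <= MAX_FRAGMENT:
        raise ValueError("max_fragment must be between 1 and 16384")
    records = []
    for off in range(0, len(handshake), max_fragment):
        chunk = handshake[off:off + max_fragment]
        header = struct.pack("!BBBH", CT_HANDSHAKE, *TLS_1_2, len(chunk))
        records.append(header + chunk)
    return b"".join(records)


def unfragmented_record(handshake):
    """Defective behaviour described in the note: the whole message in a single
    record regardless of size (the 16-bit length field still has to fit)."""
    if len(handshake) > 0xFFFF:
        raise ValueError("handshake too large for a single record length field")
    return struct.pack("!BBBH", CT_HANDSHAKE, *TLS_1_2, len(handshake)) + handshake


def parse_records(data, strict=True):
    """Parse a record stream into [(content_type, version, payload), ...].

    A strict peer, the one that 'properly checks the record size', rejects any
    record whose length exceeds MAX_FRAGMENT instead of processing it.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        if strict and length > MAX_FRAGMENT:
            raise ValueError(f"record length {length} exceeds {MAX_FRAGMENT}")
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        records.append((ctype, (vmaj, vmin), payload))
        off += 5 + length
    return records


def reassemble_handshake(records):
    """Concatenate handshake fragments back into the original message bytes."""
    return b"".join(payload for ctype, _, payload in records if ctype == CT_HANDSHAKE)


def strict_peer_accepts(stream):
    """True if a size-checking peer would accept every record in the stream."""
    try:
        parse_records(stream, strict=True)
        return True
    except ValueError:
        return False


def demo():
    # Constructed stand-in for a large certificate chain: 40,960 bytes of filler,
    # giving a 40,964-byte handshake message once the header is added.
    body = bytes(range(256)) * 160
    msg = build_handshake(HT_CERTIFICATE, body)
    fragmented = parse_records(fragment_handshake(msg))
    return {
        "record_count": len(fragmented),
        "largest_record": max(len(p) for _, _, p in fragmented),
        "roundtrip_ok": reassemble_handshake(fragmented) == msg,
        "strict_accepts_fragmented": strict_peer_accepts(fragment_handshake(msg)),
        "strict_accepts_unfragmented": strict_peer_accepts(unfragmented_record(msg)),
    }


if __name__ == "__main__":
    print(demo())
```

The 40,964-byte message becomes three records (16384 + 16384 + 8196 bytes) and reassembles to the original bytes, while the single 40,964-byte record is rejected by the strict parser. The same length check is what a packet capture of a failing handshake would show tripping on the peer side.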
664524 : CVE-2017-2636: A race condition was found in the N_HDLC Linux kernel driver that can lead to double free; CVE-2016-7910: A flaw was found in the Linux kernel's implementation of seq_file which can lead to memory corruption
Component: TMOS
Symptoms:
CVE-2017-2636:
A race condition flaw was found in the N_HDLC Linux kernel driver when accessing the n_hdlc.tbuf list that can lead to a double free.
CVE-2016-7910:
A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privilege escalation.
Conditions:
CVE-2017-2636:
A local, unprivileged user able to set the HDLC line discipline on the tty device.
CVE-2016-7910:
A local attacker could manipulate memory in the put() function pointer.
Impact:
CVE-2017-2636:
Local user can use this flaw to increase their privileges on the system.
CVE-2016-7910:
A local attacker can manipulate memory, which could lead to memory corruption and possible privilege escalation.
Workaround:
CVE-2017-2636:
This module can be prevented from loading using the following command:
# echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf
The system will need to be restarted if the n_hdlc module is already loaded.
In most circumstances, the n_hdlc kernel module cannot be unloaded while it is in use by any current process that requires this line discipline.
CVE-2016-7910:
None
Fix:
Upstream patch applied.
664507-3 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
Component: Access Policy Manager
Symptoms:
IdP-connector automation removes the certificate reference when an update to the metadata file is detected and the metadata file contains multiple signing certificates.
Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.
Impact:
Certificate reference to remotely published metadata is removed from local configuration (saml-idp-connector object). As a result, assertions generated by external IdP will not be accepted until proper certificate is configured on saml-idp-connector object again.
Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.
Fix:
When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.
664461-3 : Replacing HTTP payload can cause tmm restart
Solution Article: K16804728
Component: Local Traffic Manager
Symptoms:
Under certain conditions, using the [ HTTP::payload replace ... ] iRule command can result in the tmm restarting.
Conditions:
Occurs when server response is non-chunked, does not contain a Content-Length header, an iRule adds a Content-Length header and performs an HTTP::payload replace command where the length is shorter than the original body length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The HTTP::payload replace command no longer causes tmm restarts under certain conditions.
664063-1 : Azure displays failure for deployment of BIG-IP from a Resource Manager template
Solution Article: K03203976
Component: TMOS
Symptoms:
When deploying BIG-IP images through Azure Resource Manager or Marketplace Solution templates, the Azure portal will never display success. A timeout will eventually occur and the deployment will appear to have failed.
Conditions:
Deployment from an Azure Resource Manager or Solution template, including the BIG-IP WAF Solution from the Azure Security Center.
Impact:
A successful deployment will appear to have failed when monitoring the status in the Azure portal.
Workaround:
None.
Fix:
Deployments of BIG-IP from Azure Resource Manager or Marketplace Solution templates, or the BIG-IP WAF Solution from the Azure Security Center, now show the correct deployment status.
664057-2 : Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
Component: TMOS
Symptoms:
Upgrades from pre-12.0.0 to 12.0.0 or beyond would delete WideIPs without pools attached even if they had an iRule attached.
Conditions:
Pre-12.0.0 configuration with a WideIP without any pools, but with an iRule.
Impact:
Some or all of the post-upgrade "GSLB-typed" WideIPs would be lost during the upgrade process.
Workaround:
Manually add missing WideIPs after upgrade.
Fix:
Fixed issue that could delete certain types of GTM WideIPs after an upgrade from a pre-12.0.0 version to a post 12.0.0 version.
664017-3 : OCSP may reject valid responses
Component: TMOS
Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:
OCSP response: got EOF
Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.
Impact:
Valid OCSP responses may be rejected.
Workaround:
None.
Fix:
These responses are now accepted.
663974-2 : TMM crash when using LSN inbound connections
Component: Carrier-Grade NAT
Symptoms:
TMM might crash when using an LSN pool with inbound connections.
Conditions:
LSN inbound connections configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when using an LSN pool with inbound connections.
663924-2 : Qkview archives include Kerberos keytab files
Component: TMOS
Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.
Conditions:
APM provisioned with Kerberos authentication.
Impact:
Private security key exposure.
Workaround:
There is no workaround.
Fix:
Qkview no longer collects 'kerberos_keytab_file_d' directory containing keytab files when creating qkview archive.
663821-3 : SNAT Stats may not include FTP (port 21) traffic
Solution Article: K41344010
Component: Local Traffic Manager
Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).
Conditions:
-- SNAT is configured.
-- FTP connections traverse the SNAT.
Impact:
Stats are not incremented in tmsh or the GUI.
Workaround:
None.
Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.
663770-2 : AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server
Solution Article: K04025134
Component: Advanced Firewall Manager
Symptoms:
AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server.
This is a regression from 12.1.x behavior.
Conditions:
Incoming traffic matches a virtual server and then gets internally redirected to another virtual server, either via an iRule or an LTM local traffic policy.
Impact:
This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.
Workaround:
There is no workaround at this time.
Fix:
Cause of the regression is fixed and now AFM policy is applied to traffic that is internally redirected to another virtual server (either via iRule or LTM traffic policy).
663730-1 : Bigd prematurely kills child/external monitor process if WIFCONTINUED signal received
Component: Local Traffic Manager
Symptoms:
The bigd daemon may prematurely kill a child/external monitor process when a WIFCONTINUED signal is received for the child process.
Conditions:
This may occur under rare timing conditions when one of the following LTM monitor types is configured and in active use:
- external
- ftp
- imap
- pop3
- snmp
Impact:
Health monitoring using an affected monitor type may be temporarily interrupted when the child/external monitor process is killed and subsequently restarted.
Fix:
The bigd daemon now logs a message and does not prematurely kill a child/external monitor process when a WIFCONTINUED signal is received.
663580-1 : logrotate does not automatically run when /var/log reaches 90% usage
Solution Article: K31981624
Component: TMOS
Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.
Conditions:
/var/log has less than 10% free space.
Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.
Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a description of the expected behavior.
Workaround:
None.
Fix:
The alertd daemon now correctly recognizes the log message from diskmonitor to initiate logrotate.
663551-1 : SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
Solution Article: K14942957
Component: Local Traffic Manager
Symptoms:
If an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE event, the expected result is that the SERVERSSL_DATA event will be raised when the serverside receives the SSL data. Then, the decrypted SSL data can be examined and manipulated.
*****************************
when SERVERSSL_HANDSHAKE {
SSL::collect
}
when SERVERSSL_DATA {
log local0. "ServerSSL Data"
log local0. [SSL::payload]
SSL::release
}
*****************************
The issue is that SERVERSSL_DATA is not raised when the iRule calls [SSL::collect] in SERVERSSL_HANDSHAKE, even after the serverside receives the SSL data:
****************************
when SERVERSSL_HANDSHAKE {
SSL::collect
}
****************************
Conditions:
Calling the [SSL::collect] in the SERVERSSL_HANDSHAKE event.
****************************
when SERVERSSL_HANDSHAKE {
SSL::collect
}
****************************
Impact:
SERVERSSL_DATA event is not raised.
Workaround:
Add the [SSL::release] command in the SERVERSSL_HANDSHAKE event.
**********************************
when SERVERSSL_HANDSHAKE {
SSL::collect
SSL::release
}
**********************************
Fix:
SERVERSSL_DATA event is now raised when an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE.
663535-1 : Sending ASM cookies with "secure" attribute even without client-ssl profile
Component: Application Security Manager
Symptoms:
ASM cookies are set with the "secure" attribute only when the BIG-IP virtual server has a client-ssl profile.
Conditions:
ASM is enabled, and traffic reaches the BIG-IP system on a virtual server without a client-ssl profile.
Impact:
When the client-side network is encrypted but the ASM virtual server sees cleartext traffic, cookies cannot be set with the "secure" attribute.
Workaround:
There is no workaround at this time.
Fix:
Added an internal parameter, "assume_https", which when enabled causes the "secure" attribute to always be set, even when the network to the BIG-IP system is cleartext.
663531-1 : TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel
Component: Carrier-Grade NAT
Symptoms:
TMM crashes when PPTP finds a matching non-PPTP-GRE flow when checking for an existing tunnel.
Conditions:
PPTP-ALG and CGNAT on a BIG-IP system, when a GRE tunnel matches a PPTP-GRE flow.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Possible mitigation by not using a forwarding virtual for non-PPTP GRE traffic.
Fix:
The system now drops the new flow/tunnel and allows it to clean up, so TMM no longer crashes when PPTP finds a non-PPTP-GRE flow when checking for an existing tunnel.
663521-2 : Intermittent dropping of multicast packets on certain BIG-IP platforms
Component: TMOS
Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.
Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.
Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.
Impact:
Dropped multicast packets, possibly impacting multicast protocols.
Workaround:
None.
Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.
663506-7 : apmd crash during ldap cache initialization
Solution Article: K30533350
Component: Access Policy Manager
Symptoms:
apmd crashes.
Conditions:
- LDAP module is in use in an access policy,
- APM end-users are logging in, while administrator modifies AAA LDAP Server or LDAP Agent,
- Cache update takes a while (too many groups in domain and/or slow network).
Impact:
The BIG-IP system cannot process user logon requests until apmd is restarted and the LDAP cache is updated.
Workaround:
The best practice is to update the policy/AAA LDAP Server when the BIG-IP system is not under load. Then perform one logon manually. apmd updates its caches on the first APM end-user logon. Once the caches are updated, all further logons should happen much faster and should not cause any problems.
Fix:
APMD now handles the generation of LDAP Query / AD Query nested group cache correctly during high authentication load.
663396-1 : URL Method override is enforced incorrectly after upgrade
Component: Application Security Manager
Symptoms:
After an upgrade, an overridden HTTP method on a particular URL is enforced incorrectly. Additionally, in a rare circumstance, requests using GET method are illegal after upgrade.
Conditions:
An HTTP method is overridden on a particular URL and the system is upgraded.
Impact:
Requests are incorrectly blocked.
Workaround:
Make a spurious change to any policy and click 'Apply Policy'.
Fix:
Overridden HTTP methods are enforced correctly after upgrade.
663366-3 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
Component: TMOS
Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.
Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.
Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.
663333-1 : TMM may core in PBA mode if the LSN pool is under-provisioned or utilization is high
Component: Carrier-Grade NAT
Symptoms:
TMM may core while trying to allocate a new block.
Conditions:
If the LSN pool is under-provisioned or utilization is high, TMM may need to send MPI messages to other TMMs to search for free blocks. TMM may core if these operations time out.
Impact:
Traffic disrupted while tmm restarts.
663326-2 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys
Component: Local Traffic Manager
Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.
Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.
Impact:
Even though the key has been stored in the HSM, the BIG-IP system is still unable to use it, because the stub key that must be configured on the BIG-IP system is missing.
Workaround:
This can be worked around by directly using the Thales command, for example:
[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha1] >
Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.
663310-3 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
Component: Global Traffic Manager (DNS)
Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.
Conditions:
-- Upgrade from BIG-IP containing pre-9.9.X versions of Bind, to BIG-IP versions with Bind versions later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.
Impact:
Zones cannot be loaded.
Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;
Fix:
BIND 9.9.x changed the default storage format of slave zone files from "text" to "raw".
On upgrade, the configuration is now parsed for slave zones that do not specify masterfile-format, and those zones are set to "text".
663197-3 : Security hardening of files to prevent sensitive configuration from being stored in qkview.
Component: TMOS
Symptoms:
Sensitive configuration information, such as auth-related passwords, is being stored in cleartext in qkview files.
Conditions:
Run qkview and extract to see files with cleartext configuration information.
Impact:
Cleartext configuration information is uploaded to iHealth.
Workaround:
None.
Fix:
Security hardening of files to prevent sensitive configuration from being stored in qkview. Cleartext passwords will be replaced with **** in all of the following config files while collecting in qkview:
/config/bigip/auth/pam.d/cert-ldap/system-auth.conf
/config/bigip/auth/pam.d/ldap/system-auth.conf
/config/bigip/auth/pam.d/radius/system-auth.conf
/config/bigip/auth/pam.d/tacacs/system-auth
/config/bigip/auth/pam.d/ocsp/*
/config/bigip/auth/pam.d/cc_ldap/*
663178-1 : tmm may crash sometimes when using VPN
Component: Local Traffic Manager
Symptoms:
tmm crashes and the BIG-IP system fails over.
Conditions:
VPN is in use.
Impact:
tmm crashes and the BIG-IP system fails over. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
This problem is fixed.
663127-1 : Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
Component: Access Policy Manager
Symptoms:
The symptom appears as an error in /var/log/apm similar to the following:
Internal error processing sso config /Common/idp_obj_name
sso_tmconf_string_parse_list
Once this error message is logged, subsequent authentication attempts that use this BIG-IP system as the IdP will fail.
Conditions:
SAML Identity Provider configuration is invalid: attribute contains empty value(s), for example:
apm sso saml /Common/idp_obj {
attributes {
{
multi-values { "" user@f5.com }
name User.Email
}
}
}
Impact:
Authentication will fail for users using affected SAML IdP object.
Workaround:
Manually edit the bigip.conf configuration file and remove the empty value(s) from the SAML attribute, e.g.:
apm sso saml /Common/idp_obj {
attributes {
{
multi-values { user@f5.com }
name User.Email
}
}
}
Fix:
Empty values in SAML attributes will no longer be accepted by validation logic.
663073-1 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
Component: Global Traffic Manager (DNS)
Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.
If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.
Impact:
Available pool members might be lost from the combo box until the page is reloaded.
Note: The pool members are not gone from the system; they are still present, just not displayed.
Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.
Fix:
Changed the behavior of the combo box when a member is selected by clicking on it in the dropdown list. Adding a selected pool member as described above will cause the combo box to correctly remove that pool member from the combo box.
663063-2 : Disabling a pool member used in a busy HSL TCP destination can result in service disruption.
Component: TMOS
Symptoms:
Manually disabling an otherwise available pool member from a pool used as an HSL TCP destination can result in a tmm crash and service disruption.
This is more likely to occur when HSL destination is using 'balanced' distribution.
Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.
Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.
Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.
Fix:
TMM crash no longer occurs when HSL TCP pool member with pending connection is manually disabled.
662911-2 : SASP monitor uses same UID for all vCMP guests in a chassis or appliance
Solution Article: K93119070
Component: Local Traffic Manager
Symptoms:
The SASP GWM monitor generates the LB UID from the chassis serial number of the platform on which BIG-IP is running. All vCMP guests running on the platform attempt to use the same UID.
The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.
As a result, only one vCMP guest running on each BIG-IP appliance or VIPRION chassis is able to successfully use the SASP monitor.
- The SASP monitor running on the first vCMP guest can successfully connect to the SASP GWM.
- Subsequent SASP monitor instances running on other vCMP guests will fail to connect to the SASP GWM.
Conditions:
This occurs when multiple vCMP guests are running on a single BIG-IP appliance or VIPRION chassis, each using a SASP monitor connecting to the same SASP GWM to monitor pool member availability.
Impact:
The SASP monitor is unable to monitor pool member availability on more than one vCMP guest running on a single BIG-IP appliance or VIPRION chassis.
Workaround:
None.
Fix:
The SASP monitor can be used to monitor pool member availability on multiple vCMP guests running on a single BIG-IP appliance or VIPRION chassis.
662881-2 : L7 mirrored packets from standby to active might cause tmm core when it goes active.
Solution Article: K10443875
Component: Local Traffic Manager
Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.
Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A spurious ACK no longer causes an outage; instead, the packet is dropped.
662850-2 : Expat XML library vulnerability CVE-2015-2716
Solution Article: K50459349
662844 : TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
Solution Article: K87735013
Component: Service Provider
Symptoms:
Mirroring for Diameter MRF was not implemented in v12.x.x. However, there is an option that allows the user to enable it. When enabled, tmm crashes.
Conditions:
-- Connection mirroring is enabled for Diameter MRF virtual server's router profile.
-- Using v12.x.x.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Note: Mirroring for Diameter MRF was implemented in v13.0.0. The presence of the option to enable the unimplemented functionality is erroneous.
Workaround:
Do not enable Diameter MRF router profile's connection mirroring setting for v12.x.x.
Fix:
Diameter MRF mirroring for Diameter MR has been implemented beginning with v13.0.0. Enabling this option in v12.x.x results in a tmm crash.
662816-2 : Monitor node log fd leak for certain monitor types
Solution Article: K61902543
Component: Local Traffic Manager
Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.
Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').
Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.
This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.
The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open
Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.
File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.
Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.
Fix:
The bigd daemon does not leak file descriptors for monitor node logs when certain types of LTM health monitors are configured with node logging enabled and the monitor is then removed from the LTM node, pool, or pool member configuration.
662663-6 : Decryption failure Nitrox platforms in vCMP mode
Solution Article: K52521791
662639-2 : Policy Sync fails when policy object include FIPS key
Component: Access Policy Manager
Symptoms:
Policy sync failed with a vague error:
err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...
Conditions:
-- Sync-only device group configuration.
-- FIPS cards in use.
-- On one device:
+ Create FIPS key and certificate:
1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create.
2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'.
+ Create a rewrite profile:
1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile.
2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively).
+ Create an access profile.
+ Create a virtual server and attach the access profile and rewrite profile to it.
(Note: You must also include other dependent settings, such as a connectivity profile.)
3. Start a policy sync from the device.
Impact:
Feature failure for specific configurations.
Workaround:
None.
Fix:
APM policy sync now succeeds even when the policy includes a FIPS key.
662372-1 : Uploading a new device certificate file via the GUI might not update the device certificate
Solution Article: K41250179
Component: TMOS
Symptoms:
After uploading a new device certificate via the 'Upload File' option in the GUI, the device certificate remains unchanged.
Conditions:
-- Upload a new device certificate file via the GUI.
-- There is already a file called /tmp/server.crt.
Impact:
The device certificate is not updated and no error is shown.
Workaround:
Use the 'Paste Text' option to import the certificate.
662364-2 : MRF DIAMETER: IP ToS not passing through with DIAMETER
Component: Service Provider
Symptoms:
IP layer's ToS is not passing through MRF Diameter.
Conditions:
-- The IP ToS bit is received in the clientside connection.
-- ip-tos-to-client is set as pass-through.
Impact:
The ToS from the client does not reach the server.
Workaround:
Use an iRule to preserve the ToS from the client and set it to serverside's connection.
Fix:
The ToS bit that arrives on the clientside connection now passes through with Diameter MRF.
662331-1 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.
Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.
662308-1 : BD core
Component: Application Security Manager
Symptoms:
BD process crashes and produces a core file; traffic disturbance.
Conditions:
BD threads access a shared data structure, and in a rare circumstance one thread touches the structure while another thread is processing its data.
Note: This issue is very timing-sensitive, so it is unlikely to occur under normal operating conditions.
Impact:
Memory corruption on one of the internal data structures. Traffic disrupted while bd restarts.
Workaround:
None.
Fix:
Fixed a bd crash related to internal CPU stats.
662281-2 : Inconsistencies in Automatic sync ASM Device Group
Component: Application Security Manager
Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.
This can cause any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices
Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.
Impact:
Any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices
Workaround:
Disable automatic sync on the device group, and periodically push changes manually.
Fix:
Calls are correctly propagated across Automatic sync Device Groups.
662085-1 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
Component: Local Traffic Manager
Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.
Conditions:
Installing large Node.js packages using the TMUI.
Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.
Workaround:
None.
Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.
Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.
662078-1 : Occasionally connections are dropped in response to timing errors
Component: Local Traffic Manager
Symptoms:
Occasionally connections are dropped and the following message is posted, even when TPS is set to UNLIMITED: SSL transaction (TPS) rate limit reached.
Conditions:
-- SSL traffic is received.
-- A certain timing condition is encountered.
Impact:
Connection is dropped. This is an occasional, timing-related issue.
Workaround:
There is no workaround at this time.
Fix:
Timing error no longer occurs when SSL traffic is received, so connections are not dropped.
662022-5 : The URI normalization functionality within the TMM may mishandle some malformed URIs.
Solution Article: K34514540
661881-2 : Memory and performance issues when using certain ASN.1 decoding formats in iRules
Solution Article: K00030614
Component: Local Traffic Manager
Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.
Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.
Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.
Workaround:
None.
Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.
Fix:
Prevented memory leak when using calls to ASN1::decode with "a" or "B" characters in the format string.
661828-1 : TMM may consume excessive resources when processing SSL traffic
Solution Article: K55101404
661764-2 : It is possible to configure a number of CPUs that exceeds the licensed throughput
Solution Article: K53762147
Component: TMOS
Symptoms:
The system does not prevent you from selecting a number of CPUs that exceeds the license's throughput limit.
Conditions:
Configure a number of CPUs that exceeds the licensed throughput, for example, configuring 4 CPUs on a 2Mbps license on a VE system.
Impact:
Depending on the operations performed, it is possible for tmm to core.
Workaround:
None, other than configuring only the available number of CPUs.
Fix:
The system now detects when a configuration invalid for the license is in use and fails gracefully, presenting an error message explaining the failure.
660913-1 : For ActiveSync client type, browscap info provided is incorrect.★
Component: Access Policy Manager
Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.
Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.
Impact:
ActiveSync "Client UI" expression will fail and a wrong branch will be selected. As a result Clients using ActiveSync may not be authenticated.
Workaround:
In the VPE change the ActiveSync "Client UI" expression to:
expr { [mcget {session.server.landinguri}] starts_with "/Microsoft-Server-ActiveSync" || [mcget {session.ui.mode}] == 8 }
Fix:
Session variable session.client.browscap_info is now set correctly.
660760-1 : DNS graphs fail to display in the GUI
Solution Article: K75105750
Component: TMOS
Symptoms:
Can no longer view the DNS graphs in the GUI after upgrading from an earlier release. The system reports the following error in the GUI when visiting GUI Statistic :: Performance :: DNS: Error trying to access the database.
Conditions:
This occurs when the BIG-IP system is licensed for the GTM module (mod_gtm) instead of the DNS module (mod_dnsgtm). This might occur in the case where the system is upgraded from an earlier release such as v10.2.4 (where the module was GTM) to a later release such as v12.1.1 (where the module is DNS).
Impact:
Accessing the DNS graphs in the GUI fails.
Workaround:
None.
Fix:
The DNS graphs are now created in the GUI when the system is licensed for the GTM module (mod_gtm) or for the DNS module (mod_dnsgtm).
660711-1 : MCPd might crash when a user tries to import an access policy
Solution Article: K05265457
Component: Access Policy Manager
Symptoms:
MCPd restarts while importing an access policy; other daemons might also restart because of the MCPd restart.
Conditions:
-- An access policy uses the same agent more than once.
-- Importing that access policy.
-- You do not use GUI/VPE to manage access policy, but directly modify the config file in exported access policy.
Impact:
MCPd and some other daemons restart. GUI unresponsive until daemons restart.
Workaround:
Always use the GUI/VPE to manage access policies; do not modify the config file for an exported access policy.
Fix:
MCP now applies appropriate validation to avoid importing invalid access policies.
660532-2 : Cannot specify the event parameter for redirects on the policy rule screen.
Solution Article: K21050223
Component: TMOS
Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.
System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.
Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.
Impact:
Cannot specify the event parameter.
Workaround:
None.
Fix:
This release adds an option for choosing the event for the redirect action.
660327-2 : Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
Component: Application Security Manager
Symptoms:
Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
This happens only if before the upgrade, there was an ASM logging profile which had both remote logging and local logging enabled on it.
Upon upgrade, a single logging profile with local-plus-remote ASM logging enabled is split into two profiles, one of which has the '_local' suffix added to its name. A subsequent attempt to load the config of the pre-upgrade system then fails. This only happens when using 'load sys config' or 'load sys config file', and does not happen when using 'load sys ucs'.
Upon failure, the following error is seen on the terminal:
01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.
And in /var/log/ltm:
err mcpd[6618]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127.
Conditions:
-- Using a configuration that contains a Log Profile with ASM enabled and both Remote Log and Local Log enabled.
-- Upgrade to 12.1.2 or later (using a roll-forward upgrade, or a clean install followed by loading the saved config file).
Impact:
Config load fails. Upgrade fails.
Workaround:
Use one of the following workarounds:
1. Save the new configuration before editing and re-loading, using the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all
(Note: Saving the UCS also saves the configuration.)
2. Instead of loading the full configuration directly, first load the base and then load the full configuration:
tmsh -c 'load sys config partitions all base; load sys config partitions all'
660263-4 : DNS transparent cache message and RR set activity counters not incrementing
Component: Global Traffic Manager (DNS)
Symptoms:
The message and Resource Record (RR) set counters for transparent caches do not increment to reflect traffic.
Conditions:
-- The cache is of type transparent.
-- Viewing statistics counters.
Impact:
The statistics counters stay zero.
Workaround:
There is no workaround.
Fix:
The system now enables the code that increments these counters for transparent caches, as it already does for other cache types.
660239-3 : When accessing the dashboard, invalid HTTP headers may be present
Component: TMOS
Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.
Conditions:
Access the dashboard via Statistics :: Dashboard.
Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.
You may see errors such as the following in the httpd error log:
Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf
Workaround:
There is no workaround at this time.
Fix:
Eliminated invalid header data.
660187-3 : TMM core after intra-chassis failover for some instances of subscriber creation
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.
Conditions:
-- The chassis is loaded with many blades.
-- The high availability (HA) configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.
Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now verifies the validity of the AVPs before copying the attributes.
660170-1 : tmm may crash at ~75% of VLAN failsafe timeout expiration
Solution Article: K28505910
Component: Local Traffic Manager
Symptoms:
When VLAN failsafe is configured and the VLAN failsafe timeout is 3/4 expired, tmm generates ICMP traffic to elicit a network response. When this occurs, the system might experience a crash.
Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.
Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).
Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)
Workaround:
1. To allow the VLAN failsafe timer to be reset by any frame, run the following command with VLAN failsafe enabled:
tmsh modify sys db failover.vlanfailsafe.resettimeronanyframe value enable
This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.
2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.
Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.
Fix:
TMM no longer risks a crash when generating ICMP traffic to provoke a network response as the VLAN failsafe timer nears expiry, whether on a completely quiet network or in an invalid configuration, given the following configuration:
- VLAN failsafe is configured.
- 3/4 of the configured VLAN failsafe timeout has elapsed (e.g., 67.5 seconds of 90 seconds).
659969-1 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
Component: Global Traffic Manager (DNS)
Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.
Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.
Impact:
Command does not complete successfully. This is an internal validation issue.
Workaround:
None.
659912-1 : GSLB Pool Member Manage page display issues and error message
Solution Article: K81210772
Component: Global Traffic Manager (DNS)
Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.
Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.
Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.
Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.
Impact:
Degraded usability.
Workaround:
Use TMSH to add a static-target and to edit pool members.
Fix:
Fixed the edit-button issue and the issue that prevented adding a GSLB pool member that was not part of the GTM config as a static target. Now, if static target is enabled, you can type the name of the target without the target being configured on the system.
659899-1 : Rare, intermittent system instability observed in dynamic load-balancing modes
Solution Article: K10589537
Component: Local Traffic Manager
Symptoms:
The dynamic pool member load-balancing modes require precise measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.
Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.
Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.
659791-2 : TFO and TLP could produce a core file under specific circumstances
Solution Article: K81137982
659709-1 : Mirroring persistence records may cause a TMM memory leak
Component: Local Traffic Manager
Symptoms:
Mirroring persistence records may cause a Traffic Management Microkernel (TMM) memory leak.
As a result of this issue, you may encounter one or more of the following symptoms:
-- The tmsh show /sys memory command indicates that TMM memory usage increases over time.
-- The TMM process generates a core file to the /shared/core directory.
-- The BIG-IP system generates a SIGSEGV fault message in the /var/log/tmm log file.
Conditions:
-- Mirroring enabled on virtual server and/or persistence profile.
-- Persistence used.
-- Another error condition exists, such as high availability (HA) channel down or no mirroring address configured.
Impact:
Traffic is disrupted while the TMM process produces a core file and restarts. Systems configured as part of a HA device group may fail over to a peer device.
Workaround:
To work around this issue, you can disable the Mirror Persistence option for the persistence profiles or make sure the mirroring channel is properly configured and operational. For information about troubleshooting the mirroring channel, refer to K54622241: Troubleshooting connection mirroring :: https://support.f5.com/csp/article/K54622241.
Fix:
When HA mirroring is re-established, persist records are now freed.
659648-2 : LTM Policy rule name migration doesn't properly handle whitespace
Component: Local Traffic Manager
Symptoms:
LTM Policy validation does not allow rule names to begin or end with whitespace characters. When migrating configuration to the next version, the migration process attempts to trim off any leading and trailing whitespace. However, this process does not handle leading and trailing whitespace when such characters occur within a double quoted string.
Conditions:
LTM policy with a rule name that contains leading and/or trailing whitespace characters. These will typically occur within a double-quoted string. Here is an example that one might find in bigip.conf:
ltm policy example1 {
    rules {
        " leading and trailing spaces " {
            ...
        }
        ...
    }
}
Impact:
Policy rules are migrated incorrectly, then fail validation because of remaining leading and/or trailing whitespace characters.
Workaround:
Prior to migration, LTM Policy rule names can be changed to remove leading and trailing whitespace. After a failed migration, bigip.conf can be manually edited to remove the offending characters, and the configuration can then be loaded manually.
Fix:
LTM Policy migration properly handles whitespace in rule names in a quoted string.
659567-1 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
Solution Article: K94685557
Component: Policy Enforcement Manager
Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.
Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.
Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.
Workaround:
None.
Fix:
iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions. The commands now consider route domains.
659519-1 : Non-default header-table-size setting on HTTP2 profiles may cause issues
Solution Article: K42400554
Component: Local Traffic Manager
Symptoms:
The HTTP2 connection sends RST_STREAM with a protocol error in response to a HEADERS frame.
Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.
Impact:
Periodic HTTP2 connection failures to the virtual server.
Workaround:
Restore the default header-table-size setting for the HTTP2 profile.
659371-2 : apmd crashes executing iRule policy evaluate
Solution Article: K54310201
Component: Access Policy Manager
Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.
Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.
Impact:
apmd crashes and restarts, preventing end users from logging in.
Workaround:
None.
Fix:
Now APMD has a more robust initialization process to ensure that it does not execute access policies from iRule commands before it is ready.
659173-1 : Diameter Message Length Limit Changed from 1024 to 4096 Bytes
Solution Article: K76352741
Component: Service Provider
Symptoms:
Diameter messages longer than 1024 bytes might cause core dumps.
Conditions:
Using Diameter messages longer than 1024 bytes.
Impact:
Core dumps on Diameter MRF virtual servers.
Workaround:
Make sure messages are less than 1024 bytes.
Fix:
Messages of 4096 or fewer bytes now pass, and longer messages no longer cause core dumps.
659057-1 : BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
Component: TMOS
Symptoms:
The LCD on BIG-IP iSeries appliances must detect whether the system is in IPv4 or IPv6 context before retrieving the gateway from the Host via REST. If two gateways are configured (IPv4 and IPv6) only whichever is first in the list is returned via REST and will be set on the Host.
Conditions:
If two gateways are configured (IPv4 and IPv6).
Impact:
Incorrect gateway retrieval can create bad configs which would impact traffic resulting in failed ping attempts, destination unreachable errors, request timeouts, etc.
Workaround:
No workaround at this time.
Fix:
LCD code now retrieves the correct gateway when switching between IPV4 and IPV6 context.
658989-2 : Memory leak when connection terminates in iRule process
Component: Local Traffic Manager
Symptoms:
Memory leak eventually leading to alloc failure and TMM crash.
Conditions:
Connection is aborted/terminated when iRule processing is suspended for the current connection.
Impact:
Memory leak and eventual TMM restart. Traffic disrupted while tmm restarts.
Workaround:
Avoid suspend/park commands in iRule processing.
Fix:
Memory no longer leaks when connection is aborted/terminated when iRule processing is suspended.
658852-5 : Empty User-Agent in iSessions requests from APM client on Windows
Component: Access Policy Manager
Symptoms:
'User-Agent' might be empty in some '/isession' requests from the APM client on Microsoft Windows. An empty User-Agent header is not RFC compliant and causes some firewalls to block the connection. This might result in failure to establish a VPN tunnel.
Conditions:
'/isession' requests from APM client on Windows.
Impact:
Failure to establish a VPN tunnel.
Workaround:
None.
Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.
658664-3 : VPN connection drops when 'prohibit routing table change' is enabled
Solution Article: K21390304
Component: Access Policy Manager
Symptoms:
When there is a brief network outage and 'prohibit routing table change' is enabled, VPN gets disconnected and no further attempts are made to re-establish the VPN connection.
Conditions:
-- A brief network outage occurs.
-- The 'prohibit routing table change' option is enabled.
Impact:
APM end users must click 'Connect' and re-authenticate in order to re-establish the VPN connection.
Workaround:
To re-establish the VPN connection, click 'Connect' and re-authenticate.
Fix:
Now the Windows Edge Client VPN connection stays active during a brief network outage, regardless of the state of the 'prohibit routing table changes' option.
658636-2 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
Solution Article: K51355172
Component: TMOS
Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct.
Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:
create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon
The system creates the following monitor:
gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"
}
Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.
Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.
Fix:
When creating LTM or DNS monitors through batch/transaction mode newlines are now properly escaped.
658574-2 : An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
Solution Article: K61847644
Component: TMOS
Symptoms:
An accelerated flow can send to a stale destination MAC address after the ARP packet with the updated MAC address is received.
Warning: disabling auto-lasthop is not enough if you want the BIG-IP system to use the updated destination MAC address.
Conditions:
A flow is accelerated with a destination MAC address that changes while the flow is accelerated.
Impact:
The BIG-IP system sends packets to a stale (incorrect) destination MAC address. In this case, the new MAC address is not updated for the accelerated flow and the flow will continue to send traffic using the original MAC address.
Workaround:
Disable HW acceleration. Prevent the downstream destination MAC address from changing. For example, if the downstream unit is a BIG-IP active/standby configuration, then use MAC masquerading to prevent the MAC address from changing.
658557-2 : The snmpd daemon may leak memory when processing requests.
Solution Article: K35209601
658417-1 : REST: Failure to authenticate/renew user who is using expired password
Component: Device Management
Symptoms:
1. Authentication fails for the REST user instead of prompting to renew the password.
2. Authentication is down briefly.
Conditions:
1. REST API is used.
2. User password is expired.
Impact:
1. Core log is dumped.
2. Authentication is down briefly.
Workaround:
There is no workaround at this time.
Fix:
Request to /mgmt/shared/authn/login with a user with an expired password returns a 401 and a response asking the user to change their password using basic auth.
658382-1 : Large numbers of ERR_UNKNOWN appearing in the logs
Component: Local Traffic Manager
Symptoms:
There are times when the LTM Policy subsystem attempts to execute particular actions that fail, resulting in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.
Conditions:
This has been observed when plugins are active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN.
Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.
Workaround:
None.
658343-2 : AVR tcp-analytics: per-host RTT average may show incorrect values
Solution Article: K33043439
Component: Application Visibility and Reporting
Symptoms:
When viewing Statistics :: Analytics :: TCP :: RTT and selecting View By: "Remote Host IP Address" in the table below the graph, the values in the RTT Avg (ms) column may be incorrect (they could even be larger than the RTT Max column).
As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.
Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.
Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.
Workaround:
None.
Fix:
The rtt_count, rtt_max, rtt_avg, and rtt_sum metrics after day and week aggregation are now correct in the day, week, and month reports. The rtt_sum is now aggregated with the correct value even when it exceeds max int, as expected.
658321-2 : Websafe features might break in IE8
Component: Fraud Protection Services
Symptoms:
IE8 transforms all custom HTTP header names to lowercase. If a header name is configured with upper-case characters, the WebSafe feature might break.
Conditions:
-- A custom HTTP header is configured with upper-case characters.
-- The client is IE8.
Impact:
The FPS plugin does not find the header, because it is received in lower case but configured with upper-case characters.
As a result, WebSafe functionality that involves the custom HTTP header (e.g., the ajax username header) is broken.
Workaround:
Set custom HTTP header name to lower case only.
Fix:
FPS now performs case-insensitive matches for custom HTTP headers.
658298-3 : SMB monitor marks node down when file not specified
Component: TMOS
Symptoms:
The smb monitor may always mark the node down when the file is not specified in the monitor config.
Conditions:
Pool member monitored with smb monitor.
Impact:
Service impact due to node being marked down.
Workaround:
Configure the monitor to fetch a file (authenticated).
658261-2 : TMM core after HA during GY reporting
Solution Article: K12253471
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of GY reporting.
Conditions:
-- Failover is triggered.
-- The daglib hash redistributes the subscriber DATA to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.
Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.
Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.
Workaround:
None.
658214-2 : TCP connection fail intermittently for mirrored fastl4 virtual server
Solution Article: K20228504
Component: Local Traffic Manager
Symptoms:
In some cases, an active BIG-IP may fail to forward the SYN on the server-side when handling traffic for a mirrored FastL4 virtual after receiving a context ACK from the standby BIG-IP.
Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.
Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.
Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.
Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command:
tmsh modify sys db tm.fastl4_ack_mirror value disable
Fix:
In this release, mirrored FastL4 virtual servers now forward the SYN on the server-side after receiving the context-ack from the peer as expected.
658148-2 : TMM core after intra-chassis failover for some instances of subscriber creation
Solution Article: K23150504
Component: Policy Enforcement Manager
Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.
Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.
Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.
657912-1 : PIM can be configured to use a floating self IP address
Component: TMOS
Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.
Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.
Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.
Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.
Fix:
PIM can now send hello messages from a floating self IP address.
Behavior Change:
PIM can now send hello messages using a floating self IP address. Configure it in imish under the interface along with the PIM mode:
#imish
imish> enable
imish# configure terminal
imish(config)# interface external
imish(config-if)# ip pim use-floating-address
Upon failover, the previously active unit will send hellos from a non-floating self IP address, and the new active unit will begin sending hellos from the floating self IP address. No state is shared between the units; both will generate a new PIM generation ID, and the state of all multicast routes will be reset and need to reconverge.
657883-2 : tmm cache resolver should not cache response with TTL=0
Solution Article: K34442339
Component: Local Traffic Manager
Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.
Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.
Impact:
tmm cache resolver caches responses with TTL=0.
Workaround:
None.
Fix:
The tmm cache resolver no longer caches responses with TTL=0, which is the correct behavior.
657795-1 : Possible performance impact on some SSL connections
Solution Article: K51498984
Component: Local Traffic Manager
Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.
Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.
-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.
Impact:
Performance may be impacted on those SSL connections.
Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.
Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.
657713-5 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
Solution Article: K05052273
Component: Local Traffic Manager
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:
notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **
Conditions:
This issue occurs when either of the following conditions are met:
Scenario 1:
-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- Your BIG-IP system is configured with DNS resolver.
-- The gateway pool is configured with Action On Service Down = Reject or Action On Service Down = Drop.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- An outstanding DNS request is pending response.
Scenario 2:
-- Your BIG-IP system is not configured to route traffic using a gateway pool.
-- Your BIG-IP system is configured with DNS resolver.
-- All pools are configured with Action on Service Down = None.
Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.
Workaround:
For the set of Conditions defined in the first scenario, you can use the following workaround:
Set service-down-action to Action On Service Down = None or Action On Service Down = Reselect.
There is no workaround for the issue described in the second scenario in Conditions.
Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.
657632-4 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash
Component: Policy Enforcement Manager
Symptoms:
If a subscriber delete is performed following an HA switchover, tmm may coredump. This scenario is rare: a subscriber may have been freed during the switchover, and a subsequent forced delete command quickly follows.
Conditions:
-- A subscriber delete command followed by an HA switchover.
-- During the switchover, the subscriber was freed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now removes the subscriber index from the table if present in these cases.
657626-2 : User with role 'Manager' cannot delete/publish LTM policy.
Component: Local Traffic Manager
Symptoms:
User with role 'Manager' cannot delete/publish LTM policy.
audit.log contains a message similar to the following:
notice icrd_child[18194]: 01420002:5: AUDIT - pid=18194 user=Manager folder=/Manager module=(tmos)# status=[01070822:3: Access Denied: User (Manager) may not delete objects in partition (Common)] cmd_data=publish ltm policy /Manager/Drafts/draft-test.
Conditions:
-- User with 'Manager' role.
-- Attempting to delete or publish an LTM policy.
Impact:
Operation does not complete, and system posts error.
Workaround:
None.
657502-2 : JS error when leaving page opened for several minutes
Component: Fraud Protection Services
Symptoms:
Google Chrome delays JS execution when the tab is not active.
Therefore the anti-debug module acts as if someone is trying to debug the JS code.
Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.
Impact:
Errors appear in the console, and JS logic executes incorrectly.
Workaround:
Identify the hidden tab and pause the anti-debug functionality.
Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.
657463-2 : SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake.
Component: Local Traffic Manager
Symptoms:
SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake.
Conditions:
SSL sends HUDEVT_SENT to TCP in the wrong state.
Impact:
HTTP disconnects the handshake.
Fix:
SSL no longer sends the HUDEVT_SENT event in the wrong state.
656912-4 : Various NTP vulnerabilities
Solution Article: K32262483
656900-1 : Blade family migration may fail
Component: TMOS
Symptoms:
Migrating the configuration from a B2100 blade to a newer variant, as documented in the "Migrating the Configuration on B2000 Series Blades" page in the "VIPRION Systems: Blade Migration" manual, may show output indicating a failure.
Conditions:
All such blade upgrades.
Impact:
The migration output reports 'load ucs failed!' even though the UCS load may in fact have succeeded.
Workaround:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.
656898-2 : 'oops' 'bad transition' messages occur
Component: Local Traffic Manager
Symptoms:
The /var/log/ltm log shows many 'oops' 'bad transition' messages.
Conditions:
These messages occur due to internal invariant violations on full-proxy TCP virtual servers. Ramcache or SSL on these virtual servers are likely causes; there may be other, as yet unknown, causes.
Impact:
Connections encountering these errors are aborted.
Workaround:
The excess logging may be stopped by setting the DB variable tmm.oops to 'silent'.
Although these errors are not reported, connections are still aborted.
Fix:
The conditions under which this error occurred have been resolved.
656784-2 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM
Solution Article: K98510679
Component: Access Policy Manager
Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.
The Windows 10 version 1703 RDP client uses the Negotiate HTTP authentication scheme, while APM requires the NTLM scheme for RD Gateway.
Conditions:
- You are accessing Microsoft Remote Desktop through BIG-IP APM using Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).
Impact:
Remote desktop client is not able to authenticate and connect to the desktop.
Workaround:
Use either of the following workarounds:
-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.
-- Use the following iRule to convert Negotiate to NTLM:
when HTTP_REQUEST {
    # Only act on RD Gateway transport requests; their HTTP methods begin with "RDG_".
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }
    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]
    if { $is_nego_auth } {
        # Present the client's Negotiate credentials to APM under the NTLM scheme name.
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    if {!$is_rdg_request || !$is_nego_auth} { return; }
    catch {
        # Map the NTLM challenge back to Negotiate so the client keeps its original scheme.
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}
Fix:
After upgrading to Windows 10 Creators Update (version 1703), the RDP client can still authenticate and connect via APM used as RD Gateway.
655807-5 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
Solution Article: K40341291
Component: Global Traffic Manager (DNS)
Symptoms:
When QoS load balancing is selected, the packet rate dominates the score.
Conditions:
QoS load balance.
Impact:
Load balance decision is mostly impacted by packet rate.
Workaround:
None.
Fix:
Corrected a calculation error for QoS score involving packet rate.
655793-1 : SSL persistence parsing issues due to SSL / TCP boundary mismatch
Solution Article: K04178391
Component: Local Traffic Manager
Symptoms:
When the SSL client or server system is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.
Any SSL record that spans multiple TCP segments (here the ServerHello, Certificate, and ServerHelloDone) triggers the issue, and the connection is reset with SSID error as the RST cause.
This can also result from a message size exceeding the maximum configured size (default is 32K).
Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).
Impact:
When the parsing fails, the SSL client or server hangs and times out. In other words, SSL traffic is affected.
The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.
Workaround:
Disable SSL persistence.
Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.
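The parsing requirement stated in the Impact (record boundaries must not depend on TCP segment boundaries) and the two failure modes in the Conditions (boundary mismatch and an over-limit record) can be demonstrated with a small streaming TLS record parser. This is an added example, not F5 or BIG-IP code: the server flight bytes, the 32 KiB limit (taken from the default quoted above) and the `RecordTooLarge` exception are all constructed for illustration, and the parser stops once it has the ServerHello session ID, mirroring the idea in the Fix that nothing further needs parsing.

```python
import struct

HANDSHAKE = 0x16                 # TLS ContentType handshake
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_HELLO_DONE = 2, 11, 14
MAX_RECORD = 32 * 1024           # constructed limit, the 32K default quoted above


class RecordTooLarge(ValueError):
    """Raised for a record whose declared length exceeds the configured maximum."""


class TlsRecordReassembler:
    """Buffers TCP payload bytes and emits complete TLS records.

    Record boundaries are taken only from the 5-byte record header, never
    from where a TCP segment happens to start or end.
    """

    def __init__(self, max_record=MAX_RECORD):
        self.buf = bytearray()
        self.max_record = max_record
        self.records = []        # (content_type, payload) in arrival order

    def feed(self, segment):
        self.buf.extend(segment)
        while len(self.buf) >= 5:
            ctype, _version, length = struct.unpack("!BHH", bytes(self.buf[:5]))
            if length > self.max_record:
                raise RecordTooLarge(f"record of {length} bytes exceeds {self.max_record}")
            if len(self.buf) < 5 + length:
                return           # remainder arrives in a later segment
            self.records.append((ctype, bytes(self.buf[5:5 + length])))
            del self.buf[:5 + length]


def handshake_messages(payload):
    """Split a handshake record payload into (msg_type, body) tuples."""
    msgs, i = [], 0
    while i + 4 <= len(payload):
        msg_type = payload[i]
        body_len = int.from_bytes(payload[i + 1:i + 4], "big")
        msgs.append((msg_type, payload[i + 4:i + 4 + body_len]))
        i += 4 + body_len
    return msgs


def build_record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def build_handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed server flight: ServerHello (4-byte session ID), a one-byte
# placeholder Certificate, and ServerHelloDone, all in ONE record.
SESSION_ID = b"\xaa\xbb\xcc\xdd"
SERVER_FLIGHT = build_record(
    HANDSHAKE,
    build_handshake(HS_SERVER_HELLO,
                    b"\x03\x03" + b"\x11" * 32 + bytes([len(SESSION_ID)]) + SESSION_ID
                    + b"\xc0\x2f" + b"\x00")
    + build_handshake(HS_CERTIFICATE, b"\x00\x00\x04" + b"\x00\x00\x01" + b"\x30")
    + build_handshake(HS_SERVER_HELLO_DONE, b""),
)


def segments(data, mtu):
    """Cut a byte string into TCP-segment-sized pieces."""
    return [data[i:i + mtu] for i in range(0, len(data), mtu)]


def parse_flight(data, mtu):
    """Return the handshake message types seen, for a given segment size."""
    r = TlsRecordReassembler()
    for seg in segments(data, mtu):
        r.feed(seg)
    return [t for ctype, payload in r.records if ctype == HANDSHAKE
            for t, _ in handshake_messages(payload)]


def server_session_id(data, mtu):
    """Feed segments until the ServerHello session ID is available.

    Once the ID is known the persistence parser needs nothing more from the
    flight, so remaining bytes can simply be passed through.
    """
    r = TlsRecordReassembler()
    for seg in segments(data, mtu):
        r.feed(seg)
        for ctype, payload in r.records:
            for t, body in handshake_messages(payload):
                if ctype == HANDSHAKE and t == HS_SERVER_HELLO:
                    sid_len = body[34]          # after version(2) + random(32)
                    return body[35:35 + sid_len]
    return None


def oversized_record_rejected():
    """The header alone is enough to reject an over-limit record."""
    r = TlsRecordReassembler()
    header_only = build_record(HANDSHAKE, b"\x00" * (MAX_RECORD + 1))[:5]
    try:
        r.feed(header_only)
    except RecordTooLarge:
        return True
    return False
```

`parse_flight(SERVER_FLIGHT, 3)` (a record sliced into 3-byte segments, so even the record header is split) yields the same three messages as `parse_flight(SERVER_FLIGHT, 1500)`, which is the behaviour the Impact section calls for; the size check fires on the header before any body bytes are buffered, so a hostile length field cannot force the parser to accumulate memory.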
655724-3 : MSRDP persistence does not work across route domains.
Solution Article: K15695
Component: Local Traffic Manager
Symptoms:
MSRDP persistence doesn't work with non-default route domains.
Conditions:
Configure a virtual server with an MSRDP persistence profile and a pool using a non-default route domain.
Impact:
MSRDP persistence does not work.
Workaround:
Implement MSRDP persistence using iRules.
Fix:
MSRDP persistence with non-default route domains works correctly now.
655671-1 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
Component: TMOS
Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.
Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.
Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.
Workaround:
None. Typically, the issue resolves itself.
Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.
655649-2 : BGP last update timer incorrectly resets to 0
Solution Article: K88627152
Component: TMOS
Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.
Output from 'sh ip route':
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
[20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
[20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
[20/0] via 10.10.1.6, eno33554952, 00:00:00
Conditions:
Once ZebOS has learned a route from a BGP peer, the route shows up under 'sh ip route' and the BGP last update timer incorrectly resets.
Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.
Workaround:
None.
Fix:
BIG-IP no longer resets the last update time of learned routes via BGP and BGP routes redistributed into other protocols no longer flap.
655628-1 : TCP analytics does not release resources under specific sequence of packets
Component: Local Traffic Manager
Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.
Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.
Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.
Workaround:
Turn off collecting TCP analytics data for the virtual server.
Fix:
TCP analytics now releases resources properly.
655617-1 : Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
Solution Article: K36442669
Component: Application Security Manager
Symptoms:
When running Safari or Firefox in incognito mode on iOS devices, the browser receives a TCP RST and cannot pass the client-side challenge. The system posts the following error in the tmm log: failed parsing header 3.
Conditions:
1. Web scraping is configured.
2. Persistent client identification is enabled.
3. Using Safari or Firefox on iOS devices.
Impact:
Browser cannot access the site.
Workaround:
Turn off persistent client identification.
Fix:
Safari, Firefox in incognito mode on iOS device can now pass persistent client identification challenge.
655500 : Rekey SSH sessions after one hour
Component: TMOS
Symptoms:
Common Criteria requires that SSH sessions be rekeyed at least every hour.
Conditions:
SSH connections to or from the BIG-IP system.
Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time.
Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'
Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.
Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.
655470 : IP Intelligence logging publisher removal can cause tmm crash
Solution Article: K79924625
Component: Advanced Firewall Manager
Symptoms:
TMM restarts immediately after the global ip-intelligence logging publisher is removed.
Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }
Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.
Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.
Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.
Fix:
Error handling now checks for NULL publisher and prevents the TMM restart.
655445-2 : Provide the ability to globally specify a DSCP value.
Component: Global Traffic Manager (DNS)
Symptoms:
The DSCP value is not configurable for some types of traffic, which can lead to dropped traffic during adverse network conditions.
Conditions:
Under adverse network conditions, monitor traffic can be dropped by the network.
Impact:
BIG-IP DNS incorrectly reports resources as unavailable because monitor traffic is dropped by the network due to congestion with unrelated traffic.
Workaround:
None.
Fix:
Setting the new db variable tm.egressdscp to a value other than the default of 0 causes the system to set the DSCP value of outgoing traffic to the configured value.
655432-7 : SSL renegotiation failed intermittently with AES-GCM cipher
Solution Article: K85522235
Component: Local Traffic Manager
Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.
Conditions:
This failure is more likely to occur during mutual authentication.
Impact:
Some servers authenticate the client using renegotiation. This issue prevents their clients from connecting to those servers properly.
Workaround:
Disable AES-GCM cipher.
Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.
655364-1 : Portal access rewriting window.opener causes JS exception
Component: Access Policy Manager
Symptoms:
Portal access engine rewriting window.opener causes JavaScript exception error.
Conditions:
When rewriting window.opener.
Impact:
JavaScript exception error generated.
Workaround:
None.
Fix:
The rewriting window.opener operation now completes with Message 'null', which is correct behavior. No JavaScript exception error is generated.
655357-2 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
Solution Article: K06245820
Component: TMOS
Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.
This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.
Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.
Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.
Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.
To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.
Fix:
A db variable switchboard.l2.mitigation was introduced to configure this feature.
-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets will be hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.
-- A value of "monitor" does not forward packets but will count packets which were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports packet counts. Differences in packet counts are logged to /var/log/ltm.
-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.
655314 : When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★
Component: TMOS
Symptoms:
The platform-migrate option to the UCS load command is supposed to reject UCS archives generated on BIG-IP software v10.x. It does this; however, the hostname of the BIG-IP system changes to the one in the UCS.
Conditions:
You are trying to do a platform-migrate load to 12.1.2 or 13.0.0 of a UCS originating on a system running v10.x.
Impact:
The hostname is changed, but no other configuration is modified.
Workaround:
Set the hostname back to its old value.
Fix:
The hostname is now left unmodified.
655233-1 : DNS Express using wrong TTL for SOA RRSIG record in NoData response
Solution Article: K93338593
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.
Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.
Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.
Workaround:
There is no workaround.
Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.
655211-1 : bigd crash (SIGSEGV) when running FQDN node monitors
Component: Local Traffic Manager
Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.
Conditions:
bigd is configured for FQDN node monitors.
Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.
Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.
Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.
655159-1 : Wrong XML profile name Request Log details for XML violation
Solution Article: K84550544
Component: Application Security Manager
Symptoms:
After system upgrade, Request Log details for XML violation show XML profile name as 'N/A'.
Conditions:
System upgrade.
Request Log details for XML violation.
Impact:
System upgrade does not synchronize properly between policy and already existing XML profiles. System functions properly on existing XML profiles, but violation report reference to the XML profile is wrong.
Workaround:
No workaround for already existing violation records.
For new violation reports, run apply policy.
Fix:
The system now uses the correct XML profile name in the Request Log details for XML violation.
655146-2 : APM Profile access stats are not updated correctly
Component: Access Policy Manager
Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:
err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)
Conditions:
-- When session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.
Impact:
APM profile access stats are not accurate.
Workaround:
None.
Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.
655085-2 : While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
Component: TMOS
Symptoms:
Message of the form
"notice sod[nnnn]: 010c006e:5: All devices in traffic group traffic-group-1(1 of 2) should have a HA group."
is logged on peer devices when a Viprion chassis is being rebooted.
Conditions:
Multiple Viprion chassis are configured in a sync-failover device group, using HA Group scores.
Impact:
Log message indicates a configuration error that does not exist.
Workaround:
If these messages occur during a peer reboot, they should be ignored.
Fix:
Viprion chassis does not report HA Group configuration errors during peer reboot.
655059-3 : TMM Crash
Solution Article: K37404773
655021-2 : BIND vulnerability CVE-2017-3138
Solution Article: K23598445
655005-1 : "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
Solution Article: K23355841
Component: TMOS
Symptoms:
The "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync.
Conditions:
Changing the "Inherit traffic group from current partition / path" setting and syncing to a peer unit using incremental sync.
Impact:
Peers in a Device Group will get out of sync.
Workaround:
Use a full sync instead.
Fix:
The "Inherit traffic group from current partition / path" virtual-address setting is now synchronized during an incremental sync.
654996-1 : Closed connections remains in memory
Solution Article: K50345236
Component: Application Security Manager
Symptoms:
A connection remains open, which results in memory leaks in the tmm for the connections.
The following command shows connections on traffic that was already closed: tmsh show sys conn.
Conditions:
An ASM_RESPONSE_VIOLATION iRule on the ASM-enabled virtual server.
A request with the header 'Connection: close'.
Impact:
Memory increase due to connections left open.
Incoming connections to the virtual server may fail and result in the BIG-IP sending a reset with a reset cause of "TCP closed".
Workaround:
If possible, remove this event from the iRule and/or add the OneConnect profile to the virtual server.
654925-1 : Memory Leak in ASM Sync Listener Process
Solution Article: K25952033
Component: Application Security Manager
Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).
Conditions:
-- asm-sync is enabled on an auto-sync Device Group.
-- Errors occur during attempts to sync, either due to full disk or in response to one or more of the following uses in GUI or REST API:
+ Creating/importing/deleting policies.
+ Accepting many suggestions at once.
+ Adjusting Policy Building Settings.
Impact:
RAM is increasingly consumed, leading to swap usage, until the device reaches a panic state.
Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl
Fix:
Hard limits for memory size are now enforced for ASM processes. The sync listener process now shuts down and restarts after an hour of failed repeated attempts to synchronize the device group state.
654873-2 : ASM Auto-Sync Device Group
Component: Application Security Manager
Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.
Conditions:
A mix of the following uses in GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.
Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.
Workaround:
Use manual sync groups for ASM sync.
Fix:
Communication for auto-sync groups repaired.
654599-1 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
Solution Article: K74132601
Component: Global Traffic Manager (DNS)
Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.
Conditions:
The config contains a large amount (in the thousands) of GSLB virtual servers or wide IP's, resulting in the action not being completed.
Impact:
The "Finished" button on that page does not save the changes made on that page.
Workaround:
Use TMSH.
Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.
654549-1 : PVA support for uncommon protocols DoS vector
Component: TMOS
Symptoms:
A new HSB bitstream for VIPRION B4450 blades is needed to support IP uncommon protocols for DoS Vector.
Conditions:
Using the B4450 blade.
Impact:
No support for IP uncommon protocols for DoS Vector.
Workaround:
None.
Fix:
HSB v3.2.13.0 bitstream for VIPRION B4450 blades now provides support for IP uncommon protocols for DoS Vector.
Behavior Change:
This bitstream now supports IP uncommon protocols for DoS Vector. Any number of protocols with values between 0-255 can be simultaneously enabled.
654513-6 : APM daemon crashes when the LDAP query agent returns empty in its search results.
Solution Article: K11003951
Component: Access Policy Manager
Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.
Impact:
The APM daemon crashes, and RBA and WebSSO must be restarted. This is a very rarely encountered issue.
Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.
Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.
Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.
654508-2 : SharePoint MS-OFBA browser window displays Javascript errors
Component: Access Policy Manager
Symptoms:
SharePoint MS-OFBA browser window displays Javascript errors while doing authentication.
Conditions:
-- SharePoint Access through LTM and APM.
-- MS-OFBA iRule is used.
Impact:
JavaScript errors are shown in the MS-OFBA browser window.
Workaround:
None.
Fix:
Now the SharePoint MS-OFBA browser window no longer displays Javascript errors while doing authentication from Microsoft applications.
654368-7 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
Solution Article: K15732489
Component: Local Traffic Manager
Symptoms:
Error is not reported if the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by trusted CAs, if the CRL issuer has the same subject name as one of the certs in trusted CA.
Conditions:
This occurs when associating CRLs with virtual servers.
Impact:
Error is not reported for invalid CRL.
Workaround:
The openssl command can be used to check whether the CRL is signed by a trusted CA.
The command to verify a CRL against a CA file is as follows:
openssl crl -CAfile <path to the CA certificate bundle/file> -noout -in <path to CRL file>
Fix:
Error is reported in TMM logs if the CRL is not signed by trusted CA.
654109-2 : Configuration loading may fail when iRules calling procs in other iRules are deleted
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Loading of the configuration fails with a message indicating that a previously deleted iRule cannot be found:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
Conditions:
- iRule A calls another iRule B using proc calls.
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).
Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.
654086-3 : Incorrect handling of HTTP2 data frames larger than minimal frame size
Component: Local Traffic Manager
Symptoms:
HTTP2 allows the maximum frame size to range from 16 KB (inclusive) up to 16 MB (exclusive).
When a client sends a data frame spanning more than one TCP segment, the BIG-IP system incorrectly decrements the frame size twice from the receive window.
If proxy flow control is disabled, this merely generates an additional window update frame. If the proxy is in flow control, it causes a flow control error.
Conditions:
-- HTTP2 profile is configured on a virtual server.
-- Client sends a data frame larger than 16384 bytes, violating RFC. Note: The receiving maximum frame size of the BIG-IP is permanently set at 16384 bytes.
Impact:
HTTP2 resets the stream with FLOW_CONTROL_ERROR.
Workaround:
There is no workaround at this time.
Fix:
When a client sends an HTTP2 data frame exceeding the negotiated maximum frame size, the BIG-IP system now correctly resets the stream.
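The two rules this entry turns on, rejecting a DATA frame longer than the advertised maximum frame size and charging the receive window exactly once per frame regardless of how many TCP segments carried it, are shown below in a small HTTP/2 DATA frame receiver. This is an added example and not BIG-IP code: the frame encoder, the `DataReceiver` class and the error names are constructed for illustration; the 16384-byte limit is the SETTINGS_MAX_FRAME_SIZE default, which the entry says is also the value BIG-IP advertises.

```python
import struct

FRAME_DATA = 0x0
FLAG_PADDED = 0x8
DEFAULT_MAX_FRAME_SIZE = 16384   # SETTINGS_MAX_FRAME_SIZE default (RFC 7540)
DEFAULT_WINDOW = 65535           # initial connection flow-control window


class Http2Error(Exception):
    def __init__(self, code, stream_id=0):
        super().__init__(f"{code} on stream {stream_id}")
        self.code = code
        self.stream_id = stream_id


def build_data_frame(stream_id, payload, pad_len=None):
    """Encode one DATA frame; pad_len adds the PADDED flag and trailing padding."""
    flags, body = 0, payload
    if pad_len is not None:
        flags |= FLAG_PADDED
        body = bytes([pad_len]) + payload + b"\x00" * pad_len
    header = len(body).to_bytes(3, "big") + bytes([FRAME_DATA, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + body


class DataReceiver:
    """Reassembles frames from TCP segments and applies the two checks."""

    def __init__(self, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
        self.max_frame_size = max_frame_size
        self.conn_window = DEFAULT_WINDOW
        self.buf = bytearray()
        self.frames = []            # (stream_id, application data)

    def feed(self, segment):
        self.buf.extend(segment)
        while len(self.buf) >= 9:
            length = int.from_bytes(self.buf[:3], "big")
            ftype, flags = self.buf[3], self.buf[4]
            stream_id = struct.unpack("!I", bytes(self.buf[5:9]))[0] & 0x7FFFFFFF
            # Checked from the header, before waiting for the (possibly huge) body.
            if length > self.max_frame_size:
                raise Http2Error("FRAME_SIZE_ERROR", stream_id)
            if len(self.buf) < 9 + length:
                return              # rest of the frame is in a later segment
            body = bytes(self.buf[9:9 + length])
            del self.buf[:9 + length]
            if ftype == FRAME_DATA:
                self._on_data(stream_id, flags, body)

    def _on_data(self, stream_id, flags, body):
        if stream_id == 0:
            raise Http2Error("PROTOCOL_ERROR", stream_id)
        # The whole frame payload, padding included, counts against the window,
        # and it is charged exactly once per frame (not once per TCP segment).
        if len(body) > self.conn_window:
            raise Http2Error("FLOW_CONTROL_ERROR", stream_id)
        self.conn_window -= len(body)
        if flags & FLAG_PADDED:
            pad = body[0]
            if pad >= len(body):
                raise Http2Error("PROTOCOL_ERROR", stream_id)
            body = body[1:len(body) - pad]
        self.frames.append((stream_id, body))


def receive(wire, mtu, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Deliver `wire` in mtu-sized segments; return the receiver state."""
    rx = DataReceiver(max_frame_size)
    for i in range(0, len(wire), mtu):
        rx.feed(wire[i:i + mtu])
    return rx


def error_code(wire, mtu, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Error code raised while receiving `wire`, or None if it was accepted."""
    try:
        receive(wire, mtu, max_frame_size)
    except Http2Error as exc:
        return exc.code
    return None
```

A 16384-byte DATA frame delivered in 1460-byte segments leaves the window at 65535 - 16384, whereas charging per segment would have drained it far faster and produced exactly the spurious FLOW_CONTROL_ERROR this entry describes; a 16385-byte frame is refused from its header alone, before the body is buffered.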
654046-1 : BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
Solution Article: K22121533
Component: Access Policy Manager
Symptoms:
When an external Service Provider (SP) canonicalizes authentication requests using inclusive namespaces, a BIG-IP system used as SAML IdP may fail to process them. The user's SSO fails with the following errors in /var/log/tmm:
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Digest from SAML message is invalid
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Error(12) Signature verification failed for SAML Authentication
Conditions:
- BIG-IP is used as SAML IdP.
- User performs SP-initiated SAML SSO.
- External SAML SP sends signed authentication request, in which canonicalization was done with use of inclusive namespaces.
Impact:
Users are unable to perform SAML SSO with certain external service providers.
Workaround:
None.
Fix:
BIG-IP APM acting as SAML IdP now successfully processes authentication requests canonicalized with inclusive namespaces.
654011-2 : Pool member's health monitors set to Member Specific does not display the active monitors
Solution Article: K33210520
Component: TMOS
Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.
Conditions:
Have a pool member with Health Monitors set to Member Specific.
Impact:
The specified active monitors will be saved but won't be displayed as active.
Workaround:
Use tmsh to view a pool member's active monitors.
Fix:
Pool member's Health Monitors set to Member Specific now display active monitors.
653993-3 : A specific sequence of packets to the HA listener may cause tmm to produce a core file
Solution Article: K12044607
653976-2 : SSL handshake fails if server certificate contains multiple CommonNames
Solution Article: K00610259
Component: Local Traffic Manager
Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.
Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).
Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.
Workaround:
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake.
The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.
Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one.
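The corrected matching rule, every CN in the Subject is a candidate and subjectAltName dNSName entries take precedence when present, is illustrated below. This is an added example, not BIG-IP code, and it works on a constructed dict rather than a parsed X.509 object; the `only_longest_cn` switch reproduces the pre-fix behaviour for comparison, and the precedence order follows RFC 6125 section 6.4.4.

```python
def _label_match(pattern, host):
    """Match one presented identifier against a host; '*' covers one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        head, sep, tail = host.partition(".")
        # exactly one label is consumed by the wildcard; no '*' elsewhere
        return bool(sep) and head != "" and tail == base and "*" not in base
    return False


def hostname_matches(cert, hostname, only_longest_cn=False):
    """Return True if `hostname` is covered by the certificate's names.

    cert is a constructed dict:
      "subject":          list of (attribute, value) pairs, possibly several CNs
      "subject_alt_name": list of (type, value) pairs, e.g. ("dNSName", "x.org")
    If any dNSName is present, the Subject CNs are not consulted at all.
    """
    san = [v for (t, v) in cert.get("subject_alt_name", []) if t == "dNSName"]
    if san:
        candidates = san
    else:
        cns = [v for (attr, v) in cert["subject"] if attr == "CN"]
        if only_longest_cn and cns:
            cns = [max(cns, key=len)]       # the pre-fix behaviour described above
        candidates = cns
    return any(_label_match(p, hostname) for p in candidates)


# Constructed certificates (not real server certificates).
MULTI_CN_CERT = {
    "subject": [("C", "US"), ("O", "Example"), ("CN", "example.com"), ("CN", "www.example.com")],
    "subject_alt_name": [],
}
SAN_CERT = {
    "subject": [("CN", "ignored.example.net")],
    "subject_alt_name": [("dNSName", "*.example.org"), ("dNSName", "example.org")],
}
```

With `MULTI_CN_CERT`, a forward-proxy bypass rule for `example.com` fails under the longest-CN rule even though the certificate names it, which is the symptom this entry describes; with `SAN_CERT` the CN is never consulted, which is why the second workaround (adding the CommonNames as dNSName entries) is effective.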
653930-2 : Monitor with description containing backslash may fail to load.
Solution Article: K69713140
Component: Local Traffic Manager
Symptoms:
When a monitor description contains a \ (backslash) character, the system adds another backslash for every save-load operation. After enough saves/loads, the description eventually hits the maximum length, causing an error message: '01020057:3: The string with more than 65535 characters cannot be stored in a message' upon loading the config.
Conditions:
Monitor with description containing backslash.
Impact:
Configuration changes without human intervention. Potential load failure.
Workaround:
Don't use backslashes in monitor descriptions.
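The growth this entry describes comes from a save/load cycle whose escaping step has no matching unescaping step, so each cycle doubles the backslashes until the 65535-character limit quoted above is reached. The following added example (not BIG-IP code; the escape format and field limit are constructed stand-ins for the real configuration format) contrasts that asymmetric round trip with a symmetric one and counts how many cycles it takes to overflow.

```python
MAX_FIELD = 65535                      # the limit quoted in the error message above


def escape(value):
    """Quote backslash and double-quote for storage."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def unescape(quoted):
    """Exact inverse of escape(): each backslash introduces one literal character."""
    out = []
    it = iter(quoted)
    for ch in it:
        if ch == "\\":
            ch = next(it, "")          # the character that was escaped
        out.append(ch)
    return "".join(out)


def buggy_roundtrip(stored):
    """Load takes the stored text literally, save escapes it again: doubling."""
    loaded = stored                    # bug: no unescape on load
    return escape(loaded)


def correct_roundtrip(stored):
    """Load unescapes, save escapes: a fixed point for any input."""
    return escape(unescape(stored))


def cycles_until_overflow(description, roundtrip, limit=MAX_FIELD, max_cycles=1000):
    """Number of save/load cycles after which the stored field exceeds `limit`,
    or None if it never does within max_cycles."""
    stored = escape(description)
    for n in range(1, max_cycles + 1):
        stored = roundtrip(stored)
        if len(stored) > limit:
            return n
    return None
```

For a description holding two backslashes the buggy round trip crosses the limit after 14 cycles (the backslash count is 2^(n+2) after n cycles), while the symmetric version returns the identical stored string every time; a quick way to detect this class of bug in any serializer is to assert `save(load(s)) == s` for inputs that contain the escape character.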
653895 : Admin user cannot edit policy
Component: Application Security Manager
Symptoms:
While logged into the active device, you are unable to edit a policy. The Save and Reconfigure buttons are grayed out. The standby device allows you to edit the policy and you can deploy the change to the active device, but you occasionally can't edit it from the active device.
Conditions:
It is not known what triggers this intermittent problem.
Impact:
Admin users are unable to edit a policy on the active device.
Workaround:
You can edit the policy on the standby device and deploy it to the active device.
653888-2 : BGP advertisement-interval attribute ignored in peer group configuration
Component: TMOS
Symptoms:
BGP peer-group advertisement-interval attribute may be ignored with default settings set on individual peers belonging to the peer-group.
Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value.
Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.
Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.
Fix:
The BGP advertisement-interval attribute is no longer ignored in the peer-group configuration.
653880 : Kernel Vulnerability: CVE-2017-6214
Solution Article: K81211720
653775-3 : Ampersand (&) in GTM synchronization group name causes synchronization failure.
Solution Article: K05397641
Component: Global Traffic Manager (DNS)
Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.
Conditions:
A GTM synchronization group name with an ampersand (&) in the name.
Impact:
GTM sync groups do not synchronize.
Workaround:
Remove ampersand from sync group name.
Fix:
Fixed issue that prevented GTM sync groups with an ampersand (&) in the GTM synchronization-group-name from syncing.
653772-2 : fastL4 fails to evict flows from the ePVA
Component: TMOS
Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.
Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.
Impact:
ePVA can continuously send a packet. This might eventually result in a network outage.
Workaround:
Disable HW acceleration.
Fix:
There are now no unknown accelerated flows.
Behavior Change:
The default behavior is to ignore unknown HW accelerated flows (connections). This change will proactively evict unknown HW accelerated flows from the HW (ePVA).
653771-2 : tmm crash after per-request policy error
Component: Access Policy Manager
Symptoms:
A TMM core occurs when a Reject ending in a per-request policy encounters an error.
Conditions:
The conditions that trigger this are unknown at this time; it was seen once, on a per-request policy error.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM no longer cores when a Reject ending encounters an error in a per-request policy.
653759-2 : Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update★
Component: TMOS
Symptoms:
Chassis Variant number is not specified when checking the log file /var/log/ltm, for example:
#grep queryFDD /var/log/ltm
...debug chmand[12982]: 012a0007:7: queryFDD returned 1 items for: update|F100|||NONE|NONE|NONE|0x0
This should contain the Variant number 400-0028-04, as follows:
...debug chmand[32663]: 012a0007:7: queryFDD returned 1 items for: update|F100|400-0028-04||NONE|NONE|NONE|0x0
Conditions:
-- B2100/B2150/B2200 blade in C2200/C2400 chassis.
-- Checking for the Chassis Variant number.
Impact:
This has no impact, since there are no Variants currently defined for the C2200/C2400 chassis.
Workaround:
There is no workaround at this time.
Fix:
Chassis Variant number is printed out as expected in the log file.
653746-2 : Unable to display detailed CPU graphs if the number of CPU is too large
Solution Article: K83324551
Component: Local Traffic Manager
Symptoms:
The detailed CPU graph cannot be displayed. Go to Statistics :: Performance and click 'View Detail Graph' under System CPU usage. The graph does not display, and the system posts the message: Error trying to access the database.
Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.
Impact:
Administrator is unable to view the detail CPU graphs.
Workaround:
None.
Fix:
The GUI can now display detailed CPU graphs for 1024 cores with the default of 4 lines per graph.
653729-2 : Support IP Uncommon Protocol
Component: Advanced Firewall Manager
Symptoms:
On a BIG-IP system, CPU usage can be distributed non-uniformly across the datapath (tmm) threads, such that overall CPU usage is low but individual datapath threads show high usage on a subset of the system's CPUs. This can be observed by viewing the per-CPU usage, and can manifest as spuriously dropped packets/flows.
Conditions:
A BIG-IP system receives packets that have uncommon IP protocols – those not parsed by the BIG-IP system.
Impact:
The packets are eventually dropped, but they may drive a subset of the CPUs in the system to very high usage. As CPU usage increases, potentially reaching 100%, the BIG-IP system starts dropping packets and might eventually fail.
Workaround:
None.
Fix:
The system now supports packets that have uncommon IP protocols.
Behavior Change:
This change adds the capability of specifying various IP protocols as 'uncommon' protocols. The system can use this list of uncommon protocols to mitigate an attack that uses them.
To do so, perform the following procedure:
1. Set the sys db tunable dos.uncommon.replace.illegal to true (it is false by default).
2. Set the 8 sys db tunables dos.uncommon.protocols[0-7] to specify which protocols should be considered uncommon (by default, all protocols except ICMPv4, TCP, UDP, ICMPv6 and SCTP, i.e., all bits except 1/6/17/58/132, are uncommon).
- dos.uncommon.protocols0 represents bits 31:0 of a 256-bit vector
- dos.uncommon.protocols1 represents bits 63:32 of a 256-bit vector
- dos.uncommon.protocols2 represents bits 95:64 of a 256-bit vector
- dos.uncommon.protocols3 represents bits 127:96 of a 256-bit vector
- dos.uncommon.protocols4 represents bits 159:128 of a 256-bit vector
- dos.uncommon.protocols5 represents bits 191:160 of a 256-bit vector
- dos.uncommon.protocols6 represents bits 223:192 of a 256-bit vector
- dos.uncommon.protocols7 represents bits 255:224 of a 256-bit vector
Setting the specific bit to '1' means that the specified protocol is considered 'uncommon', and setting the specific bit to '0' means that the specified protocol is not considered 'uncommon'.
Then the DoS vector IP Unknown Protocol can be used to mitigate an attack from the above-specified 'Uncommon Protocols'.
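The procedure above packs IP protocol numbers into eight 32-bit words. The following is an added example (not F5 code) that encodes and decodes that vector and reproduces the default described above; the tmsh value format it renders (decimal) is an assumption, since the page does not state how the value must be written.

```python
"""Encode/decode the dos.uncommon.protocols[0-7] bit vector.

Added example, not F5 code. The 256-bit vector is split into eight 32-bit
words, word k holding protocol numbers 32k..32k+31, as the release note
describes; a set bit marks that IP protocol as 'uncommon'.
"""

WORDS = 8
WORD_BITS = 32

# Protocols the release note says are NOT uncommon by default.
DEFAULT_COMMON = {1: "ICMPv4", 6: "TCP", 17: "UDP", 58: "ICMPv6", 132: "SCTP"}


def default_uncommon() -> set[int]:
    """All 256 IP protocol numbers minus the built-in common set."""
    return set(range(256)) - set(DEFAULT_COMMON)


def uncommon_tunables(uncommon: set[int]) -> list[int]:
    """Return the eight 32-bit values for dos.uncommon.protocols0..7."""
    words = [0] * WORDS
    for proto in uncommon:
        if not 0 <= proto <= 255:
            raise ValueError(f"IP protocol number out of range: {proto}")
        words[proto // WORD_BITS] |= 1 << (proto % WORD_BITS)
    return words


def decode_tunables(words: list[int]) -> set[int]:
    """Inverse of uncommon_tunables: which protocols a set of words marks."""
    if len(words) != WORDS:
        raise ValueError("expected exactly 8 words")
    return {
        k * WORD_BITS + bit
        for k, word in enumerate(words)
        for bit in range(WORD_BITS)
        if word >> bit & 1
    }


def render_tmsh(words: list[int]) -> list[str]:
    """tmsh commands that would set the tunables.

    Assumption (not stated on the page): the value is given in decimal,
    the form 'tmsh modify sys db ... value N' takes for other numeric keys.
    """
    return [f"tmsh modify sys db dos.uncommon.protocols{k} value {w}"
            for k, w in enumerate(words)]


if __name__ == "__main__":
    # Default vector: every word is all-ones except where a common protocol sits.
    for k, w in enumerate(uncommon_tunables(default_uncommon())):
        print(f"dos.uncommon.protocols{k} = 0x{w:08X}")
    # A narrower list: only IP-in-IP (4) and GRE (47) count as uncommon.
    print("\n".join(render_tmsh(uncommon_tunables({4, 47}))))
```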
653511-2 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
Component: Local Traffic Manager
Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.
Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".
Impact:
Service interruption due to intermittent connection failures.
Workaround:
None.
Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.
653453 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
Component: TMOS
Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by an L2 issue in the Broadcom Trident2+ switch that the B4450 blade uses.
Conditions:
The switch learned a corrupted L2 FDB entry on the internal HiGig trunk.
Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.
Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.
Fix:
Resolved an issue on the Broadcom Trident2+ switch that B4450 blades use, in which ARP replies reached the front panel port but failed to reach TMMs.
Behavior Change:
A new BigDB variable is added to control the mode in which the l2xmsg module of the Broadcom SDK runs:
bcm56xxd.l2xmsg.mode: poll/fifo (default)
The BIG-IP system used to always run the l2xmsg module in poll mode. Now, the BIG-IP system runs the l2xmsg module in fifo mode by default.
653376-5 : bgpd may crash on receiving a BGP update with >= 32 extended communities
Component: TMOS
Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities.
Conditions:
A configured BGP peer sends a route update including an attribute that contains 32 or more extended communities.
Impact:
bgpd may crash, causing the BGP peering to reset.
Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.
Fix:
bgpd no longer crashes on receiving a BGP update with >= 32 extended communities.
653324-3 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
Solution Article: K87979026
Component: Access Policy Manager
Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.
Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.
Impact:
This is a display issue only. There is no functional impact to the system.
Workaround:
Use a custom logo image with the pixel dimensions of 100x121 pixels.
Fix:
On macOS Sierra (10.12), the Edge client now scales a customized 48x48-pixel icon correctly.
653285-1 : PEM rule deletion with HSL reporting may cause tmm coredump
Component: Policy Enforcement Manager
Symptoms:
tmm coredump (crash) caused by deletion of a PEM policy rule that has HSL reporting configured while it is passing active traffic.
Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.
Impact:
tmm coredump causes traffic disruption and restart of tmm.
Workaround:
None.
Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.
653234 : Many objects must be reconfigured before use when loading a UCS from another device.★
Component: TMOS
Symptoms:
Many objects are ignored by the platform-migrate option, and must be reconfigured before use when loading a UCS from another device.
Conditions:
UCS is being loaded from another device, using the platform-migrate option.
Impact:
Risk of configuration load failures.
Workaround:
None, other than reconfiguring for the destination device.
Fix:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.
Behavior Change:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.
653225-1 : coreutils security and bug fix update
Component: TMOS
Symptoms:
A race condition was found in the way su handled the management of child processes.
Impact:
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)
Workaround:
Install the latest hotfix.
Fix:
Fixed in coreutils-8.4-46.el6.
653224-1 : Multiple GnuTLS Vulnerabilities
Solution Article: K59836191
653217-2 : Multiple Samba Vulnerabilities
Solution Article: K03644631
653201 : Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
Component: Local Traffic Manager
Symptoms:
The default CA certificate bundle file used by the system contains some older certificates that are expired or about to expire.
Conditions:
If the default CA certificate bundle file is configured in SSL profiles, it is used as the set of built-in trusted certificates when verifying the peer's certificate during the SSL handshake.
Impact:
When the built-in trusted certificates are obsolete, i.e., the bundle contains a certain number of expired certificates, the system might fail to verify the peer's certificate correctly.
Workaround:
You can directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then run 'bigstart restart tmm'.
Alternatively, you can install and use a separate certificate bundle, for example:
tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt
Fix:
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.
653152-1 : Support RSASSA-PSS-SIGN in F5 crypto APIs.
Component: TMOS
Symptoms:
Client certificate verification in BIG-IP v11.6.0 through v13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.
Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version of BIG-IP software from v11.6.0 through v13.1.0.
Impact:
SSL connections using client PSS certificates are rejected.
Workaround:
There is no workaround at this time.
Fix:
Validation of client certificates that are signed using the RSASSA-PSS signature algorithm now completes successfully.
653017-2 : Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
Component: Application Security Manager
Symptoms:
Bot signatures cannot be created after roll-forward upgrade of configuration with only a DoS profile in non-Common partition.
Conditions:
A DoS profile in non-Common partition has Proactive Bot Defense enabled
Impact:
Bot signatures are not created.
Workaround:
Delete DoS Profile before upgrade, and re-create after upgrade is successful.
Alternatively, another DoS Profile can be created in /Common, even if unused.
653014-1 : Apply Policy failure if a custom Blocking Page is configured with an underscore in the header name
Component: Application Security Manager
Symptoms:
An issue was introduced when dealing with custom Blocking pages containing an HTTP Header that has an underscore in the name.
Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.
Impact:
Set Active fails.
Workaround:
Use hyphens instead of underscores in the header name.
Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.
652973-2 : Coredump observed at system bootup time when many DHCP packets arrive
Component: Policy Enforcement Manager
Symptoms:
During system bootup, a system coredump is observed when many DHCP packets arrive before the system is fully ready, and many flow entry creation failures are observed.
Conditions:
-- BIG-IP DHCP proxy is in forwarding mode.
-- DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address.
-- DHCP packets arrive during system bootup and before system is fully ready (i.e., some VLANs, interfaces and routes are not fully up).
Impact:
System crash and coredump.
Workaround:
Make sure system has come up completely before sending DHCP packets to the system.
Fix:
Coredump no longer occurs under these conditions.
652968-2 : IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
Solution Article: K88825548
Component: TMOS
Symptoms:
During negotiations that use CREATE_CHILD_SA, IKEv2 fails to send a KE in the payload when PFS (perfect forward secrecy) is used in the config.
Rekey in IKEv2 does not negotiate new keys; the PFS value in phase1-perfect-forward-secrecy is used in the first exchange, then this first key is re-used in later rekey negotiation. Vendor interop problems exist when PFS is required by the other peer.
Conditions:
Define phase1-perfect-forward-secrecy with value other than none. After IPsec SAs expire or are manually deleted, the CREATE_CHILD_SA phase to negotiate new keys has no KEi payload from the BIG-IP Initiator and so no new encryption key.
Impact:
PFS settings apply only to the first negotiation and not to subsequent SA rekeys. PFS is therefore absent. When the BIG-IP enters CREATE_CHILD_SA with a third-party IPsec peer, negotiation fails if the peer requires PFS. Under the same conditions, BIG-IP to BIG-IP tunnels do not fail.
Workaround:
To resolve vendor interop problems, disable PFS in the IPsec policy of both peers.
Fix:
When phase1-perfect-forward-secrecy is configured with a value other than none, the BIG-IP will now perform PFS negotiation correctly. Now rekey with CREATE_CHILD_SA generates a new key using the same DH Group as the first exchange that creates the first SA.
Note: In the ipsec-policy configuration object, the ike-phase2-perfect-forward-secrecy option is relevant only to IKEv1 and has no influence on IKEv2 PFS rekeying.
652877-3 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
Component: TMOS
Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:
-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.
In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.
Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.
You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.
Impact:
MCPD restart on all secondary blades results in partial service outage.
Workaround:
Reactivate the license only on a system that is standby/offline.
Fix:
Reactivating the license on a VIPRION system no longer causes MCPD process restart on one or all secondary blades.
652796-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
Component: Access Policy Manager
Symptoms:
ECA may be constantly restarting on BIG-IP appliance that has over 24 CPU cores.
Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.
Impact:
ECA NTLM functionality will not be accessible to the users.
Workaround:
If ECA functionality is not required, disable the process by running 'bigstart stop eca'.
If ECA functionality is needed:
1. Stop eca by running 'bigstart stop eca'.
2. Modify file '/etc/bigstart/scripts/eca' as follows:
a) Replace line:
cpu_count=$(get_number_cpu)
with line:
tmm_count=$(get_tmm_count)
b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}
with line:
exec /usr/sbin/${service} -n ${tmm_count}
3. Save the file, and restart the process by running 'bigstart start eca'.
Fix:
ECA no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.
652792-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
Component: Access Policy Manager
Symptoms:
urldb may be constantly restarting on a BIG-IP appliance that has over 24 CPU cores.
Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.
Impact:
URLDB functionality will not be accessible to the users.
Workaround:
If URLDB functionality is not required, disable the process by running 'bigstart stop urldb'.
If urldb functionality is needed:
1. Stop urldb by running 'bigstart stop urldb'.
2. Modify file '/etc/bigstart/scripts/urldb' as follows:
a) Replace line:
cpu_count=$(get_number_cpu)
with line:
tmm_count=$(get_tmm_count)
b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}
with line:
exec /usr/sbin/${service} -n ${tmm_count}
3. Save the file, and restart the process by running 'bigstart start urldb'.
Fix:
urldb no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.
652691-1 : Installation fails if only .iso.384.sig (new format signature file) is present★
Component: TMOS
Symptoms:
Tab completion will only complete the names of ISO images that have an old-style signature file ("BIG-IP-version-build.iso.sig"), not the new style ("BIG-IP-version-build.iso.384.sig"). Installation then fails even if you type out the full name.
Conditions:
This only happens when signature checking is enabled for ISO images. You can determine this by looking at the value of the DB variable "liveinstall.checksig".
Impact:
Tab completion will not show the ISO image, and even if you type out the full name, the installation will fail. An error message will appear in "show sys software status" and /var/log/liveinstall.log .
Workaround:
Put both types of signature file (.iso.sig and .iso.384.sig) on the device.
Fix:
Tab completion and installation will now work if the old signature file format (.iso.sig) is missing, and only the new signature format (.iso.384.sig) is present.
652689-2 : Displaying 100G interfaces
Solution Article: K14243280
Component: TMOS
Symptoms:
The interfaces' Active Media Type and Media Speed rows display 'none'.
Conditions:
Having a server with 100G interfaces.
Impact:
Cannot use GUI to determine interfaces' Active Media Type and Media Speed.
Workaround:
Use tmsh to see the affected interface.
Fix:
100G interfaces now display correctly.
652671-4 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
Solution Article: K31326690
Component: TMOS
Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.
Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.
Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.
Workaround:
Ensure that the provision.extramb value is the same on all units in the device cluster before performing a config sync.
Fix:
The provision.extramb and provision.tomcat.extramb DB keys are no longer synchronized by ConfigSync, which prevents TMM from restarting on peer devices when the management subsystem provisioning is changed and a ConfigSync is then performed.
Behavior Change:
The provision.extramb and provision.tomcat.extramb DB keys are no longer synchronized by ConfigSync between devices.
652638-2 : php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
Solution Article: K23731034
652539 : Multiple Bash Vulnerabilities
Solution Article: K73705133
652535-1 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
Solution Article: K54443700
Component: Local Traffic Manager
Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.
Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.
Impact:
HTTP/2 stream is reset.
Workaround:
None.
Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.
652516 : Multiple Linux Kernel Vulnerabilities
Solution Article: K31603170
652484-2 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster
Component: TMOS
Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.
Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.
Impact:
The f5optics version is not displayed for all of the blades.
Fix:
f5optics version information for all blades within a chassis is displayed when the user issues tmsh show net f5optics from the primary blade.
652445-2 : SAN with uppercase names result in case-sensitive match or will not match
Solution Article: K87541959
Component: Local Traffic Manager
Symptoms:
SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.
Conditions:
Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.
Impact:
SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.
Workaround:
Use lowercase characters for SAN domain names in SSL certificates.
Fix:
SNI match is now case-insensitive.
652200-1 : Failure to update ASM enforcer about account change.
Solution Article: K81349220
Component: Application Security Manager
Symptoms:
There is an error updating BD with the following information:
Errors:
------------
bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled
ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------
Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.
Impact:
Traffic is blocked due to Unknown HTTP selector.
Workaround:
Use one of the following workarounds:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.
Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).
652151-1 : Azure VE: Initialization improvement
Solution Article: K61757346
652094-2 : Improve traffic disaggregation for uncommon IP protocols
Solution Article: K49190243
Component: TMOS
Symptoms:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default.
Conditions:
Traffic of uncommon IP protocols on VLAN configured with default DAG.
Impact:
Traffic for uncommon IP protocols not distributed evenly among available processing units.
Workaround:
None.
Fix:
The system now correctly distributes traffic for uncommon IP protocols based on src IP and dest IP.
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.
ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)
Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.
Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.
Behavior Change:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.
ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)
Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.
Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.
652052-3 : PEM:sessions iRule made the order of parameters strict
Component: Policy Enforcement Manager
Symptoms:
In the versions before 12.0, the order of parameters for "PEM::SESSIONS" rule was flexible. It was made strict because of the new validation infrastructure in 12.0. This breaks some existing iRules.
The system will report a validation error such as:
01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]
Conditions:
Some parameters, for example, subscriber-id come before the parameter user-name.
Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.
Workaround:
Change the order of the parameters.
652004-2 : Show /apm access-info all-properties causes memory leaks in tmm
Solution Article: K45320415
Component: Access Policy Manager
Symptoms:
When tmsh is used to view session information, memory leaks on each request that pulls the session information from tmm. This is a small leak, but it can become a significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.
Conditions:
When using 'show /apm access-info all-properties'.
Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.
Workaround:
The only workaround is to not use the MCP interface of the tmm daemon, or to restart the tmms periodically after using the interface multiple times.
Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.
651910-2 : Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later
Component: Access Policy Manager
Symptoms:
You cannot change the 'Enable Access System Logs' and 'Enable URL Request Logs' properties via the GUI.
Conditions:
After upgrade from 12.x to 13.0.0 (where these new fields were added) or later.
Impact:
You cannot change 'Enable Access System Logs' and 'Enable URL Request Logs'.
Workaround:
Manually add the properties via tmsh. To do so, follow these steps (substituting your affected log setting for abc in the following example):
modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}
Fix:
Now it is possible to use the GUI to successfully use and configure log-setting objects that were created with tmsh.
651901-2 : Removed unnecessary ASSERTs in MPTCP code
Component: Local Traffic Manager
Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.
Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.
Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.
Workaround:
There is no workaround at this time.
Fix:
Replaced many ASSERTs with other mitigations that allow TMM to continue running.
651889-2 : persist record may be inconsistent after a virtual hit rate limit
Component: Local Traffic Manager
Symptoms:
The persist record may be inconsistent after a virtual server hits its rate limit.
Conditions:
A virtual server with a rate limit set.
Persistence is enabled.
Impact:
Persistence behavior is affected.
Workaround:
Disable the rate limit on the virtual server.
Fix:
The problem is fixed.
651886-1 : Certain FIX messages are dropped
Component: Service Provider
Symptoms:
When a FIX message is received with a length, checksum, or message type field containing leading zeros, the message may be dropped.
Conditions:
This bug affects all FIX messages having a length (tag 9), checksum (tag 10) or message type (tag 35) field that contains at least one leading zero. Certain third-party FIX protocol implementations are known to insert leading zeros in these fields.
Impact:
FIX messages from these products cannot be processed by the FIX profile in BIG-IP.
Fix:
Valid Financial Information eXchange protocol messages are no longer rejected.
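To show what the fix has to tolerate, here is an added example (not F5 code) of FIX framing validation that compares BodyLength (tag 9) and CheckSum (tag 10) as integers rather than as digit strings, so zero-padded values such as 9=0051 pass; the sample Heartbeat message and its counterparty names are constructed.

```python
"""Lenient FIX framing check that accepts zero-padded numeric fields.

Added example, not F5 code. BodyLength (tag 9) and CheckSum (tag 10) are
compared as integers, so '9=0051' and '10=007' pass; MsgType (tag 35) is
kept as an opaque string. The sample message below is constructed.
"""

SOH = "\x01"  # FIX field delimiter


def fix_checksum(prefix: str) -> int:
    """CheckSum is the byte sum of the message up to (and including) the SOH
    that precedes the tag-10 field, modulo 256."""
    return sum(prefix.encode("latin-1")) % 256


def build_fix(body_fields, width: int = 0) -> str:
    """Frame a message. width > 0 zero-pads BodyLength to that many digits,
    mimicking the third-party engines the release note mentions."""
    body = "".join(f"{tag}={value}{SOH}" for tag, value in body_fields)
    prefix = f"8=FIX.4.2{SOH}9={str(len(body)).zfill(width)}{SOH}{body}"
    return f"{prefix}10={str(fix_checksum(prefix)).zfill(3)}{SOH}"


def parse_fix(raw: str) -> list[tuple[int, str]]:
    """Split into (tag, value) pairs, preserving order and raw value text."""
    fields = []
    for item in raw.split(SOH):
        if not item:
            continue
        tag, sep, value = item.partition("=")
        if not sep or not tag.isdigit():
            raise ValueError(f"malformed field: {item!r}")
        fields.append((int(tag), value))
    return fields


def validate_fix(raw: str) -> bool:
    """True when framing is intact: tags 8 and 9 first, tag 10 last, and both
    BodyLength and CheckSum agree with the bytes actually present."""
    fields = parse_fix(raw)
    if len(fields) < 4 or [t for t, _ in fields[:2]] != [8, 9] or fields[-1][0] != 10:
        return False
    length_text, checksum_text = fields[1][1], fields[-1][1]
    if not (length_text.isdigit() and checksum_text.isdigit()):
        return False
    body_start = raw.index(SOH, raw.index(SOH) + 1) + 1  # just after '9=...<SOH>'
    tail = raw.rfind(SOH + "10=")                        # the SOH before tag 10
    if tail < body_start:
        return False
    body = raw[body_start:tail + 1]
    # int() ignores leading zeros; a textual comparison would reject '0051'.
    return (int(length_text) == len(body.encode("latin-1"))
            and int(checksum_text) == fix_checksum(raw[:tail + 1]))


# Constructed sample: a Heartbeat (35=0) between two made-up counterparties.
SAMPLE_FIELDS = [(35, "0"), (49, "SENDER"), (56, "TARGET"),
                 (34, "1"), (52, "20200101-00:00:00")]

if __name__ == "__main__":
    for width in (0, 4):
        msg = build_fix(SAMPLE_FIELDS, width)
        print(msg.replace(SOH, "|"), validate_fix(msg))
```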
651826-2 : SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly
Component: TMOS
Symptoms:
When checking the SPI fields of an IKEv2 IPsec SA, the byte order of the displayed number is rendered incorrectly. The SPI details are seen in "tmsh show net ipsec ike-sa all-properties".
For example, the BIG-IP will render this:
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d
When the actual SPIs viewed on the peer device are:
Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C
Conditions:
IKEv2 IPsec SAs are established or attempting to be established.
Impact:
Can confuse a BIG-IP Administrator who is attempting to verify that IPsec peers have the same SAs.
Workaround:
Reverse the byte order of each displayed SPI manually (remembering that local and remote are exchanged when viewed from the peer), or examine the ipsec.log to see the established SA SPI numbers.
Fix:
The correct SPI numbers are displayed when running the "tmsh show net ipsec ike-sa all-properties" command. Note that this command only shows IKEv2 SAs.
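On a build that still displays the SPIs byte-reversed, the comparison against the peer can be scripted instead of done by eye. The following Python is an added example, not F5 code: it pulls the two SPI lines out of the tmsh output, reverses the byte order of each 64-bit value, and checks them against the peer's SPIs with local and remote exchanged. The tmsh excerpt is constructed from the values shown above; on a fixed build the byte swap is not needed and the displayed values can be compared directly.

```python
"""Added example (not F5 code): undo the SPI byte swap and compare with the peer."""
from __future__ import annotations
import re

# Constructed excerpt of the affected "tmsh show net ipsec ike-sa all-properties"
# output; only the two SPI lines matter here.
SAMPLE_TMSH = """\
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d
"""


def parse_tmsh_spis(text: str) -> dict[str, str]:
    """Pull the local/remote SPI hex strings out of the tmsh output."""
    found: dict[str, str] = {}
    for m in re.finditer(r"Spi\((local|remote)\):\s*(0x[0-9a-fA-F]{16})", text, re.IGNORECASE):
        found[m.group(1).lower()] = m.group(2)
    return found


def byte_swap_spi(displayed: str) -> str:
    """Reverse the byte order of a 64-bit SPI ('0x3c47...098c' -> '8C0916B0CA42473C')."""
    value = int(displayed, 16)
    return value.to_bytes(8, "little").hex().upper()


def sa_matches(tmsh_text: str, peer_local: str, peer_remote: str) -> bool:
    """True if the byte-swapped BIG-IP SPIs equal the peer's SPIs with local/remote exchanged.

    The exchange is expected: the BIG-IP's local SPI is the peer's remote SPI and vice versa.
    """
    spis = parse_tmsh_spis(tmsh_text)
    return (byte_swap_spi(spis["local"]) == peer_remote.upper()
            and byte_swap_spi(spis["remote"]) == peer_local.upper())
```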
651772-3 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, whether from a host daemon, a monitor, or the command line, may use a MAC and IPv6 source address from a different VLAN.
Conditions:
- Multiple VLANs with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc., that cover the traffic destination.
- Changes in routes that cause the traffic to the destination to shift from one VLAN and gateway to another. This can be typically observed with dynamic routing updates.
Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.
Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific VLAN.
Fix:
IPv6 host traffic no longer uses an incorrect IPv6 or MAC address after route updates.
Behavior Change:
Introduction of the sys db variable ipv6.host.router_probe_interval, which controls the sysctl net.ipv6.conf.default.router_probe_interval value. The default is 5 seconds.
651681-4 : Orphaned bigd instances may exist (within multi-process bigd)
Component: Local Traffic Manager
Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may exist, such as an orphaned 'bigd.1' alongside the active 'bigd.1'.
Conditions:
-- The db variable Bigd.NumProcs is set to 2 or higher.
-- System monitors with long timeouts (roughly 183 seconds or longer) may also be relevant.
When 'bigd' manages monitor configurations that results in no monitoring activity for a long time (such as due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as if it were "hung", and start another 'bigd' instance without explicitly terminating the suspended 'bigd' process.
Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.
Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.
Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.
Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.
Fix:
Multi-process 'bigd' no longer produces orphaned (suspended) process instances.
651651-3 : bigd can crash when a DNS response does not match the expected value
Solution Article: K54604320
Component: Local Traffic Manager
Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.
Conditions:
Monitoring DNS server(s), or using FQDN.
Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.
Workaround:
No workaround at this time.
Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.
651640-3 : queue full dropped messages incorrectly counted as responses
Component: Service Provider
Symptoms:
A negative number of active response messages is reported in the sipsession profile stats.
Conditions:
If a request message is dropped because the SIP filter's ingress message queue is full, the wrong statistic is incremented.
Impact:
Counting the dropped request messages as response messages makes the calculation of accepted response messages incorrect, producing a negative value.
Fix:
The correct stats fields are now incremented.
651541-2 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile
Solution Article: K83955631
Component: Local Traffic Manager
Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.
Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.
Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.
Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.
Fix:
Changing the HTTP profile now triggers validation of all virtual servers using that profile.
651476 : bigd may core on non-primary bigd when FQDN in use
Component: Local Traffic Manager
Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.
Conditions:
FQDN is in use.
Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.
Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.
Fix:
Known causes of the bug have been fixed.
651413-2 : tmsh list ltm node does not return an error when node does not exist
Solution Article: K34042229
Component: TMOS
Symptoms:
TMSH does not post an error message in response to the tmsh command to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using regular expressions.
Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.
Impact:
The command produces no output or error message. No indication of why there is no output, nor is there a description of the possible error condition.
Workaround:
None.
Fix:
TMSH now posts the appropriate, node-not-found error message when LTM nodes do not exist when running the command: tmsh list ltm node.
651362 : eventd crashes during boot
Component: TMOS
Symptoms:
eventd may crash during boot due to heap corruption.
Conditions:
This happens during subscription and unsubscription of events.
Impact:
eventd crashes.
Workaround:
None.
Fix:
Race condition has been resolved, so eventd no longer crashes.
651221-2 : Parsing certain URIs may cause the TMM to produce a core file.
Solution Article: K25033460
651155-1 : HSB continually logs 'loopback ring 0 tx not active'
Component: TMOS
Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.
Conditions:
The conditions under which this occurs are not known.
Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.
Workaround:
None.
Fix:
HSB no longer continually logs 'loopback ring 0 tx not active'.
651135-4 : LTM Policy error when rule names contain slash (/) character★
Solution Article: K41685444
Component: Local Traffic Manager
Symptoms:
Beginning with v12.0.0, there has been additional validation for LTM Policy rule names to allow only certain valid characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.
But because the slash character is used as a delimiter in the BIG-IP virtual path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name cause validation problems because the rule appears to the system as having additional path segments.
Conditions:
LTM Policy rule contains the slash (/) character.
Impact:
The configuration does not load, or it loads but the admin GUI does not show the policy rule.
Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to either remove the illegal character or to substitute a valid character.
For example, the following policy won't load because the rule name contains a slash (/) character:
ltm policy mypolicy {
...
rules {
/testperson/a {
...
}
But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
ltm policy mypolicy {
...
rules {
_testperson_a {
...
}
Fix:
For upgraded configurations, the roll-forward process will automatically translate slash (/) to underscore (_) in LTM Policy rule names. When creating new rules, validation will not succeed if a rule name contains an illegal character, such as a slash, so the issue will be prevented.
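The manual edit described in the workaround can be scripted for a bigip.conf with many policies. The following Python is an added example, not F5 code and not the roll-forward logic: it tracks the brace nesting of the file, rewrites only block names that sit directly inside a policy's rules block, leaves path references such as pool /Common/pool_a alone, and refuses to continue if a rewritten name collides with an existing rule in the same policy (something the automatic slash-to-underscore translation would otherwise silently produce). The configuration excerpt is constructed.

```python
"""Added example (not F5 code): rewrite slash-containing LTM Policy rule names."""
from __future__ import annotations

# Constructed bigip.conf excerpt: one rule name carries slashes, one does not.
SAMPLE_CONF = """\
ltm policy mypolicy {
    controls { forwarding }
    requires { http }
    rules {
        /testperson/a {
            actions {
                0 {
                    forward
                    select
                    pool /Common/pool_a
                }
            }
            ordinal 1
        }
        plain_rule {
            ordinal 2
        }
    }
    strategy first-match
}
"""


def rewrite_rule_names(conf: str, replacement: str = "_") -> tuple[str, list[tuple[str, str]]]:
    """Replace '/' in rule names under 'ltm policy ... { rules { ... } }' with `replacement`.

    Only block-opening lines directly inside a policy's 'rules' block are touched, so
    object references elsewhere (for example 'pool /Common/pool_a') keep their slashes.
    Raises ValueError if a name collides with another rule in the same policy.
    Returns the rewritten text and the list of (old, new) names.
    """
    out: list[str] = []
    renamed: list[tuple[str, str]] = []
    stack: list[str] = []          # names of the currently open blocks
    rule_names: set[str] = set()   # rules seen in the current 'rules' block
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.endswith("{") and "}" not in stripped:
            name = stripped[:-1].strip()
            in_rules = (len(stack) >= 2 and stack[-1] == "rules"
                        and stack[-2].startswith("ltm policy "))
            if in_rules:
                if "/" in name:
                    new_name = name.replace("/", replacement)
                    renamed.append((name, new_name))
                    line = line.replace(name, new_name, 1)
                    name = new_name
                if name in rule_names:
                    raise ValueError(f"rule name collision after rewrite: {name}")
                rule_names.add(name)
            elif name == "rules" and stack and stack[-1].startswith("ltm policy "):
                rule_names = set()
            stack.append(name)
        elif stripped == "}":
            stack.pop()
        out.append(line)
    return "\n".join(out) + "\n", renamed
```

Run it against a copy of bigip.conf, review the returned (old, new) pairs, and then load the configuration with tmsh load sys config as usual; the collision check matters because two rules that differ only in slash versus underscore would become one name.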
651106 : memory leak on non-primary bigd with changing node IPs
Component: Local Traffic Manager
Symptoms:
On BIG-IP systems with multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes consume an unusually high amount of memory, and bigd may core when the FQDN node IP addresses change frequently.
Conditions:
FQDN nodes are configured, and the system as a whole has multiple bigd processes running, either across multiple blades or as multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, memory consumption by bigd on the non-primary blades or instances may be unusually high.
Impact:
bigd memory leak; possible bigd crash.
Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.
651001-1 : massive prints in tmm log: "could not find conf for profile crc"
Component: Application Security Manager
Symptoms:
Large numbers of the following message are written to the tmm log while traffic is passing:
"could not find conf for profile crc"
Conditions:
1. A DoS profile is attached to the virtual server, and the DoS profile does not have DoS application protection enabled.
2. An ASM policy is attached to the virtual server with Web Scraping, session hijacking, session awareness with device ID (DID) collection, or brute force with DID collection enabled.
Impact:
Massive numbers of log messages in the tmm log, which can cause tmm to abort. Traffic is disrupted while tmm restarts.
Workaround:
Have DOS application enabled (even if doing nothing).
Fix:
The log messages are no longer printed.
650422-2 : TMM core after a switchover involving GY quota reporting
Component: Policy Enforcement Manager
Symptoms:
TMM produces a core dump in the code path for asynchronous subscriber lookup.
Conditions:
This core happens in an intra-chassis HA configuration when Gy is configured and an HA switchover is forced.
Impact:
An initial core dump (or HA switchover) triggers multiple further core dumps. Traffic is disrupted while tmm restarts.
650349 : Creation or reconfiguration of iApps fails if high speed logging is configured
Solution Article: K50168519
Component: TMOS
Symptoms:
If a logging destination of any type is configured (ArcSight, IPFIX, remote high speed logging, etc.), creation or reconfiguration of iApps fails. The following error is reported in /var/log/webui.log and displayed in the GUI: The connection to mcpd has been lost, try again.
If the iApp is being created or modified via iControl, the following message is logged in /var/log/audit:
-- notice icrd_child[19904]: 01420002:5: AUDIT - pid=19904 user=admin folder=/Common module=(tmos)# status=[The connection to mcpd has been lost, try again.] cmd_data=create sys application service /Common/group2-analytics { template /Common/group2-analytics variables add { statistics__pushinterval { value 120 } statistics__customcollection { value Yes } } lists add { statistics__customcollectionconfig { value { tmm_stat interface_stat cpu_info_stat disk_info_stat host_info_stat profile_dns_stat gtm_wideip_stat dns_cache_resolver_stat tmmdns_zone_stat rule_stat virtual_server_stat pool_member_stat } } } }
The important parts of the message are the daemon, 'icrd_child', and the status, 'The connection to mcpd has been lost, try again.'
Conditions:
-- Logging is configured (filter, destination, and publisher) such that scriptd logs to a high speed logging target, which can occur if there is a logging filter whose source is 'all' or 'scriptd'.
-- Attempting to create or reconfigure iApps.
Impact:
iApp creation or reconfiguration fails. Cannot create new iApps or reconfigure existing ones.
Workaround:
This workaround stops scriptd from logging anything to any logging destination, so you should remove it and restart scriptd after the iApp is created/reconfigured.
1. Which first step you take depends on whether you have log filters with a source of 'scriptd' and a publisher whose destination is of type remote-high-speed-log:
a. If you do, make sure all those filters have their publisher set to 'none'.
b. If you do not, create a log-config filter with a source of 'scriptd', a level of 'debug', and a publisher of 'none'.
For example:
sys log-config filter NoScriptd {
app-service none
description none
level debug
message-id none
publisher none
source scriptd
}
2. After the log-config filters are modified, restart scriptd using the following command:
bigstart restart scriptd
Fix:
Can now create or reconfigure iApps if logging is configured.
650317-3 : The TMM on the next-active panics with message: "Missing oneconnect HA context"
Component: Local Traffic Manager
Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.
Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.
Impact:
Connections on the active are not mirrored while the next-active restarts.
Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.
Fix:
Mirrored connections which fail to find an HA context on the next-active are not established on the next-active.
650292-2 : DNS transparent cache can return non-recursive results for recursive queries
Component: Local Traffic Manager
Symptoms:
If a non-recursive query is cached by the DNS transparent cache, subsequent recursive queries receive the non-recursive answer.
Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.
Impact:
Non-recursive responses are returned for recursive requests.
Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.
Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.
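The behavior before and after this fix can be shown with a small model of the cache. The following Python is an added example, not BIG-IP code: it builds DNS queries in wire format, reads the RD bit from the header, and keeps a cache keyed on (qname, qtype) in which every entry remembers whether it was populated by a recursive query. With honor_rd=True a recursive query is not served from a non-recursive entry and the entry is replaced once the recursive answer is stored; honor_rd=False reproduces the pre-fix behavior. All packets and answers are constructed, and the stored "responses" are placeholder byte strings rather than real DNS replies.

```python
"""Added example (not BIG-IP code): a toy transparent DNS cache that honours the RD bit."""
from __future__ import annotations
import struct

RD_FLAG = 0x0100  # Recursion Desired, bit 8 of the DNS header flags word


def build_query(qname: str, qtype: int = 1, rd: bool = True, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (12-byte header plus one question) in wire format."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(pkt: bytes) -> tuple[str, int, bool]:
    """Return (qname, qtype, rd) from a query; question names are never label-compressed."""
    _txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", pkt[pos + 1:pos + 5])
    return ".".join(labels), qtype, bool(flags & RD_FLAG)


class TransparentCache:
    """Cache keyed on (qname, qtype); each entry records whether it came from a recursive query."""

    def __init__(self, honor_rd: bool = True) -> None:
        self.honor_rd = honor_rd   # False reproduces the pre-fix behaviour
        self.entries: dict[tuple[str, int], tuple[bytes, bool]] = {}

    def lookup(self, query: bytes) -> bytes | None:
        """Return a cached response for this query, or None to forward it to the server."""
        qname, qtype, rd = parse_question(query)
        entry = self.entries.get((qname, qtype))
        if entry is None:
            return None
        response, recursive = entry
        if self.honor_rd and rd and not recursive:
            # A recursive client must not get the non-recursive (referral-style) answer;
            # miss on purpose so the real answer is fetched and store() replaces the entry.
            return None
        return response

    def store(self, query: bytes, response: bytes) -> None:
        """Record the server's response together with the RD bit of the query that earned it."""
        qname, qtype, rd = parse_question(query)
        self.entries[(qname, qtype)] = (response, rd)
```

The iRule workaround in this entry is the same decision made at the listener: when RD is clear the cache is bypassed, so a non-recursive answer never gets stored where a later recursive query would find it.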
650286-2 : REST asynchronous tasks permissions issues
Solution Article: K24465120
650152-1 : Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
Component: Local Traffic Manager
Symptoms:
In Nitrox PX platforms, vCMP guests can't accelerate AES-GCM traffic, which might cause high CPU usage.
Conditions:
For those vCMP guests deployed on Nitrox PX-based platforms, and SSL cipher is configured to use AES-GCM.
The following blades support the Nitrox PX and vCMP combination: VIPRION B4200, B4300, B2100, and B2150 blades.
Impact:
High CPU usage.
Workaround:
No workaround.
Fix:
Added AES-GCM hardware acceleration support for Nitrox PX-based vCMP.
650081-1 : Proactive Bot Defense JavaScript challenges may introduce high latencies and cause some browsers to display a blank page.
Solution Article: K53010710
Component: Application Security Manager
Symptoms:
When Proactive Bot Defense (PBD) and fingerprinting (FP) are both enabled, there is very high client-side latency, especially on Microsoft Internet Explorer version 11 (IE11).
On IE11, sometimes the challenge remains on a blank page, never moving on to the site from the back-end server.
Conditions:
This issue occurs when the following conditions are met:
-- Your BIG-IP system has Proactive Bot Defense and fingerprinting enabled.
-- The client is using IE11.
Note: IE11 is known to be affected by this issue. However, other browsers may also be affected.
Impact:
Delay or blank page when clients access the page using IE11.
Workaround:
None
Fix:
Improved the client-side run-time of the JavaScript challenge and prevented it from getting stuck on Internet Explorer.
650074-1 : Changed Format of RAM Cache REST Status output.
Component: Local Traffic Manager
Symptoms:
The REST API returned cache contents in displayable form, not tagged field form.
Conditions:
Using REST API.
Impact:
Callers that want to post-process the data must parse display-formatted text.
Workaround:
The text can be displayed as is; to present the data in another format, it must be parsed from the display form.
Fix:
Now RAM Cache REST Status output is returned in field format, and must be parsed by a JSON parser and formatted for display. If you were using the previous format, you must now parse the JSON and re-format the data for display.
Behavior Change:
REST API calls for ramcache stats now return data as formatted JSON.
650070-2 : iRule that uses ASM violation details may cause the system to reset the request
Solution Article: K23041827
Component: Application Security Manager
Symptoms:
When an iRule attempts to use the violation details such as attackSignature or MaliciousFingerprint, in some cases a legal request will be reset.
Conditions:
-- An ASM iRule that uses violation details is attached to the virtual server.
-- The request contains the violation.
Impact:
A legal request is being reset.
Workaround:
None.
Fix:
iRule that uses ASM violation details no longer causes the system to reset the request.
650059-1 : TMM may crash when processing VPN traffic
Solution Article: K20087443
650002-1 : tzdata bug fix and enhancement update
Component: TMOS
Symptoms:
There have been changes to timezone data that impact tzdata packages:
* Mongolia no longer observes Daylight Saving Time (DST).
* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.
Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.
Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).
Workaround:
None.
Fix:
To accommodate the Magallanes Region of Chile, the new America/Punta_Arenas zone was created, and the Mongolia zones no longer observe DST. Changes were also made to support other timezone changes.
* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.
Note: Users of tzdata are advised to upgrade tzdata to tzdata-2017b-1.el6.
649949-1 : Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
Component: TMOS
Symptoms:
Following the instructions at https://support.f5.com/csp/article/K13117 will occasionally fail on iSeries platforms, with the system being unable to find the installation media.
If this happens, running the following command will fail.
image2disk --instslot=HD1.1 --setdefault --nosaveconfig
Conditions:
This can occur on iSeries platforms while performing a clean installation.
Impact:
The /dev/cdrom softlink points to the virtual CD-ROM drive in iSeries platforms instead of the physical USB DVD-ROM drive. This prevents image2disk from automatically finding the installation media.
Workaround:
After the failure, while in MOS, determine USB CDROM device name, mount it, and tell image2disk specifically where it is:
bash (try 'info') / > dmesg | grep "sr0\|sr1"
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray <-- cdrom name
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1
bash (try 'info') / > mount -r -t iso9660 /dev/srX /cdserver
bash (try 'info') / > image2disk --instslot=HD1.1 --nosaveconfig /cdserver
In the mount command, replace "/dev/srX" with whichever device is the physical drive.
649933-1 : Fragmented RADIUS messages may be dropped
Component: Service Provider
Symptoms:
Large RADIUS messages may be dropped when processed by iRules.
Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.
Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:
Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""
Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.
649929-1 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
Component: Access Policy Manager
Symptoms:
Cannot delete a saml_sp_connector within a transaction, even when all related objects are specified.
Conditions:
When deleting a saml_sp_connector in a transaction along with its associated objects.
Impact:
Cannot delete saml_sp_connector and associated objects.
Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector
Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.
649907-2 : BIND vulnerability CVE-2017-3137
Solution Article: K30164784
649904-2 : BIND vulnerability CVE-2017-3136
Solution Article: K23598445
649866-1 : fsck should not run during first boot on public clouds
Component: TMOS
Symptoms:
Although it is not needed, a filesystem check runs during the first boot. This increases the boot time, especially for images that were created more than 180 days before the first boot, because twice a year boot-up runs a more comprehensive fsck operation.
Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).
Impact:
Potentially unacceptably long boot times.
Workaround:
None.
Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.
649617-2 : qkview improvement for OVSDB management
Component: TMOS
Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.
If the user wants the BIG-IP system to connect to an OVSDB-capable controller via an SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in qkview.
Conditions:
The following conditions need to be met:
- BIG-IP has the SDN services license.
- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.
- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.
Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.
Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.
In general, if OVSDB management has ever been set to "enabled", the user with the bash shell access can check if the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.
Fix:
The certificate key configured in the "sys management-ovsdb" will not be collected when invoking qkview.
649613-3 : Multiple UDP/TCP packets packed into one DTLS Record
Component: Access Policy Manager
Symptoms:
The system converts the server-provided packets into PPP buffers, which are then packed into DTLS records. Currently there is a limit of about 14 KB per DTLS record, so the system can pack multiple PPP records into one DTLS record.
However, creating larger DTLS records can cause IP fragmentation on the server side. In a lossy environment, losing one IP fragment causes the complete DTLS record to be lost, resulting in poor performance.
Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.
Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.
Workaround:
None.
Fix:
DTLS performance has been improved in lossy or high latency networks by optimizing the number of encoded ppp records inside of DTLS records.
649571-1 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not act on the absence of renegotiation.
Conditions:
A BIG-IP system acts as a TLS client, and the TLS server ignores the renegotiation request. Finite TLS session data or time limits are configured in the Server SSL profile on the BIG-IP system.
An example of such a TLS server is Apache/2.4.10 on Fedora Linux.
Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".
Workaround:
None.
Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.
649564-2 : Crash related to GTM monitors with long RECV strings
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.
Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.
Impact:
Core dump. Traffic might be disrupted while gtmd restarts.
Workaround:
None.
Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.
649465-1 : SELinux warning messages regarding nsm daemon
Component: TMOS
Symptoms:
Receiving SELinux warning messages regarding nsm daemon when BFD is enabled, and deleting VLANs.
Conditions:
-- BFD enabled for any route-domain.
-- Deleting VLANs.
Impact:
None. This warning message references actions that are extraneous for the nsm daemon.
Workaround:
None.
Fix:
nsm no longer triggers SELinux warning messages when BFD is enabled and VLANs are deleted.
649234-3 : TMM crash from a possible memory corruption.
Solution Article: K64131101
Component: Access Policy Manager
Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.
Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.
649177-2 : Testing for connection to SMTP Server always returns "OK"
Solution Article: K54018808
Component: Application Visibility and Reporting
Symptoms:
When you click the SMTP GUI config "Test Connection" button it always gives green "OK" response, even if there is no network, or if the DNS response is NXDomain.
Conditions:
This is encountered when testing the SMTP connection using the GUI.
Impact:
Validation of SMTP server availability is incorrect.
Workaround:
You can test SMTP at the command line by attempting to send a test email, as in this example (substitute user@example.com with your valid email address):
# echo "ssmtp test mail" | mail -vs "Test email" user@example.com
Fix:
The 'Test Connection' button for the SMTP server configuration reports errors as expected.
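A connectivity test that cannot return "OK" without talking to the server has to resolve the name, open the TCP connection, read the banner and get a 250 to EHLO, reporting which of those steps failed. The following Python is an added example, not the BIG-IP GUI's check and not F5 code; start_fake_smtp and closed_port are constructed local peers used only to exercise the positive and negative paths offline, and the EHLO name bigip.example is an assumed value.

```python
"""Added example (not F5 code): an SMTP reachability check that resolves, connects and greets."""
from __future__ import annotations
import smtplib
import socket
import threading


def smtp_reachable(host: str, port: int = 25, timeout: float = 5.0) -> tuple[bool, str]:
    """Resolve host, open a TCP connection, read the banner and send EHLO.

    Returns (ok, detail); DNS failure (NXDOMAIN), connect failure and a bad
    greeting are reported separately instead of collapsing into a green "OK".
    """
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"DNS lookup failed for {host}: {exc}"
    try:
        # local_hostname avoids a reverse lookup of our own name inside smtplib.
        with smtplib.SMTP(host, port, local_hostname="bigip.example", timeout=timeout) as conn:
            code, reply = conn.ehlo()
    except (OSError, smtplib.SMTPException) as exc:
        return False, f"connection to {host}:{port} failed: {exc}"
    return code == 250, f"EHLO returned {code}: {reply.decode(errors='replace')}"


def start_fake_smtp() -> int:
    """Start a one-shot SMTP greeter on 127.0.0.1 (constructed test peer); returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            lines.readline()                      # EHLO bigip.example
            conn.sendall(b"250 fake.example\r\n")
            lines.readline()                      # QUIT
            conn.sendall(b"221 bye\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a local TCP port that nothing is listening on (for the negative case)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port
```

Against a real server, call smtp_reachable with the configured SMTP host and port; a name that does not resolve comes back as a DNS failure, which is exactly the NXDOMAIN case the button reported as "OK".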
649171-4 : tmm core in iRule with unreachable remote address
Component: Local Traffic Manager
Symptoms:
When an iRule calls TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with a remote_addr that is not reachable, tmm cores.
Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Create a placeholder (faux) route for the destination address.
649161-1 : AVR caching mechanism not working properly
Solution Article: K42340304
Component: Application Visibility and Reporting
Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.
Conditions:
Using AVR caching mechanism (turned-on by default).
Impact:
Reports will be incorrect.
Workaround:
Using the following TMSH command should solve the problem:
tmsh modify sys db avr.requestcache value disable
* NOTE: the above might cause AVR to perform a bit slower.
Fix:
The system no longer stores the dimension-based queries in the AVR cache.
648990 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
Component: Local Traffic Manager
Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:
info tmm[17859]: 01260034:6: Block cipher data limit exceeded.
Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.
Impact:
Serverssl renegotiation does not occur, log message is displayed.
648954-5 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
The error references an iRule that previously existed but has been deleted (or is being deleted as a result of a ConfigSync).
Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.
Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
648879-2 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
Solution Article: K90803619
648865-2 : Linux kernel vulnerability: CVE-2017-6074
Solution Article: K82508682
648802-3 : Required custom AVPs are not included in an RAA when reporting an error.
Component: Policy Enforcement Manager
Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).
Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.
Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.
Workaround:
There is no workaround at this time.
Fix:
Custom AVPs are now included in an RAA regardless of the error code.
648786-5 : TMM crashes when categorizing long URLs
Solution Article: K31404801
648766-1 : DNS Express responses missing SOA record in NoData responses if CNAMEs present
Solution Article: K57853542
Component: Global Traffic Manager (DNS)
Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.
Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.
Impact:
A valid DNS response with a partial chase but missing the SOA record may not be considered authoritative due to the missing record.
Workaround:
None.
Fix:
The SOA record is now included as appropriate.
648715-2 : BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
Component: Local Traffic Manager
Symptoms:
LACP, STP, and LLDP PDUs sent from either of the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they shouldn't.
Conditions:
Provision any of the three protocols: LLDP, STP, or LACP and the PDU sent by the BIG-IP will incorrectly have a VLAN tag with a tag-id of 0 added to the PDU.
Impact:
Some 3rd party devices may reject the packet. This will adversely affect operation of the affected protocol.
Workaround:
None.
Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.
648639-3 : TS cookie name contains NULL or other raw byte
Solution Article: K92201230
Component: Application Security Manager
Symptoms:
The TS cookie name may intermittently contain NULL.
Conditions:
This can occur intermittently when ASM is provisioned and has a unique combination of security policy name and the server's cookie attributes (path and domain).
Impact:
False positives triggered on modified domain cookies.
Workaround:
To resolve this, change the security policy name.
Fix:
Fixed an issue with the TS cookie name length.
648621-1 : SCTP: Multihome connections may not expire
Component: TMOS
Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.
Conditions:
When the multi-homing connections have been forcibly deleted using a tmsh command.
Impact:
The multi-homing connections do not expire.
Workaround:
Do not manually delete the multi-homing connections.
648617 : JavaScript challenge repeating in loop when URL has path parameters
Solution Article: K23432927
Component: Application Security Manager
Symptoms:
The JavaScript challenge is repeating in a loop on URLs which have path parameters (when the URL contains the ';' character). The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.
Conditions:
URLs contain the ';' character, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.
Impact:
Requests with ';' character will be blocked and the browser will repeat the challenge in a loop.
Workaround:
None
Fix:
The JavaScript challenge no longer gets stuck in a loop on URLs which have path parameters.
648544-5 : HSB transmitter failure may occur when global COS queues enabled
Solution Article: K75510491
Component: TMOS
Symptoms:
An HSB transmitter failure may occur if global COS queues are enabled. The HSB transmitter failure is logged in the TMM log files.
Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.
Impact:
If this issue occurs then the BIG-IP is rebooted.
Workaround:
Do not use global COS queues.
Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.
648320-3 : Downloading via APM tunnels could experience performance downgrade.
Solution Article: K38159538
Component: Local Traffic Manager
Symptoms:
Multiple DTLS records can be packed into one UDP packet. When the packet size is too large, fragmentation can occur at the IP layer. This causes a high number of packet drops and therefore degraded performance.
Conditions:
When downloading using APM tunnels.
Impact:
High number of packet drops and inferior performance.
Workaround:
None.
Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.
648286-2 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
Component: Global Traffic Manager (DNS)
Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.
Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.
Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). You must manually select each entry to add to the member list.
Loss of functionality from earlier releases.
Workaround:
Manually select each entry to add to the member list.
Fix:
Restored behavior that selects the next available entry in list after pressing the Add button on GSLB Pool's Member manage page.
648270-4 : mcpd can crash if viewing a fast-growing log file through the GUI
Component: TMOS
Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.
Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.
Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.
648242 : Administrator users unable to access all partition via TMSH for AVR reports
Solution Article: K73521040
Component: Application Visibility and Reporting
Symptoms:
Querying AVR reports via TMSH can fail if the report contains partition-based entities, even for an administrator user (which should have permissions to all partitions).
Conditions:
Using TMSH to query partition-based stats with an administrator user.
Impact:
AVR reports via TMSH will fail when using partition based entities.
Workaround:
None.
Fix:
Administrator users can now query all available partitions.
648056-2 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
Solution Article: K16503454
Component: TMOS
Symptoms:
bcm56xxd constantly crashes, device goes off-line.
Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.
Impact:
Device goes off-line.
Workaround:
None.
Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.
648053-1 : Rewrite plugin may crash on some JavaScript files
Solution Article: K94477320
Component: Access Policy Manager
Symptoms:
Rewrite plugin may crash parsing JavaScript files in US ASCII encoding.
Conditions:
JavaScript file in US ASCII encoding (not in UTF-8).
Impact:
Rewrite plugin may crash parsing this file. No response is sent to client.
Workaround:
It is possible to use an iRule to change or add the 'charset' parameter in the 'Content-Type' response header so that it specifies 'UTF-8'.
Fix:
Now Portal Access rewrite correctly handles JavaScript data if the web page uses US ASCII encoding.
648037-2 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.
Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure a monitor for the pool.
Fix:
Fixed a tmm crash related to LB::reselect.
647988-3 : HSL Balanced distribution to Two-member pool may not be balanced correctly.
Solution Article: K15331432
Component: TMOS
Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.
Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-plane logging is in use, for example (but not limited to) the iRule command HSL::send.
Impact:
Log messages may not be distributed correctly, resulting in more load on a single pool member.
Workaround:
None.
Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.
647944-2 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
Component: TMOS
Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.
Conditions:
A FIX profile is in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:
- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.
Impact:
Traffic disrupted while mcpd restarts.
Fix:
Prevented MCP from crashing when the FIX profile is edited.
647757-2 : RATE-SHAPER:Fred not properly initialized may halt traffic
Solution Article: K96395052
Component: Local Traffic Manager
Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.
Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.
Impact:
Traffic is halted.
Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value of 9999 instead of default 0.
-- Use RED as drop policy instead of fred.
647137 : bigd/tmm con vCMP guests
Component: Local Traffic Manager
Symptoms:
bigd/tmm con vCMP guests.
Conditions:
Set up vCMP guest on VIPRION B2100, B4200, or B4300 blades.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
This release corrects this issue so the crash no longer occurs.
647108-1 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
Component: Access Policy Manager
Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1
Conditions:
When the saml-idp-connector is deleted first and then the associated SAML server.
Impact:
Cannot delete saml-idp-connector and associated server in that specific order.
Workaround:
Delete saml server first and then delete the saml connector.
Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.
646928-1 : Landing URI incorrect when changing URI
Component: Access Policy Manager
Symptoms:
User accesses resource1, and an access policy starts. Before the policy completes, the user changes to resource2. There is a warning page that the session already exists, and the user clicks to create a new session. After the policy completes, the user is directed to the landing URI of the resource1.
Conditions:
Attempting to change the landing URI in the middle of an access policy.
Impact:
End-user is inconveniently directed to the first resource instead of the second.
Fix:
Now the "To open a new session, please click here." link on the APM logout page reflects the last used landing URI rather than the first used landing URI.
646890-1 : IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
Solution Article: K12068427
Component: TMOS
Symptoms:
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.
Conditions:
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take effect without a racoon restart.
Impact:
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.
Workaround:
Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.
Fix:
Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.
646800-2 : A part of the request is not sent to ICAP server in a specific case
Component: Application Security Manager
Symptoms:
The portion of the request that is not sent to the ICAP server is not checked for viruses.
Conditions:
ICAP is configured.
Impact:
There might be a false negative on the anti-virus check.
Workaround:
N/A
646760 : Common Criteria Mode Disrupts Administrative SSH Access
Component: TMOS
Symptoms:
If Common Criteria mode is enabled, the administrative SSH interface on BIG-IP may become unavailable.
Conditions:
CC-mode enabled.
Impact:
SSH interface not available, sshd may fail to start.
Workaround:
There is no workaround at this time.
Fix:
Corrected the SSH configuration when in CC mode.
646643-2 : HA standby virtual server with non-default lasthop settings may crash.
Solution Article: K43005132
Component: Local Traffic Manager
Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.
Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools, or auto-lasthop disabled).
-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).
Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.
646615-1 : Improved default storage size for DNS Express database
Component: Global Traffic Manager (DNS)
Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.
Conditions:
DNS Express with configured zones.
Impact:
Possibly reduced database size.
Workaround:
N/A as this is an improvement.
Fix:
A tweak has been made to the DNS Express database to improve the initial database size.
646604-5 : Client connection may hang when NTLM and OneConnect profiles used together
Solution Article: K21005334
Component: Local Traffic Manager
Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.
Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.
Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.
646511-1 : BD crashes repeatedly after interrupted roll-forward upgrade★
Component: Application Security Manager
Symptoms:
If a roll-forward upgrade from version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.
Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.
Impact:
BD crashes repeatedly on subsequent attempts to start ASM.
Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:
tmsh modify sys db ucs.asm.traffic_data.save value disable
Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.
646443-1 : Ephemeral Node may be errantly created in bigd, causing crash
Solution Article: K54432535
Component: Local Traffic Manager
Symptoms:
When FQDN Ephemeral Nodes are being used at the same time as static Node objects, and there is a change in those objects, either via DNS resolver changes or manual changes to static nodes, there is a chance that one may be misidentified as the other during an update, causing a crash in bigd.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP configuration contains a mix of FQDN pool members or nodes, and static node objects.
-- You perform one of the following actions:
+ Modify current node settings
+ Create or delete nodes
Impact:
The bigd process restarts and produces a core file, causing interruption of pool member monitors.
Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.
Fix:
Fixed case where misidentification may occur, resulting in bigd running without crashing.
645805 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses
Solution Article: K92637255
Component: TMOS
Symptoms:
LACP PDUs generated by lacpd on the i4x00 and i2x00 platforms contain the wrong Ethernet source MAC address.
Conditions:
LACP configured on a trunk interface on i4x00 or i2x00 platforms.
Impact:
Some Cisco and Juniper switches discard these PDUs. They then send PDUs as if the BIG-IP system were not transmitting at all, with an all-zeros System ID in the 'Partner' section. This renders LACP inoperable, and the trunk simply does nothing if the far end is configured for 'Passive'.
Workaround:
None.
Fix:
The BIG-IP software now inserts the correct Source MAC address in the LACP PDU.
645729-1 : SSL connection is not mirrored if ssl session cache is cleared and resume attempted
Component: Local Traffic Manager
Symptoms:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.
Conditions:
A previous ssl session is attempting to resume the connection after the ssl session cache has been cleared.
Impact:
Connection is established but is not mirrored.
Workaround:
This can be avoided by disabling the SSL session cache.
Fix:
The SSL connection is now mirrored even if the SSL session cache is cleared before the SSL connection is resumed.
645723-2 : Dynamic routing update can delete admin ip route from the kernel
Solution Article: K74371937
Component: TMOS
Symptoms:
Routes obtained from dynamic routing (BGP, etc.) can replace the existing management route for the admin IP address, making the BIG-IP lose its management route. Static routes created via TMSH can also replace the management route.
Conditions:
Using TMSH to create "net route" that matches management network, or dynamic routing accepts a route that matches the management network.
Impact:
Losing the management network route, and potential loss of access to the BIG-IP via the management network.
Workaround:
Don't accept route updates for the management network. Don't create static routes for the management network.
Fix:
Management network admin IP address is now protected from being overwritten.
645717 : UCS load does not set directory owner
Component: TMOS
Symptoms:
When loading a UCS file, the directory /etc/ssh becomes owned by the first user in the UCS that has an .authorized_keys file.
Conditions:
A UCS is loaded that contains users with .authorized_keys files.
Impact:
Ownership of /etc/ssh is set to a non-root user after UCS load. This does not interfere with normal system operation or SSH authentication, but it does not follow secure coding practices.
Workaround:
Ownership of /etc/ssh can be restored with the command: chown root /etc/ssh
Fix:
UCS load now explicitly sets ownership of the /etc/ssh directory to root.
645684-2 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
Component: Access Policy Manager
Symptoms:
Flash ActionScript3 application components are loaded into an incorrect ApplicationDomain, and in rare cases this may cause application errors.
Conditions:
This can occur when viewing Flash video while connected to APM.
Impact:
Flash applications might fail to render through Portal Access.
Workaround:
None
Fix:
Flash files accessed through Portal Access now load components into the correct ApplicationDomain. This improves compatibility with Flash apps.
645663 : Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
Component: Local Traffic Manager
Symptoms:
Accelerated crypto and compression traffic may fail; stuck queue reports appear in logs.
Conditions:
Guests provisioned with more than 12 vcpus, and crypto or compression traffic passed through hardware acceleration.
Impact:
Can cause the hardware accelerator to fail and require host reboot.
Workaround:
Limit guest provisioning to 12 vcpus.
Fix:
Allow guests provisioned with more than 12 vcpus to operate without stalling hardware accelerators.
645615-2 : zxfrd may fail and restart after multiple failovers between blades in a chassis.
Solution Article: K70543226
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.
Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.
Impact:
zxfrd will create a core file and restart, picking up where it left off.
Workaround:
None.
Fix:
The cause of the failure is now addressed.
645480-3 : Unexpected APM response
Solution Article: K45432295
645339-2 : TMM may crash when processing APM data
Component: Access Policy Manager
Symptoms:
Under certain conditions TMM may crash while processing APM data
Conditions:
APM enabled
Impact:
TMM crash leading to a failover event
Fix:
TMM processes APM data as expected
645220-2 : bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
Component: Local Traffic Manager
Symptoms:
When mcpd debug logging is enabled, mcp messages sent to or received from the bigd daemon are logged with a username of "(user %-P)" or "(user %-S)" instead of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".
Conditions:
mcpd debug messages with the "(user %-P)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and multiple instances of bigd are running.
mcpd debug messages with the "(user %-S)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and a single instance of bigd is running.
Impact:
Confusion about which daemon is referenced in mcpd debug logs with username "(user %-S)" or "(user %-P)".
Fix:
mcpd debug messages sent to or received from the bigd daemon are correctly logged with a username of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".
645197-3 : Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change
Component: Local Traffic Manager
Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) accumulate in the monitor history. Upon monitor status change (such as to 'fail'), this history is sent (from 'bigd' to 'mcpd') to indicate the monitor's new status, plus historical context. This history may grow too large if no monitor status change is detected for an extended time (such as days or weeks) while unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from 'success' to 'fail'), notification from 'bigd' to 'mcpd' fails due to this too-large history, resulting in the monitor remaining in its previous state (i.e., 'success'). 'bigd' properly records the monitor status and continues to monitor, but 'mcpd' is not notified of that status change (due to the message-send failure caused by the history being too large).
This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating 'success'), as 'bigd' elides/merges the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (e.g., by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history continues to grow for that monitor until a status-change is detected.
Conditions:
-- Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp.
-- Success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from 'success' to 'fail').
Impact:
The monitor remains in the 'success' state, as the status change is lost ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes and again forwards status-change notifications for that monitor to 'mcpd'.
Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes.
(Receiving the same return-code elides/merges content with previously accumulated values in the monitor history.)
Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.
645179-6 : Traffic group becomes active on more than one BIG-IP after a long uptime
Component: TMOS
Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 4 traffic groups, the interval is ~1242 days.
-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- One or more traffic groups are configured.
-- The BIG-IP systems have a long uptime.
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fix:
Traffic groups no longer become active on more than one BIG-IP system in a device group after a long uptime interval.
645101-2 : OpenSSL vulnerability CVE-2017-3732
Solution Article: K44512851
645058-3 : Modifying SSL profiles in GUI may fail when key is protected by passphrase
Component: Local Traffic Manager
Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:
01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.
This can occur even when the passphrase already in the SSL profile is correct.
Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.
Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:
tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }
Impact:
User cannot update client SSL profile via the GUI.
Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.
Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.
645036-3 : Removing pool from virtual server does not update its status
Solution Article: K85772089
Component: Local Traffic Manager
Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.
Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.
Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.
Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.
Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.
Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.
644975-4 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
Solution Article: K09554025
Component: TMOS
Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.
Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.
Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.
Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.
2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.
3) Save the file and exit the text editor to install the root user's new crontab configuration.
4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.
5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.
6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.
7) If the previous command shows that MAILTO=root still appears in some files, also modify those files so that MAILTO=root becomes MAILTO="".
Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.
644970-1 : Editing a virtual server config loses SSL encryption on iSession connections
Component: Wan Optimization Manager
Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.
Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.
Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.
Workaround:
Modify the virtual server's configured server-side iSession profile. For example, toggle the iSession profile from A to B and then back to A.
Fix:
Editing a virtual server configuration no longer deletes an iSession dynamically configured default server-ssl profile.
644946-2 : Enabling mirroring on SIP or DIAMETER router profile affects per-client connection mode operation
Solution Article: K05053251
Component: Service Provider
Symptoms:
When the mirror flag is enabled in the siprouter and diameterrouter profiles, an outgoing connection created per client can be used by any client connection from the same IP address.
Conditions:
This occurs when the mirror flag is enabled in the siprouter and diameterrouter profiles.
Impact:
In the siprouter and diameterrouter profiles, enabling mirroring incorrectly enables the internal ignore_peer_port flag, which causes the router to ignore the remote port of the client-side connection when determining which outgoing per-client connection can be used for forwarding messages.
Workaround:
None.
Fix:
The ignore_peer_port flag is no longer affected by the setting of the mirror flag, which is correct functionality.
644904-5 : tcpdump 4.9
Solution Article: K55129614
644892-1 : Files captured multiple times in qkview
Component: TMOS
Symptoms:
When running a qkview, some files are captured more than once.
Conditions:
This occurs when generating a qkview.
Impact:
Some small files are duplicated in the qkview; there is no other impact.
Workaround:
None.
Fix:
Files are now captured only once when running qkview.
644873-2 : ssldump can fail to decrypt captures with certain TCP segmenting
Solution Article: K97237310
Component: Local Traffic Manager
Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.
The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data
Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.
Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.
Workaround:
None.
Fix:
ssldump now successfully decrypts such a capture and no longer crashes.
644855-2 : irules with commands which may suspend processing cannot be used with proactive bot defense
Component: Application Security Manager
Symptoms:
A request is dropped.
Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual (that is, it includes a command that parks, such as "after").
For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962
Impact:
All requests that trigger both proactive bot defense and the iRule are dropped.
Workaround:
N/A
Fix:
iRules that suspend execution no longer cause a request drop when proactive bot defense is assigned.
644851-2 : Websockets closes connection on receiving a close frame from one of the peers
Component: Local Traffic Manager
Symptoms:
A Websocket connection should be closed once an endpoint has both sent and received a Close control frame. BIG-IP closes the connection on receiving a close frame from one peer and does not wait for the close frame from the other endpoint. This results in data sent in the other direction being dropped.
Conditions:
Websocket and HTTP profile are attached to the virtual.
Impact:
One endpoint sends a Websocket Close control frame. Other endpoint continues sending data which is dropped by BIG-IP.
Fix:
Half-close of connection will be triggered instead of closing the connection entirely.
644822-2 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
Solution Article: K19245372
Component: Advanced Firewall Manager
Symptoms:
If AFM is provisioned, a FastL4 virtual server with the loose-init option enabled drops all RST packets that do not relate to any existing flows.
This behavior does not match the BIG-IP behavior when AFM is not provisioned.
Conditions:
-- AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.
Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option is enabled.
Workaround:
No workaround.
Fix:
FastL4 virtual servers with the loose-init option enabled now forward such RST packets.
644799-1 : TMM may crash when the BIG-IP system processes CGNAT traffic.
Solution Article: K42882011
Component: TMOS
Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.
Conditions:
A TMM connflow related to CGNAT traffic is expired.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.
644725-4 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
Solution Article: K01914292
Component: Application Security Manager
Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.
Conditions:
A reconfiguration / headers configuration happens while the ASM is removed from a VIP. This may happen especially in scripts that create a config or remove a config.
Impact:
ASM restarts. The system goes offline. A failover may happen.
Workaround:
Allow some time between applying a configuration change and removing ASM from the VIP.
644723-1 : cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
Component: TMOS
Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:
Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN
Conditions:
This is logged when disabling an interface.
Impact:
The log message says the interface is DOWN; it should say DISABLED.
644694 : FPS security update check ends up with an empty page when error occurs.
Component: Fraud Protection Services
Symptoms:
While checking for security updates in FPS, GUI may display an empty page caused by internal errors, such as network errors or temporary downtime.
Conditions:
-- Provision and license FPS.
-- Check for security updates.
Impact:
Empty page is presented, with no indication of what error occurred.
Workaround:
Use TMSH or REST API to perform an update check.
Fix:
Now, when an error occurs, the error will be displayed.
644693-3 : Fix for multiple CVE for openjdk-1.7.0
Solution Article: K15518610
644565-1 : MRF Message metadata lost when routing message to a connection on a different TMM
Component: Service Provider
Symptoms:
The system might choose to create a new outgoing connection when there is an available existing connection that can be used.
Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.
Impact:
Messages should still be delivered correctly, as the metadata is lost only after routing. There might be an impact if routing is retried and the ignore-peer-port setting has been lost; this might cause a new connection to be created even though an existing connection is available.
Workaround:
None.
Fix:
The system now ensures that the ignore-peer-port flag is preserved when forwarding a message to a connection on another TMM.
644490-1 : Finisar 100G LR4 values need to be revised in f5optics
Component: TMOS
Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.
Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.
Impact:
Occasional packet loss at the 100G physical layer.
Workaround:
Use 100G SR4 optics modules on the link if possible.
Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.
For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).
644489-1 : Unencrypted iSession connection established even though data-encrypt configured in profile
Solution Article: K14899014
Component: Wan Optimization Manager
Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.
Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
1) An error occurs during dynamic server-ssl profile replacement.
2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.
In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.
Impact:
An unencrypted iSession connection may be established, which is inconsistent with data-encrypt being enabled in the server-side iSession profile.
Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.
Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
2) An error occurs during dynamic server-ssl profile replacement.
644447-2 : sync_zones script increasingly consumes memory when there is network connectivity failure
Component: Global Traffic Manager (DNS)
Symptoms:
sync_zones memory usage increases exponentially during network disruption.
Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.
Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.
Workaround:
None.
Fix:
The sync_zones script now exits cleanly on network failure.
644418-2 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
Component: Local Traffic Manager
Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain including the self-signed certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.
Conditions:
This may occur when SSL Forward Proxy is in use.
Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.
Workaround:
None.
Fix:
In this release, the system excludes self-signed certificates from hash algorithm selection (which is correct behavior). This may prevent the forged certificate from using the SHA1 hash algorithm.
644404-1 : Extracting SSD from system leads to Emergency LCD alert★
Component: TMOS
Symptoms:
When an SSD in a dual-SSD system configuration is extracted, an emergency alert may be issued on the LCD. This does not match the actual severity (Warning) as reported in the LTM log.
Conditions:
Dual SSDs in any BIG-IP system where one has been selected for removal.
Impact:
LCD reports an Emergency-level alert, which does not match the actual Warning severity reported in the LTM log.
Workaround:
Clear the Emergency alert from the LCD.
Fix:
The classification for SSD removal has been changed to 'Warning' to match the LTM log level.
644220-3 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
Component: Global Traffic Manager (DNS)
Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.
Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.
Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.
Workaround:
None.
Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.
644184-4 : ZebOS daemons hang while AgentX SNMP daemon is waiting.
Solution Article: K36427438
Component: TMOS
Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.
Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive, which could be caused by several issues, such as snmpd calling an external script that takes several moments to return, or mcpd being slow to respond to snmpd queries.
Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.
Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.
Fix:
ZebOS daemons no longer hang while AgentX is waiting.
644112-2 : Permanent connections may be expired when endpoint becomes unreachable
Solution Article: K56150996
Component: Local Traffic Manager
Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.
Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.
Impact:
Tunnel, or other affected connection, will not pass traffic.
Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.
Fix:
Routing updates can no longer lead to expired permanent connections.
643813-2 : ZoneRunner does not properly process $ORIGIN directives
Component: Global Traffic Manager (DNS)
Symptoms:
During an import zone operation, ZoneRunner incorrectly associates the "@" directive with the zone name and not $ORIGIN specified.
Conditions:
If the zone file to be imported contains the $ORIGIN directive, the following "@" directives will reference the zone name, which is incorrect.
Impact:
Zones will not be imported correctly.
Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing into ZoneRunner.
The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)
For example, given a zone file named example.com.file that contains the following information:
"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3
The command is as follows:
named-compilezone -s full -o example.com.file.full example.com example.com.file
The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1
This output is correct. The new file can then be imported into ZoneRunner.
643785-3 : diadb crashes if it cannot find pool name
Component: Service Provider
Symptoms:
diadb utility crashes if it cannot find pool name.
Conditions:
-- diadb utility is running.
-- Pool name is not available in the Diameter persistence record.
Impact:
diadb utility crashes.
Workaround:
None.
Fix:
diadb will not crash even if it cannot find the pool name in the Diameter persistence record.
643777-2 : LTM policies with more than one IP address in TCP address match may fail
Solution Article: K27629542
Component: Local Traffic Manager
Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.
Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.
Impact:
The action configured with the match may not be taken.
Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.
Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.
643631 : Serverside connections on virtual servers using VDI may become zombies.
Solution Article: K70938130
Component: Local Traffic Manager
Symptoms:
Listing connections with "tmsh show sys connection all-properties" (please be cautious executing this command as it could have performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.
Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.
Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.
Workaround:
None.
Fix:
Expired serverside connections are properly torn down.
643602-2 : 'Select All' checkbox selects items on hidden pages
Component: Fraud Protection Services
Symptoms:
In the FPS GUI, clicking 'Select All' when the list contains more than 10 items selects all items, rather than just the items on the current page as would be expected.
Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:
On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.
Impact:
Unexpected behavior: items are deleted from pages that are not visible.
Workaround:
Check one or more items individually for deletion.
Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.
643582-2 : Config load with large ssl profile configuration may cause tmm restart
Component: Local Traffic Manager
Symptoms:
When doing a config load with a large number of ssl profiles tmm may become busy enough to cause mcp tcp connection to go down and cause tmm restart.
Conditions:
Doing a full config load with large number of ssl profiles.
Impact:
Possible tmm restart.
Workaround:
Doing incremental sync of changes can avoid this issue.
Fix:
A full configuration reload with a large number of ssl profiles may cause a tmm restart.
643554-12 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
Solution Article: K37526132 K44512851 K43570545
643547-1 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
Solution Article: K43036745
Component: Access Policy Manager
Symptoms:
Requests to /my.policy are not getting HTTP responses.
Log file '/var/log/apm' contains large number of error messages about failed XML data creation:
err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP APM system is configured with a large number of access policy agents.
-- You are performing an operation that requires the apmd process to start.
-- For example, your BIG-IP APM system is reloaded, you install a new image, or you manually restart the apmd process.
Impact:
APMD will not be able to process any requests.
Workaround:
For some configurations and platforms, you can use the following steps to recover:
- Remove all unused access policies (if applicable).
- Restart apmd.
Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.
643459-3 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
Solution Article: K81809012
Component: TMOS
Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.
Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.
Impact:
You are unable to login to the Configuration Utility.
Workaround:
Configure the Reverse Proxy to place the IP address of the BIG-IP in the Referer header.
Behavior Change:
Customers who are using the BIG-IP Configuration Utility behind a reverse proxy that does not transparently set the Referer header will be unable to log in.
Prior to the change, there were no restrictions on logging in.
643404-2 : 'tmsh system software status' does not display properly in a specific cc-mode situation★
Solution Article: K30014507
Component: TMOS
Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.
Conditions:
Trying to initiate a software change when there is no signature file available that corresponds to the selected software archive, and any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).
Impact:
It is difficult to ascertain why the software change cannot be made.
Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.
To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.
Fix:
The 'tmsh show system software status' now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso).
Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.
643396-2 : Using FLOW_INIT iRule may lead to TMM memory leak or crash
Solution Article: K34553627
Component: Local Traffic Manager
Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.
Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.
Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a memory leak in the FLOW_INIT iRule event.
643375-1 : TMM may crash when processing compressed data
Solution Article: K10329515
643294 : IGMP and PIM not in self-allow default list when upgrading from 10.2.x★
Component: TMOS
Symptoms:
IGMP or PIM not in self-allow by default after upgrade.
Conditions:
Upgrade from 10.2.x.
Impact:
Advanced routing with multicast or PIM does not work when configured after upgrade with the default self-allow list.
Workaround:
Manually add PIM or IGMP to self-allow default.
643210-2 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
Solution Article: K45444280
Component: Local Traffic Manager
Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.
Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.
Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.
Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.
Fix:
The BIG-IP no longer deletes keys from the SafeNet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.
Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.
Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.
Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.
643187-2 : BIND vulnerability CVE-2017-3135
Solution Article: K80533167
643143-2 : ARP and NDP packets should be QoS/DSCP marked on egress
Component: Local Traffic Manager
Symptoms:
There is currently no way to prioritize ARP/NDP traffic on BIG-IP or configure QoS on TMM-originated ARP/NDP packets.
Conditions:
ARP and/or NDP is in use.
Impact:
When the BIG-IP system's CPU is saturated, there is a possibility that ARP and NDP packets might be dropped.
Workaround:
N/A
Fix:
You can now configure QoS on TMM-originated ARP/NDP packets.
To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority
To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority
Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.
These variables are set with the following commands:
tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]
Behavior Change:
You can now configure QoS on TMM-originated ARP/NDP packets.
To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority
To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority
Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.
These variables are set with the following commands:
tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]
643121-1 : Failed installation volumes cannot be deleted in the GUI.
Component: TMOS
Symptoms:
Failed installation volumes aren't displayed under Disk Management and, therefore, cannot be deleted.
Conditions:
Have a failed installation volume.
Impact:
Cannot use the GUI to delete failed installation volumes.
Workaround:
Use tmsh to delete failed installation volumes using a command similar to the following:
tmsh delete /sys software volume <HDx.y>.
For example, to delete software volume HD1.0, use the following command:
tmsh delete /sys software volume HD1.0.
Fix:
Failed installation volumes can now be deleted in the GUI.
643054-2 : ARP and NDP packets should be CoS marked by the switch on ingress
Component: Local Traffic Manager
Symptoms:
When ARP and NDP requests are dropped, ARP caches can time out, and peer nodes may fail to resolve the BIG-IP system's self-IP addresses or virtual servers.
Conditions:
TMM0 is saturated and dropping packets.
Impact:
ARP requests can be dropped, and peer devices, such as routers and monitored devices, can fail to resolve the BIG-IP system's address.
Workaround:
None.
Fix:
You can now use db variables to control internal traffic priority for ingress ARP/NDP packets in the switch.
-- arp.priority : high/normal (default)
-- ipv6.nbr.priority : high/normal (default)
The 'normal' value is the default.
-- Setting arp.priority to high raises ARP packet priority.
-- Setting ipv6.nbr.priority to high raises NDP packet priority.
Behavior Change:
You can now use db variables to raise the internal traffic priority for ingress ARP/NDP packets in the switch.
-- arp.priority : high/normal (default)
-- ipv6.nbr.priority : high/normal (default)
-- Setting arp.priority to high raises ARP packet priority.
-- Setting ipv6.nbr.priority to high raises NDP packet priority.
643041-4 : Less than optimal interaction between OneConnect and proxy MSS
Solution Article: K64451315
Component: Local Traffic Manager
Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.
Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.
Impact:
Decreased throughput, possible congestion due to small segments.
Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.
Fix:
This release provides improved interaction between OneConnect and proxy MSS. By default, proxy MSS is disabled with OneConnect. This is controlled by the db variable TM.Tcp.OC.ProxyMSS.
643034-1 : Turn off TCP Proxy ICMP forwarding by default
Solution Article: K52510343
Component: Local Traffic Manager
Symptoms:
Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.
Conditions:
Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT are active.
Impact:
Peers use suboptimal Path Maximum Transmission Units (PMTUs).
Workaround:
For TCP and UDP proxies, ensure proxy-mss is disabled in the profile.
OR
Disable MTU caching on pool members.
Fix:
There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.
Behavior Change:
The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier.
For TCP proxies to forward ICMP PMTU messages now requires BOTH proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).
643013 : DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
Component: TMOS
Symptoms:
DAGv2 is a new DAG type and is designed to run on new platforms, including i5600, i5800, i7600, i7800, i10600, i10800 platforms. DAGv2 was not ready when these platforms were first released. DAGv2 is enabled on these platforms in v12.1.3.
Conditions:
i5600, i5800, i7600, i7800, i10600, i10800 platforms.
Impact:
No functional impact. This is simply an announcement of a change in the DAG version.
Workaround:
None.
Fix:
DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3.
642983-1 : Update to max message size limit doesn't work sometimes
Solution Article: K94534313
Component: Device Management
Symptoms:
There is a cap on all REST request/response message sizes. By default it is set to 32 MB, and you can modify it to a higher limit using the /mgmt/shared/server/messaging/settings/8100 REST endpoint. However, the REST framework may not apply this change.
When this occurs, you will see a 501 Bad Gateway error from Apache and an error message like "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in the restjavad log (/var/log/restjavad.0.log).
Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.
Impact:
The REST framework applies the message body limit only to the incoming request and response. If the incoming request results in further requests to iControl REST or restnoded, the same settings (message body limit) are not applied to them.
Workaround:
None.
Fix:
Messaging settings are now applied on requests/responses rather than on the RestServer, because forwarded outgoing requests/responses do not have a server instance attached to the request.
642982-3 : tmrouted may continually restart after upgrade, adding or renaming an interface★
Solution Article: K23241518
Component: TMOS
Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.
Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.
Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.
Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.
Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.
642952 : platform_check doesn't run PCI check on i11800
Component: TMOS
Symptoms:
When "platform_check misc" is run, it will return
Miscellaneous Tests
PCI: NOT RUN
Test not available on this platform
Conditions:
This always happens.
Impact:
No platform check for PCI is executed.
Workaround:
There is no workaround.
Fix:
This is fixed; the platform check for PCI is now executed.
642923-2 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
Component: TMOS
Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.
Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.
There are a number of ways that this issue may manifest.
For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).
*Note: Depending on the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a rough estimate of the number of filestore objects that might cause this issue to occur.
Impact:
mcpd restarts, which causes a system to go offline and restart services.
Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:
modify sys daemon-ha mcpd heartbeat disable
Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.
Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.
To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.
Fix:
A possible case where mcpd goes too long without updating the heartbeat has been fixed by replacing one algorithm with a more efficient one.
642874-1 : Ready to be Enforced filter for Policy Signatures returns too many signatures
Solution Article: K15329152
Component: Application Security Manager
Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.
Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.
Impact:
Incorrect results are shown as a result of the filter.
Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.
Fix:
The "Ready to be Enforced" filter works correctly.
642723-3 : Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
Component: TMOS
Symptoms:
In version 11.4.0, when pendsect was introduced, the Western Digital WD1600YS-01SHB1 hard drive was not supported. This drive was used in very early shipments of the 1600/3600 products.
If you are running 11.4.0 and have a WD1600YS-01SHB1, you might see the following errors in /var/log/ltm:
-- notice pendsect[1662]: skipping drive -- Model: WDC WD1600YS-01SHB1
-- notice pendsect[1662]: No known drives detected for pending sector check. Exiting
Conditions:
-- Running 11.4.0.
-- Using WD1600YS-01SHB1 hard drives.
Impact:
The only impact is a pendsect notice in /var/log/ltm. The hard drive operates as expected.
Workaround:
There is no mitigation or workaround for this issue.
Fix:
The WD1600YS-01SHB1 hard drive was added to the supported list of hard drives in versions 11.5.x, 11.6.x, and 12.1.3.
642703-2 : Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
Component: TMOS
Symptoms:
Installation from external media (PXE or USB) fails with error:
error: status 768 returned by command: /sbin/lvcreate -L -4719088K -n dat.share vg-db-cpmirror
info: >++++ result:
info: Negative size is invalid
info: Run `lvcreate --help' for more information.
info: >----
error: MultiVolume_add cpmirror.dat.share failed.
Conditions:
-- i5000, i7000, i10000, i11000, and i12000 platforms.
-- Installation from external media (PXE or USB).
-- Running software v12.1.2 or v13.0.0.
Impact:
System is non-functional. It will not work at all, until an 'installation from external media' is performed. There is no software on the system because the operation failed during the early stages of a formatting installation.
Workaround:
Use an earlier version for the formatting installation, such as 12.1.1, and then upgrade to the target version.
Fix:
The error no longer occurs; the formatting installation succeeds.
642659-2 : Multiple LibTIFF Vulnerabilities
Solution Article: K34527393
642400-2 : Path MTU discovery occasionally fails
Component: Local Traffic Manager
Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.
Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.
Impact:
The connection may stall as large TCP segments are continually retransmitted.
Workaround:
Configure the MSS in the TCP profile to match the lowest MSS on the path. Alternatively, disable Path MTU discovery with the tm.pathmtudiscovery database key.
Fix:
Path MTU discovery functions correctly with the TCP profile.
642330-2 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: Global Traffic Manager (DNS)
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.
642314-2 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
Solution Article: K24276198
Component: TMOS
Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.
Conditions:
Create a GTM pool with a canonical-name ending with a dot, for example "cname-with-dot.com.", in v11.x and then upgrade to v12.x or v13.x.
Impact:
gtm config load failure after upgrade.
Workaround:
Remove trailing dots or set "Domain Validation" to "none".
Fix:
Upgrading from 11.x to 12.x or 13.x with a GTM pool whose canonical-name ends with a dot now removes the trailing FQDN dot.
642298-3 : Unable to create a bidirectional custom persistence record in MRF SIP
Component: Service Provider
Symptoms:
Setting a persistence key via iRule sets the persistence entry as uni-directional.
Conditions:
Setting a persistence key via iRule sets the persistence entry as uni-directional.
Impact:
Custom SIP persistence entries cannot be bidirectional.
Fix:
This change adds a new SIP::persist key to set or reset the persistence entry as bidirectional.
642284 : Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
Component: Carrier-Grade NAT
Symptoms:
Memory corruption caused by closing a PCP connection while requests are being processed.
Conditions:
This can occur when a PCP client sends multiple requests and closes before receiving the replies. When the client OS receives a reply it will send an ICMP destination unreachable message which causes the BIG-IP to close the PCP connection. If the PCP connection is closed while a request is being processed, memory corruption may occur when the request completes.
Impact:
When memory corruption occurs, TMM may crash or assert. Traffic disrupted while tmm restarts.
Fix:
Closing the PCP connection will not cause memory corruption.
642221-2 : Incorrect entity is used when exporting TCP analytics from GUI
Component: Application Visibility and Reporting
Symptoms:
When exporting statistics from the TCP Analytics page, the resulting data is for the default "view by" entity rather than the one that is actually selected.
Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.
Impact:
Incorrect data is being exported.
Workaround:
Use tmsh.
Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.
642211-2 : Warning logged when GENERICMESSAGE::message drop iRule command used
Component: Service Provider
Symptoms:
When submitting an iRule script using GENERICMESSAGE::message drop iRule command, a warning message is returned.
Conditions:
This occurs when saving an iRule that contains GENERICMESSAGE::message drop.
Impact:
A warning message is returned.
Workaround:
NA
Fix:
iRule validation was improved to allow GENERICMESSAGE::message drop commands.
642185-1 : Add support for IBM AppScan scanner schema changes
Component: Application Security Manager
Symptoms:
IBM AppScan changed schema for its report file.
Conditions:
Using IBM AppScan for reporting.
Impact:
Data from new IBM AppScan scanner report file is not extracted properly for URL, parameters and cookies.
Workaround:
None.
Fix:
Added support for IBM AppScan scanner schema changes.
642068-1 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
Component: Policy Enforcement Manager
Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.
Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.
Impact:
PEM sessions remain in the marked-for-delete state.
Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.
Note: The value must be greater than 0 (zero).
Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.
642058-1 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
Component: TMOS
Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.
The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic
The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic
The interface will report in tmsh as down:
tmsh show net interface 5.0
--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
In Out In Out
--------------------------------------------------------
5.0 down 0 0 0 0 0 0 none
Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.
Impact:
The CBL-0138-01 will not work.
Workaround:
None.
Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.
642039-2 : TMM core when persist is enabled for wideip with certain iRule commands triggered.
Solution Article: K20140595
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV.
Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable persist on wideip.
Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.
Fix:
TMM no longer cores when persist is enabled for wideip with certain iRule commands triggered.
642015-2 : SSD Manufacturer "unavailable"
Component: TMOS
Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable".
Conditions:
BIG-IP system with SSD installed.
Impact:
No functional impact, cosmetic only.
Workaround:
No workaround, but the issue is only cosmetic and does not indicate a problem with the system.
Fix:
SSD Manufacturer now displays "Samsung" as expected.
641869-1 : Assertion "vmem_hashlist_remove not found" failed.
Solution Article: K62744980
Component: Local Traffic Manager
Symptoms:
TMM cores with the following assertion: "vmem_hashlist_remove not found" failed.
Conditions:
It is unknown what leads to that situation directly.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The memory function fails the allocation gracefully.
641753-2 : Syncookies activated on a genuine connection gets reset almost 30-50% of the time
Component: TMOS
Symptoms:
Syncookies activated on a genuine connection to a TCP-based virtual server gets reset almost 30%-50% of the time.
Conditions:
-- VADC platform when syncookie protection mode is configured and activated on a virtual server.
Note: This issue might also occur on v12.x systems using the L7-intelligent-fpga HSB firmware.
Impact:
Potential performance impact.
Workaround:
None.
Fix:
When syncookie protection mode is activated, all the genuine connections go through as expected, so there are no resets.
641612-2 : APM crash
Solution Article: K87141725
641574 : AVR doesn't report on virtual and client IP in DNS statistics
Solution Article: K06503033
Component: Application Visibility and Reporting
Symptoms:
On the analytics DNS page, the virtual and client IP stats will be shown as "Aggregated".
Conditions:
This can be seen in DNS analytics, when view-by virtual or client-ip is selected.
Impact:
DNS statistics show incomplete results.
Workaround:
None.
Fix:
AVR now provides the complete report results on virtual and client IP in DNS statistics.
641512-4 : DNSSEC key generations fail with lots of invalid SSL traffic
Solution Article: K51064420
Component: Local Traffic Manager
Symptoms:
DNSSEC keys can roll over periodically. This rollover fails, leaving no keys to sign DNSSEC queries (no RRSIG records), when the BIG-IP is handling a lot of SSL traffic with invalid certificates.
The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.
Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include but not limited to lots of SSL traffic with invalid certificates).
Impact:
New DNSSEC key generations are not accepted by the TMM, so when the prior generation expires there is no valid certificate to sign DNSSEC queries.
Workaround:
Restart the TMM after the new key generation is created.
Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.
641491-2 : TMM core while running iRule LB::status pool poolname member ip port
Solution Article: K37551222
Component: Local Traffic Manager
Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:
-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.
Example iRule syntax:
gtm rule pool_member_selection {
when DNS_REQUEST {
LB::status pool pool-one member 10.0.0.10 80
}
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the format 'ip:port' or a virtual server name instead of 'ip port'. The following are two examples:
1.
gtm rule rule_crash_test {
when DNS_REQUEST {
LB::status pool pool-one member 10.2.108.100:80
}
}
2.
gtm rule rule_crash_test {
when DNS_REQUEST {
LB::status pool pool-one member pool_vs_name
}
}
Fix:
An iRule response to a DNS request no longer triggers TMM to produce a core file and restart.
641482-2 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received
Component: Policy Enforcement Manager
Symptoms:
The BIG-IP subscriber session remains in the delete pending (stale) state if the acknowledgement received from Gx or Gy for a CCR-T request carries a Result-Code marked as failure.
Conditions:
The stale session occurs during subscriber termination if any CCR-T request for Gx or Gy receives an acknowledgement with a non-SUCCESS value in the Result-Code AVP.
Impact:
The subscriber session on the BIG-IP stays in the delete pending (stale) state.
Workaround:
A tmm restart cleans up all the stale sessions.
Fix:
The fix cleans up the session when a CCR-T acknowledgement is received, irrespective of the Result-Code AVP.
641450 : A transaction that deletes and recreates a virtual may result in an invalid configuration
Solution Article: K30053855
Component: TMOS
Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.
Config load error:
01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.
Configuration-change-time error in /var/log/ltm:
err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>
Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).
Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.
Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
1. Delete virtual server.
2. Create virtual server (with an empty profile list).
3. Modify the virtual server's profile list.
641445-1 : iControl improvements
Solution Article: K22317030
641390-5 : Backslash removal in LTM monitors after upgrade
Solution Article: K00216423
Component: TMOS
Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.
Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.
Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.
For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.
ltm monitor https /Common/my_https {
adaptive disabled
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
defaults-from /Common/https
destination *:*
interval 5
ip-dscp 0
recv "Test string"
recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
send Test
time-until-up 0
timeout 16
username test\\\"me
}
Impact:
The monitor fails to load.
Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.
Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.
641360-2 : SOCKS proxy protocol error
Solution Article: K30201296
641307-2 : Response Page contents are corrupted by XML policy import for non-UTF-8 policies
Component: Application Security Manager
Symptoms:
If non-UTF-8 policy has Response Pages configured with non-ASCII characters, the Response Page contents will be corrupted by an XML export/import.
Conditions:
1) Response pages are configured with Non-ASCII characters in a non-UTF-8 Policy.
2) The Policy is exported via XML export.
Impact:
Response Page contents are corrupted
Workaround:
1) Use binary policy export/import for non-UTF-8 policies.
or
2) Encode the non-ASCII characters using their HTML entity/code representations. (Example: 日本語 -> &#26085;&#26412;&#35486;)
Fix:
Response Page contents are correctly exported.
641256-1 : APM access reports display error
Solution Article: K43523962
641248 : IPsec-related tmm segfault
Component: TMOS
Symptoms:
The tmm cores and all connections are reset.
Conditions:
Race condition during IPsec tunnel tear down.
Impact:
The tmm restarts and all connections reset. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The IPsec-related tmm segfault has been corrected.
641083-2 : Policy Builder Persistence is not saved while config events are received
Component: Application Security Manager
Symptoms:
Policy Builder Persistence is not saved while config events are received.
Conditions:
This occurs when there are many changes made to the policy.
Impact:
Statistics are lost after pabnagd restarts.
Workaround:
None.
Fix:
Persistence is now saved every 24 hours.
641013-5 : GRE tunnel traffic pinned to one TMM
Component: TMOS
Symptoms:
GRE tunnel traffic can all be sent to one TMM if the BIG-IP does not proxy the GRE tunnel and instead uses a forwarding virtual server to handle GRE tunnel traffic.
Conditions:
A forwarding virtual server is used to handle GRE tunnel traffic.
Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.
Workaround:
None.
Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.
640903-1 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
Component: Global Traffic Manager (DNS)
Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.
Conditions:
The preference setting "Records per screen" is set to a high value. A value of 50 or more starts causing the page to load very slowly.
Impact:
Extremely long page load time.
Workaround:
Prior to the fix, the workaround is to set the preference setting "Records per screen" to a low value. The default value of 10 is fine.
Fix:
The page can now load hundreds of records on a single screen in under 3 seconds.
640824-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
Solution Article: K20770267
Component: Application Security Manager
Symptoms:
Upon first start after upgrade, the following error messages appear in asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead
crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted
info perl[21860]: 01310053:6: ASM starting
-------------------------
Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.
Impact:
Upgrade fails.
Workaround:
Upgrade by saving a UCS, performing a clean install, and then loading the UCS.
In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error so that the UCS loads fine.
There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never
2) Do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------
Fix:
Roll-forward upgrade including traffic data now works correctly.
640809-1 : Merged constantly restarts★
Solution Article: K79892782
Component: Local Traffic Manager
Symptoms:
Merged constantly restarts. This may occur on upgrade or after merged restarts after enabling debug logging.
The system logs the following error signature in /var/log/user.log:
err merged[27984]: isc/libev evGetNext: Bad File Descriptor: 5, errno: 9 Bad file descriptor.
notice logger: Started writing core file: /var/core/merged.bld0.0.249.core.gz for PID 27984.
Conditions:
log-config filter level is debug and merged restarts.
Note: 'level debug' is the default for a log-config filter, so the following filter results in debug logging:
sys log-config filter myfilter {
publisher mypub
}
Impact:
Merged restarting may impact stats collection. It can also impact qkview generation: the statistics may be corrupt or missing, and the GUI might return "General database error retrieving information."
Workaround:
If you are encountering this, you can run the following tmsh commands to set the log level to the warning level.
Impact of procedure: This will disable debug logging of merged.
tmsh modify sys log-config filter <HSL-Filter-Name> level warn
tmsh save sys config
640768 : Kernel vulnerability: CVE-2016-10088
Solution Article: K05513373
640636-3 : F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
Component: TMOS
Symptoms:
Inserting a 40G optic into a 100G port, or inserting a 100G optic into a 40G port, shows the optic as "Unsuported Optic". That is not correct; the optic may be supported, just inserted in the wrong port.
Conditions:
B4450 Blades with 100G or 40G optics inserted in a port that does not support that speed optic.
Impact:
The user may be confused about why the optic is not working, because the error message is misleading when the optic is inserted in the wrong port.
Workaround:
If the optic shows up in "tmsh list net interface" as "Unsuported Optic", remove the optic and verify that the optic speed matches the port.
Fix:
The "tmsh list net interface" will now show:
module-description "F5 Qualified Optic in invalid port"
And the LCD warning message will show:
Optic OPT-XXXX not valid in Interface <InterfaceNumber>.
640565-1 : Incorrect packet size sent to clone pool member
Solution Article: K11564859
Component: Local Traffic Manager
Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.
Conditions:
Clone pool is configured on a virtual server.
Impact:
Clone pool members may get traffic exceeding the link MTU.
Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
640521-1 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
Component: Access Policy Manager
Symptoms:
When connecting to a public network that has a Captive Portal, and the Captive Portal uses the jQuery library for mobile devices, EdgeClient does not render the login page for that Captive Portal.
Conditions:
Using a public network with a Captive Portal that uses the jQuery library for mobile devices.
Impact:
EdgeClient cannot establish a VPN connection.
Workaround:
Use a browser to authenticate to the Captive Portal. For a locked client, there is no suitable workaround.
Fix:
Edge Client can now successfully interact with a greater number of Wi-Fi captive portals.
640510-3 : BWC policy category attachment may fail during a PEM policy update for a subscriber.
Component: Policy Enforcement Manager
Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.
Conditions:
PEM policies for a subscriber are modified such that the BWC policy stays the same while the BWC category changes.
Impact:
Use cases dependent on BWC can be impacted.
Fix:
Code changes were added such that BWC policy and category changes through PEM are handled correctly.
640457-2 : Session Creation failure after HA
Component: Policy Enforcement Manager
Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.
Conditions:
Intra-chassis HA is configured. One of the blades goes down and comes back up very rapidly, and some subscriber sessions are lost.
An attempt to add a lost subscriber again fails.
Impact:
A set of subscribers lost during HA will never be added back.
Workaround:
No workaround.
640407-1 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
Component: Service Provider
Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.
Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use iRule commands that get or set connection state during the CLIENT_CLOSED iRule event.
640384-3 : New iRule options for MR::message route command
Component: Service Provider
Symptoms:
When routing a message via the MR::message route command, the connection-mode and max-connections attributes are not settable.
Conditions:
This is encountered when using the MR::message or MR::peer iRule commands and you wish to set the connection mode or max connections.
Impact:
For applications where other connection-modes are required (for example PER_CLIENT), this cannot be implemented via iRule.
Workaround:
NA
Fix:
New keywords added to the MR::message route command allow specification of the connection-mode and max-connections attributes of the temporary route added to the message.
640376-3 : STPD leaks memory on 2000/4000/i2000/i4000 series
Solution Article: K46452834
Component: Local Traffic Manager
Symptoms:
The STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs grows in physical memory usage indefinitely, so long as its role in the tree results in sending BPDU packets. The memory growth is faster for each additional interface that is sending BPDUs.
Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. The memory increase can be seen when tracking the process with the Linux top command, e.g.:
top -b -n 1 | grep stpd
The 5th and 6th columns, 'VIRT' and 'RES', slowly increase over time, indicating the memory leak.
Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.
Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured in such a way that the affected platforms do not generate BPDUs. This can be done by choosing a root such that the affected platforms' interfaces are in blocking mode or, if possible, in passthrough mode.
Fix:
The BPDU code now releases the memory allocated for each BPDU packet created and sent.
640369-2 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.
Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan
TMM may respond directly using the auto-lasthop feature and not via the route lookup.
Impact:
Traffic may not follow the expected path.
Fix:
TMM now correctly honors the configured auto-lasthop option for ICMPv6 traffic.
640352-2 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
Solution Article: K01000259
Component: Local Traffic Manager
Symptoms:
Connflow entry memory is leaked when the BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between the DHCP client and the BIG-IP system sets the giaddr field to itself, after the created connflows are aged out in a particular order.
Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) A DHCP relay agent that sits between the DHCP client and the BIG-IP system sets the giaddr field in the DHCP renewal packet to itself (this has been observed with Cisco devices), so that the DHCP renewal packet is sent to the relay agent by the DHCP servers.
3) The connflow created to giaddr (the relay agent) ages out before the connflows created to DHCP clients.
Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.
Workaround:
None.
Fix:
The reference count for giaddr connflows is now decremented when the client-side connflow is removed, preventing the memory leak.
639970-3 : GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error
Component: Local Traffic Manager
Symptoms:
Client SSL profile certificate extension names switch to numbers if there is any validation error on save.
Conditions:
Create or modify a client SSL profile in a way that produces a validation error, and click Finished/Update.
Impact:
No functional impact: certificate extensions names switch to their number representation, but if you correct the actual validation error and submit the change, the saved object will have the expected set of certificate extensions.
Workaround:
Use TMSH to create/update client SSL profile.
Fix:
The GUI now displays client SSL profile certificate extension names even if there is a validation error.
639929-2 : Session variable replace with value containing these characters ' " & < > = may cause tmm crash
Component: Access Policy Manager
Symptoms:
TMM crash with session variable being replaced with a value containing one of the following special characters:
' " & < > =
Conditions:
Session variable replace with value containing the following characters:
' " & < > =
Impact:
Traffic disrupted while tmm restarts.
Workaround:
If possible, avoid session variable values containing ' " & < > =. Otherwise, there is no workaround.
Fix:
Session variable overwrite operation with value containing special characters now works correctly.
639767-2 : Policy with Session Awareness Statuses may fail to export
Component: Application Security Manager
Symptoms:
ASM policy with many Session Awareness Statuses may fail to export.
Conditions:
There are many Session Awareness Statuses configured for the policy.
Impact:
ASM policy export will fail.
Workaround:
Remove all Session Awareness Statuses before export.
Fix:
ASM policy export only includes Session Awareness Statuses set to "Block All", and completes reliably.
639764-2 : Crash when searching external data-groups with records that do not have values
Component: Local Traffic Manager
Symptoms:
TMM may crash when searching an external data-group that has at least one record with an empty value.
Conditions:
For example, this occurs if the data-group is defined as follows, where the key for network 10.40.0.0/13 has no value:
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",
A search of the data-group above with the -value or -element options, where at least one of the result records has no value, will most likely result in a TMM crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Make sure that every record in the external data-groups has a value.
Fix:
Searching values in an external data-group where result will contain at least one value with an empty value no longer results in a TMM crash. A -value search will yield an empty string for the records that do not have a value.
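As an added example (not part of the release note or of BIG-IP code), a pre-load check for the workaround above: it parses an external data-group file in the `key := "value",` layout quoted in the Conditions, reports records that carry no value, and shows a -value style lookup that returns an empty string for such records, the post-fix behaviour. The file layout is assumed from the entry and the sample records are constructed from it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Record layout assumed from the release note (constructed, not an
# authoritative grammar): one record per line, optionally followed by
# ':= value' and a trailing comma. A line with no ':= value' part is
# exactly the kind of record that bug 639764-2 describes.
RECORD_RE = re.compile(
    r'^\s*(?P<key>(?:network|host)\s+[^\s,]+|"[^"]*"|[^\s,:]+)'
    r'(?:\s*:=\s*(?P<value>"(?:[^"\\]|\\.)*"|[^\s,]+))?'
    r'\s*,?\s*$'
)

# Sample file contents, constructed from the records quoted in the entry.
DATAGROUP_SAMPLE = '''\
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",
'''


@dataclass
class Record:
    line_no: int
    key: str
    value: Optional[str]  # None when the record carries no value


def parse_external_datagroup(text: str) -> List[Record]:
    """Parse the data-group file into records; raises on malformed lines."""
    records: List[Record] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"line {line_no}: cannot parse record {raw!r}")
        value = m.group("value")
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # drop the enclosing quotes
        records.append(Record(line_no, m.group("key"), value))
    return records


def records_without_value(text: str) -> List[Record]:
    """The pre-load check behind the workaround: list records with no value."""
    return [r for r in parse_external_datagroup(text) if r.value is None]


def lookup_value(records: List[Record], address: str) -> Optional[str]:
    """Longest-prefix match of an address against the 'network' records.

    Returns None when nothing matches and "" for a matching record that
    has no value, which is the post-fix behaviour the entry describes for
    a -value search (an empty string instead of a crash).
    """
    ip = ipaddress.ip_address(address)
    best: Optional[Record] = None
    best_len = -1
    for rec in records:
        if not rec.key.startswith("network "):
            continue
        net = ipaddress.ip_network(rec.key.split(None, 1)[1], strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = rec, net.prefixlen
    if best is None:
        return None
    return best.value if best.value is not None else ""


if __name__ == "__main__":
    for rec in records_without_value(DATAGROUP_SAMPLE):
        print(f"line {rec.line_no}: record '{rec.key}' has no value")
```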
639750-1 : username aliases are not supported
Component: Fraud Protection Services
Symptoms:
It is a common practice to use aliases for a username; for example, an app might allow users to log in with either their ID, cell number, or nickname.
WebSafe does not support username aliases.
Conditions:
This is encountered when your application uses username aliases.
Impact:
You are unable to use username aliases in your applications.
Workaround:
None.
Fix:
A new ANTIFRAUD iRule command is provided for setting the username (replacing the username alias with the "real" username).
639744-1 : Memory leak in STREAM::expression iRule
Solution Article: K84228882
Component: Local Traffic Manager
Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.
Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.
Impact:
This causes a memory leak in tmm.
Workaround:
None.
Fix:
This release fixes a memory leak in STREAM::expression iRule.
639729-2 : Request validation failure in AFM UI Policy Editor
Solution Article: K39428424
639619-3 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems★
Component: TMOS
Symptoms:
The following error is logged to /var/log/ltm when attempting to load a UCS:
'Symmetric Unit Key decrypt failure - decrypt failure'
The configuration then fails to load due to a secure attribute decryption failure.
Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)
Impact:
The configuration fails to load.
Workaround:
Perform the following procedure:
1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot
Fix:
The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.
639575-5 : Using libtar with files larger than 2 GB will create an unusable tarball
Component: TMOS
Symptoms:
Programs such as qkview create a .tar file (tarball) using libtar. If any of the files collected are greater than 2 GB, the output tar file cannot be read by /bin/tar.
This occurs due to a limitation of the file compression library employed by the qkview command; the system cannot collect files larger than 2 GB in size in a qkview.
The qkview command may generate output that iHealth cannot parse, and that the tar command cannot extract.
Conditions:
-- The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
-- A 2 GB or larger file exists in a directory that qkview normally collects.
Impact:
No usable qkview diagnostics file is created. Although you can extract the qkview tarball using /usr/bin/libtar, the file will be a zero-length file. You cannot submit the qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.
Workaround:
Remove the file larger than 2 GB from the system prior to running qkview or other program that uses libtar.
Fix:
With the fix to the third-party libtar library, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.
639505-3 : BGP may not send all configured aggregate routes
Component: TMOS
Symptoms:
As a result of a known issue, BGP may not send all configured Aggregate routes if one is a supernet of another.
Conditions:
- BGP established sessions.
- BGP configuration contains several aggregate routes, one or more being a supernet of others.
Impact:
The smaller-prefix aggregate (the least specific) may not be sent to the BGP peer.
Fix:
BGP now sends all configured aggregates.
Behavior Change:
BGP now sends all configured aggregates, even if one is a supernet of another.
639486-4 : TMM crash due to PEM usage reporting after a CMP state change.
Component: Policy Enforcement Manager
Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.
Conditions:
A CMP state change (due to a card reboot, disable, enable, insert, or remove) occurs during or right before a PEM usage reporting action.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The error condition is now handled gracefully instead of asserting.
639395-2 : AVR does not display 'Max read latency' units.
Solution Article: K91614278
Component: Application Visibility and Reporting
Symptoms:
AVR does not display units for 'Max Read Latency'.
Conditions:
AVR, ASM, DoS, or AFM are provisioned.
Impact:
No units are displayed.
Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.
Fix:
Added units (microsecond) to AVR report.
639283-4 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
Component: Access Policy Manager
Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
Conditions:
* Virtual Server has untrusted certificate
* Using Custom Dialer or Windows logon integration features on client machine for establishing secure VPN
Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.
Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.
Workaround:
- Install trusted certificate to Virtual Server or whitelist untrusted certificate on the client machine.
or
- Use Edge Client to establish secure VPN connection.
Fix:
The Custom Dialer/Windows Logon Integration feature now shows a certificate warning when the certificate is untrusted by the client. This allows the logon to proceed if the user accepts the certificate.
639236-1 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
Solution Article: K66947004
Component: Service Provider
Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain a Contact header whose expires value is set to 0 and is not the last attribute.
Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.
Impact:
The REGISTER is rejected with a '400 Bad Request' error message.
Workaround:
None.
Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.
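As an added example (not the BIG-IP SIP parser's code), a small Contact-header parser that reads the ';'-separated attributes by name rather than by position, so expires=0 is recognized wherever it appears, including before q as in the header quoted above. The sample header is constructed from the entry; the helper names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the header quoted in the entry: expires=0 sits before q,
# i.e. it is not the last parameter.
CONTACT_SAMPLE = "Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1"

# Optional quoted display-name, then the <uri>, then the parameter tail.
ADDR_RE = re.compile(r'\s*(?:"[^"]*"\s*)?<(?P<uri>[^>]+)>\s*(?P<params>.*)$')


def split_top_level(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside quotes or angle brackets."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            depth += 1
        elif not quoted and ch == ">":
            depth -= 1
        if ch == sep and not quoted and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def parse_contact(header: str) -> List[Tuple[str, Dict[str, Optional[str]]]]:
    """Return (uri, params) per contact. Parameters are keyed by name, so
    'expires' is found wherever it appears among the attributes."""
    name, sep, body = header.partition(":")
    if not sep or name.strip().lower() not in ("contact", "m"):
        raise ValueError("not a Contact header")
    entries = []
    for contact in split_top_level(body, ","):
        if contact.strip() == "*":  # 'Contact: *' has no parameters
            entries.append(("*", {}))
            continue
        m = ADDR_RE.match(contact)
        if m is None:
            raise ValueError(f"cannot parse contact {contact!r}")
        params: Dict[str, Optional[str]] = {}
        for param in split_top_level(m.group("params"), ";"):
            key, eq, value = param.strip().partition("=")
            params[key.lower()] = value.strip() if eq else None
        entries.append((m.group("uri"), params))
    return entries


def contact_expires(header: str) -> Optional[int]:
    """The expires value of the first contact as an int, or None if absent."""
    _, params = parse_contact(header)[0]
    value = params.get("expires")
    return int(value) if value is not None and value.isdigit() else None


def is_deregistration(header: str) -> bool:
    """A REGISTER whose Contact carries expires=0 removes the binding."""
    return contact_expires(header) == 0
```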
639193-1 : For HA BIG-IP devices, deleting parent policy causes sync to fail.
Solution Article: K03453591
Component: Advanced Firewall Manager
Symptoms:
In a high availability (HA) environment, deleting parent policy causes sync to fail.
Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.
Impact:
Sync operation fails.
Workaround:
Run the following commands, then perform a sync:
tmsh save sys config partitions all
tmsh load sys config partitions all
Fix:
In high availability (HA) environments, deleting parent policy no longer causes sync to fail.
639039-4 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
Solution Article: K33754014
Component: Local Traffic Manager
Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.
Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.
Impact:
Dynamic routing information is lost and must be relearned.
Workaround:
When using dynamic routing, only change the host name during a maintenance window.
638997-2 : Reboot required after disk size modification in a running BIG-IP VE instance.
Component: TMOS
Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.
- A reboot is required after any such modification of the disk size for the changes to take effect. In previous versions the reboot happened automatically, but an affected BIG-IP VE does not reboot automatically.
- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.
Conditions:
Modifying disk size in a running BIG-IP VE instance.
Impact:
Changes in the disk size do not take effect until the BIG-IP system is rebooted.
Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.
Fix:
Reboot required after disk size modification in a BIG-IP VE instance.
638960-2 : A subset of the BIG-IP default profiles can be incorrectly deleted
Component: TMOS
Symptoms:
On the BIG-IP system, default profiles should not be deletable. However, the system incorrectly allows a subset of them to be deleted. Known affected profiles include all default persistence and http profiles.
Conditions:
The issue occurs when someone attempts to delete a susceptible profile via TMSH, iControl SOAP or iControl REST. The issue does not occur when using the WebUI (where susceptible profiles are not selectable for deletion).
Impact:
If a default profile is missing from the configuration, several issues may arise. For instance, the configuration may fail to load or save, and the WebUI may fail to display certain screens.
Fix:
The system no longer allows certain default profiles to be deleted.
638935-3 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: TMOS
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade, for example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of 'list ltm monitor' and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.
If you have an escaped quote in your configuration and are moving to a configuration that depends on this fix, you cannot reload the configuration or the license (which also reloads the configuration); doing so causes the config load to fail.
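As an added example (not F5 code), a pre-upgrade audit for this entry: it scans 'ltm monitor' stanzas in a bigip.conf excerpt for send, recv, recv-disable and username strings that meet the condition above (contain \" but none of the characters that already force enclosing quotes) and emits the manually quoted form from the workaround. The stanza layout and the sample configuration are constructed approximations, not an authoritative bigip.conf grammar.

```python
import re
from typing import List, Tuple

# Characters that, per the release note, already make tmsh emit enclosing
# quotes; a string containing any of them is not affected by the bug.
SAFE_CHARS = set("'|{};# \n")

MONITOR_FIELDS = ("send", "recv", "recv-disable", "username")

STANZA_RE = re.compile(r'^ltm monitor \S+ (?P<name>\S+) \{\s*$')
FIELD_RE = re.compile(
    r'^\s+(?P<field>' + "|".join(MONITOR_FIELDS) + r')\s+(?P<value>.*\S)\s*$'
)

# Constructed bigip.conf excerpt; the stanza layout is an approximation
# for illustration, not an authoritative grammar of the file.
SAMPLE_BIGIP_CONF = r'''
ltm monitor http /Common/status_mon {
    defaults-from /Common/http
    interval 5
    recv \"service_status\":\"on\".+\"maintenance\":\"off\"
    send "GET /status HTTP/1.1\r\nHost: app\r\n\r\n"
    timeout 16
}
ltm monitor https /Common/health_mon {
    defaults-from /Common/https
    recv "\"ok\";status=1"
    recv-disable \"maintenance\":\"on\"
    send "GET /health HTTP/1.1\r\n\r\n"
}
'''


def is_affected_string(value: str) -> bool:
    """True when the raw string meets the bug condition: it contains
    backslash-double-quote and none of the characters that would already
    force enclosing quotes."""
    return '\\"' in value and not (SAFE_CHARS & set(value))


def strip_enclosing_quotes(value: str) -> str:
    """Remove one pair of enclosing double quotes, provided the closing
    quote is not itself escaped (an odd run of backslashes before it)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        inner = value[:-1]
        trailing_backslashes = len(inner) - len(inner.rstrip("\\"))
        if trailing_backslashes % 2 == 0:
            return value[1:-1]
    return value


def audit_monitor_strings(bigip_conf: str) -> List[Tuple[str, str, str]]:
    """Return (monitor, field, value) for every monitor string that would
    lose its enclosing quotes, and so a level of escaping, on upgrade."""
    findings: List[Tuple[str, str, str]] = []
    monitor = None
    for line in bigip_conf.splitlines():
        m = STANZA_RE.match(line)
        if m:
            monitor = m.group("name")
            continue
        if line.startswith("}"):
            monitor = None
            continue
        if monitor is None:
            continue
        f = FIELD_RE.match(line)
        if f is None:
            continue
        value = strip_enclosing_quotes(f.group("value"))
        if is_affected_string(value):
            findings.append((monitor, f.group("field"), value))
    return findings


def quoted_for_bigip_conf(value: str) -> str:
    """The manual workaround: the same string with enclosing quotes added."""
    return '"' + value + '"'


if __name__ == "__main__":
    for monitor, field, value in audit_monitor_strings(SAMPLE_BIGIP_CONF):
        print(f"{monitor} {field}: quote as {quoted_for_bigip_conf(value)}")
```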
638893-1 : Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command
Component: TMOS
Symptoms:
Error message references solution number instead of Knowledgebase number:
err mcpd[6492]: 01071ab6:3: The requested media 100TX-FD for interface 1.0 is invalid. Valid settings are: auto, 1000T-FD. Please see SOL14556 for details.
Conditions:
Incorrectly configure net interface media, e.g.,
modify net interface 1.0 media 100TX-FD.
Impact:
Posted message references SOL14556. The Ask F5 site now uses K numbers instead of SOL numbers. At some point, the previously used SOL numbers might no longer redirect, and the information originally in that article would be lost.
Workaround:
View knowledgebase article K14556: Copper 1 Gbps modules configured with media other than the 'auto' setting may not function, https://support.f5.com/csp/article/K14556.
Fix:
Updated tmsh output to reference the new knowledgebase numbering.
638881-1 : Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
Component: TMOS
Symptoms:
When the fan tray is removed, the fan status in the tmctl tables and in 'tmsh show sys hardware' is not updated correctly to reflect the current status of the fan tray (i.e., not-present).
Conditions:
When the fan tray is physically removed.
Impact:
It is important to be aware of the fan status since malfunctioning of the fan tray can result in thermal shutdown when temperature thresholds are reached. Having incorrect/incomplete status would result in delayed corrective actions if a problem should arise.
Workaround:
No workaround at this time.
638825-2 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
Component: TMOS
Symptoms:
The value returned for the sysInterfaceMediaActiveSpeed OID is 80 for an interface of type 100000SR4-FD instead of 100000.
Conditions:
This always occurs for this type of interface.
Impact:
User sees wrong value for this interface in SNMP get. Value is correct in tmsh 'show net interface'.
Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.
638799-1 : Per-request policy branch expression evaluation fails
Component: Access Policy Manager
Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:
info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)
Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.
The evaluation does not trigger for some requests when, in the same connection, the virtual server gets a request for an internal Access whitelisted URL, and then request for backend resource URIs.
Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:
#define ACCESS_ALLOWED_IRULE_EVENTS ( \
((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))
Workaround:
None.
Fix:
Per-request policy branch expression evaluation now completes successfully for non-Access (non-APM) iRule events that are attached to the virtual server.
638780-3 : Handle 302 redirects for VMware Horizon View HTML5 client
Component: Access Policy Manager
Symptoms:
Starting from v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions, and supports a 302 redirect from the old URI for backward compatibility.
Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.
Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.
Workaround:
For versions 11.6.x and 12.x:
===============================
priority 2
when HTTP_REQUEST {
regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}
when HTTP_RESPONSE {
if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
if { [info exists vmview_html5_prefix] } {
set location [HTTP::header "Location"]
set location_path [URI::path $location]
if { $location_path starts_with "/portal/" } {
set path_index [string first $location_path $location]
set new_location [substr $location $path_index]
regsub "/portal/" $new_location $vmview_html5_prefix new_location
HTTP::header replace "Location" $new_location
}
unset vmview_html5_prefix
}
}
}
======================
For version 13.0:
priority 2
when HTTP_REQUEST {
regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}
when HTTP_RESPONSE {
if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
if { [info exists vmview_html5_prefix] } {
set location [HTTP::header "Location"]
set location_path [URI::path $location]
if { $location_path starts_with "/portal/" } {
set path_index [string first $location_path $location]
set new_location "$vmview_html5_prefix[substr $location $path_index]"
HTTP::header replace "Location" $new_location
}
unset vmview_html5_prefix
}
}
}
Fix:
302 redirects for the VMware View HTML5 client are now handled properly.
638715-3 : Multiple Diameter monitors to same server ip/port may race on PID file
Solution Article: K77010072
Component: Local Traffic Manager
Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.
Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.
Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.
Workaround:
A possible work-around is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so a simultaneous probe-collision will fail one monitor once, which upon retry will succeed (as three monitor failures are required for a virtual server to be marked down).
Fix:
The fix includes the monitor-template name in the generation of the PID file, which ensures multiple Diameter monitor instances probing the same server (IP/port) do not interfere with each other.
638629-2 : Bot can be classified as human
Component: Application Security Manager
Symptoms:
A bot is classified as human in a rare case.
Conditions:
Web scraping is turned on. The CSHUI is tried on the user.
Impact:
Bot traffic gets classified as human by ASM.
Workaround:
N/a
Fix:
Fixed the CSHUI algorithm to have better bot detection.
638594-3 : TMM crash when handling unknown Gx messages.
Component: Policy Enforcement Manager
Symptoms:
TMM crash resulting in potential loss of service.
Conditions:
PCRF sends unsupported Gx messages to PEM.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Added support for identifying unknown message types and handling them gracefully.
638556-2 : PHP Vulnerability: CVE-2016-10045
Solution Article: K73926196
638170-1 : Pagination broken or missing while viewing pool statistics for GTM wideip
Solution Article: K36455356
Component: Global Traffic Manager (DNS)
Symptoms:
An error occurs while viewing pool statistics for a GTM wideip if the number of pools is more than what can be displayed in a single screen.
Conditions:
The number of pools is more than what can be displayed as specified in the System :: Preferences :: Records Per Screen setting.
Impact:
Unable to view the statistics of GTM wideip pools beyond those displayed on the screen.
Workaround:
Increase the number of Records Per Screen (System :: Preferences :: Records Per Screen) to a number larger than the number of pools in the GTM wideip.
Fix:
Can now view the statistics of GTM wideip pools beyond those displayed on the initial screen.
638137 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
Solution Article: K51201255
638091-4 : Config sync after changing named pool members can cause mcpd on secondary blades to restart
Component: TMOS
Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:
01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>
Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create
Impact:
Secondary blades do not process traffic while they restart.
Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).
To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.
1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.
Fix:
Config sync after changing named pool members no longer causes mcpd on secondary blades to restart.
637666-2 : PHP Vulnerability: CVE-2016-10033
Solution Article: K74977440
637561-1 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
Component: TMOS
Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.
Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only
Impact:
Wildcard wideips are not returning wildcard requests correctly.
Workaround:
Reload the MCP database using the following commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd
Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.
637559-1 : Modifying iRule online could cause TMM to be killed by SIGABRT
Component: TMOS
Symptoms:
If an iRule is used by several virtual servers and you edit the iRule online, TMM may eventually be killed by SOD (the watchdog).
Conditions:
This can occur under the following conditions:
1. The iRule is used by a large number of virtual servers.
2. You edit the iRule and save changes.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
If an iRule is used by several virtual servers and you edit the iRule online, TMM is no longer eventually killed by SOD (the watchdog).
637308-8 : apmd may crash when HTTP Auth agent is used in an Access Policy
Solution Article: K41542530
Component: Access Policy Manager
Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.
Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.
The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.
Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.
Workaround:
Use basic auth, or do not use HTTP Auth.
Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.
637252-1 : Rest worker becomes unreliable after processing a call that generated an error
Solution Article: K73107660
Component: Application Security Manager
Symptoms:
Unreliable behavior from ASM REST API.
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.
Conditions:
A REST worker can enter this state if it processes specific calls that ended in error, such as creating a new active Policy.
Note: Policies are meant to be created inactive and then activated through the apply-policy task.
Impact:
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.
Workaround:
1) Do not create 'active' policies. Create them with 'active': false, and then use the apply-policy task to set them active.
2) To recover a device that has reached this state, restart restjavad using the following command:
bigstart restart restjavad
Fix:
REST workers maintain correct state and behavior after calls with errors.
637227-4 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.
Solution Article: K60414305
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.
A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.
Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.
Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.
Workaround:
None.
Fix:
DNS validation now occurs as expected, resulting in valid answers to AAAA queries.
637181-4 : VIP-on-VIP traffic may stall after routing updates
Component: Local Traffic Manager
Symptoms:
After a routing update, traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.
Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.
Impact:
Existing connections to the outer VIP may stall.
Workaround:
None.
Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.
636918-2 : Fix for crash when multiple tunnels use the same traffic selector
Component: TMOS
Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.
Conditions:
Same traffic selector used with more than one tunnel.
Impact:
Possible tmm restart if the problem occurs. Traffic is disrupted while tmm restarts.
Workaround:
Use different traffic selectors for different tunnels.
Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.
636853-2 : Under some conditions, a change in the order of GTM topology records does not take effect.
Solution Article: K19401488
Component: Global Traffic Manager (DNS)
Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.
Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.
Impact:
In certain configurations, the topology load balancing decision may not be made correctly.
Workaround:
Reload the GTM configuration or add/delete a topology record.
Fix:
Changes in the order of topology records now take effect immediately.
636842-1 : A FastL4 virtual server may drop a FIN packet when mirroring is enabled
Solution Article: K51472519
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may drop a FIN packet when mirroring is enabled.
Conditions:
- The virtual server uses the FastL4 profile.
- The virtual server performs mirroring.
- The tm.fastl4_ack_mirror db key is enabled (default).
- The client or the server sends a FIN packet, immediately followed by a RST packet.
Impact:
The BIG-IP system forwards the RST packet but not the FIN packet.
Because the RST sent by one of the TCP endpoints has its sequence number increased by 1 to account for the FIN packet, the other TCP endpoint, which never saw the FIN, may not accept the RST.
This issue is exacerbated if the FIN packet also carries application data (for example, if it is actually a FIN,PSH,ACK packet). In this case, the other TCP endpoint never sees the application data contained within the packet, and the sequence number in the RST will be off by more than just 1.
Ultimately, this can cause application failures and can also cause the two connection flows to stall for some time.
Workaround:
To work around this issue, you can either:
1) Disable mirroring for the virtual server (but this comes with a loss of functionality, which may not be acceptable).
or
2) Disable the tm.fastl4_ack_mirror db key (but this would affect all FastL4 virtual servers performing mirroring on the box).
Fix:
A FastL4 virtual server no longer drops a FIN packet when mirroring is enabled.
636790-3 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.
Component: Global Traffic Manager (DNS)
Symptoms:
While logged in as a Manager role, if a user attempts to modify an object this role does not have access to, the GUI will post a validation error.
Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.
Impact:
The system posts generic validation errors when Create, Update, Delete actions are initiated by a user without proper permissions. These permissions are not allowed for the Manager, but the GUI makes it appear as if they are.
Workaround:
None.
Fix:
The GUI now properly hides or disables the action buttons if a user does not have proper permissions to perform the action.
636774-1 : Potential TMM crash credits to BWC token distribution logic
Component: TMOS
Symptoms:
tmm crashes at 'bwc_stb_static_recharge (stb_static=0x560086f501f0) at ../net/bwc_stb.c:364'.
Conditions:
Bandwidth Control (BWC) policies enabled with PEM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Fixed a potential TMM crash attributed to BWC token distribution logic.
636744-1 : IKEv1 phase 2 SAs not deleted
Solution Article: K16918340
Component: TMOS
Symptoms:
The BIG-IP system will not start phase 1 or phase 2 ISAKMP negotiation after an Active -> Standby -> Active failover within a short period of time.
Conditions:
The HA Active BIG-IP system goes Standby and then becomes Active again within the phase 2 lifetime.
Impact:
IPsec tunnels are not initiated by the BIG-IP system. Network connectivity is broken between the private networks.
Workaround:
Option 1: Switch to IKEv2 and 12.x, which skips the problem altogether. This combination will mirror the SAs and so deleting existing SAs upon failover is not required.
Option 2: Edit /config/failover/active and add the following two lines at the end:
logger -p local0.notice "Employ ID636744 workaround. Purge IPsec phase2 SAs."
tmsh delete net ipsec ipsec-sa
636702-3 : BIND vulnerability CVE-2016-9444
Solution Article: K40181790
636699-5 : BIND vulnerability CVE-2016-9131
Solution Article: K86272821
636669-3 : bd log are full of 'Can't run patterns' messages
Solution Article: K37300224
Component: Application Security Manager
Symptoms:
The bd log is filling up with 'Can't run patterns' messages. A core might occur due to the I/O outage. General traffic disturbance/slowness might occur.
Conditions:
A configuration change that relates to attack patterns occurs while there is heavy traffic.
Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.
Workaround:
None.
Fix:
Fixed log throttling issue related to attack patterns configuration change.
636541-3 : DNS Rapid Response filters large datagrams
Component: Global Traffic Manager (DNS)
Symptoms:
Assigning a profile with DNS rapid response enabled to a virtual server on a P8 chassis might result in problems with blades and the cluster.
Depending on the timing of operations (config is loaded and tmm restarts), blades might never join the cluster properly and you will see errors similar to the following looping in /var/log/tmm:
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445394
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445416
Conditions:
-- Assigning a profile with DNS rapid response enabled to a virtual server.
-- P8 chassis.
-- Large datagrams being passed.
Impact:
DNS Rapid Response filters large datagrams. Blades might never join the cluster.
Workaround:
There is no workaround at this time.
Fix:
The system now passes through any datagrams too big for DNS rapid response.
636535 : HSB lockup in vCMP guest doesn't generate core file
Solution Article: K24844444
Component: TMOS
Symptoms:
If an HSB lockup occurs in a vCMP guest, the system does not generate a core file.
Conditions:
HSB lockup, which occurs rarely.
Impact:
Limited ability to diagnose failures due to HSB lockups.
Workaround:
None.
Fix:
Whenever an HSB lockup occurs in a vCMP guest, the system generates a core file.
636520-3 : Detail missing from power supply 'Bad' status log messages
Solution Article: K88813435
Component: TMOS
Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included to indicate which characteristic of the power supply's state results in the 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad
Conditions:
This occurs when the system posts an internal hardware sensor alert.
Impact:
At the default logging level, it is not possible to determine whether the 'Bad' power supply status is due to a power supply hardware fault or a possible external power source issue.
Workaround:
If power supply errors continue to be logged:
1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }
2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.
3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }
4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.
Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.
636397-1 : bd cores when persistent storage configuration and under some memory conditions.
Component: Application Security Manager
Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:
BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.
Conditions:
Persistent storage is configured and memory usage is high.
Impact:
bd crash. Traffic resets and/or failover.
Workaround:
None.
Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.
636370 : Application Layer Encryption AJAX support
Component: Fraud Protection Services
Symptoms:
WebSafe does not support parameter encryption in Single Page Applications (using AJAX).
Conditions:
The application uses AJAX to send parameters to the web server.
Impact:
Encryption does not work for Single Page Applications.
Workaround:
N/A
Fix:
AJAX encryption support (full payload encryption) has been added.
For 12.1.2-hf, enabling this feature requires:
tmsh modify sys db antifraud.internalconfig.string1 value <AJAX-HEADER-NAME>
The presence of the AJAX-HEADER-NAME header enables AJAX support for the current request, and its value may contain the username used in the current request (if configured and present).
Note that activating AJAX support in releases later than 12.1.2-hf is done differently (configured in the profile, not in the db).
636290 : vCMP support for B4450 blade
Component: TMOS
Symptoms:
vCMP is not supported on the B4450 blade.
Conditions:
This occurs on the B4450 blade on specific BIG-IP software versions. For more information on supported vCMP versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088
Impact:
You are unable to configure vCMP on the B4450 blade.
Fix:
vCMP is supported on the B4450 blade in this version.
636289-2 : Fixed a memory issue while handling TCP::congestion iRule
Component: Local Traffic Manager
Symptoms:
Increased memory usage in tmm.
Conditions:
TCP::congestion highspeed iRule is executed for the TCP connection. The issue is only observed for highspeed congestion control.
Impact:
The memory allocated for congestion control is not freed.
Workaround:
If you need highspeed congestion control under some conditions, you can start with highspeed by selecting it in the TCP profile and then switch to another congestion control when the condition no longer holds. With this workaround, once congestion control is changed to something other than highspeed, it is not possible to switch back to highspeed.
Fix:
Improved memory utilization while using TCP::congestion iRule.
636254-2 : Cannot reinitiate a sync on a target device when sync is completed
Component: Access Policy Manager
Symptoms:
After a policy sync is successful, re-initiating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"
Conditions:
This occurs rarely when performing a sync after a successful sync.
Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.
Fix:
APM Policy Sync no longer hangs in rare cases with the message: "PolicySyncMgr: Sync already in progress for policy xxx"
636149-3 : Multiple monitor response codes to single monitor probe failure
Component: Local Traffic Manager
Symptoms:
A monitor probe failure to a monitor (such as HTTP) is logged to '/var/log/ltm' when the probed resource is unavailable. In some cases, for a probe resulting in an 'Unable to connect' error, multiple log entries are made; the last entry is the error that triggered the logging, and the earlier entries are 'stale' messages left over from previous monitor probe behavior that was logged earlier.
This is due to an error where the 'Could not connect' event appends rather than overwrites existing earlier error messages.
Conditions:
A monitor probe to a monitor is attempted (such as over HTTP), resulting in an 'Unable to connect' failure; and where that specific monitor previously reported an error (which is now appended).
Impact:
No system behavior is affected, but multiple log entries are made. The final log entry of the 'Could not connect' or 'Unable to connect' message is relevant, while the possible multiple log entries immediately preceding are 'stale' and not relevant (as they are due to an earlier issue that was previously successfully logged).
Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last line of the '/var/log/ltm' log entry, and ignore any log entries associated with that specific monitor that might appear immediately above the 'Could not connect' line.
Fix:
The system now handles previous monitor-log errors when reporting a 'Could not connect' error, rather than appending a previous error that might be present.
636044-1 : Large number of glob patterns affects custom category lookup performance
Solution Article: K68018520
Component: Access Policy Manager
Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.
Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.
Impact:
Slow response times to HTTP requests.
Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.
Fix:
Glob pattern matching has been extended to be context sensitive. If the pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If the match can be satisfied with prefix matching, the pattern will be processed with a prefix comparison rather than as a glob. Also, multiple glob patterns are combined together to create a more optimal match pattern. If custom categories patterns use the context sensitive feature, custom category lookup will be optimized.
635977-1 : Bd core on specific out of memory scenario
Component: Application Security Manager
Symptoms:
The bd process crashes.
Conditions:
-- ASM configured.
-- WebSocket traffic.
-- Memory pressure.
Impact:
The bd process crashes. Traffic disrupted while bd restarts.
Workaround:
None.
Fix:
Memory pressure with WebSocket traffic does not lead to intermittent crashes.
635961-1 : gzipped and truncated files may be saved in qkview
Component: TMOS
Symptoms:
When looking at the files in the qkview, some files might be both gzipped and truncated, when only one or the other is expected.
Conditions:
This occurs for certain files that are large enough to require truncation and gzipping.
Impact:
Minimal impact, as the extra file can be ignored. This is primarily an issue of wasting image space.
Workaround:
Ignore the extra copy of the file.
Fix:
Files are no longer both gzipped and truncated.
635933-3 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
Solution Article: K23440942
635754-1 : Wildcard URL pattern match works incorrectly in Traffic Learning
Solution Article: K65531575
Component: Application Security Manager
Symptoms:
In a policy with URL learning mode set to ALWAYS, wildcard URL matching for "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" prevents you from adding other wildcard destinations using policy builder.
Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard URLs "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard URL "/polo/images/*", the pattern match is incorrect and you are not able to accept the learning suggestion.
Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.
Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).
Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.
"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using the "Up" button.
Fix:
Wildcard URL pattern match now works as expected in Traffic Learning.
635703-1 : Interface description may cause some interface level commands to be removed
Solution Article: K14508857
Component: TMOS
Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.
Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.
Impact:
Interface level commands after the description will not appear in the imish running config and will not be loaded/functional.
Workaround:
To prevent this issue, do not use interface-level descriptions.
If the issue has already occurred, and the configuration is not loading, you can manually correct it using the following procedure:
1. Stop tmrouted using the following command: bigstart stop tmrouted
2. Edit the ZebOS.conf from the corresponding route-domain file manually and remove the interface-level 'description' and 'no shutdown' commands.
3. Restart tmrouted using the following command: bigstart restart tmrouted.
Note: Performing the workaround procedure will temporarily disrupt dynamic routing, so care and adequate planning must be taken into consideration.
Fix:
Routing protocol interface commands are no longer lost with the addition of interface descriptions.
635561-1 : Heavy URLs statistics are not shown after upgrade.
Component: Application Visibility and Reporting
Symptoms:
Heavy URLs statistics are not shown after upgrade.
Conditions:
Upgrading to a newer version.
Impact:
Missing statistics.
Workaround:
No workaround
Fix:
Upgrade and verify all heavy URLs statistics are shown.
635541 : "Application CSS Locations" is not inherited if changing parent profile
Component: Fraud Protection Services
Symptoms:
"Application CSS Locations" is not inherited if the parent profile is changed, which can cause the following error while saving: Application CSS Locations cannot be empty.
Conditions:
This occurs in the GUI when FPS is provisioned and the system is configured with a phishing detection license.
Impact:
Cannot use FPS GUI to configure Application CSS Locations.
Workaround:
Use tmsh or the REST API to configure Application CSS Locations.
Fix:
"Application CSS Locations" is now inherited if the parent profile is changed. No errors are shown while saving.
635412 : Invalid mss with fast flow forwarding and software syn cookies
Solution Article: K82851041
635314-5 : vim Vulnerability: CVE-2016-1248
Solution Article: K22183127
635274-1 : SSL::sessionid command may return invalid values
Solution Article: K21514205
Component: Local Traffic Manager
Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.
Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.
Impact:
The iRule might not work as expected.
High CPU usage.
Workaround:
Do not use the SSL::sessionid iRule command.
Fix:
The SSL::sessionid iRule returns the session ID as expected.
635257-2 : Inconsistencies in Gx usage record creation.
Solution Article: K41151808
Component: Policy Enforcement Manager
Symptoms:
Duplicate usage records may be created or expected usage records may be missing.
Conditions:
A subscriber session is associated with the following policies:
1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.
2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.
Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.
Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.
To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.
Fix:
Checks to create usage records are now done using the same keys that are used to create them, so there are no duplicate usage records created or expected usage records missing.
635252-1 : CVE-2016-9256
Solution Article: K47284724
635233-3 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
Solution Article: K80902149
Component: Policy Enforcement Manager
Symptoms:
CCR-u or CCR-t sent in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164, etc., even if the AVPs are marked mandatory.
Conditions:
This occurs when the BIG-IP system sends a CCR-u or CCR-t when the specified policy received from PCRF does not exist.
Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164.
Workaround:
None.
Fix:
Added the custom AVPs in the case of CCR-u and CCR-t, if those attributes are enabled for reporting in the protocol profile.
635191-1 : Under rare circumstances TMM may crash
Component: Local Traffic Manager
Symptoms:
tmm crash and BIG-IP failover.
Conditions:
There are no known, reproducible conditions under which this occurs. However, the tmm restart happens once, and then does not recur. The only way to determine that the issue exists is through a review of the core stack, which must be completed by F5 Support.
Impact:
tmm restart and failover. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The tmm restart and failover no longer occur.
635129 : Chassis systems in HA configuration become Active/Active during upgrade★
Component: TMOS
Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.
The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.
Conditions:
This problem occurs on VIPRION chassis systems, either running natively, or as a VCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2), to any other version. The problem occurs on any upgrade, whether on the list of affected versions, or a later version.
Impact:
When multiple devices become Active simultaneously, traffic is disrupted.
Workaround:
There is no workaround other than to remain in Active/Active state until all chassis have finished upgrading. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.
Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.
635116-1 : Memory leak when using replicated remote high-speed logging.
Solution Article: K34100550
Component: TMOS
Symptoms:
As a result of a known issue, when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool, TMM may leak memory.
Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one pool member, and one of them becomes unavailable.
Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.
Workaround:
Do not use replication in the HSL destination configuration.
Fix:
TMM no longer leaks memory when using a replicated HSL setup.
634779-1 : TMM may crash while processing SSL Forward Proxy traffic
Solution Article: K43945001
634576 : TMM core in per-request policy
Solution Article: K48181045
Component: Access Policy Manager
Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.
Conditions:
APM or SWG per-request policy with reject ending.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when per-request policy encounters reject ending.
634371-2 : Cisco ethernet NIC driver
Component: TMOS
Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67.
Conditions:
N/A
Impact:
Cisco recommends using the updated version 2.3.0.12.
Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.
634265-2 : Using route pools whose members aren't directly connected may crash the TMM.
Solution Article: K34688632
Component: Local Traffic Manager
Symptoms:
The TMM crashes when trying to resolve routes using route pools whose members are not directly connected.
Conditions:
A configuration has route pools whose members aren't directly connected. Additionally, this is an issue only in configurations where the TMM doesn't proxy traffic but sources traffic. An example is an sFlow configuration.
Impact:
Traffic disrupted while tmm restarts. The TMM crashes whenever a connection tries to resolve such a route.
Workaround:
Create route pools with directly connected members.
Fix:
Using route pools whose members aren't directly connected no longer crashes the TMM.
634252 : TMM crash with per-request policy in SWG explicit
Solution Article: K99114539
Component: Access Policy Manager
Symptoms:
TMM crash is seen intermittently when evaluating per-request access policies for SWG-explicit use cases.
Conditions:
Although the exact conditions required for this issue are unknown, evaluating per-request access policies for SWG-explicit use cases might be related.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM crash is no longer seen when evaluating per-request access policies for SWG-explicit use cases.
634215-1 : False detection of attack after restarting dosl7d
Component: Application Visibility and Reporting
Symptoms:
False detection of an attack.
Conditions:
Restarting dosl7d during traffic.
Impact:
False attack is reported.
Workaround:
No workaround
Fix:
Restart dosl7d during moderate traffic and verify no false attack is reported.
634115-1 : Not all topology records may sync.
Component: TMOS
Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.
Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.
Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.
Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.
This can be performed from tmshell or bash.
tmshell:
---------
(/Common)(tmos)# run cm config-sync force-full-load-push to-group gtm
Force a full load sync? (y/n)y
bash:
---------
tmsh run cm config-sync force-full-load-push to-group gtm
Note: This command executes and returns to bash with no feedback. To determine the outcome, you can check /var/log/gtm for 'success'.
Fix:
Some GTM topology records may have silently not been synchronized to other devices in the sync group. This is now resolved; all topology objects will be synchronized to all expected devices.
634078-2 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero
Component: Service Provider
Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.
Conditions:
This occurs when a message routing SIP profile is in use.
Impact:
Source port is set to 0.
Workaround:
None.
Fix:
Source port is now set to the source port of the client when SNAT is set to none. This is correct behavior.
634015-3 : Potential TMM crash due to a PEM policy content triggered buffer overflow
Solution Article: K49315364
Component: Policy Enforcement Manager
Symptoms:
Failure to add a PEM policy to a subscriber session in addition to a TMM crash.
Conditions:
PEM configured with a large number of policy rules that exceeds the maximum supported PEM resources.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Buffer allocation checks have been added that log an error in case of a buffer overflow.
634001-2 : ASM restarts after deleting a VS that has an ASM security policy assigned to it
Component: Application Security Manager
Symptoms:
ASM restarts with the following errors:
'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.
Impact:
ASM restart
Workaround:
None.
Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.
633879-1 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect
Solution Article: K52833014
Component: TMOS
Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.
Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.
Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.
Workaround:
You may be able to select md5, save, and then restart. A restart sets up the daemon from the config file instead of via incremental config parsing, so while the change does not take effect right after being made in the UI, the md5 option may work after a restart.
Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.
633723-3 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
Component: Local Traffic Manager
Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.
Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.
Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.
See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.
Workaround:
None.
Fix:
The system now automatically runs nitrox_diag to collect diagnostic data when 'request queue stuck' errors occur.
Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.
If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.
633691-4 : HTTP transaction may not finish gracefully because the TCP connection is closed by RST
Component: Local Traffic Manager
Symptoms:
HTTP or other higher layer protocol transactions may not finish gracefully because the TCP connection is closed by RST.
Conditions:
1. There is ClientSSL or ServerSSL configured on the Virtual Server.
2. HTTP or other higher layer protocol has not finished the transaction yet.
3. Client or Server sends out the TCP FIN packet.
Impact:
Application-level responses may not be received at all by the client.
Workaround:
No Workaround.
Fix:
TMM now closes the connection gracefully with a TCP FIN wherever possible, instead of using RST, which discards data that has not yet been sent to the wire.
633512-1 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
Component: TMOS
Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).
Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.
Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.
Workaround:
Do not configure Auto-Failback on VIPRION.
Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.
633413-1 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
Component: TMOS
Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).
Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.
Impact:
The error refers to an unrelated IPv4 address.
Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.
Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.
633391-1 : GUI Error trying to modify IP Data-Group
Component: TMOS
Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.
Conditions:
Modify the value field (string or integer) of an Address Records row and click Update.
Impact:
There is an "Error parsing IP address" message at the top of the page. You cannot modify internal data groups using the GUI. You can delete and re-create the entry, but cannot modify it.
Workaround:
Use tmsh to modify the record field of the data groups.
Fix:
You can now modify the IPv6&IPv4 value within an existing data group.
Behavior Change:
Users can now modify and update data groups.
633333-3 : During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
Component: Local Traffic Manager
Symptoms:
During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and an MPTCP connection is established.
Impact:
The serverside connection is reset before all data has been sent, causing the tail end of the data stream to not be proxied.
Workaround:
There is no workaround
Fix:
Fixed sequence of events on connection closure.
633181-1 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
Component: TMOS
Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.
Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR
Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CAs.
Workaround:
Use openssl from the bash command line to generate CSRs.
Solution article K14534 contains the appropriate procedure.
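The following is an added example, not F5 code and not the procedure from K14534: a small DER walker that inspects the attributes field of a CSR before it is submitted to a CA, distinguishing the correct empty attribute set (a0:00) from an extensionRequest attribute that wraps an empty Extensions sequence. The sample CSRs are constructed skeletons (subject, public key and signature are empty placeholders), so only the attributes field is meaningful; the helper `_wrap` and the report keys are this example's own names.

```python
# OID 1.2.840.113549.1.9.14 (pkcs-9-at-extensionRequest), DER content octets
EXTENSION_REQUEST_OID = bytes.fromhex("2a864886f70d01090e")

TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_ATTRIBUTES = 0x30, 0x31, 0x06, 0xA0


def read_tlv(buf: bytes, off: int):
    """Decode one DER TLV at buf[off]; return (tag, value, offset_after)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[off:off + length], off + length


def children(value: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        yield tag, val


def check_csr_attributes(csr_der: bytes) -> dict:
    """Inspect the attributes field of a DER CertificationRequest (RFC 2986).

    CertificationRequestInfo ::= SEQUENCE { version, subject, subjectPKInfo,
    attributes [0] IMPLICIT Attributes }.  Reports whether the [0] field is
    present, how many attributes it holds, and whether an extensionRequest
    attribute carries an empty Extensions SEQUENCE (the defect described above).
    """
    tag, cert_req, _ = read_tlv(csr_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a CertificationRequest SEQUENCE")
    tag, cri, _ = read_tlv(cert_req, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a CertificationRequestInfo SEQUENCE")
    fields = list(children(cri))
    report = {"attributes_present": False, "attribute_count": 0,
              "empty_extension_request": False}
    if len(fields) < 4 or fields[3][0] != TAG_ATTRIBUTES:
        return report
    report["attributes_present"] = True
    for _, attr in children(fields[3][1]):
        report["attribute_count"] += 1
        parts = list(children(attr))     # Attribute ::= SEQUENCE { type OID, values SET }
        if len(parts) == 2 and parts[0] == (TAG_OID, EXTENSION_REQUEST_OID):
            values = list(children(parts[1][1]))
            if values and values[0][0] == TAG_SEQUENCE and len(values[0][1]) == 0:
                report["empty_extension_request"] = True
    return report


def _wrap(tag: int, content: bytes) -> bytes:
    """Build a short-form DER TLV (sample data only; lengths stay below 128)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


# Constructed skeleton CSRs: version 0, empty subject, empty SPKI, empty
# signatureAlgorithm and signature.  Not real CSRs; only the attributes differ.
CRI_PREFIX = bytes.fromhex("020100" "3000" "3000")
SIG_SUFFIX = bytes.fromhex("3000" "030100")

# Correct: attributes present as the empty set 'a0 00', no extensionRequest.
GOOD_CSR = _wrap(0x30, _wrap(0x30, CRI_PREFIX + bytes.fromhex("a000")) + SIG_SUFFIX)

# Defective: an extensionRequest attribute wrapping an empty Extensions SEQUENCE.
EMPTY_EXT_ATTR = _wrap(0x30, _wrap(0x06, EXTENSION_REQUEST_OID)
                       + _wrap(0x31, _wrap(0x30, b"")))
BAD_CSR = _wrap(0x30, _wrap(0x30, CRI_PREFIX + _wrap(0xA0, EMPTY_EXT_ATTR)) + SIG_SUFFIX)

# Defective in the other direction: the [0] attributes field is missing entirely.
NO_ATTR_CSR = _wrap(0x30, _wrap(0x30, CRI_PREFIX) + SIG_SUFFIX)

if __name__ == "__main__":
    for name, csr in (("good", GOOD_CSR), ("bad", BAD_CSR), ("no-attr", NO_ATTR_CSR)):
        print(name, check_csr_attributes(csr))
```

To check a real CSR, read the DER file (or base64-decode the PEM body) and pass the bytes to `check_csr_attributes`; a result with `attributes_present` false or `empty_extension_request` true is one worth regenerating with openssl before sending it to a strict CA.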
633070-1 : Sync Inconsistencies when using Autosync ASM Group between Chassis devices
Component: Application Security Manager
Symptoms:
When at least two bladed devices are in two autosync device groups together, where one device group is the failover device group and the other device group has ASM sync enabled on it, devices may go out of sync and may end up with an incorrect ASM configuration.
Conditions:
At least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it.
An ASM policy is created.
Impact:
Devices may go out of sync and may end up with incorrect ASM configuration
Workaround:
Enable ASM sync on the failover device group, or use manual sync for the ASM device group.
Fix:
Bladed devices (chassis) now handle ASM autosync device groups correctly.
632968-2 : supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
Component: Local Traffic Manager
Symptoms:
Clients are unable to establish an SSL session.
If the backend server sends a Certificate Request with Signature Hash Algorithms set to SHA256, the server SSL profile responds with Certificate and Certificate Verify containing a signature signed by SHA1 when ssl-sign-hash in that profile is set to 'ANY'. Because the backend server does not expect SHA1, the handshake fails.
If the BIG-IP server SSL profile advanced configuration setting for SSL sign hash is set to SHA-256 (and not ANY), the handshake fails with the following error:
Connection error: ssl_hs_rsaprivenc:8528: no shared hash algorithm (40).
Conditions:
* BIG-IP system is communicating with a TLS server (applies to server SSL profiles).
* TLS server is requesting client authentication (this is less common).
* TLS client is using the supported_signature_algorithms extension (this is very common)
* TLS 1.2 is likely needed. TLS 1.0 does not support extensions.
* SSL sign hash for the server SSL profile is set to either 'any' or 'sha-256'.
Impact:
BIG-IP systems sign the TLS handshake with the SHA1 algorithm, which fails on the server.
Note that this issue is orthogonal to the issue of hash algorithm in X.509 certificates, e.g., 'SHA1 in X.509 certificates'.
Workaround:
No mitigation is known.
Fix:
BIG-IP now properly parses the following extension in a CertificateRequest sent by a TLS server:
SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>.
This allows the existing logic to work, in particular, to learn that the server supports SHA2 family of hash algorithms and use them with the signature in the TLS handshake.
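As an added illustration of the parsing described in this fix (example code, not BIG-IP's implementation): a parser for the TLS 1.2 CertificateRequest body, including the supported_signature_algorithms vector, and a selection step that picks a hash the server actually listed rather than defaulting to SHA1. The sample CertificateRequest bytes are constructed; the strongest-first preference order used for the 'any' setting is an assumption of this example, since the page does not state how BIG-IP orders candidates.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm registry values (RFC 5246, 7.4.1.4.1)
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Preference order for the 'any' setting: strongest shared hash first.
# Assumption for this example; the page does not state how BIG-IP orders candidates.
HASH_PREFERENCE = ["sha512", "sha384", "sha256", "sha224", "sha1"]


def parse_certificate_request(body: bytes):
    """Parse a TLS 1.2 CertificateRequest handshake body (RFC 5246, 7.4.4).

    Layout: certificate_types<1..2^8-1>, supported_signature_algorithms<2^16-1>,
    certificate_authorities<0..2^16-1>.  Returns (certificate_types, algorithms,
    authorities) where algorithms is a list of (hash_name, signature_name) tuples.
    """
    off = 0
    ct_len = body[off]
    off += 1
    cert_types = list(body[off:off + ct_len])
    off += ct_len

    (sa_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if sa_len % 2 or off + sa_len > len(body):
        raise ValueError("malformed supported_signature_algorithms vector")
    algorithms = []
    for i in range(off, off + sa_len, 2):
        hash_id, sig_id = body[i], body[i + 1]
        algorithms.append((HASH_NAMES.get(hash_id, "hash(%d)" % hash_id),
                           SIG_NAMES.get(sig_id, "sig(%d)" % sig_id)))
    off += sa_len

    (ca_len,) = struct.unpack_from("!H", body, off)
    off += 2
    authorities = []
    end = off + ca_len
    while off < end:
        (dn_len,) = struct.unpack_from("!H", body, off)
        off += 2
        authorities.append(body[off:off + dn_len])
        off += dn_len
    return cert_types, algorithms, authorities


def choose_signing_hash(algorithms, sig_name, profile_setting):
    """Pick the hash for CertificateVerify, constrained by the server's list.

    profile_setting mirrors the profile's SSL sign hash option: 'any' or a
    specific value such as 'sha-256'.  Returns None when no hash is shared,
    which is the 'no shared hash algorithm' handshake failure from the note.
    """
    server_hashes = {h for h, s in algorithms if s == sig_name}
    if profile_setting == "any":
        for candidate in HASH_PREFERENCE:
            if candidate in server_hashes:
                return candidate
        return None
    wanted = profile_setting.replace("-", "")   # 'sha-256' -> 'sha256'
    return wanted if wanted in server_hashes else None


# Constructed sample: rsa_sign allowed; server accepts sha256/rsa, sha384/rsa
# and sha256/ecdsa; no certificate_authorities listed.
SAMPLE_CERT_REQ = bytes.fromhex(
    "01" "01"                    # certificate_types: [rsa_sign]
    "0006" "0401" "0501" "0403"  # supported_signature_algorithms (6 bytes)
    "0000"                       # certificate_authorities: empty
)

if __name__ == "__main__":
    _, algs, _ = parse_certificate_request(SAMPLE_CERT_REQ)
    print("server accepts:", algs)
    print("profile 'any'     ->", choose_signing_hash(algs, "rsa", "any"))
    print("profile 'sha-256' ->", choose_signing_hash(algs, "rsa", "sha-256"))
```

The pre-fix behaviour in the note corresponds to ignoring `algorithms` and always signing with sha1; with the sample server list that choice is absent from the set and the server rejects the CertificateVerify, which is exactly what the parser-driven selection avoids.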
632875-3 : Non-Administrator TMSH users no longer allowed to run dig
Solution Article: K37442533
632824-1 : SSL TPS limit can be reached if the system clock is adjusted
Solution Article: K00722715
Component: Local Traffic Manager
Symptoms:
If you adjust the system clock you will occasionally get error messages of the form "SSL transaction (TPS) rate limit reached". (For the intended feature of this message, see K7747: Error Message: SSL transaction (TPS) rate limit reached https://support.f5.com/csp/article/K7747.)
Conditions:
Occurs when you adjust the system clock.
Impact:
When the message occurs, the connection and often several subsequent connections are dropped.
Workaround:
None.
Fix:
The message no longer occurs when the system clock is changed; it occurs only when the system legitimately reaches the SSL TPS limit.
632798-2 : Double-free may occur if Access initialization fails
Solution Article: K30710317
Component: Access Policy Manager
Symptoms:
Double-free may occur if Access initialization fails.
Conditions:
Access initialization failure occurs, possibly due to license issues.
Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.
632731-2 : specific external logging configuration can cause TMM service restart
Solution Article: K21964367
Component: Advanced Firewall Manager
Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.
Conditions:
The problem is seen when all the following conditions match:
1. External Logging server configured for ACL rule match.
2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).
3. The forwarded logging destination connection causes a crash in TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use one of the following workarounds:
--Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the forwarding Virtual.
Fix:
Connections originated by the BIG-IP to the remote logging server are no longer subjected to ACL checks, so no log messages are generated for the logging server connection itself and the crash condition cannot occur.
632685 : bigd memory leak for FQDN nodes on non-primary bigd instance
Component: Local Traffic Manager
Symptoms:
On BIG-IP systems with multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes consume an unusually high amount of memory, and bigd cores may exist.
Conditions:
FQDN nodes are configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or as multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes, memory consumption by bigd on the non-primary blades or instances may be unusually high.
Impact:
bigd memory leak; possible bigd crash.
Workaround:
None.
632668-5 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
Component: TMOS
Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.
Conditions:
System is using statically configured BFD sessions. System is forced offline.
Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.
Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.
632658-4 : Enable SIP::persist command to operate during SIP_RESPONSE event
Component: Service Provider
Symptoms:
Without this change, it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.
Conditions:
The SIP::persist command is used to change the timeout of a SIP persistence entry during SIP_RESPONSE event processing.
Impact:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.
Workaround:
NA
Fix:
It is possible to change the timeout of a SIP persistence entry during SIP response message processing.
632646-4 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
Component: Access Policy Manager
Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.
Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.
Impact:
OAM login with an invalid ObSSOCookie results in an error page. The expected behavior is that the user is redirected to the login page if login with the ObSSOCookie fails.
Workaround:
No Workaround
Fix:
This issue is fixed. On authentication with an ObSSOCookie, the system now uses the getStatus() API call to check the ObSSOCookie status and redirects to the IdP if the status is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix, the user is redirected to the IdP when logging in with a cookie that was deleted manually from the OAM server.
632552-2 : tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
Solution Article: K08634156
Component: Local Traffic Manager
Symptoms:
tmm crashes.
Conditions:
When CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event which is fired before either event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Move the script in the _CLOSED events to other events.
Fix:
tmm no longer crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event.
632504-1 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
Solution Article: K31277424
Component: Access Policy Manager
Symptoms:
Non-LSO resources such as webtop, even when they are assigned via a normal resource assign agent, are listed under dynamic resources as opposed to static ones.
Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".
Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.
Workaround:
If it is a static resource, do not select it as dynamic resource.
Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.
632499-1 : APM Policy Sync: Resources under webtop section are not sync'ed automatically
Solution Article: K70551821
Component: Access Policy Manager
Symptoms:
Resources placed under a webtop section, such as webtop links and portal access, must be included as dynamic resources or else sync will fail.
Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-created portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.
Impact:
Sync will fail and some configured resources will not be available on the other devices.
Workaround:
Include those resources as dynamic resources in the Policy Sync advanced settings.
Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.
632472-1 : Frequently logged "Silent flag set - fail" messages
Component: Access Policy Manager
Symptoms:
APM logs excessive messages similar to the following:
2016-12-07,21:46:10:864, 1740,884,APPCTRL, 2, \UBindSecurityMgr.h, 119, UBindSecurityMgrImpl::GetWindow, Silent flag set - fail
Conditions:
This can occur when connecting to APM via the Edge Client.
Impact:
Excessive messages are logged. These messages can be ignored.
632423-4 : DNS::query can cause tmm crash if AXFR/IXFR types specified.
Solution Article: K40256229
Component: Global Traffic Manager (DNS)
Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.
Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.
Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.
Workaround:
Do not explicitly use AXFR or IXFR query types.
If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:
# Only query DNS Express when the client's question type is not a zone transfer (AXFR/IXFR).
if { not ([DNS::question type] ends_with "XFR") } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}
Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.
632386-1 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
Component: Access Policy Manager
Symptoms:
When a iClient control connection, between Edge Client and BIG-IP, exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface is down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.
Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection, without explicitly closing the current connection. This can happen when the client interface goes down or the client changes the network it is on.
Impact:
Edge Client cannot establish a iClient control connection and hence a tunnel to the BIG-IP.
Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the system attempts to accept the new connection request.
632366-1 : Prevent a spurious Broadcom switch driver failure.
Component: TMOS
Symptoms:
When a high volume of traffic is sent to a BIG-IP system, the Broadcom network switch driver might fail. The failure occurs because the switch driver is preempted (by tmm) from completing a long chip reprogramming routine and touching a watchdog. Sod, which monitors the watchdog, concludes that the switch driver has become nonfunctional and kills it.
Conditions:
A very high volume of traffic is sent to a BIG-IP system under certain circumstances.
Impact:
Potential eventual system outage if the Broadcom switch driver fails.
Workaround:
None.
Fix:
A spurious Broadcom switch driver failure is not possible anymore.
632344-2 : POP DIRECTIONAL FORMATTING causes false positive
Component: Application Security Manager
Symptoms:
ASM reports false positive violation for the XML request.
Conditions:
This occurs when "%E2%80%AC" (POP DIRECTIONAL FORMATTING) is used as an input in the XML request.
Impact:
When one of the following 3-byte characters arrives at the XML parser, the payload is considered malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).
Workaround:
None.
Fix:
This release now supports the following 3 byte chars within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).
632326-2 : relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
Solution Article: K52814351
Component: Application Security Manager
Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.
Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.
Impact:
False positive Malformed XML violations may still be reported.
Workaround:
N/A
Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1
bigstart restart asm
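For both 632344-2 (bidi formatting characters) and 632326-2 (unicode in XML), the following added example shows the check a parser should make before calling a payload malformed. It is not ASM code: it percent-decodes a request body as UTF-8, tests every code point against the XML 1.0 Char production (which admits U+202A through U+202C, so their 3-byte UTF-8 encodings are not grounds for a Malformed XML violation), parses the result with Python's standard library, and reports which bidi controls were present. The sample bodies are constructed.

```python
from urllib.parse import unquote
import xml.etree.ElementTree as ET

# Unicode bidi embedding controls named in the release note.
BIDI_FORMATTING = {
    0x202A: "LEFT-TO-RIGHT EMBEDDING",
    0x202B: "RIGHT-TO-LEFT EMBEDDING",
    0x202C: "POP DIRECTIONAL FORMATTING",
}


def is_xml_char(cp: int) -> bool:
    """XML 1.0 'Char' production (section 2.2): the only code points a
    well-formedness check may reject on their own."""
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)


def check_xml_payload(percent_encoded_body: str) -> dict:
    """Percent-decode a request body as UTF-8, parse it as XML, and report
    which bidi controls it contains.  Multi-byte UTF-8 sequences such as
    %E2%80%AC (U+202C) are valid XML characters and must not, by themselves,
    make the payload 'malformed'."""
    try:
        text = unquote(percent_encoded_body, encoding="utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return {"well_formed": False, "reason": "invalid UTF-8: %s" % exc, "bidi": []}
    bad = ["U+%04X" % ord(c) for c in text if not is_xml_char(ord(c))]
    if bad:
        return {"well_formed": False, "reason": "non-XML chars " + ",".join(bad), "bidi": []}
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return {"well_formed": False, "reason": str(exc), "bidi": []}
    found = {BIDI_FORMATTING[ord(c)] for c in "".join(root.itertext())
             if ord(c) in BIDI_FORMATTING}
    return {"well_formed": True, "reason": "", "bidi": sorted(found)}


# Constructed request bodies (percent-encoded, as they would arrive in a POST).
SAMPLE_BIDI = "<note><body>%E2%80%AAhello%E2%80%AC</body></note>"  # U+202A ... U+202C
SAMPLE_NONCHAR = "<note><body>%EF%BF%BE</body></note>"             # U+FFFE: not an XML Char
SAMPLE_TRUNCATED = "<note><body>%E2%80</body></note>"               # cut-off UTF-8 sequence

if __name__ == "__main__":
    for body in (SAMPLE_BIDI, SAMPLE_NONCHAR, SAMPLE_TRUNCATED):
        print(body, "->", check_xml_payload(body))
```

The bidi report is the useful part for a defender: the characters are legal XML and should pass a well-formedness check, but their presence in a field such as a filename or display name is still worth logging, since they alter how text renders.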
632324-2 : PVA stats does not show correct connection number
Component: Local Traffic Manager
Symptoms:
Run the command: tmsh show sys pva-traffic global
The current connection count shown may not be correct.
Conditions:
This occurs when there is PVA Traffic
Impact:
Wrong stats number for current PVA connections
Fix:
Fixed incorrect statistics for PVA Traffic
632178-1 : LDAP Query agent creates only two session variables when required attributes list is empty
Component: Access Policy Manager
Symptoms:
When the required attributes list is empty, the LDAP Query agent produces only two session variables.
In previous releases, the default behavior was to retrieve all of the user's attributes and populate them as session variables.
Conditions:
LDAP Query agent configured in an Access Policy.
Required attributes list is empty (no attribute is configured).
Impact:
The LDAP Query agent fails if a branch rule expects to get the user's attributes.
Any other agent in the policy that relies on the user's LDAP attributes will also fail.
Workaround:
As a workaround, you can explicitly configure the required attributes to be retrieved by the LDAP Query agent.
Fix:
The default behavior is back; when the required attributes list is empty, the LDAP Query Agent will retrieve all user's attributes and populate them as session variables.
632069-3 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
Component: TMOS
Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.
Conditions:
VE platform
Authenticated user with advanced shell access
Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.
Fix:
Update the sudo package to improve security.
632060-1 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★
Component: iApp Technology
Symptoms:
When upgrading to 12.1.1, 12.1.2 or 13.0 releases, executing a command similar to
curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks causes the following error:
"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",
Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0
Impact:
If your device has an iApps LX application, that application will not synchronize to the standby device. If a failover occurs, the iApps LX application appears to disappear, and traffic does not pass through the application.
Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.
Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. Use this procedure only if you absolutely need to run an iApps LX application.
1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage
Fix:
Upgrade to 13.1 or a 13.0.x hotfix.
632005-1 : BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as a SAML Service Provider (SP), IdP connector creation can be automated using a list of URIs containing IdP metadata.
Symptom for this issue:
When remotely published metadata changes, BIG-IP is not able to modify previously created idp-connector object(s) to reflect the changes.
When issue happens, the error similar to following is logged in /var/log/saml_automation.log :
"apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."
Conditions:
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.
Impact:
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata.
This may have different impact based on how metadata is changed.
Impact can be from none to user authentication failure (e.g. when IdP signing certificate is changed).
Workaround:
When error is encountered:
- Manually remove affected idp-connector configuration object
- Restart samlidpd service : "bigstart restart samlidpd"
As a result, SAML connector automation re-creates the idp-connector objects with the current, up-to-date metadata files.
Fix:
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.
632001-1 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
Component: Local Traffic Manager
Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.
This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.
Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/local folder.
Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.
Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.
Fix:
fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local.
Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.
631866-2 : Cannot access LTM policy rules in the web UI when the name contains certain characters
Solution Article: K12402013
Component: TMOS
Symptoms:
Accessing LTM policy rules in the web UI when the name contains percent (%) or slash (/) displays an empty page.
Conditions:
The LTM policy rule name being accessed contains the characters percent (%) or slash (/).
Impact:
The policy rule properties page displays an empty page.
Workaround:
Update the LTM policy rule using tmsh.
Fix:
LTM policy rules can be accessed as expected in the web UI regardless of their names.
631862-1 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
Solution Article: K32107573
Component: Local Traffic Manager
Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, the HTTP2 profile receives neither the response's body nor an indication that the response has zero size.
Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).
Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.
Workaround:
Use the following iRule for affected URLs:
when HTTP_RESPONSE {
    # Re-issue the redirect as a non-chunked HTTP/1.1 response so the HTTP/2 stream is finalized.
    if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
        HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
    }
}
A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.
Fix:
When OWS serves a Transfer-Encoding chunked response with a zero-size chunk, BIG-IP properly handles the response and sends the END_STREAM flag, finalizing the response.
631737-1 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
Solution Article: K61367823
Component: Application Security Manager
Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.
Conditions:
This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.
Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request, either in the local log or in the remote logger. If no other violation was found, the ArcSight remote logger message reports attack_type="N/A".
Workaround:
None.
Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.
631722 : Some HTTP statistics not displayed after upgrade
Component: Application Visibility and Reporting
Symptoms:
Some statistics disappear after upgrade due to a bug in the HTTP statistics backup.
Conditions:
Upgrading to a newer version.
Impact:
Not all statistics are shown.
Workaround:
No workaround
Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.
631700-1 : sod may kill bcm56xxd under heavy load
Solution Article: K72453283
Component: TMOS
Symptoms:
Under heavy load, bcm56xxd may not get enough CPU cycles to finish some of its operations and to activate the watchdog. In that case, sod suspects that bcm56xxd has halted and terminates the process.
Conditions:
The system is very busy, tmm has a higher execution priority, and bcm56xxd does not get enough CPU cycles.
Impact:
The switch does not operate during the restart, and traffic might be interrupted.
Workaround:
Reduce the traffic to make the system less busy.
Fix:
bcm56xxd now activates the watchdog so that sod does not terminate the bcm56xxd process.
631688-7 : Multiple NTP vulnerabilities
Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302
631627-4 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start
Component: TMOS
Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on a vCMP guest. Connection failures occur when Bandwidth Controller (BWC) and Web Accelerator are enabled.
Running the tmsh show sys ha-status all-properties command indicates that tmm is in "ready-for-world", but the Fail status reads "Yes" when this is triggered.
Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.
Impact:
The system does not come up fully. TMM does not reach a ready state and does not pass traffic.
Workaround:
Remove BWC from the route domain and then reapply it.
Fix:
With BWC enabled and associated with a route domain, Web Accelerator enabled, and the system rebooted, the system and TMM now come up fully and pass traffic.
631626 : Unable to delete an access profile which contains a route domain agent
Component: Access Policy Manager
Symptoms:
If an Access profile contains a policy with a route domain agent, the policy cannot be copied or deleted from the GUI or command line tools.
The GUI and CLI both fail with the following message:
Operation error: getHash failed
Conditions:
Access profile contains a route domain agent.
Impact:
Cannot delete or copy the Access profile.
Workaround:
Delete the route domain agent from the VPE and then copy/delete the Access profile.
Fix:
You can now copy and delete Access profiles which contain a route domain agent.
631609-1 : ASM Centralized Management Infrastructure Sync issues
Component: Application Security Manager
Symptoms:
Devices in multiple automatic-sync device groups may extraneously request a full sync after the initial device sync, or after a full sync event.
Conditions:
Devices are in an autosync failover group and an autosync sync-only group with ASM sync enabled.
Impact:
A device may extraneously request additional full syncs after receiving a full sync from its peer or after adding an ASM policy.
Workaround:
No workaround.
Fix:
Extraneous full sync requests are no longer sent.
631582 : Administrative interface enhancement
Solution Article: K55792317
631472-1 : Resetting classification signatures to default may result in non-working configuration
Component: Traffic Classification Engine
Symptoms:
The configuration does not load when you run "tmsh load ltm classification signature default" or click the Reset to Defaults button on the Traffic Intelligence :: Applications : Signature Update page.
Conditions:
1. You upgrade classification signatures with an IM package and reference one of the newly added applications or categories in your configuration (e.g., in a PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.
Impact:
Configuration will not load.
Workaround:
Remove the application that came with the new IM package from the configuration.
Fix:
This release solves the problem of potentially non-working configurations after classification signatures are reset to default.
631444-2 : Bot Name for ASM Search Engines is case sensitive
Component: Application Security Manager
Symptoms:
A CS challenge is returned for a request from a known search engine whose bot name is sent in a different case than configured.
Conditions:
ASM profile is configured on the VS; DoS profile is not configured on the VS.
Impact:
Known search engines receive a CS challenge.
Workaround:
Configure a DoS profile on the VS in which the only feature enabled is Bot Signatures, in report-only mode, with only the search engine category enabled.
Fix:
The ASM Search Engines bot names are now case insensitive.
631334-4 : TMSH does not preserve \? for config save/load operations
Solution Article: K69038629
Component: TMOS
Symptoms:
TMSH strips the escape characters from the literal strings '\?' and '\[' in LTM monitor send/recv strings, turning them into '?' and '['.
Conditions:
This condition manifests whenever the send/recv string in LTM monitor contains '\?' (backslash-question mark) or '\[' (backslash-open square bracket).
Impact:
This might cause the BIG-IP system to load incorrect monitor send/recv strings.
Workaround:
Use [] (open square bracket, close square bracket) around the character in these cases when using a recv string, for example:
[?] [[]
Another option is to not use '\' (backslash) in front of '[' (open square bracket) to indicate a literal string.
Note: This workaround is not valid for send strings.
631316 : Unable to load config with client-SSL profile error★
Solution Article: K62532020
Component: TMOS
Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'
Conditions:
This occurs when both of the following conditions are met:
-- The system is loading config.
-- The config contains a client SSL profile that has an RSA cert-key-chain whose key is the default (/Common/default.key), but whose chain is non-empty or whose cert is different from /Common/default.crt. For example:
cert-key-chain {
    cert /Common/default.crt <==== default cert
    chain /Common/chainCA.crt <==== non-empty
    key /Common/default.key <==== default key
    rsa {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
    }
}
Impact:
Configuration cannot be loaded.
Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.
Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
3. Update the client SSL profile by setting the .crt and .key to non-default values, as shown in the following example:
cert-key-chain {
    cert /Common/kc.crt <==== changed to non-default
    chain /Common/chainCA.crt
    key /Common/kc.key <==== changed to non-default
    rsa {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
    }
}
4. Save your changes, and then run the following command:
tmsh load sys conf
631286-1 : TMM Memory leak caused by APM URI cache entries
Component: Access Policy Manager
Symptoms:
Tmctl stats for "access_uri_info" gradually grow and can lead to TMM memory exhaustion.
Conditions:
APM or SWG in use.
Impact:
TMM memory exhaustion.
Workaround:
Restart tmm.
Fix:
This release implements a limit on how many entries the system stores in the URI cache. The default is 2048 entries; the DB variable allows a range of 2048 to 8192. You can use the following DB variable to control the maximum:
access.max.euie_uri.cache.entries
631204-1 : GeoIP lookups incorrectly parse IP addresses
Solution Article: K23124150
631172-4 : GUI user logged off when idle for 30 minutes, even when longer timeout is set
Solution Article: K54071336
Component: TMOS
Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.
Conditions:
User logged in to the GUI and idle for 20-30 minutes.
Impact:
User is logged out of the GUI.
Workaround:
None.
Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.
631131-3 : Some tmstat-adapters based reports stats are incorrect
Component: Application Visibility and Reporting
Symptoms:
Stats are collected incorrectly for tmstat tables that use a partial key, which leads to wrong values in reports.
Conditions:
Using a partial key from a tmstat table in a tmstat adapter.
Impact:
Wrong stats values for some reports.
Fix:
Tmstat-Adapters now uses the correct API from the tmstat framework, which simulates a 'group-by' function on the query and thus provides the correct result set.
631060-1 : BIG-IP may incorrectly reject serverside connection when REQLOG is configured.
Component: Access Policy Manager
Symptoms:
The serverside connection can be reset when a V2 plugin, e.g., REQLOG, is configured on the virtual server.
Conditions:
Virtual server configured with REQLOG and SSL clientside and serverside profiles.
Impact:
Serverside connections cannot be established due to an early TCP RST and a failing TCP handshake.
Workaround:
Remove REQLOG from configuration.
Fix:
V2 plugins now work correctly when the clientside is disabled on the hudchain.
631048-1 : Portal Access [PeopleSoft] 'My Preferences' page does not have content
Component: Access Policy Manager
Symptoms:
In the PeopleSoft (PS) web application, the 'My Preferences' page contains no content.
Conditions:
Steps to reproduce:
1. Navigate to and log in to the PS Portal through the reverse proxy.
2. Click the 'My Preferences' item in the 'Action list' button.
Impact:
Page contains no content. Web-application does not work as expected.
Workaround:
To work around this issue, use an iRule.
Fix:
The issue is fixed.
631025-1 : 500 internal error on inline rule editor for certain firewall policies
Component: Advanced Firewall Manager
Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.
Conditions:
-- This occurs when editing certain firewall policies in the GUI.
-- The issue is specific to policies with rules that meet the following criteria:
a) At least two addresses with the same first three octets.
b) The addresses are in a non-default partition, for example:
141.146.155.40%1 { }
141.146.155.41%1 { }
Impact:
Unable to view or edit the policy; the page returns an error.
Workaround:
You can view these rules in the GUI by disabling the inline rule editor.
Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.
630929-1 : Attack signature exception list upload times-out and fails
Solution Article: K69767100
Component: Application Security Manager
Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------
Conditions:
ASM provisioned.
Attack signature exception list uploaded.
Impact:
Attack signature exception list upload times-out and fails.
Workaround:
N/A
Fix:
Improved the Attack signature exception list upload process to take much less time.
630661-2 : WAM may leak memory when a WAM policy node has multiple variation header rules
Solution Article: K30241432
Component: WebAccelerator
Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.
Conditions:
A WAM policy with a node that uses multiple variation header rules.
Impact:
Potential per-request memory leakage driven by client traffic.
Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.
Fix:
WAM no longer leaks memory when evaluating policy nodes that use two or more header variation rules.
630622-1 : tmm crash possible if high-speed logging pool member is deleted and reused
Component: TMOS
Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.
Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.
630611-1 : PEM module crash when subscriber not found
Solution Article: K84324392
Component: Policy Enforcement Manager
Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.
Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.
Impact:
PEM/TMM SIGSEGV.
Workaround:
None.
Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.
630610-5 : BFD session interface configuration may not be stored on unit state transition
Solution Article: K43762031
Component: TMOS
Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.
Conditions:
State transitions from online to offline.
Impact:
The BFD configuration goes missing from the ZebOS running config, and no BFD sessions are established.
Workaround:
Re-add statements manually.
Fix:
BFD session interface configuration is now stored on unit state transition.
630571-1 : Edge Client on Mac OSX Sierra stuck in a reconnect loop
Solution Article: K35254214
Component: Access Policy Manager
Symptoms:
Upon waking the laptop, the Edge Client is stuck in a reconnect loop.
Conditions:
Full tunnel with no Local LAN Access in the profile; opening the device lid triggers an attempt to reconnect to the VPN service. This occurs only with Mac OS X 10.12.1.
Impact:
Cannot connect to the VPN, and the Edge Client gets stuck in a reconnect loop.
Workaround:
Set 'Allow local subnet access' to enabled.
Fix:
In this release, the Edge Client on Mac OS X 10.12.1 now resumes the VPN connection.
630546-1 : Very large core files may cause corrupted qkviews
Component: TMOS
Symptoms:
If a core file on a slave blade in a chassis is too large for qkview to include, the qkview file for that blade can be corrupted.
Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.
Impact:
iHealth will not parse the qkview.
Workaround:
Copy the core files on the slave blade from /etc/core to a back up location and delete the original files before creating the qkview.
Fix:
qkview now completes as expected when core files greater than 2.4 GB exist in /var/core.
630475-5 : TMM Crash
Solution Article: K13421245
630446-1 : Expat vulnerability CVE-2016-0718
Solution Article: K52320548
630356-1 : JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
Component: Application Security Manager
Symptoms:
The JavaScript challenge sent in response to a POST request within an iframe is followed up with a GET request when the client is Microsoft Internet Explorer or Edge. The request reconstruction is incorrect, and the back-end server does not receive the request payload.
This applies to all types of JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, and CAPTCHA Challenge.
Conditions:
A JavaScript challenge is used on a POST request when one of the following features is enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.
Impact:
POST requests will be sent as GET and the request payload will not reach the back-end server.
Workaround:
None.
Fix:
JavaScript challenges to POST requests are sent correctly to the back-end server when coming from iframe in Microsoft Internet Explorer/Edge browsers.
630355-3 : Local Logs Missing Or Recorded Found For Incorrect Policy
Solution Article: K57041868
Component: Application Security Manager
Symptoms:
When loading a UCS (manually or due to a UCS sync) that has the same ASM policy names, but created in a different order, the local logging daemon does not update its internal mappings.
Conditions:
The configuration is replaced by a UCS load that had a different list of ASM Policies.
Impact:
Local logs may be missing or listed for an incorrect ASM policy.
Workaround:
Restart asmlogd.
630306-1 : TMM crash in DNS processing on UDP virtual server with no available pool members
Component: Local Traffic Manager
Symptoms:
TMM crash when processing requests to a DNS virtual server.
Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.
Ensure datagram LB mode is enabled on UDP DNS virtuals.
Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.
630150-1 : Websockets processing error
Solution Article: K51351360
629921-4 : [SWG] NTLM 407-based front-end auth and passthrough 401-based NTLM back-end auth does not work.
Component: Access Policy Manager
Symptoms:
With SWG client-side NTLM auth configured, while NTLM auth is being performed for the backend, the ECA plugin traps the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, sinks the request, and generates a 407 to the client to perform proxy authentication.
Conditions:
Set up SWG for auth with NTLM credentials.
Access a proxied resource that also requires NTLM auth.
Impact:
Backend server access is restricted.
Workaround:
None.
Fix:
When using SWG in explicit proxy mode with NTLM authentication via the Proxy-Authenticate header, BIG-IP now allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication via the Authenticate header.
629871-2 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases
Component: Carrier-Grade NAT
Symptoms:
Deploying NAT64 as part of a 464 XLAT solution may overwrite PASV responses in 464 XLAT cases.
Conditions:
FTP ALG deployment.
Impact:
PASV responses in 464 XLAT cases are overwritten.
Workaround:
None.
Fix:
Deploying NAT64 as part of a 464 XLAT solution no longer overwrites PASV responses in 464 XLAT cases.
629845-2 : Disallowing TLSv1 connections to HTTP causes iControl/REST issues
Component: Device Management
Symptoms:
When HTTP disallows TLSv1 connections, UCS via iControl/REST fails with the following in the logs:
[SEVERE][86][08 Nov 2016 16:47:20 UTC][com.f5.rest.icontrol.IControlRunnable] (iControl execution) AxisFault[; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]:
[WARNING][87][08 Nov 2016 16:47:20 UTC][8100/tm/shared/sys/backup/52d67805-3aab-4260-8770-a690154c698e/worker UcsBackupTaskWorker] Failed to restore from backup: backup_test.ucs
Conditions:
This occurs when TLSv1 is explicitly disallowed in the HTTP profile.
Impact:
iControl REST clients are unable to connect.
Workaround:
None.
Fix:
Explicitly disallowing TLSv1 in the HTTP profile no longer causes iControl/REST issues.
629801-2 : Access policy is applied automatically on the target device after policy sync when there is also a FODG in the trust domain.
Component: Access Policy Manager
Symptoms:
After syncing an access policy, the other device should prompt you to apply the policy change, but instead it applies the policy automatically.
Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.
The key trigger for this symptom is that the failover device group is listed first in the configuration. When this is the case, the policy is applied automatically, which should not occur.
Impact:
Policy changes are automatically applied, when they should only be synced with a prompt to apply after the sync.
Workaround:
None.
Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.
629698-1 : Edge client stuck on "Initializing" state
Component: Access Policy Manager
Symptoms:
It takes a long time to reestablish the VPN connection when the Edge Client switches to a network with Captive Portal authentication. The Edge Client freezes in the "Initializing" state for around 1 minute.
Conditions:
This can occur on the Edge Client with Captive Portal configured.
Impact:
The Edge Client is stuck on "Initializing" for an excessive amount of time.
629663-1 : CGNAT SIP ALG will drop SIP INVITE
Solution Article: K23210890
Component: Service Provider
Symptoms:
SIP INVITE message is dropped.
Conditions:
Subscriber registers and then attempts to call out.
Impact:
Subscriber not able to make calls.
Workaround:
None.
Fix:
The system now uses the expiration value from the SIP message, i.e., either the expires parameter or the Expires header, to update the timeout of the registration record.
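The expiry precedence the fix describes, as an added Python example that is not F5 code: it follows RFC 3261 section 10.2.4 (Contact "expires" parameter first, then the Expires header, then a default), and the sample SIP messages below are constructed for the demonstration.

```python
# Added example, not F5 code: pick a SIP registration lifetime the way the
# fix above describes. RFC 3261 section 10.2.4 precedence:
#   1. the "expires" parameter on the Contact binding,
#   2. otherwise the Expires header,
#   3. otherwise a default (3600 s, as RFC 3261 10.2.1.1 suggests).
import re
from typing import List, Optional

DEFAULT_EXPIRES = 3600
_EXPIRES_PARAM = re.compile(r";\s*expires\s*=\s*(\d+)", re.IGNORECASE)


def _split_contact_list(value: str) -> List[str]:
    """Split on commas that are outside "..." and <...>, so a display name
    such as "Doe, Jane" does not break the Contact list apart."""
    parts: List[str] = []
    buf: List[str] = []
    quoted, depth = False, 0
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            depth += 1
        elif not quoted and ch == ">":
            depth = max(0, depth - 1)
        if ch == "," and not quoted and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def header_values(message: str, name: str, compact: Optional[str] = None) -> List[str]:
    """All values of one header (case-insensitive, compact form aware),
    read from the header section only, so body bytes are never parsed."""
    head = message.split("\r\n\r\n", 1)[0]
    values: List[str] = []
    for line in head.split("\r\n")[1:]:          # line 0 is the start line
        hname, sep, hval = line.partition(":")
        if not sep:
            continue
        hname = hname.strip().lower()
        if hname == name.lower() or (compact is not None and hname == compact.lower()):
            values.extend(_split_contact_list(hval))
    return values


def contact_expires(contact: str) -> Optional[int]:
    """The expires= header parameter of one Contact value, or None. With a
    bracketed URI the header parameters follow the closing '>', so URI
    parameters inside the brackets are deliberately ignored."""
    params = contact.rsplit(">", 1)[1] if ">" in contact else contact
    m = _EXPIRES_PARAM.search(params)
    return int(m.group(1)) if m else None


def registration_expiry(message: str, default: int = DEFAULT_EXPIRES) -> int:
    """Seconds to keep the registration record, per RFC 3261 10.2.4."""
    for contact in header_values(message, "Contact", compact="m"):
        exp = contact_expires(contact)
        if exp is not None:
            return exp
    for value in header_values(message, "Expires"):
        if value.isdigit():
            return int(value)
    return default


# Constructed sample messages (RFC 5737 documentation addresses).
REGISTER_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Doe, Jane\" <sip:jane@example.com>;tag=a73kszlfl\r\n"
    "To: \"Doe, Jane\" <sip:jane@example.com>;tag=37GkEhwl6\r\n"
    "Call-ID: 1j9FpLxk3uxtm8tn@192.0.2.4\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: \"Doe, Jane\" <sip:jane@192.0.2.4:5060;transport=udp>;expires=1800\r\n"
    "Expires: 7200\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
UNREGISTER_ALL = (          # Contact: * with Expires: 0 removes every binding
    "REGISTER sip:example.com SIP/2.0\r\n"
    "m: *\r\n"
    "Expires: 0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
NO_EXPIRY_GIVEN = "REGISTER sip:example.com SIP/2.0\r\nContact: <sip:jane@192.0.2.4>\r\n\r\n"
```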
629627-1 : FPS Log Publisher is not grouped nor filtered by partition
Component: Fraud Protection Services
Symptoms:
If several log publishers are assigned to different partitions, it is not clear which log publisher is assigned to which partition.
All log publishers are displayed regardless of the partition selected.
Conditions:
FPS provisioned.
Two or more partitions.
Two or more log publishers assigned to different partitions.
Impact:
All log publishers are displayed regardless of partition.
Workaround:
None.
Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.
629573-1 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition
Solution Article: K66001885
Component: Application Visibility and Reporting
Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.
Conditions:
When using virtual servers and ASM policies under a non-'Common' partition, exported reports do not display the selected drill-down filters.
Impact:
Exported reports will be displayed without the filters.
Workaround:
None.
Fix:
Exported reports now take partitions into consideration, so the drill-down filters appear as expected.
629530-2 : Under certain conditions, monitors do not time out.
Solution Article: K53675033
Component: Global Traffic Manager (DNS)
Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".
Conditions:
This can rarely occur when the monitor timeout period elapses while either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time and the monitor timeout value is evenly divisible by the monitor interval.
Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.
Workaround:
Disable the affected resources, and then enable them again.
Fix:
The resource status is now correct under all monitor timeout conditions.
629499-9 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
Component: TMOS
Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found
This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.
Conditions:
It is not known exactly what triggers this; it is caused by a timing issue during system initialization of a multi-blade chassis.
Impact:
Certain tmsh sys perf commands fail to work and give an error.
Workaround:
Restart statsd on all blades once the chassis is up, e.g., by running "bigstart restart statsd" on each blade.
Fix:
statsd has been updated to reparse the statsd config file before rebuilding its config, so that it does not lose the unsupported tables in its list.
629421-1 : Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
Component: Global Traffic Manager (DNS)
Symptoms:
The memory consumption of Big3d will slowly increase if a lot of Wide IPs are being created or deleted.
Conditions:
Adding or removing Wide IPs on a GTM sync pair.
Impact:
A few bytes of memory will be leaked by Big3d on sync.
Workaround:
There is no workaround at this time.
Fix:
The leak has been eliminated.
629412-3 : BIG-IP closes a connection when a maximum size window is attempted
Component: Local Traffic Manager
Symptoms:
HTTP2 provides flow-control options that allow limiting the amount of data in flight. A client can send an increment to the window size, whose initial value is set by the standard to 65,535 bytes. BIG-IP used the 64K value inherited from SPDY, causing an overflow when the client tried to increment the value to its maximum.
Conditions:
HTTP2 profile is configured on a virtual, and client sends a WINDOW_UPDATE frame to increment the value to its maximum.
Impact:
BIG-IP treats the window size overflow as a protocol violation and therefore shuts the connection down without serving any request.
Workaround:
None.
Fix:
With the correct initial window size (for both a connection and a stream), BIG-IP correctly processes a request to increment the window size to its maximum.
629178-1 : Incorrect initial size of connection flow-control window
Solution Article: K42206046
Component: Local Traffic Manager
Symptoms:
When a client establishes an HTTP2 connection, both endpoints can update their flow-control windows for the connection, but the initial size of the connection flow-control window must be 65,535. BIG-IP erroneously sets it immediately to the configured value instead. The discrepancy in window size calculation can result in the client's requests being cancelled.
Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).
Impact:
BIG-IP updates the other endpoint with a WINDOW_UPDATE frame for the connection once a certain threshold is reached. This does not happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., a POST with a large amount of data), it resets the stream with an HTTP2 RST_STREAM frame, cancelling the request.
Workaround:
Configure the receive-window attribute in the HTTP2 profile to a value below 80 (Kilobytes).
Fix:
The fix in this release allows BIG-IP to behave according to the RFC and send WINDOW_UPDATE frames, preventing the connection flow-control window from being exhausted on the remote endpoint.
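The window arithmetic behind the two HTTP2 entries above (629412-3 and 629178-1), as an added Python model that is not BIG-IP code: the connection window starts at 65,535 bytes, is grown only by WINDOW_UPDATE frames, and must never exceed 2^31-1. All names and constants are this example's own, and "advertise the difference right after the preface" is the simplest RFC-conformant way to enlarge the window, not a description of BIG-IP's threshold logic.

```python
# Added example, not BIG-IP code: the HTTP/2 connection flow-control window
# as RFC 7540 section 6.9 defines it.
#   - Every connection starts with a 65,535-byte window for both endpoints.
#   - SETTINGS_INITIAL_WINDOW_SIZE changes stream windows only; the
#     connection window is grown only by WINDOW_UPDATE frames.
#   - A window may never exceed 2^31-1; going past that on the connection
#     window is a connection error (FLOW_CONTROL_ERROR).

MAX_WINDOW = 2**31 - 1        # RFC 7540 6.9.1
RFC_INITIAL_WINDOW = 65_535   # RFC 7540 6.9.2
SPDY_INITIAL_WINDOW = 65_536  # the 64K value bug 629412-3 says was inherited from SPDY


class FlowControlError(Exception):
    """A WINDOW_UPDATE or DATA frame violated the flow-control window."""


class ConnectionWindow:
    """Sender-side bookkeeping of how many bytes the peer allows us to send."""

    def __init__(self, initial: int = RFC_INITIAL_WINDOW) -> None:
        self.size = initial

    def apply_window_update(self, increment: int) -> int:
        """Apply the peer's WINDOW_UPDATE; return the new size or raise."""
        if not 1 <= increment <= MAX_WINDOW:
            raise ValueError("WINDOW_UPDATE increment must be in 1..2^31-1")
        if self.size + increment > MAX_WINDOW:
            raise FlowControlError(
                f"{self.size} + {increment} exceeds {MAX_WINDOW}")
        self.size += increment
        return self.size

    def send_data(self, nbytes: int) -> int:
        """Consume window for a DATA frame; return the remaining size."""
        if nbytes > self.size:
            raise FlowControlError("DATA frame larger than the send window")
        self.size -= nbytes
        return self.size


def peer_grows_window_to_max(local_initial: int) -> bool:
    """Bug 629412-3: the client, correctly assuming the window started at
    65,535, sends one WINDOW_UPDATE that takes it to the legal maximum.
    Return True if our bookkeeping (starting from local_initial) accepts it,
    False if it overflows and the connection would be torn down."""
    win = ConnectionWindow(local_initial)
    increment = MAX_WINDOW - RFC_INITIAL_WINDOW   # what the client sends
    try:
        win.apply_window_update(increment)
    except FlowControlError:
        return False
    return win.size == MAX_WINDOW


def initial_window_update_for(receive_window: int) -> int:
    """Bug 629178-1: a receiver that wants a connection window larger than
    65,535 must tell the peer with a WINDOW_UPDATE; this returns the
    increment to send right after the preface (0 if none is needed)."""
    if receive_window > MAX_WINDOW:
        raise ValueError("receive window cannot exceed 2^31-1")
    return max(0, receive_window - RFC_INITIAL_WINDOW)


def bytes_client_can_upload(receive_window: int, body_len: int,
                            advertise: bool) -> int:
    """Model the client's view of our receive window while it sends a large
    POST body. With advertise=False (the buggy behaviour: the larger window
    is assumed locally but never advertised) the client can send only
    65,535 bytes before it must wait for a WINDOW_UPDATE that never comes."""
    client_view = ConnectionWindow(RFC_INITIAL_WINDOW)
    if advertise:
        increment = initial_window_update_for(receive_window)
        if increment:
            client_view.apply_window_update(increment)
    sendable = min(body_len, client_view.size)
    client_view.send_data(sendable)
    return sendable
```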
629145-1 : External datagroups with no metadata can crash tmm
Component: Local Traffic Manager
Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.
Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to large datagroups.
629127-1 : Parent profiles cannot be saved using FPS GUI
Component: Fraud Protection Services
Symptoms:
Any parent profile (a profile that has been inherited from) cannot be saved in the FPS GUI.
Conditions:
FPS provisioned.
FPS licensed.
One or more child profiles.
Impact:
User configurations may not be saved.
Workaround:
Use TMSH or REST.
629085-1 : Any CSS content truncated at a quoted value leads to a segfault
Solution Article: K55278069
Component: TMOS
Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.
Example:
...
.c1 {background-image: url('some
Conditions:
CSS ends without closing quote in value.
Example:
...
.c1 {background-image: url('some
Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.
Workaround:
Use a particular iRule.
Fix:
CSS content truncated at a quoted value no longer leads to a segfault.
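An added Python example, not F5 code, of a url() scanner that tolerates the truncated input shown in this entry: reaching the end of input inside a quoted value is reported as an incomplete token instead of being read past, and the illustrative prefix rewriter leaves such a value alone. The function names and the sample CSS are this example's own.

```python
# Added example, not F5 code: scan and rewrite url() values in CSS without
# ever reading past the end of input, which is the failure mode above
# (a quoted value cut off at EOF). Handles quoted and unquoted values and
# backslash escapes inside quotes.
import re
from typing import List, Tuple

URL_OPEN = re.compile(r"url\(\s*", re.IGNORECASE)

# Each hit: (value_start, value_end, value, complete). complete is False when
# the closing quote or ')' never arrived, i.e. the content was truncated.
UrlHit = Tuple[int, int, str, bool]


def scan_css_urls(css: str) -> List[UrlHit]:
    found: List[UrlHit] = []
    n, pos = len(css), 0
    while True:
        m = URL_OPEN.search(css, pos)
        if m is None:
            return found
        i = m.end()
        if i >= n:                               # "url(" is the last thing we have
            found.append((i, i, "", False))
            return found
        quote = css[i] if css[i] in "'\"" else None
        if quote:
            i += 1
            start = i
            while i < n and css[i] != quote:     # skip escaped characters
                i += 2 if css[i] == "\\" else 1
            end = min(i, n)                      # never index beyond the buffer
            value = css[start:end]
            if i >= n:                           # EOF inside the quoted value
                found.append((start, end, value, False))
                return found
            i += 1                               # step over the closing quote
        else:
            start = i
            while i < n and css[i] != ")":
                i += 1
            raw = css[start:i]
            value = raw.strip()
            end = start + len(raw.rstrip())
        j = i
        while j < n and css[j].isspace():
            j += 1
        complete = j < n and css[j] == ")"
        found.append((start, end, value, complete))
        pos = j + 1 if complete else j


def rewrite_css_urls(css: str, prefix: str) -> str:
    """Prepend prefix to every complete url() value (e.g. a proxy path);
    an incomplete value is copied through unchanged rather than rewritten
    from partial state."""
    out: List[str] = []
    last = 0
    for start, end, value, complete in scan_css_urls(css):
        if not complete:
            continue
        out.append(css[last:start])
        out.append(prefix + value)
        last = end
    out.append(css[last:])
    return "".join(out)


# Constructed inputs: the truncated one mirrors the example in this entry.
TRUNCATED_CSS = ".c1 {background-image: url('some"
COMPLETE_CSS = '.a {background: url("a.png")} .b {background: url( b.png )}'
```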
629069-2 : Portal Access may delete scripts from HTML page in some cases
Component: Access Policy Manager
Symptoms:
If JavaScript uses a Range.createContextualFragment() call to insert new scripts into the HTML document, in some cases Portal Access may delete one of the scripts in the page.
Conditions:
JavaScript that uses Range.createContextualFragment() to create new scripts, which are then added by subsequent insertBefore()/insertAfter() calls.
Impact:
The web application may not work correctly.
Workaround:
None.
Fix:
Web apps delivered via APM Portal Access can now use the Range.createContextualFragment(), insertBefore(), and insertAfter() JavaScript calls properly.
628972-2 : BMC version 2.51.7 for iSeries appliances
Component: TMOS
Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.51.7.
Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Upgrading firmware.
Impact:
This is a firmware upgrade.
Workaround:
None.
Fix:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
Behavior Change:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
628897-1 : Add Hyperlink to gslb server and vs on the Pool Member List Page
Component: Global Traffic Manager (DNS)
Symptoms:
Hyperlinks to the GSLB Server and Virtual-server are missing from the GSLB Pool Member list page.
Conditions:
This can be seen on the DNS :: GSLB : Pools : (pick a pool) : Members tab.
Impact:
You are unable to quickly get to the server and virtual server from this page.
Workaround:
Manually navigate to the associated server and virtual server.
Fix:
Hyperlinks for the associated server and VS are now shown on the Pool Member list page.
628890-1 : Memory leak when modifying large datagroups
Component: Local Traffic Manager
Symptoms:
When modifying large external datagroups, a significant memory leak may occur.
Conditions:
This can occur when a large datagroup is in use and is modified.
Impact:
Memory is leaked, and the amount of memory leaked can be significant.
Workaround:
None.
Fix:
Fixed a memory leak related to modifying large datagroups.
628869-4 : Unconditional logs seen due to the presence of a PEM iRule.
Component: Policy Enforcement Manager
Symptoms:
TMM log files will fill up.
Conditions:
Execution of an iRule with the following iRule command:
PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.
Impact:
The unconditional log entries crowd out relevant data in the TMM logs, making it harder to gather and search for it when the condition is encountered repeatedly.
Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.
Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.
628836-4 : TMM crash during request normalization
Solution Article: K22216037
628832-4 : libgd vulnerability CVE-2016-6161
Solution Article: K71581599
628739-1 : BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
Component: TMOS
Symptoms:
Configuring the management IP outside the management subnet succeeds without error.
Conditions:
On the LCD, navigate to the 'Setup' tab, and select 'Management'.
1. Set the default Gateway for the network.
2. Now set an IP address outside the Gateway subnet.
3. Notice no errors and commit is successful.
Impact:
Admin IP and Gateway for management route (/Common/default) not in a connected network.
Workaround:
Do not configure the IP and Gateway outside the management route.
Fix:
LCD no longer allows invalid configuration of mgmt IP (with gateway IP outside mgmt subnet).
628735-1 : Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
Component: TMOS
Symptoms:
The Hardware SYN Cookie Protection field is not displayed in the GUI configuration screen for TCP/FastL4/FastHTTP profiles, despite hardware support for the feature existing on the platform.
Conditions:
Configuring TCP/FastL4/FastHTTP profiles in the BIG-IP GUI.
This occurs on vCMP guests, on the 5000/5050, 5200/5250, 7000/7050/7055, 7200/7250/7255, 10000/10050/10055, 10200/10250/10255, 10350N, i5600, i5800, i7600, i7800, i10600, i10800 platforms, and on VIPRION systems using the B4450 or B4450N blades.
Impact:
The Hardware SYN Cookie Protection field is not displayed.
Workaround:
Use tmsh to set the Hardware SYN Cookie Protection field.
Fix:
The system no longer uses a static list of platforms that have an HSB as a basis for displaying the Hardware SYN Cookie Protection option in the GUI, so the field is shown as expected.
628721-1 : In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
Component: Local Traffic Manager
Symptoms:
If a TCP connection is initiated by the DNS cache resolver but fails to be fully created, it may be leaked until the next restart of tmm.
Conditions:
This is only known to occur when other internal issues are affecting the tmm's functionality. If there are ongoing log messages in the tmm logs of the form: "hud_msg_queue is full," and a DNS cache resolver is attempting new outbound TCP connections, then it is possible to leak these connections.
Impact:
If enough connections are leaked, the tmm will not be able to create new connections even if the conditions causing the "hud_msg_queue" log messages resolve.
Workaround:
Restarting tmm will clear the leaked connections.
Fix:
The connections are now properly cleaned up if they are unsuccessfully created.
628712-1 : Advanced customization doesn't work for Profiles in non-common partition with . (period) with name
Solution Article: K53129098
Component: Access Policy Manager
Symptoms:
Advanced customization does not work for profiles in a non-Common partition whose name contains a period (.).
For example, when selecting logon.inc, no source is shown in the window.
Conditions:
Access Profile outside of Common partition.
Impact:
Unable to modify advanced customization. Other functionality is not affected.
Workaround:
Rename profile and policy to non-period version or import profile and then reexport with no periods.
Fix:
Advanced customization now works for profiles in a non-Common partition whose name contains a period (.).
628687-2 : Edge Client reconnection issues with captive portal
Component: Access Policy Manager
Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.
Conditions:
Connect to APM through a captive portal.
Impact:
EdgeClient stuck at "Reconnecting".
Workaround:
None.
Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.
628685-2 : Edge Client shows several security warnings after roaming to a network with Captive Portal
Solution Article: K79361498
Component: Access Policy Manager
Symptoms:
Network is blocked by a captive portal. Captive portal uses HTTPS. Periodic-session-check reports SSL certificate is not trusted because access to APM is redirected (to captive portal).
Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.
Impact:
Numerous security warnings.
Workaround:
None.
Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.
628623-1 : tmm core with AFM provisioned
Component: Advanced Firewall Manager
Symptoms:
tmm cores on the secondary blade while passing traffic.
Conditions:
This can occur intermittently with AFM provisioned while passing traffic, even if AFM is not in use.
Impact:
Traffic disrupted while tmm restarts.
628402-4 : Operator users receive 'can't get object count from mcpd' error in response to certain commands
Component: TMOS
Symptoms:
Operator users receive the following error in response to certain commands:
Unexpected Error: Can't display all items, can't get object count from mcpd.
Conditions:
-- The user is 'Operator' level.
-- The command is a top-level list or show command, such as the 'show running-config' command.
Impact:
Operator-level users are unable to issue 'show' and 'list' commands on top-level objects, but can 'show' and 'list' specific configuration objects.
Workaround:
Issue commands for specific configuration objects.
Fix:
Operator-level users are now able to issue 'show' and 'list' commands on top-level objects without error.
628351-1 : Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
Component: Application Security Manager
Symptoms:
When Proactive Bot Defense is enabled, requests to URLs with Path Parameters (URLs containing a semicolon ;) may get stuck on a redirect loop. This typically applies to URLs which do not respond with HTML content or to URLs with low traffic.
Conditions:
-- Proactive Bot Defense is enabled.
-- URLs use Path Parameters (containing the semicolon ; character).
Impact:
Clients cannot access the web server, getting caught in an infinite redirect loop.
Workaround:
None.
Fix:
Requests to URLs with ";" no longer get stuck in a redirect loop when Proactive Bot Defense is enabled.
628348-1 : Cannot configure any Mobile Security list having 11 records or more via the GUI
Component: Fraud Protection Services
Symptoms:
Any item added to a list with more than 10 records in Mobile Security section is ignored.
Conditions:
Provision FPS
License mobilesafe
add 11 records to a list
Impact:
User configuration may not be saved.
Workaround:
Use tmsh or iControl REST.
Fix:
GUI allows adding items to lists with more than 10 records.
628337-1 : Forcing a single injected tag configuration is restrictive
Component: Fraud Protection Services
Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.
Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.
Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.
Workaround:
Configure injected tags in a way that can be applied to all URLs protected by a profile. If that is not possible because of the HTML structure of some URL, the HTML must be modified.
Fix:
Injected tags configuration has been moved to the URL level.
628311-3 : Potential TMM crash due to duplicate installed PEM policies by the PCRF
Solution Article: K87863112
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.
Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.
Impact:
Loss of service. Traffic disrupted while tmm restarts.
Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.
Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.
628202-4 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging
Component: TMOS
Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.
Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".
Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.
Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.
Fix:
Prevented audit_forwarder from using more memory than it needs.
628164-3 : OSPF with multiple processes may incorrectly redistribute routes
Solution Article: K20766432
Component: TMOS
Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.
Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.
Impact:
Incorrect routing information in the network when OSPF converges.
Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.
Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.
OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.
628016-2 : MP_JOIN always fails if MPTCP never receives payload data
Component: Local Traffic Manager
Symptoms:
MP_JOIN during an MPTCP connection always fails if the BIG-IP never receives payload data.
Conditions:
A virtual server is configured with a TCP profile attached and "Multipath TCP" is enabled.
An MPTCP connection is established where payload data is never sent to the BIG-IP.
Impact:
Unidirectional data connections receiving data from the BIG-IP (like with FTP) cannot join additional subflows.
Workaround:
There is no workaround at this time.
Fix:
Allow MP_JOIN after receiving a DATA_ACK that acknowledges data.
628009-1 : f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
Component: TMOS
Symptoms:
The f5optics functionality is not initialized on Herculon iSeries variants.
Conditions:
This occurs on the following Herculon iSeries platforms: HRC-i2800, HRC-i5800, HRC-i10800.
Impact:
None. No f5optics module database is presently provided for Herculon platforms, because Herculon uses no optics modules that require tuning (e.g., 100G).
Workaround:
None.
Fix:
With the fix, if an optics module data base is provided via an f5optics install, f5optics will become operational on Herculon. An f5optics database will be provided if optics modules requiring tuning are ever used with Herculon.
627972-2 : Unable to save advanced customization when using Exchange iApp
Solution Article: K11327511
Component: Access Policy Manager
Symptoms:
When a policy is created using the Microsoft Exchange iApp template, saving Advanced Customization (usually of the logon page) might fail with an error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.
Conditions:
Usually an HA pair with an access profile created by the Exchange iApp. In general, any advanced customization whose template name does not follow the customization_group_name:filename convention is affected.
Impact:
Unable to edit advanced customization; functionality is otherwise unaffected.
Workaround:
Edit bigip.conf. In the stanza
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to the customization_group_name:filename form, i.e.:
name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc
Fix:
Can now save advanced customization when using Microsoft Exchange iApp.
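The following script is an added illustration of the bigip.conf workaround above; it is not F5 code. It rewrites every template name inside an apm policy customization-group stanza so that the prefix before the colon is the group's own name. It understands only the brace layout quoted in the workaround (the SAMPLE_CONF below is a constructed copy of that stanza), so treat it as a demonstration of the rename rule rather than a general bigip.conf parser.

```python
"""Rewrite APM customization-group template names to <group>:<filename>.

Added example for the workaround above; not F5 code. Only the brace layout
shown in the release note is understood: one 'apm policy customization-group'
stanza, with 'name <prefix>:<filename>' lines nested inside it.
"""
import re

# Opening line of a customization-group stanza, capturing the group's full path.
GROUP_RE = re.compile(r"^apm policy customization-group (\S+) \{\s*$")
# A template 'name <prefix>:<filename>' line inside the stanza.
NAME_RE = re.compile(r"^(\s*)name (\S+?):(\S+)\s*$")

# Constructed sample, modelled on the stanza quoted in the workaround.
SAMPLE_CONF = """\
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
"""


def normalize_customization_names(conf):
    """Return (rewritten text, [(old_name, new_name), ...]).

    Inside each customization-group stanza, every template 'name' whose prefix
    (the part before ':') is not the group's own name is rewritten so that it is.
    Lines outside such stanzas are passed through untouched.
    """
    out, changes = [], []
    group, depth = None, 0
    for line in conf.splitlines():
        m = GROUP_RE.match(line)
        if m and group is None:
            group, depth = m.group(1), 0
        if group is not None:
            n = NAME_RE.match(line)
            if n:
                indent, prefix, filename = n.groups()
                old, new = f"{prefix}:{filename}", f"{group}:{filename}"
                if old != new:
                    changes.append((old, new))
                    line = f"{indent}name {new}"
            # Track brace depth so we know when the stanza closes.
            depth += line.count("{") - line.count("}")
            if depth == 0:
                group = None
        out.append(line)
    text = "\n".join(out)
    if conf.endswith("\n"):
        text += "\n"
    return text, changes


if __name__ == "__main__":
    fixed, changed = normalize_customization_names(SAMPLE_CONF)
    for old, new in changed:
        print(f"{old}\n  -> {new}")
    print(fixed)
```

Run it against a copy of bigip.conf, review the reported old/new pairs, and only then copy the result into place and reload the configuration; the script is idempotent, so a second pass reports no changes.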
627961-3 : nic_failsafe reboot doesn't trigger if HSB fails to disable interface
Solution Article: K15130343
Component: TMOS
Symptoms:
When the HSB driver fails to disable an interface, it attempts to trigger a nic_failsafe reboot, but the reboot never happens.
Conditions:
In hsb_ifdown_go_dead, the driver disables nic_failsafe before triggering it, so the trigger has no effect.
Impact:
TMM may restart continuously resulting in interfaces bouncing constantly.
Workaround:
Reboot the device.
Fix:
This release fixes issues where nic_failsafe reboot did not happen on HSB failures.
627926-1 : Retrieving a server-side SSL session ID in iRules does not work
Solution Article: K21211001
Component: Local Traffic Manager
Symptoms:
Retrieving the server-side SSL session ID using iRule does not work.
Conditions:
Retrieve server-side SSL Session ID using an iRule.
Impact:
iRules that try to log or capture an SSL session ID will not work properly.
Workaround:
None.
Fix:
The server-side SSL session ID can now be retrieved with an iRule.
627916-1 : Improve cURL Usage
Solution Article: K81601350
627914-1 : Unbundled 40GbE optics reporting as Unsupported Optic
Component: TMOS
Symptoms:
When a 40G interface is configured "bundle disabled" the optic module in use on the interface will be declared as an "Unsupported optic" module even though the optic module is F5 branded.
Conditions:
Using unbundled 40GbE optics.
Impact:
This is a cosmetic problem. The interface is able to function as intended.
Workaround:
No workaround, problem is cosmetic.
Fix:
An otherwise supported optics module is no longer declared unsupported when bundling is disabled on the interface.
627907-1 : Improve cURL usage
Solution Article: K11464209
627898-2 : tmm leaks memory in the ECM subsystem
Solution Article: K53050234
Component: TMOS
Symptoms:
tmm leaks memory in the ECM subsystem.
Conditions:
-- You import one or more SSL certificates onto the system.
-- The SSL certificate names contain the string 'ca-bundle.crt'. For example, 'my-ca-bundle.crt'.
Impact:
With this configuration in place, tmm leaks memory each time the configuration is modified. tmm eventually runs out of free memory. This initially impacts traffic and might eventually lead to tmm crashing and restarting. Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue by renaming your SSL certificates so that their names do not contain the 'ca-bundle.crt' string.
Fix:
TMM no longer leaks memory in the ECM subsystem.
627798-3 : Buffer length check for quota bucket objects
Component: Policy Enforcement Manager
Symptoms:
For quota bucket (Rating Groups) objects, BIG-IP allocates a large local buffer and does not expect it to be overrun, because the objects are expected to be smaller than the buffer.
Conditions:
Any quota bucket object being inserted into the PEM database.
Impact:
For quota bucket objects which are in PEM database, the buffer is usually large enough, so there should not be any impact. But if the quota bucket ever gets larger, then potential corruption of the quota bucket information could occur. This could trigger a tmm core. Traffic disrupted while tmm restarts.
Workaround:
Configure quota buckets with fewer rules.
627764-2 : Prevent sending a 2nd RST for a TCP connection
Component: Local Traffic Manager
Symptoms:
After a specific sequence of packets that resulted in a RST being sent, the TCP connection was kept alive and sent another RST when the connection expired.
Conditions:
A specific sequence of packets (a second SYN segment within the TCP window) is received by a TCP connection.
Impact:
Two RST segments are sent to the client instead of one. In addition, the TCP connection was kept alive until the sweeper cleaned it up.
Workaround:
There is no workaround at this time.
Fix:
TCP now sends a single RST for this sequence of packets.
627747-1 : Improve cURL Usage
Solution Article: K20682450
627695-2 : [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the uninstall during "safenet-sync.sh -u" are not operational
Component: Local Traffic Manager
Symptoms:
'Yes' and 'No' options to proceed or cancel the uninstall operation are not operational.
Conditions:
Issue happens when running safenet-sync.sh -u.
Impact:
No impact.
Workaround:
None.
Fix:
In this release, the SafeNet uninstall command 'safenet-sync.sh -u' no longer presents a Yes or No option.
627616-3 : CCR-U missing upon VALIDITY TIMER expiry when quota is zero
Component: Policy Enforcement Manager
Symptoms:
CCR-U is not sent upon VALIDITY TIMER expiry.
Conditions:
If PCRF does not grant any GSU (no quota), but only specifies the VALIDITY timer.
Impact:
OCS does not get the CCR-U message and misses the information about quota.
Workaround:
The workaround is to set the following sys db timers to non-zero values, for example:
sys db tmm.pem.session.quota.bucket.denied.timeout { value "1" }
sys db tmm.pem.session.quota.bucket.depleted.timeout { value "2" }
sys db tmm.pem.session.quota.bucket.idle.timeout { value "3" }
Fix:
CCR-U is now sent upon VALIDITY TIMER expiry.
627574-1 : After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
Component: Local Traffic Manager
Symptoms:
If a BIG-IP system has Local Traffic Policies defined in a non-Common partition, and the system is upgraded to version 12.1.0, 12.1.1, or 12.1.2, attempting to create a new draft of the policy by selecting "Create Draft" will fail and give an error message similar to:
err mcpd[8140]: 01070734:3: Configuration error: Can't associate policy rule (/Partition1/Drafts/policy_name policy_name_policy_rule) folder does not exist
Conditions:
A system is upgraded to version v12.1.x with Local Traffic Policies in a non-default partition.
Impact:
You cannot modify existing Local Traffic Policies.
Workaround:
Manually create a 'Drafts' folder in the appropriate partition, e.g.:
tmsh create sys folder /Partition1/Drafts
Alternately, create a new (different) policy in the specified partition, and then delete it. Doing this has a side-effect of creating the Drafts folder.
627454 : Trimming leading whitespaces at logging profile creation
Component: Advanced Firewall Manager
Symptoms:
If a logging profile has a TAB character in its name, the name does not get double-quoted in bigip.conf, so configuration load fails.
Conditions:
Copy-pasting the logging profile name including a leading TAB character.
Impact:
Configuration loading failure upon next boot.
Workaround:
Copy-paste only the name (without the TAB character).
Fix:
Leading whitespaces (including TAB characters) are trimmed at profile creation, so the condition that caused the issue is eliminated.
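This entry describes a serialization hazard worth seeing concretely: a config writer that quotes names only when they contain a space emits a name with a leading TAB bare, and the loader then splits on that TAB. The following Python model is an added example, not F5 code and not how bigip.conf is actually parsed; it treats the file as whitespace-separated tokens with double-quoted strings, which is enough to show the round-trip failure, the quote-on-any-whitespace fix, and the trim-at-creation fix the release note describes. The object kind "security log profile" and the name "\tmy-log" are constructed for illustration.

```python
"""Model of the logging-profile name bug: unquoted whitespace breaks reload.

Added example, not F5 code. bigip.conf is modelled as whitespace-separated
tokens with double-quoted strings. 'buggy_serialize' is the pre-fix
behaviour described in the release note; 'serialize' quotes on any whitespace
and 'normalize_profile_name' is the trim-at-creation fix.
"""
import shlex


def buggy_serialize(kind, name):
    """Pre-fix behaviour: only a literal space triggers quoting, so a TAB is emitted bare."""
    token = f'"{name}"' if " " in name else name
    return f"{kind} {token} {{ }}"


def serialize(kind, name):
    """Quote the name if it contains any whitespace (space, TAB, newline, ...)."""
    token = f'"{name}"' if any(c.isspace() for c in name) else name
    return f"{kind} {token} {{ }}"


def normalize_profile_name(name):
    """Trim leading whitespace at creation time, so the condition never arises."""
    return name.lstrip()


def roundtrip_ok(kind, name, serializer):
    """Write the object with 'serializer', re-read it as a loader would, and
    report whether the name survived intact. A mismatch is what surfaces as a
    configuration load failure on the next boot."""
    tokens = shlex.split(serializer(kind, name))
    return tokens == kind.split() + [name, "{", "}"]


if __name__ == "__main__":
    pasted = "\tmy-log"            # constructed: name pasted with a leading TAB
    kind = "security log profile"  # hypothetical object kind, for illustration
    print("buggy writer, TAB name :", roundtrip_ok(kind, pasted, buggy_serialize))
    print("fixed writer, TAB name :", roundtrip_ok(kind, pasted, serialize))
    print("normalized name        :", repr(normalize_profile_name(pasted)))
```

The general lesson is the one the fix encodes: decide quoting from the whole character class the reader splits on, not from the single character you happened to test with, and normalize untrusted names at the boundary where they enter the configuration.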
627433-1 : HSB transmitter failure on i2x00 and i4x00 platforms
Component: TMOS
Symptoms:
On the BIG-IP i2x00 and i4x00 platforms, tmm enters an infinite 'restart' loop after a 'bigstart restart' or 'bigstart restart tmm' command if traffic is actively flowing through the TMM. This is the result of an HSB transmitter failure.
Conditions:
Traffic actively flowing through the tmm and you issue 'bigstart restart' or 'bigstart restart tmm'.
Another instance occurs when syncing the datasync-global-dg device-group for an HA configuration on iSeries platforms.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure all traffic is stopped before issuing the 'bigstart restart' or 'bigstart restart tmm' commands.
Setting HSB::failures_before_reset in /config/tmm_init.tcl to a high value, such as 1000 (default is 50), may also resolve the issue, depending on the conditions under which it occurred.
Fix:
TMM restart loop no longer occurs following 'bigstart restart' on i2x00 and i4x00 platforms.
627403-2 : HTTP2 can crash tmm when stats are updated on abort of a new connection
Component: Local Traffic Manager
Symptoms:
HTTP2 allocates a block of memory for collecting stats on a connection. If the connection is aborted for any reason, tmm may try to update the stats before that memory has been allocated.
Conditions:
HTTP2 profile is configured and assigned to a virtual.
Impact:
Traffic disrupted while tmm restarts.
Fix:
HTTP2 no longer accesses stats before the memory is allocated, preventing the TMM crash.
627360-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
Component: Application Security Manager
Symptoms:
These errors come up in asm log, upon first start after upgrade:
-------------------------
2016-11-02T08:33:09-06:00 localhost notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
Nov 2 08:35:34 c5af5ltm1b info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
Nov 2 08:36:03 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script launched
Nov 2 08:36:17 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script finished
Nov 2 08:36:23 c5af5ltm1b info asm_start[19802]: ASM config loaded
Nov 2 08:37:40 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined
Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead
Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted
Nov 2 08:38:33 c5af5ltm1b info perl[21860]: 01310053:6: ASM starting
-------------------------
Conditions:
ASM provisioned
Local request logging enabled
Upgrade of a maintenance release, HF or EHF
Impact:
Upgrade fails
Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.
In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error so that the UCS loads fine.
There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never
2) do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------
627341-1 : TMUI loginProviderName is invalid when requesting a REST token
Component: Device Management
Symptoms:
Requests for X-F5-Auth-Token fail when a TMUI view is loaded that requires a X-F5-Auth-Token used for REST requests.
Conditions:
On startup, if the tmos login provider takes too long to become available, it is never registered, and subsequent requests for auth tokens fail. This is a race condition and happens intermittently, typically on lower-end devices.
Impact:
GUI cannot retrieve F5-Auth-Token for REST requests
Workaround:
bigstart restart restjavad
Fix:
Added retry to add login provider if unavailable.
627279-2 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
tmm on a blade may crash during a CMP and PEM change.
Conditions:
Multi-blade chassis undergoing a CMP state change. Additionally requires PEM policy changes resulting in usage record updates.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an HA pair and have the active chassis fail over during a CMP state change. Allow the new standby chassis to complete its CMP state change activity.
Fix:
Handle sessionDB failures gracefully.
627257-2 : Potential PEM crash during a Gx operation
Component: Policy Enforcement Manager
Symptoms:
Tmm may core during a Gx operation
Conditions:
Requires a PEM virtual with Gx, Sd or Gy enabled. This occurs when tmm starts.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Perform proper validation checks as part of API processing.
627246-1 : TMM memory leak when ASM policy configured on virtual server
Solution Article: K09336400
Component: Local Traffic Manager
Symptoms:
TMM memory leak in hud_oob when ASM policy configured on virtual server.
Conditions:
-- ASM policy is configured on a virtual server.
-- URL access via the virtual server.
Impact:
System leaks 64 bytes of memory. TMM might run out of memory and eventually crash.
Workaround:
None. But disabling ASM policy configuration on the virtual server can alleviate the problem.
Fix:
A memory leak in hud_oob when ASM policy configured on virtual server has been fixed.
627214-3 : BGP ECMP recursive default route not redistributed to TMM
Component: TMOS
Symptoms:
ECMP recursive routes are not properly redistributed to TMM, resulting in an incorrect routing table.
Conditions:
Dynamic routing configured with multiple equal cost paths reachable through a recursive nexthop.
Impact:
Packets are not routed to all ECMP nexthops.
Workaround:
None.
Fix:
ECMP routes with a recursive nexthop are now used correctly by TMM.
627203-1 : Multiple Oracle Java SE vulnerabilities
Solution Article: K63427774
627117-1 : crash with wrong certificate in WSS
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
Web services security is turned on.
A bad, wrong, or missing certificate is attached.
Impact:
Traffic drop until the BD is back (or failover).
Workaround:
The workaround would be to fix the attached certificate.
Fix:
Fixed an issue in which a bad, wrong, or missing certificate attached to Web Services Security caused bd to crash.
627059-1 : In some rare cases TMM may crash while handling VMware View client connection
Component: Access Policy Manager
Symptoms:
TMM crashes.
Conditions:
VMware View client uses PCoIP to connect to backend via APM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed rare TMM crash during handling of VMware View client PCoIP connection
626990-1 : restjavad logs flooded with messages from ChildWrapper
Solution Article: K64915164
Component: TMOS
Symptoms:
Running iControl REST under heavy load might result in restjavad logs being filled with multiple, repeating messages similar to the following:
[WARNING][76559][13 Dec 2016 07:08:00 UTC][ChildWrapper] Exception found in child runner thread: null
Conditions:
-- Put iControl REST under a heavy load.
-- View restjavad logs.
Impact:
Logs fill with messages and rotate out. Logs full of these error messages might cause other messages to be missed.
Workaround:
None.
Fix:
iControl REST properly handles the exception described.
626910-1 : Policy with assigned SAML Resource is exported with error
Component: Access Policy Manager
Symptoms:
If an Access Profile's Access Policy has a SAML resource assigned, export fails with an error.
Conditions:
1. Access profile/access policy
2. Saml resource is assigned
Impact:
Unable to Export Policy
Fix:
Exporting a policy with an assigned SAML resource now succeeds.
626861-2 : Ensure unique IKEv2 sequence numbers
Solution Article: K31220138
Component: TMOS
Symptoms:
Although BIG-IP generates random sequence numbers for use in protocol negotiation, it is possible to allocate a new number already in use by a phase-one ike-SA or a phase-two child-SA.
Conditions:
When a sufficiently large number of tunnels are in use (e.g., numbering in the thousands), the odds of generating a duplicate sequence number are relatively high, given the number of random bits used to generate the number. More tunnels make it more likely to occur.
Impact:
On sequence number collision, this might confuse an old SA, and probably never complete negotiation of a new SA. In addition, the system might crash if updating an old SA happened in a state where update is not expected.
Workaround:
None.
Fix:
Now BIG-IP uses more random bits in generated sequence numbers, and it always checks whether a new sequence number is currently in use anywhere else before proceeding. Thus collisions cannot be generated in sequence number allocation. New numbers should always be guaranteed unique now.
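The fix above has two halves, more random bits and a check against identifiers already in use, and the reasoning behind both is worth seeing with numbers. The following Python is an added example, not F5 code: it evaluates the birthday bound for a given identifier width and tunnel count, counts duplicates when values are drawn with no check (the old behaviour), and shows an allocator that re-draws on collision. The widths (8, 16, 32, 64 bits), the reservation of zero, and the set-based registry are illustrative assumptions; the release note does not state how many bits BIG-IP used before or after the fix.

```python
"""Collision-free allocation of random SA identifiers.

Added example, not F5 code. Models the two halves of the fix described above:
more random bits per identifier, and a check that a freshly drawn value is not
already live before it is handed out. Bit widths and the set-based registry
are illustrative assumptions.
"""
import math
import secrets


def collision_probability(allocated, bits):
    """Birthday bound: P(at least one duplicate) among 'allocated' values drawn
    uniformly from 2**bits, i.e. 1 - exp(-n(n-1) / 2**(bits+1))."""
    return 1.0 - math.exp(-allocated * (allocated - 1) / 2.0 ** (bits + 1))


def naive_duplicates(allocated, bits, rng=secrets.randbits):
    """Count collisions when values are drawn with no in-use check (old behaviour)."""
    seen, dups = set(), 0
    for _ in range(allocated):
        n = rng(bits)
        if n in seen:
            dups += 1
        seen.add(n)
    return dups


class SaNumberAllocator:
    """Hands out identifiers that are guaranteed unique among live SAs."""

    def __init__(self, bits, rng=secrets.randbits):
        self.bits = bits
        self.rng = rng
        self.in_use = set()

    def allocate(self):
        """Draw until a value is found that is non-zero and not currently live."""
        if len(self.in_use) >= 2 ** self.bits - 1:
            raise RuntimeError("identifier space exhausted")
        while True:
            n = self.rng(self.bits)
            if n and n not in self.in_use:   # zero kept reserved (assumption)
                self.in_use.add(n)
                return n

    def release(self, n):
        """Return an identifier to the pool when its SA is torn down."""
        self.in_use.discard(n)


if __name__ == "__main__":
    for bits in (16, 32, 64):
        print(f"{bits:2d}-bit ids, 5000 tunnels: P(collision) = "
              f"{collision_probability(5000, bits):.3g}")
    print("naive 8-bit draws, 300 tunnels, duplicates:", naive_duplicates(300, 8))
    alloc = SaNumberAllocator(8)
    ids = [alloc.allocate() for _ in range(200)]
    print("checked 8-bit allocator, 200 tunnels, unique:", len(set(ids)) == 200)
```

With 5000 tunnels a 16-bit identifier collides almost surely while a 64-bit one collides with probability around 1e-12, which is why widening the field helps; the in-use check is what turns "unlikely" into "cannot happen", at the cost of a retry loop whose expected length grows only as the live set approaches the size of the identifier space.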
626851-2 : Potential crash in a multi-blade chassis during CMP state changes.
Solution Article: K37665112
Component: Policy Enforcement Manager
Symptoms:
CMP state change can result in a blade crash.
Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.
Impact:
Blade crash resulting in potential loss of service.
Workaround:
Deploy PEM in an HA-pair with a chassis fail over configured to occur if at most one blade on the active chassis fails.
Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.
626839 : sys-icheck error for /var/lib/waagent in Azure.
Component: TMOS
Symptoms:
On a BIG-IP deployed in the Azure cloud, sys-icheck reports a readlink error for the /var/lib/waagent directory, as follows:
ERROR: ....L.... /var/lib/waagent
Conditions:
BIG-IP deployed in Azure cloud.
Impact:
sys-icheck reports "rpm --verify" errors for /var/lib/waagent. This doesn't have any functional impact on the product but looks like factory RPM settings were modified externally and incorrectly.
Workaround:
No workaround exists for this issue.
Fix:
sys-icheck no longer reports an error for /var/lib/waagent on BIG-IP deployed in Azure.
626721-5 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
Component: TMOS
Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain errors messages similar to:
Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342
Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.
Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).
Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.
Fix:
Prevented the command "tmsh reset-stats auth login-failure <username>" from restarting mcpd instances on secondary blades when <username> is an unknown user. The bad command is intercepted at the primary blade and is dealt with there.
626596 : Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.
Component: TMOS
Symptoms:
Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections' instead of 'Assisted Connections'.
Conditions:
-- Running vCMP.
-- System provides hardware acceleration.
-- Statistics :: Analytics :: Hardware Acceleration menu.
Impact:
Spelling of 'Assited' instead of the expected 'Assisted'.
Workaround:
N/A
Fix:
Changed spelling of 'Assited' to 'Assisted'.
626589-6 : iControl-SOAP prints beyond log buffer
Solution Article: K73230273
Component: TMOS
Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.
Conditions:
Logging for iControl SOAP is turned on with trace level.
Impact:
iControl-SOAP can print out garbage log to /var/log/ltm and can potentially lead to instability with reading beyond a buffer.
Workaround:
Do not enable logging with trace level, which is not turned on by default.
Fix:
Trim trace buffer to appropriate length to prevent printing garbage.
626542-2 : Unable to set maxMessageBodySize in iControl REST after upgrade★
Component: Device Management
Symptoms:
After upgrading and attempting to set maxMessageBodySize via iControl REST, you get an error indicating the command is not implemented:
{"code":400,"message":"onPut Not implemented","originalRequestBody":"{\"maxMessageBodySize\": \"111111111\"}","referer":"127.0.0.1","restOperationId":216941,"kind":":resterrorresponse"}
Conditions:
This occurs when upgrading from v11.6.1 to v12.1.0, v12.1.1, or v12.1.2, and applying the UCS from the 11.6.1 release. The error is generated because new defaults were added but they are not set on UCS restore.
Impact:
Command fails, unable to set maxMessageBodySize.
Workaround:
If you encounter this after an upgrade and UCS restore, you can run the following commands from the BIG-IP command line:
1. curl -X DELETE http://localhost:8100/shared/storage?key=shared/server/messaging/settings/8100
2. bigstart restart restjavad
Fix:
You can now set maxMessageBodySize via iControl REST after upgrading.
626438-1 : Frame is not showing in the browser and/ or an error appears
Component: Application Security Manager
Symptoms:
A frame goes blank when an ASM policy is enabled. This triggers the following JavaScript error in the client's browser console:
Uncaught TypeError: Cannot read property '3' of undefined
Conditions:
An ASM policy is enabled, and Device ID is enabled through one of the features that use it.
Impact:
Site not operating correctly.
Workaround:
N/A
Fix:
Fixed the Device ID JavaScript issue that prevented a frame from being displayed.
626434-6 : tmm may be killed by sod when a hardware accelerator does not work
Solution Article: K65283203
Component: Local Traffic Manager
Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod), when the Cavium hardware accelerator does not come back after the reset from the driver.
Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Power cycling the system might correct the error.
Fix:
The system now prints out an error message in the log file, improving the way tmm handles the failure.
626386-1 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
Solution Article: K28505256
Component: Local Traffic Manager
Symptoms:
On a BIG-IP device, whenever a large client certificate is sent by an SSL client to a virtual server and SSL persistence is enabled, the SSL session ID (SSID) parser used for SSL persistence does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment (part of the CertificateVerify message) as a new record, calculates its length incorrectly, and ends up waiting endlessly for more bytes to complete the record.
Conditions:
SSL persistence is enabled and a large client certificate is sent by the SSL client to the BIG-IP device.
Impact:
Client connection hangs during the handshake. No impact to any other module.
Workaround:
Disable SSL persistence.
Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.
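The failure above is a record/message boundary confusion: TLS (RFC 5246, section 6.2.1) lets one handshake message span several records and lets several messages share one record, so a parser must buffer handshake bytes until the 4-byte message header says the message is complete. The following is an added example, not F5 code, showing a reassembler that does this correctly. The handshake bytes it parses are constructed for the demonstration (a large client Certificate followed by a ClientKeyExchange that straddles a record boundary and a CertificateVerify in the same final record, the sequence described above); the record size and chunking constants are chosen only to force fragmentation.

```python
"""Reassembly of TLS handshake messages fragmented across TLS records.

Added example, not F5 code.  The sample handshake bytes are constructed
(no real certificates or keys); they reproduce the record layout in which a
naive per-record parser mis-reads the tail of a fragmented ClientKeyExchange
as the start of a new record and then waits forever for the "missing" bytes.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 22
TLS_VERSION = b"\x03\x03"        # TLS 1.2 record-layer version
MAX_FRAGMENT = 1000              # small record size to force fragmentation

# Handshake message types used in the sample (RFC 5246)
CERTIFICATE = 11
CERTIFICATE_VERIFY = 15
CLIENT_KEY_EXCHANGE = 16


def build_handshake_message(msg_type, body):
    """type(1) || length(3) || body, as defined by RFC 5246 for Handshake."""
    return struct.pack("!B", msg_type) + struct.pack("!I", len(body))[1:] + body


def build_records(handshake_stream, max_fragment=MAX_FRAGMENT):
    """Split a stream of handshake messages into TLS records.

    Record boundaries ignore message boundaries, exactly as a real sender may
    do, so a single message can straddle two records.
    """
    records = []
    for off in range(0, len(handshake_stream), max_fragment):
        frag = handshake_stream[off:off + max_fragment]
        records.append(struct.pack("!B", CONTENT_TYPE_HANDSHAKE) + TLS_VERSION
                       + struct.pack("!H", len(frag)) + frag)
    return b"".join(records)


class HandshakeReassembler:
    """Extracts complete handshake messages from a stream of TLS records.

    Partial message bytes are buffered until the 4-byte handshake header says
    the message is complete; this is the step the persistence parser skipped.
    """

    def __init__(self):
        self.record_buf = b""     # unconsumed bytes of the record stream
        self.hs_buf = b""         # handshake bytes not yet forming a message

    def feed(self, data):
        """Feed raw record-layer bytes; return a list of (type, body) messages."""
        self.record_buf += data
        messages = []
        while len(self.record_buf) >= 5:
            ctype, _ver, length = struct.unpack("!B2sH", self.record_buf[:5])
            if len(self.record_buf) < 5 + length:
                break                          # wait for the rest of the record
            payload = self.record_buf[5:5 + length]
            self.record_buf = self.record_buf[5 + length:]
            if ctype != CONTENT_TYPE_HANDSHAKE:
                continue                       # alerts/CCS are not reassembled
            self.hs_buf += payload
            messages.extend(self._drain())
        return messages

    def _drain(self):
        out = []
        while len(self.hs_buf) >= 4:
            msg_type = self.hs_buf[0]
            body_len = int.from_bytes(self.hs_buf[1:4], "big")
            if len(self.hs_buf) < 4 + body_len:
                break                          # message continues in the next record
            out.append((msg_type, self.hs_buf[4:4 + body_len]))
            self.hs_buf = self.hs_buf[4 + body_len:]
        return out


def demo():
    """Large client Certificate, then ClientKeyExchange and CertificateVerify.

    With MAX_FRAGMENT=1000 the ClientKeyExchange straddles the boundary between
    the 4th and 5th record, and its tail shares the 5th record with the
    CertificateVerify.  Returns [(type, body length), ...] in parse order.
    """
    stream = (build_handshake_message(CERTIFICATE, b"C" * 3800)
              + build_handshake_message(CLIENT_KEY_EXCHANGE, b"K" * 260)
              + build_handshake_message(CERTIFICATE_VERIFY, b"V" * 70))
    wire = build_records(stream)
    reassembler = HandshakeReassembler()
    parsed = []
    # Deliver the bytes in odd-sized chunks: TCP makes no promise about how
    # record boundaries line up with segment boundaries.
    for off in range(0, len(wire), 333):
        parsed.extend(reassembler.feed(wire[off:off + 333]))
    return [(t, len(b)) for t, b in parsed]


if __name__ == "__main__":
    print(demo())
```

The reassembler keeps two buffers on purpose: one for an incomplete record and one for an incomplete handshake message, because either can be cut at a segment boundary. A persistence parser that only needs the session ID from the ClientHello can stop after the first message, but it must still consume whole messages, not whole records, to stay in sync with the stream.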
626360 : TMM may crash when processing HTTP2 traffic
Solution Article: K22541983
626311-2 : Potential failure of DHCP relay functionality due to incorrect route lookup.
Solution Article: K75419237
Component: Local Traffic Manager
Symptoms:
DHCP requests from client to server may not make it through.
Conditions:
-- BIG-IP system configured as a DHCP relay.
-- Input variable (flow_key) incorrectly initialized.
Impact:
Clients might not get an IP address from the DHCP server.
Workaround:
None.
Fix:
Input variable (flow_key) is initialized properly to prevent a potential route-lookup failure.
626141-3 : DNSX Performance Graphs are not displaying Requests/sec
Component: Global Traffic Manager (DNS)
Symptoms:
The DNSX Performance graphs are labeled Requests/second, but the data plotted is actually the total number of requests.
Conditions:
Always.
Impact:
The data displayed in the graph is not correct.
626106-3 : LTM Policy with illegal rule name loses its conditions and actions during upgrade★
Component: Local Traffic Manager
Symptoms:
BIG-IP version 12.0.0 introduced stricter checking of the characters allowed in policy and rule names, along with an auto-migration feature that converts any disallowed character to an underscore (_). The allowed characters in policy and rule names are:
A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.
When a pre-v12.0 policy contains an illegal character, each illegal character in the rule name is converted to a legal one. The rule's conditions and actions, which are joined to the rule by name, are not adjusted in the same way. After migration, the LTM policy rule has no conditions or actions referring to it by its new name.
Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later
Impact:
The policy rule name is changed, with illegal characters converted to a benign underscore (_). The upgraded configuration loads successfully, but the rule's associated conditions and actions are not changed and still refer to the rule by its former name, effectively becoming orphaned. Inspecting the rule in the UI or tmsh shows the conditions and actions missing.
Workaround:
Before upgrading, the bigip.conf file can be manually edited to replace the illegal characters, and the configuration reloaded.
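A pre-upgrade check for this problem, as an added example that is not F5 code: it applies the v12.0 rewrite rule quoted above (every character outside the allowed set becomes an underscore) to a list of rule names and flags the conditions and actions whose by-name reference would no longer resolve afterwards. The rule names and the (kind, rule name) reference pairs are constructed sample data and the pairing is an assumed representation of the by-name join; the script does not parse the bigip.conf layout itself. Underscore is accepted as legal because it is the character the migration writes, even though the list above does not spell it out.

```python
"""Pre-upgrade check for LTM policy rule names (added example, not F5 code).

Applies the v12.0 auto-migration (disallowed character -> '_') to rule names
and reports which by-name references from conditions/actions would be
orphaned.  Names and references below are constructed sample data; the
bigip.conf file format is not parsed here.
"""
import re

# Allowed characters from the release note: A-Z a-z 0-9 . / : % - and space.
# Underscore is included by assumption: it is the migration target, so it
# must be legal even though the note's list does not mention it.
LEGAL_NAME = re.compile(r"^[A-Za-z0-9._/:%\- ]+$")
ILLEGAL_CHAR = re.compile(r"[^A-Za-z0-9._/:%\- ]")


def is_legal_name(name):
    """True if the name survives the v12.0 check unchanged."""
    return bool(LEGAL_NAME.match(name))


def migrate_name(name):
    """Apply the v12.0 auto-migration: each disallowed character becomes '_'."""
    return ILLEGAL_CHAR.sub("_", name)


def find_orphaned_references(rule_names, references):
    """Return the references that would no longer resolve after migration.

    rule_names: rule names present in the pre-v12.0 policy.
    references: (kind, rule_name) pairs for conditions/actions, which the
    release note says are joined to the rule by name and are NOT migrated.
    """
    migrated = {migrate_name(r) for r in rule_names}
    return [(kind, ref) for kind, ref in references if ref not in migrated]


def report(rule_names, references):
    """Map each illegal rule name to its migrated form, plus the orphan list.

    An empty 'renames' dict means the policy is safe to upgrade as-is; every
    entry in 'orphaned' is a condition or action to repoint (or a rule to
    rename by hand) in bigip.conf before the upgrade.
    """
    renames = {r: migrate_name(r) for r in rule_names if not is_legal_name(r)}
    return {"renames": renames,
            "orphaned": find_orphaned_references(rule_names, references)}


if __name__ == "__main__":
    # Constructed sample: one legal rule and one containing characters from
    # the release note's list of disallowed examples (* < > ( ) [ ]).
    rules = ["allow-api", "block (legacy) [v1]*"]
    refs = [("condition", "allow-api"), ("action", "allow-api"),
            ("condition", "block (legacy) [v1]*"),
            ("action", "block (legacy) [v1]*")]
    print(report(rules, refs))
```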
625901-1 : SNAT pools allow members in different partitions to be assigned, but this causes a load failure
Component: TMOS
Symptoms:
SNAT pools allow members in different partitions to be assigned, but this is prohibited at load time.
Conditions:
The SNAT pool is in a partition different from that of the member you are trying to add to it.
Impact:
Load will fail with an error like the following:
01070726:3: SNAT pool translation address /p1/mysnatpool /p2/1.2.3.4%5 in partition PARE cannot reference SNAT Translation /p2/1.2.3.4%5 in partition p2
Workaround:
Use a SNAT pool member in the same partition.
625892-2 : Nagle Algorithm Not Fully Enforced with TSO
Component: Local Traffic Manager
Symptoms:
Sub-MSS packets are more numerous than Nagle's algorithm would imply.
Conditions:
TCP Segmentation Offload is enabled.
Impact:
Sub-MSS packets increase overhead and client power consumption.
Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
Fix:
Deliver Integer Multiples of MSS to the TSO hardware when Nagle's algorithm applies.
625860-2 : Improved handling of crypto hardware decrypt failures on B4450 platform.
Solution Article: K55102452
625832-4 : A false positive modified domain cookie violation
Component: Application Security Manager
Symptoms:
An unexpected modified domain cookie violation on system that has more than 127 policies configured.
Conditions:
This occurs when more than 127 policies are configured, the Modified Domain Cookie violation is enabled, and there are enforced cookies.
Impact:
A false positive violation.
Workaround:
Remove the modified domain cookie violation from blocking.
Fix:
Fixed a false positive modified domain cookie violation.
625824-1 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
Component: TMOS
Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap usage to increase continuously and might lead to exhaustion of swap space.
Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem
Impact:
iControlPortal.cgi memory increases.
Workaround:
Restart httpd to reload the iControl daemon.
Fix:
Fixed a memory leak associated with iControl.
625784 : TMM crash on i4x00 and i2x00 platforms with large ASM configuration.
Component: TMOS
Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM continuously crashes on boot-up or restart.
Conditions:
-- Large ASM configurations (50 virtual servers, 50 ASM policies).
-- Using i4x00 and i2x00 platforms.
Impact:
TMM continuously crashes and restarts; system is unusable.
Workaround:
None.
Fix:
TMM no longer crashes on i4x00 and i2x00 platforms with large ASM configurations.
625783-1 : Chassis sync fails intermittently due to sync file backlog
Component: Application Security Manager
Symptoms:
Chassis sync may fail intermittently if policies are changed and applied in a short interval.
Conditions:
Policies are changed and applied in a short interval on a chassis platform.
Impact:
Disk partition /var may fill up and synchronized changes may not appear on secondary blades.
Fix:
ASM configuration sync on chassis platform now works more reliably.
625703-2 : SELinux: snmpd is denied access to tmstat files
Component: TMOS
Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk will fail to access the created MIB data.
Conditions:
Custom created MIBs.
Impact:
Access to that MIB is denied.
Workaround:
None.
Fix:
When a custom SNMP MIB is created by using Tcl scripts or other methods, snmpwalk no longer fails to access the created MIB data.
625671-4 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
Component: Global Traffic Manager (DNS)
Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.
Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.
Impact:
dnsxdump provides incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.
Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver will allow dnsxdump to work again after the next zone transfer.
Fix:
dnsxdump handles non-standard resource record types.
625602-3 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
Some messages that should be sent to peers in a device group are not successfully sent.
Conditions:
A series of create/delete ASM policies and multiple changes to the ASM sync Device Group (creation, deletion, joining devices, removing devices).
Impact:
ASM configuration does not sync properly
Workaround:
Reconfigure the device group and restart asm_config_server using the following command:
# pkill -f asm_config_server
Fix:
Communication over the ASM Device Group now works correctly after leaving/joining Device Groups.
625542-1 : SIP ALG with Translation fails for REGISTER refresh.
Component: Service Provider
Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.
Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.
Impact:
The egressing SIP REGISTER message will not have translation applied; that is, the Contact and Via headers will not be translated.
Workaround:
None
Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.
625474-1 : POST request body is not saved in session variable by access when request is sent using edge client
Component: Access Policy Manager
Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.
Conditions:
- Configure BIG-IP as a SAML Service Provider. To simplify reproduction, change the Access Policy execution timeout to a few seconds.
- Use Edge Client to connect to BIG-IP.
- The SAML Agent redirects the user to the IdP for authentication.
- Wait a few seconds for the access policy to time out on BIG-IP.
- Enter credentials and complete authentication on the IdP.
- The user is redirected back to BIG-IP as the SP. At this moment APM creates a new session and evaluates the access policy again.
Impact:
The SAML Agent then fails with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request
Workaround:
Removing the 'Origin' header from the request with an iRule fixes the issue, and the POST body becomes available to the access hudfilter.
Fix:
Check for receipt of HUDEVT_REQUEST_DONE before falling through from EV_ACCESS_TCL_COMPLETION to EV_ACCESS_REQUEST_DONE in client wait for request body to ensure proper storage of POST request body in sessiondb.
625456-5 : Pending sector utility may write repaired sector incorrectly
Component: TMOS
Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.
When a pending sector is repaired, a message similar to the following is logged:
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)
For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements
Conditions:
This may occur on BIG-IP appliances or VIPRION blades which contain hard disks which use 4096-byte physical sectors.
Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades
Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.
The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:
# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device
# smartctl -i /dev/sda | grep "Sector Size"
Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical
Not Affected:
Sector Size: 512 bytes logical/physical
Impact:
Potential corruption of unknown files on BIG-IP volumes.
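The smartctl check above can be automated for a fleet. The following is an added example, not an F5 utility: it parses the "Sector Size" line of 'smartctl -i' output into a verdict of affected (4096-byte physical sectors), not affected (512-byte) or unknown (no sector size reported). The two smartctl output fragments embedded below are constructed samples modelled on the lines quoted above, not output from real drives; the device names and model strings are placeholders.

```python
"""Classify disks by physical sector size from 'smartctl -i' output.

Added example, not an F5 utility.  pendsect repairs can write wrong data to a
wrong location only on drives with 4096-byte physical sectors, so this maps
each device to 'affected', 'not affected' or 'unknown'.  SAMPLE_4K and
SAMPLE_512 are constructed fragments in smartctl's output format.
"""
import re

# smartctl prints either "Sector Sizes: 512 bytes logical, 4096 bytes physical"
# or the single-size form "Sector Size: 512 bytes logical/physical".
TWO_SIZES = re.compile(
    r"^Sector Sizes:\s+(\d+) bytes logical,\s+(\d+) bytes physical", re.M)
ONE_SIZE = re.compile(r"^Sector Size:\s+(\d+) bytes logical/physical", re.M)


def physical_sector_size(smartctl_output):
    """Return the physical sector size in bytes, or None if not reported."""
    m = TWO_SIZES.search(smartctl_output)
    if m:
        return int(m.group(2))
    m = ONE_SIZE.search(smartctl_output)
    if m:
        return int(m.group(1))
    return None


def classify_smartctl_output(smartctl_output):
    """'affected' for 4096-byte physical sectors, 'not affected' for any
    other reported size, 'unknown' when smartctl did not report one."""
    size = physical_sector_size(smartctl_output)
    if size is None:
        return "unknown"
    return "affected" if size == 4096 else "not affected"


def check_all(outputs):
    """Map each device name to its classification; outputs is {dev: text}."""
    return {dev: classify_smartctl_output(text) for dev, text in outputs.items()}


# Constructed samples (trimmed 'smartctl -i' style output, not real drives)
SAMPLE_4K = """\
=== START OF INFORMATION SECTION ===
Device Model:     EXAMPLE-DISK-4K
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    7200 rpm
"""

SAMPLE_512 = """\
=== START OF INFORMATION SECTION ===
Device Model:     EXAMPLE-DISK-512
Sector Size:      512 bytes logical/physical
Rotation Rate:    7200 rpm
"""


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:
        # Real use: python3 sector_check.py /dev/sda [/dev/sdb ...]
        # (smartctl must be on PATH; the call needs root on most systems).
        outputs = {dev: subprocess.run(["smartctl", "-i", dev],
                                       capture_output=True, text=True).stdout
                   for dev in sys.argv[1:]}
    else:
        outputs = {"/dev/sda": SAMPLE_4K, "/dev/sdb": SAMPLE_512}
    for dev, verdict in check_all(outputs).items():
        print(dev, verdict)
```

Because the release note says replacements and manufacturing changes can put 4096-byte drives into platforms not on the list, run the check against the actual drives rather than trusting the platform model alone.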
625428-1 : SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
Component: TMOS
Symptoms:
The F5 BIG-IP local MIB has the wrong value definitions for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit:
allowed(0), disallowed(1)
instead of:
disabled(0), enabled(1)
Conditions:
This occurs on any platform that supports this MIB field and has LTM Pool configurations.
Impact:
Information mismatch
625372-5 : OpenSSL vulnerability CVE-2016-2179
Solution Article: K23512141
625275-1 : Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
Component: Fraud Protection Services
Symptoms:
When trying to add URL parameters containing square brackets "[]" in the FPS GUI (under URL), the parameter name becomes "0". When trying to modify such parameters, they are not saved.
Conditions:
Provision FPS
Create URL
Impact:
Parameters containing square brackets cannot be added or modified in the FPS GUI.
Workaround:
Use tmsh instead, for example:
tmsh modify security anti-fraud profile criteria urls modify { /xml.php { parameters add { "mouse\[2]" } } }
Fix:
It is now possible to add parameters containing square brackets in FPS GUI.
625198-1 : TMM might crash when TCP DSACK is enabled
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
All of the following are required to see this behavior:
-- DSACK is enabled.
-- MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
-- cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; and Nagle is not set to 'auto'.
-- An iRule exists that changes any of the conditions above other than DSACK.
-- Various client packet combinations interact in certain ways with the iRule logic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change any of the conditions above.
Fix:
TCP maintains state appropriately to avoid crash.
625172-1 : tmm crashes when classification is enabled and FTP traffic is flowing through the box
Component: Traffic Classification Engine
Symptoms:
tmm crash
Conditions:
1. classification profile attached to the virtual server
2. ftp traffic flows through the system
3. complex configuration with iRules and multiple modules enabled
Impact:
Traffic disrupted while tmm restarts.
Workaround:
remove classification profile from the virtual server
Fix:
Fixed incorrect memory management in one of the classification matching mechanisms that led to a crash.
625166-1 : Suspended iRules cannot complete on aborted flows
Component: Local Traffic Manager
Symptoms:
A suspended iRule does not resume if the connection aborts in the interim.
Conditions:
An iRule suspends, and the connection aborts before it resumes.
Impact:
Not all business logic may execute.
Workaround:
None
Fix:
Keep the connflow alive if TCL operations are pending.
625159-1 : Policy sync status not shown on standby device in HA case
Component: Access Policy Manager
Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.
Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device
Impact:
This does not affect sync functionality, and the user can still see the sync status on an active device.
Workaround:
Check sync status on an active device in the group.
Fix:
User will be able to see the sync statuses on a standby device, including itself as well as the list of devices in the whole sync-only group where sync is performed.
625114-2 : Internal sync-change conflict after update to local users table
Solution Article: K08062851
Component: Device Management
Symptoms:
User sync is initiated unexpectedly and automatically by the REST framework. To the internal sync system, this appears as if the same change is being made manually on all devices, causing a change conflict. In other words, 'show cm sync-status' returns output similar to the following:
--------------------------------------------------------
CM::Sync Status
--------------------------------------------------------
Color red
Status Changes Pending
Mode high-availability
Summary There is a possible change conflict between device1 and device2.
Details
device1: connected
mydg (Changes Pending): There is a possible change conflict between device1 and device2.
- Recommended action: Synchronize device2 to group mydg
In addition, users that were synchronized by the REST framework may not have the correct role and/or partition assigned to them.
Conditions:
-- A sync-failover device group exists.
-- The REST framework's 'gossip' mechanism is set up correctly, which should happen automatically, but might not be ready.
You can confirm that this is the case by running 'restcurl shared/resolver/device-groups/tm-shared-all-bigips/devices'. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.
Impact:
An unexpected change conflict between devices. In some cases, high CPU utilization by restjavad may be observed.
Workaround:
-- When you have the change conflict, force a sync to the device group from the device where the user was originally created.
-- If the high CPU utilization by restjavad persists after a full sync, you can remediate the CPU utilization by restarting the restjavad service:
restart sys service restjavad
Fix:
Internal sync-change conflict is no longer present after update to local users table.
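The condition above is checked by hand with 'restcurl shared/resolver/device-groups/tm-shared-all-bigips/devices' and comparing 'version' and 'restFrameworkVersion' across the listed devices. The following is an added example, not F5 code, that does the comparison from that JSON and also reports any expected device the resolver does not list. The embedded JSON is a constructed sample in the shape of that endpoint's response: the 'items', 'version' and 'restFrameworkVersion' names come from the release note, while the 'uuid' and 'hostname' fields and all values are assumed.

```python
"""Check the REST device resolver for version agreement (added example).

Not F5 code.  Parses the JSON from
  restcurl shared/resolver/device-groups/tm-shared-all-bigips/devices
and reports devices missing from the list or disagreeing on 'version' /
'restFrameworkVersion'.  SAMPLE_RESPONSE is constructed; only the 'items',
'version' and 'restFrameworkVersion' names are taken from the release note.
"""
import json

SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"uuid": "11111111-1111-1111-1111-111111111111",
         "hostname": "device1.example.net",
         "version": "12.1.5.3", "restFrameworkVersion": "12.1.5.3-0.0.5"},
        {"uuid": "22222222-2222-2222-2222-222222222222",
         "hostname": "device2.example.net",
         "version": "12.1.5.3", "restFrameworkVersion": "12.1.5.2-0.0.2"},
    ]
})


def parse_devices(restcurl_output):
    """Return [(name, version, restFrameworkVersion)] from the JSON text.

    The hostname is used as the device name when present, else the uuid.
    """
    doc = json.loads(restcurl_output)
    return [(d.get("hostname", d.get("uuid", "?")),
             d.get("version"), d.get("restFrameworkVersion"))
            for d in doc.get("items", [])]


def check_gossip(restcurl_output, expected_names):
    """Report missing devices and version disagreements.

    Returns {'missing': [...], 'mismatched': [...]}: 'missing' lists expected
    names the resolver did not return, 'mismatched' lists devices whose
    version or restFrameworkVersion differs from the first listed device.
    Both lists empty is the gossip state under which this bug can occur.
    """
    devices = parse_devices(restcurl_output)
    seen = {name for name, _, _ in devices}
    missing = sorted(set(expected_names) - seen)
    if not devices:
        return {"missing": missing, "mismatched": []}
    ref_version, ref_rest = devices[0][1], devices[0][2]
    mismatched = [name for name, ver, rest in devices
                  if (ver, rest) != (ref_version, ref_rest)]
    return {"missing": missing, "mismatched": mismatched}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use on a BIG-IP:
        #   restcurl shared/resolver/device-groups/tm-shared-all-bigips/devices \
        #     | python gossip_check.py device1.example.net device2.example.net
        data, expected = sys.stdin.read(), sys.argv[1:]
    else:
        data = SAMPLE_RESPONSE
        expected = ["device1.example.net", "device2.example.net"]
    print(json.dumps(check_gossip(data, expected), indent=2))
```

A non-empty 'mismatched' list after an upgrade usually means restjavad on that device has not yet re-registered; a non-empty 'missing' list means the gossip mechanism is not yet ready, which the release note says is the state in which the conflict does not appear.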
625106-2 : Policy Sync can fail over a lossy network
Component: Local Traffic Manager
Symptoms:
Policy Sync fails.
Conditions:
BIG-IPs are connected over a lossy link.
Impact:
HA redundancy fails.
Workaround:
tmsh modify sys db TM.TCPProgressive.AutoBufferTuning value disabled
Fix:
The fix applies the configuration change described in the workaround.
625098-3 : SCTP::local_port iRule not supported in MRF events
Component: Service Provider
Symptoms:
SCTP::local_port iRule not supported in MRF events
Conditions:
MRF events such as MR_INGRESS, MR_EGRESS, and MR_FAILED are used.
Impact:
SCTP::local_port does not work in MR events.
Fix:
The SCTP::local_port iRule command is now supported in MRF events.
625085 : lasthop rmmod causes kernel panic
Component: TMOS
Symptoms:
If someone attempts to unload the lasthop kernel module, it will cause a kernel panic.
Conditions:
Attempting to unload the lasthop kernel module.
Impact:
The system reboots.
Workaround:
Avoid running the following command:
# rmmod lasthop
Fix:
The lasthop kernel module should never be unloaded. The system now prevents the lasthop kernel module from being unloaded, so no kernel panic occurs.
624966-2 : Edge client starts new APM session when Captive portal session expire
Component: Access Policy Manager
Symptoms:
When a Captive portal session expires during Network Access, Edge Client shows the Captive portal authentication page. If the user does not authenticate within some amount of time (30-60 seconds), Edge Client tries to disconnect the current session. When the user then authenticates successfully, Edge Client starts a new APM session instead of waiting for the user to authenticate on the Captive page.
Conditions:
This can occur when Captive portal is configured and the session expires.
Impact:
The Edge Client starts a new session when it should re-use the existing session.
624909-2 : Static route create validation is less stringent than static route delete validation
Component: TMOS
Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.
Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.
Impact:
Unable to delete certain self-IPs.
Workaround:
In order to delete the self-IPs you can either:
1) Delete the static route.
or
2) Create a self-IP on the same interface that uses the same IP protocol as the static route.
Fix:
Added validation to ensure that when a static route is created there is at least one self-IP that uses the same interface and IP protocol.
624903-6 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
Solution Article: K55102452
624876-1 : Response Policy Zones can trigger even after entry removed from zone
Component: Global Traffic Manager (DNS)
Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.
Conditions:
-- An RPZ zone contains an entry, for example badzone.example.com.
-- That entry is subsequently removed.
Impact:
The badzone.example.com entries will continue to be blocked by RPZ, even though the item has been removed.
Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin, then restart the zxfrd daemon using the following command: bigstart restart zxfrd.
This recreates the databases without the remnants of the deleted entries.
Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.
624846-1 : TCP Fast Open does not work for Responses < 1 MSS
Component: Local Traffic Manager
Symptoms:
BIG-IP does not send the data until receiving the first client ACK.
Conditions:
TCP Fast Open requests an object of less than 1 MSS in size.
Fast open and delayed acks enabled.
Impact:
Delayed completion of the connection.
Workaround:
Disable delayed acks.
Fix:
TCP sends SYN/ACK immediately after receiving the SYN, and the response as soon as it arrives from the server.
624831-2 : BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
Component: TMOS
Symptoms:
tmm crashes while using Bandwidth Control (BWC) dynamic policies.
Conditions:
max-user-rate is set at 2gbps or higher.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
Use a maximum of 1gbps for dynamic BWC policy max-user-rate.
Fix:
tmm no longer crashes when using Bandwidth Control (BWC) dynamic policies with max-user-rate set at 2gbps or higher.
Behavior Change:
no
624826-2 : mgmt bridge takes HWADDR of guest vm's tap interface
Solution Article: K36404710
Component: TMOS
Symptoms:
MGMT interface becomes unreachable and stops responding to traffic. Whenever guest is in provisioned state MAC address assigned to mgmt is correct (taken from base MAC). Whenever guest is in deployed state MAC address on host mgmt interface changes and is exactly the same as mgmt_vm_tap MAC.
Conditions:
The platform's F5 base MAC is not low enough to win the bridge's lowest-MAC selection against the guest tap interface.
A Linux bridge by default takes as its MAC the lowest MAC of its constituent interfaces. This did not cause a problem before because F5 Networks systems' base MACs have historically been "low", e.g., with legacy base MACs in {00:01:D7, 00:0A:49, 00:23:E9}.
When a guest tap interface is added to the mgmt bridge, the bridge takes its Linux default action, which is to take as its MAC the lowest MAC address of its constituent interfaces. With the comparison min(eth0's MAC, guest tap's MAC) returning the guest tap's MAC, the mgmt bridge incorrectly assumes the guest tap interface's MAC.
Impact:
Connectivity to the vCMP host platform is lost when the guest is deployed.
Workaround:
Use ifconfig to ensure that the MAC address of the mgmt bridge never changes from that of eth0. For example, the following command sets the MAC of the bridge to the value passed as <MAC of eth0>:
ifconfig mgmt hw ether <MAC of eth0>
Note: This assumes that eth0 will always be a member of the mgmt bridge.
Fix:
The system now uses ifconfig to assign the mac of interface eth0 to bridge mgmt.
624805-1 : ILX node.js process may be restarted if a single operation takes more than 15 seconds
Component: Local Traffic Manager
Symptoms:
There is an ILX node.js process restart that occurs, conditional on the code and operations of the node.js process. The restart occurs when one specific operation (code path in your node.js app) takes longer than 15 seconds to complete.
Conditions:
-- Running ILX with a node.js RPC or streaming setup.
-- A single operation takes more than 15 seconds.
Impact:
Connflow is dropped, traffic processing for the flows handled by that process stops until it restarts fully.
Workaround:
To work around this issue, instrument your node.js app with timing, either to make sure operations complete within the timeframe, or to determine where operations exceed the 15-second limit and rework the code so that they complete within 15 seconds.
Fix:
There is no longer a time restriction on a single operation.
624744-1 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash resulting in flows being impacted.
Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.
Impact:
Traffic disrupted while tmm restarts.
Fix:
NULL check has been added prior to calling a callback for asynchronous handling.
624733-1 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash resulting in flows being impacted.
Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.
Impact:
Traffic disrupted while tmm restarts.
Fix:
NULL check has been added to facilitate a graceful failure during asynchronous handling.
624692-3 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
Component: TMOS
Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.
Conditions:
Certificate with multi-byte encoded strings.
Impact:
Unable to view certificate list page or view certificate information via iControl/REST.
624616-1 : Safenet uninstall is unable to remove libgem.so
Component: Local Traffic Manager
Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:
rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.
Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.
Impact:
Uninstall is unable to complete.
Workaround:
None.
Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.
624570-1 : BIND vulnerability CVE-2016-8864
Solution Article: K35322517
624526-3 : TMM core in mptcp
Solution Article: K10002335
624484-2 : Timestamps not available in bash history on non-login interactive shells
Solution Article: K09023677
Component: TMOS
Symptoms:
There are no timestamps in bash history when bash is initiated from tmsh.
Conditions:
This issue arises when an Administrator or Resource Administrator with tmsh as the default shell runs bash from tmsh and then runs the 'history' command.
Impact:
Running 'history' in bash will not include timestamps of commands.
Workaround:
Timestamps can be added to bash history by running the following command in bash:
export HISTTIMEFORMAT="%Y-%m-%d %T "
Fix:
Added timestamps to bash history for non-login interactive shells.
624457-5 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
Solution Article: K10558632
624370-1 : tmm crash during classification hitless upgrade if virtual server configuration is modified
Component: Traffic Classification Engine
Symptoms:
tmm crash
Conditions:
1. classification hitless upgrade is triggered
2. pending (not saved) changes on any of the virtual servers
Impact:
Traffic disrupted while tmm restarts.
Fix:
A change to the virtual server configuration caused a new library to be loaded during the upgrade, which the hitless upgrade mechanism did not expect and which led to a tmm crash. This is fixed in versions starting with 12.1.2.
624362-1 : VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
Component: TMOS
Symptoms:
/shared disk usage grows, and diskmonitor can alarm when the percentage of disk usage reaches the configured threshold.
Conditions:
On a vCMP guest, /shared/tmp/guestagentd.out grows over time and is not rotated.
Impact:
/shared filesystem can fill and cause alerting and inability to copy files such as .iso to /shared.
Workaround:
1. periodically delete the non-critical file /shared/tmp/guestagentd.out
OR,
2. bigstart stop guestagentd (this will disable vcmp health feature on the host)
Fix:
The guestagentd logs no longer fill the tmp file.
624361-1 : Responses to some of the challenge JS are not compressed.
Component: TMOS
Symptoms:
Performance of the JS challenge is affected.
Conditions:
One of the following is turned on in the application DoS configuration:
CS challenge, or PBD challenge when Suspicious Browsers is disabled, or the Device-ID challenge.
Impact:
1. These responses consume more CPU and more Bandwidth than needed.
2. Client-side latency is degraded.
3. More disk space is utilized than needed
Workaround:
None.
Fix:
Some of the JS challenges now have better performance.
624314-1 : AVR reports incorrect 'actions' in ACL reports
Component: Advanced Firewall Manager
Symptoms:
AVR reports incorrect 'actions' in ACL reports:
-- 'Default' reports as 'Drop'.
-- 'Drop' reports as 'Reject'.
-- 'Reject' reports as 'Accept'.
-- 'Accept' reports as 'Accept decisively'.
-- 'Accept decisively' reports as 'Default'.
Conditions:
AVR reporting on ACL statistics.
Impact:
The system reports incorrect actions.
Workaround:
There is no workaround.
Fix:
AVR reports now show the correct actions.
624263-4 : iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response
Component: TMOS
Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API.
-- A string, enum, or vector-of-enum/string property is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.
624231-5 : No flow control when using content-insertion with compression
Component: Policy Enforcement Manager
Symptoms:
Packets can get queued in PEM and cause performance impact.
It can also cause memory corruption in some cases.
Conditions:
This issue can occur when the system has a large number of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.
Impact:
Performance impact to flows and possible system crash.
Workaround:
Enable hardware offload and use the PEM throttle feature for content insertion.
624228-1 : Memory leak when using insert action in pem rule and flow gets aborted
Component: Policy Enforcement Manager
Symptoms:
Memory keeps increasing in PEM after several hours of live service.
Conditions:
An insert action is configured in a PEM rule, the response spans multiple segments, and the connection is aborted midway.
Impact:
Connections can get reset once memory usage increases beyond the threshold.
Fix:
xfrags are now freed when flows are aborted.
624198-1 : Unable to add multiple User-Defined alerts with the same search category
Component: Fraud Protection Services
Symptoms:
Adding two or more User-Defined alerts causes a DB exception error.
Conditions:
FPS is provisioned with a Malware Detection license.
Multiple User-Defined alerts are added with the same "Search In" category.
Impact:
Can impact detection of certain malware.
Workaround:
Add a single record at a time, or use tmsh or REST.
Fix:
GUI allows adding multiple User-Defined alerts of the same search category.
624193-2 : Topology load balancing not working as expected
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.
Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.
Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.
Workaround:
Topology records and pools can be configured to avoid the conditions that trigger the issue.
Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.
624168-2 : DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission
Component: Local Traffic Manager
Symptoms:
During an MPTCP connection, if a DATA_ACK or DATA_FIN is received on a subflow that is not currently being used to transmit data, that DATA_ACK or DATA_FIN is ignored. Clients generally respond on the same subflow that they received data on, making this situation somewhat rare.
Conditions:
MPTCP is in use on a connection and a DATA_ACK or DATA_FIN is received on a subflow that is not currently being used to transmit data.
Impact:
The DATA_ACK or DATA_FIN is ignored. If the same information is not sent on other subflows, this can cause the connection to hang until the subflow times out.
Fix:
Accept DATA_ACK and DATA_FIN on any subflow.
624155-2 : MRF Per-Client mode connections unable to return responses if used by another client connection
Component: Service Provider
Symptoms:
When an outgoing connection is created in per-client mode, that connection is exclusively for use by the client whose message was routed to the destination. All messages (response or requests) received by the server are automatically forwarded to the client. The messages received from the server are forwarded to the original connection from the client (even if it has been closed).
Conditions:
The connection from the client closes and the client connects again.
Impact:
Messages from the new client connection are routed using the previously created outgoing connection, but messages received from the server are forwarded to the original client connection, which is closed. These messages fail to be delivered.
Workaround:
None.
Fix:
When messages arrive from a new client connection, the outgoing connection is updated to forward messages received from the server to the new connection.
624023-3 : TMM cores in iRule when accessing a SIP header that has no value
Component: Service Provider
Symptoms:
When an iRule is used to access a SIP header attribute with no value, TMM cores.
Conditions:
An iRule is used to access the value of a SIP message header attribute that has no value, e.g.:
"Supported: " IEOL
"Session-Expires:" IEOL
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
Fix:
The fix adjusts the buffer offset correctly so that empty header attributes are handled while parsing the SIP message.
623940-3 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
Component: Local Traffic Manager
Symptoms:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.
The ltm error log message looks like:
*****************************************************
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
*****************************************************
Conditions:
The client tries to negotiate EC ciphers but does not present the ec_point_formats extension in the ClientHello.
Impact:
SSL Handshake fails.
623930-3 : vCMP guests with vlangroups may loop packets internally
Component: TMOS
Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.
Conditions:
vCMP guest, vlangroups.
Impact:
High CPU utilization and potentially undelivered packets.
Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.
Fix:
Packets are no longer looped between vlangroup children on vCMP guests.
623927-2 : Flow entry memory leaked after DHCP DORA process
Solution Article: K41337253
Component: Policy Enforcement Manager
Symptoms:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is not freed.
Conditions:
Run the DHCP DORA process through BIG-IP (in relay mode or forwarding mode) and wait for the client connection flow entry to age out.
Impact:
The system leaks flow entry memory. Over a long period of time, system memory will eventually run out.
Workaround:
None.
Fix:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is now freed, so no memory leak occurs.
623922-5 : TMM failure in PEM while processing Service-Provider Disaggregation
Solution Article: K64388805
Component: Policy Enforcement Manager
Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.
Conditions:
System crashes when traffic flows and rules get executed on the flow.
Impact:
System crashes.
Workaround:
Set Service-Provider Disaggregation to sp, as suggested by the documentation.
Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.
623885-4 : Internal authentication improvements
Solution Article: K41107914
623803-2 : General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
Solution Article: K12921801
Component: TMOS
Symptoms:
When SCTP profile is selected, the system posts a general DB error due to 'read access denied type Virtual Address profile SCTP'.
Conditions:
-- Log in to the GUI as a non-Admin user.
-- Select the SCTP profile from the GUI.
Impact:
Cannot get the SCTP profile.
Workaround:
Log in as an Admin user.
Fix:
A non-Admin user can now log in to the GUI, select the SCTP profile, and retrieve the SCTP profile information correctly.
623562-3 : Large POSTs rejected after policy already completed
Component: Access Policy Manager
Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64 KB. The client sees a reset, and these error messages appear on the BIG-IP:
/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big
/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960
Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.
Impact:
Clients are unable to send POST bodies to '/' that are larger than 64 KB, even though the policy has already been evaluated to allow.
Workaround:
Move the resource from '/' to another URL.
Fix:
The logic of '/' in this area was changed to be consistent with other URLs.
623536-2 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
Component: TMOS
Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, the SNMP traps that should notify about RSTs sent because maintenance mode is on are not sent.
Conditions:
Reset cause logging and maintenance mode are enabled.
An SNMP trap destination is configured and routable.
Impact:
SNMP traps are not sent.
Workaround:
Adding a custom trap in /config/user_alert.conf with escaped characters works around the issue:
alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}
Fix:
BIG-IP now correctly sends SNMP traps when configured to do so with TCP resets in maintenance mode.
623518-1 : Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
Component: Fraud Protection Services
Symptoms:
If a profile is assigned to a user-defined partition, it is not possible to add users to User Enforcement list.
Also, if a user-defined partition is selected, the GUI does not display a message when signature/engine updates are available.
Conditions:
Provision and license FPS.
Create user-defined partition.
Impact:
You are unable to manage the profile in the user-defined partition.
Workaround:
Use tmsh to add users.
Fix:
Users can be added to User Enforcement list and a message will be displayed if a new update is available.
623491-2 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
Component: Policy Enforcement Manager
Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.
Conditions:
A flow is associated with a PEM rule that has at least a BWC action along with a Gx reporting action.
Impact:
The traffic flow is not capped by the correct BWC action, instead it is capped by the maximum configured bandwidth in the BWC policy.
Fix:
The BWC policy is restored correctly after a policy update.
623401-1 : Intermittent OCSP request failures due to non-optimal default TCP profile setting
Component: TMOS
Symptoms:
The connection between BIG-IP and the OCSP responder is not reliable because it uses the default internal TCP configuration, which does not suit this use well.
Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.
Impact:
The BIG-IP, acting as an SSL server, fails to staple the OCSP response for the SSL client. In other words, the certificate status message is not added to the Server Hello message in TLS handshakes with the SSL client.
Workaround:
The fix introduces a TCP configuration tuned for the connection between BIG-IP and the OCSP responder, which makes the connection reliable. The virtual server can therefore now always correctly staple the certificate status in the Server Hello message to the SSL client.
623391-5 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
Component: TMOS
Symptoms:
cpcfg fails with errors similar to:
Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.
Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.
Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size.
Workaround:
Run the following to fix /etc/mtab on the target (HD1.3 is used in this example; substitute the correct target volume) before running cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3
Fix:
cpcfg could incorrectly calculate the amount of free space required, refusing to do the copy unless the / filesystem on the target volume had sufficient space to do the copy (not taking into account /config, /usr, /var, and other filesystems). This has been resolved and this free space calculation is done correctly.
623336-4 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
Component: TMOS
Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.
Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)
Impact:
Upgrades to versions that ship the "non-RCS" file incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that ships with those releases.
This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.
Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:
1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
touch /service/mcpd/forceload && reboot
3. After reboot, verify that the two files match (they should have the same checksum):
md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.
623119 : Linux kernel vulnerability CVE-2016-4470
Solution Article: K55672042
623093-1 : TIFF vulnerability CVE-2015-7554
Solution Article: K38871451
623055-1 : Kernel panic during unic initialization
Component: TMOS
Symptoms:
During system initialization, the kernel panics during unic initialization.
Conditions:
This can occur on BIG-IP Virtual Edition if an error (memory allocation, I/O, etc.) occurs during unic initialization.
Impact:
The kernel panics and the system will not boot.
Fix:
Initialize resources to fail gracefully on error.
623037-2 : Delete of PEM session attribute does not work after an update
Component: Policy Enforcement Manager
Symptoms:
It is not possible to delete the session attribute through rules.
Conditions:
Rules with session attribute update and delete actions.
Impact:
Unable to delete the session attribute.
623023-1 : Unable to set DNS Topology Continent to Unknown via GUI
Component: Global Traffic Manager (DNS)
Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".
Conditions:
Attempting to configure a DNS Topology Record via the GUI.
Impact:
Unable to set the Continent field to 'Unknown' via GUI.
Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`
Fix:
The dropdown menu now has an option to select an "Unknown" Continent.
622913-2 : Audit Log filled with constant change messages
Component: Application Security Manager
Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:
Error 502 Bad Gateway when clicking "Application Security" logs
Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.
Impact:
Disk space usage and errors viewing the Application Security logs.
Workaround:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)
2) Enable ASM sync on a device group.
Fix:
Updates to the audit log are throttled to a maximum of one per minute.
622877-1 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
Component: TMOS
Symptoms:
Messages like the following in /var/log/ltm:
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared
Conditions:
i2000 or i4000 series appliances with DDM enabled, after a reboot or a restart of the pfmand daemon.
Impact:
No functional impact; these are not valid DDM alarms or warnings.
Workaround:
Ignore DDM errors that clear right away after powerup or pfmand restart.
Fix:
During DDM initialization, any alarms or warnings cached in the hardware registers are now cleared.
622856-1 : BIG-IP may enter SYN cookie mode later than expected
Component: Local Traffic Manager
Symptoms:
BIG-IP may not enter SYN cookie mode even though the traffic pattern dictates that it should.
Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.
Impact:
BIG-IP does not enter SYN cookie mode at the expected time.
Workaround:
Disable verified accept on all VIP TCP profiles.
Fix:
BIG-IP correctly enters SYN cookie mode when the traffic pattern dictates that it should.
622790-1 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
Component: Access Policy Manager
Symptoms:
Edge Client takes a long time to disconnect when the machine is moved to a network with no connectivity to BIG-IP.
Conditions:
* VPN is established.
* Machine is moved to a different network with no connectivity to BIG-IP.
* EdgeClient stays in the "Disconnecting..." state for a few minutes.
Impact:
The user has to wait until the disconnect procedure completes.
Fix:
Edge Client now uses a 5000 ms timeout to complete the logout HTTP request, which is sufficient under normal conditions.
622735 : TCP Analytics statistics do not list all virtual servers
Component: Application Visibility and Reporting
Symptoms:
In "Statistics :: Analytics : TCP", displaying the stats by virtual server will only allow the option of "Aggregated".
Conditions:
This occurs on virtual servers with the TCP Analytics profile attached.
Impact:
GUI does not list all virtual servers that have the TCP Analytics profile attached.
Fix:
Fixed an issue with displaying TCP Analytics statistics for virtual servers.
622662-7 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
622619-5 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
Component: TMOS
Symptoms:
MCPd CPU utilization is high, rendering it unresponsive.
Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.
Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.
Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.
622496 : Linux kernel vulnerability CVE-2016-5829
Solution Article: K28056114
622386-1 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
Component: Application Security Manager
Symptoms:
Internet Explorer browsers will get into an endless loop of requests, never reaching the back-end server, when accessing a Virtual Server which is enabled with both the Web Scraping feature, and the Proactive Bot Defense, if the mode of Proactive Bot Defense is set to During Attacks.
Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.
Impact:
Internet Explorer browser users are getting blocked from accessing the back-end server.
Workaround:
There are two workaround options:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.
Fix:
Internet Explorer users are no longer blocked when accessing a Virtual Server which has both Web Scraping enabled, and Proactive Bot Defense set to During Attacks.
622281-1 : Network DoS logging configuration change can cause TMM crash
Component: Advanced Firewall Manager
Symptoms:
Whenever a DoS Network logging profile is assigned to or removed from a Virtual Server, it can cause a random TMM crash.
Conditions:
The problem happens only with a runtime config change.
Any logging profile configuration that was already configured and is loaded at TMM startup does not have this problem. Because the problem is a one-time event on config change, a TMM restart picks up the config change and works without problems after the one-time crash and TMM restart.
Impact:
Traffic disrupted while tmm restarts.
Fix:
An invalid memory reference after free resulted in the crash; this is fixed.
622244-2 : Edge client can fail to upgrade when always connected is selected
Component: Access Policy Manager
Symptoms:
An attempt to upgrade an Edge client may fail if the Always Connected mode is enabled.
Conditions:
Always Connected is selected in BIG-IP when upgrading the client.
Impact:
The upgrade fails.
Workaround:
Disable the Always Connected mode.
Fix:
Upgrade functions as intended regardless of connection mode.
622220-2 : Disruption during manipulation of PEM data with suspected flow irregularity
Component: Policy Enforcement Manager
Symptoms:
tmm crashes.
Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.
622199 : sys-icheck reports error with /var/lib/waagent
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.
On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch
On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent
M - Mode differs (includes permissions and file type)
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with waagent that was causing sys-icheck to fail.
622194 : sys-icheck reports error with ssh_host_rsa_key
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub:
ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub
Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with ssh_host_rsa_key and ssh_host_rsa_key.pub that was causing sys-icheck to generate an error.
622183-5 : The alert daemon should remove old log files but it does not.
Component: TMOS
Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.
Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.
Impact:
The log filesystem may become completely full, and new log messages cannot be saved.
Fix:
The alert daemon will now remove old log files as intended.
622178-1 : Improve flow handling when Autolasthop is disabled
Solution Article: K19361245
622148-5 : Flow-generated ICMP error messages need to consider which side of the proxy they are on
Component: Local Traffic Manager
Symptoms:
When generating an error message from a flow, the ICMPv6 code does not check which side of the proxy the message needs to be crafted for.
Conditions:
Error handling.
Impact:
As a result, the generated ICMP error message might contain the wrong addressing.
Workaround:
No workaround.
Fix:
The code now checks the flow type before crafting the error message.
622133-1 : vCMP guests may obtain incorrect MAC addresses
Component: TMOS
Symptoms:
vCMP guests may be re-configured to use MAC addresses based off an all zero MAC address (00:00:00:00:00:00).
The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:
-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag
-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag
Conditions:
For this to manifest, the vCMP host vcmpd process must have previously crashed or been killed.
In this scenario, vcmpd on restart uses a default zero-based MAC address for the guests.
The guests do not use the new zero-based MAC until services are restarted on the guest, at which point the new MAC address takes effect.
Impact:
This can cause network issues and conflicts if it occurs on multiple guests in the same VLAN, because the same MAC addresses will be used.
Workaround:
Restart the guest from the hypervisor.
Fix:
vCMP no longer uses zero-based MACs on vcmpd crash/kill.
622126-1 : PHP vulnerability CVE-2016-7124
Solution Article: K54308010
622017-8 : Performance graph data may become permanently lost after corruption.
Solution Article: K54106058
Component: Local Traffic Manager
Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to backup the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.
However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.
Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.
Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.
Workaround:
Old performance graph data can be extracted from the /var/rrd directory of a QKView taken before the problem began.
Fix:
Corrupt performance graph RRD data is now backed up to the /shared/rrd.backup directory during startup even if the directory already exists.
621976-4 : OneDrive for Business thick client shows javascript errors when rendering APM logon page
Component: Access Policy Manager
Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page
Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.
Impact:
User experience is impacted; however, clicking through the javascript errors eventually leads to successful authentication and a working OneDrive for Business app.
Workaround:
Click through the javascript error dialogs.
Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.
621974-4 : Skype For Business thick client shows javascript errors when rendering APM logon page
Component: Access Policy Manager
Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page
Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.
Impact:
User experience is impacted; however, clicking through the javascript errors eventually leads to successful authentication and a working Skype For Business app.
Workaround:
Click through the JavaScript error dialogs.
Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.
621957-2 : Timezone data on AOM not syncing with host
Component: TMOS
Symptoms:
Updating the timezone on the host does not sync to the AOM, because certain tzdata files are placed in the wrong directories.
Conditions:
A system using tzdata version v2016i-1 may encounter this problem. If the following files exist:
/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab
then the system has this problem.
Impact:
Time on the AOM is incorrect.
Workaround:
If the following files exist:
/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab
move them to:
/usr/share/zoneinfo/F5zone.tab
/usr/share/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/F5zone.tab
Fix:
Timezone data on the AOM now syncs correctly with the host again.
621937-1 : OpenSSL vulnerability CVE-2016-6304
Solution Article: K54211024
621935-6 : OpenSSL vulnerability CVE-2016-6304
Solution Article: K54211024
621909-4 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
Solution Article: K23562314
Component: TMOS
Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.
Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.
Impact:
Uneven traffic distribution.
Workaround:
None.
Fix:
This release fixes uneven egress trunk distribution on the BIG-IP 5000 or 10000 platforms when there is an odd number of ports.
621870-2 : Outage may occur with VIP-VIP configurations
Component: Local Traffic Manager
Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.
Conditions:
VIP-VIP configuration
Impact:
System outage
Workaround:
None.
621808-1 : Proactive Bot Defense failing in IE11 with Compatibility View enabled
Component: Application Security Manager
Symptoms:
Microsoft Internet Explorer version 11 (IE11) browsers which have 'Compatibility View' enabled (under Compatibility View Settings IE11 menu), fail the JavaScript challenge when Proactive Bot Defense is enabled and the 'Block requests from suspicious browsers' checkbox is checked.
The challenged request is blocked using a TCP_RST flag, and the browser displays 'This page can't be displayed'.
Conditions:
-- DoS profile that is attached to the virtual server.
-- Proactive Bot Defense is enabled
-- The 'Block requests from suspicious browsers' checkbox is checked.
-- IE11 browsers are in use.
-- The site's domain is inserted to the 'Compatibility View Settings' in the browser's menu.
Impact:
Legitimate browsers get blocked when accessing the site.
Workaround:
None.
Fix:
IE11 browsers with 'Compatibility View' enabled on the site no longer get blocked when Proactive Bot Defense is enabled on the DoS profile.
621736-6 : statsd does not handle SIGCHLD properly in all cases
Solution Article: K00323105
Component: Local Traffic Manager
Symptoms:
- Performance graphs are not updating or are not existent.
- proc_pid_stat shows statsd time not increasing.
- Top also shows that statsd is not taking any processor time.
In fact statsd is stuck on a wait in a signal handler.
Conditions:
If statsd receives a SIGCHLD signal.
Impact:
The system gets stuck and does not process anything. No performance graphs are collected or generated.
Workaround:
Restart statsd using the following command:
bigstart restart statsd
Fix:
statsd now handles SIGCHLD properly.
621682-1 : Portal Access: problem with specific JavaScript code
Component: Access Policy Manager
Symptoms:
Portal Access does not rewrite JavaScript code with try...catch... operator followed by literal regular expression.
Conditions:
JavaScript code like follows:
try {} catch (e) {} /aaa/.test(b)
Impact:
Web application may not work correctly.
Fix:
Now try / catch operator followed by literal regular expression in JavaScript code is handled correctly by Portal Access.
621524-2 : Processing Timeout When Viewing a Request with 300+ Violations
Component: Application Security Manager
Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.
Conditions:
Attempting to view a request that triggered hundreds or thousands of violations
Impact:
A timeout is encountered.
Workaround:
Increase the "max_execution_time" timeout in /usr/local/lib/php.ini from 30 to 240 seconds.
Fix:
Processing high violation requests is now more efficient.
621452-1 : Connections can stall with TCP::collect iRule
Solution Article: K58146172
Component: Local Traffic Manager
Symptoms:
Connection does not complete.
Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.
-- The Initial Sequence Number in the SYN, plus the length of the data in the first packet, plus 1, is greater than or equal to 2^31.
Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.
Impact:
-- Connection fails.
-- This issue can also cause the Configuration Utility's Device Management :: Overview page to stop responding.
Workaround:
There is no workaround at this time.
Fix:
The system now properly sets state variables associated with TCP::collect, so this issue no longer occurs.
621447-1 : In some rare cases, VDI may crash
Component: Access Policy Manager
Symptoms:
VDI process crashes and connections to VDI resources are aborted.
Conditions:
VDI receives unexpected session variable result which is meant for some other VDI thread.
Impact:
Existing VDI connections are aborted and the user needs to login again.
Fix:
VDI now gracefully handles the error condition and does not crash.
621423 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:
ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /config/ssh/ that was causing sys-icheck to report errors.
621422 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
Component: TMOS
Symptoms:
A 1G optic is inserted in a port that only supports 10G optics, or a 10G optic is inserted in a port that only supports 1G optics.
The invalid optic may show a link light, and no warning appears on the LCD.
Conditions:
i2000 or i4000 platforms ports do not auto-negotiate between 1G and 10G optics. Ports are assigned to one or the other speed.
Impact:
The user may not understand why the optic is not working correctly.
Workaround:
Move the optic to the correct port.
621401 : When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load
Component: Device Management
Symptoms:
When BIG-IQ is monitoring more than one BIG-IP in an HA cluster, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.
Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.
Impact:
AVR reporting will stop functioning.
Workaround:
bigstart restart restjavad
621386-1 : restjavad spawns too many icrd_child instances
Solution Article: K91988084
Component: TMOS
Symptoms:
icrd_child process keeps crashing and can lead to an out-of-memory condition.
Conditions:
This occurs due to a race condition while restarting the icrd daemon.
Impact:
icrd might crash.
Workaround:
None.
Fix:
Fixed race condition that caused the system to run out of memory by spawning too many icrd_child processes.
621379-2 : TCP Lossfilter not enforced after iRule changes TCP settings
Component: Local Traffic Manager
Symptoms:
TCP Lossfilter function doesn't work properly, although the first few losses will be properly ignored.
Conditions:
TCP profile has ALL of the following settings:
mptcp disabled; rate-pace disabled; tail-loss-probe disabled; fast-open disabled; cmetrics-cache-timeout = 0; congestion ctrl is reno, new-reno, high-speed, or scalable; nagle enabled or disabled; rtx_thresh = 3; loss-filter settings are both > 0.
An iRule changes any of the above settings except loss-filter.
Impact:
Sending rate declines due to packet losses improperly interpreted as congestion.
Workaround:
Change any of the conditions above.
Fix:
Properly handle loss-filter state when switching TCP stacks.
621374-1 : "abbrev" argument in "whereis" iRule returns nothing
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule [whereis <ip|ldns> abbrev] does not return a value.
Conditions:
iRule relying on whereis abbrev is used.
Impact:
The whereis iRule command will not return the expected value.
621371-2 : Output Errors in APM Event Log
Solution Article: K43523962
621337-6 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
Solution Article: K97285349
621314-6 : SCTP virtual server with mirroring may cause excessive memory use on standby device
Solution Article: K55358710
Component: TMOS
Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.
Conditions:
SCTP virtual server has mirroring enabled.
Impact:
TMMs will have high memory usage on standby device.
Workaround:
Disable mirroring on the SCTP virtual server.
Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.
621284-5 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute
Component: WebAccelerator
Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.
Conditions:
Invoking the TMSH man/help page on RAMCACHE.
Impact:
Incorrect TMSH help text
Workaround:
N/A
Fix:
max-response:
Displays the maximum number of entries in the RAM cache. The default value is 0 (zero), which is equivalent to no max-response value being specified. Without the max-response option, the system limits the number of entries to 10 per Traffic Management Microkernel (TMM).
621273-1 : DSR tunnels with transparent monitors may cause TMM crash.
Component: TMOS
Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.
Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM does not crash.
621260-5 : mcpd core on iControl REST reference to non-existing pool
Component: TMOS
Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:
curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'
Conditions:
The monitor reference in the REST call must be comprised of a single space character.
Impact:
MCPd restarts, causing many of the system daemons to restart as well.
Workaround:
Don't use spaces in the monitor reference name.
621259-3 : Config save takes long time if there is a large number of data groups
Component: TMOS
Symptoms:
Config save takes a long time to complete
Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration
Impact:
When the save takes longer than 90 seconds, SOAP iControl will time out.
This makes it impossible to manage the device via EM.
621242-1 : Reserve enough space in the image for future upgrades.
Component: TMOS
Symptoms:
Increased the reserved free space in VM image from 15% to 30% to accommodate upgrades to future versions. Each next version tends to be bigger and require more disk space to install. The increased reserved space will allow upgrading to at least next 2 versions.
Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).
Impact:
Extends the disk image to reserve more disk space for upgrades.
Workaround:
N/A
Fix:
Increased the reserved free space on VE images.
621239-2 : Certain DNS queries bypass DNS Cache RPZ filter.
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.
Conditions:
A DNS Cache configured with RPZ.
Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.
Fix:
The DO-bit is now ignored with respect to RPZ filtering.
621233-1 : FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm
Solution Article: K49440608
621225 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
Component: TMOS
Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.
Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.
Impact:
They are false alarms in the log. The associated interfaces do not have said PCI devices.
Fix:
Removed the possibility of getting false alarm messages in the LTM log for front panel interfaces 1.0-6.0 that claim, "PCI Device not found for Interface X.0".
621210-2 : Policy sync shows as aborted even if it is completed
Component: Access Policy Manager
Symptoms:
After syncing a policy in a sync-only device group, the policy appears to be synced to the target successfully, however, the remote HA pair devices show status as canceled/aborted.
Conditions:
It is not known exactly what triggers this condition. It was observed in a 4-device trust group consisting of 2 sync/failover groups and a single sync-only device group for all 4 devices. After the sync the status reported as cancelled/aborted.
Impact:
Sync status is displayed incorrectly, even after the sync was successful.
Workaround:
None.
Fix:
Policy sync now shows as completed when it is completed.
621126-2 : Import of config with saml idp connector with reuse causes certificate not found error
Component: Access Policy Manager
Symptoms:
Export and then Import with reuse of config that has SAML Idp Connector as part of configuration would fail with Object not found or Certificate not found error:
Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.
Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.
Impact:
Importing fails.
Workaround:
On the From box: disconnect the IdP configuration, then export the config.
On the To box: recreate the IdP configuration, import, then reconnect it.
Fix:
Importing with reuse is fixed.
621115-1 : IP/IPv6 TTL/hoplimit may not be preserved for host traffic
Component: Performance
Symptoms:
Traffic to and from the Linux host has TTL set to 255 or hop limit set to 64. This may impact any protocols that scrutinize the TTL such as IGMP or BGP.
Conditions:
IP/IPv6 TTL/hoplimit for host traffic.
Impact:
IGMP packets will not be passed from TMM to the Linux host and remote routers may reject IGMP packets from the BIG-IP.
BGP neighbors may reject packets from the BIG-IP.
Workaround:
Adjust TTL verification restrictions on peer devices.
Fix:
The IP/IPv6 TTL/hoplimit of host traffic is no longer modified when it traverses TMM.
620954-3 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
Component: TMOS
Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.
Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.
Impact:
This intermittent authentication failure results in users not being able to login.
Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.
620929-4 : New iRule command, MR::ignore_peer_port
Component: Service Provider
Symptoms:
For incoming connections where the client used an ephemeral source port, subsequent connections from the same client may connect using a different ephemeral port. Without being able to identify the current connection as equivalent to other connections from the same IP, it will not be discoverable as an equivalent connection.
Conditions:
For incoming connections where the client used an ephemeral source port, subsequent connections from the same client may connect using a different ephemeral port.
Impact:
Without being able to identify the current connection as equivalent to other connections from the same IP, it will not be discoverable as an equivalent connection.
Workaround:
Without this change, a new connection would need to be created to the client.
Fix:
The new iRule command allows the script author to identify the current connection as equivalent to other connections whose IP and route domain ID match.
620903-1 : Decreased performance of ICMP attack mitigation.
Component: Performance
Symptoms:
Decreased performance of ICMP attack mitigation.
Conditions:
A BIG-IP is under attack, for example an ICMP flood attack.
Impact:
Decreased performance of ICMP attack mitigation.
Workaround:
N/A
Fix:
Increased performance of ICMP attack mitigation.
620829-2 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Solution Article: K34213161
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
None.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
620801-3 : Access Policy is not able to check device posture for Android 7 devices
Component: Access Policy Manager
Symptoms:
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve device MAC address and hence APM is not able to check for device compliance against configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item.
If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.
Conditions:
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status
- User accesses APM from an Android 7 device using F5 Edge Client app.
Impact:
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.
Workaround:
This workaround only applies to IBM Maas360:
Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:
session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}
And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:
session.client.platform = expr {[mcget session.client.platform_tmp]}
Fix:
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.
620788-1 : FQDN pool created with existing FQDN node has RED status
Solution Article: K05232247
Component: Local Traffic Manager
Symptoms:
After creating an FQDN pool using an existing FQDN node, the pool has RED status.
Conditions:
-- Existing FQDN node.
-- Pool created with an existing FQDN node as a member.
Impact:
Traffic will not pass in this pool.
Workaround:
As a workaround, follow these steps:
1. Delete the existing FQDN node.
2. Create a new one.
3. Create a pool that includes the new FQDN node.
Fix:
When creating an FQDN pool with an existing FQDN node, the pool status now reflects the actual monitor status.
620782 : Azure cloud now supports hourly billing
Component: TMOS
Symptoms:
Prior to 12.1.2 hourly billing was not supported in Azure cloud.
Conditions:
Any version prior to 12.1.2 in Azure Cloud
Impact:
Hourly billing not possible
Fix:
With 12.1.2 hourly billing is now supported in Azure.
620759-4 : Persist timeout value gets truncated when added to the branch parameter.
Component: Service Provider
Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.
Conditions:
If the persist timeout value was higher than 65535, then the value gets truncated.
Impact:
An incorrect persist timeout takes effect for the call, rather than the value set in the config.
Workaround:
None.
Fix:
Persist timeout value no longer gets truncated when added to the branch parameter.
620746-1 : MCPD crash
Component: TMOS
Symptoms:
MCPD may crash while processing large requests.
Conditions:
The conditions under which this occurs are not yet defined.
Impact:
MCPD crash, leading to a failover event.
Workaround:
None.
Fix:
MCPD now processes large requests as expected.
620659-3 : The BIG-IP system may unnecessarily run provisioning on successive reboots
Component: TMOS
Symptoms:
After the first boot, the system runs provisioning and boots successfully, but a file, /mprov_firstboot, is left on the system. The following will appear in /var/log/ltm:
info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'
During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'
Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).
Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.
The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
<13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB
The /var/log/tmm logfile on the vCMP guest will contain:
<13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
<13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
<13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **
Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.
Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.
620635-2 : Request having upper case JSON login parameter is not detected as a failed login attempt
Component: Application Security Manager
Symptoms:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.
Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ JSON login parameter with an upper-case character
Impact:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.
Workaround:
N/A
Fix:
JSON login parameters are now always treated as case sensitive, regardless of the ASM policy case sensitivity setting.
620625-2 : Changes to the Connection.VlanKeyed db key may not immediately apply
Solution Article: K38094257
Component: Local Traffic Manager
Symptoms:
When you modify the connection.vlankeyed database key, some asymmetrically routed connections unexpectedly fail.
Conditions:
This issue occurs when the following condition is met:
You modify the connection.vlankeyed database key.
For example, you set the database key value to disable.
For more information, refer to K13558: Allowing asymmetrically routed connections across multiple VLANs (11.x - 13.x) :: https://support.f5.com/csp/article/K13558.
Impact:
Some connections using asymmetrical routing do not reach their destination.
Workaround:
Restarting TMM resolves the issue, though this briefly interrupts traffic, so it should be performed during a maintenance window. To do so, run one of the following commands:
-- On an appliance (BIG-IP platform):
bigstart restart tmm
-- On a clustered system (a VIPRION or VIPRION-based vCMP guest):
clsh bigstart restart tmm
Fix:
Asymmetrically routed connections no longer fail with Connection.VlanKeyed disabled.
620614-4 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
Component: Access Policy Manager
Symptoms:
iOS Citrix receiver fails to add new store account and touching on the Save option after providing the credentials displays "Loading" and comes back to previous save option.
/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.
Instead of the error above, the following error may appear, which deletes the session ID abruptly:
Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).
Conditions:
APM is configured with Citrix replacement mode. Wrong passcode values are provided for RSA SecurID auth three times in a row, which triggers the next-token prompt, and the right passcode is entered on the fourth attempt. APM session rotation is enabled.
Impact:
The iOS Citrix receiver cannot add the account after wrong token values were provided for two-factor auth.
Workaround:
Kill the iOS Citrix receiver application and click on the receiver again to add the account.
Fix:
Use the right session id for decrypting the password.
620543-1 : Security Address Lists and Port Lists can't change Description field
Component: Advanced Firewall Manager
Symptoms:
'Description' doesn't get saved when a user tries to create an Address List or Port List.
Conditions:
Create an Address List/Port List with a description, and hit 'Finished'. The Address/Port List will be created, but the object will not be saved.
Impact:
Users will not be able to save the description when an Address List/Port List is created via the GUI.
Workaround:
Use tmsh to create Address/Port List.
Fix:
'Description' now gets saved when a user creates an Address List or Port List.
620522-1 : Some expected command output is missing in qkview
Component: TMOS
Symptoms:
Some commands are not executed, and their output is not collected by qkview.
Conditions:
The total execution time of all commands exceeds 360 seconds.
Impact:
Missing command output in qkview tar file.
Workaround:
The missing commands need to be executed manually to share their output with F5 Support.
Fix:
The timeout can now be passed as an argument to the qkview command with the -t option.
620445-4 : New SIP::persist keyword to set the timeout without changing key
Component: Service Provider
Symptoms:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout> disables bidirectional persistence.
Conditions:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout>.
Impact:
Disables bidirectional persistence. Persistence entry only records destination (not source) of the session.
Workaround:
None.
Fix:
New keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key.
Behavior Change:
There is a new keyword, SIP::persist timeout <new_timeout>, that allows changing the timeout without changing the key. Previously, if you changed the timeout, it disabled bidirectional persistence.
620400-1 : TMM crash during TLS processing
Solution Article: K21154730
620366-4 : Alertd can not open UDP socket upon restart
Component: TMOS
Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener
Conditions:
alertd has spawned a long-running process (e.g. ntpd) which does not close inherited file descriptors.
Impact:
alertd fails to restart
Fix:
Mark alertd file descriptors for automatic closure in child processes.
620311-1 : GUI Failover Unicast Address information incorrect
Component: TMOS
Symptoms:
In the GUI, the Failover Unicast Address information for the peer device shows the Management IP of the local device, instead of the peer's Management address.
Conditions:
Failover Device group with failover unicast addresses configured with management addresses.
Impact:
The GUI displays an incorrect address. Management addresses in the following locations incorrectly show the local management address:
-- Device management :: Devices :: <peer device>
-- Device Connectivity: Failover Unicast Configuration
Workaround:
None.
620301-4 : Policy import fails due to missing signature System in associated Signature Set
Component: Application Security Manager
Symptoms:
ASM policy import fails due to a missing System, used in an associated Signature Set.
Conditions:
ASM policy is imported using an export file from a device with a more recent ASM Signature Update.
Impact:
The ASM policy import fails.
Workaround:
Update the ASM Signature on the target device before importing the policy.
620215-5 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The failure to allocate memory is now handled properly.
620079-3 : Removing route-domain may cause monitors to fail
Component: Local Traffic Manager
Symptoms:
Removing a route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.
Conditions:
-- Route-domain is removed.
-- icmp/gateway-icmp monitor is used.
Impact:
The monitor marks the node down, resulting in a partial service outage.
Workaround:
Restart bigd using the following command:
bigstart restart bigd
Fix:
Removing route-domain no longer causes monitors to fail.
620056-1 : Assert on deletion of paired in-and-out IPsec traffic selectors
Component: TMOS
Symptoms:
When two traffic selectors, one in and one out, mirror each other by reversing source and destination addresses, deleting one of them can misfire an assert, restarting tmm.
Conditions:
Defining two clearly related traffic selectors, one for in and one for out, can confuse a later check of their names.
Impact:
When a traffic selector from such a pair is deleted, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.
Workaround:
Using one traffic selector with direction=both avoids the problem until this fix appears in a release.
Fix:
The confusion over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors -- identical to each other except for reversed source and destination -- work correctly for IKEv1 configs. For IKEv2 it is still best to use single TS instances with direction=both.
619879-1 : HTTP iRule commands could lead to WEBSSO plugin being invoked
Component: Access Policy Manager
Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor
With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))
Conditions:
HTTP::disable followed by HTTP::enable, for example:
when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other stuff
    HTTP::enable
}
Impact:
The client receives an HTTP 503 reset.
Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.
Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.
619873-2 : Secure Vault: Key cleanup for 5000-, 7000-series, and i-Series platforms★
Component: TMOS
Symptoms:
Outdated and unused unit key is left on some devices after an upgrade from an older version.
- This occurs with 5000- and 7000-series platforms after upgrade from an older version to v13.0.0.
- This occurs with iSeries platforms after upgrade from an older version to v12.1.4.1 or a later v12.1.x software version.
Conditions:
One of the following sets of conditions:
-- Running on 5000- and 7000-series platforms.
-- Upgrading from a version earlier than v13.0.0 to v13.0.0.
-- Installing v13.0.0 hotfixes.
Or:
-- Running on iSeries platforms.
-- Upgrading from v12.1.4 or earlier, to 12.1.4.1 or a later 12.1.x version.
-- Installing v12.1.x point releases or engineering hotfixes.
Impact:
1) Unit key on disk is preferred over unit key in hardware.
2a) Potential config load failures when installing v13.0.0 hotfixes on 5000- and 7000-series devices.
2b) Potential config load failures when installing v12.1.x point releases or hotfixes on iSeries devices.
Workaround:
NOTES:
-- Impacts 5000- and 7000-series platforms on v13.0.x.
-- Impacts iSeries platforms on v12.1.4.1 or a later v12.1.x software version.
On or before upgrade to v13.0.0 or its associated hotfixes, perform the following procedure:
1) Set master key to a known value:
modify sys crypto master-key prompt-for-password
2) Save config:
tmsh save sys config
3) Remove the old unit key:
rm /config/bigip/kstore/.unitkey
4) Load config:
tmsh load sys config
5) Save config:
tmsh save sys config
Fix:
Unit key is no longer left on platforms after upgrade from an older version.
619849-4 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGABRT (killed by sod)
Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in their TCP profiles that are handling traffic.
This issue occurs extremely rarely.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified-accept in the TCP profile.
Fix:
The loop is fixed.
619844-2 : Packet leak if reject command is used in FLOW_INIT rule
Component: Local Traffic Manager
Symptoms:
TMM memory usage (packets) increases steadily over time.
Conditions:
The 'reject' command is used in a FLOW_INIT rule.
Impact:
Packet leak over time will consume TMM memory.
Workaround:
Do not use the reject command in FLOW_INIT iRules.
619811-2 : Machine Cert OCSP check fails with multiple Issuer CA
Component: Access Policy Manager
Symptoms:
If there are multiple CAs in the CA bundle and the issuing CA is not first in it, the OCSP responder returns an "unauthorized" response.
Conditions:
This can only happen when the issuing CA is not first in the CA file.
Impact:
The OCSP check in Machine Cert fails and the user cannot follow the successful branch in the Access Policy. This might result in an authentication failure even though the machine cert is valid.
Workaround:
Use an iRule Event agent and a Variable Assign agent between the Machine Cert and OCSP Auth agents.
Follow these steps:
iRule:
1) Loop through the CA bundle until you find the matching issuer cert.
2) Set this issuer cert in "session.check_machinecert.last.cert.issuer.cert".
Variable Assign:
3) Read this issuer cert from the session db and assign it back to the same session variable:
session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }
Fix:
Issuer cert is now looked up and set properly from the CA bundle. So there is no longer any failure response from OCSP responder.
619757-1 : iSession causes routing entry to be prematurely freed
Component: Wan Optimization Manager
Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.
Conditions:
iSession-enabled virtual.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No reasonable workaround short of not using iSession functionality.
Fix:
iSession no longer causes routing entries to be prematurely freed.
619706-1 : tmsh appears to allow password change for internal lcd admin user
Component: TMOS
Symptoms:
The 'tmsh modify auth password' command appears to allow the password to be changed for the f5hubblelcdadmin user.
Conditions:
Using the 'modify auth password' command under tmsh, and manually specifying the 'f5hubblelcdadmin' user (which does not appear among the list of available users, such as via tab-completion).
Impact:
This operation appears to succeed, but has no actual effect on BIG-IP operations.
This is an internal user account which provides the context for communication with the lcd front panel display on newer BIG-IP appliances. Changing the stored password for this user account does not affect these operations.
Fix:
Removed the appearance of the ability to change the password for the internal lcd admin user.
619663-3 : Terminating of HTTP2 connection may cause a TMM crash
Solution Article: K49220140
Component: Local Traffic Manager
Symptoms:
TMM crashes when an HTTP2 connection is being terminated on the client and server sides concurrently.
Conditions:
-- HTTP2 profile is configured and assigned to a virtual server.
-- A client SSL profile is also used on the same virtual server.
-- Client interrupting a connection and server terminating a connection at the same time.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The fix stops HTTP2 from further processing when a connection is terminating, preventing the TMM crash.
619528-4 : TMM may accumulate internal events resulting in TMM restart
Component: Local Traffic Manager
Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.
Conditions:
HTTP virtual with long-lived connections.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.
Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.
619516-1 : Inconsistencies in Automatic sync ASM Device Group
Component: Application Security Manager
Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.
Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.
Impact:
This can cause any of the following depending on the change:
-- Superfluous full sync operations.
-- Updating the wrong element on the remote devices.
-- Missing changes on the remote devices.
Workaround:
Disable automatic sync on the device group, and periodically push changes manually.
Fix:
Calls are correctly propagated across Automatic sync Device Groups with ASM enabled.
619486-3 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
Component: Access Policy Manager
Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access can fail if the application modifies the window.self built-in object. As a result, the application stops working and may log an undefined variable/reference exception in the Developer Tools console.
To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.
Conditions:
This can occur if a web application has JavaScript that modifies the value of window.self.
Impact:
Affected web-applications will not work when accessed through Portal Access.
Workaround:
None
Fix:
Scripts on pages accessed through Portal Access are no longer failing when web application code modifies window.self.
619473-2 : Browser may hang at APM session logout
Component: Access Policy Manager
Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.
Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.
Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.
Fix:
The browser no longer hangs at logout from an APM session with an RDP client and/or VMware View client.
619410-1 : TMM hardware accelerated compression not registering for all compression levels.
Component: TMOS
Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.
Conditions:
-- Compression requests for DEFLATE/gzip/zlib levels other than level 1.
-- BIG-IP devices using Coleto Creek SSL hardware acceleration.
Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.
Workaround:
None.
Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip/zlib compression levels, not just level 1.
619398-7 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The fix was to properly handle the failure allocating memory.
619250-1 : Returning to main menu from "RSS Feed" breaks ribbon
Component: Access Policy Manager
Symptoms:
When you go to the "RSS Feed" configuration page for a Document, Picture Library, List, etc., go back to the SharePoint Dashboard using the link at the top pointing to "RSS FEED for ...", and then click any option on the ribbon, you get "500 Internal Server Error" and the ribbon stops working. When you use the browser's built-in "go back" button instead, everything works.
Conditions:
"500 Internal Server Error" occurs. Ribbon stops working.
Impact:
Ribbon stops working.
Workaround:
Use the browser's built-in "go back" button instead.
Fix:
After returning to the main menu from "RSS FEED for ...", the ribbon continues to work. No more "500 Internal Server Error".
619158-1 : iRule DNS request with trailing dot times out with empty response
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.
Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.
Impact:
The request does not properly resolve to an IP address.
Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.
Fix:
Domain names with trailing dots are properly resolved from iRules. The trailing dot is stripped when the request is saved to later match with the response.
619110-1 : Slow to delete URLs, CPU spikes with Automatic Policy Builder
Component: Application Security Manager
Symptoms:
Deleting a URL causes an incorrect event to be generated and logged for every other URL in the Policy.
When a policy has many URLs configured, deleting a URL takes a long time and consumes heavy CPU time.
Conditions:
Many URLs are configured in the Policy.
This can be due to Policy Builder being set to "Always" learn new HTTP URLs.
If Policy Builder is also configured to collapse common URLs to wildcards, then it deletes the collapsed URLs, and these calls can be resource intensive.
Impact:
1) GUI is slow to delete URLs.
2) Misleading (incorrect) logs are present in the audit log for every other URL in the system after a URL delete.
3) CPU can spike to 100%.
Workaround:
A) Change the "Learn New HTTP URLs" mode from "Always" to "Selective".
B) Disable collapsing of URLs.
Fix:
URL delete no longer incorrectly generates an event for every other URL in the system.
619097 : iControl REST slow performance on GET request for virtual servers
Component: TMOS
Symptoms:
Performing a GET request on a BIG-IP with a large number of virtual servers may result in slow performance and timeout errors.
Conditions:
When a significant number of virtual servers reference persistence profiles.
Impact:
Unable to perform large GET query on virtual servers.
Workaround:
None.
Fix:
Improved iControl REST performance for GET requests on a BIG-IP with a large number of virtual servers referencing persistence profiles.
619071-3 : OneConnect with verified accept issues
Component: Local Traffic Manager
Symptoms:
System may experience an outage.
Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed
Impact:
System outage.
Workaround:
Disable verified accept when used with OneConnect on a VIP.
Fix:
Verified accept, OneConnect and hardware syncookies work correctly together.
619060 : Reduction in boot time in BIG-IP Virtual Edition platforms
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) experiences increased boot time.
Conditions:
The increased boot time occurs each time a VE is booted.
Impact:
Long boot time, longer than previous releases.
Workaround:
None.
Fix:
Reduction in boot time in BIG-IP Virtual Edition platforms.
618957-1 : Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
Component: Access Policy Manager
Symptoms:
BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such a metadata file contains two certificates (one with 'signing' use and one with 'encryption' use), BIG-IP imports the certificate positioned second in the metadata twice.
Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'.
Impact:
There is no impact if the signing and encryption certificates in the metadata are the same. If the certificates are different, SAML SSO may not function properly because the wrong certificate is imported into the configuration.
Workaround:
Import the certificates manually and assign them to the SAML SP connector created from the metadata.
Fix:
Issue is now fixed: both certificates are imported correctly.
618944-1 : AVR statistics are not saved during the upgrade process
Component: Application Visibility and Reporting
Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.
Conditions:
AVR statistics were collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.
Impact:
Old AVR statistics will be lost
Workaround:
1. Before upgrading, edit the following file:
./usr/libdata/configsync/avr_save_pre
2. Replace the following line (note the missing -o before the asm check):
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "
with:
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "
Fix:
The AVR upgrade script is fixed.
618905-1 : tmm core while installing Safenet 6.2 client
Component: Local Traffic Manager
Symptoms:
tmm core while installing Safenet 6.2 client.
Conditions:
Safenet 6.2 client installation
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm core related to Safenet 6.2 client installation.
618902-4 : PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation
Component: Advanced Firewall Manager
Symptoms:
Each time the Packet Classification Compiler Daemon (PCCD) process recompiles rules due to configuration changes, it leaks approximately 20 bytes or more (depending on rule complexity).
Conditions:
This occurs when making changes to the firewall configuration when AFM is configured.
Impact:
This can potentially lead to an out-of-memory situation if the system runs for a long time without reboot and PCCD continuously recompiles due to frequent configuration changes.
Workaround:
None.
Fix:
The PCCD memory leak was identified and fixed.
618884-1 : Behavior when using VLAN-Group and STP
Component: Local Traffic Manager
Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.
Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.
Note: This issue is limited to software-switched platforms.
Impact:
May not see ICMP response traffic.
Workaround:
None.
618779-1 : Route updates during IPsec tunnel setup can cause tmm to restart
Component: TMOS
Symptoms:
During the setup of IPsec tunnel flows, tmm depends on a valid route being available towards a remote peer to correctly create the IPsec inbound tunnel flows. The absence of the route at this stage causes tmm to crash and restart. This is more likely to happen if the route towards the endpoint is dynamic.
Conditions:
IPsec tunnels are being set up with a given remote peer and the route towards that peer is not reliably present (as in the case of dynamic route updates).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure that there is always a valid route towards each of the remote peers.
Fix:
The tmm process no longer restarts if there is no valid route towards the remote peer during IPsec tunnel setup.
618771-1 : Some Social Security Numbers are not being masked
Component: Application Security Manager
Symptoms:
ASM does not block or mask some social security numbers (SSNs).
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contain social security numbers in specific ranges.
Impact:
The traffic passes neither masked nor blocked to the end client.
Workaround:
None.
Fix:
The system now correctly masks and/or blocks all relevant social security numbers.
618657-4 : Bogus ICMP unreachable messages in PEM with ipother profile in use
Component: Policy Enforcement Manager
Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.
Conditions:
A virtual server with an ipother profile configured together with the PEM profile. In the reported field defect, the additional condition was a missing classification profile, but because of code ordering, unfixed versions can also hit this with the classification profile present.
Impact:
Unnecessary ICMP traffic.
Fix:
Fixed an issue related to unnecessary ICMP traffic in the PEM filter.
618656-2 : JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
Component: Application Security Manager
Symptoms:
The JavaScript challenge is repeating in a loop on Firefox on URLs which are longer than 1033 characters. The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.
Conditions:
URLs are longer than 1033 characters, AND:
Users are using the Firefox browser, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.
Impact:
Requests to URLs longer than 1033 characters are blocked on Firefox, and the browser repeats the challenge in a loop.
Workaround:
None
Fix:
The JavaScript challenge no longer gets stuck in a loop on Firefox, on URLs which are longer than 1033 characters.
618549-1 : Fast Open can cause TMM crash CVE-2016-9249
Solution Article: K71282001
618517-1 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
Solution Article: K61255401
Component: Local Traffic Manager
Symptoms:
- In v11.6.1, bigd reports pool members were marked down that are not actually down, and logs messages similar to the following in the ltm log file:
warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.
- Because of changes in the v12.1.x software, although the problem is still present, it has negligible impact.
Conditions:
-- Monitoring is in use.
-- bigd debug logging is enabled.
-- The bigd debug log file (/var/log/bigdlog) is full.
Impact:
- On v11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.
- In v12.1.x, some of the underlying logging code changed, and there is no real impact.
Workaround:
Prevent the log file from getting full. To do so, rotate the log file using the following command:
logrotate -f bigdlog
Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.
618506 : TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
Component: Access Policy Manager
Symptoms:
TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
Conditions:
APM is provisioned and access profile is attached to the virtual.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Correctly handle session DB data in APM to prevent memory segmentation fault.
618430-2 : iRules LX data not included in qkview
Component: Local Traffic Manager
Symptoms:
Qkview does not contain any of the iRuleLX information.
Conditions:
N/A
Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.
Fix:
The following ILX information was added to the qkview:
TMSH commands:
list ilx workspace all-properties
list ilx plugin all-properties
list ilx global-settings (13.0.0+)
list ltm profile ilx all-properties (13.0.0+)
show ilx plugin all
show ltm profile ilx all (13.0.0+)
The files in the following folders:
/var/ilx - master copies of workspaces
/var/sdm - running files of the plugins
/var/log/ilx - ILX specific logs
618428 : iRules LX - Debug mode does not function in dedicated mode
Component: Local Traffic Manager
Symptoms:
If the debug option is enabled in dedicated mode, some of the Node.js processes may be allocated an in-use port, which prevents them from starting successfully.
By design, every process is guaranteed a debug port in the configured range as long as there are enough ports available in the system. In-use ports are skipped, so consecutive port allocation is not guaranteed.
Conditions:
Some of the ports in the range are busy.
Impact:
Some of the Node.js processes fail to start, which prevents normal iRuleLX operation.
Workaround:
Consult netstat output and set debug-port-range-low to a higher value (e.g., 10000+) to minimize the chance of a port conflict.
618421 : Some mass storage is left un-used
Component: TMOS
Symptoms:
In some conditions, about 10% of BIG-IP's mass storage capacity is not made available for application data.
Conditions:
This occurs on the BIG-IP i-Series platforms.
Impact:
Applications that use a lot of storage may not function optimally.
Fix:
The storage is optimally reallocated.
618404-1 : Access Profile copying might be invalid if policies are named in a series of names.
Component: Access Policy Manager
Symptoms:
After copying an access policy, you receive an error when trying to open the copy: Unable to load accessPolicy '/Common/my_policy_access_1_1' from source.
In version 11.5.x, there was no name resolution, so this issue appeared only because of name truncation. Beginning in version 12.0.0, name resolution, truncation and _x reduction all happen simultaneously.
Conditions:
When policies have names ending in _1, _2, etc. For example, my_policy_access_1_1, my_policy_access_1_2, etc.
Impact:
Unable to copy the policy properly.
Workaround:
Export the policy, and then import it with reuse.
Fix:
Copying is fixed for these conditions.
618382-4 : qkview may cause tmm to restart or may take 30 or more minutes to run
Component: TMOS
Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.
Conditions:
This can occur on the following versions:
- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1
This can occur when the BIG-IP is heavily loaded and while running the qkview command.
Impact:
Qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.
Workaround:
Do not run the qkview command if the device is heavily loaded.
Fix:
Removed offending "show sys connection" command from qkview utility.
618324-1 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
Component: Access Policy Manager
Symptoms:
When upgrading from OPSWAT SDK V3 to V4, opening an Access Policy in the VPE when one of the OPSWAT checkers (e.g., the Anti-Virus checker) contains an Undefined ID (i.e., previously defined but no longer supported) displays it as "Any." The correct display should be "Unsupported" or "Invalid" product.
Conditions:
Incorrect information is displayed.
Impact:
Incorrect information is displayed.
Workaround:
N/A
Fix:
Correct information (*** Invalid ***) is now displayed.
618306-2 : TMM vulnerability CVE-2016-9247
Solution Article: K33500120
618263-1 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
618261-6 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
618254-4 : Non-zero Route domain is not always used in HTTP explicit proxy
Component: Local Traffic Manager
Symptoms:
You may experience connectivity failure in certain situations where sideband communications are required as part of the transaction.
Conditions:
BIG-IP has http-explicit configuration, where a sideband connection is required, say in the case of getting an OCSP response or a DNS resolver response when those services are associated with a different route domain.
Impact:
End-to-end connectivity failure.
Workaround:
Change configuration so that all services required are on the default route domain, 0.
618185-1 : Mismatch in URL CRC32 calculation
Component: Fraud Protection Services
Symptoms:
In some cases the URL CRC32 calculated by the JavaScript does not match the referrer CRC32 calculated by the plugin.
Conditions:
Either of the following conditions causes this problem:
1. CRC32 is calculated for a URL with path parameters while the strip_path_parameters BigDB variable value is 'true'.
2. CRC32 is calculated for a URL with a fragment (hashmark '#') in the query string.
Impact:
A component validation alert is triggered as a result of the mismatch between the URL CRC32 calculated by the JavaScript and the referrer CRC32 calculated by the plugin.
Workaround:
No workaround.
Fix:
The strip_path_parameters BigDB variable value is passed to the JavaScript, and the JavaScript URL normalization before CRC32 calculation is now similar to the one the plugin does.
618170-3 : Some URL unwrapping functions can behave badly
Component: Access Policy Manager
Symptoms:
Some URL unwrapping functions can behave incorrectly, with various web application malfunctions as a result.
Conditions:
JavaScript with fields like "location.pathname" on the right-hand side of an expression.
Impact:
Different web application malfunctions. One example is SharePoint 2010 using IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.
Fix:
Fixed.
618161-1 : SSL handshake fails when clientssl uses softcard-protected key-certs.
Component: Local Traffic Manager
Symptoms:
SSL handshake fails when clientssl uses softcard-protected key-certs.
Conditions:
Softcard-protection is enabled and token protection is disabled.
Impact:
SSL handshake fails
Workaround:
None known.
Fix:
SSL handshake no longer fails when clientssl uses softcard-protected key-certs.
618137-1 : Native IXLV: New tagged VLAN does not work after several restarts of tmm
Component: TMOS
Symptoms:
Traffic does not pass for newly added tagged VLANs.
Conditions:
1. Native IXLV (Intel X710/XL710/XXV710 family) NICs are in use.
2. Tagged VLAN in use.
3. TMM is restarted several times.
4. A new tagged VLAN is added.
Impact:
The BIG-IP system does not send/receive traffic for tagged VLANs.
Workaround:
To work around this, do the following:
1. Stop the BIG-IP guest.
2. Re-load the i40e driver on the hypervisor host using the following command: rmmod i40e; modprobe i40e.
3. Start the BIG-IP guest.
Fix:
Tagged VLANs now pass traffic as expected regardless of tmm restarts.
618121 : "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
Component: Local Traffic Manager
Symptoms:
"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x
Conditions:
When the RTSP_RESPONSE event and a "persist add" iRule are used and the system is upgraded to v12.x.x.
Impact:
"persist add" iRule validation fails. The iRule will not be loaded.
Workaround:
A possible workaround is to bypass validation by evaluating the persist command at runtime:
when RULE_INIT {
    set static::persist_cmd { persist add uie $SessionID $static::persist_timeout }
}
when RTSP_RESPONSE {
    set SessionID [RTSP::header value "Session"]
    if { $SessionID != "" } {
        # persist add uie $SessionID $static::persist_timeout
        eval $static::persist_cmd
    }
}
618106-1 : bigd core due to memory leak, especially with FQDN nodes
Solution Article: K74714343
Component: Local Traffic Manager
Symptoms:
The bigd daemon may core due to excessive memory consumption caused by a slow memory leak that occurs when creating or updating an LTM node or pool member.
This memory leak occurs much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.
Conditions:
The bigd memory leak occurs slowly with non-FQDN nodes/pool members, but much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.
On BIG-IP v12.1.3.2 and earlier, an additional leak occurs each time an FQDN name is resolved for an FQDN node or pool member. The rate of the leak in this case is determined by the number of FQDN nodes/pool members configured with the 'autopopulate' feature enabled, and the FQDN name resolution interval (determined by the 'interval' setting of the 'fqdn' configuration for the FQDN node).
Impact:
The bigd daemon may core due to excessive memory consumption.
Workaround:
It is possible to work around this issue by one of the following methods:
1. Restart the bigd daemon before memory consumption becomes excessive. (Note that this may interrupt traffic to configured pool members.)
On BIG-IP v12.1.3.2 and earlier:
2. Configure a longer 'interval' value in the 'fqdn' configuration for configured FQDN nodes.
3. Configure FQDN nodes/pool members without the 'autopopulate' setting enabled.
Fix:
The bigd daemon no longer leaks memory when configuring an LTM node or pool member.
618024-2 : software switched platforms accept traffic on lacp trunks even when the trunk is down
Component: Local Traffic Manager
Symptoms:
On software switched platforms, tmm-owned LACP trunks still accept traffic even though the trunk is down from the control plane's point of view (LACP status down).
Conditions:
LACP trunk with status down
Impact:
VLAN failsafe timers are erroneously reset, so VLAN failsafe does not work.
Workaround:
None known.
Fix:
tmm now checks the link status on tmm owned lacp trunks before accepting traffic.
617986-2 : Memory leak in snmpd
Component: TMOS
Symptoms:
Memory usage in snmpd increases until the OOM killer terminates snmpd.
Conditions:
BIG-IP configured with virtual servers that have the same destination IP address
Impact:
SNMP is disrupted while snmpd restarts.
Workaround:
No workaround
Fix:
Fixed memory leaks.
617935 : IKEv2 VPN tunnels fail to establish
Component: TMOS
Symptoms:
IKEv2 VPN tunnels fail to establish.
Conditions:
This occurs with IKEv2 on a specific 12.1.2 HF1 engineering hotfix.
Impact:
IPsec IKEv2 VPN tunnels fail to establish.
Workaround:
Use IPsec IKEv1.
Fix:
IKEv2 VPN tunnels now establish as expected.
617901-1 : GUI to handle file path manipulation to prevent GUI instability.
Solution Article: K00363258
617865-1 : Missing health monitor information for FQDN members
Component: TMOS
Symptoms:
Health monitor information and status are both missing for FQDN nodes and pool members.
Conditions:
FQDN nodes and pool members configured.
Impact:
GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members.
Workaround:
Check logs for this info.
Fix:
The system now exposes health monitors info/status and the GUI shows them in node properties page, pool member properties page, and monitor instances page.
617862-2 : Fastl4 handshake timeout is absolute instead of relative
Component: Local Traffic Manager
Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.
Conditions:
A TCP connection in three-way handshake.
Impact:
Connections are expired prematurely if they are still in three-way handshake.
Workaround:
Disable handshake timeout.
Impact of workaround: the TCP handshake no longer times out prematurely, but a half-open connection remains allocated until the Idle Timeout expires.
Fix:
The handshake timeout now expires based on idleness of the connection, taking into account any SYN retransmissions and similar activity that might occur.
617858-2 : bigd core when using Tcl monitors
Component: Local Traffic Manager
Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.
Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).
Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.
Workaround:
None.
Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.
617824-3 : "SSL::disable/enable serverside" + oneconnect reuse is broken
Component: Local Traffic Manager
Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.
Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.
Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.
Workaround:
You can work around the problem by disabling oneConnect.
617733-1 : Error message: subscriber id response; Subscription not found
Component: TMOS
Symptoms:
BIG-IP restarts the icr_eventd process and generates a core file. You might see the following messages in the LTM log file:
-- err icr_eventd[4589]: 01a10003:3: Receive MCP msg failed: could not get subscriber id response, status: 0x1020046
-- err mcpd[4206]: 01070069:3: Subscription not found in mcpd for subscriber Id %icr_eventd.
Conditions:
Might be related to restarting a BIG-IP Virtual Edition installation.
Impact:
The icr_eventd process restarts, and the system produces a core file.
Workaround:
None.
617690-4 : enable SIP::respond iRule command to operate during MR_FAILED event
Component: Service Provider
Symptoms:
When a message fails to route, it is not possible to return an error status to the client.
Conditions:
When a message fails to route, the MR_FAILED event is raised for the message.
Impact:
Without this change, it is not possible for the script author to generate a response message to the client based on the routing failure.
Workaround:
None.
Fix:
SIP::respond command now works during MR_FAILED event.
617688 : Encryption is not activated unless "real-time encryption" is selected
Component: Fraud Protection Services
Symptoms:
Encryption is not activated as expected
Conditions:
Encryption enabled
Real-time encryption disabled
Impact:
Encryption error alert received in alert server
Workaround:
Enable "real-time encryption"
Fix:
Encryption on submit now works as expected when real-time encryption is disabled.
617648 : Surfing with IE8 sometimes results with script error
Component: Fraud Protection Services
Symptoms:
Slow devices running Internet Explorer 8 can suffer performance issues on websafe protected sites.
Conditions:
Slow device running Internet Explorer 8.
Large number of configured or updated malware signatures.
Impact:
Clientside slowness.
In extreme cases, a popup asking the user whether to stop the script.
Workaround:
Reduce the number of malware signatures
Fix:
Malware signatures are now compressed, reducing client-side processing time.
617628-1 : SNMP reports incorrect value for sysBladeTempTemperature OID
Component: TMOS
Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.
# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
# tmsh show sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...
The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.
Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.
Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.
config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
1 1 0 19 49 Blade air outlet temperature 1
1 2 0 14 41 Blade air inlet temperature 1
1 3 0 21 57 Blade air outlet temperature 2
1 4 0 16 41 Blade air inlet temperature 2
1 5 0 25 60 Mezzanine air outlet temperatur
1 6 0 27 72 Mezzanine HSB temperature 1
1 7 0 17 63 Blade PECI-Bridge local tempera
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
1 9 0 25 68 Mezzanine BCM56846 proximity te
1 10 0 22 69 Mezzanine BCM5718 proximity tem
1 11 0 19 57 Mezzanine Nitrox3 proximity tem
1 12 0 16 46 Mezzanine SHT21 Temperature
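On an affected release the wrapped value can be recovered on the monitoring side, because a Gauge32 is a 32-bit unsigned integer and the negative reading was copied into it unchanged (2^32 - 51 = 4294967245). The following is an added example, not F5 code; it parses constructed snmpwalk text in the shape shown above and reinterprets any value with the high bit set as a signed 32-bit temperature, so an alerting threshold compares against the real reading rather than an impossible one. The threshold passed to overheating() is an assumption; the per-sensor Hi Limit comes from the tmsh output.

```python
import re

U32 = 1 << 32  # Gauge32 is an unsigned 32-bit type

# Constructed snmpwalk output shaped like the release note's example.
# The third row is a wrapped negative reading (2**32 - 51).
SAMPLE_WALK = """\
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.1.1 = Gauge32: 19
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.7.1 = Gauge32: 17
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
"""

WALK_LINE_RE = re.compile(
    r"sysBladeTempTemperature\.(?P<instance>[\d.]+)\s*=\s*Gauge32:\s*(?P<value>\d+)"
)


def decode_blade_temp(gauge: int) -> int:
    """Reinterpret a Gauge32 value as a signed 32-bit Celsius reading.

    Affected releases copy a negative temperature into the unsigned type, so
    any value with the high bit set is a wrapped negative, not a real reading.
    """
    if not 0 <= gauge < U32:
        raise ValueError(f"not a Gauge32 value: {gauge}")
    return gauge - U32 if gauge >= (U32 >> 1) else gauge


def parse_blade_temps(walk_output: str) -> dict:
    """Map OID instance suffix -> (raw gauge, decoded Celsius, was_wrapped)."""
    readings = {}
    for line in walk_output.splitlines():
        m = WALK_LINE_RE.search(line)
        if not m:
            continue  # not a sysBladeTempTemperature row
        raw = int(m["value"])
        celsius = decode_blade_temp(raw)
        readings[m["instance"]] = (raw, celsius, celsius != raw)
    return readings


def overheating(readings: dict, hi_limit_c: int) -> list:
    """Instances whose decoded temperature exceeds the (assumed) limit.

    Wrapped values never trip this check because they decode to negatives
    instead of values around 4e9.
    """
    return [inst for inst, (_, celsius, _) in readings.items() if celsius > hi_limit_c]


if __name__ == "__main__":
    for inst, (raw, celsius, wrapped) in parse_blade_temps(SAMPLE_WALK).items():
        print(f"{inst}: raw={raw} celsius={celsius} wrapped={wrapped}")
```

Feed it the live output of the snmpwalk command shown above; an instance reported as wrapped is one where tmsh would show a negative temperature.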
617622 : In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
Component: TMOS
Symptoms:
In TMSH, when trying to save the AAM configuration, TMSH removes value from matching rule. It corrupts bigip.conf and causes system loading configuration failure, with the following error in /var/log/ltm:
01070734:3: Configuration error: Policy "/Common/Drafts/<policy>", node "test_node", matching rule "path:Path": Must have a value.
Unexpected Error: Validating configuration process failed.
Conditions:
-- Use TM Shell to load configuration.
-- AAM configuration is loaded on BIG-IP and it is saved
Impact:
TMSH fails to load system configuration file.
Before the configuration save the policy would look like this:
matching {
path {
values {
/ { }
}
}
}
After the save it is converted to
matching {
path { }
}
Workaround:
None.
Fix:
TMSH now saves AAM configuration without removing values from matching rules. Saving/loading system configuration succeeds.
617481-1 : TMM can crash when HTML minification is configured
Component: TMOS
Symptoms:
When AAM is provisioned and is used to cache dynamic pages, it can be configured to use HTML Minification to improve performance and optimize memory utilization. In some cases, the minifier may incorrectly process the HTML code and cause TMM to crash.
Conditions:
1) AAM has to be provisioned and
2) AAM policy has to be configured and
3) has HTML minification enabled and
4) be applied to a virtual.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disabling HTML minification prevents TMM from crashing for this reason.
617391-1 : Custom ASM Search Engines causing sync, offline, and upgrade issues★
Solution Article: K53345828
Component: Application Security Manager
Symptoms:
-- The Device sync status constantly shows 'Changes Pending' when a custom ASM Search Engine is added with a new Bot Name to an existing Search Engine name.
For example, the Yandex search engine is a built-in search engine with Bot Name 'Yandex'. When adding a custom search engine with the same name: 'Yandex', but a different Bot Name, for example: 'yandexbot', the issue occurs.
When the issue appears, the device sync status shows 'Changes Pending'. Running a config-sync brings the status to 'In Sync', but a few seconds later, the status again changes to 'Changes Pending'.
-- Adding a custom ASM Search Engine with Bot Name and Domain Name identical to an existing Search Engine reports an error message, but the Search Engine will be successfully added. The next time ASM is restarted, the device remains offline and ASM restarts indefinitely.
-- Adding a custom ASM Search Engine and then upgrading to a release that already includes it as a built-in Search Engine under a different name, causes ASM to restart indefinitely and the system to remain offline. For example: adding a custom Search Engine with Domain Name '.msn.com' and Bot Name 'msnbot' in 12.1.3.5 and then upgrading to 12.1.3.6 triggers this issue.
Conditions:
This issue occurs when any of the following sets of criteria are met:
-- Multiple devices are joined in sync-failover device-group and ASM sync is enabled, and a custom ASM Search Engine is added with a new Bot Name, for which there is an existing Search Engine Name.
-- Adding a custom Search Engine with a Bot Name and Domain Name identical to an existing Search Engine.
-- Upgrading to 12.1.3.6, and ASM sync is enabled. Note: Only 12.1.3.6 exhibits this behavior.
Impact:
-- Device sync status constantly shows 'Changes Pending'.
-- The custom ASM Search Engine might not be bypassed for JavaScript challenges that are sent as a result of either the Web Scraping Feature, or Device-ID. This applies also to standalone deployments.
-- System might remain offline while ASM is constantly restarting.
-- Upgrade might fail.
Workaround:
-- Add the custom ASM Search Engine under a new name. For example, if adding the 'yandexbot' search engine, use the Search Engine name 'Yandex-yandexbot' instead of simply 'Yandex'.
-- Before upgrading, remove any custom Search Engines whose Bot Name and Domain Name is identical to an existing Search Engine after the upgrade.
Fix:
Adding custom ASM Search Engines no longer triggers sync, offline or upgrade issues.
617382-1 : Csyncd memory leak on multi-bladed systems
Component: Local Traffic Manager
Symptoms:
Csyncd memory use increases over time.
It may fail due to large size (>2 to 3 GB), possibly leading to this ltm log:
err csyncd[8258]: 013b0004:3: Fatal error: fork failed.
Memory pressure may develop, leading to an increased use of swap, and the system may become sluggish and show other low-memory symptoms.
If memory pressure is severe, the Linux oom killer will likely terminate csyncd. On systems with more free memory, csyncd will terminate with a core file when it is approaching 4GB in size. In both cases csyncd automatically restarts.
Conditions:
Multi-bladed vCMP guest or VIPRION.
Impact:
Low free memory may lead to system instability.
If memory pressure is severe, the Linux oom killer will likely terminate csyncd. On systems with more free memory, csyncd will terminate with a core file when it is above ~2.2 GB in size. In both cases csyncd automatically restarts.
Workaround:
Restart csyncd on all blades to free the memory it has in use:
clsh bigstart restart csyncd
This is typically not service-affecting.
Fix:
Memory leak identified and fixed.
617310-2 : Edge client can fail to upgrade when Always Connected is selected★
Component: Access Policy Manager
Symptoms:
Attempting to upgrade the Edge client to the current version fails when Always Connected is enabled.
Conditions:
Always Connected is selected in BIG-IP when upgrading the client.
Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.
Workaround:
Turn off Always Connected before upgrading.
Fix:
Edge client now succeeds during upgrade when Always Connected is selected.
617273-7 : Expat XML library vulnerability CVE-2016-5300
Solution Article: K70938105
617229-1 : Local policy rule descriptions disappear when policy is re-saved
Solution Article: K54245014
Component: TMOS
Symptoms:
Local policy rule descriptions disappear when policy is re-saved.
Conditions:
A rule with description exists, and the policy it's under is saved.
Impact:
An existing rule description disappears when the policy it's under is saved.
Workaround:
Use TMSH to modify the policy's properties.
Fix:
Local policy rule descriptions now remain visible when policy is re-saved.
617187-1 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
Component: Access Policy Manager
Symptoms:
If the APM server uses an untrusted SSL certificate, or is accessed by IP address, CustomDialer refuses access and there is no prompt to confirm the security warning.
Conditions:
APM has invalid certificate
User uses CustomDialer to access VPN
Impact:
VPN connection can't be established
Workaround:
Use a valid SSL certificate on APM, or add that specific certificate to the Windows trusted certificate store.
Fix:
CustomDialer now warns the user about the invalid certificate and allows the user to proceed. Proceeding past the warning means the server is not authenticated for that connection, so treat it as a troubleshooting option rather than a standing practice.
617124 : Cannot map hardware type (12) to HardwareType enumeration
Component: TMOS
Symptoms:
iControl-SOAP throws an error whenever a method call to SystemInfo::get_hardware_information() is made.
Conditions:
This is reproducible under all conditions.
Impact:
iControl-SOAP crashes when this call is made.
Workaround:
Do not call SystemInfo::get_hardware_information().
Fix:
Calling this method no longer leads to a crash.
617063-1 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
Component: Access Policy Manager
Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.
Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.
Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.
Fix:
If captive portal is detected during reconnect, close VPN resources before showing captive portal authentication page.
617014-3 : tmm core using PEM
Component: Policy Enforcement Manager
Symptoms:
tmm core when using PEM with cloning monitored traffic
Conditions:
Using PEM with iRules and cloning traffic
Impact:
Traffic disrupted while tmm restarts.
Fix:
The problem with PEM and cloning traffic via iRule has been corrected.
617002-1 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Component: Access Policy Manager
Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.
Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.
Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.
Fix:
Response analytics is now handled correctly for these URLs, and the client no longer receives resets.
616918-1 : BMC version 2.50.3 for iSeries appliances
Component: TMOS
Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.50.3.
Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- PXE boot.
Impact:
This is a firmware upgrade.
Workaround:
None.
Fix:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
Behavior Change:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
616864-1 : BIND vulnerability CVE-2016-2776
Solution Article: K18829561
616838-3 : Citrix Remote desktop resource custom parameter name does not accept hyphen character
Component: Access Policy Manager
Symptoms:
Adding a custom parameter whose name contains a hyphen to a Citrix resource produces a parse error such as the following:
01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"
Conditions:
Having Citrix resource with custom parameter name with hyphen character
Impact:
Custom parameter names cannot contain a hyphen.
Workaround:
None
Fix:
Custom parameter names containing a hyphen are now accepted.
616298-1 : Loading the configuration fails when a virtual server uses HTTP Strict Transport Security (HSTS).
Component: Local Traffic Manager
Symptoms:
When loading the BIG-IP system's configuration by running the 'tmsh load sys config' command, the command fails and returns an error similar to the following example:
01071afb:3: With HSTS mode enabled in HTTP Profile '/Common/my-http', virtual server '/Common/my-vs' using this profile requires a 'clientssl' profile attached.
Unexpected Error: Loading configuration process failed.
This validation error should only be returned when a virtual server using HSTS has no client-ssl profile assigned. The issue is that the BIG-IP system returns the error even when the configuration is correct and the virtual server does have a client-ssl profile.
Note this issue can also occur during an upgrade from an unaffected version (e.g., 12.1.4) to an affected version (e.g., 12.1.5).
Conditions:
This issue occurs when all of the following conditions are met:
-- Your configuration contains at least one virtual server making use of a HTTP profile with HSTS enabled.
-- You attempt to reload the BIG-IP system's configuration (either explicitly via the tmsh utility, or implicitly during an upgrade).
Impact:
The configuration fails to load. This can have several consequences, depending on what you were doing:
-- Upgrading from an unaffected version to an affected one: the configuration does not load after the upgrade and the system remains inoperative.
-- Reloading the configuration to get rid of unsaved changes: you cannot do so, and the configuration elements you were trying to remove continue to exist in memory.
-- Reloading the configuration to pick up manual changes you made to a configuration file (e.g., bigip.conf): you cannot do so, and the new configuration elements are not loaded into memory.
Workaround:
There is a temporary workaround.
Potential impact of workaround: ideally, this workaround should not be performed on a unit that is already processing traffic, as the virtual servers will not operate in HSTS mode until the procedure is complete. As such, a small window will exist during which new clients will not immediately learn that the virtual servers wish to use HSTS.
1) Edit the /config/bigip.conf file (and all /config/partitions/*/bigip.conf files) and change the following section in HTTP profiles:
From this:
hsts {
mode enabled
}
To this:
hsts {
mode disabled
}
2) Load the configuration:
tmsh load sys config partitions all
3) Re-apply HSTS to the appropriate HTTP profiles.
However, note that the issue occurs again the next time a configuration load is attempted.
If you are planning to upgrade to an affected version and you use HSTS, you can contact F5 Support to obtain an Engineering Hotfix for this issue for your software version.
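The edit in step 1 has to be applied to every HTTP profile in every bigip.conf file, and step 3 needs the list of profiles that were changed so HSTS is re-enabled only where it was on before. The following is an added example, not F5 code: it rewrites 'mode enabled' to 'mode disabled' only inside an 'hsts { }' block that sits inside an 'ltm profile http' stanza, leaves every other line untouched, and returns the profile names that were changed. The bigip.conf excerpt is constructed, and the tmsh command form produced by reenable_commands() is an assumption to confirm on your version.

```python
import re

# Constructed bigip.conf excerpt: one HTTP profile with HSTS on, one without,
# and a virtual server whose block must not be touched.
SAMPLE_BIGIP_CONF = """\
ltm profile http /Common/my-http {
    app-service none
    defaults-from /Common/http
    hsts {
        mode enabled
        maximum-age 16070400
    }
    proxy-type reverse
}
ltm profile http /Common/plain-http {
    defaults-from /Common/http
}
ltm virtual /Common/my-vs {
    destination /Common/10.0.0.1:443
    profiles {
        /Common/clientssl { context clientside }
        /Common/my-http { }
    }
}
"""

PROFILE_RE = re.compile(r"^ltm profile http (\S+) \{\s*$")
HSTS_OPEN_RE = re.compile(r"^\s*hsts \{\s*$")
MODE_RE = re.compile(r"^(\s*mode )enabled(\s*)$")


def disable_hsts(conf_text: str):
    """Return (rewritten text, names of HTTP profiles whose HSTS mode was enabled)."""
    out, changed = [], []
    profile = None      # HTTP profile whose stanza we are inside, if any
    depth = 0           # brace nesting depth before processing the current line
    hsts_depth = None   # depth of the hsts block body while inside one
    for line in conf_text.splitlines(keepends=True):
        m = PROFILE_RE.match(line)
        if m and depth == 0:
            profile = m.group(1)
        if profile and HSTS_OPEN_RE.match(line):
            hsts_depth = depth + 1
        if profile and hsts_depth is not None and depth == hsts_depth:
            mm = MODE_RE.match(line)
            if mm:
                line = f"{mm.group(1)}disabled{mm.group(2)}"
                changed.append(profile)
        depth += line.count("{") - line.count("}")
        if hsts_depth is not None and depth < hsts_depth:
            hsts_depth = None   # left the hsts block
        if depth == 0:
            profile = None      # left the top-level stanza
        out.append(line)
    return "".join(out), changed


def reenable_commands(profiles) -> list:
    """tmsh commands for step 3. The command form is an assumption about tmsh
    syntax; confirm it before running it on a production unit."""
    return [f"tmsh modify ltm profile http {p} hsts {{ mode enabled }}" for p in profiles]


if __name__ == "__main__":
    text, changed = disable_hsts(SAMPLE_BIGIP_CONF)
    print(text)
    print("\n".join(reenable_commands(changed)))
```

Run it over /config/bigip.conf and each /config/partitions/*/bigip.conf, write the returned text back, load the configuration as in step 2, and then run the returned commands for step 3.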
Fix:
The configuration loads as expected.
616242-3 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
Solution Article: K39944245
Component: TMOS
Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:
01070711:3: basic_string::compare
If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.
Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.
Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).
Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
616215-4 : TMM can core when using LB::detach and TCP::notify commands in an iRule
Component: Local Traffic Manager
Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.
Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.
Fix:
TMM no longer cores in this instance.
616169 : ASM Policy Export returns HTML error file
Component: Application Security Manager
Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.
Conditions:
It is not known what triggers this condition.
Impact:
Unable to export ASM Policies.
Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.
Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.
616161-1 : BD process crash and restarts
Component: Application Visibility and Reporting
Symptoms:
bd restarts and generates a core file. bd.log contains messages similar to the following:
-- BD_MISC|ERR ... BD shrinking...,going down - BD will be right back.
-- BD_MISC|CRIT ... Received SIGSEGV - Core Dumping.
Conditions:
The virtual server has a Security Policy and there is a heavy load of traffic.
Note: This is a rare race condition case that might occur occasionally when the system is under heavy stress.
Impact:
bd restarts, halting traffic for a few seconds.
Workaround:
None.
Fix:
Race condition has been fixed.
616104-2 : VMware View connections to pool hit matching BIG-IP virtuals
Component: Access Policy Manager
Symptoms:
When a VMware View resource is configured to use a pool as a destination, for all the connections to this pool, except the very first one, a matching virtual lookup is performed.
This doesn't align with the typical BIG-IP behavior on pool connections that should go directly to the chosen pool member and not hit matching virtual servers.
Conditions:
If a VMware View resource is configured to connect to a pool and there is a virtual server matching some or all the IP/port values of pool members, connections to those members will go through the matching virtual server, except for the very first one.
Impact:
If a matching virtual is not intended to pass the traffic through (e.g., a 'reject-all' virtual), those connections routed to this virtual server will fail.
Workaround:
None.
Fix:
All the connections to VMWare View pool members now go directly without hitting matching BIG-IP virtual servers.
616059-1 : Modifying license.maxcores Not Allowed Error
Solution Article: K19545861
Component: TMOS
Symptoms:
Your sync-failover device group status says 'Sync Failed' and reports the following error in Device Management :: Overview: Sync error on <device name>: Load failed from /Common/BIG-IP1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.
Conditions:
-- Non-homogeneous Virtual Edition (VE) configured with different licenses in a device group, or with hardware-based BIG-IP systems.
-- License variable perf_VE_cores is different among licenses.
Impact:
The device group fails to sync.
Workaround:
If you are using VEs in a device group, ensure that their licenses are the same.
Fix:
The license variable perf_VE_cores no longer syncs, so there is no error message.
616022-2 : The BIG-IP monitor process fails to process timeout conditions
Solution Article: K46530223
Component: Local Traffic Manager
Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.
Conditions:
It is not known exactly what triggers this condition. It was encountered on an HTTPS monitor.
Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.
Workaround:
No known workaround.
Fix:
The monitor process no longer inadvertently skips processing monitor timeouts and correctly marks monitored objects down.
616008-3 : TMM core may be seen when using an HSL format script for HSL reporting in PEM
Solution Article: K23164003
Component: Policy Enforcement Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.
Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.
615970-1 : SSO logging level may cause failover
Component: Access Policy Manager
Symptoms:
SSO logging level may cause failover.
Conditions:
SSO logging level set to "Debug".
Impact:
TMM may crash. Core file may be generated.
Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".
Fix:
The SSO logging level of "Debug" no longer causes failover.
615934-1 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl/SOAP functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
615824-1 : REST API calls to invalid REST endpoint log level change
Component: iApp Technology
Symptoms:
In Big-IP 12.x versions before 12.1.2 invalid requests to a REST endpoint were being recorded in the FINE level logs, making it difficult to audit when an invalid request to a REST endpoint was coming in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users attempting to audit the log.
Conditions:
Any request made to an invalid REST endpoint will trigger a log message at the FINE level indicating that a request came in to an invalid REST endpoint.
Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.
Workaround:
Users can lower the REST Framework log threshold to FINE, so that these messages are recorded, by making the following change to the file '/etc/restjavad.log.conf' (note that FINE logging is considerably more verbose):
Before:
.level=INFO
After:
.level=FINE
Fix:
This message is included in the INFO log level on BIG-IP v12.1.2.
615432-1 : Multiple TFTP data transfers cannot be initiated in a single session
Component: Carrier-Grade NAT
Symptoms:
Multiple TFTP data transfers cannot be initiated in a single session.
Conditions:
Virtual server with TFTP profile is configured to handle TFTP traffic.
Impact:
Multiple TFTP data transfers cannot be initiated in a single session.
Workaround:
There is no workaround at this time.
Fix:
Multiple TFTP data transfers can now be initiated in a single session.
615388-1 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
Component: Local Traffic Manager
Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.
Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.
Fix:
Use of URI or Referrer normalization in L7 policies no longer results in memory corruption.
615377-3 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.
/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.
Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.
Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.
Workaround:
None known.
Fix:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.
Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.
Behavior Change:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.
Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.
615338-2 : The value returned by "matchregion" in an iRule is inconsistent in some cases.
Component: Global Traffic Manager (DNS)
Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.
Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.
Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.
Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".
Fix:
"Matchregion" returns the correct value under all conditions.
615303-2 : bigd crash with Tcl monitors
Solution Article: K47381511
Component: Local Traffic Manager
Symptoms:
bigd crashes after logging an error similar to the following:
emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream
Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.
-- This issue might also occur if the Tcl worker is in a stuck state, due to a pool member not responding within the configured timeout.
-- May be particularly likely if the monitor is configured with an interval value of 1 second.
Note: Although less frequent, this issue might still occur with a proper monitor configuration (timeout: 3*interval + 1).
Impact:
bigd crashes and logs error messages.
Possible interruption of monitoring status, pool members going down, interruption of traffic.
Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.
Fix:
Monitor works as expected under the conditions described.
615269-1 : CVE-2016-2183: AFM SSH Proxy Vulnerability
Solution Article: K13167034
615267-2 : OpenSSL vulnerability CVE-2016-2183
Solution Article: K13167034
615254-2 : Network Access Launch Application item fails to launch in some cases
Component: Access Policy Manager
Symptoms:
If an access policy has multiple network access resources with application launch configured, applications launch only from the first network access resource.
Conditions:
Multiple Network access resources are configured with application launch.
Impact:
Applications launch only from the first network access resource; applications do not launch for the other network access resources.
Workaround:
Launch applications manually after VPN is established.
Fix:
Applications from all network resources are now detected and launched correctly.
615226-5 : Libarchive vulnerabilities: CVE-2016-8687 and others
Solution Article: K13074505
615222-1 : GTM configuration fails to load when it has GSLB pool with members containing more than one colon character★
Solution Article: K79580892
Component: Global Traffic Manager (DNS)
Symptoms:
The user configuration set (UCS) configuration file may fail to load due to the global server load balancing (GSLB)-referenced virtual server name syntax. The system posts errors similar to the following:
01070226:3: Pool Member 20002 references a nonexistent Virtual Server.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have configured your BIG-IP DNS system (formerly known as BIG-IP GTM) with a virtual server name that includes the colon (:) character.
-- The virtual server is included as a GSLB pool member.
-- You save the configuration to a UCS file.
-- You attempt to load the UCS configuration file.
Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.
Workaround:
None.
Fix:
Fixed an issue in the parsing of GTM pool member names that prevented GTM virtual servers or GTM servers with a colon (:) in the name from being used as a GTM pool member.
615143-1 : VDI plugin-initiated connections may select inappropriate SNAT address
Component: Local Traffic Manager
Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.
Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.
Impact:
Return traffic from destination may not be able to return to the BIG-IP, thus breaking the VDI functionality.
Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.
Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.
615107-1 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).
Component: TMOS
Symptoms:
Issuing commands from the AOM/SCCP menu to the host does not function, or a password is required when connecting via SSH from AOM/SCCP to the host.
Conditions:
Presence of /etc/ssh directory on host.
Impact:
AOM/SCCP unable to connect to host without password.
Workaround:
None.
Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).
615097-1 : Incorrect use of HTTP::collect leads to TMM core.
Component: Local Traffic Manager
Symptoms:
Incorrect use of HTTP::collect leads to TMM hang. Watchdog kills TMM on timeout leading to core.
Conditions:
If the iRule requests non-incremental HTTP::collect or amount greater than content-length when the whole-body has already been received, then this leads to TMM hang.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Add an HTTP::release after the HTTP::payload instruction;
Or
Use incremental HTTP::collect commands.
Fix:
HTTP state machine was modified to handle non-incremental collects and condition where whole body has been received when the collect is issued.
614891-2 : Routing table doesn't get updated when EDGE client roams among wireless networks
Component: Access Policy Manager
Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.
Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.
Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.
614865-5 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Component: TMOS
Symptoms:
The overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.
Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()
Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.
Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.
Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.
- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.
Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly and no longer produces errors.
614808-1 : Running qkview with option -c (--complete) fails if there is an encrypted key
Component: TMOS
Symptoms:
When you run qkview -c, you are prompted for a password:
Enter pass phrase for ./Common_d/certificate_key_d/:Common:f5_api_com.key_64768_1:
Conditions:
An OpenSSL key exists that is encrypted with a passphrase.
Impact:
qkview -c cannot be run because /bin/printcertmods requires a valid passphrase to finish.
Workaround:
There is no workaround other than entering the passphrase at each prompt from the command line, which is practical only if there are a small number of such keys and the passphrases are available.
Fix:
The fix simply avoids the issue and skips computing the modulus for any encrypted key.
614788-1 : zxfrd crash due to lack of disk space
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible that the zone transfer daemon (zxfrd) can crash if the /var disk partition fills up and zxfrd needs to increase the size of its database.
Conditions:
-- DNS Express configured.
-- Full /var partition.
-- Changes to the zone database require more space to be allocated for zxfrd.
Impact:
zxfrd may crash and restart. This process may repeat depending on the need for space on restart.
Workaround:
Free up space in the /var partition.
Fix:
zxfrd now correctly handles the out of space condition.
614766-1 : lsusb uses unknown ioctl and spams kernel logs
Component: TMOS
Symptoms:
The RHEL6 version of lsusb and the associated libusb1 libraries use an ioctl that is not properly supported by the kernel in the 32-bit syscall path.
Conditions:
RHEL6 version of lsusb and associated libusb1 libraries.
Impact:
Spamming of kernel logs.
Workaround:
None.
Fix:
kernel.el6.5: fix missing ia32 compat mapping for USBDEVFS_GET_CAPABILITIES.
614730-1 : Session opening log shows incorrect number of challenged responses.
Component: Application Security Manager
Symptoms:
The session opening log shows an incorrect number of challenged responses.
Conditions:
Session opening is configured to mitigate session opening attack by client-side challenges.
Impact:
The log viewed contains incorrect values.
Workaround:
None.
Fix:
Fixed a reporting issue with the session opening client-side challenges.
614702-1 : Race condition when using SSL Orchestrator can cause TMM to core
Solution Article: K24172560
Component: Local Traffic Manager
Symptoms:
A race condition you encounter when you use the F5 Herculon SSL Orchestrator system can cause the Traffic Management Microkernel (TMM) to restart.
Conditions:
Running the F5 Herculon SSL Orchestrator system with large numbers of connections.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes the race condition so that TMM does not restart.
614563-3 : AVR TPS calculation is inaccurate
Component: Application Security Manager
Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.
Conditions:
DoS profile attached to the virtual server.
Impact:
An attack can be wrongly detected.
Workaround:
None.
Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.
614530-2 : Dynamic ECMP routes missing from Linux host
Component: TMOS
Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.
Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.
Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.
Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.
Fix:
ECMP routes are correctly added to the Linux host.
614509-1 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
Component: Local Traffic Manager
Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.
Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.
Fix:
'all' keyword with 'class match' now returns the correct results and TMM does not restart.
614486-1 : BGP community lower bytes of zero is not allowed to be set in route-map
Component: TMOS
Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.
Conditions:
Setting the BGP community value to a value of the form ASN:0.
Impact:
If you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This could also impact upgrading from older versions to a version that does not support community values of the form ASN:0.
Workaround:
None
Fix:
BGP community can be set to values of the form ASN:0.
614441-4 : False Positive for illegal method (GET)
Solution Article: K04950182
Component: Application Security Manager
Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----
Conditions:
This was seen after upgrade and/or failover.
Impact:
-- False positives.
-- BD has the incorrect security configuration.
Workaround:
Run the following command: restart asm.
614322-1 : TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
Solution Article: K31063537
Component: Access Policy Manager
Symptoms:
TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway.
Conditions:
RDP client uses RDG-RPC protocol to connect via APM's RD Gateway implementation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Fixed TMM crash, which occurred during RDG-RPC protocol handling.
614296-1 : Dynamic routing process ripd may core
Component: TMOS
Symptoms:
As a result of a known issue, the dynamic routing protocol daemon ripd (used for the RIP protocol) may produce a core file when it is configured to use an interface that has multiple self IP addresses on different subnets on the same VLAN.
Conditions:
- Use the RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN.
- Add one of the subnets with the network command within the "router rip" stanza.
Impact:
ripd will core and the configuration will not be allowed.
Workaround:
Configure one subnet/self IP address per VLAN.
Fix:
ripd no longer cores when configured with multiple subnets on the same VLAN.
614284-2 : Performance fix to not reset a data structure in the packet receive hotpath.
Component: Advanced Firewall Manager
Symptoms:
No symptoms. This is a performance fix.
Conditions:
This always occurs in the packet receive hotpath.
Impact:
No impact. Without this fix, BIG-IP could have a performance impact of roughly 0.5% (hard to measure).
Workaround:
No workaround.
Fix:
Made an optimization to the packet receive hotpath.
614180-1 : ASM is not available in LTM policy when ASM is licensed as the main active module
Component: TMOS
Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module
Conditions:
ASM is licensed as the main active module
Impact:
ASM is not available in LTM policy rule creation
Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.
Fix:
Fixed license data parsing so that the main module is also included in the license map used to determine whether a module is licensed or not.
614147-1 : SOCKS proxy defect resolution
Solution Article: K02692210
614097-1 : HTTP Explicit proxy defect resolution
Solution Article: K02692210
613765-3 : Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
Component: TMOS
Symptoms:
Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
Conditions:
When a virtual server with a destination address of 0.0.0.0:0 is in the list, sorting the list is slow because of extra name resolution performed.
Impact:
Degraded user experience waiting for the extra logic and misleading error in logs.
Workaround:
None.
Fix:
Creating 0.0.0.0:0 Virtual Server in TMUI no longer results in slow-loading virtual server page and name resolution errors.
613728-1 : Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
Component: Application Security Manager
Symptoms:
Visible errors in the BIG-IP Configuration utility:
-- MCP Validation error - 01071abb:3: Cannot create/modify published policy '/Common/<ltm_policy_name>' directly, try specifying a draft folder like '/Common/Drafts/<ltm_policy_name>'.
-- MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/<asm_policy_name>'. It is in use by ltm policy '/Common/<asm_policy_name>'.
Conditions:
-- ASM provisioned.
-- Having an active Security policy 'A' assigned to an LTM L7 Policy 'L'.
-- Import/Activate Security policy 'B' with the option 'Replace policy associated with virtual server' enabled, to replace security policy 'A'.
Impact:
Security Policy is activated but not assigned to the LTM policy.
Workaround:
Run the following command prior to the Import/Activate of a Security policy action:
---------
# tmsh modify ltm policy L legacy
---------
Fix:
The process of importing/activating a Security policy now correctly replaces an existing policy, when the option 'Replace policy associated with virtual server' is enabled.
613671-2 : Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation
Component: Fraud Protection Services
Symptoms:
A nonexistent parameter configured with Encryption and Obfuscation is handled incorrectly.
Conditions:
A nonexistent parameter is configured with Encryption and Obfuscation.
Impact:
Error in the console.
Fix:
Nonexistent parameters are now ignored.
613618-1 : The TMM crashes in the websso plugin.
Component: Local Traffic Manager
Symptoms:
The TMM core and plugins operate asynchronously. A connection may abort and the TMM may deallocate connection context before the plugin has finished processing asynchronous events. The TMM crashes when a plugin accesses deallocated connection context.
Conditions:
Events raised during normal use of the sessiondb store may be processed after the connection context has been deallocated.
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM will no longer crash.
613613-2 : Incorrect handling of form that contains a tag with id=action
Component: Access Policy Manager
Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.
Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.
Impact:
The impact of this issue is that the web application can not work as expected.
Workaround:
This issue has no workaround at this time.
Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.
613576-1 : QOS load balancing links display as gray
Component: Global Traffic Manager (DNS)
Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and the function of load balancing to the first available link in each pool is restored.
Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.
Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.
Workaround:
Remove all links from the configuration, or install this hotfix.
613536-5 : tmm core while running the iRule STATS:: command
Component: TMOS
Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.
Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED.
613524-3 : TMM crash when call HTTP::respond twice in LB_FAILED
Component: Local Traffic Manager
Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event.
- The iRule script must use a "delay" (parked) statement together with two HTTP::respond statements.
Conditions:
- The LB_FAILED event must be triggered by a good IP address and a bad port so that the serverside connflow is established. You will not see this bug if no pool member is used or an invalid IP address is used.
- The iRule script must use a "delay" (parked) statement. The delay together with the HTTP response creates the right timing for the clientside connflow to go away while the proxy is pushing the Abort event down to both clientside and serverside.
Impact:
Traffic disrupted while tmm restarts.
Fix:
This fix rectifies the problem.
613509-1 : Platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
Solution Article: K49101035
Component: TMOS
Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.
Conditions:
This issue occurs when all of the following conditions are met:
-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.
Impact:
Traffic throughput may be degraded.
Workaround:
Set source-port to change.
Fix:
Platforms running RSS DAG hash now reuse source port at the correct rate when virtual server sets source-port preserve.
613476-2 : IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion
Component: TMOS
Symptoms:
The IKEv1 racoon daemon can crash and restart when a v1 ike-peer is removed entirely from the config, or simply changed from v1 to v2.
Conditions:
When you remove an ike-peer whose version is v1, including any change from version v1 to v2 (since this has the effect of changing who handles that peer from the racoon daemon to tmm).
Impact:
IKEv1 racoon daemon restart that causes tunnel outage until re-established by future traffic.
Workaround:
None.
Fix:
Validity of a v1 ike-peer inside the racoon daemon is more carefully checked. This release also prevents stale references from old security associations when a peer is removed.
Note: A peer can be removed by complete erasure, or by changing the version to v2 so the IKEv1 racoon daemon no longer handles it.
613459-1 : Non-common browsers blocked by Proactive Bot Defense
Component: Application Security Manager
Symptoms:
Some non-common browsers may get blocked by the Proactive Bot Defense feature. This has been seen in rare cases, and causes these browsers to remain in a white page while the request is not being sent to the back-end server.
Conditions:
Proactive Bot Defense is enabled on the DoS profile.
Impact:
In rare cases, some non-common browsers may get blocked.
Workaround:
None
Fix:
Non-common browsers no longer get blocked when Proactive Bot Defense is enabled.
613429-2 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
Component: Local Traffic Manager
Symptoms:
Assigning a wide IP with wildcard characters in the name to a BIG-IP DNS distributed application may not work properly when done via tmsh, and such configurations created via the GUI result in configuration files that fail to load.
Conditions:
A wide IP with a wildcard character in its name.
Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.
Workaround:
None.
Fix:
Fixed an issue that prevented wide IPs from being assigned to BIG-IP DNS distributed apps when those wide IPs have a wildcard character in their name.
613415-2 : Memory leak in ospfd when distribute-list is used
Solution Article: K22750357
Component: TMOS
Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to the daemon being terminated by the oom-killer.
Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.
Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.
Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.
Fix:
ospfd no longer leaks memory when a distribute-list is configured.
613396-1 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
Component: Application Security Manager
Symptoms:
Exported Policy in XML format cannot be imported.
Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.
Impact:
Exported XML policies cannot be imported back into the system without manual manipulation.
Workaround:
If such a policy has already been exported, only manual manipulation of the exported file allows it to be imported again.
Fix:
Policy export now correctly creates valid XML Policies for configurations with metachar overrides configured on Websocket URLs.
613373-2 : Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page
Component: Access Policy Manager
Symptoms:
When accessing the SAML Authentication Context UI page with the Application Editor user role, the following error is displayed:
Read Access Denied: user (username) type (SAML authentication context classes list)
Conditions:
The user attempting to view the page belongs to the Application Editor group/role.
Impact:
The SAML Authentication Context UI page does not display existing objects.
Workaround:
The SAML Authentication Context UI page still shows existing objects for users with the Administrator role.
Fix:
With the fix, no errors are shown to users with the Application Editor role when accessing the SAML Authentication Context UI page.
613369-4 : Half-Open TCP Connections Not Discoverable
Component: Local Traffic Manager
Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.
Conditions:
A TCP connection in half-open state.
Impact:
Half-open TCP connections are not discoverable.
Fix:
Properly acknowledge half-open TCP connections.
613326-1 : SASP monitor improvements
Component: Local Traffic Manager
Symptoms:
A SASP monitor created in versions earlier than 13.0.0 might exhibit problems in certain situations, such as:
-- Attempting to connect multiple times with GWM pairs.
-- Dropping and reconnecting frequently with GWM pairs.
-- Problematic behavior with mixed Push/Pull workgroups on the same GWM.
-- Overly-chatty use of the SASP protocol when establishing/reestablishing connections.
-- Marking pool members down during GWM switch-over.
-- Inability to handle many hundreds of workgroups/workloads.
Conditions:
Using versions of the SASP monitor created in versions earlier than 13.0.0.
Impact:
Might cause flapping pool members or unstable pools.
Workaround:
None.
Fix:
A significantly improved SASP monitor has been developed in version 13.0.0. It properly handles the SASP protocol, GWM pairs, and connection semantics. In addition, it has the ability to briefly delay node down on GWM switchover, resulting in no interrupted traffic in most cases, and has vastly improved scalability.
When run in push mode (now the default), it is more efficient with the SASP protocol, only asking for changes from GWM, and pinging GWM infrequently if no traffic has been received.
The improved monitor uses Pool name rather than Monitor name as the Workload name. This allows a single Monitor definition to be shared among many Pools, where previously a single unique Monitor was required for each SASP Pool.
613297-3 : Default generic message routing profile settings may core
Component: Service Provider
Symptoms:
If a virtual is created using the default generic message profile, the first packet received will produce an infinite number of messages and overflow the internal buffers.
Conditions:
The default generic message profile has the internal parser enabled but a zero byte message separator pattern. This causes the parser when receiving traffic to create an infinite number of empty packets and overflow the system.
Impact:
The infinite number of messages causes an internal panic that produces a core. Traffic is disrupted while tmm restarts.
Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.
Fix:
In this release, the system automatically disables the internal parser if no separator is provided, so if a virtual is created using the default generic message profile, the first packet received no longer produces an infinite number of messages and overflows the internal buffers.
613282-2 : NodeJS vulnerability CVE-2016-2086
Solution Article: K15311661
613275-2 : SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
Solution Article: K62581339
Component: TMOS
Symptoms:
The values returned during an SNMP get/MIB walk are incorrect for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
The values should match what is displayed by 'tmsh list net interface media-max' and 'tmsh list net interface media-active' respectively, which are correct.
Conditions:
-- Performing an SNMP get or MIB walk.
-- Viewing values for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
Impact:
The system reports inaccurate information for these objects.
Workaround:
To get the correct results, use the following commands:
tmsh list net interface media-max
tmsh list net interface media-active
Fix:
SNMP get/MIB walk now return correct information for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.
613225-7 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
613127-3 : Linux TCP Stack vulnerability CVE-2016-5696
Solution Article: K46514822
613088-3 : pkcs11d thread has session initialization problem.
Component: Local Traffic Manager
Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.
Conditions:
This occurs when SafeNet is configured on a VIPRION chassis.
Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.
Workaround:
None.
Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.
613079-4 : Diameter monitor watchdog timeout fires after only 3 seconds
Component: Local Traffic Manager
Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.
Conditions:
A Diameter monitor must be configured.
Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.
Workaround:
None.
Fix:
Removed the 3-second Diameter monitor watchdog timeout so that interval and timeout can be used like other external monitors.
613065-1 : User can't generate netHSM key with Safenet 6.2 client using GUI
Component: Local Traffic Manager
Symptoms:
With the SafeNet 6.2 client, creating a key using the GUI may hang and time out. The GUI eventually quits with an error message.
Conditions:
The SafeNet 6.2 client is installed and you attempt to create a netHSM key from the GUI.
Impact:
netHSM key creation fails and the GUI hangs.
Workaround:
You can use the corresponding tmsh command to create the key.
Fix:
The netHSM key-creation wait time has been increased, and you can now create a netHSM key using the GUI.
613045-7 : Interaction between GTM and 10.x LTM results in some virtual servers marked down
Component: Global Traffic Manager (DNS)
Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.
Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.
Impact:
On the GTM side, that LTM virtual server will never get marked up.
Workaround:
None.
Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.
613023-4 : Update SIP::Persist to support resetting timeout value.
Component: Service Provider
Symptoms:
SIP::persist needs improvement to support long-lived SIP sessions. Having a long timeout for persistence entries globally does not seem efficient for resource usage.
Conditions:
Efficiently using long-lived SIP sessions.
Impact:
Smaller persist timeouts result in messages being delivered to the wrong entity when supporting long-lived SIP sessions.
Workaround:
Set a higher persist timeout value globally.
Note: This workaround might result in memory issues, depending on the BIG-IP system setup and traffic.
Fix:
The SIP persist iRule commands now accept the persistence key and an additional parameter that redefines the lifetime of the persistence entry to any new value.
Behavior Change:
In previous versions, the SIP persist iRule command accepted only the persistence key as the parameter for storing the persistence entry in the table.
The SIP persist iRule commands now accept the persistence key and an additional parameter that defines the lifetime of the persistence entry. BIG-IP systems now have better control over the persistence entry for long-lived SIP sessions.
612952-1 : PSU FW revision not displayed correctly
Component: TMOS
Symptoms:
When EUD displays the PSU FW revision, it is truncated from 16 bytes to 14 bytes.
Conditions:
This occurs when using a Murata REV02 M1845 PSU with AOM FW earlier than 2.7.14.
Impact:
The PSU FW revision is displayed incompletely.
Workaround:
Infer the last 2 characters of the PSU FW rev from the 14 that are displayed and the HW revision of the PSU.
612874-1 : iRule with FLOW_INIT stage execution can cause TMM restart
Component: Advanced Firewall Manager
Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.
Conditions:
An iRule that has a FLOW_INIT stage action in it.
The FLOW_INIT stage iRule could be executed either because it was attached to a virtual server or configured on an AFM ACL rule.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use iRules with a FLOW_INIT action. iRules in other stages do not cause this problem.
Fix:
Memory allocation and release during iRule FLOW_INIT execution was not handled correctly in a specific scenario; this has been corrected.
612809-1 : Bootup script fails to run on a vCMP guest due to a missing reference file.
Component: TMOS
Symptoms:
Script /etc/sysconfig/sysinit/10virtual-platform.sysinit fails to run, and sod spams the log.
Conditions:
Startup in a vCMP guest.
Impact:
vCMP guests show dbg_echo related errors in /var/log/boot.log.
Workaround:
Disable sys db variable "failover.usetty01" and restart sod.
If unable to restart sod at the moment, apply a filter with no publisher matching message-id 012a0003:
sys log-config filter no-serial-failover-logs {
message-id 012a0003
}
Fix:
This release adds a separate sysinit file for vCMP instead of using sysinit-virtual-platform.
612769-1 : Hard to use search capabilities on the Pool Members Manage page.
Solution Article: K33842313
Component: Global Traffic Manager (DNS)
Symptoms:
With hundreds of potential pool members the GUI does not make it easy to search for them. The search list only supports searches that match the beginning of the pool member's name.
Conditions:
This difficulty exists when there are more than a few potential pool members.
Impact:
Frustrating BIG-IP system administrator experience.
Workaround:
A workaround is to perform the needed virtual server/member addition to the pool via TMOS/CLI using a command similar to the following:
$ tmsh modify gtm pool <record> <pool> members add { <member> }
Tip: You can take advantage of auto-completing the member's name by pressing the <tab> key, which saves typing the entire name.
Fix:
The system now provides better search capabilities on the Pool Members Manage page.
612752-1 : UCS load or upgrade may fail under certain conditions.★
Component: TMOS
Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.
Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.
Impact:
UCS load or upgrade will fail.
Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.
Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.
These settings may be safely reinstated after the upgrade is complete.
612721-4 : FIPS: .exp keys cannot be imported when the local source directory contains .key file
Component: TMOS
Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.
Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).
Impact:
Unable to import the FIPS key.
Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.
612694-5 : TCP::close with no pool member results in zombie flows
Component: Local Traffic Manager
Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.
Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).
Impact:
Connection does not tear itself down.
Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.
Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.
612564 : mysql does not start
Component: TMOS
Symptoms:
ASM storage initialization does not happen.
Conditions:
BIG-IP iSeries platforms; this occurs after new software install.
Impact:
Application is non-functional.
Workaround:
Remove the sentinel file /appdata/mprov/local/HD1.4/mysqldb/.moved.to.asmdbvol and reboot.
612419-1 : APM - suspected memory leak (umem_alloc_32/network access (variable))
Component: Access Policy Manager
Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.
Conditions:
Network access; full webtop, multiple Network Access resources.
Impact:
Memory usage increases over time.
Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.
Fix:
Fixed a memory leak related to network access.
612229-1 : TMM may crash if a disable action for 'LTM Policy' is not the last action in an LTM policy rule
Component: Local Traffic Manager
Symptoms:
TMM may crash while processing an LTM policy.
Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- The disable action for 'LTM Policy' is not the last one in the list of actions.
Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.
Workaround:
Ensure any LTM policy disable action is the last in the list of actions.
Fix:
TMM no longer crashes if a disable action for 'LTM Policy' is not the last in the list of actions in the rule.
612135-3 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
Component: Service Provider
Symptoms:
Configuring a virtual server with generic message profile without message routing profile will core when a packet is received by the virtual.
Conditions:
Configuring a virtual server with generic message profile without message routing profile.
Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.
Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.
Fix:
Validation has been improved to fail unless both a generic message profile and a message routing profile are used.
612040-4 : Statistics added for all crypto queues
Component: Local Traffic Manager
Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.
Conditions:
Crypto requests issued but not actively queued in the crypto hardware.
Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.
Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.
611968-3 : JavaScript active content on an HTML page with a significant number of links (>1000) can run very slowly when browsed with IE8
Component: Access Policy Manager
Symptoms:
JavaScript active content on an HTML page with a significant number of links (>1000) can run very slowly when browsed with IE8.
Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers are present.
Impact:
Web application performance slowdown.
Workaround:
None
Fix:
Fixed.
611922-1 : Policy sync fails with policy that includes custom CA Bundle.
Component: Access Policy Manager
Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.
Conditions:
- Add a custom certificate bundle
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.
Impact:
Policy sync fails.
Workaround:
1. Use a built-in certificate bundle on the source device and sync the policy.
2. Import the custom certificate bundle to all devices.
3. Replace the built-in certificate bundle with the custom one in the policy.
Fix:
Policy sync now succeeds when the policy includes a custom certificate bundle.
611704-5 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
Component: Local Traffic Manager
Symptoms:
A tmm crash was discovered during internal testing.
Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT.
611691-5 : Packet payload ignored when DSS option contains DATA_FIN
Component: Local Traffic Manager
Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.
Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.
Impact:
The last packet of data is not received.
Workaround:
Disable MPTCP.
Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.
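To make the DATA_FIN case concrete, the following is an added example (not F5 code): it parses the MPTCP DSS option as laid out in RFC 6824 and compares a receiver that drops the payload of a DATA_FIN segment (the pre-fix behaviour) with one that delivers it. The option bytes, DSN/SSN values, payload and function names are all constructed for the example.

```python
"""Added example (not F5 code): parse an MPTCP DSS option (RFC 6824,
TCP option kind 30, subtype 2) and show why a receiver must still deliver
the payload of a segment whose DSS carries DATA_FIN, as in bug 611691-5.
Function names, the sample DSN/SSN values and the payload are constructed.
"""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

MPTCP_KIND = 30      # TCP option kind shared by all MPTCP options
DSS_SUBTYPE = 2      # Data Sequence Signal

# Flag bits in the byte after the subtype nibble (RFC 6824 section 3.3).
FLAG_A = 0x01  # Data ACK present
FLAG_a = 0x02  # Data ACK is 8 octets (else 4)
FLAG_M = 0x04  # DSN, SSN, Data-Level Length (and optional checksum) present
FLAG_m = 0x08  # DSN is 8 octets (else 4)
FLAG_F = 0x10  # DATA_FIN: data-level FIN, occupies 1 octet of sequence space


@dataclass
class Dss:
    data_fin: bool
    data_ack: Optional[int]
    dsn: Optional[int]
    ssn: Optional[int]
    data_len: Optional[int]


def tcp_options(opts: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (kind, value) for each TCP option, skipping NOP, stopping at EOL."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            return
        if kind == 1:            # No-operation padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        yield kind, opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]


def parse_dss(opts: bytes) -> Optional[Dss]:
    """Return the first DSS option found in the TCP option bytes, or None."""
    for kind, value in tcp_options(opts):
        if kind != MPTCP_KIND or len(value) < 2 or (value[0] >> 4) != DSS_SUBTYPE:
            continue
        flags, pos = value[1], 2

        def take(n: int) -> int:
            nonlocal pos
            if pos + n > len(value):
                raise ValueError("truncated DSS option")
            field = int.from_bytes(value[pos:pos + n], "big")
            pos += n
            return field

        data_ack = take(8 if flags & FLAG_a else 4) if flags & FLAG_A else None
        dsn = ssn = data_len = None
        if flags & FLAG_M:
            dsn = take(8 if flags & FLAG_m else 4)
            ssn = take(4)
            data_len = take(2)
        return Dss(bool(flags & FLAG_F), data_ack, dsn, ssn, data_len)
    return None


def receive_segment(opts: bytes, payload: bytes, buggy: bool = False) -> dict:
    """Decide what the data-level receiver delivers for one subflow segment.

    buggy=True models the pre-fix behaviour: a DSS with DATA_FIN caused the
    whole payload to be ignored, so the last chunk of an upload never arrived.
    """
    dss = parse_dss(opts)
    if dss is None:
        return {"delivered": payload, "data_fin": False, "consistent": True}
    # DATA_FIN consumes one octet of data sequence space, so a DSS that maps
    # data and carries DATA_FIN declares Data-Level Length = len(payload) + 1.
    expected = len(payload) + (1 if dss.data_fin else 0)
    consistent = dss.data_len is None or dss.data_len == expected
    if buggy and dss.data_fin:
        return {"delivered": b"", "data_fin": True, "consistent": consistent}
    return {"delivered": payload, "data_fin": dss.data_fin, "consistent": consistent}


def build_dss_options(payload_len: int, data_fin: bool, dsn: int = 1000, ssn: int = 1) -> bytes:
    """Construct TCP option bytes holding a 4-octet-DSN DSS (no checksum,
    no Data ACK), padded with two NOPs to a 4-octet boundary."""
    flags = FLAG_M | (FLAG_F if data_fin else 0)
    body = bytes([DSS_SUBTYPE << 4, flags])
    body += dsn.to_bytes(4, "big") + ssn.to_bytes(4, "big")
    body += (payload_len + (1 if data_fin else 0)).to_bytes(2, "big")
    return bytes([MPTCP_KIND, 2 + len(body)]) + body + b"\x01\x01"


if __name__ == "__main__":
    last = b"last chunk"                       # constructed final upload segment
    opts = build_dss_options(len(last), data_fin=True)
    print("fixed :", receive_segment(opts, last))
    print("buggy :", receive_segment(opts, last, buggy=True))
```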
611669-4 : Mac Edge Client customization is not applied on macOS 10.12 Sierra
Component: Access Policy Manager
Symptoms:
The Mac Edge Client's icon, application name, company name, and other attributes can be customized on BIG-IP before deployment to the end user's machine, but on macOS 10.12 Sierra this customization is not applied.
Conditions:
macOS Sierra 10.12, Edge client, customization
Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there is no impact, except that the user sees the default application appearance.
Workaround:
Run the following command in Terminal for your language and then re-launch the Edge Client:
For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"
For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"
For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"
For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"
For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"
For Chinese (Traditional):
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"
For Chinese (Simplified):
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"
Fix:
Edge client honors customization on macOS Sierra 10.12 now.
611658-3 : "less" utility logs an error for remotely authenticated users using the tmsh shell
Component: TMOS
Symptoms:
When using 'less', the following error appears: Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"
Conditions:
The admin user is configured with the tmsh shell.
Impact:
The admin user cannot use the less command from the shell.
Workaround:
Configure the admin user to use the bash shell.
611512-1 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
Component: TMOS
Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.
Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
- The pool name in BIG-IP is the same as the name of the AWS autoscaling group attached to it.
Impact:
- Pool member autoscaling does not occur correctly without user intervention.
Workaround:
When configuring pool member autoscaling in AWS, choose a pool name that differs from the name of the autoscaling group attached to it.
Fix:
Choose different names for the pool in BIG-IP and the autoscaling group in AWS to correctly configure pool member autoscaling in BIG-IP.
611487-3 : vCMP: VLAN failsafe does not trigger on guest
Component: TMOS
Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.
Conditions:
A vCMP host is configured, VLAN failsafe is enabled on a VLAN, and one or more vCMP guests that use that VLAN are enabled.
Impact:
Because the heartbeat messages sent over IPv6 link-local addresses continue to pass successfully from host to guest, VLAN failsafe does not trigger when a downstream router or switch connected to the VLAN goes down.
Workaround:
If possible, disable IPv6 on the host; VLAN failsafe then works as expected.
611482-4 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
Solution Article: K71450348
Component: Local Traffic Manager
Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
Conditions:
Universal persistence is configured. A stream of HTTP requests is sent to a tmm that does not own the record. A persistence lookup is performed, but the pool command is ultimately used to make the load-balancing pick.
Impact:
Discrepancy between persistence records.
Workaround:
Use the persist command, not the pool command, to bind a persistence record to a flow.
Fix:
The owner persistence record is now kept alive correctly.
611469-3 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
Solution Article: K95444512
611467-3 : TMM coredump at dhcpv4_server_set_flow_key().
Component: Policy Enforcement Manager
Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().
Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A client using broadcast for DHCP renewal is an indication that the client did not get an ACK from the DHCP server when it used unicast to talk to the server directly. The most likely reason is that the server's routing table is not configured to send DHCP ACK packets back to the client.
You can work around this problem by configuring the DHCP server's routing table so that it knows how to send the DHCP ACK to the client.
611385-1 : "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
Component: Application Security Manager
Symptoms:
Under some scenarios, setting "Learn Explicit Entities" to 'Never' has no effect; it continues to work as if it were 'Add All Entities'.
Conditions:
Steps to Reproduce:
1) Create a default policy, set "Learn New HTTP URLs" to "Add All Entities".
2) Create a non-pure wildcard URL "/in*".
3) Send the following request:
GET /index.html HTTP/1.1\r\n
Host: <Host URL>\r\n
\r\n
4) There will be no suggestion to add the /index.html URL, since the learning mode on the "/in*" wildcard is "Never" by default.
5) Set "Learn Explicit Entities" to "Add All Entities" on the "/in*" wildcard.
6) Send the same traffic again; there will be a suggestion to add the /index.html URL (which is still correct).
7) Delete all suggestions.
8) Set "Learn Explicit Entities" to "Never" on "/in*" wildcard.
9) Send the same traffic again.
Impact:
There is a suggestion to add the /index.html URL when there should be none, since the wildcard is now in 'Never' mode.
Workaround:
Go to "Learning and Blocking Settings", set "Learn New HTTP URLs" to "Never", press "Save", then set it back to "Add All Entities" and press "Save" again.
Fix:
"Learn Explicit Entities" to 'Never' now works as expected.
611352 : Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
Solution Article: K68092141
Component: TMOS
Symptoms:
In /var/log/sel you see these errors:
0082 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: corerrsts: replay_num_rollover_status
0083 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: rperrsts: correctable_error_received
Conditions:
This can be seen on BIG-IP iSeries platforms.
Impact:
This error message is benign and can be safely ignored.
Workaround:
N/A
Fix:
Benign message "replay num rollover error condition correctable errors" counter is no longer seen.
611320-3 : Mirrored connection on Active unit of HA pair may be unexpectedly torn down
Component: Local Traffic Manager
Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.
Conditions:
The mirrored connection on the Standby unit times out due to a state mismatch with the connection on the Active unit.
Impact:
Traffic loss.
Workaround:
Disable mirroring.
Fix:
The system no longer mirrors connflow expiration from Standby to Active. This is correct behavior.
611240-3 : Import of config with securid might fail
Component: Access Policy Manager
Symptoms:
Import of the profile used for securid auth might fail if the profile has already been used for auth purposes at the moment of export.
Conditions:
This occurs when the following conditions are met:
-- Profile configured for securid authentication with a securid server attached.
-- Profile has been used for authentication more than 0 times.
-- Full import (no reuse), or reuse import when a securid server with the same name is not present.
Impact:
Unable to import certain configurations.
Workaround:
1. In VPE, open securid auth item and set server to none before export.
2. Export profile.
3. Import profile.
4. Re-create the aaa securid server.
5. In VPE, open the securid auth item and set server to one from step #4.
Or
1. Export profile.
2. Create aaa securid server under the same name.
3. Import profile with reuse.
Alternatively, remove the securid server entry from the configuration files inside the .conf.tar.gz, which also works.
Fix:
It is now possible to export and then import a profile that uses securid in any state.
611161-3 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
Solution Article: K28540353
Component: Local Traffic Manager
Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs and the generated ARP requests are not answered, VLAN failsafe resorts to ICMP.
Impact:
In very rare situations, failsafe triggers when it should not.
Workaround:
None.
Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.
611154-1 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
An iRule (or other non-ASM module) adds or deletes server response headers, especially if it touches the Set-Cookie header.
Impact:
Failover, traffic disrupted while TMM restarts.
Workaround:
No workaround at this time.
Fix:
Added checking for bad dictionary on the response side.
611151-2 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
Component: Application Security Manager
Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.
Conditions:
-- ASM is provisioned.
-- The ASM policy is case-insensitive.
-- A JSON profile has a sensitive parameter containing an upper-case character.
Impact:
No data masking occurs for the JSON sensitive parameter.
Workaround:
N/A
Fix:
We've made sure that JSON parameters are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.
610897-2 : FPS-generated request failure throws an "unspecified error" in old IE.
Component: Fraud Protection Services
Symptoms:
If an FPS-generated request is sent and fails in an old version of IE, the browser throws an "unspecified error".
Conditions:
An FPS-generated request is sent and fails in an old version of IE.
Impact:
The browser shows an error message in the bottom-left corner.
Workaround:
N/A
Fix:
N/A
610857-1 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
Component: Application Security Manager
Symptoms:
When a Selenium WebDriver client is detected driving a Chrome or Firefox browser, it is not blocked because the PBD (Suspicious Browsers) mechanism assigns it a low score.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.
Impact:
A bot running the Selenium Chrome or Firefox WebDriver is not mitigated by the DoSL7 PBD mechanism.
Workaround:
N/A
Fix:
Adjusted the scoring for Selenium detection so that a CAPTCHA is triggered on an attempt to access a website without the TSPD101 cookie (which usually occurs when accessing a website's first page).
610830-1 : Fingerprint JavaScript runs slowly and causes a bad user browsing experience when accessing a web app's first page.
Component: Application Security Manager
Symptoms:
When an end user accesses a website's first page, there is noticeable latency before the page content arrives.
Conditions:
This occurs when ASM is provisioned and the virtual server is assigned either a DoS application profile with Device ID mitigation configured, or an ASM policy with web scraping and fingerprint detection enabled.
Impact:
Bad user experience when accessing the website's first page.
Workaround:
tmsh modify sys db dosl7.fp_fonts_enabled disabled
Fix:
The bottleneck in the JavaScript is font collection; to improve performance, the number of fonts collected has been reduced from 300 to 50. To eliminate font collection entirely, a new sys db variable has been added; see tmsh list sys db dosl7.fp_fonts_enable. Note that eliminating font collection for the fingerprint can reduce its entropy.
610710-2 : Pass IP TOS bits from incoming connection to outgoing connection
Component: Service Provider
Symptoms:
ToS is set to 0 when going through a SIP profile.
Conditions:
This occurs when a SIP profile is in use and ToS is set.
Impact:
Currently, the outgoing packets' TOS bits are configured via the profile and are not affected by the TOS bits of the incoming packet.
Workaround:
N/A
Fix:
The outgoing packets' TOS bits can now be configured via the profile to preserve the TOS bits of the incoming packet.
Behavior Change:
This change will only change existing behavior if the transport protocol (TCP, UDP or SCTP) has the ip-tos-to-client attribute set to pass-through. If configured as pass-through, the TOS bits of the incoming packet containing a message will be used on the outgoing packets containing the message. Without this change, the TOS bits of the outgoing packet would be undefined if configured this way.
610609-3 : Total connections in bigtop, SNMP are incorrect
Component: Local Traffic Manager
Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connection count is reported too high. For example, if you send a single connection through BIG-IP, it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.
Conditions:
This occurs on PVA-enabled hardware platforms.
Impact:
The total connection count statistic is incorrect.
610582-2 : Device Guard prevents Edge Client connections
Component: Access Policy Manager
Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.
Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.
Impact:
Clients are unable to establish a VPN connection.
Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.
Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.
Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.
610449-2 : restarting mcpd on guest makes block-device-images disappear
Component: TMOS
Symptoms:
tmsh list sys software block-device-images typically shows available BIG-IP images saved on the platform which are available for install via tmsh install sys software ...
When running BIG-IP on a vcmp guest, GuestAgentDaemon is responsible for fetching from the host these available images and displaying them to the user.
When mcpd goes down, GuestAgentDaemon loses the connection required to fetch and display this information.
If mcpd has gone down since GuestAgentDaemon came up, running "(tmos)# show sys software block-device-image" a second time will no longer display the BIG-IP images available for install.
Restarting GuestAgentDaemon when mcpd restarts ensures that GuestAgentDaemon re-establishes the required connection. With this fix, GuestAgentDaemon restarts only in response to mcpd going down and subsequently coming back up. Once both daemons are up and running again, the command '(tmos)# list sys software block-device-image' functions as designed.
Conditions:
vCMP is provisioned to level dedicated.
One or more guests is provisioned and deployed.
The user is operating inside a deployed guest.
The user attempts to use a block-device-image, but mcpd has restarted since GuestAgentDaemon began execution. No block-device-images are shown by GuestAgentDaemon.
Impact:
tmsh list sys software block-device-images returns nothing from inside the guest.
Workaround:
Restart GuestAgentDaemon in response to mcpd successfully restarting.
Fix:
GuestAgentDaemon now automatically restarts in response to McpDaemon successfully restarting.
610442-2 : vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
Solution Article: K75051412
Component: TMOS
Symptoms:
On a vCMP guest, if a user attempts to install using the block-device-image argument (e.g., install sys software block-device-image <some.iso>), and the .iso file has incorrect file permissions (e.g., $chmod 600 <some.iso>), then the lind process on the guest enters a restart loop, and the system posts the following error:
lind[23565]: 013c0004:3: Fatal error: vcmp_media_insert failed
Conditions:
-- vCMP guest.
-- Run a command similar to the following:
install sys software block-device-image <some.iso>.
-- <some.iso> has bad permissions, e.g., -r--------.
Impact:
On the guest, lind restarts continuously, logging its restart to /var/log/ltm each time and posting the vcmp_media_insert failed error message.
Workaround:
Use either of the following workarounds:
-- Avoid installing block-device-images known to have bad permissions.
-- From the host, attempt to repair the file with bad permissions, copy the repaired file to /shared/images/, and try the install again. To do so, follow this procedure, running these commands from the host:
1. To repair the file, run the following command:
chmod 644 <some.iso>
2. To copy the file, run the following command:
scp <some.iso> mysystem:/shared/images/
3. To install the guest, run the following commands:
bigstart restart lind
tmsh install sys software block-device-image <some.iso>
Fix:
Instead of throwing a runtime error, lind will log an error to /var/log/ltm and return.
610441-3 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
Component: TMOS
Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
Conditions:
This occurs when adding a new member to an existing pool using iControl REST.
Impact:
Unable to tell if the request has succeeded or failed via iControl REST.
Workaround:
Add the following to partitionInfo in icrd.conf.
{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}
610429-5 : X509::cert_fields iRule command may leak memory with subpubkey argument
Component: Local Traffic Manager
Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.
Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.
Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}
Impact:
Memory will leak, eventually impacting the operation of tmm.
Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields.
610417-1 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
Solution Article: K54511423
Component: TMOS
Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. Also, it uses the undesirable TLSv1 protocol instead of negotiating the highest safe protocol available, which is TLSv1.2.
If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established.
Conditions:
This exists when configuring devices in a device cluster.
Impact:
Unable to configure stronger ciphers for device trust.
If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.
Workaround:
None.
Fix:
Advertised client ciphers are reduced to those the Common Criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).
610354-1 : TMM crash on invalid memory access to loopback interface stats object
Component: TMOS
Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.
Conditions:
TMM drops packets on its internal loopback interfaces.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
610352-1 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:
ERROR: S.5...... /etc/sysconfig/modules/unic.modules
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /etc/sysconfig/modules/unic.modules that was causing sys-icheck to report errors.
610350-1 : sys-icheck reports error with /config/bigpipe/defaults.scf
Component: TMOS
Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:
ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf
Conditions:
This occurs on BIG-IP running on Azure cloud.
Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
Fix:
Fixed an issue with files in /config/bigpipe/defaults.scf that was causing sys-icheck to report errors.
610307 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
Component: TMOS
Symptoms:
This error message may be generated once or twice at shutdown:
01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.
Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.
Impact:
None. This can be ignored.
Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.
Fix:
This error message could have been generated once or twice at shutdown:
01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.
It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.
610302-1 : Link throughput graphs might be incorrect.
Component: Local Traffic Manager
Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.
Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.
For example, there are two links defined and named "mylink" and "mylink2".
Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.
For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink".
As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.
Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.
Fix:
Link throughput graphs now collect and show the throughput for the proper link when one link name is a prefix of one or more other links. Note that historical information gathered before the fix will not be corrected.
610295-1 : TMM may crash due to internal backplane inconsistency after reprovisioning
Solution Article: K32305923
Component: TMOS
Symptoms:
In some scenarios on BIG-IP Virtual Edition (VE) platforms, TMM may crash due to backplane inconsistency shortly after a provisioning change.
Conditions:
- BIG-IP VE with performance-limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.
Impact:
TMM may core with panic and post the following message in /var/log/tmm log: 'Unexpected backplane address'. Traffic disrupted while tmm restarts.
Workaround:
Reboot after provisioning if new license add-on keys raise the performance limits of the BIG-IP system.
Fix:
TMM no longer crashes after provisioning if new license add-on keys raise the performance limits of the BIG-IP system.
610273-3 : Not possible to do targeted failover with HA Group configured
Component: TMOS
Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."
Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.
Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.
Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.
610255-1 : CMI improvement
Solution Article: K62279530
610224-3 : APM client may fetch expired certificate when a valid and an expired certificate co-exist
Component: Access Policy Manager
Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.
Conditions:
A valid and an expired certificate co-exist in the certificate store.
Impact:
Machine Certificate check fails.
Workaround:
Remove the expired certificate from the store.
Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.
610180-2 : Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin.
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.
Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO.
Impact:
SSO plugin leaks memory.
Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.
Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.
610138-2 : STARTTLS in SMTPS filter does not properly restrict I/O buffering
Solution Article: K23284054
Component: Local Traffic Manager
Symptoms:
Commands following STARTTLS in a group are accepted and processed after TLS is in place.
Conditions:
SMTPS profile in use.
Impact:
SMTPS filter will improperly process commands after STARTTLS.
Workaround:
None.
Fix:
Commands in a group after STARTTLS are dropped. This is correct behavior.
610129-3 : Config load failure when cluster management IP is not defined, but instead uses address-list.
Solution Article: K43320840
Component: Advanced Firewall Manager
Symptoms:
In a cluster setup with multiple blades, if the configuration does not assign management IP addresses to individual blades but instead assigns a cluster management IP address list to the cluster of blades, the configuration load fails. The system posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.
Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.
Impact:
After reboot, configuration load failure on secondary blades.
Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.
Fix:
Config load failure no longer occurs when cluster management IP is not defined, but instead uses address-list.
610122-1 : Hotfix installation fails: can't create /service/snmpd/run★
Component: TMOS
Symptoms:
Hotfix installation fails with RPM transaction errors.
The system posts several errors similar to the following in /var/log/liveinstall.log: info: RPM: can't create /service/snmpd/run at usr/share/perl5/vendor_perl/daemon.pm line 99.
Conditions:
12.x hotfix installation from 11.6.0 on top of a 12.x base image that was previously booted.
Impact:
It is not possible to perform a hotfix installation to a 12.x volume from 11.6.0 after the 12.x volume has been booted.
Workaround:
- Install the hotfix directly to a new slot which has not been booted into before using a command similar to the following:
tmsh install sys software hotfix 12.1.0-hf1 create-volume volume HD1.4
609967-2 : qkview missing some HugePage memory data
Solution Article: K55424912
Component: TMOS
Symptoms:
Some HugePage status data is missing from qkview if the contents of /proc/meminfo do not list a units column for the HugePage data.
Conditions:
/proc/meminfo file does not list units for HugePage data.
Impact:
HugePage data is missing from qkview diagnostics file.
Workaround:
Separately provide /proc/meminfo file.
Fix:
HugePage status data is now collected as expected.
609793-1 : HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.
Component: Access Policy Manager
Symptoms:
The HTTP Header Modify agent skips execution if it believes it is in the serverside chain. That check is based on receipt of HUDEVT_REQ_DONE, which can also be true on the clientside chain, so the agent skips its header-modify operations there and logs an error message.
Conditions:
Receipt of HUDEVT_REQ_DONE before execution of HTTP Header Modify agent.
Impact:
HTTP header modify agent cannot perform modification of headers/cookies.
Workaround:
None.
Fix:
An appropriate check that disables the HTTP Header Modify agent only in the serverside chain has been added, and the check based on whether the request has already been received has been removed.
609788 : PCP may pick an endpoint outside the deterministic mapping
Component: Carrier-Grade NAT
Symptoms:
When PCP is picking an endpoint for a LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.
Conditions:
With PCP configured and enabled with a lsn-pool in deterministic mode.
Impact:
The deterministic mapping restriction may be violated, causing the reverse mapping of public IP address to private IP address not to identify the correct subscriber.
Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.
Fix:
PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.
609691-1 : GnuPG vulnerability CVE-2014-4617
Solution Article: K21284031
609677-1 : Dossier warning 14
Component: TMOS
Symptoms:
After each boot, the /var/log/ltm log file contains messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.
Conditions:
This occurs upon reboot after licensing and management port configuration is complete on i5000/i7000/i10000-Series platforms.
Impact:
There is no functional impact. This is a benign message that can be safely ignored.
Workaround:
None.
Fix:
The /var/log/ltm log file no longer contains benign messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.
609628-2 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
Component: Local Traffic Manager
Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.
Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.
Impact:
iRule commands inside CLIENTSSL_SERVERHELLO_SEND are executed only for full handshakes, not for abbreviated handshakes. Any logic that must apply to every SSL connection should therefore not run inside the CLIENTSSL_SERVERHELLO_SEND event, since it is not reliably raised for all handshake types.
Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.
609614-3 : Yafuflash 4.25 for iSeries appliances
Component: TMOS
Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to Yafuflash 4.25.
Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Yafuflash.
Impact:
This is a firmware upgrade.
Workaround:
None.
Fix:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
Behavior Change:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
609575-5 : BIG-IP drops ACKs containing no max-forwards header
Component: Service Provider
Symptoms:
When a SIP profile is in use and receives an acknowledgment packet missing the Max-Forwards header, BIG-IP treats the packet as unforwardable and does not forward the ACK. This can be experienced as a specific client being unable to make a call.
Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.
Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".
609527-2 : DNS cache local zone not properly copying recursion desired (RD) flag in response
Component: Global Traffic Manager (DNS)
Symptoms:
When a DNS query sets the RD flag, that setting is supposed to be copied to the response. When a DNS query is handled by a cache local zone, the RD flag is not set properly.
Conditions:
A DNS cache local zone must be configured and a DNS query with the RD flag set must be handled by this local zone.
Impact:
The flag is not set properly in the DNS response. This most likely will only be noticed by protocol validation tools as standard DNS clients generally do not check this bit.
Workaround:
Use an equivalent DNS Express configuration instead of the local zone.
Fix:
The fix is to properly check the RD flag on the query so that it can be copied to the response.
609499-1 : Compiled signature collections use more memory than prior versions
Component: Application Security Manager
Symptoms:
Compiled signature collections use more memory than prior versions.
Conditions:
Different signature sets are used for different policies.
Impact:
BD memory usage for compiled signature collections is increased.
Fix:
Compiled signature collections memory usage was consolidated and reduced.
609496-2 : Improved diagnostics in BD config update (bd_agent) added
Component: Application Security Manager
Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.
Conditions:
Further troubleshooting of BD config update transmission is needed.
Impact:
No diagnostics are available.
Workaround:
None.
Fix:
Improved diagnostics in BD config update (bd_agent) were added.
609335-1 : IPsec tmm devbuf memory leak.
Component: TMOS
Symptoms:
A small memory leak was discovered during internal testing of IPsec tunnels. Over time tmm might run out of memory and crash.
Conditions:
It is not known exactly what triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
609328-3 : SIP Parser incorrectly parses empty header
Solution Article: K53447441
Component: Service Provider
Symptoms:
If a SIP message contains an empty header, the following header will be included as the value of the empty header.
Conditions:
A SIP header without any value will incorrectly cause the next header to be used as the value.
Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).
Workaround:
None.
Fix:
Parser has been corrected to terminate an empty header when a line ending is seen.
609325 : Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
Component: TMOS
Symptoms:
QSFP modules that do not support DDM (Digital Diagnostic Monitoring) write messages to /var/log/ltm indicating DDM is not supported; however, certain F5-branded SFP modules that do not support DDM do not write such a message to the log.
Conditions:
Upon inserting the unsupported DDM SFP modules.
Impact:
DDM is not reporting information for the following optics:
Unsupported DDM 1Gb-10GB SFP modules:
OPT-0004
OPT-0007
OPT-0011
OPT-0015
OPT-0051
OPT-0033
Workaround:
None.
Fix:
All DDM SFP 1Gb-10GB modules now log in /var/log/ltm that DDM is not supported with that optical transceiver.
609244-4 : tmsh show ltm persistence persist-records leaks memory
Component: Local Traffic Manager
Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.
Conditions:
This occurs when running tmsh show ltm persistence persist-records.
Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.
Workaround:
None.
Fix:
tmsh show ltm persistence persist-records no longer leaks memory.
609199-6 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
Component: Local Traffic Manager
Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.
Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable MPTCP.
Fix:
Remove unestablished joining subflows when freeing the MPTCP connection structure.
609119-7 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
Component: TMOS
Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:
-- err mcpd[19114]: 01070711:3:
For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.
Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.
Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.
Workaround:
None. The problem corrects automatically when the system rewrites the log.
Fix:
The logging system prints out a blank message in response to failed file object configuration change validations.
609114-1 : Add the ability to control dropping of alerts by before-load-function
Component: Fraud Protection Services
Symptoms:
Too many alerts prevent you from enabling FPS. If it does get enabled, a large number of 'missing component' alerts are generated.
Conditions:
This can occur when enabling FPS would trigger a high number of alerts.
Impact:
FPS is disabled, or alerts are not categorized.
Fix:
Add before-load-function capability to drop alert on client.
609107-1 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
Component: TMOS
Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.
Conditions:
A folder is removed from a previously valid configuration file.
Impact:
Inconsistent configuration between devices in the same device-group: the devices show as in-sync when they are not, and the config fails to load after mcpd has been reset.
Workaround:
Do not remove folders from the configuration file.
Fix:
mcpd now properly validates missing 'sys folder' config in bigip_base.conf, so the config performs as expected.
609098-1 : Improve details of ajax failure
Component: Fraud Protection Services
Symptoms:
When AJAX request fails, insufficient information is provided to debug the failure.
Conditions:
AJAX failure
Impact:
Difficult to diagnose the failure.
Workaround:
Not relevant
Fix:
Add information to alert about AJAX failure.
609095-1 : mcpd memory grows when updating firewall rules
Component: Advanced Firewall Manager
Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.
Conditions:
This can occur when making changes to firewall policies.
Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.
609084-2 : Max number of chunks not configurable above 1000 chunks
Solution Article: K03808942
Component: Application Security Manager
Symptoms:
Requests larger than 1000 chunks are blocked, and the system posts the following message in the ASM event log:
Unparsable request content Chunks number exceeds request chunks limit: 1000.
Conditions:
This occurs when the request exceeds 1000 chunks.
Impact:
Requests that are valid from the server side are being rejected.
Workaround:
None.
Fix:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a max number of chunks greater than 1000. The default value is 1000.
Behavior Change:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a max number of chunks greater than 1000. The default value is 1000.
609027-1 : TMM crashes when SSL forward proxy is enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes when SSL forward proxy is enabled.
Conditions:
This can occur when SSL forward proxy is enabled and there is a server handshake done when client SSL handshake is not ongoing.
Impact:
Traffic disrupted while tmm restarts.
Fix:
SSL forward proxy now ignores server handshake done when client SSL handshake is not ongoing, so an intermittent TMM crash no longer occurs.
609005-2 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
Component: Policy Enforcement Manager
Symptoms:
When two client-side DHCP packets with the giaddr field set arrive, one with source port 67 and another with source port 68 (the latter does not conform to the RFC, since a DHCP packet with giaddr set, i.e., one from a relay agent, should use source port 67), tmm crashes while logging the error message.
Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have the giaddr field set.
3) One packet uses 67 as source port, the other uses 68.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.
608991-7 : BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
Component: Local Traffic Manager
Symptoms:
If a SYN with MP_JOIN is received on a new subflow during an MPTCP connection and the connection closes before the three-way handshake is complete, the BIG-IP will continue trying to complete the three-way handshake.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a SYN with MP_JOIN is received on another flow during an MPTCP connection.
Impact:
The BIG-IP retransmits the SYN/ACK to the joining flow after the connection is closed.
Workaround:
There is no workaround.
Fix:
Free joining connections when an MPTCP connection is closed.
608952-5 : MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2
Component: Local Traffic Manager
Symptoms:
MSSQL health monitor always shows down.
Conditions:
The Microsoft SQL server that is being monitored has disabled support for legacy security protocols, and supports only versions TLSv1.1 and TLSv1.2.
Impact:
MSSQL monitor is unable to perform health checking when SQL Server is configured to require TLSv1.1 or TLSv1.2.
Workaround:
None.
608941-1 : AAA RADIUS system authentication fails on IPv6 network
Component: Access Policy Manager
Symptoms:
APM supports RADIUS authentication to IPv6 servers for APM clients if the IPv6 servers are in a pool, but using RADIUS for system authentication directly to a RADIUS server fails on invalid IP address. The signature in the log file is as follows:
err apmd[13481]: 01490108:3: /Common/profilename: RADIUS module: authentication with 'aa' failed: Invalid Server IP(0)/Port(0) (1)
Conditions:
RADIUS authentication configured for system authentication direct to a RADIUS server, and the RADIUS server is an IPv6 server.
Impact:
RADIUS is unable to connect directly to the IPv6 RADIUS server, so clients are unable to log into the system.
608826-1 : Greylist (bad actors list) is not cleaned when attack ends
Component: Anomaly Detection Services
Symptoms:
When an attack ends, the greylist (detected bad actors) remains until the timeout expires.
Conditions:
Bad actors have been detected and the attack ends.
Impact:
If a new attack starts before the greylist expires, greylist members are mitigated even if they are not related to the current attack.
Workaround:
If necessary, the greylist can be cleared manually using the ipidr utility.
Fix:
Clear the greylist upon attack end.
608742-2 : DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
Solution Article: K48561135
Component: Policy Enforcement Manager
Symptoms:
When the BIG-IP system is configured in Forwarding mode, the BIG-IP system drops the renewal ACK message from the server in response to unicast renewal message from DHCP clients.
Conditions:
-- BIG-IP system configured in forwarding mode.
-- DHCP clients sending unicast renewal message to DHCP server.
Impact:
Unicast DHCP renewal requests are not responded to with ACKs. DHCP clients will send broadcast renewal messages and will receive ACK from servers.
Workaround:
None.
Fix:
When a DHCP client receives no ACK for its unicast DHCP renewal messages, it sends broadcast DHCP renewal messages instead; the DHCP server's ACKs are then forwarded by the BIG-IP system and received by the DHCP clients.
608591-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
Component: Policy Enforcement Manager
Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).
Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.
Impact:
Might impact the way policies are provided from the PCRF.
Workaround:
None
Fix:
Subscriber ID type is marked as NAI for DHCP discovered subscribers.
608566-1 : The reference count of NW dos log profile in tmm log is incorrect
Component: Advanced Firewall Manager
Symptoms:
In certain circumstances when virtual servers are configured with security log profiles, the log message in the tmm log shows an incorrect reference count for the log profiles.
Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.
Impact:
This may lead to issues such as a TMM crash if the reference count is not calculated correctly.
Fix:
The reference count now shows the correct number in the log message.
608555-1 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash
Component: Local Traffic Manager
Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.
Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.
Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.
Workaround:
Do not use asymmetric routing with a rate limited license.
Fix:
The VE rate shaper now works correctly when asymmetric routing is configured, and tmm no longer crashes.
608551-3 : Half-closed congested SSL connections with unclean shutdown might stall.
Component: Local Traffic Manager
Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.
Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.
Impact:
Possible stalled flow.
Workaround:
Use SSL client that sends clean shutdown.
Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.
608509-1 : Policy learning is slow under high load
Component: Application Security Manager
Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.
Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.
Impact:
Learning suggestions appear with considerable delay, policy learning speed goes down.
Workaround:
No workaround
Fix:
Fixed an issue with slow policy learning on heavily loaded systems.
608424-2 : Dynamic ACL agent error log message contains garbage data
Component: Access Policy Manager
Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.
Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.
Impact:
The system logs garbage data.
Workaround:
Make sure the ACL entry is correct.
Fix:
Dynamic ACL error log messages no longer contain garbage data when Dynamic ACL detects incorrect syntax of an ACL entry.
608408-2 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
Component: Access Policy Manager
Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.
Conditions:
All of the following:
- The BIG-IP system is used as a SAML IdP.
- A new SAML SSO configuration is added on the BIG-IP system.
- A rarely occurring internal tmconf error happens while processing the newly added configuration.
Impact:
TMM may restart.
Workaround:
None.
Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.
608373-2 : Some iApp LX packages will not be saved during upgrade or UCS save/restore
Component: iApp Technology
Symptoms:
iApp LX packages that include dependencies on system utilities (like /bin/sh, /bin/bash, python etc.) cannot be imported to iApp LX RPM database.
Conditions:
iApp LX packages that depend on system utilities.
Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.
Workaround:
None.
Fix:
The iApp LX UCS save process now turns off automatic dependency generation by rpmbuild, so iApp LX packages can be imported during UCS restore or upgrade.
608348-4 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system
Component: TMOS
Symptoms:
After deleting an iApp build from the f5.citrix_vdi.v2.3.0 template then running a config sync, the system that received the sync could have a tunnel object left over which should have been deleted.
Running 'tmsh load sys config verify' after this sync would give the following error.
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.
Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.
Impact:
Config validation fails, and you must delete the tunnel manually.
Workaround:
On the system that received the sync, edit /config/BIG-IP_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
Fix:
The autogenerated tunnel is now successfully removed on receiving devices.
608320-3 : iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response
Component: TMOS
Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value of "none". The exception is secured attributes, which are always excluded from the iControl REST API response.
608304-1 : TMM crash on memory corruption
Solution Article: K55292305
Component: Local Traffic Manager
Symptoms:
In rare cases tmm might crash on memory corruption.
Conditions:
It is not known what sequence of events triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes on memory corruption in rare cases.
608245 : Reporting missing parameter details when attack signature is matched against parameter value
Component: Application Security Manager
Symptoms:
A parameter is shown without parameters details or with garbled parameter details in the local logging GUI.
Conditions:
An attack signature was detected in a parameter value.
Impact:
Bad reporting
Workaround:
N/A
608024-3 : Unnecessary DTLS retransmissions occur during handshake.
Component: Local Traffic Manager
Symptoms:
Unnecessary DTLS retransmissions occur during handshake.
Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.
Impact:
Possible DTLS handshake failure on VE platform.
Workaround:
None.
Fix:
This release fixes a possible failed DTLS handshake on VE platforms.
608009-1 : Crash: Tmm crashing when active system connections are deleted from cli
Component: Policy Enforcement Manager
Symptoms:
When the BIG-IP is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address by relay agent, tmm may crash when active system connections are deleted from cli or via aging.
Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in unicast DHCP renewal packet is set to IP address of relay agent (Typically, it is set to 0 by the DHCP client)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This is not a typical network setup. Usually DHCP relay agent will not modify DHCP renewal packet to insert its own address as giaddr.
607961-1 : Secondary blades restart when modifying a virtual server's route domain in a different partition.
Component: TMOS
Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).
Conditions:
- Only happens on chassis.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.
Impact:
Traffic disrupted while secondary blades restart.
Workaround:
None.
Fix:
Secondary blades no longer restart when modifying a virtual server's route domain in a different partition.
607857-1 : Some information displayed in "list net interface" will be stale for interfaces that change bundle state
Component: TMOS
Symptoms:
Changing the bundling on an interface does not clear the following fields in the previously configured interface:
module-description, serial, vendor, vendor-oui, vendor-partnum, vendor-revision.
That information will be correct for the active interface, it is just not cleared for the previously configured interface.
Module description is not correctly reported on unbundled interfaces.
Conditions:
Bundling change on an interface
Impact:
"list net interface" on previously configured interfaces will show stale information. May be confusing.
Module description is missing from "list net interface" on unbundled interfaces.
Workaround:
Stale data will clear on a reboot. This is purely a display issue, it does not affect the functionality of the currently configured interfaces.
607803-3 : DTLS client (serverssl profile) fails to complete resumed handshake.
Solution Article: K33954223
Component: Local Traffic Manager
Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.
Conditions:
This occurs when the BIG-IP system acts as a DTLS client.
Impact:
Possible failed resumed handshake.
Workaround:
Disable session reuse.
Fix:
This release fixes a possible failed resumed DTLS handshake.
607724-2 : TMM may crash when in Fallback state.
Solution Article: K25713491
Component: Local Traffic Manager
Symptoms:
There is a chance, when HTTP is in Fallback mode, that the HTTP filter will send an Abort event to the TCP filter (causing tear down) prematurely while the Abort triggered by the upper filter/proxy is still in progress.
TMM may crash when this happens.
Conditions:
It is not known exactly what conditions trigger this, but it has been known to occur when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a rarely occurring tmm crash that might be related to issuing HTTP::respond in the LB_FAILED event in an iRule.
607713-3 : SIP Parser fails header with multiple sequential separators inside quoted string.
Component: Service Provider
Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.
Conditions:
If a SIP header contains multiple attribute separators ',' or ';' in an attribute.
Impact:
The SIP parser flags the message as an error. If the separators occur inside a quoted string within the attribute, they should be allowed, but parsing still fails, so valid SIP messages are rejected.
Workaround:
None.
Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.
607658-1 : GUI becomes unresponsive when managing GSLB Pool
Component: Global Traffic Manager (DNS)
Symptoms:
The GUI locks up and becomes unresponsive. Most major web browsers complain about slow JavaScript and prompt you to stop the script.
Conditions:
Managing an A type GSLB pool when hundreds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.
Impact:
Page takes a significantly long time to load.
Workaround:
Manage pools through tmsh, or wait for it to load.
607524-2 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
Component: Local Traffic Manager
Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from client is not freed and memory is leaked.
Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.
Impact:
Packet memory is leaked.
Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.
Fix:
The original packet memory is now freed when the last DHCP server is down.
607410-1 : In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible
Solution Article: K81239824
Component: Local Traffic Manager
Symptoms:
When using an iRule to output X509 Certificate's subject and issuer, the display is not OpenSSL compatible.
Conditions:
Using the iRule commands 'X509::subject' and 'X509::issuer' to get the certificate's subject and issuer.
Impact:
The BIG-IP system fails to produce properly-formatted certificate information.
If logged, it may display incorrectly-parsed attributes similar to the following:
-- In prior versions without the fix the format is:
CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US
-- In versions with the fix the format now requires spaces between these attributes:
C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME
Workaround:
None.
Fix:
In the iRule output of X509 Certificate's subject and issuer, the system now outputs the information in a format that is 'OpenSSL X509' compatible.
Behavior Change:
In this release the order of output is reversed for the X509::subject as compared to previous versions. This change was done to make the output of [X509::subject [SSL::cert 0]] OpenSSL-compatible.
-- In prior versions without the fix the format is:
CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US
-- In versions with the fix the format now requires spaces between these attributes:
C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME
IMPORTANT: Depending on iRules you have configured, this change might impact application functionality that depends on the old format. If your application expects the output X509::subject to be in the old format, make sure to modify the iRules after upgrading.
To use the new format in any iRules that use the old structure, change the output format of the X.509 certificate subject to use this format:
C=US, O=COMPANY, OU=DEPT, OU=PKI, OU=CONTRACTOR, CN=USERNAME
Additional note:
Comma (,) is a valid character in X509::subject. In this release, the escaping method has changed.
-- In prior versions, the subject string returned by X509::subject escapes comma with backslash (\):
Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: CN=user8,OU=DEPT,O=COMPANY\,,L=Tokyo,ST=Tokyo,C=JP
When writing an iRule to validate the string, comma is already escaped by the backslash, but backslash should be escaped by another backslash as follows:
set dn_validation "OU=DEPT,O=COMPANY\\,,L=Tokyo"
-- In versions with the fix, the subject string returned by X509::subject wraps attributes with double quotation marks ("").
Rule /Common/rule_customer <CLIENTSSL_HANDSHAKE>: Subject DN: C=JP, ST=Tokyo, L=Tokyo, O="COMPANY,", OU=DEPT, CN=user8
When writing an iRule to validate the string, the whole attribute should be enclosed with double quotation marks, and each double quotation mark should be escaped by a backslash:
set dn_validation "L=Tokyo, O=\"COMPANY,\", OU=DEPT"
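As an added example that is not part of the release note or F5's code, the following Python parses both X509::subject formats described above (legacy backslash-escaped commas versus the fixed double-quoted, reversed-order output) and predicts the post-upgrade string for a pre-upgrade subject, so an existing iRule match string can be checked before upgrading. It assumes only the quoting rule the note shows: values containing a comma are wrapped in double quotes.

```python
"""Parse and convert the two X509::subject string formats from bug 607410-1.

Added example, not F5 code. The release note shows:
  legacy:  CN=user8,OU=DEPT,O=COMPANY\\,,L=Tokyo,ST=Tokyo,C=JP
  fixed:   C=JP, ST=Tokyo, L=Tokyo, O="COMPANY,", OU=DEPT, CN=user8
Legacy: ',' separators, literal commas escaped as '\\,', most-specific RDN first.
Fixed:  ', ' separators, values containing a comma wrapped in double quotes,
        RDN order reversed. Quoting only the comma case is an assumption
        based on the single example the note gives.
"""
from typing import List, Tuple

RDN = Tuple[str, str]

# Subject strings quoted from the release note.
LEGACY_SUBJECT = "CN=user8,OU=DEPT,O=COMPANY\\,,L=Tokyo,ST=Tokyo,C=JP"
FIXED_SUBJECT = 'C=JP, ST=Tokyo, L=Tokyo, O="COMPANY,", OU=DEPT, CN=user8'


def _split_attr(attr: str) -> RDN:
    """Split 'KEY=value' into a tuple; reject malformed attributes."""
    key, sep, value = attr.partition("=")
    if not sep or not key:
        raise ValueError(f"malformed attribute: {attr!r}")
    return key, value


def parse_legacy_dn(dn: str) -> List[RDN]:
    """Parse the pre-fix format: a backslash escapes the next character."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash at end of subject")
            buf.append(dn[i + 1])      # escaped character is taken literally
            i += 2
            continue
        if ch == ",":                   # unescaped comma ends the attribute
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [_split_attr(p) for p in parts]


def parse_openssl_dn(dn: str) -> List[RDN]:
    """Parse the fixed format: commas inside double quotes are literal."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes   # quotes delimit; they are not part of the value
        elif ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in subject")
    parts.append("".join(buf).strip())
    return [_split_attr(p) for p in parts]


def format_openssl_dn(rdns: List[RDN]) -> str:
    """Render RDNs the way the fixed X509::subject output does."""
    rendered = []
    for key, value in rdns:
        if "," in value:                # assumption: only a comma triggers quoting
            value = f'"{value}"'
        rendered.append(f"{key}={value}")
    return ", ".join(rendered)


def legacy_to_openssl(legacy_dn: str) -> str:
    """Predict the post-upgrade subject string for a pre-upgrade one."""
    return format_openssl_dn(list(reversed(parse_legacy_dn(legacy_dn))))


def rdn_values(rdns: List[RDN], key: str) -> List[str]:
    """All values of a possibly repeated attribute such as OU, in order."""
    return [v for k, v in rdns if k == key]


if __name__ == "__main__":
    predicted = legacy_to_openssl(LEGACY_SUBJECT)
    print("legacy :", LEGACY_SUBJECT)
    print("fixed  :", predicted)
    print("match  :", predicted == FIXED_SUBJECT)
    # The note's pre-upgrade match string and its post-upgrade equivalent
    print("old check hits:", "OU=DEPT,O=COMPANY\\,,L=Tokyo" in LEGACY_SUBJECT)
    print("new check hits:", 'L=Tokyo, O="COMPANY,", OU=DEPT' in predicted)
```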
607360-5 : Safenet 6.2 library missing after upgrade★
Component: Local Traffic Manager
Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.
Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.
Impact:
Safenet 6.2 is not functional.
Workaround:
Reinstall Safenet 6.2, or run the following command on all blades of the BIG-IP system after the installation:
ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so
Fix:
The symbolic link to libgem is now added when the pkcs11d daemon starts or restarts.
607314-1 : Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
Solution Article: K25075696
607304-5 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Component: Local Traffic Manager
Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Conditions:
This can occur under normal operation, while running the geo_update command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Running the geo_update command no longer causes this error.
607246-10 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
Component: Local Traffic Manager
Symptoms:
You notice erratic persistence behavior when you set cookie encryption to "required" in your cookie persistence profile.
Conditions:
Encrypted cookie persistence with fallback, where the fallback persistence has a reasonably short timeout, such that a request containing a valid cookie is handled after the fallback entry has expired.
Impact:
Persistence fails after fallback expired.
Workaround:
Change cookie-encryption to preferred which allows persistence on either encrypted or decrypted cookie.
607200-1 : Switch interfaces may seem up after bcm56xxd goes down
Component: TMOS
Symptoms:
'tmsh show net interface' may show that switch ports are still up after bcm56xxd is brought down. This is because bcm56xxd does not notify mcpd that bcm56xxd will go down.
Conditions:
If the switch ports are up and bcm56xxd is brought down, 'tmsh show net interface' will show that the switch ports are still up.
Impact:
The switch ports may seem up, but traffic can't be sent/received.
Workaround:
None.
Fix:
bcm56xxd now notifies mcpd that all ports have become uninitialized before it goes down.
607152-1 : Large Websocket frames corrupted
Component: Local Traffic Manager
Symptoms:
If large Websocket frames are being sent by the end-point and this transfer is interleaved with frames being sent by the other endpoint, corrupted frames could be sent by BIG-IP.
Conditions:
Websocket profile is attached to the virtual. Large Websocket frames are sent by the end-point. This transfer is interleaved with frames being sent in the other direction.
Impact:
Connection reset because of corrupted frames being received by the end-point.
606983-3 : ASM errors during policy import
Component: Application Security Manager
Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.
ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.
Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.
Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.
Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.
Fix:
Import failure no longer occurs when importing ASM policy with more than 1000 Session Awareness Data Points. Now, there is a maximum of 1000 Session Awareness Data Points exported into an XML policy export.
606940-3 : Clustered Multiprocessing (CMP) peer connection may not be removed
Component: Local Traffic Manager
Symptoms:
- High memory usage due to connflow allocations
- conn_remove_cf_not_found stat is non-zero
Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.
Impact:
Low memory may lead to allocation failures, which may cause a tmm core.
Fix:
Validation of parsed CMP flow keys has been fixed so that unknown CMP connections can be removed.
606875-1 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
Component: Application Security Manager
Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.
Impact:
Bad user experience when accessing the website's first page.
Workaround:
N/A
Fix:
The JavaScript has been optimized to reduce the time needed to load the website's first page.
606807-1 : i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
Component: TMOS
Symptoms:
If the LCD is not communicating with the BIG-IP system when the chassis manager daemon (chmand) starts, LCD errors are occasionally displayed using the sensor number rather than the name "LCD".
Conditions:
chmand restarts while the LCD is unable to communicate.
Impact:
Cosmetic.
Fix:
LCD error will show name "LCD" rather than sensor number in communication error.
606771-2 : Multiple PHP vulnerabilities
Solution Article: K35799130
606710-10 : Mozilla NSS vulnerability CVE-2016-2834
Solution Article: K15479471
606575-6 : Request-oriented OneConnect load balancing ends when the server returns an error status code.
Component: Local Traffic Manager
Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.
Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.
Impact:
The client remains connected to the server, and no further load-balancing decisions are made.
Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.
To do so, use an iRule similar to the following:
when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }
        unset auth_header
    }
    catch { ONECONNECT::detach enable }
}
Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).
Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.
606573-3 : FTP traffic does not work through SNAT when configured without Virtual Server★
Component: Local Traffic Manager
Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.
Conditions:
The BIG-IP system configured to allow FTP traffic through, and SNAT is configured without a virtual server.
Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.
Workaround:
None.
Fix:
FTP traffic now works through SNAT when SNAT is configured without a virtual server.
606565-2 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
Solution Article: K52231531
Component: Local Traffic Manager
Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous-open 4-way handshake.
Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4-way handshake (simultaneous open) occurs as described in RFC 793.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
The crash can be avoided, while still mitigating TCP 4-way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.
606521-1 : Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
Component: Application Security Manager
Symptoms:
Policy with UTF-8 encoding has disallowed high ASCII meta-characters even after upgrade, which results in suggestions for allowing meta-characters that cannot be accepted.
Conditions:
System with a policy with encoding set to UTF-8 (uppercase).
Upgrading from v11.6.x/v12.x to v12.1.2 or 13.0.0.
Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.
Workaround:
None.
Fix:
The upgrade process now fixes policies that had their encoding stored in uppercase as well.
606518-3 : iControl REST with 3rd party auth does not function as expected with special characters in the username e.g., '$', '@' / email addresses as username.
Solution Article: K00762373
Component: Device Management
Symptoms:
Cannot use usernames containing special characters ('$', '@', '.', etc.) when requesting an authentication token for iControl REST while a third-party authentication provider is being used. An 'at' ( @ ) character is a common instance when an email address is used as the username.
Conditions:
-- BIG-IP system uses 3rd party RADIUS or LDAP authentication.
-- Username contains a special character (e.g., an email address).
Impact:
Cannot authenticate and get authentication token using iControl REST.
Workaround:
Do not use username with special characters, e.g., 'at' ( @ ), period ( . ), dollar sign ( $ ), and so on.
Fix:
The logic has been updated to allow any special characters in the username and password when a third-party authentication system is used on the BIG-IP system.
606509-4 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★
Component: TMOS
Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.
Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).
Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).
Fix:
This release restores the process nice value of the vCMP guest control-plane, so the vCMP guest no longer experiences potential frequent failovers.
606316-4 : HTTPS request to F5 licensing server fails
Component: iApp Technology
Symptoms:
Licensing BIG-IP systems through REST API fails.
Conditions:
Licensing BIG-IP systems using the REST API.
Impact:
Cannot use REST API to license BIG-IP systems.
Workaround:
Use TMUI or TMSH to license BIG-IP systems.
Fix:
Licensing BIG-IP systems through REST API now completes successfully.
606257-3 : TCP FIN sent with Connection: Keep-Alive header for webtop page resources
Solution Article: K56716107
Component: Access Policy Manager
Symptoms:
When using customized webtops (for example, using custom images for the webtop links), sometimes a TCP FIN flag will be sent with a packet with an HTTP "Connection: Keep-Alive" header. Not all clients recover from this.
Conditions:
Use a customized webtop link.
Impact:
The webtop links page does not render correctly.
Fix:
Webtop page resources no longer send FIN flags with Keep-Alive headers.
606110-2 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
Component: TMOS
Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading to a version later than 12.1.0, the default driver for dataplane interfaces is the UNIC module instead of socket-based networking.
Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.
Impact:
The raw socket-based tmm driver is replaced by a UNIC driver. The socket-based driver, which eliminates kernel driver dependencies and provides better portability during kernel/driver upgrades, is no longer used.
Workaround:
None.
Fix:
BIG-IP VE socket-based networking driver retained after upgrade on AWS or Azure.
606066-2 : LSN_DELETE messages may be lost after HA failover
Component: Carrier-Grade NAT
Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.
Conditions:
CGNAT configured as an HA pair, with session logging enabled.
Impact:
An LSN_DELETE message may be missing from the logs.
Fix:
The LSN_DELETE message is no longer lost after a failover.
606035-1 : csyncd crash
Component: Local Traffic Manager
Symptoms:
csyncd crashes and dumps core under certain conditions. You might see messages such as the following: emerg logger: Re-starting csyncd.
Conditions:
csyncd handles filenames that contain certain exotic characters or symbols, or files with very long filenames.
Impact:
csyncd will crash and dump core. csyncd restarts continuously.
Workaround:
None.
Fix:
csyncd now handles filenames that contain certain exotic characters or symbols, and files with very long filenames.
605983-1 : tmrouted may crash when being restarted in debug mode
Component: Local Traffic Manager
Symptoms:
tmrouted may restart again after it is manually restarted with a debug level of 2 or higher.
Conditions:
tmrouted is manually restarted with a debug level of 2 or higher.
Multi route-domain setup with independent routing processes enabled on several route-domains.
Impact:
tmrouted may restart additional times which can add delay to getting back to service after manually restarting tmrouted.
Any restart of tmrouted already causes loss of dynamic routing sessions.
Workaround:
Do not use a debug level of 2 or higher for tmrouted. This should be done only on the recommendation of F5 Support.
Fix:
tmrouted no longer crashes when being restarted in debug mode.
605982-1 : Policy settings change during export/import
Component: Application Security Manager
Symptoms:
When a security policy with specific learning and blocking settings is exported from one device and imported to another, the imported policy does not have the expected learning and blocking settings on the target device, so it does not match the source device.
Conditions:
On device A: Security :: Application Security : Policy Building : Learning and Blocking Settings
• Select 'Enable' and 'Learn' under HTTP protocol compliance failed for all the sub-violations.
• Save and export the policy in XML format.
• Import to device B.
Impact:
The loaded policy on device B does not have all the options checked for HTTP protocol compliance failed for all the sub-violations as expected.
When exporting the policy from device B, the name of the exported file does not change to match device B's name, but still remains as device A's name.
Workaround:
For exporting a policy that has Policy Builder enabled, use either of the methods below:
1) Use XML export/import:
   + On export:
     - Stop the policy builder.
     - Export the policy to XML.
     - Start the policy builder.
   + On import:
     - Import the XML policy.
     - Start the policy builder on the newly imported policy.
2) Use binary export/import.
Fix:
This release fixes the XML policy export/import processes so that no differences are created in the 'HTTP protocol compliance' learning settings.
605894-3 : Remote authentication for BIG-IP users can fail
Component: TMOS
Symptoms:
While trying to log into the command line of the BIG-IP system as a remotely authenticated user, login intermittently fails. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server", even though the LDAP server is up and accessible from the BIG-IP system.
Conditions:
Remote authentication configured, users configured to use remote authentication, ssl-check-peer is enabled and one or more of these properties are different than "none": ssl-ca-cert-file, ssl-client-cert, ssl-client-key.
Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.
Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert and ssl-client-key to "none" can work around this issue.
605865-4 : Debug TMM produces core on certain ICMP PMTUD packets
Component: Local Traffic Manager
Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.
Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.
Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.
Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.
Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.
605792-1 : Installing a new version changes the ownership of administrative users' files★
Component: TMOS
Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.
Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.
Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.
Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.
Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but it no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer prevented from using stored public keys in authorized_keys.
605682-2 : With forward proxy enabled, sometimes the client connection will not complete.
Component: Local Traffic Manager
Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.
Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.
Impact:
Degraded service due to connections not completing.
Workaround:
None.
Fix:
The stalling caused by a missing forged certificate no longer happens.
605675-1 : Sync requests can be generated faster than they can be handled
Component: TMOS
Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.
Conditions:
Configuration changes in quick succession that might generate sync-change messages.
Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.
Workaround:
None.
605649-3 : The cbrd daemon runs at 100% CPU utilization
Solution Article: K28782793
Component: Application Security Manager
Symptoms:
The cbrd daemon runs at 100% CPU utilization.
You may notice this issue while inspecting:
- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.
Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.
Conditions:
This is a rarely occurring event whose cause is not known.
Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).
Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd
As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.
605627 : SELinux denial seen for apmd when it is being shut down.
Component: Access Policy Manager
Symptoms:
When the apmd process is stopped, an SELinux-related log message indicates that the apmd process does not have the getattr permission for a shared memory component owned by tmm.
Conditions:
When apmd is stopped or restarted.
Impact:
No impact to apmd functionality. apmd stops and starts normally.
605616-1 : Creating 256 Fundamental Security policies will result in an out of memory error
Component: Application Security Manager
Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.
Conditions:
Create 256 fundamental security policies.
Impact:
Out of memory error.
Workaround:
None.
Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.
605579-8 : iControl-SOAP expat client library is subjected to entropy attack
Solution Article: K65460334
605537-5 : Error when resetting statistics on GSLB Pool Members
Solution Article: K03997964
Component: Global Traffic Manager (DNS)
Symptoms:
GUI error: "An error has occurred while trying to process your request." when attempting to reset the GSLB stats for DNS Pool Members.
Conditions:
-- In the GUI on the Statistics :: Module Statistics : DNS : GSLB :: Pool Members page.
-- Attempting to reset statistics.
Note: This occurs only on Pool Members Statistics. Other Types are unaffected.
Impact:
Inability to reset stats for BIG-IP DNS Pool Member statistics from the GUI.
Workaround:
You can attempt to reset using a command line command similar to the following:
$ tmsh reset-stats gtm pool <record> <pool> members { <server_obj>:<member> }
For example:
$ tmsh reset-stats gtm pool a myPool1 members { LTM107:/Common/myFastL4VS }
Fix:
Fixed issue on the GSLB Pool Member stats page.
605525-1 : Deterministic NAT combined with NAT64 may cause a TMM core
Component: Carrier-Grade NAT
Symptoms:
TMM crashes when a virtual is configured with nat64 enabled, and a deterministic NAT lsn-pool, and there is traffic.
Conditions:
lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Deterministic NAT is not supported with nat64, and should not be configured.
605480-4 : BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
Component: Local Traffic Manager
Symptoms:
After completing an active close of an MPTCP connection, the BIG-IP sends MP_FASTCLOSE.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and MPTCP performs an active close of a connection.
Impact:
The BIG-IP retransmits MP_FASTCLOSE after the connection closing is complete until the maximum number of retransmissions is reached.
Fix:
Fixed sequence of events on connection closure.
605476-3 : statsd can core when reading corrupt stats files.
Component: TMOS
Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.
Conditions:
This issue occurs when the following condition is met:
The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.
Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.
Impact:
iStatsd process will restart due to resource exhaustion.
Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:
Impact of workaround: This workaround will cause all statistics in the iStats files to reset.
1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged
3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete
4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged
Fix:
Added a fix to protect against continually reading a segment file that is corrupted and has duplicate FIDs.
605427-1 : TMM may crash when adding and removing virtual servers with security log profiles
Component: Advanced Firewall Manager
Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.
Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.
Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.
Traffic disrupted while tmm restarts.
Fix:
TMM no longer crashes with multiple creation, modification and deletion of many virtual servers with security log profiles attached.
605420-5 : httpd security update - CVE-2016-5387
Solution Article: K80513384
605270-5 : On some platforms the SYN-Cookie status report is not accurate
Component: TMOS
Symptoms:
On a vCMP guest, after a ePVA-enabled virtual server enters SYN Cookie mode, the FPGA will never leave SYN Cookie mode even though BIG-IP has returned to normal mode.
Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.
Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.
Workaround:
Upgrade with new fixes for this.
Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.
605260-1 : [GUI] Changes cannot be made to GTM listener in partition with default route domain <> 0
Component: Global Traffic Manager (DNS)
Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. It gives 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed when a partition that has a default route domain other than 0 is selected.
Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.
Impact:
You will be unable to make changes to the listener.
Workaround:
Use tmsh, or use the LTM GUI: Local Traffic :: Virtual Servers.
605147-1 : No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.
Component: Local Traffic Manager
Symptoms:
New connections made when a BIG-IP flow is in TCP TIME-WAIT state are not mirrored. New TCP flows after high availability (HA) reconnections may not be mirrored correctly.
Conditions:
This occurs when a TCP profile is used, along with one of the following:
-- A BIG-IP flow is in TCP TIME-WAIT state.
-- HA connection is reestablished and a mirrored BIG-IP flow has lost some packets.
Impact:
The connections affected are not mirrored.
Workaround:
Disable TIME-WAIT for the TCP profile.
Fix:
Reconnections in TCP TIME-WAIT state are now mirrored correctly. New connections after HA reconnections are now mirrored correctly.
605125-2 : Sometimes, password fields are read-only
Component: Fraud Protection Services
Symptoms:
Sometimes, password fields are read-only, so the user cannot type any password.
Conditions:
WebSafe protection enabled on a site
Impact:
The user cannot type any password on the site.
Workaround:
N/A
Fix:
N/A
605123-1 : IAppLX objects fail to sync after establishing HA in auto-sync mode★
Component: Device Management
Symptoms:
iAppLX objects are part of the REST Framework, which implements gossip-based replication. This replication might not work when the restFrameworkVersion recorded on the device-group device is out of sync with the actual restFrameworkVersion.
Conditions:
DeviceInfoWorker detects and updates the framework version after a REST RPM upgrade, but the device-group device does not get updated correctly.
Impact:
REST framework objects (including iAppLX instances, templates, and packages) fail to sync to the HA peer.
Workaround:
Mitigation is to run DeviceRefreshWorker, which is responsible for patching the localhost resource in all device groups with the correct framework version on update. The workaround is to patch the restFrameworkVersion manually on the device-group device.
Fix:
Run DeviceRefreshWorker, which is responsible for patching the localhost resource in all device groups with the correct framework version on update.
605039-3 : lwresd and bind vulnerability CVE-2016-2775
Solution Article: K92991044
605010-1 : Thrift::TException error
Component: Application Visibility and Reporting
Symptoms:
Trying to send a scheduled report might fail in some cases with the error "Thrift::TException=HASH(0x9a65410)".
Conditions:
This occurs when sending scheduled reports.
Impact:
Failure on sending scheduled-report.
Workaround:
Modify the script to use the explicit address instead of the 'localhost' value. This can be achieved with the following commands:
mount -o remount -rw /usr
sed -i 's/localhost/127\.0\.0\.1/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
mount -o remount -r /usr
Fix:
Changed the script to use the explicit address instead of 'localhost'.
604977-2 : Wrong alert when DTLS cookie size is 32
Solution Article: K08905542
Component: Local Traffic Manager
Symptoms:
When ServerSSL profile using DTLS receives a cookie with length of 32 bytes, the system reports a fatal alert.
Conditions:
Another LTM with ClientSSL profile issues 32-byte long cookie.
Impact:
DTLS with cookie size 32-byte fails.
Workaround:
None.
Fix:
DTLS now accepts cookies with a length of 32 bytes.
604926-3 : The TMM may become unresponsive when using SessionDB data larger than ~400K
Solution Article: K50041125
Component: Local Traffic Manager
Symptoms:
There is a hard limit on message sizes sent on the backplane on chassis platforms. Messages larger than the limit (~400K) are refused at a lower layer but buffered for resending at a higher layer. The messages are never sent, which causes backplane communication to lock up.
Conditions:
-- The BIG-IP system is a chassis with more than one blade.
-- Client traffic triggers the creation of SessionDB data larger than ~400K.
Impact:
The TMM becomes unresponsive to client traffic. If left running under load, the TMM might run out of memory from buffering SessionDB data and crash.
Workaround:
The workaround is to avoid sending large SessionDB data. The TMM may be restarted in the event it does become unresponsive.
Fix:
There is no longer a hard limit for sending SessionDB data on the backplane.
604923-5 : REST id for Signatures change after update
Component: Application Security Manager
Symptoms:
The REST id of existing signatures is unexpectedly modified after updating a User-Defined Signature, or after downloading an Attack Signature Update that modifies existing signatures.
Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.
Impact:
The REST id of the modified signatures is changed which may confuse REST clients.
Workaround:
Execution of the following script will repair an affected device:
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'
Fix:
Updated Signatures now retain the correct REST id.
604885-1 : Redirect/Route action doesn't work if there is an alert logging iRule
Component: Fraud Protection Services
Symptoms:
When "Trigger iRule Events" is enabled in FPS profile and there are configured FPS rules with Route/Redirect actions, the actions will not be performed.
Conditions:
"Trigger iRule Events" is enabled in FPS profile and the virtual server has at least one iRule with ANTIFRAUD_ALERT or ANTIFRAUD_LOGIN events.
Impact:
Configured FPS rules with Route/Redirect actions will not be performed.
Workaround:
Disable "Trigger iRule Events" in the FPS profile.
Fix:
"Trigger iRule Events" no longer breaks FPS rules with configured Route/Redirect actions.
604880-4 : tmm assert "valid pcb" in tcp.c
Component: Local Traffic Manager
Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
604838-1 : TCP Analytics incorrectly reports entities as "Aggregated"
Component: Local Traffic Manager
Symptoms:
Although the user has configured TCP Analytics to store statistics for a certain entity, it reports data for that entity in a single "Aggregated" row.
Conditions:
ALL of these conditions must be true:
The TCP Analytics profile is attached to a virtual with both clientside or serverside collection turned off in the profile.
TCP profile has mptcp, rate-pace, tail-loss-probe, fast-open, AND enhanced-loss-recovery all disabled. Also, Nagle, send-buffer, receive-window, proxy-buffer are not in AUTO mode. Finally, rexmt-thresh is 3 and the congestion control algorithm is not delay-based (NewReno, HighSpeed, Cubic). Regrettably, this matches the default TCP profile.
An iRule enables TCP-Analytics when disabled by default in the tcp-analytics profile.
Impact:
Defect eliminates nearly all data granularity for TCP Analytics.
Workaround:
Change the TCP profile on the virtual to violate any of the conditions listed above. The easiest is probably to enable rate pace or mptcp. For all affected versions, this will result in a noticeable CPU performance penalty.
Fix:
Load entity information for both TCP stacks.
604811-3 : Under certain conditions TMM may crash while processing OneConnect traffic
Component: Local Traffic Manager
Symptoms:
TMM may crash while processing OneConnect traffic
Conditions:
Removing the OneConnect profile from a virtual server while passing traffic.
Impact:
TMM crash leading to a failover event
Fix:
TMM now processes profile removals as expected
604767-1 : Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of the IdP connector object.
Component: Access Policy Manager
Symptoms:
When importing the SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.
Conditions:
BIG-IP is used as SAML SP.
Impact:
Described behavior will result in misconfiguration. SAML WebSSO will subsequently fail.
Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.
604727-1 : Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★
Component: TMOS
Symptoms:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. After upgrade from 10.2.4 to 12.1.x, you are unable to use the GUI. The system posts the following message: The configuration has not yet loaded. CLI login works, and /var/log/ltm shows that the following message was recorded during the device bootup phase:
emerg load_config_files: "/usr/libexec/bigpipe base daol" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip_sys.conf Line 113): 012e0010:3: The requested value ({ i192_168_0_20_1) is invalid (<trapsess list> ` none) [add ` delete]) for 'trapsess' in 'snmpd'.
Conditions:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. The root cause is that the host parameter in the trap is encapsulated in quotation marks.
Impact:
The upgrade completes, but the configuration does not load when the system restarts.
Workaround:
After the configuration fails to load in this case, you can remove the SNMP trap destination configuration by editing the /config/bigpipe/bigip_sys.conf file, and performing a manual configuration conversion and reload to recover.
Alternatively, to prevent the configuration load failure from occurring, you can remove the SNMP trap destination configuration before you upgrade to BIG-IP 12.1.x. Both procedures require that you re-create the SNMP trap destination configuration once the upgrade to BIG-IP 12.1.x and/or configuration load are complete.
Fix:
Upgrade from 10.2.4 now completes successfully when the 10.2.4 configuration includes SNMP traps whose host parameter is enclosed in quotation marks.
604612-1 : Modified ASM cookie violation happens after upgrade to 12.1.x★
Solution Article: K20323120
Component: Application Security Manager
Symptoms:
False positive modified ASM cookie violation. Perhaps other false positive cookie related violations.
Conditions:
System upgraded to 12.1.x. Existing end users are connected with their browsers to the site.
Impact:
False positive violations. A blocking page will be shown in case the modified ASM cookie is set to blocking (which is the default for this violation in case the policy is in blocking state).
Workaround:
There are three options:
A. Set the modified ASM cookie violation to transparent for some time after the upgrade.
B. Use the erase cookie blocking page as the default blocking page for some time after the upgrade.
C. Use an iRule similar to the following:
when ASM_REQUEST_DONE {
    if {[ASM::violation names] contains "VIOLATION_MOD_ASM_COOKIE"} {
        log local0. "remove TS01d2cce8 cookie"
        HTTP::respond 302 Location "http://sub.some_domain.com/index.html?[ASM::support_id]" "Set-Cookie" "TS01d2cce8=deleteOldTSCookie;expires=Thu, 01 Jan 1970 00:00:01 GMT"
    }
}
Fix:
Modified ASM cookie violation no longer happens after upgrade to this version.
604549-7 : MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
Component: Local Traffic Manager
Symptoms:
If a DATA_FIN is received with a DATA_ACK that acknowledges data, the BIG-IP will not process the DATA_ACK and will not shutdown the connection properly as it thinks there is still outstanding data to be acknowledged.
Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a DATA_FIN that DATA_ACKs data is received on an MPTCP connection.
Impact:
The connection is not closed properly and eventually times out.
Fix:
Fixed DATA_FIN handling.
604547-1 : Unix daemon configuration may be lost or not updated upon reboot
Solution Article: K21551422
Component: TMOS
Symptoms:
The confpp script is invoked to pass TMOS configuration information to other non-TMOS daemons running on a BIG-IP system. When a BIG-IP system is rebooted, if TMOS configuration elements are parsed or configuration changes or other events occur early in the boot process, the corresponding changes may not be propagated to the confpp.dat file and processed by the confpp script. As a result, configuration information may not be propagated as expected to non-TMOS daemons.
A common symptom of this issue is that syslog-ng configuration is not updated to reflect the selection of the primary blade in a VIPRION chassis.
Conditions:
This issue may occur when booting an affected version of BIG-IP, such as:
- Rebooting blades in a VIPRION chassis.
- Rebooting a BIG-IP appliance or Virtual Edition instance.
Impact:
Expected configuration settings may not be applied to non-TMOS daemons upon a reboot.
For example, syslog-ng configuration may not be updated to include expected logging on the primary blade in a VIPRION chassis.
Workaround:
On a running BIG-IP system that shows symptoms of this issue, changing a db variable will trigger the confpp script to run and update the relevant non-TMOS daemons with appropriate settings from the current configuration. To implement this workaround, use the Traffic Management Shell (tmsh) to update a db variable.
For example:
tmsh modify sys db log.clusterd.level value "Informational"
This issue can be avoided by forcing the MCP configuration to be reloaded from configuration files instead of from the MCP binary database (mcpdb.bin).
For details, see:
K13030: Forcing the mcpd process to reload the BIG-IP configuration.
Fix:
Configuration data/changes that occur early in the BIG-IP boot process are propagated successfully to non-TMOS daemons by the confpp script.
604496-4 : SQL (Oracle) monitor daemon might hang.
Component: Local Traffic Manager
Symptoms:
SQL (Oracle) monitor daemon might hang under high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that hung connections are being aborted and that the address is in use and the daemon is unable to connect.
Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.
Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.
Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce the monitoring frequency (increase the monitor interval).
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.
Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.
604459-1 : On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
Component: TMOS
Symptoms:
The following message appears on the console shortly after the system boots:
emerg logger: Re-starting bcm56xxd.
Conditions:
This occurs as a result of a possible race condition on i5x00, i7x00 and i10x00 platforms.
Impact:
No functional impact, bcm56xxd daemon restarts successfully.
Workaround:
None.
604371-1 : Pagination controls missing for GSLB pool members
Component: Global Traffic Manager (DNS)
Symptoms:
The pagination controls for GSLB pool members do not appear when there are more items in the list than can be displayed (Record Per Screen)
Conditions:
Customer is running 12.1.0 - 12.1.2
Impact:
Unable to view the status of, or modify GSLB pool members beyond those displayed on the screen
Workaround:
Increase the number of Records Per Screen (System / Preferences / Records Per Screen) to a number larger than the number of items in your pool
604272-1 : SMTPS profile connections_current stat does not reflect actual connection count.
Component: Local Traffic Manager
Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.
Conditions:
This occurs if you have an SMTPS virtual server configured.
Impact:
profile_smtps_stat.connections_current rises over time and does not reflect the actual number of active SMTPS connections.
604237-3 : Vlan allowed mismatch found error in VCMP guest
Component: TMOS
Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "
Conditions:
When the vlan-allowed list contains a VLAN whose name matches the suffix of another VLAN in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."
Impact:
Unable to use VLAN.
Workaround:
Rename the VLANs so that no VLAN name matches the suffix of any other VLAN name.
604223-2 : pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
Component: Local Traffic Manager
Symptoms:
The current signal handler uses 'exit' at the time of 'SIGTERM'. This may result in a core under some abnormal situations.
Conditions:
When stopping pkcs11d using a command like 'bigstart restart pkcs11d' or 'kill pkcs11d'.
Impact:
pkcs11d cores.
Workaround:
pkcs11d automatically comes up again after the core.
Fix:
The system now waits for all threads to finish before the pkcs11d program exits, so the core no longer occurs.
604211-1 : License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★
Solution Article: K72931250
Component: TMOS
Symptoms:
On Azure, after upgrading to any version other than 12.0.0 HF1-EHF14 or 12.1.0-HF1-EHF22, the system boots up as Not Licensed and Inoperative.
Although certain cloud-specific 12.x EHFs, such as BIG-IP Virtual Edition 12.1.0 HF1 EHF1, are intended for AWS only, BIG-IP does not prevent you from accidentally downloading and installing them in Azure environments. If you upgrade an Azure instance from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to 12.1.0 HF1 EHF1, 12.0.0-hf4, or 12.1.1, the Azure license becomes nonoperational and is invalidated.
Conditions:
Upgrading a BYOL instance on Azure to 12.1.0 HF1 EHF1 or 12.1.1. The Azure-specific versions are as follows:
- 12.0.0-HF1-EHF14.
- 12.1.0-HF1-EHF22.
Impact:
License becomes unusable. Re-licensing the instance gets an invalid license.
Workaround:
The workaround for this issue is to boot back into the previous boot volume, and then upgrade to 12.1.0-HF1-EHF22 in Azure.
To change default boot volume, choose one of the following methods:
1. tmsh reboot volume volume-name.
2. switchboot utility (interactive mode by default).
3. Admin UI.
For more information about the switchboot utility, see SOL5658: Overview of the switchboot utility, available here: https://support.f5.com/csp/#/article/K5658
Fix:
This release fixes the issue in which the Azure license became nonoperational after upgrading to BIG-IP Virtual Edition 12.1.0 HF1 EHF1 from 12.0.0 HF1 EHF14.
Note: Do not use BIG-IP 12.1.0 HF1 EHF1 in the Azure environments.
604191-1 : AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★
Component: Application Visibility and Reporting
Symptoms:
Loading the configuration after upgrade might fail due to mishandling of scheduled-reports, with an error similar to the following:
err mcpd[5492]: 01071afc:3: Report scheduling requires specifying valid measures for entity asm_repev_ip.
Conditions:
-- AVR provisioned.
-- Having a scheduled report defined on a version earlier than v12.1.0, and upgrading to v12.1.0.
Impact:
Loading the configuration after upgrade might fail.
Workaround:
None.
Fix:
Loading the configuration after upgrade of scheduled-reports is now properly handled.
604133-2 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state
Component: Local Traffic Manager
Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.
Conditions:
Ramcache + another filter or iRule inspecting/modifying cookies in a Ramcache response.
Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.
Fix:
Ramcache clears the HTTP cookie cache in its responses.
604061-2 : Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
Component: TMOS
Symptoms:
Traffic does not pass through a trunk interface and /var/log/ltm contains messages such as:
lacpd[6636]: 01160011:6: Link 2.2 Actor Out of Sync
lacpd[6636]: 01160012:6: Link 2.2 Partner Out of Sync
Conditions:
1) BIG-IP 2000/4000 or similar platform where "qprop tmos.lacpd_depends_on_tmm == true"
2) Passive LACP trunk
3) tmm has crashed after box has come up
4) tmm startup delayed by dumping large core file
5) tmm startup delayed by large config or busy control plane
Impact:
Trunks created by LACP do not pass traffic.
Workaround:
Restart lacpd after tmm has come up again: "bigstart restart lacpd"
Alternatively, modify /etc/bigstart/scripts/tmm.finish to restart lacpd when tmm goes down.
Modify this line:
for d in admd asm avrd dosl7d; do
With these lines:
for d in lacpd admd asm avrd dosl7d; do
if [ `$BIGSTART singlestatus $d` = "run" ]; then
$BIGSTART restart $d &
fi
done
604011-1 : Sync fails when iRule or policy is in use★
Component: TMOS
Symptoms:
After upgrading and attempting to sync to devices in a sync group, sync fails with the following error:
Load failed from 119.big.ip 01070621:3: Rule priorities for virtual server (vs1) must be unique.
Load failed from /Common/big152 01070712:3: Caught configuration exception (0), Values (/Common/vs1) specified for virtual server policy (/Common/vs1 /Common/asm_auto_l7_policy__vs1): foreign key index (vs_FK) do not point at an item that exists in the database.
Conditions:
- A virtual address exists in the traffic-group-local-only group, meaning that it is not synced
- A CPM policy or iRule is applied to that virtual server
- Conduct a sync
This was seen on an upgrade from 12.0.0 to 12.1.0 HF1 or beyond, but could be triggered on an upgrade from any version from 11.4.0 and beyond to 12.1.0 HF1.
Impact:
Config sync fails.
Workaround:
Disassociate the iRule or policy from the virtual server, then attempt to sync.
603997 : Plugin should not inject nonce to CSP header with unsafe-inline
Component: Fraud Protection Services
Symptoms:
When injecting CSP header values to enable FPS Plugin to work, unnecessary injections may invalidate the application's 'allow inline script' policy, since the more restrictive directive is always applied.
Conditions:
Server response contains either header from the 'Content-Security-Policy' header family.
Impact:
The application's inline scripts refuse to run because the FPS plugin injects a nonce. This breaks the user's application.
Workaround:
None.
Fix:
CSP header's 'unsafe-inline' and 'nonce' directive injection has been made mutually exclusive.
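As an added illustration of the mutually exclusive rule the fix describes (this is example code, not the FPS plugin's own implementation), the following Python appends a nonce only to the directive that actually governs scripts, and leaves the policy untouched when that directive already allows 'unsafe-inline'. The header values, nonce value and function names are constructed for the example.

```python
"""Nonce injection into Content-Security-Policy that never disables 'unsafe-inline'.

Added example, not BIG-IP or FPS plugin code. Browsers that implement CSP Level 2
or later ignore 'unsafe-inline' in a directive once a nonce-source or hash-source
is present, so injecting a nonce next to 'unsafe-inline' silently blocks the
application's own inline scripts.
"""

CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")


def parse_csp(value):
    """Split a CSP header value into an ordered mapping: directive -> source list."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


def inject_nonce(value, nonce):
    """Return (new_header_value, injected).

    The nonce goes into script-src if present, otherwise default-src, because that
    is the directive that governs scripts. If that directive already carries
    'unsafe-inline', nothing is injected and the caller must allow its script some
    other way. Multiple nonce sources are legal, so an existing nonce is left alone.
    """
    policy = parse_csp(value)
    target = "script-src" if "script-src" in policy else "default-src"
    if target not in policy:
        return value, False  # no directive restricts scripts, so no nonce is needed
    sources = policy[target]
    if "'unsafe-inline'" in (s.lower() for s in sources):
        return value, False  # mutually exclusive with a nonce: leave the policy alone
    sources.append(f"'nonce-{nonce}'")
    return serialize_csp(policy), True


def inject_into_response(headers, nonce):
    """Apply inject_nonce to every header of the CSP family present in the response.

    headers is a plain dict of header name -> value (constructed for the example).
    Returns the number of headers that received the nonce.
    """
    count = 0
    for name in list(headers):
        if name.lower() in CSP_HEADERS:
            headers[name], injected = inject_nonce(headers[name], nonce)
            count += injected
    return count
```

The report-only header is handled the same way as the enforcing header, since both are in the 'Content-Security-Policy' family the Conditions above refer to.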
603979-4 : Data transfer from the BIG-IP system self IP might be slow
Component: Local Traffic Manager
Symptoms:
TCP traffic on a BIG-IP system using a self IP address may not correctly honor the MSS size specified during the connection establishment. The result is IP fragmentation of TCP segments sent out on the wire. The expected behavior is that TSO would package the TCP segments in a way that would not require fragmentation.
When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid; however, some routers drop such packets. This might result in retransmissions and low throughput.
Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.
This occurs only when TCP segmentation offload (TSO) is enabled, and traffic is using a tmm interface. TSO enabled is the default setting.
Impact:
Data transfer from the BIG-IP system's self IP address might be slow or fail.
Workaround:
To work around this issue, you can disable TSO by issuing the command:
ethtool -K tmm tso off.
Note: This has a different effect from setting the db key tm.tcpsegmentationoffload to 'disable' (which is not a workaround for the issue).
Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/csp/#/article/K14397. For example,
alert tmmready "Tmm ready" {
exec command="/sbin/ethtool -K tmm tso off"
}
Fix:
Data transfer from the BIG-IP system self IP address has been improved.
603945-2 : BD config update should be considered as config addition in case of update failure
Component: Application Security Manager
Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.
Conditions:
The condition that leads to this scenario is not clear and is still under investigation.
Impact:
The update fails and the entity is not added.
Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.
This fixes the issue in the cases in which it is a single entity.
Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.
603875-2 : The statistic ASM memory Utilization - bd swap size: stats are wrong
Component: Application Visibility and Reporting
Symptoms:
AVR reports incorrect bd swap size statistics.
Conditions:
-- ASM provisioned.
-- Viewing swap size statistics.
Impact:
Wrong value is displayed.
Workaround:
1. Edit /etc/avr/tmstat_tables.xml
2. Change the following line:
From:
<value publishName="swap_size" columnName="swap_size" behavior="total" type="diff"/>
To:
<value publishName="swap_size" columnName="swap_size" behavior="average" type="status"/>
3. Run the following command: restart avrd.
Fix:
The statistic ASM memory Utilization - bd swap size: stats are now correct.
603825-2 : Crash when a Gy update message is received by a debug TMM
Component: Policy Enforcement Manager
Symptoms:
Debug TMM will crash when a Gy update message is received.
Conditions:
- Need a Debug TMM running
- Gy update message must be received by the BIG-IP
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use non-debug TMM.
Fix:
Added checks to detect Gy update messages and handle them accordingly in the debug TMM, preventing the crash in the debug TMM.
603758-1 : Big3D security hardening
Solution Article: K82038789
603755-1 : dwbld core dump when Auto Blacklisting is configured, in a rare scenario
Component: Advanced Firewall Manager
Symptoms:
The dynamic white/black daemon (dwbld) (a Control Plane daemon that supports the AFM IP intelligence feature) generates a core when processing an Auto Blacklisting Entry addition by TMM, when attack traffic causes a blacklist entry to be added.
The problem happens in a rare scenario when dwbld and tmm are out of sync with respect to category names. This might happen for a very short window when configuration changes are made to Blacklist Categories (such as adding or removing a category).
Conditions:
-- DoS Auto Blacklisting feature enabled.
-- Attack traffic generates an Auto Blacklist IP address entry.
-- Configuration change to Blacklist Category occurs at the same time.
Impact:
dwbld crashes and restarts. No significant impact, as after restart, the dwbld should work properly.
Workaround:
None.
Fix:
The release adds handling for the case in which dwbld is not up-to-date with configuration changes to Blacklist Categories when it simultaneously receives an Auto Blacklist Entry.
603746-1 : DCDB security hardening
Component: WebAccelerator
Symptoms:
The DCDB utility, as used in AAM processing, does not use current secure coding practices.
Conditions:
AAM active
Impact:
DCDB usage does not follow current secure coding practices.
Fix:
Update DCDB use to meet current secure coding standards.
603723-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
None.
Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.
603700 : tmm core on multiple SSL::disable calls
Component: Local Traffic Manager
Symptoms:
tmm can crash if SSL::disable is called repeatedly in an iRule event.
Conditions:
Invoking SSL::disable multiple times in the same iRule event
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a crash related to multiple calls of SSL::disable
603667-2 : TMM may leak or corrupt memory when configuration changes occur with plugins in use
Component: Local Traffic Manager
Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.
Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.
Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.
Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).
Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.
603658-1 : AAM security hardening
Solution Article: K25359902
603609-2 : Policy unable to match initial path segment when request-URI starts with "//"
Component: Local Traffic Manager
Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".
Conditions:
An LTM policy rule whose HTTP URI path condition matches a value anywhere in the path or in the initial path segment does not match when the request-URI starts with "//".
Impact:
The policy does not match in this case.
Workaround:
The policy can be modified to scan the full URI instead of just the path element; however, take care to correctly handle potential matches in absolute-form URIs or in the query string.
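The following Python is an added example, not the LTM policy engine: it contrasts a split-based initial-segment lookup, which sees an empty first segment for "//admin/...", with a matcher that extracts the path element first and so handles the workaround's two caveats (absolute-form URIs and query strings). The request-URIs and rule values are constructed for the example.

```python
"""Initial-path-segment matching that survives a request-URI beginning with "//".

Added example, not the LTM policy engine. Both matchers are constructed to show
the failure mode in this note: a naive "text between the first two slashes"
lookup yields an empty segment for "//admin/...", so a rule for "admin" never fires.
"""
import re
from urllib.parse import urlsplit

_ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def naive_initial_segment(request_uri):
    """What a split-based matcher does: take the text between the first two slashes."""
    path = request_uri.split("?", 1)[0]
    parts = path.split("/")
    return parts[1] if len(parts) > 1 else ""


def extract_path(request_uri):
    """Return only the path part of a request-target.

    absolute-form ("http://host/a/b?q") is parsed with urlsplit; origin-form is
    handled by hand because urlsplit would read a leading "//" as an authority.
    """
    if _ABSOLUTE_FORM.match(request_uri):
        return urlsplit(request_uri).path or "/"
    return request_uri.split("?", 1)[0].split("#", 1)[0]


def initial_segment(request_uri):
    """First non-empty path segment, so "//admin/x", "/admin/x" and "///admin" agree.

    Collapsing repeated leading slashes is a normalisation decision: use it in the
    policy only if the origin server resolves "//admin" and "/admin" to the same
    resource; otherwise the two sides disagree about what was requested.
    """
    segments = [s for s in extract_path(request_uri).split("/") if s]
    return segments[0] if segments else ""


def rule_matches(request_uri, value, scope="initial-segment"):
    """Evaluate a path rule on the path element only, never on the query string or
    on the authority of an absolute-form URI."""
    if scope == "initial-segment":
        return initial_segment(request_uri) == value
    if scope == "anywhere":
        return value in extract_path(request_uri)
    raise ValueError(f"unknown scope: {scope}")
```

Note that "//admin" in a query-string parameter or "admin" in the host part of an absolute-form URI does not satisfy the rule: only the path element is inspected.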
603605-1 : Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
Component: iApp Technology
Symptoms:
After installation, the application RPM on the active device is replicated to the standby. If the standby does not have DHD installed, the installation page is never shown.
Conditions:
HA setup for DoS Hybrid Defender, with DHD only installed on Active.
Impact:
HA cannot be supported for DHD application on 12.1.0 and 12.1.1.
Workaround:
None.
Fix:
Can now install DoS Hybrid Defender on standby device in HA pair if it's already installed on active.
603598-3 : big3d memory under extreme load conditions
Component: Global Traffic Manager (DNS)
Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.
This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.
Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.
When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.
For this to happen, the Active queue must be full as well as the Pending queue.
One possible condition that might cause this is if multiple Monitors time out. This results in Monitors having long life times, which keeps the Active queue full.
Thus the Pending queue might become full and the memory leak can occur.
In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue.
Because the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest there. In later versions, the leak is still possible, but is less likely to occur.
Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.
Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded, which minimizes the chance that the Pending queue becomes full.
There is no mechanism to resize the queues.
Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.
603550-1 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
Solution Article: K63164073
Component: Local Traffic Manager
Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.
As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.
-- Virtual stats 'Current SYN Cache' does not decrease.
Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, it has both a FastL4 profile and a Layer 7 (HTTP) profile) and a SYN flood is directed at that virtual server.
Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.
Workaround:
None.
Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.
603397-2 : tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config
Component: Service Provider
Symptoms:
tmm will core if the transport config specified in a MR::message route iRule command does not exist.
Conditions:
The transport-config specified in an MR::message route iRule command does not exist.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use the correct name for the transport-config object.
Fix:
fixed a tmm core.
603236-1 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
Component: Local Traffic Manager
Symptoms:
Creating 1024 and 4096 size keys fail when the SafeNet client version installed on BIG-IP is 6.2 and SafeNet appliance firmware is 6.10.9.
Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.
Impact:
Cannot create 1024 or 4096 size RSA keys.
Workaround:
None.
Fix:
Removed the config line, RSAKeyGenMechRemap = 1, that was conflicting with 6.10.9 firmware.
603234-3 : Performance Improvements
Component: Fraud Protection Services
Symptoms:
Certain detection algorithms can slow down the client application.
Conditions:
FPS enabled, full AJAX encryption enabled
Impact:
Client side AJAX detection can be slow.
Fix:
The performance of some detection algorithms has been improved.
603149-2 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
Component: TMOS
Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.
Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.
Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.
Workaround:
Before the fix, decrease lifetime-kilobytes until properly stable.
Fix:
The fix should make every value no more than 4294967295 kilobytes work correctly, without becoming some smaller value. (Note this value is 2^32-1.) If the size of ike-phase2-lifetime-kilobytes becomes 64-bit in the future, this will also work, causing a 64-bit value for kilobytes to occur in isakmp negotiation.
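To make the arithmetic concrete, here is an added Python example (not the racoon or BIG-IP implementation). The note only says that values up to 2^32-1 kilobytes are processed "as if smaller"; modelling that as a kilobytes-to-bytes conversion done in 32-bit arithmetic is an assumption made for illustration. The second half shows how a kilobyte lifetime is carried in ISAKMP data attributes so that a 64-bit value can be negotiated; the attribute layout follows RFC 2408 section 3.3 and the IPsec DOI attribute numbers from RFC 2407 section 4.5.

```python
"""Kilobyte SA lifetimes: what a 32-bit field does to them, and how they travel on
the wire in ISAKMP data attributes.

Added example, not the racoon or BIG-IP implementation. Treating the "behaves as
a smaller value" symptom as a kilobytes-to-bytes multiplication in 32-bit
arithmetic is an assumption for illustration; the note does not state the cause.
Attribute numbers: type 1 = SA Life Type (2 = kilobytes), type 2 = SA Life Duration.
"""
import struct

ATTR_SA_LIFE_TYPE = 1
ATTR_SA_LIFE_DURATION = 2
LIFE_TYPE_SECONDS = 1
LIFE_TYPE_KILOBYTES = 2
UINT32_MAX = 2**32 - 1


def effective_kilobytes(kilobytes, width_bits):
    """Lifetime that actually takes effect if kilobytes*1024 is stored in a field of
    width_bits bits. With width_bits=32 anything above 2^22-1 KB wraps around."""
    byte_limit = (kilobytes * 1024) % (1 << width_bits)
    return byte_limit // 1024


def encode_attribute(attr_type, value):
    """One ISAKMP data attribute: TV form (AF bit set, 16-bit value) when the value
    fits in 16 bits, otherwise TLV form with a 4- or 8-byte big-endian value."""
    if value <= 0xFFFF:
        return struct.pack("!HH", 0x8000 | attr_type, value)
    size = 4 if value <= UINT32_MAX else 8
    return struct.pack("!HH", attr_type, size) + value.to_bytes(size, "big")


def decode_attributes(data):
    """Inverse of encode_attribute for a run of attributes; returns [(type, value)]."""
    attrs, offset = [], 0
    while offset < len(data):
        head, second = struct.unpack_from("!HH", data, offset)
        offset += 4
        attr_type = head & 0x7FFF
        if head & 0x8000:                      # TV form: 'second' is the value
            attrs.append((attr_type, second))
        else:                                  # TLV form: 'second' is the length
            attrs.append((attr_type, int.from_bytes(data[offset:offset + second], "big")))
            offset += second
    return attrs


def kilobyte_lifetime_payload(kilobytes):
    """Life Type + Life Duration attributes for a kilobyte lifetime, as a transform
    in an SA proposal would carry them. Values above 2^32-1 get an 8-byte duration."""
    return (encode_attribute(ATTR_SA_LIFE_TYPE, LIFE_TYPE_KILOBYTES)
            + encode_attribute(ATTR_SA_LIFE_DURATION, kilobytes))
```

With a 32-bit field, a configured 4294967295 KB lifetime takes effect as 4194303 KB, which is the "expires too quickly" behaviour in the Symptoms; with a 64-bit field the configured value survives, and the TLV form carries it to the peer unchanged.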
603082-3 : Ephemeral pool members are getting deleted/created over and over again.
Component: Local Traffic Manager
Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.
Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.
Impact:
Traffic disrupted while mcpd restarts.
603032-1 : clientssl profiles with sni-default enabled may leak X509 objects
Component: Local Traffic Manager
Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.
Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.
Impact:
The amount of leakage depends on the number of virtuals with sni-default-enabled clientssl profiles and the frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.
Workaround:
No workaround short of not using sni-default.
Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.
603019-3 : Inserted SIP VIA branch parameter not unique between INVITE and ACK
Component: Service Provider
Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.
Conditions:
If the CSEQ number of a SIP message is the same, the inserted VIA header will contain the same branch parameter.
Impact:
SIP proxy servers which perform strict message validations may reject the call.
Fix:
The branch parameter of the inserted Via header now includes a hash of the branch parameter of the received top-most Via header. Thus, if the received top-most Via conforms to the specification and carries a different branch parameter for the INVITE and the ACK, the inserted Via also has a different branch parameter.
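The following Python is an added example, not the BIG-IP SIP proxy code. It builds the branch for a proxy-inserted Via in the two ways this note contrasts: from Call-ID and CSeq number only (the colliding scheme) and with the received top-most Via's branch folded in (the fixed scheme). The INVITE and ACK messages, the hash construction and the proxy address are constructed for the example.

```python
"""Branch parameter for a proxy-inserted Via header, before and after the fix.

Added example, not the BIG-IP SIP proxy code. The messages below are constructed;
the legacy scheme derives the branch from Call-ID and CSeq number only, so an
INVITE and the ACK that follows it (same CSeq number) get the same branch. The
fixed scheme also hashes in the branch of the received top-most Via.
"""
import hashlib

MAGIC_COOKIE = "z9hG4bK"  # RFC 3261: branches generated by compliant elements start with this


def get_header(message, name, compact=None):
    """Value of the first header called name (or its compact form) in a SIP message."""
    for line in message.split("\r\n"):
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() in (name.lower(), (compact or "").lower()):
            return value.strip()
    return ""


def via_branch(via_value):
    """Branch parameter of a Via header value, '' if absent."""
    for param in via_value.split(";")[1:]:
        key, _, val = param.strip().partition("=")
        if key.lower() == "branch":
            return val
    return ""


def _branch(*material):
    digest = hashlib.sha1("|".join(material).encode()).hexdigest()[:24]
    return MAGIC_COOKIE + digest


def legacy_inserted_branch(message):
    """Collides between INVITE and ACK: depends only on Call-ID and CSeq number."""
    cseq_number = get_header(message, "CSeq").split()[0]
    return _branch(get_header(message, "Call-ID", "i"), cseq_number)


def fixed_inserted_branch(message):
    """Also folds in the received top-most Via's branch, as the fix describes."""
    cseq_number = get_header(message, "CSeq").split()[0]
    received = via_branch(get_header(message, "Via", "v"))
    return _branch(get_header(message, "Call-ID", "i"), cseq_number, received)


def insert_via(message, proxy_address, branch):
    """Prepend the proxy's Via above the received ones, as a forwarding proxy does."""
    request_line, rest = message.split("\r\n", 1)
    return f"{request_line}\r\nVia: SIP/2.0/UDP {proxy_address};branch={branch}\r\n{rest}"


# Constructed INVITE and the ACK for its 2xx response; the UA uses a new branch on the ACK.
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776asdhds\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 314159 INVITE\r\n\r\n")
ACK = ("ACK sip:bob@example.com SIP/2.0\r\n"
       "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776asdhds9\r\n"
       "Call-ID: a84b4c76e66710\r\n"
       "CSeq: 314159 ACK\r\n\r\n")
```

One caveat the fix text already implies: an ACK for a non-2xx final response reuses the INVITE's branch per RFC 3261, so the inserted branches collide again in that case; that is correct, because both messages belong to the same transaction.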
602975-1 : Unable to update the HTTP URL's "Header-Based Content Profiles" values
Component: Application Security Manager
Symptoms:
When HTML5 Cross-Domain Request Enforcement is enabled on a URL, Header-Based Content Profiles cannot be updated.
Conditions:
HTML5 Cross-Domain Request Enforcement is enabled on a URL.
Impact:
Header-Based Content Profiles cannot be updated on the URL.
Workaround:
Use the following procedure:
1. Disable HTML5 Cross-Domain Request Enforcement on the URL.
2. Update the Header-Based Content Profiles.
3. Re-enable HTML5 Cross-Domain Request Enforcement.
Fix:
Updating Header-Based Content Profiles for a URL with HTML5 Cross-Domain Request Enforcement is now successful.
602854-8 : Missing ASM control option from LTM policy rule screen in the Configuration utility
Component: TMOS
Symptoms:
In the Configuration utility, when creating or editing a LTM policy, the ASM control option may be missing from the rule screen.
Conditions:
Whether the ASM control option is present or missing purely depends on the license installed on the system.
The system incorrectly reports certain licensed modules to the Configuration utility, which fails to parse them and ultimately to display the ASM control option. If you wish to determine whether you are affected by this issue, SSH to the advanced shell of the BIG-IP system and run this command:
# grep -E '^active module : [^|]*\|[^|]*$' /config/bigip.license
If any output is returned, then you are affected by this issue.
Impact:
ASM cannot be enabled in LTM policies using the Configuration utility.
Workaround:
Use the TMSH utility to enable ASM in LTM policies.
Fix:
ASM can now be enabled in LTM policies using the Configuration utility regardless of the license installed on the system.
602830-1 : BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
Component: TMOS
Symptoms:
The LCD display does not indicate diagnostic mode when you stop the BIG-IP daemons (bigstart stop) and run the platform_check diagnostic command.
Conditions:
Diagnostic mode is not displayed on the LCD.
Impact:
There is no visible indication on the LCD display when the system is in diagnostic mode.
Fix:
The LCD now displays a diagnostic message when the system is in diagnostic mode.
602708-2 : Traffic may not passthrough CoS by default
Solution Article: K84837413
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may set the packet Quality of Service (QoS) priority to 3 when traffic is processed by an IP forwarding virtual server.
Conditions:
-- IP forwarding virtual server.
-- Traffic received with priority other than 3.
Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.
Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.
Fix:
TMM now correctly passes through CoS by default.
602654-2 : TMM crash when using AVR lookups
Component: Application Visibility and Reporting
Symptoms:
When trying to find/insert data into AVR lookups TMM/AVR core might occur.
Conditions:
AVR lookups in use.
Impact:
tmm crashes. The crash occurs when two processes simultaneously try to access the same cell in the lookup. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when using AVR lookups.
602653-1 : TMM may crash after updating bot-signatures
Component: Local Traffic Manager
Symptoms:
TMM may crash after DOSL7 bot signatures config has changed.
Conditions:
This is likely to happen after DOSL7 bot signatures config has changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Try adding/removing some signatures, this should avoid the crash.
Fix:
Fixed a memory corruption when updating bot signatures.
602566-5 : sod daemon may crash during start-up
Component: TMOS
Symptoms:
sod daemon produces core file during start-up
Conditions:
sod encounters an error during start-up and attempts to recover.
Impact:
sod restarts
Fix:
Reset freed pointers to prevent double free during error recovery.
602502-2 : Unable to view the SSL Cert list from the GUI
Component: TMOS
Symptoms:
When you try to see information about any SSL certificates in the GUI, it displays an error: An error has occurred while trying to process your request.
Conditions:
You cannot view any SSL certificates in the GUI if at least one certificate has a double extension (such as test.crt.crt) in its name.
Impact:
Unable to view any SSL certificate from the GUI.
Workaround:
Delete such a certificate using tmsh and re-import it without the extra .crt extension in the certificate name:
delete sys file ssl-cert test.crt.crt
Fix:
Certificates can now be viewed, deleted, and exported from the GUI.
602434-1 : Tmm crash with compressed response
Component: Application Visibility and Reporting
Symptoms:
AVR decompresses all traffic in order to classify it.
Too many simultaneous decompression requests can cause a tmm core.
Conditions:
Sending a high volume of compressed traffic to a virtual server with a DoS profile attached.
Impact:
Traffic disrupted while tmm restarts.
Fix:
AVR now issues no more than 10 decompression requests simultaneously.
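As an added example (not AVR code) of what bounding decompression for classification looks like, the following Python enforces two limits: at most 10 decompressions in flight, which is the figure this fix names, and a cap on inflated bytes per body, which is an assumed second limit the note does not mention. The sample bodies, the limit values and the function names are constructed for the example.

```python
"""Bounded decompression of response bodies for classification.

Added example, not AVR code. Two limits are enforced: at most MAX_INFLIGHT
decompressions at once (the note's figure of 10) and at most MAX_OUTPUT inflated
bytes per body (an assumed cap; the note does not name one). Both limits and the
sample bodies are constructed for the example.
"""
import gzip
import threading
import zlib

MAX_INFLIGHT = 10
MAX_OUTPUT = 1 << 20  # 1 MiB of inflated data is plenty to classify a response (assumed)

INFLIGHT_SLOTS = threading.BoundedSemaphore(MAX_INFLIGHT)


def inflate_for_classification(body, content_encoding="gzip"):
    """Return (status, data) where status is 'ok', 'truncated', 'deferred' or 'corrupt'.

    'deferred' means all MAX_INFLIGHT slots were busy; the caller classifies on
    headers alone instead of queueing unbounded work. 'truncated' means the body
    inflates past MAX_OUTPUT and only the first MAX_OUTPUT bytes are returned,
    which also neutralises a decompression bomb.
    """
    if not INFLIGHT_SLOTS.acquire(blocking=False):
        return "deferred", b""
    try:
        # 16 + MAX_WBITS selects gzip framing; MAX_WBITS alone expects a zlib wrapper,
        # which is what most servers send for Content-Encoding: deflate.
        wbits = 16 + zlib.MAX_WBITS if content_encoding == "gzip" else zlib.MAX_WBITS
        decoder = zlib.decompressobj(wbits)
        try:
            data = decoder.decompress(body, MAX_OUTPUT)
        except zlib.error:
            return "corrupt", b""
        if not decoder.eof:          # output cap hit before the end-of-stream marker
            return "truncated", data
        return "ok", data
    finally:
        INFLIGHT_SLOTS.release()


def gzip_sample(data):
    """gzip-compress constructed sample data so callers can exercise the function offline."""
    return gzip.compress(data)
```

The non-blocking acquire is the important design choice: a blocking semaphore would still let a flood of compressed traffic pile up unbounded work behind the ten slots, which is the condition that led to the core.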
602429-1 : DNS suffix is not restored after disconnecting Network Access
Component: Access Policy Manager
Symptoms:
DNS suffix search list is not restored after disconnecting the VPN connection. The client DNS search list retains the suffix that came from Network Access Resource.
Conditions:
-- On Microsoft Windows.
-- Use APM client to establish VPN tunnel.
Impact:
Certain hostname resolution may fail.
Workaround:
There is no workaround at this time.
Fix:
DNS suffix is restored after disconnecting from VPN.
602385-1 : Add zLib compression
Component: Local Traffic Manager
Symptoms:
The current hardware compression driver supports only the GZIP and DEFLATE compression methods.
Conditions:
APM Network Access tunnel has an option for compression. Compression is implemented in GZIP hudfilter which uses COMPRESS_ZLIB compression method. Currently only 'zlib' compression provider (software based) is implementing this method. None of the hardware providers (such as Coleto Creek) support it; they support COMPRESS_DEFLATE and COMPRESS_GZIP. GZIP hudfilter could use all 3 methods, but only ZLIB is compatible with current and older versions of the client. To preserve backward compatibility it must use ZLIB.
Impact:
Current compression hardware (such as Coleto Creek) needs to support the ZLIB method; otherwise compression in the APM Network Access tunnel does not scale.
Workaround:
None.
Fix:
zLib compression is now supported.
602376-1 : qkview excludes files
Component: TMOS
Symptoms:
When running the qkview command to generate a diagnostic file, some files are omitted from the qkview.
Conditions:
This occurs when running qkview, when the configuration settings for qkview for the admin user include the --exclude flag. For example if the setting has --exclude core then none of the core files will be included in the qkview even if it is run without the --exclude parameter.
Impact:
Debugging of issues impaired if the missing files were needed to resolve the problem.
Workaround:
None.
Fix:
Corrected errors and made sure all files are included or excluded as designed.
602366-1 : Safenet 6.2 HA performance
Component: Local Traffic Manager
Symptoms:
With a Safenet 6.2 HA setup, you only see the performance of one HSM.
Conditions:
Safenet 6.2 client is installed and Safenet HA is used.
Impact:
Only one HSM is used for the HA setup.
Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>
Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>
Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable
Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test
Fix:
Installation script is updated for Safenet 6.2 HA.
602358-5 : BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version
Component: Local Traffic Manager
Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.
Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.
The problem occurs if the SSL/TLS server requires the ClientHello (both in the Record layer and Handshake Protocol) in the new ClientHello to be exactly the same as the SSL/TLS version of the first ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.
Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.
Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.
Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.
Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:
1. The default is disable, which means that the 2nd ClientHello SSL/TLS version will be set to the negotiated version in the 1st round ServerHello.
2. If it is set to enable, both ClientHello versions will be exactly the same.
602326-1 : Intermittent pkcs11d core when stopping or restarting pkcs11d service
Component: Local Traffic Manager
Symptoms:
Sometimes you may see pkcs11d core when stopping/restarting pkcs11d service. This may happen when installing netHSM software or when restarting an existing pkcs11d service.
Conditions:
bigstart issues 'stop' to pkcs11d while pkcs11d is receiving a message.
Impact:
pkcs11d may core intermittently.
Workaround:
pkcs11d may automatically restart without intervention.
Fix:
This release fixes the intermittent pkcs11d core that might have occurred when stopping or restarting the pkcs11d service.
602300-1 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
Component: Global Traffic Manager (DNS)
Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the tmsh command
tmsh modify sys dns name-servers add { <IPv6> }
as the first dns name-server.
This will show in the /etc/resolv.conf file (an example)
nameserver 2001::1
nameserver 192.168.100.1
Conditions:
When an IPv6 nameserver is the first server defined.
Impact:
ZoneRunner records cannot be modified.
Workaround:
Do not use a DNS server with an IPv6 address, or add an IPv4 server at the top of the list.
Fix:
The IP address type was not set properly while communicating with BIND. This does not matter if the first nameserver listed is an IPv4 address or if no nameservers are listed at all.
If the first nameserver listed is IPv6 and the IP address type is not set to IPv4 (AF_INET), the BIND libraries attempt to use IPv6 based on /etc/resolv.conf.
The fix sets the address type to AF_INET properly.
602221-2 : Wrong parsing of redirect Domain
Component: Application Security Manager
Symptoms:
ASM learns wrong domain names.
Conditions:
There is no '/' after the domain name in the redirect domain (the Location header).
Impact:
A wrong learning suggestion can lead to a wrong policy.
Workaround:
N/A
Fix:
Fixed an issue with parsing the URL in the Location header.
602171-1 : TMM may core when remote LSN operations time out
Component: Carrier-Grade NAT
Symptoms:
TMM configured with LSN may core during high utilization, when local endpoint resources are exhausted and a request for remote resources times out.
Conditions:
LSN remote operations time out. LSN can request resources from a remote TMM when local resources are exhausted; when such a request times out, it can result in a core in affected versions.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM LSN remote operations will no longer cause core.
602136-5 : iRule drop/discard/reject commands causes tmm segfault or still sends 3-way handshake to the server.
Component: Local Traffic Manager
Symptoms:
If you have a client-side iRule that terminates a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.
Conditions:
Client-side iRule that terminates a connection using one of the following commands:
- drop
- discard
- reject
Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
602098-1 : Translation object created in non-Common partition is visible in the policy created for Common partition
Component: Advanced Firewall Manager
Symptoms:
On BIG-IP system, the source translation object created in a non-Common partition is available for use in a policy created for the Common partition.
Conditions:
-- On BIG-IP system, provision the AFM and LTM Modules.
-- Configure a non-Common partition and create a source translation object in that partition.
-- Create a policy in Common partition.
-- Add a rule in the translated source section.
Impact:
While adding a rule in the translated source section, in the dropdown menu, the object created in non-Common partition is available for selection. The policy created in Common partition can use the source translation object created in non-Common partition. This is not a valid usage.
Workaround:
None.
Fix:
When creating policy for specific partition, added validation to display only the objects created in that specific partition.
602061 : i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
Component: TMOS
Symptoms:
When firmware is updated on an i5000, i7000, or i10000 series appliance, messages appear on the console indicating the update is in progress. The messages are inconsistent: some give an expected time the update will take and some do not.
Conditions:
Firmware update following the installation of a new iso with new firmware that must be programmed.
Impact:
Cosmetic.
Workaround:
None
602040-3 : Truncated support ID for HTTP protocol security logging profile
Component: Local Traffic Manager
Symptoms:
The HTTP Protocol Security logging profile yields an incomplete support ID in local storage.
Conditions:
Configuration: LTM with Protocol Security Module provisioned, LTM virtual server with HTTP Protocol Security and local-storage logging profile attached. The log-db entries created by the HTTP Protocol Security logging profile have a truncated support ID.
Impact:
The support ID presented to the user does not match the one in the logs because the log entry is truncated (missing a few digits)
Workaround:
There is no workaround
601989-3 : Remote LDAP system authenticated username is case sensitive★
Solution Article: K88516119
Component: TMOS
Symptoms:
Unable to log in via SSH; the reported cause is 'user account has expired'. The wrong role is assigned to the remote user.
Conditions:
The character case of the username returned from LDAP must match both the login username and the configured account name. This can be exposed on an upgrade from 11.6.0 to 12.1.0 or 12.1.1.
Impact:
Unable to log in via SSH with a remote user, or the remote user is assigned an incorrect role, when multiple accounts exist with the same name in mixed case.
Workaround:
Avoid configuring the same account username with different case. The authenticated user account in TMOS used to log in should exactly match the user account name returned from LDAP.
Fix:
When logging in to BIG-IP via ssh, the case of the logged-in user name is preserved when authenticating against an LDAP source, and matched in a case-sensitive manner to the appropriate locally defined user role.
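The case-handling point above, shown as an added Python example (not F5 code): a role resolver that compares the login name, the LDAP-returned name and the locally defined account names either case-insensitively (the pre-fix behavior) or case-sensitively (the fixed behavior), plus an audit that finds account names differing only by case, which is the configuration the workaround says to avoid. The account table is constructed for the example.

```python
# Added example (not F5 code): models the case handling behind 601989. Local
# role assignments are keyed by account name; the LDAP server returns the
# canonical account name for the user who authenticated. The account table
# below is constructed sample data and deliberately contains two names that
# differ only in case.
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed: locally defined remote-user accounts -> assigned role.
LOCAL_ACCOUNTS: Dict[str, str] = {
    "Admin": "admin",
    "admin": "guest",
    "operator": "operator",
}


def resolve_role(login_name: str, ldap_name: str,
                 accounts: Dict[str, str], case_sensitive: bool) -> Optional[str]:
    """Return the role for a user, or None when no account matches.

    The login name must match the name LDAP returned, and that name must
    match a locally defined account. With case_sensitive=False (the pre-fix
    behaviour) the comparison folds case, so 'admin' and 'Admin' collide and
    whichever account is found first decides the role, which is exactly the
    wrong-role symptom described above.
    """
    norm = (lambda s: s) if case_sensitive else str.casefold
    if norm(login_name) != norm(ldap_name):
        return None  # LDAP and the login disagree on who this is: refuse
    matches = [role for name, role in accounts.items() if norm(name) == norm(ldap_name)]
    if not matches:
        return None
    return matches[0]  # order-dependent when folding; unique when case-sensitive


def case_collisions(names: Iterable[str]) -> List[List[str]]:
    """Group account names that differ only by case (what the workaround forbids)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in names:
        groups[name.casefold()].append(name)
    return [group for group in groups.values() if len(group) > 1]


if __name__ == "__main__":
    print(resolve_role("admin", "admin", LOCAL_ACCOUNTS, case_sensitive=False))  # admin (wrong)
    print(resolve_role("admin", "admin", LOCAL_ACCOUNTS, case_sensitive=True))   # guest
    print(case_collisions(LOCAL_ACCOUNTS))  # [['Admin', 'admin']]
```

Run the audit against your own remote-role and local-user names before upgrading; any collision it reports is a login that will behave differently once matching is case-sensitive.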
601938-2 : MCPD stores certain data incorrectly
Solution Article: K52180214
601927-1 : Security hardening of control plane
Solution Article: K52180214
Component: TMOS
Symptoms:
File permission changes are needed, as found by internal testing.
Conditions:
N/A
Impact:
N/A
Fix:
Apply latest security practices to control plane files.
601924-1 : Selenium detection by ports scanning doesn't work even if the ports are opened
Component: Application Security Manager
Symptoms:
When a Selenium server package is running on an endpoint and traffic is sent from it, the Proactive Bot Defense mechanism does not see the ports opened by the Selenium server.
Conditions:
This occurs when ASM is provisioned with Proactive Bot Defense enabled.
Impact:
Low. Selenium detection by port scan has a low score and does not by itself mitigate a client unless the client has other suspicious properties (for example, the Tor browser).
Workaround:
N/A
Fix:
Port scanning has been fixed; a wider range of ports is now scanned.
601919-2 : Custom categories and custom url filter assignment must be specific to partition instead of global lookup
Component: Access Policy Manager
Symptoms:
Custom category lookup and matching are not partition specific.
Conditions:
Create an SWG explicit virtual server, access policy, per-request policy, custom category with a glob URL, and URL filter in a custom partition (say, partition1), and create a similar set in partition2 (make sure the glob URL is matched by the custom categories in both partitions). Set the browser's explicit proxy to the address:port of the partition1 virtual server and access a URL that should match the custom category.
Impact:
A partition-specific custom category match is not available when a user-specific whitelist needs to be applied.
Workaround:
None
Fix:
Code has been added to check custom categories only in the partition the connflow belongs to and in the Common partition.
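Both this fix and the translated-source validation described earlier (601034) come down to the same rule: an object referenced from a policy or connflow in partition P may be resolved from P and from /Common only, never from another partition, even when the names or glob URLs would otherwise match. The following is an added Python model of that rule (not F5 code and not the TMM or mcpd implementation); the object store, the custom categories and the URLs are constructed sample data.

```python
# Added example (not F5 code): a partition-scoped object resolver modelling the
# validation described for 601034 (translated-source objects) and 601919 (custom
# categories). Object paths follow the BIG-IP /<partition>/<name> convention.
import fnmatch
from typing import Dict, Iterable, Optional, Tuple

COMMON = "Common"


def parse_path(path: str) -> Tuple[str, str]:
    """Split '/partition/name' into (partition, name).

    An unqualified name is treated as living in /Common, the BIG-IP default.
    """
    if not path.startswith("/"):
        return COMMON, path
    parts = path.strip("/").split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"malformed object path: {path!r}")
    return parts[0], parts[1]


class PartitionScopedStore:
    """Objects keyed by partition, resolved only from the caller's scope."""

    def __init__(self, paths: Iterable[str]) -> None:
        self._by_partition: Dict[str, Dict[str, str]] = {}
        for path in paths:
            partition, name = parse_path(path)
            self._by_partition.setdefault(partition, {})[name] = path

    def resolve(self, policy_partition: str, ref: str) -> Optional[str]:
        """Resolve a reference made by a policy living in policy_partition.

        ref may be a bare name or a full path. The lookup consults the policy's
        own partition first, then /Common, and nothing else, so a /Common policy
        cannot pick up /partition1/x and a /partition1 policy cannot pick up
        /partition2/x. Returns the full path, or None if out of scope.
        """
        ref_partition, name = parse_path(ref)
        qualified = ref.startswith("/")
        for partition in (policy_partition, COMMON):
            if qualified and partition != ref_partition:
                continue
            path = self._by_partition.get(partition, {}).get(name)
            if path is not None:
                return path
        return None


# Constructed sample: the same glob URL defined as a custom category in two
# partitions, plus one category in /Common. path -> (glob URL, category name)
CUSTOM_CATEGORIES: Dict[str, Tuple[str, str]] = {
    "/partition1/cat-intranet": ("*.intranet.example/*", "intranet-p1"),
    "/partition2/cat-intranet": ("*.intranet.example/*", "intranet-p2"),
    "/Common/cat-blocked": ("*.blocked.example/*", "blocked"),
}


def match_category(connflow_partition: str, url: str) -> Optional[str]:
    """Match url against the custom categories visible to the connflow.

    Only the connflow's partition and /Common are consulted, in that order,
    which is the behaviour the 601919 fix describes; a matching glob in an
    unrelated partition is never returned.
    """
    for partition in (connflow_partition, COMMON):
        for path, (glob, category) in CUSTOM_CATEGORIES.items():
            if parse_path(path)[0] == partition and fnmatch.fnmatchcase(url, glob):
                return category
    return None


if __name__ == "__main__":
    store = PartitionScopedStore(
        ["/Common/snat-common", "/partition1/snat-p1", "/partition2/snat-p2"]
    )
    # A /Common policy must not be offered partition1's object (601034).
    print(store.resolve("Common", "snat-p1"))                 # None
    print(store.resolve("partition1", "snat-p1"))             # /partition1/snat-p1
    print(store.resolve("partition1", "snat-common"))         # /Common/snat-common
    print(store.resolve("partition1", "/partition2/snat-p2")) # None
    print(match_category("partition1", "http://www.intranet.example/home"))  # intranet-p1
    print(match_category("partition3", "http://www.intranet.example/home"))  # None
```

The design point is that the scope check happens inside the lookup, not in the GUI dropdown: a reference that arrives by tmsh, iControl or config load is rejected the same way as one picked from a menu.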
601905-1 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
Component: Access Policy Manager
Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.
Conditions:
The POST request most likely carries a large amount of POST data.
Impact:
The POST request will fail.
Workaround:
The following iRule works around the issue by collecting the request body before it is handed to the EAM plugin:
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Collect up to $max_collect bytes of the request body.
        set max_collect 1000000
        if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length $max_collect
        }
        # Only collect when there is a body to collect.
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
601893-2 : TMM crash in bwc_ctb_instance_recharge because pkts_avg_size is zero.
Solution Article: K89212666
Component: TMOS
Symptoms:
TMM cores. There might be messages similar to the following in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rare issue.
Conditions:
This extremely rare issue occurs when dynamic BWC is in use and the rate for each instance is changed dynamically.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use dynamic modification of rates for dynamic policies.
Fix:
You can now successfully use dynamic modification of rates for dynamic policies.
601828-1 : An untrusted certificate can cause tmm to crash.
Solution Article: K13338433
Component: Local Traffic Manager
Symptoms:
If the certificate sent by an SSL server to the server-side BIG-IP profile is untrusted, tmm might crash.
Conditions:
-- Server-side SSL profile is attached to a virtual server.
-- The SSL server sends an untrusted certificate to the BIG-IP system.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The BIG-IP system will now log the certificate name 'unknown' if an SSL server sends an untrusted certificate, and tmm does not restart.
601709-2 : I2C error recovery for BIG-IP 4340N/4300 blades
Solution Article: K02314881
Component: TMOS
Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.
Conditions:
This rarely happens.
Impact:
Corrupted serial number information is read from SFPs, and fiber SFPs may not come up.
Workaround:
Restart the switch daemon: bigstart restart bcm56xxd
Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.
601536-1 : Analytics load error stops load of configuration★
Component: Application Visibility and Reporting
Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.
Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.
Impact:
The configuration fails to load, and the system will not pass traffic.
Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.
Fix:
An analytics configuration that was valid in a previous release now loads successfully in the current release.
601527-4 : mcpd memory leak and core
Component: TMOS
Symptoms:
Mcpd can leak memory during config update or config sync.
Conditions:
Not all of the conditions that trigger this are known, but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered by making a single change on the primary device, configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http
Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.
Fix:
Fixed a memory leak in mcpd.
601502-4 : Excessive OCSP traffic
Component: TMOS
Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.
Conditions:
Virtual server configured with an OCSP profile
Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.
Workaround:
None.
Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.
601496-4 : iRules and OCSP Stapling
Component: Local Traffic Manager
Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.
You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.
Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stapling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.
Impact:
TMM memory use increases gradually; eventually the aggressive mode sweeper is activated.
Workaround:
None.
Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.
601420-3 : Possible SAML authentication loop with IE and multi-domain SSO.
Component: Access Policy Manager
Symptoms:
When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may enter an authentication loop and never complete the access policy.
Conditions:
APM is configured with SAML authentication and multi-domain SSO.
Impact:
Using Internet Explorer, the client may be unable to connect to its desired destination.
Workaround:
Chrome and Firefox do not appear to be affected; use one of those browsers.
Fix:
Use the cookie for session lookup on multi-domain requests if the TOKEN lookup fails. Previously, the cookie was ignored for the multi-domain response URI. With the introduction of TOKEN-based session lookup, this caused a failure when the client retried the request, because the TOKEN had already been consumed by the request prior to the retry.
601378-2 : Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
Component: Application Security Manager
Symptoms:
These errors can be observed in '/var/log/asm':
-------------------------
The caller:[F5::ASMConfig::Entity::Charset::get_policy_encoding_type] did not pass in a value for 'encoding_name' to retrieve the 'encoding_type' for -- aborting.
ASM subsystem error (asm_config_server.pl,): ASM Config server died unexpectedly
ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads.
ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: asm_config_server.pl, Failure: Insufficient number of threads.
-------------------------
Conditions:
ASM provisioned.
Create security policy with "Auto accept" language.
Impact:
ASM daemons restart, numerous errors in asm log.
Workaround:
None.
Fix:
Creating an ASM security policy with "Auto accept" language no longer leads to numerous errors in the asm log and restarts of the 'pabnagd' and 'asm_config_server' daemons.
601309 : Locator LED no longer persists across reboots
Component: TMOS
Symptoms:
The Locator LED (the blinking F5 logo ball) state could be retained across reboots if the tmsh config was saved. The intended behavior is for it to default to disabled on reboot.
Conditions:
Setting the Locator LED to enabled via either the LCD or tmsh, then saving the tmsh config.
Impact:
On i5600, i5800, i7600, i7800, i10600, and i10800 appliances, the Locator LED remains enabled after a reboot instead of defaulting to disabled.
Workaround:
Disable the Locator LED and save the tmsh config.
Fix:
The Locator LED state no longer persists through reboots.
601268-5 : PHP vulnerability CVE-2016-5766
Solution Article: K43267483
601255-4 : RTSP response to SETUP request has incorrect client_port attribute
Component: Service Provider
Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)
Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection
Impact:
Unicast media may be forwarded to an incorrect UDP port (0).
Fix:
The 'client_port' attribute is now initialized to the value received from the server when rewriting the response to the client.
601189-2 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
Component: Local Traffic Manager
Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.
Conditions:
-- Fastl4 VS.
-- syncookie mode.
Impact:
TCP packets are sent out of order.
Workaround:
None.
Fix:
The BIG-IP system no longer sends TCP packets out of order in Fastl4 in syncookie mode.
601180-2 : Link Controller base license does not allow DNS namespace iRule commands.★
Solution Article: K73505027
Component: Global Traffic Manager (DNS)
Symptoms:
The Link Controller base license improperly prevents DNS namespace iRule commands.
Conditions:
A Link Controller license without an add-on that allows Layer 7 iRule commands.
Impact:
An administrator cannot add DNS namespace commands to an iRule, and cannot upgrade from a pre-11.5 configuration, where the commands worked, to 11.5.4 through 12.1.2.
Workaround:
To enable upgrade, remove DNS namespace commands from the configuration prior to upgrade.
Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.
601178-6 : HTTP cookie persistence 'preferred' encryption
Component: Local Traffic Manager
Symptoms:
When encryption is set to 'preferred' in the HTTP cookie persistence profile and the client presents a plaintext route-domain-formatted cookie, the BIG-IP system ignores the cookie and load balances the connection again.
Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.
Impact:
The cookie is not accepted by the persistence profile, and the flow does not persist.
601168-1 : Incorrect virtual server CPU utilization may be observed.
Component: TMOS
Symptoms:
The virtual_server_cpu_stat table counters are always at zero.
Conditions:
ASM license is in effect.
Impact:
Wrong CPU utilization per virtual server.
Workaround:
No workaround.
Fix:
An issue in computing CPU averages for virtual server has been resolved.
601083-1 : FPS Globally Forbidden Words lists freeze in IE 11
Component: Fraud Protection Services
Symptoms:
When attempting to move more than one item in Globally Forbidden Words in Internet Explorer 11, the lists freeze.
Conditions:
FPS provisioned.
Add two or more words in "Search for malicious words in the HTML or JavaScript code".
Impact:
The FPS GUI freezes.
Workaround:
Add one item at a time and save, or use tmsh.
Fix:
Internet Explorer 11 will not freeze if moving more than one item at a time.
601076 : Fix watchdog event for accelerated compression request overflow
Component: TMOS
Symptoms:
Accelerated compression requests that exceed 128 in-flight requests can cause a watchdog event.
Conditions:
Very rapid queuing of concurrent accelerated compression requests.
Impact:
TMM generates an HA failover driven by the accelerated compression watchdog timer.
Workaround:
Disable hardware accelerated compression:
% tmsh modify sys db compression.strategy value softwareonly
Fix:
A constraint is applied to the accelerated compression request DMA ring so that no more than 128 in-flight requests are queued at any one time.
601059-6 : libxml2 vulnerability CVE-2016-1840
Solution Article: K14614344
601056 : TCP-Analytics, error message not using rate-limit mechanism can halt TMM
Component: Application Visibility and Reporting
Symptoms:
An error message is logged when TCP-Analytics fails to save new data. Unlike other TMM error messages, this one is not rate-limited: a rate-limited message is emitted only occasionally when its error recurs very frequently, whereas this one is emitted for every error event.
Because the message is not rate-limited, hitting this error many times might eventually lead to a TMM halt.
Conditions:
-- TCP-Analytics is assigned to virtual server.
-- The aggregation method of TCP Analytics causes a full table situation because of the distribution of the client IP addresses and subnets.
Impact:
TMM can halt. Traffic disrupted while tmm restarts.
Workaround:
Remove TCP-Analytics from virtual servers.
Fix:
The error message is now emitted through the rate-limiting mechanism.
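As an added example (not F5 code, and not TMM's logging code) of the rate limiting the fix describes: a per-message-key limiter in Python that lets a short burst through, counts the rest, and reports the suppressed count once when the next window for that key opens. It also covers the flood scenario of 601035 below, where a full table fires the same error on every event. The fake clock, the message key and the event stream are constructed for the example.

```python
# Added example (not F5 code): a per-message rate limiter of the kind the
# 601056 fix describes. An error path that can fire once per packet must not
# be able to write one log line per event; the fake clock and events are
# constructed so the block runs offline.
import time
from typing import Callable, Dict, List, Tuple


class RateLimitedLog:
    """Allow `burst` copies of a message per `window` seconds per key.

    Copies beyond the burst are counted, not written; the count is reported
    in one summary line when the next window for that key opens, so nothing
    is lost silently and the log volume is bounded by the number of keys.
    """

    def __init__(self, burst: int = 5, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.burst, self.window, self.clock = burst, window, clock
        self.window_start: Dict[str, float] = {}
        self.emitted: Dict[str, int] = {}
        self.suppressed: Dict[str, int] = {}
        self.lines: List[str] = []  # stand-in for /var/log/ltm

    def log(self, key: str, message: str) -> bool:
        """Record `message`; return True if written, False if suppressed."""
        now = self.clock()
        start = self.window_start.get(key)
        if start is None or now - start >= self.window:
            dropped = self.suppressed.get(key, 0)
            if dropped:
                self.lines.append(f"{key}: {dropped} similar messages suppressed")
            self.window_start[key] = now
            self.emitted[key] = 0
            self.suppressed[key] = 0
        if self.emitted[key] < self.burst:
            self.emitted[key] += 1
            self.lines.append(message)
            return True
        self.suppressed[key] += 1
        return False


def simulate(events: List[Tuple[float, str, str]],
             burst: int = 5, window: float = 60.0) -> List[str]:
    """Drive the limiter with a fake clock; events are (delta_seconds, key, message)."""
    now = [0.0]
    log = RateLimitedLog(burst, window, clock=lambda: now[0])
    for delta, key, message in events:
        now[0] += delta
        log.log(key, message)
    return log.lines


def flood_then_pause() -> List[str]:
    """Constructed: 1000 table-full errors 10 ms apart, then one more 61 s later."""
    error = "tcp-analytics: table full, dropping sample"
    events = [(0.01, "tcpa-table-full", error)] * 1000
    events.append((61.0, "tcpa-table-full", error))
    return simulate(events)


if __name__ == "__main__":
    for line in flood_then_pause():
        print(line)  # 5 copies, one "995 similar messages suppressed" line, 1 copy
```

The limiter is keyed by message, not global, so a flood on one error path cannot hide an unrelated error that fires once; that distinction matters when the log is also the evidence you will read after a TMM restart.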
601035 : TCP-Analytics can fail to collect all the activity
Component: Application Visibility and Reporting
Symptoms:
When the traffic reaching the BIG-IP system comes from a very large number of different client IP addresses and subnets, the TCP-Analytics table can fill up, and the activity that follows is ignored until the next snapshot of data.
Conditions:
-- TCP-Analytics profile is attached to a virtual server.
-- Incoming traffic represents a large amount of client IP addresses and subnets (the exact number that causes the full table condition depends on machine type and provisioned modules).
Impact:
TCP Analytics is showing only some of the activity, not all of it. In addition, numerous log messages might fill the logs.
Workaround:
Disable TCP-Analytics.
Fix:
The aggregation method of TCP Analytics was fixed, so the system no longer reaches the full-table condition regardless of the distribution of client IP addresses.
600982-5 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
Component: Local Traffic Manager
Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.
Conditions:
There are no specific conditions; this is a very rare occurrence in which the random number generator can produce zero (0) as a session ID, which triggers the assertion.
Impact:
Traffic is disrupted while TMM restarts, and failover occurs if high availability is configured. Mirroring and load balancing may be lost on renegotiation for certain types of traffic.
Workaround:
None.
Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.
600944-1 : tmsh does not reset route domain to 0 after cd /Common and loading bash
Component: TMOS
Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common', then run bash and then 'ip route', the routing table from the previous partition is displayed, not /Common's.
Conditions:
Attempting to see the route table from the /Common partition after leaving another partition.
Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.
Workaround:
Quit tmsh and restart.
600894-1 : In certain situations, the MCPD process can leak memory
Component: TMOS
Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:
err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.
Conditions:
So far, this issue has only been observed while updating a large external data-group file object.
Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.
600859-2 : Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★
Component: TMOS
Symptoms:
After upgrading 11.6.0 Hourly instances to 12.1.0 EHF Hourly instances with Instance Registration support, instance license becomes invalid and BIG-IP is unable to acquire a new hourly license.
Conditions:
Upgrading 11.6.0, or earlier Hourly Licensing instance to 12.1.0 HF1 EHF.
Impact:
License is invalidated and instance becomes unusable.
Workaround:
- Run "/usr/libexec/autoLicense -l" from command-line.
Fix:
Module licenses correctly after upgrade from 11.6.0 to 12.1.0 HF2 or later.
600827-8 : Stuck Nitrox crypto queue can erroneously be reported
Solution Article: K21220807
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue is erroneously detected on Cavium Nitrox-based hardware (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the LTM log: Hardware Error(Co-Processor): n3-crypto0 request queue stuck.
Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses Nitrox PX or Nitrox 3 encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
None.
Fix:
The Nitrox crypto driver now uses a proper timeout value for crypto requests.
600812-1 : IPv6 virtual address with icmp-echo enabled on an IPv6 host IP forwarding virtual server ignores neighbor advertisement packets.
Component: Local Traffic Manager
Symptoms:
tmsh show net ndp shows an incomplete entry for the neighbor.
Conditions:
icmp-echo is enabled for an IPv6 virtual address on an IPv6 host IP forwarding virtual server.
Impact:
The neighbor advertisement reaches the LTM, but the NDP entry for that neighbor is left incomplete, so the neighbor cannot be reached.
Workaround:
Disable icmp-echo on the IPv6 virtual address, or configure a static MAC address for the neighbor.
Fix:
The neighbor entry in the LTM now displays the correct neighbor information.
600811-2 : CATEGORY::lookup command change in behavior★
Component: Access Policy Manager
Symptoms:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM and URL Filtering provisioned, or only URL Filtering provisioned for SSL bypass decisions. Only a valid hostname can be passed, and its category is returned.
In versions prior to v12.1.1, the following iRule command was valid:
when HTTP_REQUEST {
set this_uri http://[HTTP::host][HTTP::uri]
set reply [CATEGORY::lookup $this_uri]
log local0. "Category lookup for $this_uri returns $reply"
}
Starting in v12.1.1, using the previous example, you must remove the HTTP::uri statement. If an HTTP::uri is provided to the command, the system returns an error similar to the following:
err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"
To correct the iRule for a post-v12.1.1 installation, modify the example to pass in HTTP::host only, as follows:
when HTTP_REQUEST {
set this_uri http://[HTTP::host]
set reply [CATEGORY::lookup $this_uri]
log local0. "Category lookup for $this_uri returns $reply"
}
Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.
Conditions:
- BIG-IP licensed and provisioned for:
o APM and URL Filtering
o URL Filtering (used for SSL Bypass decisions in SSL Air-Gap deployments).
- An iRule that supplies a URI path to the CATEGORY::lookup iRule command.
- Upgrading from a pre-v12.1.1 version with an iRule that passes an HTTP::uri, or a plain-text string containing anything other than an HTTP hostname, to the CATEGORY::lookup iRule command.
Impact:
There is an error returned from the command. This can cause errors in existing deployments.
Workaround:
Update the iRule to only pass an HTTP hostname to the CATEGORY::lookup iRule command
Fix:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions.
Only a valid hostname can be used and have its category returned.
Behavior Change:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM and URL Filtering provisioned, or only URL Filtering provisioned for SSL bypass decisions. Only a valid hostname can be passed, and its category is returned.
In versions prior to v12.1.1, the following iRule command was valid:
when HTTP_REQUEST {
set this_uri http://[HTTP::host][HTTP::uri]
set reply [CATEGORY::lookup $this_uri]
log local0. "Category lookup for $this_uri returns $reply"
}
Starting in v12.1.1, using the previous example, you must remove the HTTP::uri statement. If an HTTP::uri is provided to the command, the system returns an error similar to the following:
err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"
To correct the iRule for a post-v12.1.1 installation, modify the example to pass in HTTP::host only, as follows:
when HTTP_REQUEST {
set this_uri http://[HTTP::host]
set reply [CATEGORY::lookup $this_uri]
log local0. "Category lookup for $this_uri returns $reply"
}
Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.
600732-2 : IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description
Component: TMOS
Symptoms:
The IKEv1 racoon daemon can crash when a security association (SA) is deleted (which can be done either explicitly on the command line, or indirectly by changing the ike-peer definition in config via tmsh). Usually this crash also requires that the ike-peer be altered or removed at the same time.
Note: Merely altering a v1 ike-peer causes the racoon daemon to first delete the old ike-peer, and then add a new one. So 'modify' effectively means 'delete' in this bug context.
Conditions:
When a v1 ike-peer is changed in any way while the racoon daemon actually has a valid security association in current use.
Impact:
The IKEv1 racoon daemon restarts, followed by a tunnel outage until new SAs are negotiated.
Workaround:
No workaround is known at this time.
Fix:
When a v1 ike-peer changes, which causes the racoon daemon to delete and then redefine the peer, existing security associations are also deleted (because they were only valid for the last definition). During the process of tearing things down, it was possible for a security association to access the old, destroyed ike-peer during a late-stage followup action. This is now prevented.
600662-9 : NAT64 vulnerability CVE-2016-5745
Solution Article: K64743453
600614-5 : External crypto offload fails when SSL connection is renegotiated
Component: Local Traffic Manager
Symptoms:
If an external crypto offload client is configured with an SSL profile and renegotiation is enabled for the SSL profile, the crypto client connection fails when the SSL connection is renegotiated.
Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.
Impact:
Crypto client connection to the crypto server will fail.
Workaround:
Disable renegotiation on the SSL profile.
Fix:
The crypto client connection to the crypto server will no longer fail when the SSL connection is renegotiated.
600593-1 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
Component: Local Traffic Manager
Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.
Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive at the virtual server, and the client must disconnect before the server responds.
Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.
Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue. (In Tcl the else clause must be on the same line as the closing brace of the if block; a line break before else is a syntax error.)
when HTTP_PROXY_REQUEST {
    # A CONNECT tunnel must never share a server-side flow with other
    # requests: disable OneConnect reuse for it, re-enable it otherwise.
    if { [HTTP::method] equals "CONNECT" } {
        ONECONNECT::reuse disable
    } else {
        ONECONNECT::reuse enable
    }
}
600558-5 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:
1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
Fix:
Errors are no longer logged after deleting user in GUI.
600385-1 : BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout
Solution Article: K43295141
Component: Local Traffic Manager
Symptoms:
When configuring BIG-IP LTM and BIG-IP DNS monitors, administrators can set the interval value larger than the timeout value.
Conditions:
Setting the interval value larger than the timeout value.
Impact:
The misconfigured monitor might behave unexpectedly.
Workaround:
Set the interval value lower than the timeout value.
Fix:
Monitors no longer allow the interval value to be set larger than the timeout value. This is correct behavior.
Behavior Change:
Monitors no longer allow the interval value to be set larger than the timeout value. This is correct behavior.
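Because this release rejects a setting that older releases accepted, it is worth auditing monitors before the upgrade rather than discovering the problem at config load. The following is an added Python example (not F5 code): it parses the text that tmsh list ltm monitor prints and flags any monitor whose interval exceeds its timeout. The sample tmsh output is constructed, and the extra warning for timeout below 3 x interval + 1 reflects F5's commonly documented monitor guidance, not anything stated in this release note.

```python
# Added example (not F5 code): an offline audit of monitor interval/timeout
# settings for the condition described in 600385. The sample output below is
# constructed in the shape `tmsh list ltm monitor` prints.
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_TMSH_OUTPUT = """\
ltm monitor http /Common/http_fast {
    defaults-from /Common/http
    interval 30
    time-until-up 0
    timeout 10
}
ltm monitor https /Common/https_ok {
    defaults-from /Common/https
    interval 5
    timeout 16
}
ltm monitor tcp /Common/tcp_equal {
    interval 10
    timeout 10
}
ltm monitor gateway-icmp /Common/icmp_inherit {
    defaults-from /Common/gateway_icmp
}
"""

_HEADER = re.compile(r"^ltm monitor (\S+) (\S+) \{\s*$")
_KV = re.compile(r"^\s+([\w-]+)\s+(\S+)\s*$")


def parse_monitors(text: str) -> List[Dict[str, str]]:
    """Turn `tmsh list ltm monitor` output into a list of flat dicts."""
    monitors: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = {"type": header.group(1), "name": header.group(2)}
            monitors.append(current)
            continue
        if line.strip() == "}":
            current = None
            continue
        kv = _KV.match(line)
        if current is not None and kv:
            current[kv.group(1)] = kv.group(2)
    return monitors


def audit_monitors(text: str) -> List[Tuple[str, str, str]]:
    """Return (monitor name, severity, reason) for each monitor needing attention.

    Monitors that inherit interval/timeout from defaults-from without
    overriding them are skipped here; a fuller audit would resolve the parent.
    The 3*interval+1 threshold is this example's choice (F5's usual guidance),
    not a check the release note says the product performs.
    """
    findings: List[Tuple[str, str, str]] = []
    for mon in parse_monitors(text):
        if "interval" not in mon or "timeout" not in mon:
            continue
        interval, timeout = int(mon["interval"]), int(mon["timeout"])
        if interval > timeout:
            findings.append((mon["name"], "error",
                             f"interval {interval} > timeout {timeout}; rejected by 12.1.5.3 validation"))
        elif timeout < 3 * interval + 1:
            findings.append((mon["name"], "warning",
                             f"timeout {timeout} < 3*interval+1 ({3 * interval + 1}); "
                             "fewer than three probes before the member is marked down"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_monitors(SAMPLE_TMSH_OUTPUT):
        print(f"{severity:8} {name}: {reason}")
```

Feed it the real output (tmsh list ltm monitor, and tmsh list gtm monitor for BIG-IP DNS) saved to a file; every "error" line is a monitor the upgraded system will refuse to load.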
600357-2 : bd crash when asm policy is removed from virtual during specific configuration change
Component: Application Security Manager
Symptoms:
BD restarts and produces a core file.
Conditions:
A configuration change that involves header configuration or a policy reconfiguration, while at the same time the ASM policy is removed from the virtual server.
This is more likely to happen in scripted tests than in the field.
Impact:
Traffic is dropped while ASM restarts.
Workaround:
Do not change the ASM configuration at the same time as the virtual server configuration.
Fix:
The system still restarts but no longer produces a core file when this happens.
600232-9 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600223-2 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600205-9 : OpenSSL Vulnerability: CVE-2016-2178
Solution Article: K53084033
600198-2 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
600119-3 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
Component: Access Policy Manager
Symptoms:
When connected to the VPN with a Wi-Fi adapter enabled (but not connected to any WLAN), access to websites outside the VPN is very slow.
Access is fine when the Wi-Fi interface is disabled.
Conditions:
- The number of DNS servers configured for active network adapters matches the number of DNS servers configured in the Network Access resource.
Impact:
User experience while navigating to servers outside the VPN scope is impacted by increased connection time.
Workaround:
Disable unused adapters, or change the number of configured DNS servers.
Fix:
DNS requests for names outside the VPN scope that are sent to the VPN DNS server are redirected to the NIC's DNS servers using a round-robin algorithm.
600069-6 : Portal Access: Requests handled incorrectly
Solution Article: K54358225
600052-1 : GUI displays "Internal Server Error" page when there are many (~3k) certs/keys in the system
Component: Local Traffic Manager
Symptoms:
Cannot access SSL certs/keys using the GUI. GUI displays "Internal Server Error" page.
Conditions:
A large number (~3k) of SSL certs/keys in the system.
Impact:
Cannot use the GUI to view/edit the SSL certs/keys.
Workaround:
Use tmsh to access SSL certs/keys.
Fix:
SSL certs/keys can now be accessed using the GUI.
599858-7 : ImageMagick vulnerability CVE-2015-8898
Solution Article: K68785753
599839-3 : Add new keywords to SIP::persist command to specify how the persistence table is updated
Component: Service Provider
Symptoms:
The SIP::persist command keywords were not present prior to 12.1.2.
Conditions:
Using the SIP::persist command in an iRule
Impact:
Limited control via SIP::persist
Workaround:
N/A
Fix:
The following new keywords were introduced for the SIP::persist command to give finer control over how persistence entries are keyed and updated:
-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any existing persistence entry with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry; if no entry exists, add a new entry based on the result of routing this message.
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.
Behavior Change:
The SIP::persist command now accepts the -reset, -use, -replace, -bypass, and -ignore keywords described above to control how the persistence table is updated.
599816-2 : Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
Component: TMOS
Symptoms:
Packets arriving on members of the VLAN group are CMP redirected. Redirections may be tracked with the tmm/flow_redir_stats table.
Conditions:
VLANs in the VLAN group must have different cmp-hash settings. For example, one VLAN may configure src-ip and another dst-ip.
Impact:
Throughput drops because of the redirections. However, because this is an error in the software disaggregator, components and features which depend on correct disaggregation may fail. Some features of PEM may fail.
Fix:
Packets are correctly disaggregated without redirections.
599803 : TMM accelerated compression incorrectly destroying in-flight contexts.
Component: Performance
Symptoms:
You see a tmm core while using compression profiles.
Conditions:
Related to use of hardware compression.
Impact:
Report of a watchdog event, or an ASSERT generated by the compression layer. Traffic disrupted while tmm restarts.
Workaround:
Disable accelerated compression using the following command:
% tmsh modify sys db compression.strategy value softwareonly
Fix:
The system now correctly dispatches cancelled in-flight accelerated compression contexts when cancellation comes while hardware is still actively compressing.
599769 : TMM may crash when managing APM clients.
Component: Local Traffic Manager
Symptoms:
When managing APM clients it is possible to encounter a rare tmm crash.
Conditions:
APM enabled and actively managing clients.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
There is no longer a rarely encountered TMM crash when managing APM clients.
599720-2 : TMM may crash in bigtcp due to null pointer dereference
Component: Local Traffic Manager
Symptoms:
TMM crashed in bigtcp_queue_pkt() due to null pointer dereference of clientside flow.
Conditions:
This only occurs for serverside flow whose peer no longer exists.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
A null pointer dereference in bigtcp has been fixed.
599567 : APM assumes SNAT automap, does not use SNAT pool
Component: Local Traffic Manager
Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
A SNAT configuration of 'None' also does not work; the system always behaves as if Automap were configured.
Conditions:
-- SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).
Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.
Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.
Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual server.
Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.
Fix:
The system now honors the virtual server SNAT configuration.
599543-3 : Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
Component: TMOS
Symptoms:
When a PKCS#12 cert and key are in use by SSL profiles, importing the key/cert fails with the following error message:
Import Failed: Exception caught in Management::urn:iControl:Management/KeyCertificate::pkcs12_import_from_file_v2()
0107160f:3: Profile /Common/z-cssl's SSL forward proxy CA key and certificate do not match
Conditions:
1. When the cert and key are in the PKCS#12 format.
2. When the cert and key are in use by SSL profiles.
Impact:
When a PKCS#12 cert and key are in use by SSL profiles, they cannot be directly updated (overwritten) using key/cert import.
Workaround:
Use tmsh to install the PKCS#12 key. For example, if the key/cert to be replaced are called orig.key and orig.crt, they can be overwritten using the following command:
tmsh install sys crypto pkcs12 orig from-local-file /shared/eee.pfx
599536-1 : IPsec peer with wildcard selector brings up wrong phase2 SAs
Solution Article: K05263202
599521-5 : Persistence entries not added if message is routed via an iRule
Component: Service Provider
Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.
Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.
Impact:
Since MRF SIP persistence may be bidirectional, the missing persistence entry prevents messages flowing in the opposite direction from being automatically routed via persistence.
Workaround:
An iRule could be used to route messages directed towards the original client.
Fix:
MRF SIP now adds a persistence entry for messages routed via an iRule.
599424-2 : iApps LX fails to sync★
Component: iApp Technology
Symptoms:
In a device group, iApps LX applications fail to sync to the other devices. In restjavad.0.log you notice this log entry, approximately once per hour:
[8100/tm/shared/BIG-IP-failover-state BIG-IPFailoverStateWorker] Failed to discover [address]: java.lang.IllegalStateException: Authentication Failure to host [address]. Please check the credentials provided.
Conditions:
- This occurs after upgrading devices in a device group from 12.1.1 to a version higher than 12.1.1, such as 12.1.1 HF1.
- It can also occur on UCS restore.
- This occurs after upgrading devices in a device group from 12.1.0 to a version higher than 12.1.0, such as 12.1.0-HF1 (or above).
- This can also occur with a clean install of v12.1.2-Final that is then upgraded to v12.1.2 HF1.
Impact:
If you do not have iApps LX configured, there should be no impact other than the warning in restjavad.0.log which you can safely ignore. If you have iApps LX configured and the iApp is not syncing, then this will impact traffic if a failover event occurs.
Workaround:
None.
Fix:
iApps LX will now sync correctly.
599423-1 : merged cores and restarts
Solution Article: K24584925
Component: TMOS
Symptoms:
The vCMP host overwrites the stats table with data from guests.
Conditions:
vCMP running SSL traffic for more than one day.
Impact:
An internal value that tracks the interfaces changes, causing merged to core and restart.
Workaround:
None.
Fix:
The host no longer overwrites the reference values in the interface stats table, so merged does not core and restart.
599285-2 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
Solution Article: K51390683
599223-1 : Prevent static destructors in tmipsecd daemon
Component: TMOS
Symptoms:
The tmipsecd daemon can leave a core when it exits main().
Conditions:
When tmipsecd exits deliberately, for example in response to an exception, it can crash during program cleanup even though that cleanup is not necessary. What begins as a clean termination turns into a messy crash.
Impact:
Generation of a distracting core, using disk space and attracting user attention unnecessarily. (Since tmipsecd was restarting anyway, the restart is not extra impact.)
Workaround:
There is no workaround.
Fix:
Cleaning up globals when a tmipsecd process terminates is unnecessary, so the static destructors are no longer run on shutdown. A failure in that cleanup can therefore no longer produce a core.
599221-1 : ASM Policy cannot be created in non-default partition via the Import Policy Task
Component: Application Security Manager
Symptoms:
An ASM Policy cannot be created in a non-default (/Common) partition using the Import Policy Task (/mgmt/tm/asm/tasks/import-policy).
Conditions:
User attempts to create a new ASM policy in a non-/Common partition using a file or template via the import policy tasks.
Impact:
Policy is created in /Common instead of the specified partition.
Workaround:
1) Create a Policy in the desired partition via a POST to the /mgmt/tm/asm/policies endpoint.
2) Execute the Import Policy Task (/mgmt/tm/asm/tasks/import-policy) using the created policy as the policyReference to overwrite it.
Fix:
Policy Import creates new policies in the specified partition.
599191-2 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
Component: TMOS
Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.
Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync
Impact:
A stale key is left on the FIPS card. There is no impact to functionality.
Workaround:
Check the handles/key-ids of the keys in the configuration using tmsh. Then remove the key that is not in use with the command tmsh delete sys crypto key <keyname>.
599168-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Solution Article: K35520031
599135-2 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump
Component: Local Traffic Manager
Symptoms:
B2250 blades may suffer from continuous TMM CPU utilization when tcpdump has been in use.
Conditions:
Run tcpdump on a B2250 platform
Impact:
Increment in TMM CPU utilization with every run of tcpdump.
Workaround:
Restart TMM, and avoid the use of tcpdump.
Fix:
B2250 blades no longer suffer from high TMM CPU utilisation with tcpdump.
599121-2 : Under heavy load, hardware crypto queues may become unavailable.
Solution Article: K24036315
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.
Conditions:
BIG-IP system under heavy load and using hardware crypto.
Impact:
HA failover. You might see messages similar to the following:
-- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
-- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
-- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.
Workaround:
None.
Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.
599054-2 : LTM policies may incorrectly use those of another virtual server
Component: Local Traffic Manager
Symptoms:
LTM policies may use policies configured on another virtual server.
Conditions:
- A configuration with several virtual servers and several LTM policies attached to those virtual servers.
- A configuration load: manually using the command tmsh load sys conf, or automatically by an upgrade or full config-sync.
Impact:
LTM policies get incrementally added to virtual servers as the policies are compiled, causing unexpected traffic handling decisions based on other policies.
Workaround:
Do not run tmsh load sys conf if you have policies configured. After an upgrade or full config-sync, issuing a bigstart restart command or restarting the device clears this condition.
Fix:
LTM policies no longer incorrectly use those of another virtual server.
599033-5 : Traffic directed to incorrect instance after network partition is resolved
Component: TMOS
Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the external network.
Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.
Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.
Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.
Fix:
When a network partition is resolved, and an Active/Active high availability pair chooses a single Active node, it now invokes a script that can be used to automatically notify the external network infrastructure of the new location for the virtual service. This new script is located in /config/failover/tgrefresh, and is invoked in addition to the transmission of GARP messages.
598983-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Solution Article: K35520031
598981-3 : APM ACL does not get enforced all the time under certain conditions
Solution Article: K06913155
Component: Access Policy Manager
Symptoms:
APM ACL does not get enforced all the time under certain conditions
Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.
Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.
Workaround:
Mitigation: the administrator can kill the affected session, which forces the user to log in again and restarts the ACL construction process.
Fix:
Context switching while applying the ACL is now handled correctly and no longer causes the ACL to go unenforced.
598874-2 : GTM Resolver sends FIN after SYN retransmission timeout
Component: Local Traffic Manager
Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.
Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.
Impact:
Firewalls may log the FIN as a possible attack.
Fix:
The GTM Resolver no longer sends anything in response to a SYN retransmission timeout.
598860-4 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
Component: Local Traffic Manager
Symptoms:
The IP::addr iRule command can be used to extract the IPv4 address embedded in an IPv6 address, but instead it returns an IPv4-compatible IPv6 address.
Example:
ltm rule test_bug {
    when CLIENT_DATA {
        log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
    }
}
Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1
Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1
Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.
Impact:
Address is converted into an IPv4-compatible IPv6 address.
598854-3 : sipdb tool incorrectly displays persistence records without a pool name
Component: Service Provider
Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool) are not displayed properly by sipdb.
Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.
Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.
Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.
598748 : IPsec AES-GCM IVs are now based on a monotonically increasing counter
Component: TMOS
Symptoms:
IPsec was using random IVs.
With random IVs and the shortest packets, complete integrity loss can occur before 8 Gb of data has been exchanged over the security association in one direction (assuming a collision probability of 0.1%).
Conditions:
Use of AES-GCM or GMAC in IPsec.
Impact:
The use of random IVs limits the amount of traffic that can be sent with AES-GCM in IPsec.
Workaround:
The workaround is to limit the amount of traffic per long-lived IPsec security association according to the guidelines above.
A re-key before 10 Gbyte of data has been exchanged is recommended. For a 1 Gbps connection the rekey should happen in under 1 min (100 Mbps -- 15 min, 10 Gbps -- 10 sec).
Fix:
Changed IPsec AES-GCM IV scheme to use a counter-based IV.
This allows the maximum amount of traffic to be sent on the same security association with AES-GCM in IPsec.
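The 0.1%-collision figure in the symptoms above is a birthday-bound estimate on the random IV; the following is an added worked example (not F5 code) that carries the estimate through. It assumes the 8-octet ESP IV of RFC 4106 and a constructed 40-byte minimal packet size, so its results are approximate like the quoted ones.

```python
"""Birthday-bound estimate for random AES-GCM IVs in IPsec ESP.

Added example, not F5 code. Assumptions: the AES-GCM ESP IV is 8 octets
(RFC 4106), and the worst-case packet is a constructed 40-byte minimal
IPv4 packet, which consumes IVs fastest per byte of traffic.
"""
import math

IV_BITS = 64            # RFC 4106: the per-packet ESP IV is 8 octets
MIN_PACKET_BYTES = 40   # assumption: roughly the smallest IPv4 packet


def packets_until_collision(p: float, iv_bits: int = IV_BITS) -> float:
    """Number of random IVs after which the probability that some pair
    collides reaches p, from the birthday approximation
        p ~= 1 - exp(-n^2 / (2 * 2^iv_bits)).
    GCM loses its integrity guarantee as soon as an IV repeats under the
    same key, so this is the usable per-SA packet budget for random IVs."""
    space = 2.0 ** iv_bits
    return math.sqrt(-2.0 * space * math.log1p(-p))


def bytes_until_collision(p: float, packet_bytes: int = MIN_PACKET_BYTES) -> float:
    """One-directional traffic volume (bytes) that carries that many
    packets. Smaller packets mean more IVs per byte, hence the minimal
    size is the conservative case the release note refers to."""
    return packets_until_collision(p) * packet_bytes


def rekey_seconds(budget_bytes: float, link_bps: float) -> float:
    """How long a one-directional SA lasts at a given line rate before
    the traffic budget is spent, i.e. the longest safe rekey interval."""
    return budget_bytes * 8.0 / link_bps


def counter_iv(seq: int) -> bytes:
    """The post-fix scheme in outline: a monotonically increasing 64-bit
    counter never repeats, so the birthday bound above no longer limits
    the SA. The SA must still be rekeyed before the counter wraps."""
    if not 0 <= seq < 2 ** IV_BITS:
        raise ValueError("IV counter exhausted: rekey the SA before it wraps")
    return seq.to_bytes(IV_BITS // 8, "big")


if __name__ == "__main__":
    p = 0.001
    n = packets_until_collision(p)
    vol = bytes_until_collision(p)
    print(f"random 64-bit IVs: {n:.3g} packets reach p={p}")
    print(f"at {MIN_PACKET_BYTES}-byte packets that is {vol / 1e9:.1f} GB one-way")
    for bps in (100e6, 1e9, 10e9):
        print(f"10 GB budget at {bps / 1e9:g} Gbps lasts {rekey_seconds(10e9, bps):.0f} s")
    print("counter IV for packet 1:", counter_iv(1).hex())
```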
598724-1 : Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
Component: TMOS
Symptoms:
Memory is held/leaked in SessionDB because of a poor HA connection. The Active device cannot tell the Standby device that an entry has been deleted, so these entries accumulate on the Standby device, consuming memory that is never released.
Conditions:
A poor HA or insufficient connection exists, one that is not capable of handling the required HA traffic between devices.
Impact:
Eventual out-of-memory errors on standby device.
Workaround:
The mitigation steps in ID 555465 apply to this as well:
You can mitigate by temporarily disabling HA:
- Disable session mirroring: tmsh modify sys db statemirror.mirrorsessions value disable
- Wait a minute for HA connections to stabilize
- Sync the config changes
- Reboot the standby
- Re-enable session mirroring: tmsh modify sys db statemirror.mirrorsessions value enable
Fix:
On the Next Active ("Standby") device, SessionDB will remove all Subkey entries that the Next Active did not receive HA (re)mirror messages for during the HA sync that occurs after an HA (re)connect; the Next Active not receiving a (re)mirror for an entry generally indicates that the entry no longer exists on the Active.
598707-4 : Path MTU does not work in self-IP flows
Component: Local Traffic Manager
Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.
Conditions:
Network flows initiated by the Self IP address (in this case the problem was encountered while running Update Check).
Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.
598700-6 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers
Component: Service Provider
Symptoms:
Messages received by different virtual servers (sharing the same router) are not able to be properly routed using the call-id persistence.
Conditions:
A router with multiple virtual servers bridging between networks is not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.
Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.
Fix:
The fix corrects problems identifying which end of the bidirectional persistence entry the message arrived on, so that it is forwarded to the proper device.
598697-1 : vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★
Component: TMOS
Symptoms:
After installing v12.1.0 on a vCMP host system the guests don't start anymore and remain in "failed" state.
Errors similar to these are logged in the ltm log file:
Jun 10 08:17:22 slot1/VIP4480-R68-S26 crit vcmpd[14354]: 01510003:2: User "qemu" doesn't exist
<..>
Jun 10 08:17:22 slot1/VIP4480-R68-S26 err vcmpd[14354]: 01510004:3: Guest (test-guest): Failure - Error starting VM.
Jun 10 08:17:22 slot1/VIP4480-R68-S26 info vcmpd[14354]: 01510007:6: Guest (test-guest): VS_STARTING->VS_FAILED
Conditions:
Upgrade vCMP host to v12.1.0 or higher
vCMP host system was originally installed with v11.6.0 or older builds.
Impact:
After installing v12.1.0 on a vCMP host system, the guests do not start anymore and remain in "failed" state.
Workaround:
Workaround is to run the following command:
useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
then:
bigstart restart vcmpd
598498-7 : Cannot remove Self IP when an unrelated static ARP entry exists.
Component: TMOS
Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.
Conditions:
Static arp entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. When in this condition, none of the Self IP addresses can be deleted.
Impact:
Must delete static ARP entries in order to delete Self IP addresses.
Workaround:
None.
Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.
598443-1 : Temporary files from TMSH not being cleaned up intermittently.
Component: TMOS
Symptoms:
/var/tmp/tmsh and /var/system/tmp/tmsh can be left with unused directories if TMSH terminates abruptly and does not get a chance to clean them up. The clean_tmsh_tmp_dirs script does not run automatically; it provides a way for you to clean up these directories manually. To execute it, run ./clean_tmsh_tmp_dirs from the bin directory where it is installed and follow the prompts.
Conditions:
This can occur if a running task creates a TMSH tmp file, then gets killed before it finishes its clean-up.
Impact:
This can cause the directories /var/tmp/tmsh and /var/system/tmp/tmsh to fill up and cause out of memory exceptions.
Workaround:
Manually delete all unused files in /var/tmp/tmsh and /var/system/tmp/tmsh.
Fix:
The BIG-IP system now contains a command ("clean_tmsh_tmp_dirs") that can be run to clean-up temporary files in /var/system/tmp/tmsh and /var/tmp/tmsh.
598437-1 : SNMP process monitoring is incorrect for tmm and bigd
Component: TMOS
Symptoms:
The default configuration for SNMP process monitoring causes an error of "Too many bigd running", and "No tmm process running".
snmpwalk -c public -v 2c localhost prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
...
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running
Conditions:
Depending on system capacity and configuration, more than one "bigd" process may be running, resulting in the incorrect report of "Too many bigd running".
The system does not properly count instances of the "tmm" process. In older releases, the system always detected a single "tmm" process, even if more than one existed. In the affected releases, no "tmm" process is detected.
Impact:
SNMP monitoring of system health incorrectly reports error conditions.
Workaround:
For the 'bigd' problem, the administrator can change the process-monitor max-processes setting to allow for more instances of "bigd". For example:
(tmos)# modify sys snmp process-monitors modify { bigd { max-processes infinity } }
max-processes should be set to the same value as the sys dbvar bigdb.numprocs or "infinity" if the dbvar is set to "0", allowing bigd to dynamically adjust the number of processes.
For the tmm process count:
(tmos)# modify sys snmp process-monitors modify { tmm { process tmm.0 max-processes 1 } }
Fix:
The system now correctly counts the number of TMM process instances, which is not the same as the number of TMM threads but is based on the hardware capabilities.
Existing/upgraded configurations need to manually adjust the bigd 'max-processes' attribute as described in the Workaround section. New configurations are configured appropriately.
598294-1 : BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
Solution Article: K17119920
598289-4 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
Component: TMOS
Symptoms:
In tmsh, when trying to add a pool member that has a name in the format <ipv4>:<number>:<service port>, tmsh reports the following error:
Unexpected Error: Syntax Error: A port number or service name is missing for "/Common/192.0.2.1:80:80". Please specify a port number or service name using the syntax "/Common/192.0.2.1:80:80.<port>".
It also corrupts bigip.conf so that it no longer loads.
Conditions:
-- Use tmsh to load configuration.
-- LTM pools have members that have names in the format of: <ipv4>:<number>:<service port>.
Impact:
TMSH fails to load system configuration file.
Workaround:
None.
Fix:
TMSH now supports pool members with names in the format of <ipv4>:<number>:<service port>, so the valid pool member passes TMSH checks without error.
598211-1 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
Component: Access Policy Manager
Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.
Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.
Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.
Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.
when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}
Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.
598134-1 : Stats query may generate an error when tmm on secondary is down
Component: TMOS
Symptoms:
Querying for stats results in an error and further iControl messages are incorrect.
Conditions:
Must be on a chassis. The query must be for stats generated by tmm. A secondary tmm must be down.
Impact:
The iControl session must be restarted.
Workaround:
Ensure all tmms are up and running.
Fix:
The request is handled appropriately even if a tmm is down and no unexpected error is generated.
598110-1 : pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.
Component: Local Traffic Manager
Symptoms:
The pkcs11d daemon shows 'up' when the connections to the HSM are not up and the BIG-IP system is not ready to process traffic.
Conditions:
The connections to the HSM are not up and the BIG-IP system is not ready to process traffic.
Impact:
The pkcs11d daemon shows status as 'up'. Traffic is dropped because the connections to the HSM are not up or the BIG-IP system is not ready to process traffic.
Workaround:
There is no workaround.
Fix:
This release fixes the pkcs11d thread session initialization problem.
598085-2 : Expected telemetry is not transmitted by sFlow on the standby-mode unit.
Component: TMOS
Symptoms:
The expected telemetry is not transmitted by sFlow on the standby-mode unit. In a high-availability (HA)/redundant BIG-IP configuration, standby BIG-IP units are failing to generate sFlow telemetry packets containing unit-specific data.
Conditions:
In a high-availability/redundant BIG-IP configuration with sFlow configured.
Impact:
The sFlow data being transmitted by the standby unit consists of packet samples of the HA Heartbeat traffic, and no other telemetry information.
Workaround:
None.
598052-1 : SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
Component: Local Traffic Manager
Symptoms:
When enabling the SSL Forward Proxy "Cache Certificate by Addr-Port" on the client SSL profile, later flows on cached certificate lookups by "Addr-Port" do not hit the cache.
Conditions:
Enable SSL Forward Proxy and use "Cache certificate by Addr-Port".
Impact:
The client-side certificate lookup fails, which may trigger a server-side SSL handshake.
Fix:
With this fix, the certificate lookup by "Addr-Port" can hit the cache.
598039-6 : MCP memory may leak when performing a wildcard query
Component: TMOS
Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.
Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).
Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).
Workaround:
Do not perform wildcard queries.
Fix:
Stopped MCP leaking when wildcard queries are performed.
598002-10 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
597978-2 : GARPs may be transmitted by active going offline
Component: Local Traffic Manager
Symptoms:
GARPs may be transmitted by the active when going offline. As the standby which takes over for the active will also transmit GARPs, it is not expected that this will cause impact.
Conditions:
Multiple traffic-groups configured and active goes offline.
Impact:
It is not expected that this will cause any impact.
Workaround:
Make the unit standby before forcing offline.
597899-1 : Disabling all pool members may not be reflected in Virtual Server status
Component: Local Traffic Manager
Symptoms:
When all pool members are set to session-disable, the expectation is that persistent connections will be drained, and the Virtual Server should not accept new incoming connections.
- Simply disabling (not forcing down) a node does not bubble up to Pool status, because it switches from Green-Enabled to Green-Disabled (staying green is seen as a non-change).
- Since the Pool enabled/disabled state is not updated, this does not bubble up to the Virtual Server, which also stays Green-Enabled.
Conditions:
-- All pool members are set to session-disable.
-- Persistent connections existing on the associated Virtual Server.
-- New connections to associated Virtual Server.
-- Viewing Virtual Server status.
Impact:
Disabling all members of a Pool may not be reflected in Virtual Server status, indicating it is Green-Enabled when in fact it has been disabled indirectly by disabling all members of the related pool.
Workaround:
N/A
Fix:
When all pool members are disabled via the GUI or tmsh, the Virtual Server shows Green-Disabled (visually represented as gray); it is still able to process traffic from existing connections but does not accept new traffic.
Green-Disabled status roll-up to the Pool (from Pool Member / Node Address) is still necessary. But instead of marking the Virtual Server Yellow, which would stop existing traffic flows on the Virtual Server, the BIG-IP system propagates the Green-Disabled status to the Virtual Server as well.
So in the case where all the Pools associated with a Virtual Server are Green-Disabled (because all the Pool Members for all the Pools are Green-Disabled), the status of the Virtual Server will become Green-Disabled. As soon as any Pool (Pool Member) becomes Green-Enabled, the Virtual Server will also become Green-Enabled.
Note: Green-Disabled shows up as gray in the GUI.
Behavior Change:
When all pool members are set to session-disable, the virtual server state is set to disabled-by-parent, persistent connections will be drained, and the virtual server does not accept new incoming connections.
597879-1 : CDG Congestion Control can lead to instability
Component: Local Traffic Manager
Symptoms:
Debug TMM crashes when the TCP congestion control algorithm allows an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.
Conditions:
Running the Debug TMM with CDG Congestion Control.
Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.
Workaround:
Use a congestion control algorithm other than CDG.
Switch to the default TMM.
Fix:
Fixed congestion window calculation in CDG.
597835-3 : Branch parameter in inserted VIA header not consistent as per spec
Solution Article: K12228503
Component: Service Provider
Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header into SIP request messages. This VIA header is removed from the returned response message. The VIA header contains encrypted routing information used to route the response message. The SIP spec states that all messages in the same transaction should carry the same branch parameter. The code used to encrypt the branch field returns a different value each time.
Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
Impact:
Some servers have code to verify that the branch fields in the VIA header do not change within a transaction. These servers complain when they see the fields change.
Workaround:
None.
Fix:
The system now ensures the branch field in the via header does not change.
597828-1 : SSL forward proxy crashes in some cases
Component: Local Traffic Manager
Symptoms:
SSL forward proxy crashes when a check in the state machine is called with something other than a fwdp lookup result.
Conditions:
SSL forward proxy is enabled.
Impact:
SSL forward proxy crashes sometimes.
Workaround:
None.
Fix:
Fixed a crash in the SSL forward proxy.
597797-4 : Allow users to disable enforcement of RFC 7507 Fallback SCSV
Solution Article: K78449695
Component: Local Traffic Manager
Symptoms:
When RFC 7507 (fallback SCSV) was implemented, some BIG-IP administrators found their TLS/SSL clients were incompatible and could no longer connect to the BIG-IP system.
Conditions:
Client software that attempts to connect to a virtual server using an older, less secure version of the TLS/SSL protocol, for instance, TLS 1.0.
Impact:
Inability to support connections from older TLS/SSL clients that are unable to use the more recent (and more secure) TLS/SSL protocols.
Workaround:
There is no workaround.
Fix:
When SSL.fallback_SCSV is set to disable, the RFC 7507 implementation will be disabled, though it must be acknowledged that this introduces a security hole when negotiating SSLv3.
Behavior Change:
When RFC 7507 was implemented, some BIG-IP administrators found that their SSL clients were incompatible. This change introduces a bigdb variable (SSL.fallback_SCSV) to disable this.
597729-5 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:
1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
597708-4 : Stats are unavailable and vCMP state and status are incorrect
Component: Local Traffic Manager
Symptoms:
Unable to retrieve statistics or statistics are all 0 (zero) when they should not be zero.
This is vCMP related.
Guest virtual-disks always show in-use even when the guest is not in the running state.
When the guest O/S is shut down, the GUI and TMSH do not show accurate information about status.
Conditions:
If a directory is removed from /shared/tmstat/snapshots, the merged daemon might run at 100% CPU utilization and become unresponsive.
Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.
vCMP guest O/S status is reported incorrectly.
Workaround:
If merged has stopped responding, restart the daemon using the following command:
bigstart restart merged
On a chassis with multiple blades or a device with vCMP guests, merged is running on each blade and on each guest. To determine which instance of merged is not responding, ssh to each blade and each vCMP guest, and run the following command to check the CPU utilization of merged:
top -p `pidof merged`
Any merged that has a CPU utilization of over 90% for more than a few seconds is potentially in this state and should be restarted.
To prevent the issue from occurring, disable tmstat snapshots using the following command:
tmsh modify sys db merged.snapshots value false
Fix:
The merged process no longer becomes unresponsive when a directory is removed from /shared/tmstat/snapshots.
597674-1 : TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels.
Component: Access Policy Manager
Symptoms:
TunnelServer crashes during AppTunnel establishment. Network Access goes to the 'Reconnecting' state and then to the 'Disconnected' state.
Conditions:
The crash happens due to a division-by-zero operation when the interval between two events is zero ms. This occurs rarely, and it is not clear under which circumstances/conditions it occurs.
Impact:
Application Tunnel cannot be established.
597532-1 : iRule: RADIUS avp command returns a signed integer
Component: Local Traffic Manager
Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.
Conditions:
iRules using RADIUS::avp to retrieve data.
Impact:
iRules using the RADIUS::avp command will not work as expected.
Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:
ltm rule radius_avp_integer {
    when CLIENT_DATA {
        set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
        set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
    }
}
Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.
Fix:
Ensure that the system uses unsigned integers for RADIUS AVPs.
597471 : Some Alerts are sent with outdated username value
Component: Fraud Protection Services
Symptoms:
User-defined, component validation, and vtrack alerts are sent with an outdated username value.
Conditions:
Log in, then log in again with a different user (under conditions that generate an alert).
Impact:
The alert is sent with the username of the first login.
Fix:
Alert sending is now blocked until parameter processing is done.
597431-2 : VPN establishment may fail when computer wakes up from sleep
Component: Access Policy Manager
Symptoms:
EdgeClient doesn't clean up the routing table before Windows goes into hibernation. This may prevent VPN establishment when the computer wakes up. It may also result in other network connectivity issues.
Conditions:
- VPN connection is not disconnected.
- Computer goes into hibernation.
Impact:
Issues with network connectivity.
Workaround:
Renew the DHCP lease by running:
ipconfig /renew
or reboot the machine.
597394-2 : Improper handling of IP options
Solution Article: K46535047
597309-2 : Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
Component: TMOS
Symptoms:
The Maximum Members Per Trunk limit is 8 or 16, depending on platform. This is due to:
1. The limitation of an SDK from a third party vendor.
2. The number of external interfaces actually provided by the platform.
Conditions:
These platform limits are on the BIG-IP 10000 appliance and B2400, B4300, and B4450 blades.
Impact:
The number of interfaces per trunk is limited to either 8 or 16.
Workaround:
None.
Fix:
New limit of 32 is implemented for the BIG-IP 10000 appliance, and on VIPRION 2400 and VIPRION 4300. New limit 64 is implemented for VIPRION 4450N.
597303 : "tmsh create net trunk" may fail
Component: TMOS
Symptoms:
When a trunk is created with "tmsh create net trunk", with LACP enabled or disabled, the addition of a trunk member may fail. When it fails, log messages similar to the following appear in /var/log/ltm:
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: bs_trunk_addr_set: unit=0 Invalid parameter bs_trunk.cpp(2406)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: Trouble setting trunk 1, unit 0 bs_trunk.cpp(2591)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: SDK error Invalid parameter bs_trunk.cpp(2592)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble setting trunk: unit=0, trunk=testTrunk bs_trunk.cpp(1886)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble adding interface to trunk=testTrunk bsx.c(3109)
Conditions:
The problem tends to happen when a trunk is created right after it is deleted. If you wait for over 30 seconds, it is unlikely to happen.
Impact:
A trunk can't be created, and no trunk members can be added.
Workaround:
Wait for over 30 seconds before adding back the same trunk.
Fix:
A fix is already staged, and may show up in a hot fix later.
597270-2 : tcpdump support missing for VXLAN-GPE NSH
Component: TMOS
Symptoms:
The tcpdump utility does not support VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).
Conditions:
Running tcpdump on BIG-IP systems.
Impact:
No support for VXLAN-GPE NSH.
Workaround:
None.
Fix:
tcpdump now has support for VXLAN-GPE NSH.
Behavior Change:
tcpdump now has support for VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).
597214-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
You can use an iRule to rename field names in the original code.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
597176-1 : Multiple Wireshark (tshark) vulnerabilities
Solution Article: K01837042
597089-8 : Connections are terminated after 5 seconds when using ePVA full acceleration
Component: Local Traffic Manager
Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.
Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.
Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.
Workaround:
Disabling the PVA resolves the issue.
597023-1 : NTP vulnerability CVE-2016-4954
Solution Article: K82644737
597010-1 : NTP vulnerability CVE-2016-4955
Solution Article: K03331206
596997-1 : NTP vulnerability CVE-2016-4956
Solution Article: K64505405
596815-1 : System DNS nameserver and search order configuration does not always sync to peers
Component: TMOS
Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync if modified in the GUI or tmsh modify sys db.
Conditions:
The device is in a failover device group with incremental sync turned on.
In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.
In tmsh, run tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search).
Impact:
Modifications will not change the sync status nor sync the change to peers.
Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.
Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.
Fix:
The sys db variables dns.domainname and dns.nameserver will now always sync across your failover device group.
596814-4 : HA Failover fails in certain valid AWS configurations
Component: TMOS
Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Conditions:
AWS deployments where there are multiple matches for the provided IP address (corresponding to other Amazon VPCs in the same Availability Zone containing unrelated instances but having the same IP address as the BIG-IP's floating IP address).
Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.
Fix:
Failover now narrows network description by filtering with VPC id.
596809-1 : It is possible to create ssh rules with blank space for auth-info
Component: Advanced Firewall Manager
Symptoms:
In tmsh it is possible to create profile actions that contain blank spaces, such as in this example:
create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }
Conditions:
This occurs when creating profile actions.
Impact:
Actions can be created with blank spaces in them when a validation error should be returned instead. These rules also cannot be deleted.
Workaround:
Do not create profile actions with blank spaces.
Fix:
BIG-IP will now throw a validation error if you create a profile action containing only a blank space.
596685-1 : Request Log failure on request with XML format violation
Solution Article: K76841626
Component: Application Security Manager
Symptoms:
When Request Log entry with violations for XML format violation is selected, it cannot be displayed and an error is returned.
Conditions:
Request Log entry with violations for XML format violation is selected.
Impact:
Request Log entry cannot be displayed.
Workaround:
None.
Fix:
Requests with XML format violations are now displayed correctly.
596674-2 : High memory usage when using CS features with gzip HTML responses.
Component: Application Visibility and Reporting
Symptoms:
AVR consumes a lot of memory while trying to decompress responses. This can cause a tmm core under stress traffic.
Conditions:
-- Enabled Dosl7d virtual server with CS features.
-- The server is sending compressed responses.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
High memory usage no longer occurs when using CS features with gzip HTML responses.
596631-2 : SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
Component: Service Provider
Symptoms:
A SIP media flow deny-listener was to have been deleted but an unrelated listener was deleted instead due to an incorrect address/port match.
For example, when the wrongly deleted listener is later meant to be deleted, there might be a SIGFPE with the assertion failure 'Assertion "bound listener" failed.'
Conditions:
A SIP MRF media flow existed and was deleted.
An unrelated flow exists with an address/port with wildcards such that it includes that of the media flow.
Impact:
Later when the wrongly deleted listener is referenced, the TMM crashes.
Fix:
When a SIP media flow deny-listener is searched for deletion, an exact match is required that uniquely identifies the deny-listener, so that an unrelated listener is not deleted.
596603-2 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
Component: TMOS
Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.
Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.
Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.
Workaround:
Choose c4.4xlarge or other instance types in AWS.
Fix:
Issue corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.
596502-1 : Unable to force Bot Defense action to Allow in iRule
Component: Application Security Manager
Symptoms:
When a request is being blocked (or challenged with CAPTCHA) due to being a suspicious browser, the action cannot be forced to allow in the iRule.
Conditions:
This occurs when a bot defense action is triggered on suspicious browser, and you wish to allow the request to go through anyway and not send a RST.
Impact:
The bot defense action cannot be forced to "allow"; the RST is still sent.
596488-1 : GraphicsMagick vulnerability CVE-2016-5118.
Solution Article: K82747025
596450-1 : TMM may produce a core file after updating SSL session ticket key
Component: Local Traffic Manager
Symptoms:
When regenerating SSL session ticket key, TMM may restart unexpectedly, leaving a core file.
Conditions:
When the value of ssl.sessionticketkey.regen is reached (every 3 days by default), TMM will regenerate its SSL session ticket key. This operation may lead to an assert: "shared random data inited".
Impact:
TMM core and restart.
Workaround:
None.
Fix:
Resolved a problem that could cause TMM to restart when regenerating the SSL session ticket key.
596433-3 : Virtual with lasthop configured rejects request with no route to client.
Component: Local Traffic Manager
Symptoms:
A virtual with a lasthop pool configured rejects requests sourced from a MAC address that is not configured in the lasthop pool.
Conditions:
This issue occurs when the following conditions are met:
- Virtual with lasthop pool.
- Connection sourced from a MAC address that is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.
Impact:
Connection is erroneously reset with no route to client.
Workaround:
- Change tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add the IP address of the lasthop member from which the client is originating to the lasthop pool.
596340-8 : F5 TLS vulnerability CVE-2016-9244
Solution Article: K05121675
596242-1 : [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
Solution Article: K17065223
Component: Local Traffic Manager
Symptoms:
An improperly configured master name server for one zone prevents updates to other, properly configured zones from propagating to tmm, thus making DNS Express respond with an old record.
Conditions:
Incorrectly configured DNS zone that cannot get updates correctly.
Impact:
DNS Express responds with previous record after zone transfer.
Workaround:
Correct the configuration on the incorrectly configured zone.
Fix:
DNS Express now responds with current record after zone transfer.
596166-1 : Cannot create email using Address Book
Component: Access Policy Manager
Symptoms:
Cannot create email using Address Book, specifically, the To, Cc, and Bcc buttons do not work.
Conditions:
Attempting to create email using Address Book.
1. Use OWA2010.
2. Navigate to the virtual server.
3. Click logon.
4. Type credentials in the Web App form, and logon to OWA.
5. Click New to create new email.
6. Click To (to open Address Book), click To, Cc, and Bcc to choose highlighted user.
7. Once address is in To field Click OK.
Impact:
The email window is closed and a new empty one is opened. The To, Cc, and Bcc buttons cannot be used to add users.
Workaround:
None.
Fix:
Now, clicking the To, Cc, and Bcc buttons opens a new message window addressed to the specified users.
596116-3 : LDAP Query does not resolve group membership, when required attribute(s) specified
Component: Access Policy Manager
Symptoms:
The corresponding session variable session.ldap.last.memberOf contains only the groups in which the user has explicit membership.
Conditions:
This occurs when the following conditions are met:
-- The APM LDAP Query option "Fetch groups to which the user or group belong" is set to "All".
-- The Required Attribute includes the "memberOf" LDAP attribute.
Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.
Workaround:
Add the following attribute to the "Required Attributes" list:
"objectClass"
If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:
"primaryGroupID"
Note: Adding the "primaryGroupID" attribute causes APM to fetch all groups from Microsoft Active Directory, including the primary group.
Fix:
LDAP Query now retrieves groups from the backend server in accordance with the option "fetch groups to which the user or group belong", regardless of whether any required attributes are set.
596104-1 : HA trunk unavailable for vCMP guest★
Solution Article: K84539934
Component: TMOS
Symptoms:
If a vCMP guest is configured with a high availability (HA) trunk with a threshold value greater than 0, the HA trunk configuration fails with a message similar to the following:
err mcpd[5926]: 01071569:3: Ha group ha_group threshold for trunk _your_trunk_name_here_ 1 is greater than the maximum number of members 0.
Conditions:
This occurs when an HA trunk is configured on a vCMP guest with a threshold value greater than 0. This may occur by any of the following means:
1) Attempting to upgrade a guest to an affected version of BIG-IP, with an HA trunk configured with a threshold value greater than 0. The upgrade fails with the indicated error message.
2) Attempting to load a UCS from a guest with an HA trunk configured with a threshold value greater than 0. The UCS load fails with the indicated error message.
3) Creating an HA group and then attempting to modify the threshold value for the HA trunk. The modify command fails with the indicated error message.
Impact:
HA trunks do not work.
You cannot upgrade the vCMP guest to an affected version of BIG-IP or load a configuration with an HA trunk configured with a threshold value greater than 0.
Workaround:
To allow the upgrade to succeed or the configuration to load, configure the HA trunk threshold to 0.
Important! This disables the HA trunk feature.
Fix:
HA trunks with a threshold value greater than 0 are supported on vCMP guests.
596083-1 : Error running custom APM Reports with "session creation time" on Viprion Platform
Component: Access Policy Manager
Symptoms:
An error is encountered when running custom APM Reports with "session creation time" on the Viprion Platform.
Conditions:
- On Viprion platform
- Create an APM custom report
- Select "Session creation time" field
- Run the report
Impact:
Custom APM reports cannot be run on the Viprion platform.
596067-2 : GUI on VIPRION hangs on secondary blade reboot
Component: TMOS
Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.
Conditions:
It is not known exactly what triggers this, as it is a race condition that occurs on system start, but it is believed that Enterprise Manager querying the VIPRION for non-chunked statistics while the blade(s) have not fully started triggers this condition.
Impact:
GUI becomes unresponsive.
Workaround:
Running bigstart restart httpd clears this condition if it occurs.
595900-4 : Cookie Signature overrides may be ignored after Signature Update
Solution Article: K11833633
Component: Application Security Manager
Symptoms:
Cookie Signature overrides may be ignored after Attack Signature Update.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP ASM security policy is configured with an allowed cookie where Check attack signatures on this cookie is cleared (disabled).
-- You install a Security Update Attack Signatures file.
-- Your BIG-IP ASM system processes traffic that matches an attack signature for the URL or cookie that is configured with the attack signature override.
Impact:
The system detects an attack signature violation for the object.
Workaround:
To work around this issue, you can modify the security policy settings and override (disable) the ability to check attack signatures on cookies. To do so, perform the following procedure in accordance with the object that is affected in your security policy:
Impact of workaround: Performing the following procedures should not have a negative impact on your system.
Disabling Check attack signatures on cookies
The following procedure disables checking of attack signatures for the allowed cookie.
1. Log in to the Configuration utility.
2. Navigate to Security :: Application Security :: Headers :: Cookie List.
3. Click the Allowed Cookies tab.
4. Click the name of the cookie.
5. Click the Attack Signatures tab.
6. Clear the Attack Signatures box.
7. Click Update.
8. Click Apply Policy.
Fix:
Cookie Signature overrides are observed correctly, even after Signature Update.
595819-1 : Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached
Component: Access Policy Manager
Symptoms:
Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached.
Conditions:
This occurs when the following conditions are met:
- An HTTP/2 enabled browser is in use.
- APM and HTTP/2 are enabled on the same virtual.
Impact:
APM statistics for bytes in and out are not updated.
Workaround:
None.
Fix:
Access session 'Bytes In' and 'Bytes Out' are now updated when accessed with an HTTP/2 enabled browser and HTTP/2 profile attached.
595783 : Changing console baud rate for B2100, B2150 and B2250 blades does not work
Component: TMOS
Symptoms:
Changing the console baud rate does not take effect and leaves the setting unchanged.
Conditions:
Whenever the console baud rate is changed via tmsh, GUI, or iControl on the VIPRION B2100, B2150 and B2250 blades.
Impact:
Changing the console baud rate causes the front panel display manager to restart and does not actually modify the baud rate.
Workaround:
None.
Fix:
Added the needed object to the global config map for VIPRION B2100, B2150 and B2250 blades, so the modify message no longer fails the object lookup.
595773-4 : Cancellation requests for chunked stats queries do not propagate to secondary blades
Component: TMOS
Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.
Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).
Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.
Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.
595712-1 : Not able to add remote user locally
Component: TMOS
Symptoms:
When a user has logged in remotely, using tmsh to add a user with the same name will fail:
01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.
Conditions:
Remote authentication is configured and a remote user has logged in.
Impact:
Changing remote user to local fails.
Workaround:
Use "replace-all-with" for partition access:
create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}
595693 : Incorrect PVA indication on B4450 blade
Component: TMOS
Symptoms:
When you run guishell -c "select HAS_PVA, PVA_VERSION from platform" on a B4450 blade (which includes PVA), the output indicates that it does not have PVA.
Conditions:
This occurs when looking at platform information on B4450 blades.
Impact:
PVA acceleration is not detected properly.
Fix:
PVA service is now indicated properly on the B4450 blade.
595605 : Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★
Component: TMOS
Symptoms:
An upgrade to BIG-IP v12.0.0 will fail when all of the following conditions are met:
- AVR provisioned.
- Upgrading to v12.0.0 from the following versions:
  - 11.6.1
Certain engineering hotfixes are also affected.
Conditions:
The following Engineering Hotfixes are affected.
- 11.6.0-hf5 EHF index 110 (Hotfix-BIGIP-11.6.0.5.110.429-HF5-ENG.iso)
- 11.6.0-hf5 EHF Index 214
- 11.6.0-hf5 EHF index 233
- 11.6.0-hf6 EHF index 240
11.6.1 is also affected.
Impact:
The upgrade to 12.0.0 will succeed but the configuration will fail to load.
This can be detected by running tmsh load sys config verify. You will see the following signature:
Unexpected Error: "Can't load keyword definition (analytics-report.device_group)"
Workaround:
12.1.1 is schema compatible with 11.6.1, so upgrade to 12.1.1 instead.
595394-3 : Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★
Component: TMOS
Symptoms:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.
Conditions:
11.5.x/11.6.x Hourly Billing instances with multiple NICs attached.
Impact:
User might not be able to log-in to the instance.
Workaround:
Rebooting the instance corrects the problem.
Fix:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x works with new Hourly billing licenses.
595317-4 : Forwarding address for Type 7 in ospfv3 is not updated in the database
Component: TMOS
Symptoms:
The ospf nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed.
Conditions:
Remove the global address on the forwarding interface.
Impact:
The packets are sent to an incorrect interface.
Workaround:
clear ipv6 ospf process
Fix:
The ospf nssa-external database now shows the correct forwarding address when the global address on the forwarding interface is changed.
595293-4 : Deleting GTM links could cause gtm_add to fail on new devices.
Component: Global Traffic Manager (DNS)
Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.
Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted
Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.
Workaround:
None
Fix:
Clean up all aspects of a GTM link when it is deleted.
595281-1 : TCP Analytics reports huge goodput numbers
Component: Local Traffic Manager
Symptoms:
TCP Analytics reports that 2^32 bytes have been delivered, rather than 0.
Conditions:
When the serverside connection attempt fails.
Impact:
TCP Analytics stats are inaccurate.
Fix:
Handle the failed connection case properly.
595275-5 : Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
Component: Local Traffic Manager
Symptoms:
Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN when pool goes empty.
Conditions:
This occurs when the configuration contains a pool with only one FQDN pool member.
Impact:
VIP can go briefly RED and offline.
Workaround:
Configuring a fallback static IP node or multiple FQDN pool members removes this risk.
595272-1 : Edge client may show a window displaying plain text in some cases
Component: Access Policy Manager
Symptoms:
In a captive portal environment, the Edge client may sometimes show a window with plain text content.
Conditions:
The Edge client is launched while the user's machine is inside a captive portal network.
Impact:
User may not be able to establish the VPN.
Workaround:
Authenticate to the captive portal using a browser, then launch the Edge client again.
595242-1 : libxml2 vulnerabilities CVE-2016-3705
Solution Article: K54225343
595231-1 : libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
Solution Article: K54225343
595227-1 : SWG Custom Category: unable to have a URL in multiple custom categories
Component: Access Policy Manager
Symptoms:
When configuring a URL in multiple categories, you receive a validation error message:
May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (http://172.16.20.1/*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1).
Conditions:
Configuring the same URL in multiple custom categories.
Impact:
Unable to have the same URL in multiple custom categories, and therefore cannot configure the system to have a URL allowed for one group but not for another.
Workaround:
None
Fix:
The validation that prevented configuring the same URL in multiple custom categories has been fixed.
594910-1 : FPS flags no cookie when length check fails
Component: Fraud Protection Services
Symptoms:
You see No Cookie errors for validation errors other than No Cookie.
Conditions:
Malformed component validation cookie
Impact:
No Cookie errors are counted when the validation error was not due to No Cookie.
Workaround:
None.
Fix:
Fixed an issue with No Cookie error counting.
594869-4 : AFM can log DoS attack against the internal mpi interface and not the actual interface
Component: Advanced Firewall Manager
Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.
Conditions:
This can occur in CMP-enabled systems.
Impact:
A valid DoS attack will be misreported.
594751-3 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
Solution Article: K90535529
Component: Local Traffic Manager
Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.
Conditions:
1. LLDP is enabled globally and per interface.
2. Interfaces are added to a trunk after it has already been assigned to a VLAN.
For instance, assume the following sequence of commands was used to create an LLDP trunk:
tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }
The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.
Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.
Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.
If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
bigstart restart lldpd
Fix:
VLANs are now properly applied to any interfaces added to a trunk if the trunk already belongs to any VLANs.
594642-3 : Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
Component: Local Traffic Manager
Symptoms:
Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
Conditions:
Stream filter is active during low memory situations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.
594496-1 : PHP Vulnerability CVE-2016-4539
Solution Article: K35240323
594426-2 : Audit forwarding Radius packets may be rejected by Radius server
Component: TMOS
Symptoms:
The Accounting-Request packets are missing two required AVPs (Attribute Value Pair), Acct-Session-ID and Acct-Status-Type. Some Radius servers drop Radius Accounting-Requests which are missing these AVPs.
Conditions:
Configured to use audit forwarding with radius and audit messages are not logged on the Radius server.
Impact:
Unable to log audit messages from BIG-IP using audit forwarding.
594366-1 : Occasional crash of icrd_child when BIG-IP restarts
Solution Article: K21271097
Component: TMOS
Symptoms:
When BIG-IP restarts (bigstart restart), or when restjavad restarts (bigstart restart restjavad), there is an occasional crash of the icrd_child thread.
Conditions:
When BIG-IP restarts (bigstart restart), or when restjavad restarts. No other specific conditions.
Impact:
Occasional crash/SEGV exception.
Workaround:
Restart restjavad (bigstart restart restjavad).
Impact of workaround: The iControl REST API for making queries or modifications is temporarily unavailable while the restjavad service restarts.
Fix:
A different approach to handling thread termination has been implemented. The new approach correctly terminates zombie processes and does not cause a SEGV.
594302-1 : Connection hangs when processing large compressed responses from server
Component: Local Traffic Manager
Symptoms:
When large compressed responses are sent by the server, the connection hangs when trying to send decompressed content to the client.
Conditions:
An LTM policy which enforces decompression for responses is attached to the virtual server. The virtual server also has http compression profile attached to it. Server sends large compressed responses.
Impact:
Connection hangs when trying to process the compressed response in order to send decompressed content to client.
Fix:
The large compressed responses are successfully processed and no connection hangs are seen.
594288-1 : Access profile configured with SWG Transparent results in memory leak.
Component: Access Policy Manager
Symptoms:
Access profile configured with SWG Transparent results in memory leak.
Conditions:
Create an access profile of type SWG Transparent, and assign to a virtual. Run traffic through this virtual.
Impact:
TMM leaks memory.
Workaround:
None
Fix:
Fixed the memory leak caused by access filter for SWG transparent use case.
594127-2 : Pages using Angular may hang when Websafe is enabled
Component: Fraud Protection Services
Symptoms:
Pages using Angular may not load correctly when the Websafe "inject Javascript into page" option is enabled.
Conditions:
Application using Angular.js.
Websafe: "inject Javascript into page" is enabled.
Impact:
Page does not load fully.
Fix:
Websafe no longer changes the page's "documentMode".
594075-2 : Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
Component: Advanced Firewall Manager
Symptoms:
With pccd.alwaysfromscratch set to true, the blob doesn't compile and pccd restarts periodically when firewall rules are modified.
Conditions:
1. pccd.alwaysfromscratch is set to true (default value is false)
2. Modify some firewall rules.
Impact:
The blob doesn't compile and pccd keeps restarting without loading new rules.
Workaround:
Remove saved blob files in /var/pktclass/ (rm -f /var/pktclass/*) and restart pccd.
594064-2 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
Solution Article: K57004151
Component: Local Traffic Manager
Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.
Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.
Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>
Typical examples of missing packets include:
-- Serverside syn and syn-ack from FastL4 TCP traffic.
-- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.
Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').
Fix:
tcpdump now successfully captures the first serverside packets.
593925-1 : ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
Component: Advanced Firewall Manager
Symptoms:
When attempting to delete a rule for an ssh profile and committing the changes in the GUI, you get an error: "Operation is not supported on property /security/ssh/profile/~Common~ssh-test/rules."
Conditions:
This occurs if you previously created ssh profile rules that contain spaces in them, such as this example:
create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }
Impact:
Unable to delete the rules.
Fix:
You can now delete ssh profile rules that contain spaces.
593696-1 : Sync fails when deleting an ssh profile
Component: Advanced Firewall Manager
Symptoms:
After creating an ssh profile and successfully syncing it to the sync group, you later delete the profile and sync fails with this error on the target device:
"err mcpd[5178]: 01071488:3: Remote transaction for device group /Common/syncme to commit id 6 6285666289815053813 /Common/bigip2.mysite.com 0 failed with error 01071aaf:3: SSH profile: [/Common/ssh1] default actions is required and cannot be removed."
Conditions:
This is triggered when deleting an ssh profile that has been synced in a sync group. Sync group is configured for manual sync. It is not known if automatic sync also exhibits this behavior.
Impact:
Sync fails.
593530-6 : In rare cases, connections may fail to expire
Solution Article: K26430211
Component: Local Traffic Manager
Symptoms:
Connections have an idle timeout of 4294967295 seconds.
Conditions:
Any IP (ipother) profile is assigned to virtual server.
Impact:
Connections may linger.
Workaround:
None.
Fix:
Fixed idle initialization error when using Any IP (ipother) profile.
593447-1 : BIG-IP TMM iRules vulnerability CVE-2016-5024
Solution Article: K92859602
593390-4 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
Component: Local Traffic Manager
Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.
Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.
Impact:
Higher memory usage than necessary.
Workaround:
Always have iRules select profiles using the complete path.
Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path prior to looking it up, so there is no potential of instantiating another version of the profile, so no memory issue occurs.
593355 : FPS may erroneously flag missing cookie
Component: Fraud Protection Services
Symptoms:
You see Missing Cookie errors for validation errors other than Missing Cookie.
Conditions:
Any component validation error.
Impact:
Missing Cookie errors are counted when the validation error was not due to Missing Cookie.
Workaround:
None.
Fix:
Fixed an issue with Missing Cookie error counting.
593139-9 : glibc vulnerability CVE-2014-9761
Solution Article: K31211252
593137-1 : userDefined property for bot signatures is not shown in REST
Component: TMOS
Symptoms:
The user defined property of the signature is not exposed in iControl REST.
Conditions:
Attempting an iControl REST API call to see a signature.
Impact:
The userDefined field is not shown. Impacts external interfaces interacting with the BIG-IP configuration and expecting to see a field and a value there.
Workaround:
None.
Fix:
The userDefined field now exists and holds a true/false value.
593078-1 : CATEGORY::filetype command may cause tmm to crash and restart
Component: Access Policy Manager
Symptoms:
If an iRule uses the CATEGORY::filetype command, tmm may eventually fail and restart.
Conditions:
This can occur when using the CATEGORY::filetype iRule command under normal operation.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash in CATEGORY::filetype.
593070-2 : TMM may crash with multiple IP addresses per session
Component: Policy Enforcement Manager
Symptoms:
TMM crash
Conditions:
A session with multiple IP addresses that uses PCRF communication for dynamic policy management may crash due to a race condition.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Check for timer expiration prior to processing the timer.
592871-3 : Cavium Nitrox PX/III stuck queue diagnostics missing.
Component: Local Traffic Manager
Symptoms:
Diagnostics tool to investigate rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.
Conditions:
A system with Cavium Nitrox PX/III chip(s), which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, hits a rare issue that logs a "request queue stuck" message in /var/log/ltm.
Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.
Workaround:
None.
Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.
592870-2 : Fast successive MTU changes to IPsec tunnel interface crashes TMM
Component: TMOS
Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.
Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.
Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).
592868-3 : Rewrite may crash processing HTML tag with HTML entity in attribute value
Component: Access Policy Manager
Symptoms:
If an HTML page contains HTML entities in attribute values, rewrite may crash while processing the page.
Conditions:
An HTML tag like this:
<script src=" " type="text/javascript"></script>
Impact:
Web application may not work correctly.
Workaround:
In most cases, the HTML entities can be replaced with the corresponding characters using an iRule.
Fix:
Now rewrite correctly handles HTML entities in attribute values.
592854-1 : Protocol version set incorrectly on serverssl renegotiation
Component: Local Traffic Manager
Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.
Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.
Impact:
Protocol field is invalid (0), and the server will reset the connection.
Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.
592784-2 : Compression stalls, does not recover, and compression facilities cease.
Component: Local Traffic Manager
Symptoms:
Compression stalls, does not recover, and compression facilities may cease.
Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).
Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.
Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.
Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.
592731-1 : Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
Solution Article: K34220124
Component: Local Traffic Manager
Symptoms:
Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
Conditions:
In case of heavy SSL traffic, Cavium Nitrox SSL hardware accelerator card might need more time than the default interval to complete the encryption or decryption.
Impact:
The /var/log/ltm log contains the following message: Hardware Error(Co-Processor): n3-crypto1 request queue stuck. tmm will be in failure state.
Workaround:
Use tmsh to increase the device.request.timeoutfactor db variable to allow more time for encryption or decryption to complete. For example, to increase device.request.timeoutfactor to 200, run the following command: tmsh modify sys db device.request.timeoutfactor value 200.
To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system.
Note: Traffic is disrupted during restarts.
Fix:
The default value of device.request.timeoutfactor is now sufficient to allow the Cavium Nitrox SSL hardware accelerator card to complete the encryption or decryption as expected.
592716-1 : BMC timezone value was not being synchronized by BIG-IP
Component: TMOS
Symptoms:
You notice that errors on the LCD have an incorrect timestamp compared to what is reported in BIG-IP.
Conditions:
This can occur when running the 12.1.1 base release on the BIG-IP i-Series platforms.
Impact:
Timestamp is reported in the wrong time zone.
Fix:
Fixed an issue with incorrect timestamp reporting on the LCD display.
592699-3 : IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
Component: Local Traffic Manager
Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.
Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.
Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.
Workaround:
Disable TSO for IPv6 at the command line by running the following command: ethtool -K tmm tso off.
Note: This command must be run each time after reboot.
Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.
592682-1 : TCP: connections may stall or be dropped
Component: Local Traffic Manager
Symptoms:
TCP connections stall or get dropped.
Conditions:
Under some network conditions, especially with rateshaper enabled, a TCP connection could stall and ultimately get reset.
Impact:
This usually happens with rateshaper or BWC enabled. Rarely, it can also happen on very lossy networks.
Fix:
Properly manage re-transmissions after a tail drop by not doing the exponential back-off. Reset the re-transmit timer for every partial ack received after a tail drop.
592497-1 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
Component: Local Traffic Manager
Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.
Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.
Impact:
In rare cases, tmm might run at 100% CPU.
Workaround:
None.
Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.
592485 : Linux kernel vulnerability CVE-2015-5157
Solution Article: K17326
592414-4 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
Component: Access Policy Manager
Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.
Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.
Impact:
Web application malfunction.
Workaround:
None.
Fix:
Fixed.
592363 : Remove debug output during first boot of VE
Component: TMOS
Symptoms:
There was unneeded debug output during the first boot of VE on Cloud deployments.
Conditions:
Cloud deployment - AWS and Azure.
Impact:
Extra debug output on first boot.
Fix:
Debug output was removed.
592354 : Raw sockets are not enabled on Cloud platforms
Component: TMOS
Symptoms:
Cloud VMs come configured with UNIC driver instead of using raw sockets.
Conditions:
Cloud deployment - AWS and Azure.
Impact:
UNIC is used instead of raw sockets.
Workaround:
Manually disabling unic driver will force raw sockets to be used.
Fix:
Enabled raw sockets by default on Cloud deployments.
592344-2 : NTP Security Updates
Component: TMOS
Symptoms:
It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)
A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)
An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)
A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)
A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)
It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)
It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)
It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)
It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-7703)
Conditions:
NTP enabled.
Impact:
ntpd crash.
Workaround:
None.
Fix:
NTP updates applied via RHSA-2016:0780.
592320-5 : ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
Component: TMOS
Symptoms:
When a fastL4 profile's pva-offload-state is set to establish (the default is embryonic), the corresponding UDP virtual server using that profile won't offload UDP traffic, which causes performance degradation.
Conditions:
This issue is introduced during v12.0.0 development and only impacts v12.1.0 and v12.1.1 releases.
A fastL4 UDP virtual server is using a fastL4 profile that has pva-offload-state set to establish.
Impact:
Performance degradation.
Workaround:
Use default setting for pva-offload-state of embryonic for fastL4 profile.
Fix:
With the fix in 12.1.2 and 13.0.0, ePVA will offload UDP traffic when pva-offload-state is set to establish.
592274-3 : RAT-Detection alerts sent with incorrect duration details
Component: Fraud Protection Services
Symptoms:
If a remote access trojan (RAT) detection alert is encountered immediately upon initialization, the timestamp of the alert will be incorrect.
Conditions:
-- Enable RAT detection.
-- RAT detection alert is encountered within 5 seconds of initialization.
Impact:
RAT-detection alerts sent with incorrect duration details, and false-positives for RAT keyboard alerts.
Workaround:
None.
Fix:
When a RAT Detected alert is generated within 5 seconds of page load, the actualCounter value in the alert details is now less than 5 seconds, for example:
"timeToResetCounter":5000,"actualCounter":4296
592113-5 : tmm core on the standby unit with dos vectors configured
Component: Advanced Firewall Manager
Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause a core dump.
Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured.
Impact:
Traffic disrupted while tmm restarts.
592070-5 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
Component: Policy Enforcement Manager
Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.
Conditions:
DHCP virtual created in a non-local traffic group.
Impact:
Variable sharing in the TCL context will not work.
Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.
Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.
592001-1 : CVE-2016-4073 PHP vulnerabilities
Solution Article: K64412100
591918-2 : ImageMagick vulnerability CVE-2016-3718
Solution Article: K61974123
591908-2 : ImageMagick vulnerability CVE-2016-3717
Solution Article: K29154575
591894-2 : ImageMagick vulnerability CVE-2016-3715
Solution Article: K10550253
591881-1 : ImageMagick vulnerability CVE-2016-3716
Solution Article: K25102203
591840-1 : encryption_key in access config is NULL in whitelist
Component: Access Policy Manager
Symptoms:
encryption_key in the access config is sometimes NULL when applying the 404 whitelist action, which results in a TMM crash.
Conditions:
All the following must be true:
- Access policy action resulted in a "not found".
- The session corresponding to above action must be expired.
- FIPS platform.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Data required to serve a "not found" action is retrieved and made available early so that such responses can be served correctly.
591828-4 : For unmatched connection, TCP RST may not be sent for data packet
Solution Article: K52750813
Component: Advanced Firewall Manager
Symptoms:
When a TCP connection times out (no entry in 'show sys conn') and a subsequent data packet comes in (not a SYN), the BIG-IP system does not send a RST to the client to reset the connection.
Conditions:
This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning).
-- Packets other than SYN with no entry in the connection table arrive.
This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.
Impact:
Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.
Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.
Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).
Fix:
The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.
591806-8 : ImageMagick vulnerability CVE-2016-3714
Solution Article: K03151140
591767-8 : NTP vulnerability CVE-2016-1547
Solution Article: K11251130
591733-4 : Save on Auto-Sync is missing from the configuration utility.
Solution Article: K83175883
Component: TMOS
Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.
Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.
Impact:
The option cannot be configured from the GUI; you need TMSH access to the BIG-IP system to perform this task.
Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.
Fix:
This release adds the per-device-group save-on-auto-sync flag to the GUI: the flag now appears in the GUI and saves correctly.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.
Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".
591732-2 : Local password policy not enforced when auth source is set to a remote type.
Component: TMOS
Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.
Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.
2) The auth source is set to a remote source, such as LDAP, AD, TACACS.
Impact:
The system does not enforce any of the non-default local password policy options.
For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.
As another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).
Workaround:
None.
591666-3 : TMM crash in DNS processing on TCP virtual with no available pool members
Component: Local Traffic Manager
Symptoms:
TMM crash when processing requests to a DNS virtual server.
Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.
Ensure datagram LB mode is enabled on UDP DNS virtuals.
Fix:
Product corrected to prevent crash when there are no available members.
591659-5 : Server shutdown is propagated to client after X-Cnection: close transformation.
Solution Article: K47203554
Component: Local Traffic Manager
Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.
Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.
Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.
Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.
Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.
591590-1 : APM policy sync results are not persisted on target devices
Component: Access Policy Manager
Symptoms:
Policy sync results, including the profile, sync folder, new partition, statuses, and history, are not persisted on target devices after sync when there is no LSO resolution.
Conditions:
1. Create an APM policy with no LSO to resolve, or have an APM policy that has LSO resolved by the previous sync.
2. Start a policy sync.
Impact:
Sync results including the policy profiles are not persisted, so when the BIG-IP system restarts, all the sync data will be lost.
Workaround:
Run tmsh command to save config:
tmsh save sys config
Fix:
Policy sync result will be persisted on target devices so even when those devices restart, the data will still be there.
591495-2 : VCMP guests sflow agent can crash due to duplicate vlan interface indices
Component: TMOS
Symptoms:
When a VCMP guest uses sflow, the sflow agent will crash when it tries to add a row to its internal data structure and finds the key already exists for some other entry.
Conditions:
This issue can occur on systems with VCMP guests; it is more likely to occur with a higher number of cores.
Impact:
sflow agent will crash.
Fix:
Make sure the allocated interface index for a vlan is not already taken by another interface object.
591476-7 : Stuck crypto queue can erroneously be reported
Solution Article: K53220379
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based platforms (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log, followed by a tmm crash: Device error: crypto codec cn-crypto-0 queue is stuck.
Conditions:
-- Running on one of the following platforms:
+ BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx
+ VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover. Traffic disrupted while tmm restarts.
Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:
tmsh modify sys db crypto.queue.timeout value 0
To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system.
Note: Traffic is disrupted during restarts.
Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.
591455-7 : NTP vulnerability CVE-2016-2516
Solution Article: K24613253
591447-1 : PHP vulnerability CVE-2016-4070
Solution Article: K42065024
591438-7 : PHP vulnerability CVE-2015-8865
Solution Article: K54924436
591358-1 : Oracle Java SE vulnerability CVE-2016-3425
Solution Article: K81223200
591343-5 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
Solution Article: K03842525
Component: Local Traffic Manager
Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.
Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.
Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.
Workaround:
None.
Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.
591328-7 : OpenSSL vulnerability CVE-2016-2106
Solution Article: K36488941
591325-8 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
Solution Article: K75152412
591268-1 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
Component: Access Policy Manager
Symptoms:
The VS hostname is not resolvable when the DNS Relay proxy is installed and running under certain conditions; this depends on the client machine configuration. Symptom: a negative record in the Windows DNS cache, which can be verified by running ipconfig /displaydns.
Conditions:
Specific client machine configuration
Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue
Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service
Fix:
The DNS Relay proxy service now cleans up the DNS cache after initialization, mitigating the issue described.
591261 : BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
Component: TMOS
Symptoms:
The BIG-IP VPR-B4450N blade does not show the correct Object ID for SNMP. An SNMP query will return "unknown".
Conditions:
This issue may occur on VIPRION B4450N blades running affected versions of BIG-IP software.
Impact:
Some network management applications may complain and fail.
Workaround:
None.
Fix:
A new SNMP Object ID is added to TMOS v12.1.1 for VPR-B4450N.
591246-1 : Unable to launch View HTML5 connections in non-zero route domain virtual servers
Component: Access Policy Manager
Symptoms:
Currently APM always attempts to use route domain 0 when the VMware View HTML5 client is launched.
This doesn't work with the virtual servers in non-zero route domains.
Conditions:
APM configured as a PCoIP proxy on a VS in non-zero route domain.
Impact:
You cannot use virtuals in non-zero route domains if they need VMware View HTML5 client functionality.
Fix:
APM now uses the proper route domain from the virtual server to handle VMware View HTML5 client connections.
591139 : TMM QAT segfault after zlib/QAT compression conflation.
Component: Local Traffic Manager
Symptoms:
TMM can segfault during prolonged mixture of software and hardware accelerated compression.
Conditions:
Continuous and prolonged mixture of software and hardware accelerated compression.
Impact:
TMM segfaults.
Workaround:
Disable hardware accelerated compression with:
tmsh modify sys db compression.strategy value speed
Fix:
TMM QAT compression added pointer-hardening for compression context.
591119 : OOM with session messaging may result in TMM crash
Component: TMOS
Symptoms:
Under out of memory conditions, session messaging may not initialize storage correctly, resulting in a later TMM crash.
Conditions:
Under out of memory conditions, memory allocation for session messaging fails, and storage is not initialized correctly.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Reduce load on box in order to avoid OOM conditions.
Fix:
Initialize storage on memory allocation failure.
591117-3 : APM ACL construction may cause TMM to core if TMM is out of memory
Component: Access Policy Manager
Symptoms:
During ACL construction, TMM sends queries regarding assigned ACL information. If the reply message contains an out-of-memory error, TMM does not handle this error message properly, which causes TMM to core.
Conditions:
BIG-IP is extremely loaded and out of memory.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.
591104-1 : ospfd cores due to an incorrect debug statement.
Component: TMOS
Symptoms:
ospfd cores due to an incorrect debug statement.
Conditions:
This occurs in NSSA configurations when ASE OSPF debugging is enabled in imish (for example, by running the command: debug ospf route ase). The affected debug commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.
Impact:
ospfd might crash, interrupting dynamic routing.
Workaround:
Do not enable debugging in ospf that includes 'route ase'.
Fix:
ospfd no longer crashes when debugging is enabled in imish.
591042-17 : OpenSSL vulnerabilities
Solution Article: K23230229
591039 : DHCP lease is saved on the Custom AMI used for auto-scaling VE
Component: TMOS
Symptoms:
When configuring an instance for auto-scaling purposes and subsequently generating the Custom/Model AMI used for auto-scaling VEs, new instances generated from this image might retain the old DHCP lease acquired by the custom instance before the AMI was generated from it. This can collide with the new lease that the new instances get during boot-up.
Conditions:
This occurs when Auto-scaling VEs.
Impact:
Multiple valid dhclient leases exist, which could result in dhclient on the BIG-IP system choosing the wrong IP address for the management interface.
Workaround:
Delete the /var/lib/dhclient/dhclient.leases before shutting down the custom instance and generating a Custom/Model AMI out of it.
Fix:
Auto-scaling AMIs no longer contain a DHCP lease when they are saved.
590993 : Unable to load configs from /usr/libexec/aws/.
Component: TMOS
Symptoms:
In 12.1.0, a new tmsh object 'sys global-settings file-whitelist-path-prefix' controls the path from which config can be loaded. To be allowed as a config storage location, the path must exist in file-whitelist-path-prefix. Because /usr/libexec/ is not part of the path, loading auto-scaling and CloudWatch iCall configuration files from /usr/libexec/aws/ fails.
Conditions:
The issue occurs with AWS auto-scaling- and CloudWatch-related configuration files in TMOS v12.1.0.
Impact:
AWS auto-scaling-related automation and CloudFormation Templates (CFTs) for deploying BIG-IP will not work because 'sys global-settings file-whitelist-path-prefix' disallows /usr/libexec/aws/ as a legitimate config location.
Workaround:
To work around this, add /usr/libexec/aws/ into the 'sys global-settings file-whitelist-path-prefix'. To do so, run the following tmsh command:
tmsh modify sys global-settings file-whitelist-path-prefix "{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/libexec/aws}"
Fix:
Starting in 12.1.0-HF1, F5 Networks has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.
Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.
12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.
Behavior Change:
Starting in 12.1.0-HF1, the system has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.
Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.
12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.
590992-3 : If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working
Component: Access Policy Manager
Symptoms:
- If an IP address on an interface changes after the connection to APM is established, DNS resolution stops working if the DNS on that adapter has not changed.
- DNS resolution stops working until DNS relay proxy service is restarted or stopped.
Conditions:
- Using Microsoft Windows version 10.
- Split tunneling configuration with split DNS scope.
- IP address on the network adapter changes after the connection to APM is established, but the DNS on that adapter remains unchanged.
- This might also occur when adapter 1 goes down and adapter 2 with same DNS as adapter 1 comes up.
Impact:
DNS resolution stops working until DNS relay proxy is stopped or restarted.
Workaround:
Stop or restart DNS relay proxy.
Fix:
This issue has been fixed.
590938-3 : The CMI rsync daemon may fail to start
Component: TMOS
Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.
Conditions:
The rsync daemon failed unexpectedly.
Impact:
Sync of file objects will fail with an error like this:
01070712:3: Caught configuration exception (0), Failed to sync files...
Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.
590904-1 : New HA Pair created using serial cable failover only will remain Active/Active
Component: TMOS
Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.
Conditions:
Create a new sync-failover device-group without enabling network failover.
Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.
Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.
Fix:
After creating the sync-failover group without network failover configured, but with a serial failover cable installed, one of the devices becomes Standby and the other remains Active.
590840-2 : OpenSSH vulnerability CVE-2015-8325
Solution Article: K20911042
590820-3 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Component: Access Policy Manager
Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.
Impact:
Very low web application performance when using Microsoft Internet Explorer.
Workaround:
None.
Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.
590805-4 : Active Rules page displays a different time zone.
Component: Advanced Firewall Manager
Symptoms:
Active Rules page displays a different time zone.
Conditions:
When Active Rules page is loaded after the BIG-IP system timezone has changed.
Impact:
GUI shows incorrect timezone.
Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.
Fix:
Active Rules page now shows the correct timezone after the BIG-IP system timezone has changed.
590795-1 : tmm crash when loading default signatures or updating classification signature★
Component: Traffic Classification Engine
Symptoms:
When upgrading classification signatures or downgrading to the default signatures, tmm will crash.
Conditions:
This occurs when loading updated classification signatures on versions 12.1.0 and 12.1.1.
Impact:
tmm will crash during the load. Traffic disrupted while tmm restarts.
Fix:
Fixed a crash when loading classification signatures.
590779 : Rest API - log profile in json return does not include the partition but needs to
Component: TMOS
Symptoms:
When querying the log profile via the Rest API, the returned response does not include the partition name in FullPath.
For example, for a log profile named mySample:
https://bigip_ip/mgmt/tm/security/log/profile/~Common~mySample/application/mySample
The JSON returned will contain
"fullPath": "testProfile",
It should contain
"fullPath": "/Common/testProfile",
This can cause BIG-IQ to fail to sync.
Conditions:
Log profile created. This is most visible when using BIG-IQ to sync.
Impact:
Applications relying on the folder path can fail.
Fix:
The Rest API will now provide the full path to the log profile.
590608-1 : Alert is not redirected to alert server when unseal fails
Component: Fraud Protection Services
Symptoms:
Alert is not redirected to the alert server when unseal fails and iRule is enabled.
Conditions:
1. Unsealing alert failure.
2. iRule enabled.
Impact:
Alert is not redirected to the alert server and FPS returns 404 response.
Workaround:
Disable iRule.
Fix:
FPS now correctly redirects the alert.
590601-2 : BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
Component: Access Policy Manager
Symptoms:
After the end user successfully performs SP-initiated SAML SSO with an original request URI other than "/", the SP redirects the user back to '/' as the landing URI.
Conditions:
BIG-IP is used as SAML SP and no relay state is configured on either SP or IdP
Impact:
User is not redirected to original request URI.
Workaround:
The workaround provided below works when the first client request to the BIG-IP system as SP is a 'GET'. This workaround is not applicable when the first client request is a 'POST'.
SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri}
After successful authentication, end-user will be redirected to the landing URI (reflected back by IdP in the relay-state).
Fix:
SAML SSO requests will now be redirected to the original request URI.
590578-4 : False positive "URL error" alerts on URLs with GET parameters
Component: Fraud Protection Services
Symptoms:
False-positive URL Error alerts are sometimes generated on URLs with GET parameters.
Conditions:
Use of URLs with GET parameters.
Impact:
Unwanted alerts in alert server.
Workaround:
None
Fix:
Hash calculation is done on slightly different URL inputs, causing mismatch.
590428-1 : The "ACCESS::session create" iRule command does not work
Component: Access Policy Manager
Symptoms:
When the "ACCESS::session create" iRule command is used with an APM virtual, the command does not resume properly, causing the sessions to disconnect or hang.
Conditions:
APM virtual configured with an iRule that includes "ACCESS::session create" iRule command.
Impact:
APM virtual won't function correctly.
Workaround:
The "ACCESS::session create" iRule command should be removed from the iRule attached to the virtual.
Fix:
Updated the session DB calls to include req_id parameter so that the TCL context gets updated/saved and used upon resume.
590415-1 : Partition can be removed when remote role info entries refer to it
Component: TMOS
Symptoms:
If you have a partition, and a remote-role info that mentions the partition, then you can delete the partition but the role info is not modified. Once this configuration is saved, future loads fail with an error similar to the following:
01070829:5: Input error: Invalid partition ID request, partition does not exist (your-partition-name)
Conditions:
A partition has been deleted, but the remote role configuration still names the partition.
Impact:
Load fails.
Workaround:
Before removing a partition, ensure that any role-info entries mentioning the partition are also removed.
If you already have encountered a failure to load such a configuration, edit /config/bigip.conf to remove the remote-role entries in the 'auth remote-role' section.
Fix:
It is no longer possible to enter this state. If a partition is referenced by a role-info entry, deleting that partition fails.
590399-1 : Unnecessary logging during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'.
Solution Article: K11304001
Component: TMOS
Symptoms:
Unnecessary logging during startup: err errdefsd[5106]: 01940019:3: Unable to connect to MCPD, will try again in 30 seconds. err errdefsd[5106]: 0194001d:3: Errdefsd is starting. Old shared memory arena is now deprecated.
Conditions:
This occurs during system startup.
Impact:
No to low impact. This message is benign, and you can safely ignore it.
Workaround:
None needed.
Fix:
This release fixes the unnecessary benign error message logging that occurred during startup: 'Unable to connect to MCPD' and 'Errdefsd is starting'.
590345-1 : ACCESS policy running iRule event agent intermittently hangs
Component: Access Policy Manager
Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.
Conditions:
iRule event agent is configured.
iRule uses ACCESS_POLICY_EVENT_AGENT event
Within this event, ACCESS::policy agent_id command is used.
Impact:
Policy execution intermittently hangs.
Workaround:
Please use this command:
ACCESS::session data get {session.custom_event.id}
Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.
590211-2 : jitterentropy-rngd quietly fails to start
Component: TMOS
Symptoms:
If jitterentropy-rngd fails to start, it does so quietly during system start, causing the init.d script to report [ OK ] when it should report [ FAILED ].
This can cause the system to hang indefinitely at boot time at the following step (the key name may vary, depending on what needs to be generated):
Generating /var/named/config/rndc.key ( 09:08:10 ) ...
Similarly, if jitterentropy-rngd fails to start but there are no keys to be generated at boot time, the system will boot successfully. However, the genkeys and genkeys-1024 processes invoked by crontab every hour might hang.
Conditions:
This can occur on any BIG-IP system if jitterentropy-rngd fails to start. The issue has been observed chiefly on vCMP guests running on VIPRION B21x0 blades.
Impact:
1) The system may fail to boot (user intervention will be required at this point to recover the system).
2) As crontab invokes the genkeys and genkeys-1024 processes every hour, these may start but never terminate (any hung processes might eventually cause increased memory and CPU utilization, potentially leading to unpredictable system failures).
Fix:
jitterentropy-rngd now starts up as expected, so no failures occur.
590122-2 : Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
Component: Local Traffic Manager
Symptoms:
Standard TLS rollback detection for TLSv1 or earlier clients might be too strict for clients that do not comply with RFC 2246 and later. These clients may require 'tls-rollback-bug' option set.
Conditions:
Standard behavior of TLS clients is to use ClientHello.client_version in pre-master secret (PMS).
Some clients, incorrectly, might use negotiated version in PMS.
Impact:
Failed TLS handshake.
Workaround:
None.
Fix:
Added support for tls-rollback-bug option for an SSL profile.
This release provides improved support for 'TLS rollback bug workaround' feature described on AskF5 in SSL Administration :: Additional SSL Profile Configuration Options :: Workarounds and other SSL options. (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html).
Behavior Change:
This release provides improved support for 'TLS rollback bug workaround' feature described on AskF5 in SSL Administration :: Additional SSL Profile Configuration Options :: Workarounds and other SSL options. (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html).
The value is set by the existing tls-rollback-bug option, for example with the command: create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.
This is an existing option.
When this option is enabled in the client SSL profile, RSA-only ciphersuites will have relaxed treatment of the version field set by the SSL/TLS client as part of the sequence of bytes encrypted to the server RSA key, called pre-master secret (PMS).
With the option enabled, PMS can contain either ClientHello.client_version, or negotiated version. Standard behavior of TLS clients is to use ClientHello.client_version in PMS.
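The rollback check described above can be modelled directly. The following is an added example, not F5 code and not how TMM implements the check; the function names are hypothetical and the scenario (client offers TLS 1.2, server negotiates TLS 1.0) is constructed. It builds the 48-byte RSA pre-master secret the way a compliant client and a buggy client each would, then applies the server-side version comparison in strict mode and with the relaxed tls-rollback-bug treatment. On a mismatch it substitutes a random pre-master secret rather than failing with a distinguishable error, which is the handling RFC 5246 section 7.4.7.1 recommends for a server.

```python
import os
import hmac
from typing import Optional, Tuple

# TLS ProtocolVersion values in the two-byte {major, minor} wire encoding.
SSL3_0 = b"\x03\x00"
TLS1_0 = b"\x03\x01"
TLS1_1 = b"\x03\x02"
TLS1_2 = b"\x03\x03"

# An RSA pre-master secret is 48 bytes: a 2-byte version followed by 46 random
# bytes (RFC 2246 section 7.4.7.1).
PMS_LEN = 48


def build_premaster(version: bytes, random_bytes: Optional[bytes] = None) -> bytes:
    """Build the plaintext pre-master secret a client RSA-encrypts for the server.

    A compliant client writes ClientHello.client_version here; a client with the
    rollback bug writes the negotiated version instead.  (Hypothetical helper.)
    """
    if random_bytes is None:
        random_bytes = os.urandom(PMS_LEN - 2)
    if len(version) != 2 or len(random_bytes) != PMS_LEN - 2:
        raise ValueError("version must be 2 bytes and the random part 46 bytes")
    return version + random_bytes


def premaster_version_ok(pms: bytes, client_hello_version: bytes,
                         negotiated_version: bytes, tls_rollback_bug: bool = False) -> bool:
    """Server-side version rollback check on the decrypted pre-master secret.

    Strict mode (the default): the PMS must carry ClientHello.client_version.
    With tls_rollback_bug=True the negotiated version is also accepted, which is
    the relaxed treatment the SSL profile option enables for RSA ciphersuites.
    """
    if len(pms) != PMS_LEN:
        return False
    pms_version = pms[:2]
    # compare_digest keeps the comparison time independent of where bytes differ.
    if hmac.compare_digest(pms_version, client_hello_version):
        return True
    if tls_rollback_bug and hmac.compare_digest(pms_version, negotiated_version):
        return True
    return False


def accept_premaster(pms: bytes, client_hello_version: bytes, negotiated_version: bytes,
                     tls_rollback_bug: bool = False) -> Tuple[bool, bytes]:
    """Return (accepted, pms_to_use).

    On a mismatch the server does not report the reason to the peer; it continues
    with a fresh random pre-master secret (RFC 5246 section 7.4.7.1) so that the
    handshake fails uniformly at the Finished message.
    """
    if premaster_version_ok(pms, client_hello_version, negotiated_version, tls_rollback_bug):
        return True, pms
    return False, os.urandom(PMS_LEN)


if __name__ == "__main__":
    # Constructed scenario: client offered TLS 1.2, server negotiated TLS 1.0.
    offered, negotiated = TLS1_2, TLS1_0
    compliant = build_premaster(offered)      # RFC-conformant client
    buggy = build_premaster(negotiated)       # client exhibiting the rollback bug
    print("compliant client, strict :", premaster_version_ok(compliant, offered, negotiated))
    print("buggy client, strict     :", premaster_version_ok(buggy, offered, negotiated))
    print("buggy client, relaxed    :", premaster_version_ok(buggy, offered, negotiated, True))
```

Note that the relaxed mode only widens the accepted set to the negotiated version; a PMS carrying any other version (for example SSL 3.0 when TLS 1.0 was negotiated) is still rejected, so enabling the option for a known non-compliant client population does not disable rollback detection altogether.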
590074-1 : Wrong value for TCP connections closed measure
Component: Application Visibility and Reporting
Symptoms:
In TCP analytics, the measure 'connections closed' displays the wrong value.
Conditions:
TMM_API debug enabled.
Impact:
Wrong value displayed.
Workaround:
Do not turn on debug printing.
Fix:
Memory corruption found and fixed. All debug printing organized together at the beginning of the function.
589862-6 : HA Group percent-up display value is truncated, not rounded
Component: TMOS
Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.
Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.
Impact:
Incorrect display of the percent-up value. The score contribution is correct, and is displayed properly rounded.
Fix:
The percent-up value is correctly rounded before display.
589661 : PS2 power supply status incorrect after removal
Component: TMOS
Symptoms:
After removing the second power supply (PS2), running system_check indicates that the power supply status is still good:
system_check -d | grep power
Chassis power supply 1: status FAN=good; VINPUT=good; VOUTPUT=good; STATUS=good
Chassis power supply 2: status VINPUT=good; VOUTPUT=good; STATUS=not present
Conditions:
This occurs on 10000-series and 12000-series platforms when removing the PS2 power supply and running system_check.
Impact:
Erroneous indication that the power supply is still good.
Fix:
Power supply status for PS2 is now correctly indicated when the power supply is removed.
589400-1 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Solution Article: K33191529
Component: Local Traffic Manager
Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.
Impact:
Additional connection latency.
Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.
If init-cwnd is low, raising it might also help.
Disabling abc can also reduce the problem, but might have other negative network implications.
Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.
589379-2 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
Solution Article: K20937139
Component: TMOS
Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.
Conditions:
OSPF using route health injection for default route.
Impact:
No functional impact. The extraneous LSA is immediately aged out.
Workaround:
Configure a static default route in imish instead of using RHI for the default route.
Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
589318-1 : Clicking 'Customize All' checkbox does not work.
Component: Fraud Protection Services
Symptoms:
Clicking 'Customize All' in Safari browser does not check the checkboxes below, and the settings remain grayed out.
Conditions:
Provision and license FPS.
Impact:
FPS child profile page.
Workaround:
Use tmsh.
Fix:
Clicking the 'Customize All' checkbox in the Safari browser now checks the checkboxes below and changes the state of the corresponding settings.
589256-1 : DNSSEC NSEC3 records with different type bitmap for same name.
Solution Article: K71283501
Component: Global Traffic Manager (DNS)
Symptoms:
For a delegation from a secure zone to an insecure zone, the BIG-IP system returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.
Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND, if it is selected as fallback. Without a ZSK/KSK for an insecure child zone, BIND responds with an SOA, which the system dynamically signs.
Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.
Workaround:
None.
Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.
589223-1 : TMM crash and core dump when processing SSL protocol alert.
Component: Local Traffic Manager
Symptoms:
TMM crash and core dump when processing SSL protocol alert.
Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A problem of TMM restarting when processing SSL protocol alert has been fixed.
589083-2 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
Component: TMOS
Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.
Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.
Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:
Can't create tmsh temp directory "/config/.config.backup" Permission denied
Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.
Impact:
Cannot save the configuration.
Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.
Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.
589006-5 : SSL does not cancel pending sign request before the handshake times out or is canceled.
Component: Local Traffic Manager
Symptoms:
When TMM is handling many SSL handshakes that use ephemeral keys, signing of the ServerKeyExchange message may not complete immediately, leaving the sign request pending on the crypto SSL queue. Even if the handshake times out or is canceled, the sign request stays in the queue. This might cause memory accumulation.
Conditions:
TMM is handling many SSL handshakes that use ephemeral keys, so SSL must sign the ServerKeyExchange message.
Impact:
Even if the handshake times out or is canceled, the sign request is still in the queue. This might cause memory accumulation.
Note: Although this issue was fixed in 11.5.4 HF3, the fix was reverted in 11.5.4 HF4, meaning that the issue is not fixed in 11.5.4 HF4.
Workaround:
None.
Fix:
SSL now cancels the pending sign request when the handshake times out or is canceled.
588959-2 : TMM may crash or behave abnormally on a Standby BIG-IP unit
Solution Article: K34453301
Component: Local Traffic Manager
Symptoms:
TMM may crash or behave abnormally on a Standby BIG-IP unit. Memory utilization before the crash can appear to be unusually high.
Conditions:
This is a rare issue, currently known to occur only in WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring. Virtual servers that make use of the standard TCP profile are not affected.
Impact:
The unit is not operational until TMM has finished writing the core file to disk and restarting. If the unit was Active for a different traffic-group, traffic for that traffic-group will be disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes in the rare case of WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring.
588929-2 : SCTP emits 'address conflict detected' log messages during failover
Component: TMOS
Symptoms:
The system may advertise, on the client-side, SCTP alternate addresses that are in a route-domain different from that of the virtual server.
Conditions:
Configuring an SCTP virtual server with alternate-addresses that are not in the correct route domain.
Impact:
No impact to traffic processing. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.
Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.
Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.
588888-3 : Empty URI rewriting is not done as required by browser.
Solution Article: K80124134
Component: Access Policy Manager
Symptoms:
An empty URI must be rewritten the same way by the server-side and client-side rewriters: as an empty URI (all browsers treat this type of URI in a specific way).
Conditions:
A tag with an empty 'src' or 'href' attribute.
Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.
Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.
-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.
Fix:
This release fixes the issue: an empty URI is now rewritten the same way on the server side and the client side, as an empty URI (all browsers treat this type of URI in a specific way).
588879-2 : apmd crash under rare conditions with LDAP
Component: Performance
Symptoms:
apmd crashes during periods of high Active Directory (AD) lookups.
Conditions:
-- APM configured to use LDAP.
-- Might be related to stress testing AD queries.
Impact:
apmd crashes, clients unable to connect.
Workaround:
None.
Fix:
apmd no longer crashes during periods of high Active Directory (AD) lookups.
588794-2 : Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
Component: TMOS
Symptoms:
SCTP alternate addresses may be advertised on the server-side that are in a route-domain that is different from that of the virtual server.
Conditions:
Alternate-addresses are configured on an SCTP virtual server that aren't in the correct route domain.
Impact:
There is no impact to traffic processing. Alternate-addresses will be advertised even though they are not in the correct domain. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.
Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.
Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.
588771-2 : SCTP needs traffic-group validation for server-side client alternate addresses
Component: TMOS
Symptoms:
Addresses may be advertised in an SCTP INIT chunk even though they are not usable by the BIG-IP.
Conditions:
When an SCTP virtual server has server-side-multihoming enabled and the snatpool used by the virtual server contains addresses from other traffic groups, it will advertise all of the addresses from the snatpool in the INIT chunk.
Impact:
Some of the paths advertised during the SCTP association establishment process will be unusable. A conformant SCTP implementation on the server side should test and disregard these paths, so there is no impact to traffic.
Fix:
The SCTP filter in BIG-IP has been fixed so that all of the alternate addresses advertised during SCTP association establishment are in the same traffic group as the virtual server. Configured addresses are checked for the correct traffic group membership before being advertised.
588720-1 : Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
Solution Article: K44907534
Component: Local Traffic Manager
Symptoms:
Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
Conditions:
-- TMM is overloaded.
-- UDP datagram load-balancing is used.
Impact:
UDP packets are dropped.
Workaround:
There is no workaround other than to disable datagram-load-balancing in the affected UDP profile. To do so, run the following command:
tmsh modify ltm profile udp <profile_name> datagram-load-balancing disabled
Fix:
The fast-forwarding mechanism now properly handles packets with invalidated flows. The packets are now sent back to the source TMM for reprocessing. The TCP and TCP4 filters are updated to work properly with the changed fast-forwarding implementation.
588686 : High-speed logging to remote logging node stops sending logs after all logging nodes go down
Component: TMOS
Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stops.
Conditions:
This occurs when all of the configured logging nodes go down. Even when they are brought back up, tmm will not send logs to the remote servers.
Impact:
Remote logging stops and will only resume if tmm is restarted.
588456-3 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
Solution Article: K60250444
Component: Policy Enforcement Manager
Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to the DHCP relay agent IP address, the DHCP server sends the ACK for the renewal packet to the relay agent IP (giaddr) instead of to ciaddr. The BIG-IP DHCP module does not process the ACK or update the lease time, which causes the PEM subscriber session to age out.
Conditions:
-- The BIG-IP system is configured in forwarding mode.
-- The giaddr field in the unicast DHCP renewal packet is set to the IP address of relay agent. (Typically, it is set to 0 by the DHCP client.)
Impact:
PEM Subscriber Session will age out.
Workaround:
None.
Fix:
PEM no longer deletes existing PEM Subscriber Sessions after the lease time expires, so the DHCP renewal is now processed.
588405-1 : BADOS - BIG-IP Self-protection during (D)DOS attack
Component: Anomaly Detection Services
Symptoms:
Problem: even 100% accurate detection may not be enough to prevent an attack.
BIG-IP CPU utilization needs to be protected during an attack, both from detected bad actors (in addition to the shunlist) and from unknown IPs.
Such a mechanism should still allow bad actor detection while keeping CPU utilization within reasonable limits.
Conditions:
High BIG-IP CPU utilization during (D)DOS attack
Impact:
Service impact due to BIG-IP CPU high utilization
Workaround:
No workaround
Fix:
Added additional CPU protection during a (D)DOS attack
588399-1 : BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
Component: Anomaly Detection Services
Symptoms:
BIG-IP CPU utilization can be excessively high even after mitigating bad actors.
Conditions:
This can occur when Bad Actor detection is used.
Impact:
CPU utilization will be higher than expected.
Fix:
An issue in which references to already-detected bad actors affected CPU utilization has been fixed.
588351-5 : IPv6 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
IPv6 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.
588327 : 'err bcm56xxd' log messages observed in /var/log/ltm
Component: TMOS
Symptoms:
An 'err bcm56xxd' log message is observed in /var/log/ltm that reads: err bcm56xxd[10968]: 012c0012:3: bs_module_do_precond:No preconditioning provided for module on port 3/5.0
Conditions:
This occurs during system startup.
Impact:
The error is benign and can be ignored.
Fix:
The "No preconditioning provided for module" message is now logged at the info level.
588289-1 : GTM is Re-ordering pools when adding pool including order designation
Component: Global Traffic Manager (DNS)
Symptoms:
GTM re-orders the pools, including the pool with order "0", when a pool is added with a specific order designation.
Conditions:
This occurs when adding pools with a specified order.
Impact:
This changes the pool order unexpectedly, which affects load balancing that uses the global-availability method.
588140 : Pool licensing fails in some KVM/OpenStack environments
Component: TMOS
Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.
Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.
Impact:
From BIG-IQ, the licensing operation appears to succeed; however, the BIG-IP VE is not licensed.
Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments now completes successfully on both BIG-IQ and BIG-IP.
588115-1 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
Component: Local Traffic Manager
Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.
Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.
Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.
588089-3 : SSL resumed connections may fail during mirroring
Component: Local Traffic Manager
Symptoms:
SSL resumed connections when using SSL mirroring may fail during mirroring. This could result in SSL connections being unable to recover after failover.
Conditions:
Mirroring enabled on virtual with an associated client-ssl profile.
Impact:
SSL connections unable to recover after failover.
Workaround:
Disable session cache to prevent connections from resuming.
588087-1 : Attack prevention isn't escalating under some conditions in session opening mitigation
Component: Application Security Manager
Symptoms:
A session opening attack is detected, but attack prevention does not escalate.
Conditions:
A session opening attack in which the attacker answers the challenges.
Impact:
The attack continues.
Workaround:
Configure attack prevention to use rate limiting.
Fix:
Fixed attack escalation in some cases on session opening.
588058-3 : False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
Component: Fraud Protection Services
Symptoms:
Large numbers of "failed to unseal" Source Integrity alerts.
Conditions:
Source integrity feature enabled. Clients using Internet Explorer 8 to 10.
Impact:
High number of false positive alerts in alert dashboard.
Workaround:
Create alert dashboard signature to ignore source integrity alerts containing "failed to unseal" and Internet Explorer 8 to 10 user agent.
Fix:
Fixed parsing in relevant browsers.
588049-1 : Improve detection of browser capabilities
Component: Application Security Manager
Symptoms:
Browsers can override native functions and thereby manipulate the PBD capabilities test.
Conditions:
1. Proactive Bot defense is on.
2. The attacker overrides the browser's native functions.
Impact:
Malicious browsers can go undetected by PBD.
Workaround:
N/A
Fix:
The system now checks that the majority of the browser's native functions are not overridden.
587966-1 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
Solution Article: K77283304
Component: Local Traffic Manager
Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.
Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.
Impact:
Type A DNS queries are dropped intermittently.
Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.
Fix:
Type A requests are no longer dropped when A and AAAA DNS queries are requested at the same time with the same source IP and port.
587791-1 : Set execute permission on /var/lib/waagent
Component: TMOS
Symptoms:
Due to recent changes in the build process, /var/lib/waagent did not have the proper execute permission set. This caused user custom scripts to fail to execute during deployment.
Conditions:
First deployment of VM in Azure, which requires executing custom scripts.
Impact:
Custom scripts cannot be executed.
Workaround:
N/A
Fix:
The execute permission is now set properly on the /var/lib/waagent directory.
587780 : warning: HSBe2 XLMAC initial recovery failed after 11 retries.
Component: TMOS
Symptoms:
ltm log contains multiple instances of the following message on VIPRION B4450 blades: warning: HSBe2 XLMAC initial recovery failed after 11 retries.
Conditions:
This often happens when a VIPRION 4480 or 4800 chassis with B4450 blades is rebooting.
Impact:
No operational impact. This is a cosmetic message that you can safely ignore.
Workaround:
None needed. This message is cosmetic only.
Fix:
A more robust XLMAC recovery mechanism has been implemented which reduces the maximum retries to four. It does not completely eliminate this warning message (HSBe2 XLMAC initial recovery failed after 11 retries), but its frequency is greatly reduced.
587735 : False alarm on LCD indicating bad fan
Component: TMOS
Symptoms:
During some blade power ON conditions, a false alarm message is displayed on the LCD on the chassis bezel.
This alarm indicates that several chassis fans are bad, however in reality the fans are not bad.
Typically, the messages look like this:
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 2: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 3: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 4: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 5: status (0) is bad.
Conditions:
Erroneous fan warnings may occur when a blade is inserted into a VIPRION 4800 chassis.
Impact:
No functional impact. The user may experience concern over the false alarms.
Workaround:
Press the green check button on the front of the chassis bezel to clear the alarm.
587705-5 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
Solution Article: K98547701
Component: Local Traffic Manager
Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.
Conditions:
'Match_across_virtual' is enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to pool members from different pools. Some of these pool members do not belong to any of the current virtual server's pools.
Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.
Workaround:
None.
Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.
587698-3 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
Component: TMOS
Symptoms:
bgpd daemon crashes
Conditions:
bgp extended-asm-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.
Impact:
bgpd daemon crashes leading to route loss and traffic loss.
Fix:
bgpd does not crash when both bgp extended-asm-cap and ip extcommunity-list standard with rt and soo parameters are configured.
587676-2 : SMB monitor fails due to internal configuration issue
Component: Local Traffic Manager
Symptoms:
SMB monitor fails due to internal configuration issue
Conditions:
Configure the SMB monitor
Impact:
SMB monitor fails to execute
Fix:
Fixed an internal configuration issue so that the SMB monitor will load properly
587668 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
Component: TMOS
Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.
Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.
Impact:
Cannot clear the alert using the LCD.
Workaround:
Press the checkmark button followed by the left or right arrow buttons.
Fix:
In this release, unneeded LCD updates that might have clogged the message channel have been optimized away, and the keypress is passed along later instead of being lost, so pressing the LCD checkmark button now correctly brings up the clearing prompt on VIPRION blades.
587656-2 : GTM auto discovery problem with EHF for ID574052
Component: Global Traffic Manager (DNS)
Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.
Conditions:
After applying EHF9-685.88-ENG
Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.
Workaround:
Skip to the next Eng HF
v11.4.1-hf10/hotfix/HF10-690.10-ENG
Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.
587629-2 : IP exceptions may have issues with route domain
Component: Application Security Manager
Symptoms:
The IP exception feature doesn't work as expected.
Conditions:
Several identical IP addresses are defined, each in a different route domain.
Configuration changes were made to the exception properties of these IPs.
Impact:
An IP that should be ignored is not ignored, and similar mismatches.
Workaround:
bigstart restart asm
Fix:
Fixed an issue with IP exceptions in route domains.
587617-1 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.
Conditions:
No GTM server object is configured with an existing self IP.
Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.
Workaround:
Configure the GTM server object with an existing self IP. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671
Fix:
gtmd no longer cores.
587419-1 : TMM may restart when SAML SLO is performed after APM session is closed
Component: Access Policy Manager
Symptoms:
TMM may core when a user performs SAML SLO on an SP/IdP external to BIG-IP and the BIG-IP APM session is no longer valid.
Conditions:
- The user initiated SAML SLO on an external SAML provider, and the external provider redirects the user to BIG-IP with an SLO request.
- User does not have a valid session on BIG-IP when SLO request is received.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable SAML SLO by removing the SLO request/response URLs from the configuration.
Fix:
TMM will no longer restart in the case described above.
587107-3 : Allow iQuery to negotiate up to version TLS1.2
Component: Global Traffic Manager (DNS)
Symptoms:
big3d accepts only TLS1.0, and gtmd offers only TLS1.0 during iQuery SSL handshake. iQuery does not negotiate up to TLS 1.2.
Conditions:
Establishing iQuery connections.
Impact:
The older, less secure TLS1.0 is the only version available for iQuery connections.
Workaround:
None.
Fix:
big3d now accepts, and gtmd now offers up to, TLS1.2 in iQuery handshakes.
TLS1.0 and TLS1.1 are still accepted by both ends of the iQuery connection (gtmd and big3d) to enable older clients (gtmd) to connect to newer servers (big3d) and vice versa.
Behavior Change:
big3d now accepts TLS1.2 in iQuery handshakes, and gtmd now offers up to TLS1.2.
587106-1 : Inbound connections are reset prematurely when zombie timeout is configured.
Component: Carrier-Grade NAT
Symptoms:
When an LSN pool is configured in PBA mode with a non-zero zombie timeout, inbound connections are killed and reset prematurely, often in a matter of seconds.
Conditions:
PBA mode configured on the pool, and zombie_timeout set to a non-zero value.
Impact:
Inbound connections to PBA pools with a zombie timeout configured may not be usable.
Workaround:
None.
Fix:
Inbound connections are no longer reset when zombie_timeout is configured to a non-zero value.
587077-1 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
Solution Article: K37603172
587016-3 : SIP monitor in TLS mode marks pool member down after positive response.
Component: Local Traffic Manager
Symptoms:
The SIP monitor in TLS mode marks the pool member down even after a positive response, so the pool member is constantly marked down.
Conditions:
SIP monitor configured in TLS mode.
Server does not send close_notify alert in response to the monitor's close_notify request.
Impact:
Unable to monitor the status of the TLS SIP server.
Workaround:
None.
Fix:
The SIP monitor in TLS mode now marks the pool member up after a positive response, which is the correct behavior.
586938-1 : Standby device will respond to the ARP of the SCTP multihoming alternate address
Solution Article: K57360106
Component: TMOS
Symptoms:
When an SCTP connection is established, the router sends an ARP request for the client-side multi-homing alternate address, and the standby device also replies to that ARP request.
Conditions:
This issue manifests when an SCTP profile has at least one alternate-address configured and is used in a high availability (HA) scenario.
Impact:
Traffic for the alternate-addresses may be directed to the wrong device in an HA group. The multi-homing function fails because the alternate connection cannot be established on the standby device.
Workaround:
Do not use a VLAN address as an alternate address. Use only routed addresses, and route those addresses to the floating Self-IP address of the BIG-IP system.
Fix:
SCTP multihoming has been fixed to work correctly when used in a high availability setup with VLAN addresses.
586887-2 : SCTP tmm crash with virtual server destination.
Solution Article: K25883308
Component: TMOS
Symptoms:
Rare configuration with SCTP can cause TMM core.
Conditions:
Complex configurations including wildcards, virtual servers and SCTP profiles.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a rare SCTP tmm crash with virtual server destination when using complex configurations including wildcards, virtual servers and SCTP profiles.
586878-4 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
Component: TMOS
Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.
The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.
Conditions:
The issue occurs when all of the following conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).
Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
For example, it might look similar to the following:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        default { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
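The pre-upgrade workaround above amounts to finding every clientssl profile in /config/bigip.conf whose own cert/key configuration is empty or whose cert-key-chain entries name no cert and key. The following Python script is an added example, not F5 code: it parses the brace-delimited bigip.conf syntax and reports such profiles. It assumes that a cert-key-chain entry is usable only when it names both a cert and a key, that a profile with 'inherit-certkeychain true' takes its pair from its parent and is therefore not reported, that an absent inherit-certkeychain counts as false (the conservative choice), and the embedded sample configuration is constructed.

```python
"""Report clientssl profiles in a bigip.conf with no usable cert/key pair (added example, not F5 code)."""
import re
from typing import Dict, List, Tuple, Union

Block = Dict[str, Union[str, "Block"]]

# Braces are standalone tokens and a quoted string is one token, so the empty
# cert-key-chain name "" from the workaround survives tokenization.
_TOKEN = re.compile(r'"[^"]*"|\{|\}|[^\s{}]+')
CLIENTSSL_PREFIX = "ltm profile client-ssl "

# Constructed sample: one valid profile, the two invalid shapes from the
# workaround above, and one profile that inherits its pair from its parent.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/cssl_ok {
    cert-key-chain {
        mysite { cert /Common/mysite.crt key /Common/mysite.key }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
}
ltm profile client-ssl /Common/cssl_no-cert-key1 {
    cert none
    cert-key-chain {
        "" { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    cert none
    cert-key-chain {
        default { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_inherits {
    defaults-from /Common/clientssl
    inherit-certkeychain true
}
"""


def _tokenize(text: str) -> List[str]:
    tokens: List[str] = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # skip e.g. the #TMSH-VERSION header
            continue
        tokens.extend(_TOKEN.findall(line))
    return tokens


def _parse_block(tokens: List[str], i: int) -> Tuple[Block, int]:
    """Parse items after an opening '{' up to its matching '}'; each item is
    'key value' or 'key { nested }'. Returns the block and the index past '}'."""
    block: Block = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return block, i + 1
        key = tok.strip('"')
        i += 1
        if i < len(tokens) and tokens[i] == "{":
            block[key], i = _parse_block(tokens, i + 1)
        elif i < len(tokens) and tokens[i] != "}":
            block[key] = tokens[i].strip('"')
            i += 1
        else:
            block[key] = ""  # bare keyword with no value
    raise ValueError("unbalanced braces in configuration")


def parse_config(text: str) -> Dict[str, Block]:
    """Map each top-level header (e.g. 'ltm profile client-ssl /Common/x') to its body."""
    tokens = _tokenize(text)
    objects: Dict[str, Block] = {}
    header: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "{":
            body, i = _parse_block(tokens, i + 1)
            objects[" ".join(header)] = body
            header = []
        else:
            header.append(tokens[i])
            i += 1
    return objects


def has_own_certkey(profile: Block) -> bool:
    """True when the profile itself names both a cert and a key (top level or chain entry)."""
    chains = profile.get("cert-key-chain")
    entries = [profile] + ([e for e in chains.values() if isinstance(e, dict)] if isinstance(chains, dict) else [])
    return any(e.get("cert", "none") != "none" and e.get("key", "none") != "none" for e in entries)


def find_profiles_without_certkey(conf_text: str) -> List[str]:
    """Names of clientssl profiles that the upgrade-time validation would reject."""
    flagged: List[str] = []
    for header, body in parse_config(conf_text).items():
        if header.startswith(CLIENTSSL_PREFIX):
            # Assumption: inherit-certkeychain true means the parent supplies the pair;
            # an absent setting is treated as false (the conservative choice).
            inherits = body.get("inherit-certkeychain") == "true"
            if not inherits and not has_own_certkey(body):
                flagged.append(header[len(CLIENTSSL_PREFIX):])
    return flagged
```

Run it against a copy of /config/bigip.conf (e.g. `find_profiles_without_certkey(open(path).read())`) and remove or re-create the reported profiles before upgrading.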
586738-4 : The tmm might crash with a segfault.
Component: TMOS
Symptoms:
The tmm might crash with a segfault.
Conditions:
Using IPsec with hardware encryption.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
When IPsec is configured with hardware encryption, an encryption error now returns an error code when appropriate and is handled as expected, so tmm no longer crashes with a segfault.
586718-1 : Session variable substitutions are logged
Component: Access Policy Manager
Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see a log message similar to the following, with the encrypted password logged: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'
Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.
Impact:
Session variable substitutions should not be logged, even if the value is encrypted.
Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.
Fix:
Session variable substitutions are no longer logged.
586621-7 : SQL monitors 'count' config value does not work as expected.
Solution Article: K36008344
Component: Local Traffic Manager
Symptoms:
SQL monitors 'count' config value does not work as expected.
Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.
Impact:
SQL monitor might use a 'count' value that is incorrect.
Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.
586587-1 : RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
Component: Local Traffic Manager
Symptoms:
RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. That results in sending data at higher rates than specified Max Rate.
Conditions:
RTT is less than 6ms.
Impact:
Packet loss (queue overflow) might occur because data is sent at a higher rate than the specified max rate.
Workaround:
None.
Fix:
RatePaceMaxRate works as expected, irrespective of latency.
586449-1 : Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
Component: Local Traffic Manager
Symptoms:
If an under-provisioned TMM runs out of memory, allocation failures may result. Incorrect error handling of allocation failures in the HTTP cookie code results in a TMM core.
Conditions:
Cookie persistence with encryption required is enabled on the virtual server, and an under-provisioned TMM runs out of memory, resulting in allocation failures.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Error handling in the HTTP cookie code has been fixed. Allocation errors now result in connection resets rather than a core due to an assertion failure.
586412-2 : BGP peer-group members address-family configuration not saved to configuration
Component: TMOS
Symptoms:
The deactivation of the IPv6 address-family for an IPv6 BGP neighbor that is a member of a peer group may be lost when the configuration is reloaded or the system restarts.
Conditions:
-- IPv6 BGP neighbors are in a peer group.
-- Individual group members have a different address-family configuration than the peer-group.
Impact:
BGP behavior may change after a reboot.
Workaround:
If a neighbor must have different behavior than the other peer group members, it can be removed from the peer group and configured individually.
Fix:
BGP address-family configuration is now correctly saved and reloaded for neighbors belonging to a peer-group.
586070 : 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
Component: Advanced Firewall Manager
Symptoms:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
Conditions:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
Impact:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
Workaround:
N/A
Fix:
Fixed a typo in GUI
586031-1 : Configuration with LTM policy may fail to load
Solution Article: K40453207
Component: TMOS
Symptoms:
Load may fail with an error similar to the following:
01070726:3: Policy /Common/Drafts/[name] in partition Common cannot reference policy reference /Common/Drafts/[name] /Common/[virtual server name] in partition [partition].
Note: The named object is in partition Common, but the message will incorrectly specify a different partition.
Conditions:
* An LTM policy has been published.
* A draft has been created from this policy.
* The LTM policy has been associated with a virtual server.
* At least one partition other than Common has been created (the policy does not need to be in this partition).
* The system is loading the configuration from the text config files (without a binary config file), e.g., as a result of performing a software upgrade or following the directions in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
Impact:
Configuration will fail to load.
Workaround:
Edit the configuration file to remove the draft policy (but not the published one).
Fix:
This defect has been resolved and the configuration will now load successfully.
586006-1 : Failed to retrieve CRLDP list from client certificate if DirName type is present
Component: Access Policy Manager
Symptoms:
Client certificate revocation check will fail.
Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND
2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list.
Impact:
Users may fail access policy evaluation when client certificate authentication is used.
Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.
585905-1 : Citrix Storefront integration mode with pass-through authentication fails
Component: Access Policy Manager
Symptoms:
Citrix Storefront integration mode with pass-through authentication fails. The client fails with the error message "Authentication service is not reachable".
Conditions:
Citrix Storefront integration mode with only pass-through authentication enabled on the Storefront.
Impact:
Pass-through authentication cannot be used on the Storefront for remote access of the store.
Workaround:
None
Fix:
Pass-through authentication can now be used for remote access of the store.
585833-3 : Qkview will abort if /shared partition has less than 2GB free space
Component: TMOS
Symptoms:
In order to inform the user that the /shared partition needed to be cleaned up, qkview was checking for at least 2GB of free space. This isn't a hard requirement to build a qkview which potentially could use much less than the 2GB limit. Additionally, some F5 VE systems are shipped with less than 2GB in /shared, thus qkviews cannot be produced.
Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.
Impact:
User is unable to create a qkview despite having enough room to build one.
Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/csp/#/article/K14952 for detailed instructions on resizing volumes.
Fix:
A warning about having less than 2GB will still be issued, but the qkview will continue to attempt to finish.
585823-1 : FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)
Component: Advanced Firewall Manager
Symptoms:
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses a source address list to match the incoming source address, and the source translation object in the rule is configured to do 'dynamic-pat' with mode = deterministic.
Conditions:
Following conditions suffice for the issue:
a) FW NAT rule has source translation object of type 'dynamic-pat' and mode = deterministic
AND
b) FW NAT rule has match source address-list only (and no inline source addresses on the match side)
Impact:
Translation failure occurs as described resulting in the connection failures.
Workaround:
If a FW NAT rule has source translation object with dynamic-pat and deterministic mode, the source address(es) on the match side should be specified as inline address(es) instead of specifying the source address-list with such addresses.
Fix:
Fix involves using the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.
585813-3 : SIP monitor with TLS mode fails to find cert and key files.
Solution Article: K22111214
Component: Local Traffic Manager
Symptoms:
SIP monitor with TLS enabled fails to find cert and key in filestore.
Conditions:
SIP monitor with TLS mode.
Impact:
Cannot create SIP monitor with TLS mode enabled and have the pool correctly checked.
Workaround:
Create an external monitor script to invoke the SIP monitor. Supply the correct arguments to the script.
Fix:
SIP monitor with TLS mode now finds cert and key files, so you can create SIP monitor with TLS mode enabled and have the pool correctly checked.
585807-2 : 'ICAP::method <method>' iRule is documented but is read-only
Component: Service Provider
Symptoms:
'ICAP::method' iRule function is documented as 'ICAP::method <REQMOD|RESPMOD>' which is said to get as well as set (modify) the ICAP method type in the ICAP_REQUEST event. Validation has at times rejected an argument, and at times accepted it. In fact the argument is ignored even if validation accepts it: the method type cannot be changed by the iRule. When validation rejects it, the system posts an error similar to the following: 01070151:3: Rule [/Common/icap_test] error: /Common/icap_test:2: error: [unexpected extra argument "REQMOD"][ICAP::method "REQMOD"]
Conditions:
iRule in ICAP_REQUEST event with 'ICAP::method REQMOD' or 'ICAP::method RESPMOD'.
Impact:
Users may attempt to change the method type. Usually the validator rejects it. In some versions the validator accepts it, but the methods only return the existing method type.
Workaround:
Do not attempt to change the method type with 'ICAP::method <method>'.
Fix:
ICAP::method is now documented as simply 'ICAP::method' with no argument, and it simply returns the current method type 'REQMOD' or 'RESPMOD'.
585745-2 : sod core during upgrade from 10.x to 12.x.
Component: TMOS
Symptoms:
The failover daemon (sod) may core during an upgrade, when the peer device upgrade completes and rejoins the trust.
Conditions:
Upgrading a high availability configuration from 10.x to 12.x or later.
Impact:
Corefile generated, and system will temporarily go offline, resulting in an interruption of service.
Workaround:
Upgrade multiple devices in the high availability configuration from 10.x to a supported 11.x release, and then upgrade to the desired 12.x release.
Fix:
The failover daemon (sod) no longer cores during an upgrade, when the peer device upgrade completes and rejoins the trust.
585654 : Enhanced implementation of AES in Common Criteria mode
Component: Local Traffic Manager
Symptoms:
Common Criteria (CC) mode disallows the use of the dedicated BIG-IP accelerator. Performance of the BIG-IP system in CC mode may not be as fast as benchmarks for some AES implementations on CPU.
Conditions:
Common Criteria (CC) mode is enabled.
Impact:
Lower performance with CBC-based AES ciphersuites.
Fix:
Updated AES implementation may achieve higher performance of CBC-based AES ciphersuites.
585562-3 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
Component: Access Policy Manager
Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.
Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.
Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.
Workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}
Fix:
VMware View HTML5 client shipped with Horizon 7 now works through BIG-IP APM in Chrome/Safari.
585547-1 : NTP configuration items are no longer collected by qkview★
Component: TMOS
Symptoms:
qkview was collecting the file "/etc/ntp/keys" which in some cases, contains secret keys used for integrity verification of NTP messages.
Conditions:
Execute qkview to collect diagnostic information.
Impact:
Possibility for keys to be exposed.
Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.
Fix:
With this release, qkview no longer collects this file.
585485-3 : Interoperability with "delete IPSEC-SA" between Azure, ASA, and the BIG-IP system
Component: TMOS
Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.
The BIG-IP system sends and expects messages with two SPIs inside.
Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor may experience this. Azure and Cisco ASA are two such vendors.
Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.
Workaround:
Delete the outbound SA from the BIG-IP using the tmsh command by specifying the related SA:
(tmos)# delete net ipsec ipsec-sa ?
Properties:
"{" Optional delimiter
dst-addr Specifies the destination address of the security associations
spi Specifies the SPI of the security associations
src-addr Specifies the source address of the security associations
traffic-selector Specifies the name of the traffic selector
Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.
585442-2 : Provisioning APM to 'none' creates a core file
Component: Access Policy Manager
Symptoms:
Provisioning APM level to 'none' may result in apmd creating a core file.
Conditions:
When the APM service is shut down, the apmd daemon may create a core file.
Impact:
There is no impact to functionality. Only a core file is created.
Workaround:
There is no loss in functionality.
Fix:
Provisioning APM level to 'none' no longer results in apmd creating a core file.
585424-1 : Mozilla NSS vulnerability CVE-2016-1979
Solution Article: K20145801
585412-4 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
Component: Local Traffic Manager
Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'
Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.
8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.
Impact:
The TCP connection is reset with a reset-cause of 'Out of memory' and the email will not be delivered.
Workaround:
None.
Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.
585352-2 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI
Component: Application Security Manager
Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the selfLink in the iControl REST API.
Conditions:
Update brute force settings in GUI
Impact:
The unique record part (rest_uuid) is updated, which breaks the selfLink.
Workaround:
Update brute force settings using the REST API
Fix:
The GUI no longer changes rest_uuid when brute force settings are updated.
585332 : Virtual Edition network settings aren't pinned correctly on startup★
Component: TMOS
Symptoms:
You notice unusually high CPU utilization on Virtual Edition after upgrading to 12.1.0 when compared to a previous release (such as version 11.6.1).
Conditions:
This occurs after upgrading to 12.1.0. In Virtual Edition version 12.1.0, there is an issue where network interface IRQs don't get pinned correctly at startup.
Impact:
Since CPU0 is unusually high compared to previous releases, upgrading could put Virtual Edition into an overloaded state.
Workaround:
bigstart restart tmm will start the network interfaces and pin them to the right IRQ.
Fix:
Fixed an issue where interfaces and their IRQs were not configured correctly during system boot.
585120-1 : Memory leak in bd under rare scenario
Component: Application Security Manager
Symptoms:
Under high traffic, bd may leak memory and cause an ASM restart under certain rare conditions
Conditions:
ASM enabled and under high traffic
Impact:
Causes traffic abort while restart is happening. High swap and memory.
Workaround:
None.
Fix:
A memory leak in the bd was fixed.
585097-1 : Traffic Group score formula does not result in unique values.
Component: TMOS
Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.
Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.
The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.
Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.
Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.
Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.
585054-1 : BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
Component: Application Security Manager
Symptoms:
When you import an XML file that contains references to violations in the delay blocking session tracking configuration, extra violations get added to the list.
Conditions:
This occurs when importing delay-type violations in ASM
Impact:
A very large subset of the violations is added to the policy
Fix:
BIG-IP now imports delay-type violations correctly.
584926-1 : Accelerated compression segfault when devices are all in error state.
Component: Local Traffic Manager
Symptoms:
TMM segfaults. Kernel log contains "Uncorrectable Error" and "icp_qa_al err" messages.
Conditions:
All physical or virtual devices concurrently enter error state.
Impact:
Tmm segfaults and restarts. May require a reboot.
Workaround:
Disable QAT compression using tmsh:
tmsh modify sys db compression.strategy value softwareonly
Fix:
TMM QAT compression driver will not fail if all QAT devices concurrently go down.
584921-1 : Inbound connections fail to keep port block alive
Component: Carrier-Grade NAT
Symptoms:
Connections that use a PBA port block should keep the port block from expiring. However, inbound connections to a client using a port block fail to refresh the block, causing the block to expire prematurely. An inbound connection can remain active while the port block has been deleted.
Conditions:
An inbound connection with no outbound connections fails to keep a port block alive, resulting in an inbound connection to a client without a corresponding port block.
Impact:
When reverse mapping an inbound connection to a subscriber (e.g. trying to find who was using an ip address/port at a particular time), customers may find no corresponding port block, or a port block belonging to another client when the reverse map is performed at a time when the connection is closed.
Workaround:
When performing a reverse map, customers should use the start time of a connection to determine which port block was in use.
Fix:
Inbound connections properly refresh the port block, preventing premature expiration of the port block.
584865-1 : Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
Component: Local Traffic Manager
Symptoms:
Secondary blades in a Viprion system can disagree about the identity of the Primary blade.
Conditions:
Viprion chassis with 3 or more blades. If the primary is temporarily isolated from the other blades, a new primary will be elected. When the primary rejoins, the non-primary blades do not correctly switch back to the newly re-elected primary.
Impact:
Configuration and status may not be kept properly in sync between blades.
Fix:
Secondary blades properly identify the Primary on changes.
584670 : Output of tmsh show sys crypto master-key
Component: TMOS
Symptoms:
In this release, tmsh show sys crypto master-key has changed and will now display its output as the base 64 encoded form of a SHA512 hash.
Conditions:
You will see this when running tmsh show sys crypto master-key, or f5mku -Z, or f5mku -U
Impact:
None
584661 : Last good master key
Component: TMOS
Symptoms:
When applying a UCS file to a platform that was different from the one the UCS was taken on, for example after RMA, you get a master key decrypt error because the master key is different.
Conditions:
This can occur either when applying a UCS file to an identical platform you received as an RMA exchange, or while performing the platform-migrate command.
Impact:
UCS load fails when extracting a UCS that came from another system.
Fix:
Secure Vault now stores the last good master key, which allows you to set the master key password to be the same as the other device you are importing from, then load the UCS from the other system. If master key decryption fails, the system will load the master key that was in effect before the UCS load was initiated. If that master key matched the master key from the system where the UCS was taken then encrypted attributes in the UCS can be loaded into the configuration.
584655 : platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
Component: TMOS
Symptoms:
If you run the platform-migrate command to migrate from a UCS file generated on a platform running 10.2.4, the password protected master key won't import
Conditions:
You would encounter this when doing platform migration from an older platform running 10.2.4, and using the UCS file from that platform to platform-migrate to 12.1.1. This also only occurs if your 10.2.4 UCS contains secure attributes, such as clientssl or serverssl keys and profiles.
Impact:
The platform-migrate command will fail if the 10.2.4 UCS contains a password protected master key.
Fix:
The 12.1.1 release can successfully platform-migrate UCS files from a 10.2.4 configuration if some steps are taken to generate a password protected master key on the 10.2.4 release. Without these steps, this impact exists. The 10.2.4-specific solution is described in https://support.f5.com/csp/#/article/K9420
584642-1 : Apply Policy Failure
Component: Application Security Manager
Symptoms:
Some Policies cannot be successfully applied/activated
Conditions:
Signature overrides on Content Profiles are configured
Impact:
Policy cannot be applied
Workaround:
None.
Fix:
Policies can be successfully applied.
584623-2 : Response to -list iRules command gets truncated when dealing with MX type wide IP
Component: Global Traffic Manager (DNS)
Symptoms:
GTM iRule "members" with the "-list" flag will truncate MX-type WideIP pool members when printed out to a log.
Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.
Impact:
WideIP MX-type pool members are truncated in the log.
Workaround:
None
584583-3 : Timeout error when using the REST API to retrieve large amount of data
Solution Article: K18410170
Component: TMOS
Symptoms:
The Rest API might time out when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API appears as follows: errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET
Conditions:
Configuration containing a large number of GTM pools and pool members (numbering in the thousands).
Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.
Workaround:
There is no workaround at this time.
Fix:
TMSH performance has been improved for this GTM case (improvement ~5-10 times), which is the root cause of the REST failure. The timeout is no longer triggered for this amount of data.
584582-1 : JavaScript: 'baseURI' property may be handled incorrectly
Component: Access Policy Manager
Symptoms:
If a generic JavaScript object has a 'baseURI' property, it may be handled incorrectly via Portal Access: the web application may get an 'undefined' value for this property.
Conditions:
User-defined JavaScript object with 'baseURI' property.
Impact:
Web application may work incorrectly.
Workaround:
iRule can be used to remove F5_Deflate_baseURI() calls from rewritten JavaScript code.
Fix:
Now JavaScript objects with 'baseURI' property are handled correctly by Portal Access.
584545-2 : Failure to stabilize internal HiGig link will not trigger failover event
Component: Local Traffic Manager
Symptoms:
In rare cases, the internal HiGig interface may repeatedly report FCS errors or fail to become stable.
Conditions:
The internal HiGig interface experiences FCS or XLMAC link failures.
Impact:
The device is left in a state where it cannot receive or pass traffic, or it has frame checksum errors.
Workaround:
None.
Fix:
HA failover mechanism is now activated when internal HSB ports on critical data path are consistently unstable.
Behavior Change:
There is a condition in which failures happen on the internal HiGig interfaces on the critical packet path between the HSB and the Broadcom switch, causing traffic interruption. Such failures can be inferred by HSB XLMAC instability or by observing increasing FCS errors. When these HSB XLMAC failures happened in the past, TMOS initiated a recovery mechanism by resetting the HSB MAC interface. However, if the failure persisted even after repeated recovery attempts, TMOS triggered a high availability (HA) failover event to prevent prolonged traffic disruption. The failover triggering condition is set as either the consecutive recovery attempts or consecutive FCS failure events that reach a configurable preset limit. After the HA failover was triggered, the original active unit will still keep trying to recover, and will mark itself ready if the failure condition is no longer observed. The XLMAC reset was existing behavior. The new behavior also applies to FCS failure events.
584471-1 : Priority order of clientssl profile selection of virtual server.
Solution Article: K34343741
Component: Local Traffic Manager
Symptoms:
When an SSL connection with a specified server name is received on a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
The issue is, based on RFC6125, common name should be used as a 'last resort'. In other words, the third rule should be the second rule.
Conditions:
The issue occurs when all of the following conditions are met.
(1) The incoming SSL request includes SNI (server name) extension in the clienthello, used to specify its desirable SSL server.
(2) The given server name from the client side does not match any server name configured in all the clientssl profiles of the virtual server.
(3) The certificates used by the clientssl profile of the virtual server have subject alternative names (note that every certificate has common name but not necessarily subject alternative names).
Impact:
The virtual server might select a clientssl profile that is not preferred by the client side.
Workaround:
None.
Fix:
The priority order of clientssl profile selection for a virtual server has been changed. The system now matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the common names of the certificates used by the clientssl profiles.
So the common-name match is last, which is correct according to RFC6125.
Behavior Change:
If server-name is not configured in the client SSL profile for SNI (server name) matching, SANs (subject alternative names) in the certificate will take precedence over CN (common name) in the certificate, for the SNI-matching process for client SSL profile selection.
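The rule ordering above can be modelled to see why the change matters: with the pre-fix order a wildcard common name can capture a connection whose SNI is only listed as a subject alternative name of another profile's certificate. The following is an added example, not F5 code; the profile names, certificate values and the simplified wildcard matcher are constructed assumptions, and the selection function only reproduces the three-step ordering the entry describes.

```python
# Added example (not F5 code): a model of the clientssl profile selection
# order described in bug 584471-1, so the pre-fix order (CN before SAN) and
# the fixed order (SAN before CN, RFC 6125) can be compared side by side.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientSslProfile:
    name: str
    server_name: Optional[str] = None                   # explicit server-name setting
    cert_cn: str = ""                                   # certificate subject CN
    cert_sans: List[str] = field(default_factory=list)  # dNSName SAN entries


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a single-label '*.' wildcard match.

    Simplified stand-in for the real matching logic (assumption)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # '*.example.com' matches 'api.example.com' but not 'a.b.example.com'
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def select_profile(profiles: List[ClientSslProfile], sni: str,
                   san_before_cn: bool = True) -> Optional[str]:
    """Return the name of the profile chosen for the SNI server name.

    Rule 1 is always the explicit server-name configuration. With
    san_before_cn=True (the fixed behaviour) SANs are tried before the CN,
    so the CN is the last resort; with False the pre-fix order is used."""
    for p in profiles:                                   # rule 1
        if p.server_name and host_matches(p.server_name, sni):
            return p.name

    def by_san() -> Optional[str]:
        for p in profiles:
            if any(host_matches(s, sni) for s in p.cert_sans):
                return p.name
        return None

    def by_cn() -> Optional[str]:
        for p in profiles:
            if p.cert_cn and host_matches(p.cert_cn, sni):
                return p.name
        return None

    steps = (by_san, by_cn) if san_before_cn else (by_cn, by_san)
    for step in steps:
        chosen = step()
        if chosen is not None:
            return chosen
    return None


# Constructed sample configuration: a wildcard certificate with no SANs and
# a certificate whose SAN list carries the API hostname.
PROFILES = [
    ClientSslProfile("explicit", server_name="portal.example.org",
                     cert_cn="portal.example.org"),
    ClientSslProfile("wildcard", cert_cn="*.example.com"),
    ClientSslProfile("api", cert_cn="www.example.net",
                     cert_sans=["api.example.com", "www.example.net"]),
]


def compare_orders(sni: str) -> dict:
    """Show which profile each rule order picks for one SNI value."""
    return {
        "old_cn_first": select_profile(PROFILES, sni, san_before_cn=False),
        "fixed_san_first": select_profile(PROFILES, sni, san_before_cn=True),
    }


if __name__ == "__main__":
    for name in ("api.example.com", "portal.example.org", "nomatch.test"):
        print(name, compare_orders(name))
```

For `api.example.com` the old order returns the `wildcard` profile (its CN `*.example.com` matches first), while the fixed order returns `api`, whose certificate actually names that host in its SAN list; an explicit server-name entry wins under both orders.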
584374-2 : iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
Solution Article: K67622400
Component: Global Traffic Manager (DNS)
Symptoms:
iRule command RESOLV::lookup causes tmm crash when resolving an IP address.
Conditions:
Using the RESOLV::lookup iRule command to resolve an IP address.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the RESOLV::lookup command to resolve an IP address.
Fix:
TMM no longer crashes when the iRule command RESOLV::lookup is used.
584373-2 : AD/LDAP resource group mapping table controls are not accessible sometimes
Component: Access Policy Manager
Symptoms:
In the AD/LDAP resource group mapping table, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the dialog bounds.
Conditions:
Very long group names and resource names.
Impact:
It is impossible to delete and move rows in the table; editing is still possible.
Workaround:
Spread one assignment across multiple rows.
Fix:
A scroll bar now appears when needed.
584310-1 : TCP:Collect ignores the 'skip' parameter when used in serverside events
Solution Article: K83393638
Component: Local Traffic Manager
Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start.
Conditions:
TCP::Collect on server side events like SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that has been observed only with IIS servers.
Impact:
TCP::Collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.
Workaround:
None.
Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.
584213-1 : Transparent HTTP profiles cannot have iRules configured
Component: Local Traffic Manager
Symptoms:
When an HTTP profile is configured in transparent mode, but has a nonexistent iRule attached to it, then tmm will crash.
Conditions:
-- An iRule is attached, for example:
    when HTTP_PROXY_REQUEST {
        after 1000
    }
-- The proxy is transparent.
-- The configuration is changed from explicit to transparent while the system is processing in the after command.
-- There is then an attempt to use a configuration that does not exist.
Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.
Workaround:
This is incorrect configuration. Either detach the iRule or configure the profile in a mode other than transparent.
Fix:
Incorrectly configured proxy types from TMOS installations of earlier versions will be corrected at upgrade time. A warning will be logged that describes the change made.
584210-1 : TMM may core when running two simultaneous WebSocket collect commands
Component: Local Traffic Manager
Symptoms:
TMM may core with a SIGFPE when running two or more WebSocket collect commands in parallel.
Conditions:
-- WebSocket profile is attached to the virtual server.
-- Multiple iRules with WebSocket collect commands are attached to the virtual server.
Impact:
TMM may core with a SIGFPE resulting in loss of service.
Workaround:
Behavior is undefined when multiple collect commands are running at the same time. Rewrite iRules to have only one collect command executing at a time.
Fix:
iRule documentation was updated and WebSocket filter state machine was changed to reject multiple collect commands.
584103-2 : FPS periodic updates (cron) write errors to log
Component: Application Security Manager
Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.
Conditions:
FPS is not provisioned.
Impact:
Errors appear in FPS logs.
584082-3 : BD daemon crashes unexpectedly
Component: Application Security Manager
Symptoms:
bd crashes, with the following log signature immediately before the crash in /var/log/bd.log:
"IO_PLUGIN|ERR |Mar 29 20:48:02.217|17328|plugin_common.c:0085|plugin context doesn't match the argument which was originally set on it".
Conditions:
It is not known exactly what triggers this condition; it can occur intermittently during normal use of ASM.
Impact:
A bd crash, failover, traffic disturbance.
Workaround:
None.
Fix:
Fix a bd crash scenario.
584041 : If a forward slash '/' is used in the description field, the admin user will be demoted to guest.
Component: TMOS
Symptoms:
When creating a new admin user, if a forward slash '/' is used in the description field, the user will be demoted to guest.
Conditions:
Creating a new admin user with a forward slash in the description text.
Impact:
The user's admin role in mcp is demoted to guest.
Workaround:
Do not use forward slashes in the user's description.
Fix:
System now allows forward slashes '/' in user description.
584029-6 : Fragmented packets may cause tmm to core under heavy load
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file while processing fragmented packets.
As a result of this issue, you may encounter one or more of the following symptoms:
-- TMM generates a core file in the /shared/core directory.
-- In one of the /var/log/tmm log files, you observe an error message similar to the following example:
notice panic: ../base/flow_fwd.c:255: Assertion "ffwd flag set" failed.
panic: ../net/packet.c:168: Assertion "packet is locked by a driver" failed.
notice ** SIGFPE **
Conditions:
This issue occurs when all of the following conditions are met:
-- The TMM process offloads a fragmented packet by way of an ffwd operation.
-- Your BIG-IP system is under heavy load.
Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.
Workaround:
None.
Fix:
Fragmented packets no longer cause tmm to core under heavy load.
583957-6 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.
Component: Local Traffic Manager
Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.
Conditions:
-- An HTTP::respond or HTTP::redirect iRule command is used.
-- The iRule command is in an event triggered on the client-side.
-- A pipelined HTTP request is being handled.
Impact:
The TMM will be restarted by SOD. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.
583943-1 : Forward proxy does not work when netHSM is configured on TMM interfaces
Solution Article: K27491104
Component: Local Traffic Manager
Symptoms:
Forward proxy feature does not always work when netHSM is configured on TMM interfaces.
Conditions:
A netHSM device is configured on a TMM interface.
Impact:
The forward proxy feature does not work. This is an intermittent issue.
Workaround:
None.
Fix:
Forward proxy now works consistently when netHSM is configured on TMM interfaces.
583936-5 : Removing ECMP route from BGP does not clear route from NSM
Component: TMOS
Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.
Conditions:
ECMP routing must be enabled and in-use.
Impact:
ECMP routes are not properly removed from the main routing table.
Fix:
ECMP routes are now properly removed from the routing table.
583754-7 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
Component: TMOS
Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.
Conditions:
TMM must be down.
Impact:
A non-obvious, unhelpful error message is generated, leading to confusion.
Workaround:
N/A
583700-3 : tmm core on out of memory
Solution Article: K32784801
Component: Local Traffic Manager
Symptoms:
tmm memory increases quickly, then crashes on out-of-memory condition.
Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH and ECDHE ciphers.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None known.
Fix:
The system now cancels ongoing crypto requests when the handshake is dropped, preventing this error condition.
583686-2 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
Component: Application Security Manager
Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.
Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.
Impact:
Unable to view or edit the policy, and an 'Illegal meta character in value' violation is triggered.
583678-1 : SSHD session.c vulnerability CVE-2016-3115
Solution Article: K93532943
583631-2 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
Component: Local Traffic Manager
Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.
Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.
Impact:
The connection fails. The system might generate an alert.
Workaround:
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'Options' section of the Server SSL profile.
Fix:
When the db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the outer SSL record always contains TLS1.0. You can use this db variable to prevent an issue with older servers that do not support TLS versions later than 1.0, in which an alert might be generated that closes the connection.
Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the version present in the outer record is TLS 1.0 regardless of the version in the ClientHello.
583516-2 : tmm asserts "valid node" on Active, after timer fire.
Component: TMOS
Symptoms:
TMM crashes on the "valid node" assertion.
Conditions:
The cause is unknown, and this happens rarely.
Impact:
TMM crash.
Workaround:
None.
Fix:
TMM no longer asserts on 'valid node'.
583475-1 : The BIG-IP may core while recompiling LTM policies
Component: TMOS
Symptoms:
In some rare and still unknown situations the BIG-IP Mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.
Conditions:
Creating or modifying LTM policies.
Impact:
The BIG-IP control plane services restart, affecting both control plane and data plane functionality.
Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.
Fix:
Not fixed yet.
583402-1 : ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work
Component: Application Security Manager
Symptoms:
The 'Overridden Characters in Value' and 'Overridden Attack Signatures' filter options on the Parameters List screen do not work correctly. These filter options appear after you set 'Parameter Value Type' to 'User-input value' and 'Data Type' to 'Alpha-Numeric'.
Conditions:
Attempting to filter parameters by setting the 'Value Type' to 'User-input value', 'Data Type' to 'Alpha-Numeric', and searching for 'At least one' signature override.
Impact:
Search fails.
Workaround:
None.
Fix:
Searching for 'At least one' override now works correctly.
583355-1 : The TMM may crash when changing profiles associated with plugins
Component: Local Traffic Manager
Symptoms:
The TMM may crash when changing profiles associated with plugins.
Conditions:
There must be a profile associated with a plugin already on a virtual server, and traffic must be running. When the profile is removed or swapped for another, the crash may occur.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A safe way to definitely avoid a crash is to stop the plugin before making changes to its profile.
583285-5 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.
Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.
583272-2 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
Component: Access Policy Manager
Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.
The root cause, visible in a packet capture, is that APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy
Brackets around IPv6 addresses are for raw IPv6 addresses. They are illegal for DNS names that represent an IPv6 address.
Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.
Impact:
Client is unable to authenticate.
Workaround:
None.
Fix:
Clients connecting to an APM access policy with on-demand certificate authentication to an IPv6 virtual server now transmit the client certificate correctly when executing the access policy.
583177 : LCD text truncated by heartbeat icon on VIPRION
Component: TMOS
Symptoms:
While looking at informational text on the first line of the LCD display on a VIPRION, the end of the string is truncated by a heartbeat icon.
Conditions:
This occurs on platforms that display a heartbeat icon on the LCD display.
Impact:
The heartbeat icon is displayed over the last character of the string; this is cosmetic.
Fix:
In this release, longer messages on the LCD are now displayed on multiple lines.
583113-1 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
Component: Access Policy Manager
Symptoms:
The following iRule did not work as expected when the access profile had an NTLM auth profile attached; the client still received a 407 prompt to enter NTLM credentials:
when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}
Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.
Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.
Workaround:
The following iRule works from HTTP_REQUEST:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}
Fix:
When the ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM is configured, then wake up the ECA plugin."
The fix changed the logic to "if NTLM is configured and the ACCESS filter is not disabled, then wake up the ECA plugin."
583111-1 : BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
Component: TMOS
Symptoms:
When BGP is configured with 'no bgp default ipv4-unicast,' configuring a peer-group with IPv6 members adds 'neighbor <neighbor> activate' for the IPv6 neighbors under address-family ipv4.
Conditions:
This occurs when the following conditions are met:
-- 'no bgp default ipv4-unicast' is configured in imish.
-- 'neighbor <neighbor> peer-group <peergroup>' is configured.
Impact:
Despite disabling IPv4 unicast for BGP by default, neighbors in the peer group have the IPv4 unicast address family enabled.
Workaround:
Delete the line in the configuration that was automatically added in imish in the 'router bgp' section:
no neighbor <neighbor> activate
Fix:
Configuring IPv6 members of a peer-group when 'no bgp default ipv4-unicast' no longer automatically enables IPv4 unicast for the peer-group members.
583108-1 : Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
Component: TMOS
Symptoms:
When a neighbor with an IPv4 address is disabled in the IPv6 address family, the running configuration shows that the neighbor is disabled. However, when tmrouted or the BGP protocol is restarted or the system is rebooted, the neighbor is enabled again. Configuration persistence is not maintained.
Conditions:
1. Disable a neighbor with an IPv4 address in the IPv6 address family.
2. Reboot the system or restart tmrouted or the BGP protocol.
Impact:
Configuration persistence is not maintained. This impacts BIG-IP upgrades, as the configuration loaded is not the same as it was before the upgrade. Similarly, a restart or reboot also loads a different configuration than the one originally used. This might alter the intended behavior of the protocol that the user expects.
Workaround:
Disable the neighbor again.
Fix:
Configuration persistence is now maintained for a disabled neighbor with an IPv4 address in the IPv6 address family.
583024-1 : TMM rarely restarts during startup
Component: Application Security Manager
Symptoms:
A TMM crashes with a core file during startup. It then restarts correctly.
Conditions:
The system starts up.
Impact:
The system startup takes longer. A core file appears. Traffic is not impacted and a failover usually doesn't occur since the system didn't reach the active state.
Workaround:
None.
Fix:
TMM no longer crashes during startup.
583010-4 : Sending a SIP invite with 'tel' URI fails with a reset
Component: Service Provider
Symptoms:
Using an 'INVITE tel:' URI results in a SIP error (Illegal value).
Conditions:
Sending a SIP "INVITE tel:" to the BIG-IP system.
Impact:
'INVITE tel:' messages are not accepted by the BIG-IP system.
Workaround:
None.
Fix:
'INVITE tel:' messages are now accepted by the BIG-IP system.
582792-7 : iRules are not updated in transactions through TMSH or iControl
Component: TMOS
Symptoms:
Updating an iRule in a transaction via TMSH or iControl results in the iRule not being updated, but there is no error indicating this.
Conditions:
Updating an iRule in a transaction using TMSH or iControl.
Impact:
iRule is not updated, and the user is not alerted of this fact.
Workaround:
None.
Fix:
iRules modified through transactions are now updated properly.
582773-5 : DNS server for child zone can continue to resolve domain names after revoked from parent
Solution Article: K48224824
582769-1 : WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
Solution Article: K99405272
Component: Local Traffic Manager
Symptoms:
WebSockets frames are not forwarded with WebSocket profile and ASM enabled on virtual.
Conditions:
Virtual has WebSocket profile attached to it. ASM is enabled on the virtual. WebSockets server replies with a "Connection: upgrade" header. The issue is also seen if multiple header values are present in Connection header.
Impact:
WebSockets frames are not forwarded to the pool member.
Workaround:
Use a simple iRule similar to the following:
when HTTP_RESPONSE {
    if { [HTTP::status] == 101 } {
        HTTP::header replace "Connection" "Upgrade"
    }
}
Fix:
The system now accepts "Connection: UPGRADE" or "Connection: upgrade" as valid header for WebSocket handshake, and supports a comma-separated list of values for the Connection response header.
582752-3 : Macrocall could be topologically not connected with the rest of policy.★
Component: Access Policy Manager
Symptoms:
It is possible to create a macrocall access policy item that:
1. Belongs to the policy items list.
2. Is correctly connected to an ending.
3. Has no incoming rules (i.e., no items pointing at it).
Conditions:
1. Create an access policy with a macrocall item in one of the branches.
2. Remove the item that refers to this macrocall item from the access policy.
As a result, the macrocall item remains.
Impact:
VPE fails to render this access policy.
Workaround:
Delete the macrocall access policy item manually using tmsh commands.
Fix:
Any modification of an access policy is not allowed if it would leave an access policy item unreferenced.
At upgrade time, unreferenced access policy items are deleted. All subsequent access policy items are deleted as well. The resulting access policies can be rendered correctly by VPE. Note that only the active configuration is corrected; the saved configuration file (/config/bigip.conf) contains the uncorrected version until any new configuration changes are made. The active configuration can be saved explicitly with a tmsh command ('tmsh save sys config partitions all').
582683-2 : xpath parser doesn't reset a namespace hash value between each and every scan
Component: Application Security Manager
Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.
Conditions:
The customer has a virtual server configured with an XML profile, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.
Impact:
XML content based routing does not work dependably.
Workaround:
N/A
Fix:
Fixed the xpath parser: the namespace declaration is now restored each time the xpath parser finishes parsing a document.
582629-1 : User Sessions lookups are not cleared, session stats show marked as invalid
Component: Application Visibility and Reporting
Symptoms:
AVR session statistics may be reported as excessively high, and when the sessions time out they get marked as invalid instead of being removed.
Conditions:
The exact conditions which cause this in a production configuration are unknown, as this was discovered during internal testing.
Impact:
Session statistics will report incorrectly.
Fix:
An issue with session statistics not clearing after session timeout has been fixed.
582526-3 : Unable to display and edit huge policies (more than 4000 elements)
Component: Access Policy Manager
Symptoms:
It takes a very long time, or is not possible, to display huge policies (more than 4000 elements). VPE returns a server timeout error or simply halts.
Conditions:
Huge Access Policy, for example, containing 4000 or more elements.
Impact:
Unable to edit policy because VPE times out.
Workaround:
None.
Fix:
VPE loading times for APM policies are greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.
582487-2 : 'merged.method' set to 'slow_merge,' does not update system stats
Solution Article: K22210514
Component: Local Traffic Manager
Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats are not updated and remain at zero.
Conditions:
Merged.method is set to slow_merge.
Impact:
System stats such as overall CPU usage remain at zero.
Workaround:
Set Merged.method to fast_merge.
Fix:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats are now updated as expected.
582465-1 : Cannot generate key after SafeNet HSM is rebooted
Component: Local Traffic Manager
Symptoms:
After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key.
Conditions:
The BIG-IP system uses the SafeNet HSM.
Impact:
HSM service is not usable even after restarting pkcs11d. Users must re-authenticate.
Workaround:
To generate a new key, after HSM finishes starting up, run the following commands:
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>
Or, you can reinstall the SafeNet client.
Fix:
After the SafeNet Hardware Security Module (HSM) is restarted, users can now generate a new key.
582374-1 : Multiple 'Loading state for virtual server' messages in admd.log
Component: Anomaly Detection Services
Symptoms:
When a dosl7d profile is configured on a BIG-IP that's in a device group and the BIG-IP is set to "Forced Offline" in the Device Management settings, admd logs multiple messages to admd.log similar to the following:
47854390298368 Mar 22 02:38:50 [info] virtual bool CVirtualServerImpl::loadState() : Loading state for virtual server
Conditions:
- A dosl7d profile is attached to a virtual server.
- The BIG-IP is part of a DSC cluster.
- A BIG-IP is forced offline in the cluster.
Impact:
Excessive logging occurs to /var/log/adm/admd.log.
Workaround:
None.
Fix:
An issue with excessive logging to admd.log has been fixed.
582207-7 : MSS may exceed MTU when using HW syncookies
Component: Local Traffic Manager
Symptoms:
Packets larger than the interface's MTU can be transmitted.
Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.
Impact:
Potential packet loss.
Workaround:
Disable HW syncookie mode.
582133-1 : Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
Component: Application Security Manager
Symptoms:
When the conditions of the "Track Site Change" settings are met, the staging flag on "*" entities is supposed to be turned ON in order to learn subsequent site changes without blocking traffic. However, this does not happen: the staging flag stays OFF.
Conditions:
Staging was set OFF on a "*" entity. After that, the conditions of the "Track Site Change" settings are met.
Impact:
In a situation in which the protected web application was changed, ASM can block traffic that should not be blocked.
Workaround:
The staging flag can be changed manually via the GUI.
Fix:
The problem was a side effect of other code changes. The code was fixed so that it accounts for the "Track Site Change" conditions and changes the staging flag when needed.
582084-1 : BWC policy in device sync groups.
Component: TMOS
Symptoms:
When a BWC policy is created in both the global sync group and a local one, the configuration displays an error.
Conditions:
A BWC policy is created both in the global sync group and locally.
Impact:
Configuration error, BWC policies will not be synced due to errors.
Workaround:
Ensure that the BWC policy is in the global sync group only.
Fix:
BWC policy is now configured for device group sync only in the global group and not local.
582029-4 : AVR might report incorrect statistics when used together with other modules.
Component: Application Visibility and Reporting
Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, AVR can get false readings of the activity and, as a result, report unexpectedly large numbers.
Conditions:
The AVR module is used together with other modules, and these modules affect the traffic flow.
Impact:
AVR reports incorrect statistics: unexpectedly large numbers.
Workaround:
None.
Fix:
AVR now identifies the other modules' activity and collects the activity statistics accordingly.
581991-1 : Logging filter for remote loggers doesn't work correctly with more than one logging profile
Component: Application Security Manager
Symptoms:
A logging message arrives at a remote logger even though the remote logger's filter has criteria that do not match.
Conditions:
More than one logging profile is attached to a virtual server, and the logging profiles have different filter conditions.
Impact:
Unrelated messages are presented at the remote logger.
Fix:
Fixed an issue with multiple remote loggers with different filters.
581945-2 : Device-group 'datasync-global-dg' becomes out-of-sync every hour
Component: TMOS
Symptoms:
The datasync-global-dg device-group may become out-of-sync unexpectedly without any user changes.
When this happens, you can manually sync the device-group, but after about an hour, the device-group becomes out-of-sync again.
Conditions:
-- This happens only in certain timezones, depending on the timezone configured on the BIG-IP system. (This issue has been seen only in relation to the Europe/London timezone.)
-- The problem starts happening about three days after the first installation of an ASM Signature Update (ASU) or FPS Engine/Signature Update.
Impact:
GUI/shell shows config-sync 'possible change conflict' or 'changes pending' in regards to the datasync-global-dg device-group.
Workaround:
There is no workaround other than manually syncing the device-group approximately every hour.
Fix:
The datasync-global-dg device-group no longer becomes out-of-sync unexpectedly and repeatedly every hour.
581921-2 : Required files under /etc/ssh are not moved during a UCS restore
Solution Article: K22327083
Component: TMOS
Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.
Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.
Impact:
This might impact SSH operations.
Workaround:
Add the /etc/ssh directory to the UCS backup configuration. All subsequent UCS backup and restore operations then include the /etc/ssh/ directory.
To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.
Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.
581851-2 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
Solution Article: K16234725
Component: TMOS
Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.
Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.
As a result of this issue, you may encounter one or more of the following symptoms:
-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appear similar to the following example:
+ err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset
+ err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset
-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.
Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.
Workaround:
None.
Fix:
This issue no longer occurs.
581840-5 : Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.
Solution Article: K46576869
Component: Device Management
Symptoms:
Attempting to use BIG-IQ to manage BIG-IP systems using an Administrator account with a name other than 'admin' can fail.
Conditions:
-- BIG-IQ managing BIG-IP systems.
-- Using an Administrator account different from 'admin'.
Impact:
You cannot manage BIG-IP systems through BIG-IQ.
Workaround:
Use the 'admin' account on BIG-IQ to manage BIG-IP devices.
Fix:
Can now use an Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.
Behavior Change:
Local requests through iControl client are now made on port 80, instead of 443.
581835-1 : Command failing: tmsh show ltm virtual vs_name detail.
Component: TMOS
Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:
01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.
Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.
Impact:
No information is displayed by the tmsh show command.
Workaround:
None.
Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.
581834-5 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.
Conditions:
Clients using Firefox v47 and above attempt to use the Firefox plugin.
Impact:
Clients are unable to use the plugin if they are using Firefox version 47 and above.
Fix:
The Firefox plugin now supports all versions.
581824-2 : "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.
Component: Global Traffic Manager (DNS)
Symptoms:
When you attempt to view the monitors' properties, the page throws an "Instance not found" error.
Conditions:
Viewing the properties page of the GSLB monitors tcp_half_open, gateway_icmp, or bigip_link.
Impact:
You cannot view some of these monitors' properties.
Fix:
Fixed the "Instance not found" error.
581811 : The blade alarm LED may not reflect the warning that non-F5 optics are used.
Component: TMOS
Symptoms:
When non-F5 optics are used for front switch ports, the LCD and /var/log/ltm display a warning message, but the alarm LED may not reflect it.
Conditions:
This is caused by a race condition. When a blade comes up and decides its role as a primary blade or a secondary blade, it will clear the alarm LED. So the last blade coming up may have its alarm LED in the right state, but the blades that came up earlier may have their alarm LEDs cleared.
Impact:
The alarm LED may not reflect the warning.
Workaround:
None.
Fix:
The problem is fixed in TMOS v12.1.1.
581746-1 : MPTCP or SSL traffic handling may cause a BIG-IP outage
Solution Article: K42175594
Component: Local Traffic Manager
Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.
Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.
Impact:
A system outage may occur.
Workaround:
None.
Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.
581438-2 : Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
Component: Global Traffic Manager (DNS)
Symptoms:
Prior to this, only 16 pool members could be chosen during a single load-balancing decision.
Impact:
Cannot return more than 16 pool members in a DNS response.
Fix:
GTM now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.
Behavior Change:
BIG-IP DNS GSLB now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.
581406-1 : SQL Error on Peer Device After Receiving ASM Sync in a Device Group
Component: Application Security Manager
Symptoms:
When:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)
Then upon loading the full sync in the peer an SQL error will appear during the load:
"Failed on insert to PLC.PL_SESSION_AWARENESS_DATA_POINT (DBD::mysql::db do failed: Duplicate entry '<ID>' for key 'PRIMARY')"
Conditions:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)
Impact:
Benign error which does not affect configuration or enforcement.
Workaround:
None
Fix:
SQL error no longer occurs on CMI Sync with Session Awareness
581315-1 : Selenium detection not blocked
Component: Application Security Manager
Symptoms:
When a Selenium client webdriver is detected driving the Chrome browser, it is not blocked, because the PBD (Suspicious Browsers) mechanism assigns it a low score.
Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.
Impact:
A bot running the Selenium Chrome WebDriver is not mitigated by the DoS L7 PBD mechanism.
Workaround:
N/A
Fix:
For desktop Google Chrome browsers only, the PBD JavaScript code checks for a plugin called "Widevine Content Decryption Module". If the plugin does not exist, the browser is considered to be running via the Selenium tool and is blocked by PBD.
581101-1 : non-admin user running list cmd: can't get object count
Component: TMOS
Symptoms:
A non-admin user running the list command cannot get the object count.
Conditions:
Logged in as a non-admin user.
Impact:
Very minor: the non-admin user is restricted from viewing the object count.
Workaround:
Use admin account.
Fix:
Non-admin user rights have been fixed.
580893-2 : Support for Single FQDN usage with Citrix Storefront Integration mode
Solution Article: K08731969
Component: Access Policy Manager
Symptoms:
Adding a new login account to Citrix Receiver enumerates the applications and desktops. Logging off and reconnecting using the same account then starts failing.
Conditions:
-- Citrix Storefront Integration mode with APM.
-- Using the same FQDN to access both Storefront as well as an APM virtual server.
Impact:
Clients are unable to connect.
Workaround:
No workaround other than using different FQDNs.
Fix:
You can now use the same FQDN to successfully access both Storefront as well as an APM virtual server.
580862-1 : Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes
Component: Application Security Manager
Symptoms:
After the Apply-policy task completes successfully, there is an LTM incremental sync back from the peer unit and the policy is deactivated.
Conditions:
High availability (HA) configuration with an auto-sync failover group with ASM sync enabled.
Impact:
ASM policy is erroneously deactivated several seconds after it has been activated via the Apply-policy task.
Workaround:
Temporarily disable ASM sync on the device group.
Fix:
This release fixes the Apply-policy task so that there is no erroneous deactivation after it has completed.
580753-1 : eventd might core on transition to secondary.
Solution Article: K82583534
Component: TMOS
Symptoms:
Upon transition to secondary, eventd shuts down its consumer list. However, during this shutdown, there could still be queued events yet to be processed. This leads to a race condition between processing the events and freeing the memory of the consumer.
Conditions:
This happens when eventd is being shutdown while processing events.
Impact:
Causes an eventd segmentation fault and core dump.
Workaround:
None.
Fix:
eventd no longer cores on transition to secondary when eventd is being shutdown while processing events.
580747-1 : libssh vulnerability CVE-2016-0739
Solution Article: K57255643
580602-1 : Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
Component: TMOS
Symptoms:
As a result of a known issue a configuration containing LTM nodes with IPv6 link-local addresses may fail to load.
Conditions:
Attempt to load a configuration containing an LTM node with an IPv6 link-local address.
Impact:
Configuration fails to load.
Workaround:
Use IPv6 global addresses instead.
Fix:
The BIG-IP system now correctly loads a configuration containing an LTM node with an IPv6 link-local address.
580596-1 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
Solution Article: K14190 K39508724 K10065173
580567-1 : LDAP Query agent failed to resolve nested group membership
Component: Access Policy Manager
Symptoms:
Not all of the nested group memberships are resolved for a user.
Conditions:
Several conditions need to be met:
1. LDAP Query agent is configured to connect to GC (Global Catalog) in AD environment; AND
2. There are sub domains in the AD environment; AND
3. A user who is a member of a group from one of the sub domains logs in.
Impact:
User authentication might fail, or the user might not receive all of the assigned resources, due to missing nested group membership.
Fix:
The LDAP Query agent now retrieves group membership from the server when talking to the Global Catalog.
580537-1 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
Component: Global Traffic Manager (DNS)
Symptoms:
The geoip_update_data script does not install City2 GeoIP data.
Conditions:
Attempting to install the City2 GeoIP data.
Impact:
The City2 GeoIP data must be installed manually.
Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:
rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat
Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.
580500-1 : /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
Component: TMOS
Symptoms:
/etc/logrotate.d/sysstat fails to read /var/log/sa6 or fails to write to /var/log/sa6, so /var/log/sa6 is not rotated and its disk space is not reclaimed.
Conditions:
/var/log/sa6 becomes corrupt, or disk space becomes full in /var/log/sa6.
Impact:
Disk space is not reclaimed in /var/log/sa6.
Workaround:
Edit /etc/logrotate.d/sysstat and add "exit 0" after the sadf line.
Fix:
When sadf in /etc/logrotate.d/sysstat fails, the script now exits cleanly so that logrotate reclaims disk space.
580340-1 : OpenSSL vulnerability CVE-2016-2842
Solution Article: K52349521
580313-1 : OpenSSL vulnerability CVE-2016-0799
Solution Article: K22334603
580303-5 : When going from active to offline, tmm might send a GARP for a floating address.
Component: Local Traffic Manager
Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.
Conditions:
Using high availability, and switching a device from active to offline.
Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.
Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.
Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.
580168-4 : Information missing from ASM event logs after a switchboot and switchboot back
Component: Application Security Manager
Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back
Conditions:
-- ASM is provisioned.
-- Event logs are available with violation details.
-- Install/upgrade to another volume and switchboot to it.
-- Wait for ASM to fully come up.
-- Switchboot back.
After switching back, the event logs are still available but the violation details are gone.
Impact:
Information missing from ASM event logs after a switchboot and switchboot back
Workaround:
N/A
Fix:
N/A
580026-5 : HSM logging error
Solution Article: K74759095
579955-6 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
Solution Article: K01587042
579953 : Updated the list of Common Criteria ciphersuites
Component: Local Traffic Manager
Symptoms:
This is ongoing maintenance of the default ciphersuite set per certification requirements.
Conditions:
These changes are only in effect when the ccmode script is executed.
Impact:
The current set of ciphersuites is as follows, subject to change in future releases:
AES{128,256}-{SHA,SHA256}
ECDHE-RSA-AES128-CBC-{SHA,SHA256}
ECDHE-RSA-AES256-CBC-{SHA,SHA384}
ECDHE-RSA-AES128-GCM-{SHA256,SHA384}
ECDHE-ECDSA-AES128-{SHA,SHA256}
ECDHE-ECDSA-AES256-{SHA,SHA384}
ECDHE-ECDSA-AES128-GCM-{SHA256,SHA384}
579926-1 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode
Component: Local Traffic Manager
Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.
Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.
Impact:
Incomplete data transfer to the endpoint when the connection is half-closed and HTTP is in passthrough mode.
Workaround:
No workaround.
579917-1 : User-defined signature set cannot be created/updated with Signature Type = "All"
Component: Application Security Manager
Symptoms:
When creating a User-Defined Signature Set the Signature Type cannot be set to "All". After saving the setting, it resets back to Request.
Conditions:
Creating a new signature set with Signature Type set to "All" (the dropdown defaults to "Request" when opening the create page).
Impact:
A custom signature set cannot be created with both Request and Response signatures.
Workaround:
No workaround, but can be mitigated by creating two signature sets, or using manual sets.
Fix:
Signature Type can now successfully be set to "All".
579843-1 : tmrouted may not re-announce routes after a specific succession of failover states
Component: Local Traffic Manager
Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair that uses dynamic routing.
Conditions:
- Active/Standby HA pair set up
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
- Active unit has the following succession of failover states:
Active->Offline->Online->Standby->Active
Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession of failover states listed above.
Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.
Fix:
tmrouted now re-announces RHI routes after this transition of failover states within an HA pair that uses dynamic routing.
579829-7 : OpenSSL vulnerability CVE-2016-0702
Solution Article: K79215841
579760-3 : HSL::send may fail to resume after log server pool member goes down/up
Solution Article: K55703840
Component: TMOS
Symptoms:
High speed logging (HSL): asymmetric bandwidth loss might result in no bandwidth tracking.
Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing.
Impact:
For a period of time after the logging node comes back up, HSL::send events will not be sent to the log server. Sometimes it never recovers and tmm needs to be restarted.
Workaround:
If possible, configure log server pools with multiple members to avoid this condition.
579529 : Stats file descriptors kept open in spawned child processes
Component: TMOS
Symptoms:
No known user visible impact.
Conditions:
This occurs in all multi-blade platforms where clusterd is running.
Impact:
No known user visible impact.
Workaround:
None.
Fix:
Stats file descriptors are now opened so that they are automatically closed when a child process is spawned.
579495-1 : Error when loading Upgrade UCS★
Component: Application Security Manager
Symptoms:
When loading an older version UCS file while ASM is live an error may occur when processing the new configuration. You will see the following error in the asm log:
Mar 9 07:16:06 dut30 err perl[22696]: 01310011:3: ASM configuration error: event code T1499 Failed to update configuration table CONFIG_TYPE_DYNAMIC_TABLES
Conditions:
Loading an older version UCS on a live system.
Impact:
Enforcement of Allowed Methods may be incorrect.
Workaround:
Restart ASM
Fix:
Configuration is correctly processed when loading a UCS file for upgrade on a live device.
579371-4 : BIG-IP may generate ARPs after transition to standby
Solution Article: K70126130
Component: Local Traffic Manager
Symptoms:
tmm generates unexpected ARPs after entering standby.
Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.
Impact:
Unexpected ARP requests that might result in packet loops.
Workaround:
None.
Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.
579220-1 : Mozilla NSS vulnerability CVE-2016-1950
Solution Article: K91100352
579210-3 : VIPRION B4400N blades might fail to go Active under rare conditions.
Solution Article: K11418051
Component: TMOS
Symptoms:
Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000.
Conditions:
This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting.
Impact:
When the problem is manifest, the HSB receives FCS errors at a high-frequency and does not receive any valid traffic from the port switch. The B4400N blade might be unable to go active and join the cluster.
Workaround:
To recover, reboot the system once.
579085-6 : OpenSSL vulnerability CVE-2016-0797
Solution Article: K40524634
578983-4 : glibc: Integer overflow in hcreate and hcreate_r
Solution Article: K51079478
578971-3 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
Component: Local Traffic Manager
Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:
"Slot 1 suffered heartbeat timeout ..."
This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.
Conditions:
Mcpd is restarted on a blade.
Impact:
Though all blades recover on their own, the cluster members being marked fail may result in a failover.
Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.
Fix:
The clusterd daemon has been fixed to no longer become blocked when mcpd is restarted. This prevents the cluster member heartbeat timeouts from occurring, and thus no cluster members will be marked failed.
578951-2 : TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
Component: Local Traffic Manager
Symptoms:
If a TCP connection is started and contains a valid Fast Open cookie, then times out during the three-way handshake, the failure is not accounted for properly. If this occurs more than a threshold number of times, BIG-IP will stop performing TCP Fast Open.
Conditions:
A TCP connection using TCP Fast Open with a valid Fast Open cookie times out during the three-way handshake.
Impact:
Each connection that times out in this fashion decreases the number of valid pre-established connections that the BIG-IP can support. If the number of connections timed out in this fashion rises above a threshold, BIG-IP will act as if TCP Fast Open is disabled. This threshold cannot be changed.
Fix:
Decrement the pre-established connections counter when a TCP Fast Open connection times out during the initial handshake.
578573-1 : SSL Forward Proxy Forged Certificate Signature Algorithm
Component: Local Traffic Manager
Symptoms:
In SSL Forward Proxy, the signature algorithm used by the CA certificate configured on the client SSL profile can change the signature algorithm used by the server certificate.
For example, if the server certificate uses SHA1 but the CA certificate configured in client SSL profile uses SHA256, the forged certificate will use SHA256. If the server certificate uses SHA256 but the CA certificate configured in client SSL uses SHA1, the forged certificate will use SHA1.
Both scenarios are problematic.
Conditions:
The signature algorithm of the CA certificate configured in the client SSL profile differs from the signature algorithm of the server certificate.
Impact:
The signature algorithm of the forged certificate may differ from the signature algorithm of the server certificate.
Workaround:
Configure the CA certificate in the client SSL profile so that its signature algorithm matches that of the server certificate.
578570-1 : OpenSSL Vulnerability CVE-2016-0705
Solution Article: K93122894
578564-4 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
Component: Service Provider
Symptoms:
The connection is aborted with an RST: "ADAPT unexpected state transition (old_state 22 event 7)".
Conditions:
An HTTP virtual server has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.
Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.
Fix:
HTTP::respond works as expected even on an HTTP response returned by an ICAP server after request adaptation.
578551-5 : bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot
Component: TMOS
Symptoms:
"network 0.0.0.0/0 route-map Default" is missing in bgp after a restart/reboot.
Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp.
Impact:
bgp does not have the same configuration after a restart/reboot. Persistence of the bgp configuration is not maintained, leading to unexpected bgp behavior.
Fix:
The "network 0.0.0.0/0 route-map Default" configuration in bgp is now persisted across a restart/reboot.
578415-2 : Support for hardware accelerated bulk crypto SHA256 missing
Component: Local Traffic Manager
Symptoms:
Requests for bulk crypto SHA256 will be performed in software, not by the accelerator.
Conditions:
Any bulk crypto operation that uses SHA256 on the BIG-IP 1600, 3600, 5000, 6900, 7000, 8900, 10000, 11000, 11050, and 12000 platforms, and on VIPRION B2250 blades.
Impact:
The request is completed in software, which may result in increased CPU load.
Workaround:
None.
Fix:
Requests for bulk crypto operations using SHA256 are now assigned to a hardware accelerator and are no longer serviced in software.
578413-1 : Missing reference to customization-group from connectivity profile if created via portal access wizard
Component: Access Policy Manager
Symptoms:
An extra customization group is created for connectivity profile when the profile is created via portal access wizard and the configuration is reloaded.
Conditions:
Using the portal access wizard to create configuration objects.
Impact:
There is no functional impact, since the customization group is not actually used by the connectivity profile.
Workaround:
Create the configuration objects manually rather than via the wizard.
Fix:
There is now a reference to the customization group from the connectivity profile when the profile is created by the wizard.
578064 : tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blade
Component: TMOS
Symptoms:
tmsh show sys hardware shows "unavailable" for hard disk manufacturer.
Conditions:
In VIPRION B4400/B4450 blades, tmsh show sys hardware always shows "unavailable" for hard disk manufacturer.
Impact:
Cannot get the correct hard disk manufacturer information.
Fix:
Fixed
578036-1 : incorrect crontab can cause large number of email alerts
Component: TMOS
Symptoms:
There is an incorrect crontab entry in /etc/cron.usbflush that refers to /sbin/lsusb.
Conditions:
This occurs for the usbflush entry.
Impact:
usbflush does not run, and an alert email is generated once per minute.
Workaround:
Change /etc/cron.usbflush to use /usr/sbin/lsusb.
Fix:
/etc/cron.usbflush has been fixed to use /usr/sbin/lsusb.
577863-5 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time
Solution Article: K56504204
Component: Policy Enforcement Manager
Symptoms:
If the routing table on the DHCP server is misconfigured, so that the DHCP server knows how to send packets to the BIG-IP self IP address (used by the BIG-IP system DHCP relay), but does not know how to send packets to DHCP clients, DHCP clients will not receive a DHCP reply for unicast requests and will start to broadcast DHCP renewal. After a while, the BIG-IP system will stop relaying DHCPOFFER and DHCPACK back to DHCP clients altogether.
Conditions:
The DHCP server's unicast reply back to the client is not received by the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP address as the source IP address).
Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK back to DHCP clients.
Workaround:
Modify the DHCP server routing table, so that the DHCP server can deliver DHCP reply packets back to clients successfully.
Fix:
DHCP relay now continues forwarding the server DHCPOFFER and DHCPACK messages under these conditions.
577474-3 : Users with auditor role are unable to use tmsh list sys crypto cert
Solution Article: K35208043
Component: TMOS
Symptoms:
The system returns error messages after running the following command: tmsh list sys crypto cert. Error messages appear similar to the following:
-- Key management library returned bad status: -4, Invalid Parameter.
-- Unexpected Error: Can't chmod key management directory: "/var/tmp/key_mgmt", error: [1] Operation not permitted".
Conditions:
-- BIG-IP user accounts configured with the auditor role.
-- Running the command: tmsh list sys crypto cert.
Impact:
BIG-IP users with the auditor role cannot view certificates using the command: list sys crypto cert.
Workaround:
Use the following command: sys file ssl-cert
For example, use either of the following:
-- list sys file ssl-cert default.crt
-- list sys file ssl-cert
Fix:
BIG-IP users with the auditor role can now view certificates using the following command: list sys crypto cert.
576591-6 : Support for some future credit card number ranges
Component: Application Security Manager
Symptoms:
ASM does not block or mask when a specific credit card number range appears in the response.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm, or Mask, and the response contains a credit card number in one of the specific ranges.
Impact:
The traffic passes unmasked or unblocked to the end client.
Workaround:
A custom pattern can be used for these cases, but it must be adjusted to each configuration specifically.
576478 : Enable support for the Purpose-Built DDoS Hybrid Defender Platform
Component: Advanced Firewall Manager
Symptoms:
N/A
Conditions:
Requires the new DoS license.
Impact:
None
Fix:
This fix adds support for recognition of a Purpose-Built DDoS Hybrid Defender license, and the necessary mechanisms to launch the DDoS Application.
Behavior Change:
There is no change to existing behavior and functionality. However, when a DoS license is installed, the BIG-IP platform takes on the role of a dedicated DoS protection device. Consequently, most non-DoS related functionality is either disabled or operates in a limited capacity.
576311-1 : HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present
Solution Article: K41335027
Component: Local Traffic Manager
Symptoms:
A configuration error is encountered when creating or modifying a virtual server with HTTP profile and no "clientssl" (or derived) profile attached, when HTTP Strict Transport Security (HSTS) is enabled.
Conditions:
Creating or modifying a virtual server with HTTP profile and HTTP Strict Transport Security (HSTS) enabled, when no clientssl or derived profile is attached to the virtual server.
Impact:
Error while configuring a virtual server with HTTP profile and no "clientssl" (or derived) profile attached, when HTTP Strict Transport Security (HSTS) is enabled.
Workaround:
Add a "clientssl" (or derived) profile to the virtual server with HTTP profile and HTTP Strict Transport Security (HSTS) enabled.
Fix:
The system now validates that a 'clientssl' (or derived) profile is attached to a virtual server with an HTTP profile when HTTP Strict Transport Security (HSTS) is enabled.
576305-7 : Potential MCPd leak in IPSEC SPD stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IPSEC SPD stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.
576123-3 : ASM policies are created as inactive policies on the peer device
Solution Article: K23221623
Component: Application Security Manager
Symptoms:
ASM policies are created as inactive policies on the peer device.
Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.
Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.
Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.
Fix:
This release fixes the ASM synchronization mechanism so that ASM policies are correctly created on the peer device.
575919-3 : Running concurrent TMSH instances can result in error in access to history file
Component: TMOS
Symptoms:
TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file.
Conditions:
Running multiple instances of TMSH can cause one instance to lock the history file while another is trying to access it, resulting in an error.
Impact:
Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued.
Workaround:
Only run a single instance of TMSH.
Fix:
Running concurrent TMSH instances no longer results in an error when accessing the history file.
575649-5 : MCPd might leak memory in IPFIX destination stats query
Component: TMOS
Symptoms:
MCPd might leak memory in IPFIX destination stats query.
Conditions:
In some cases, querying IPFIX destination stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.
575642-1 : rst_cause of "Internal error"
Component: Local Traffic Manager
Symptoms:
The rst_cause may be logged as "Internal error". An rst_cause of "Internal error" does not give a specific reason for the reset: it means that none of the other reset causes was matched, so the exact issue cannot be determined from this generic error.
Conditions:
Heavy/normal production network usage.
Impact:
System problem diagnosis is more difficult.
Workaround:
N/A
575629-3 : NTP vulnerability: CVE-2015-8139
Solution Article: K00329831
575591-6 : Potential MCPd leak in IKE message stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IKE message stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IKE message stats.
575589-5 : Potential MCPd leak in IKE event stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IKE event stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IKE event stats.
575587-7 : Potential MCPd leak in BWC policy class stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying BWC policy stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.
575444-1 : Wininfo agent incorrectly reports OS version on Windows 10 in some cases
Component: Access Policy Manager
Symptoms:
If Custom Dialer client is used to establish VPN, Wininfo agent incorrectly reports OS as Win8 on Microsoft Windows 10.
This could result in VPN establishment failure.
Conditions:
-- Custom Dialer client is used on Windows 10.
-- The access policy uses the Wininfo agent.
Impact:
VPN cannot be established.
Workaround:
None.
Fix:
Wininfo agent now correctly reports OS version when running Custom Dialer client on Microsoft Windows 10.
575176-1 : Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
Solution Article: K58275035
Component: TMOS
Symptoms:
In some scenarios UDP traffic can cause syncookie statistics to be incremented.
Conditions:
-- Virtual server with a fastL4 profile with ePVA offload enabled.
-- The virtual server handles UDP traffic.
Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.
Fix:
The BIG-IP system no longer increments SYN cookie cache statistics on ePVA-enabled devices for UDP traffic.
575170-2 : Analytics reports may not identify virtual servers correctly
Component: Application Visibility and Reporting
Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.
Conditions:
This occurs for virtual servers that are configured in one of these ways:
1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.
2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).
Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.
Workaround:
None.
Fix:
Virtual servers are now correctly identified, and the activity reported in the charts is attributed to the right virtual server.
575133-1 : asm_config_server_rpc_handler_async.pl SIGSEGV and core
Component: Application Security Manager
Symptoms:
asm_config_server_rpc_handler_async.pl crashes with SIGSEGV and produces a core.
Conditions:
Importing an ASM XML security policy.
Impact:
asm_config_server_rpc_handler_async.pl crashes with SIGSEGV and produces a core. This occurs after the policy import completes.
Workaround:
N/A
Fix:
asm_config_server_rpc_handler_async.pl no longer crashes when importing an ASM XML security policy.
575066-1 : Management DHCP settings do not take effect
Component: TMOS
Symptoms:
Modifications to /sys management-dhcp do not take effect.
Conditions:
Custom management-dhcp settings configured.
Impact:
DHCP for management interface does not function correctly.
Workaround:
Perform the following procedure:
1. Remount /usr to be read-write.
# mount -o rw,remount /usr
2. Edit the following file, which is a symlink into /usr.
# vi /defaults/config/templates/dhcp.tmpl
3. Change this line (around line 7) to add escaped quotes around the interface name:
print "interface \"$mgmt_interface\" {\n";
4. Remount /usr back to read-only.
# mount -o ro,remount /usr
5. Make a change to the list of DHCP requested options.
# tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { ntp-servers }
6. Verify that "eth0" is quoted in this file:
# grep interface /etc/dhclient.conf
interface "eth0" {
7. Create a symbolic link to dhclient.conf.
# cd /etc/dhcp
# ln -s ../dhclient.conf .
8. Restart DHCP on the management interface.
# tmsh modify sys global-settings mgmt-dhcp disabled
# tmsh modify sys global-settings mgmt-dhcp enabled
No system reboot should be necessary.
Fix:
Management DHCP settings now take effect as expected when custom management-dhcp settings are configured.
575027-1 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
Component: TMOS
Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.
Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)
Workaround:
Use untagged VLANs and hypervisor side tagging.
Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.
575011-1 : Memory leak. Nitrox3 Hang Detected.
Solution Article: K21137299
Component: Local Traffic Manager
Symptoms:
The system exhausts available memory because of a compression memory leak. Before memory runs out, the system repeatedly logs "Nitrox3 Hang Detected".
Conditions:
Compression device unavailable during creation of a new context.
Impact:
System can run out of memory.
Workaround:
Disable hardware compression using tmsh:
% tmsh modify sys db compression.strategy softwareonly
Fix:
Repaired memory leak.
574880-3 : Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
Component: Local Traffic Manager
Symptoms:
When a connection rate limit is set on a fastL4 virtual server, client connections hang with high probability.
Conditions:
Set Connection Rate Limit on a fastL4 virtual server.
Impact:
Client connections hang with high probability.
Workaround:
Do rate limiting using iRules.
https://devcentral.f5.com/articles/iruleology-table-based-rate-limiting
Fix:
Fixed Connection Rate Limiting on a fastL4 virtual server.
574526-1 : HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
Solution Article: K55542554
Component: Local Traffic Manager
Symptoms:
HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter.
Conditions:
HTTP/2 or SPDY is configured and the client request URI contains a '?' (question mark).
Impact:
No query parameter will be returned.
Workaround:
None.
Fix:
Issue fixed.
574052-4 : GTM autoconf can cause high CPU usage for gtmd
Component: Global Traffic Manager (DNS)
Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations, specifically in large configurations of LTM virtual servers whose names contain "." (dot).
Conditions:
In a large configuration of LTM virtual servers whose names contain ".", the names are converted ("." is replaced by "_") and the converted LTM VS name is saved to the config.
This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of virtual servers to find a match.
The problem is caused by large numbers of VSes on a single GTM Server object (10k VSes spread over 10k Server objects is less of an issue than 10k VSes on 1 GTM Server).
Impact:
CPU usage is high, which may impact monitoring and LB decisions.
Workaround:
There are some mitigations. The preferable ones (for performance and stability) are listed first.
1. Rename the virtual servers on the LTM to remove the ".". This requires deleting the GTM configuration, rediscovering it, and recreating pools.
2. Turn off autoconf. Run autoconf once to populate the config, then turn it off.
3. Reduce the frequency of autoconf. It will still cause a high CPU usage scenario, but it will be less frequent.
Versions 12.0.0 and higher do not convert the "." to "_", so that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they may still run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue; a reconfiguration is necessary.
Fix:
The algorithm used to match LTM VS names to GTM VS names has been changed to reduce the linear walk of all VSes on a server.
574020-5 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')
Component: Local Traffic Manager
Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').
Conditions:
This issue occurs when the following conditions are met:
-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').
Impact:
The script fails to work properly and does not install/configure the HSMs correctly, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which some user environments might not have.
Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).
Fix:
The Safenet HSM installation script now completes successfully if the partition password contains special metacharacters (!#{}').
Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.
573764-1 : In some cases, only the primary blade retains its statistics after upgrade on a multi-bladed system
Component: Application Visibility and Reporting
Symptoms:
Statistics from the primary blade remain after upgrade, but not from the other blades.
Conditions:
Upgrading to a new version on a multi-bladed system.
Impact:
Not all statistics are present after upgrade.
Workaround:
No workaround
573643-3 : flash.utils.Proxy functionality is not negotiated
Component: Access Policy Manager
Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.
Conditions:
Presence of flash.utils.Proxy descendants.
Impact:
Customer application malfunction.
Workaround:
None.
573611-1 : Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
Component: Access Policy Manager
Symptoms:
When a user session times out and the client subsequently attempts access using the expired session ID, APM may log a message at "err" level similar to this:
Aug 15 14:54:25 bigip.hostname err tmm[10206]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete, Line:
Conditions:
User is logged into APM and session times out.
Impact:
Error log messages may be confusing to BIG-IP APM administrators. The client is able to successfully reconnect.
Fix:
Erroneous messages of "Access encountered error: ERR_NOT_FOUND" are no longer logged in the APM log.
573602-1 : FQDN pool members not shown by tmsh show ltm monitor
Component: Local Traffic Manager
Symptoms:
The tmsh 'show ltm monitor <monitor-type>' command does not display the status of FQDN pool members.
Conditions:
-- LTM monitor is assigned to FQDN pool members (including FQDN members of an LTM pool to which the monitor is assigned).
-- Running the tmsh command: show ltm monitor <monitor-type>.
Impact:
Unable to view status of FQDN pool members via the tmsh 'show ltm monitor <monitor-type>' command.
Workaround:
There is no workaround at this time.
Fix:
The status of FQDN pool members is displayed by the tmsh 'show ltm monitor <monitor-type>' command. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
573584 : CPLD update success logs at the same error level as an update failure
Component: TMOS
Symptoms:
On booting after a successful CPLD update, you see an error in /var/log/ltm: "err chmand[4933]: 012a0003:3: CPLD not updated after previous power cycle."
Conditions:
This occurs during reboot after a successful firmware update.
Impact:
The message is logged as an error, but it actually means that the CPLD version is as it is expected to be. This error can be safely ignored.
Fix:
The "CPLD update not required" condition is now logged at the info level rather than the error level.
573366-4 : parking command used in the nesting script of clientside and serverside command can cause tmm core
Component: Local Traffic Manager
Symptoms:
tmm cores in configurations using certain iRules.
Conditions:
An iRule that parks the interpreter is used in the nested script of the clientside and serverside commands (e.g., when doing a table lookup).
For more information on iRule commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing, https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Move the parking command outside the nested script.
573343-1 : NTP vulnerability CVE-2015-8158
Solution Article: K01324833
573302-1 : FQDN pool member remains in disabled state after removing monitor
Component: Local Traffic Manager
Symptoms:
If an FQDN pool member has been disabled by a monitor (for example, after the monitor receives the configured recv-disable string from the node) and the monitor is then removed from the pool or member configuration, the FQDN pool member remains in a 'disabled' state (state and session-status are 'disabled') instead of changing to an 'unknown' state.
Conditions:
-- FQDN pool member is marked 'disabled' by a monitor.
-- The monitor is then removed.
Impact:
The FQDN pool member remains in a 'disabled' state and is unable to receive traffic.
Workaround:
There is no workaround at this time.
Fix:
When an FQDN pool member is marked 'disabled' by a monitor, then the monitor is removed, the FQDN pool member is updated to an 'unknown' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
573075-4 : ADAPT recursive loop when handling successive iRule events
Component: Service Provider
Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause 'ADAPT unexpected state transition'.
The adapt profile statistic 'records adapted' reaches a very high number as it counts every attempt.
Conditions:
-- A requestadapt or responseadapt profile is configured.
-- An iRule that parks is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event.
-- The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
-- Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.
Impact:
The connection is aborted with RST cause 'ADAPT unexpected state transition'.
The 'records adapted' statistic reaches a very high number.
Eventually the TMM crashes and the BIG-IP system fails over.
Workaround:
If possible, arrange the iRules to avoid the conditions above.
In particular, if there is no better way, the issue can be avoided by having an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.
Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the 'records adapted' statistic reports the correct number.
573031-1 : qkview may not collect certain configuration files in their entirety
Component: TMOS
Symptoms:
If the following files exceed 5M in size, they will be truncated when collected by qkview:
/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf
Conditions:
Any of the listed files exceeds 5 Mbytes.
Impact:
Fault diagnosis may be affected.
Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.
572885-1 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
ASM provisioned.
Device group w/ ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
572568-2 : Gy CCR-I requests are not being re-sent after the initially configured re-transmits
Component: Policy Enforcement Manager
Symptoms:
For the Gy interface, if the OCS does not respond to the initial set of CCR-I requests defined by the diameter-endpoint profile (1 + msg-max-retransmits <n>), a new set of CCR-I requests is not generated, even after the provisioning-pending timeout expires.
Conditions:
This issue happens only for the Gy interface, and only when the initial set of CCR-I requests does not receive a CCA response.
Impact:
The subscriber is left in the Idle state until the default quota is breached and the subscriber is brought down, or the subscriber can reconnect once the OCS CCA response is fixed.
Workaround:
Re-connect the subscriber once the CCA response is fixed in the OCS.
Fix:
The solution is to resend CCR-I requests once the provisioning timeout happens.
572558-1 : Internet Explorer: incorrect handling of document.write() to closed document
Component: Access Policy Manager
Symptoms:
An HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show an error on this page.
Conditions:
An HTML page with document.write() calls inside event handlers or other scripts executed after document loading.
Strings passed to the document.write() function contain HTML tags with URLs or other rewritable content in attributes.
Impact:
The HTML page is not shown at all or works incorrectly in Internet Explorer.
Workaround:
No workaround known.
Fix:
HTML pages with document.write() calls on a closed document are now handled correctly by Portal Access.
572281-5 : Variable value in the nested script of a foreach command gets reset when there is a parking command in the script
Component: Local Traffic Manager
Symptoms:
When there is a script like the following:
foreach a [list 1 2 3 4] {
set a 10
after 100
}
There is a parking command, after, in the script, and it runs after "set a 10". When the after command returns, the value of a goes back to the initial value set by the foreach, and the value of 10 is lost.
Conditions:
There is a parking command in the nested script of a foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962
Impact:
Variable values get reset.
Workaround:
Set (or set again) the variable value after the parking command.
Fix:
This will be fixed in a later release.
572272-5 : BIG-IP - Anonymous Certificate ID Enumeration
Solution Article: K65355492
572234-2 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
Component: Local Traffic Manager
Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.
Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.
The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.
The return route is a pool route.
The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.
Impact:
The traffic is sourced from the invalid Ethernet MAC address 00:98:76:54:32:10.
The iQuery connection cannot continue.
Workaround:
Increase the lasthop module's TCP idle timeout.
echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp
Fix:
TCP connections no longer emit packets that have a source MAC address of 00:98:76:54:32:10.
572133-5 : tmsh save /sys ucs command sends status messages to stderr
Component: TMOS
Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This is noticeable if you are watching stderr for error messages.
Conditions:
There are no special conditions; every time the command is run, it sends some status-type messages to stderr.
Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.
Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.
Fix:
The command will send the status messages to stdout.
571651-3 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.
Component: Local Traffic Manager
Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:
'n3-cryptoX request queue stuck'.
Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.
An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.
Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.
Workaround:
Disable crypto acceleration.
Fix:
The crypto accelerator is gracefully reset when the accelerator stalls due to a misconfigured request.
Note: This issue resolution is limited to SSL handshake issues, and is not a resolution for all possible causes of a 'queue stuck' event.
571634-1 : tmstat CPU values can be incorrect
Component: TMOS
Symptoms:
The CPU values returned by blades in a chassis may not be sorted correctly and so the returned values might appear confusing or invalid.
Conditions:
Retrieving values for a chassis using the following command: tmstat cpu.
Impact:
Incorrect reporting of TMM CPU utilization using tmstat command.
Workaround:
No workaround.
Fix:
Values are now properly sorted and maintained.
571095-1 : Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
Component: Local Traffic Manager
Symptoms:
If an FQDN pool member resolves to the same IP address (node) as a non-FQDN (static) pool member, and the FQDN pool/member is deleted, no further monitor probes are sent to the remaining non-FQDN (static) pool member.
Conditions:
This occurs if an FQDN pool member resolves to the same IP address (node) as an existing non-FQDN (static) pool member.
Impact:
Loss of health monitoring to remaining non-FQDN (static) pool member.
Workaround:
There is no workaround other than avoiding the creation of a static pool member with an IP address to which an FQDN name could resolve.
Fix:
An FQDN pool member and a static (non-FQDN) pool member can no longer be created with the same IP address, which prevents loss of monitoring of the static member if the conflicting FQDN pool member is deleted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
570818-4 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
Component: TMOS
Symptoms:
LTM IPsec IKEv2 does not support the dynamic remote-address CONFIG option, but might still process that information when it is sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure to establish the IPsec SA.
Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.
Impact:
Failure in establishing IPsec SA.
Workaround:
None.
Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.
570697-1 : NTP vulnerability CVE-2015-8138
Solution Article: K71245322
570667-2 : OpenSSL vulnerabilities
Solution Article: K64009378
570570-5 : Default crypto failure action is now 'go-offline-downlinks'.
Component: Local Traffic Manager
Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "none" or "failover". Now, the default behavior is "go-offline-downlinks".
(Note: You can find information on crypto accelerator fail-safe behavior in K16951: Overview of SSL hardware acceleration fail-safe :: https://support.f5.com/csp/article/K16951.)
Conditions:
Crypto accelerator encounters a failure and crypto.ha.action has not been changed from its default.
Impact:
If a hardware accelerator failed on a blade in a chassis, the system would failover, but if there was a second failover back to the chassis with the failed blade, SSL traffic might get dropped.
Workaround:
Set the db variable crypto.ha.action to your desired value.
Fix:
Previously, if a crypto accelerator encountered a failure, the default action was either 'none' or 'failover'. Now, the default behavior is 'go-offline-downlinks'.
Behavior Change:
The default value of the db variable crypto.ha.action has changed to 'go-offline-downlinks'. The only time this has an effect on the system is when a crypto accelerator fails. For a chassis, this value will cause the blade that had the failed crypto device to go offline, leaving the other blades to handle the load, while an appliance will failover to its standby peer. See https://support.f5.com/csp/article/K16951 for more details.
570277-1 : SafeNet client not able to establish session to all HSMs on all blades.
Solution Article: K16044231
Component: Local Traffic Manager
Symptoms:
SafeNet client not able to establish session to all HSMs on all blades.
Conditions:
When the BIG-IP chassis is used with SafeNet HSM high availability (HA) and the BIG-IP tmm interface is used.
Impact:
SafeNet HSM HA is not being used at its maximal capacity.
Workaround:
Restart pkcs11d to mitigate this issue.
Fix:
We have adjusted the startup timing of pkcs11d so that it waits until tmm initialization finishes. We also added retries for pkcs11d threads when connecting to the HSM.
570217-2 : BIG-IP APM now uses the Airwatch v2 API to retrieve device posture information
Component: Access Policy Manager
Symptoms:
Airwatch version 8.3 and above no longer use the v1 REST API. APM is not able to retrieve device information from Airwatch MDM version 8.3 and higher, and device posture checking in APM policies fails.
Conditions:
- Airwatch configured on APM
- Airwatch is upgraded to version 8.3 or higher
Impact:
BIG-IP APM is unable to retrieve device information and device posture check will fail.
Workaround:
n/a
Fix:
BIG-IP APM now utilizes the Airwatch v2 API to access device posture information.
Important: you must be using Airwatch release 8.3 and up because older releases do not support the v2 REST API end points.
570057-2 : Can't install more than 16 SafeNet HSMs in its HA group
Component: Local Traffic Manager
Symptoms:
With the installation script on the BIG-IP system, you cannot install more than 16 SafeNet HSMs in a high availability group with client software versions 5.2 and 5.4.
Conditions:
Attempt to install more than 16 SafeNet HSMs.
Impact:
Installer script failure.
Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.
Fix:
Updated the SafeNet installation scripts by replacing "vtl" with "lunacm" for high availability group creation and member-adding operations for version 6.2.
569814-2 : iRule "nexthop IP_ADDR" rejected by validator
Solution Article: K30240351
Component: Local Traffic Manager
Symptoms:
The nexthop command allows an administrator to specify a forwarding address in an iRule. The form that takes an IP address may be rejected by the validator with an error message of the form:
01070151:3: Rule [/Common/irule_example] error: Unable to find vlan, vlangroup or tunnel (10.0.0.1) referenced at line 2: [nexthop 10.0.0.1]
Conditions:
This occurs when the nexthop command contains only the IP address, for example:
when HTTP_REQUEST {
nexthop 10.0.0.1
}
Impact:
The iRule containing the 'nexthop IP_ADDR' command cannot be associated with a virtual server.
Workaround:
The 'nexthop VLAN IP_ADDR' form of the command does pass the validator. Choose the named vlan on which IP_ADDR can be reached. For example:
when HTTP_REQUEST {
nexthop internal 10.0.0.1
}
Fix:
Validator now allows 'nexthop IP_ADDR' in iRules.
569563-3 : Sockets resource leak after loading complex policy
Component: Access Policy Manager
Symptoms:
File descriptors used by apmd remain unclosed (TCP and UDP) after loading a complex access policy.
After some time, the APM process file descriptor table is exhausted and no more access policies are processed.
The following error messages may be observed in the logs:
err apmd[16013]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 86 Msg: epoll_create() failed [Too many open files].
Conditions:
This can happen at the initial stage after apmd starts, or later when policies are reloaded. Although this is not directly related to log-level, this problem is easier to observe when the access control log-level is Warning or lower (Notice, Info, Debug).
File descriptors leak (remain unclosed) after loading complex policies that contain many agents.
Impact:
The APM process is unable to create new sessions, leading to an inability to process access policy operations.
Workaround:
This can happen at the initial stage after apmd starts, or later when policies are reloaded.
Current preferred workaround is to set log level to ERROR or higher and restart apmd.
When a large number of file descriptors has already been observed, the only way to close them other than disabling logging is to raise log levels to ERROR or above, and then issue the following command:
bigstart restart apmd
Note 1: Do not use sys db variables to change log level for versions 12.0.0 and later.
Note 2: Double-check log levels using the following command: tmsh list apm log-setting all-properties
Note 3: Opened file descriptors do not close until apmd is restarted.
Note 4: When in doubt (about whether file descriptors are leaking), run the following command on the BIG-IP system:
lsof -p `pidof apmd` | grep TCP; lsof -p `pidof apmd` | grep UDP. This gives you the number of open files.
- Detailed steps to change logging-level to ERROR:
Step 1. Modify access control log level using the following command: tmsh modify apm log-setting all access modify { all { log-level { access-control err } } }
Step 2. Check the log levels using the following command: tmsh list apm log-setting all-properties
Step 3. Manually restart apmd using the following command: bigstart restart apmd
Fix:
Sockets are now closed properly, so there is no longer file descriptor leakage when loading or reloading complex access policies.
569542-1 : After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade★
Component: Access Policy Manager
Symptoms:
After upgrade, an existing user-created partition will not be able to load any existing hosted-content file or upload a new one.
The issue happens because the required APM Sandbox directory for this partition is missing after the upgrade.
01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_file_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Loading configuration process failed.
REPRODUCTION STEPS:
1) Before upgrade, create a partition (make sure APM is provisioned), say 'p1'.
2) Install the upgrade and reboot.
3) After upgrade, partition 'p1' is created but the required directory '/var/sam/www/webtop/sandbox/files_d/p1_d' is not created.
This can occur on upgrades from prior to 11.6.0 to 11.6.0 through 12.1.0.
Conditions:
Partition is created before the upgrade.
Impact:
Configuration load fails if the existing partition had any hosted-content file before upgrade. If it did not have any hosted-content file before upgrade, the configuration load will be successful, but the user cannot upload/create a new hosted-content file in this partition sandbox.
Workaround:
Manually create the required sandbox directory using the following bash command:
mkdir -p /var/sam/www/webtop/sandbox/files_d/p1_d
569467-5 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
Solution Article: K11772107
569355-1 : Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
Solution Article: K50118123
569316-1 : Core occurs on standby in MRF when routing to a route using a transport config
Component: Service Provider
Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.
Conditions:
Routing a message to a route that uses a transport-config to define how to create an outgoing connection.
Impact:
The standby device will core.
Workaround:
NA
Fix:
The fix properly initializes a field on the standby.
569309-3 : Clientside HTML parser does not recognize HTML event attributes without value
Component: Access Policy Manager
Symptoms:
Assignment of specific HTML content to tag.innerHTML might lead to a JavaScript error. This happens when one or more tags in the HTML text contain HTML event attributes without assigned values (such as <div onclick />).
Error messages similar to the following are logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference.
Conditions:
Dynamically created HTML page with event attributes without values, for example:
<div onclick />
Impact:
Web application does not work when accessed through Portal Access.
Workaround:
You can use a customized iRule to handle a specific application.
Fix:
Empty inline event handler attributes are now no longer rewritten on the client side.
569288-6 : Different LACP key may be used in different blades in a chassis system causing trunking failures
Component: Local Traffic Manager
Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to fail to aggregate with the peer switch.
Conditions:
This only happens in a chassis-based system when a certain race condition causes the trunk ID to be modified after initial trunk creation.
Impact:
Non-aggregated trunk members are unable to pass traffic.
Workaround:
Restart lacpd on all blades in the chassis by running the command "clsh bigstart restart lacpd".
569195-1 : A Set-Cookie for an existing ASM cookie without value change
Solution Article: K41874435
Component: Application Security Manager
Symptoms:
A Set-Cookie header appears for an ASM cookie (TS cookie) whose value has not changed, so the Set-Cookie is not needed.
Conditions:
-- Policy building is in automatic or manual mode.
-- Additional features may also cause TS cookie setting, but usually these will also include cookie changes.
Impact:
The unneeded cookie may disturb caching and cause additional unnecessary bandwidth consumption.
Workaround:
If possible, turn off the policy builder.
Fix:
An unneeded Set-Cookie for an ASM cookie is no longer issued.
569121-1 : Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
Component: Anomaly Detection Services
Symptoms:
If you have a large CMP configuration using Advanced Detection and rate limiting with a low rate limit applied, the per-core rate limit on attack traffic can end up being lower than the desired overall rate limit.
Conditions:
This was seen during internal testing with a large number of cores (3 blades / 24 cores) and a very low rate limit applied.
Impact:
Overall rate limit is lower than expected.
Fix:
Improvements were made to rate limiting in environments with a high number of tmms.
569100-1 : Virtual server using NTLM profile results in benign Tcl error
Component: TMOS
Symptoms:
Tcl error in /var/log/ltm.
Tcl error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP
Conditions:
Virtual server using the NTLM profile. Only logged when the first virtual server is created or when TMM restarts.
Impact:
If you are using TMSH to configure virtual server and NTLM profile, validation/constraint is not performed/enforced.
Workaround:
This is a benign, cosmetic error. There should be no functional impact to the system.
Fix:
Fixed the unexpected error message encountered and added validation when creating a virtual server with an NTLM profile.
568672-1 : Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
Component: TMOS
Symptoms:
After an SA goes down, 'show net ipsec traffic-selector' may report that the traffic-selector is up. The Web UI also reports up.
Conditions:
This occurs if a tunnel times out and goes to the down state.
Impact:
Confusion on the true state of the tunnel.
Workaround:
None needed.
Fix:
Now, when a tunnel times out and goes to the down state, the state is shown correctly.
568545-2 : iRules commands that refer to a transport-config will fail validation
Solution Article: K17124802
Component: Service Provider
Symptoms:
If an iRule command refers to a transport-config, the iRule fails validation even if the object exists.
Conditions:
-- iRule command refers to a transport-config.
-- iRule validation occurs.
Example:
create ltm pool p1 members add { 10.2.3.4:5060 }
create ltm message-routing sip transport-config tc1 profiles add { udp sipsession }
create ltm virtual vs1 destination 10.1.1.50:5060 profiles add { udp sipsession siprouter }
create ltm rule r1
ltm rule r1 {
when MR_INGRESS {
MR::message route config tc1 pool p1 <==command refers to tc1 which is a transport-config object
}
}
Impact:
Validation fails even though object exists. Unable to directly refer to a transport-config from an iRule command.
Workaround:
If the name of the transport-config is loaded into a Tcl variable, the Tcl variable can be used to refer to the transport-config object indirectly.
Fix:
iRule validation logic has been improved to check for the existence of a transport config object.
568543-4 : Syncookie mode is activated on wildcard virtuals
Component: Local Traffic Manager
Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.
Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.
Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.
Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.
Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (the previous maximum was 4093).
567743-2 : Possible gtmd crash under certain conditions.
Solution Article: K70663134
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd cores with a SIGSEGV due to a possible race condition.
Conditions:
Due to a possible race condition that occurs under certain conditions (such as a sync event), gtmd might core.
Impact:
This event could lead to an outage.
Workaround:
None.
Fix:
The system now correctly processes this condition so that no race condition occurs.
567546-1 : Files with file names larger than 100 characters are omitted from qkview
Component: TMOS
Symptoms:
If the filename of a file being gathered by qkview happens to be larger than 100 characters, the qkview will simply not include it.
Conditions:
No conditions necessary. Any file with a name larger than 100 characters is automatically omitted.
Impact:
Files with names larger than 100 characters are being omitted from the qkview. Since UNIX files can be 256 characters long, this potentially could omit important files that could help diagnose problems.
Workaround:
One would have to rename any files with names larger than 100 characters to names with less than 100 characters.
Fix:
Qkview was fixed to not use POSIX as the tar format, but instead to use the "GNU" format which allows for up to 256 characters (the system limit). The fixed program now allows any length of characters possible.
567457-2 : TMM may crash when changing the IKE peer config.
Component: TMOS
Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).
Conditions:
This occurs when making changes to IPsec tunnels that causes the configuration to become invalid. For example, changing ISAKMP phase1 from SHA-1 to MD5 results in an invalid configuration.
Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use tmsh to make the affected configuration changes; the crash occurs in the GUI only, and the tmsh 'create' command does not cause this core.
Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.
567330-1 : tmsh show sys memory on secondaries will generate innocuous error
Component: Local Traffic Manager
Symptoms:
The ltm log file contains these errors: err mcpd[9011]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).
Conditions:
This occurs when logged into secondary member of a cluster (VIPRION blade or vCMP guest) and running the command: tmsh show sys memory.
Impact:
The error indicates that the secondary member cannot display information that is only presented on a primary. This is a spurious error, and you can safely ignore it.
Workaround:
Ignore the specific error with this signature:
0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).
Fix:
The system no longer displays 'Data publisher not found or not implemented' messages when running the command tmsh show sys memory on a secondary member of a cluster (VIPRION blade or vCMP guest).
567233-1 : Multiple samba vulnerabilities
Solution Article: K92616530
567177-1 : Log all attempts of key export in ltm log
Component: TMOS
Symptoms:
Attempts to export keys are not logged.
Conditions:
-- Exporting keys.
-- Viewing ltm log.
Impact:
No messages logged to indicate the export attempts.
Workaround:
None.
Fix:
iControl:
======================
When any of the following iControl functions is called (either by the GUI or directly by a system user), the system logs it in ltm log. The log will include the iControl function name, key names, and BIG-IP user name.
key_export_to_file
key_export_to_pem
export_all_to_archive_stream
export_to_archive_stream
export_all_to_archive_file
export_to_archive_file
ltm logs example:
======================
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_file()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key, /Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_pem()
-- info iControlPortal.cgi[26687]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: keys (/Common/kc.key, /Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()
tmsh:
======================
The only possibility for using tmsh to export a key is saving a UCS file, so that will be logged.
ltm logs example:
======================
notice tmsh[21886]: 01420012:5: private key export: All keys are being exported by user "admin" via UCS saving.
GUI:
======================
There are 3 ways that a user can get key export from GUI:
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: default : Key Export
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: Archive...
-- System :: Archives :: New Archive...
These are internally implemented by using iControl and tmsh calls, so they will be automatically be logged in ltm log as iControl or tmsh users.
Behavior Change:
With this change, any attempt to export key will be logged in ltm log. Logged attempts include: save a UCS file, archive key files, or export key files, using tmsh/iControl/GUI.
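The messages above give a defender everything needed to alert on key material leaving the box: the user, the export path (iControl function or UCS save) and which keys were involved. The following is an added example, not F5 code, that parses those two message formats into structured events; the sample log lines are constructed from the formats quoted in this note, and the PIDs, key names and the unrelated sshd line are illustrative.

```python
"""Detect private key export events in BIG-IP ltm log lines.

Added example for this release note, not F5 code. It parses the iControl and
tmsh "private key export" message formats quoted above into structured
records so that a log pipeline can alert on them. The sample lines below are
constructed from those formats; PIDs and key names are illustrative.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three iControl exports, one tmsh UCS save, one unrelated line.
SAMPLE_LTM_LOG = (
    'info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/kc.key) '
    'in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_file()\n'
    'info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key, /Common/kc.key) '
    'in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_pem()\n'
    'info iControlPortal.cgi[26687]: Management: private key export: All keys '
    'in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_stream()\n'
    'notice tmsh[21886]: 01420012:5: private key export: All keys are being exported by user "admin" via UCS saving.\n'
    'notice sshd[2101]: Accepted publickey for admin from 192.0.2.10 port 51122\n'
)

# iControl form: "keys (a, b)" or "All keys", then the mode, user and function.
ICONTROL_RE = re.compile(
    r'iControlPortal\.cgi\[(?P<pid>\d+)\]: Management: private key export: '
    r'(?:keys \((?P<keys>[^)]*)\)|(?P<all>All keys)) in (?P<mode>\w+) mode '
    r'are being exported by user "(?P<user>[^"]+)" via (?P<func>KeyCertificate_impl::\w+)\(\)'
)
# tmsh form: only the UCS-save variant exists, and it always covers all keys.
TMSH_RE = re.compile(
    r'tmsh\[(?P<pid>\d+)\]: 01420012:5: private key export: '
    r'(?P<all>All keys) are being exported by user "(?P<user>[^"]+)" via (?P<func>UCS saving)\.'
)


@dataclass
class KeyExportEvent:
    source: str            # "iControl" or "tmsh"
    user: str
    path: str              # iControl function name, or "UCS saving" for tmsh
    all_keys: bool         # True when the export covers every key on the system
    keys: list = field(default_factory=list)

    def touches(self, key_name: str) -> bool:
        """True if this export includes key_name, explicitly or via an all-keys export."""
        return self.all_keys or key_name in self.keys


def parse_key_export(line: str):
    """Parse one ltm log line; return a KeyExportEvent, or None for unrelated lines."""
    for source, pattern in (("iControl", ICONTROL_RE), ("tmsh", TMSH_RE)):
        m = pattern.search(line)
        if m is None:
            continue
        explicit = m.groupdict().get("keys")
        keys = [k.strip() for k in explicit.split(",")] if explicit else []
        return KeyExportEvent(source=source, user=m.group("user"), path=m.group("func"),
                              all_keys=m.group("all") is not None, keys=keys)
    return None


def key_export_events(log_text: str):
    """All key export events in a block of ltm log text, in order."""
    return [ev for ev in map(parse_key_export, log_text.splitlines()) if ev is not None]


def exports_of_key(log_text: str, key_name: str):
    """Events that exported key_name, counting all-keys exports and UCS saves."""
    return [ev for ev in key_export_events(log_text) if ev.touches(key_name)]


def export_counts_by_user(log_text: str):
    """Per-user count of export events, the figure an alert threshold would use."""
    counts = {}
    for ev in key_export_events(log_text):
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in key_export_events(SAMPLE_LTM_LOG):
        print(f"{ev.source:8} user={ev.user} via={ev.path} all={ev.all_keys} keys={ev.keys}")
    print(export_counts_by_user(SAMPLE_LTM_LOG))
```

A UCS save is a legitimate daily operation on many systems, so the useful alert is usually not "any export" but an export by an unexpected user, an iControl export outside a change window, or any event that touches a key you consider sensitive; exports_of_key gives you that per-key view, including the all-keys paths that would otherwise hide it.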
566576-6 : ICAP/OneConnect reuses connection while previous response is in progress
Component: Service Provider
Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.
Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.
Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.
Workaround:
Remove OneConnect.
Fix:
Big-IP with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.
566507-4 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
Component: TMOS
Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.
Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.
Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.
Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.
Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.
566342 : Cannot set 10T-FD or 10T-HD on management port
Component: Local Traffic Manager
Symptoms:
When setting the B4450 or B4300 mgmt port to 10T-FD or 10T-HD, there is no link LED. However, the peer unit shows the correct link LED for this setting.
Conditions:
B4450 or B4300 blade, and you want to set the 10T-FD or 10T-HD media type.
Impact:
Unable to set this media type.
Fix:
The management port of B4450 and B4300 blades can now be configured with 10T-FD or 10T-HD.
566071-5 : network-HSM may not be operational on secondary slots of a standby chassis.
Component: Local Traffic Manager
Symptoms:
pkcs11d may not be running on secondary slots of a chassis.
Conditions:
This might occur when the following conditions are true:
1. Network-HSM installed on BIG-IP chassis.
2. Chassis is in standby state OR Secondary slots do not have management IP configured.
Impact:
If SSL profiles are configured with keys of security-type 'nethsm' when the specified conditions are true, traffic for such profiles will fail when the affected slots process traffic.
Workaround:
Manually install netHSM on each secondary slot.
Fix:
netHSM install no longer depends on management IP of secondary slots and also successfully installs on slots of a standby chassis.
565895-1 : Multiple PCRE Vulnerabilities
Solution Article: K17235
565799-4 : CPU Usage increases when using masquerade addresses
Component: Local Traffic Manager
Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.
Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.
Impact:
Possible performance degradation or reduction in capacity
Fix:
Performance of masquerade address checks is restored.
565347-2 : Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
Component: Access Policy Manager
Symptoms:
Rewrite engine behaves improperly in case of AS2 SWF with a string in 'push' instruction longer than the instruction length itself.
Conditions:
Any AS2 SWF with a string in 'push' instruction longer than the instruction length.
Impact:
Rewrite coredump.
Workaround:
This can be worked around by adding a Portal Access profile resource item with Flash patcher turned off for the improper SWF content.
Fix:
Completely fixed.
565137 : Pool licensing fails in some KVM/OpenStack environments.
Solution Article: K12372003
Component: TMOS
Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts errors such as the following:
-- In /var/log/ltm: Dossier error 16.
-- In /var/log/restjavad: Dossier validation failed. error code: 5.
Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.
Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.
Workaround:
There is no workaround.
Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.
564876-2 : New DB variable log.lsn.comma changes CGNAT logs to CSV format
Component: Carrier-Grade NAT
Symptoms:
New CSV format that does not use quotes as delimiters was not present prior to 12.1.2.
Conditions:
Setting the DB variable log.lsn.comma
Impact:
More control of logging format via the DB variable log.lsn.comma
Workaround:
N/A
Fix:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.
Behavior Change:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.
564771-1 : cron sends purge_mysql_logs.pl email error on LTM-only device
Component: TMOS
Symptoms:
On a device provisioned with LTM only, cron may log or send an email containing the following perl error:
/etc/cron.hourly/purge_mysql_logs.pl:
Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27
This script was only intended to be run with AM, ASM, or PSM provisioned, and it generates an error if none of them is.
Conditions:
Any device with AM, ASM, and PSM not provisioned. LTM-only devices are impacted.
Impact:
If cron can send email, it will send the perl error in the email once per hour.
564522-2 : cron is configured with MAILTO=root but mailhost defaults to 'mail'
Solution Article: K40547220
Component: TMOS
Symptoms:
The crontab and ssmtp configuration environment is MAILTO="", which means no email, and it is difficult to find where the email went.
Conditions:
This exists in the default crontab and ssmtp configurations.
Impact:
- You may receive unexpected messages addressed to "root" at a host named "mail" on your network
OR
- You may encounter messages similar to the following in /var/log/maillog:
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Unable to connect to "mail" port 25.
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Cannot open mail:25
Workaround:
Change outbound-smtp mailhub to localhost with tmsh:
tmsh modify /sys outbound-smtp mailhub localhost
Fix:
Default mailhub has been changed to localhost. Starting in 12.0.0, MAILTO is set to root instead of "" in /etc/crontab so that the output of cron jobs can be captured. However, ssmtp is configured by default with a mailhost of 'mail', which may result in either error messages logged to /var/log/maillog or unexpected messages received on another system.
564324-2 : ASM scripts can break applications
Component: Application Security Manager
Symptoms:
ASM originated scripts are injected into places where they are not supposed to be, causing the script not to work and/or the application to break.
Conditions:
ASM is in front of a single page application, where injection is possible only for the main page.
ASM has the CSRF or web scraping feature enabled.
Impact:
The application malfunctions and shows JavaScript errors.
Workaround:
Turn off the relevant feature that causes the injection.
564281-3 : TMM (debug) assert seen during Failover with Gy
Component: Policy Enforcement Manager
Symptoms:
When using the debug version of the tmm, HA fail over may cause the tmm to assert when Gy is configured.
Conditions:
Using PEM and Gy is configured.
Impact:
The TMM (debug version) may core and restart, resetting all connections.
Workaround:
Do not use the debug tmm with Gy.
Fix:
This debug assert has been changed to a debug log message.
564058-1 : AutoDoS daemon aborts intermittently after it's being up for several days
Solution Article: K91467162
Component: Advanced Firewall Manager
Symptoms:
AutoDoS daemon aborts intermittently when accessing session db api for memcache interface.
Conditions:
This happens in the control plane AutoDoS daemon. This is an intermittent issue that occurs on a few platforms under specific stress testing.
Impact:
Core will be seen, but the daemon will restart, and there is no loss of state.
Workaround:
No workaround.
Fix:
AutoDoS daemon no longer aborts intermittently when accessing session db api for memcache interface.
563933-4 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
Component: Local Traffic Manager
Symptoms:
A and AAAA RRsets in the additional section are dropped.
Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.
Impact:
Failure to include the additional RRs results in additional lookups by the client, which could be glue records for a resolver.
Workaround:
Set dns64-additional-section-rewrite to 'any'.
Fix:
v4-only and v6-only options work as expected. Note that DNS64 prefix operations occur after all other DNS processing blocks -- including GTM.
563905-2 : Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Component: TMOS
Symptoms:
Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on one or more Secondary blades.
Entries similar to the following example are visible in the /var/log/ltm file:
err mcpd[10724]: 01070920:3: Application error for confpp: STDERR/STDOUT text begins Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: STDERR/STDOUT text ends ************************************************************* Nov 20 22:07:22 bigip1 confpp[20403]: reconfig command FAILURE for unix_config_syslog returned: '/etc/init.d/syslog-ng restart 2>&1' Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: [ OK ]
err mcpd[10724]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070920:3: Application error for confpp: STDERR/STDOUT text begins Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: STDERR/STDOUT text ends ************************************************************* Nov 20 22:07:22 bigip1 confpp[20403]: reconfig command FAILURE for unix_config_syslog returned: '/etc/init.d/syslog-ng restart 2>&1' Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: [ OK ]
Conditions:
-- Multi-blade VIPRION system or vCMP guest.
-- The system is rebooted.
Impact:
The blades that encounter this issue take longer to become operational, as they undergo an unnecessary MCPD restart.
Workaround:
None.
Fix:
Multi-blade systems that are rebooted no longer experience unnecessary MCPD restarts.
563727-1 : Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
Component: Application Security Manager
Symptoms:
A GET request without payload but with payload indication doesn't issue the body in get violation.
Conditions:
A Get request without payload arrives.
The request has a 'transfer-encoding: chunked' header although there is no payload.
Impact:
A suspicious request goes by undetected.
Workaround:
Add an iRule that removes this header from the ASM and issues a custom violation.
Fix:
A GET request without payload but with 'transfer-encoding: chunked' will issue the body in GET sub violation.
563661-2 : Datastor may crash
Component: TMOS
Symptoms:
In rare cases, datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.
Conditions:
WAM provisioned and enabled.
Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This issue has been fixed.
563592 : Content diagnostics and LCD
Component: TMOS
Symptoms:
While running platform_check, you notice this on the LCD:
F5 LCD Server
Clients: 0
Screens: 0
Conditions:
This occurs when running platform_check after running bigstart stop
Impact:
This is cosmetic, the LCD does not indicate that it is in diagnostic mode.
Fix:
When the LCD is unable to communicate with BIG-IP, such as during shutdown or platform_check, the LCD now displays the following:
F5 LCD Server
Host inaccessible or
in diagnostic mode
563135-3 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
Component: Access Policy Manager
Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.
Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request
Impact:
The first request after authentication will fail.
Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.
562928-2 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
Component: TMOS
Symptoms:
Certain curl connections with the '--local-port' option sometimes fail over IPsec tunnels when the connection.vlankeyed db variable is disabled, with the error 'curl: (7) couldn't connect to host'.
Conditions:
Using the curl command with the '--local-port' option causes the connections to fail on the BIG-IP system.
Impact:
TCP connections do not complete the three way handshake and traffic does not pass.
Workaround:
Disabling 'cmp' option in virtual server secures the traffic over IPsec tunnels.
Fix:
Using the curl command with the '--local-port' option no longer causes the connections to fail on the BIG-IP system.
562921-4 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered unsecure.
Conditions:
The value is hardcoded into the product.
Note: This is completely independent of the TMM profiles or the httpd cipher values.
Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an unsecure cipher.
Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.
Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"
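A cipher string like the one above is only as good as what the linked OpenSSL resolves it to, which is exactly what a scanner checks. The following is an added example, not F5 code, that resolves the quoted iQuery list through Python's ssl module and reports the properties a scanner would flag (3DES, RC4, AES-128, SHA1 MACs). The set of names returned depends on the OpenSSL build behind Python; TLS 1.3 suites are fixed by OpenSSL rather than chosen by this string, so they are excluded from the audit.

```python
"""Audit what an OpenSSL cipher string resolves to on this build.

Added example, not F5 code. It feeds the iQuery cipher list quoted in the
release note to the local OpenSSL via Python's ssl module and checks the
properties a vulnerability scanner would report: 3DES, RC4, AES-128 and
SHA1-MAC suites. The exact names depend on the OpenSSL version linked into
Python. TLS 1.3 suites are not governed by this string and are skipped.
"""
import ssl

# Cipher list quoted in the release note for the fixed iQuery behaviour.
IQUERY_CIPHER_LIST = "AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"


def resolve_ciphers(cipher_string: str):
    """Names of the TLS 1.2-and-below cipher suites the string selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)           # raises ssl.SSLError if nothing can be selected
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string: str):
    """Return (selected names, findings) where findings lists suites a scanner would flag."""
    names = resolve_ciphers(cipher_string)
    findings = {
        "triple_des": [n for n in names if "DES" in n],       # DES-CBC3-SHA and friends
        "rc4": [n for n in names if "RC4" in n],
        "aes128": [n for n in names if "AES128" in n],
        "sha1_mac": [n for n in names if n.endswith("-SHA")],  # SHA1 HMAC suites
    }
    return names, findings


def is_clean(findings) -> bool:
    """Clean means no 3DES, no RC4, no AES-128, and at most the single re-added SHA1 suite."""
    return (not findings["triple_des"] and not findings["rc4"]
            and not findings["aes128"] and set(findings["sha1_mac"]) <= {"AES256-SHA"})


if __name__ == "__main__":
    names, findings = audit_cipher_string(IQUERY_CIPHER_LIST)
    print("selected:", ", ".join(names))
    for category, hits in findings.items():
        print(f"{category:10} {hits if hits else '-'}")
    print("clean:", is_clean(findings))
```

The "-SHA1:AES256-SHA" tail is the interesting part to verify: "-" removes every SHA1-MAC suite from the list, and the trailing "AES256-SHA" adds exactly one of them back, so a correct resolution shows AES256-SHA as the only "-SHA" name (or none at all if the build has dropped it). If the audit on your system shows anything else, the string is not being interpreted the way the note describes.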
562636-2 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
Solution Article: K05489319
Component: Access Policy Manager
Symptoms:
When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages, because their unique parameter renders caching ineffective.
Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.
Impact:
A memory leak in the TMM.
Workaround:
None (when the triggering conditions are encountered).
Fix:
This release corrects the possible memory exhaustion issue in access end-user interface pages for transparent proxy/SWG cases.
562267-3 : FQDN nodes do not support monitor alias destinations.
Component: Local Traffic Manager
Symptoms:
FQDN nodes do not support monitor alias destinations.
Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.
Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.
Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.
Fix:
FQDN nodes now support monitor alias destinations.
561892-2 : Kerberos cache is not cleared when Administrator password is changed in AAA AD Server
Solution Article: K08121752
Component: Access Policy Manager
Symptoms:
BIG-IP Administrator's password is changed and AD Query fails.
Conditions:
-- Administrator's password is changed for AAA AD Server.
-- Access policy applied.
Impact:
AD Query fails.
Workaround:
Remove Kerberos cache files (krb5cc_0 and krb5cc_1) manually in /var/run/apmd/krb5cc/ and all subdirectories.
Fix:
Kerberos cache is removed by apmd, if the administrator's password is changed and an access policy is applied.
561500-4 : ICAP Parsing improvement
Component: Service Provider
Symptoms:
If a malformed ICAP message is sent to the Big-IP the ICAP parser can enter a state where it consumes an increasing amount of CPU and memory.
Conditions:
A request-adapt or response-adapt profile is configured.
An ICAP message is received from an ICAP server lacking "ICAP/1.0" as initial header line.
Impact:
Memory and CPU usage increase.
Eventually the TMM may crash causing Big-IP fail-over.
Fix:
ICAP parser checks for correct initial ICAP/1.0 header line and rejects message if missing.
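The failure mode described in this note (a parser that keeps waiting for more data and rescanning the whole buffer) is avoided by deciding as early as possible and bounding what is buffered. The following is an added example, not F5 code, of a bounded ICAP response header parser that rejects a message as soon as its first bytes cannot be an "ICAP/1.0" status line (RFC 3507 section 4.3), and that also rejects an unterminated header block once it exceeds a cap; the cap value and the sample messages are constructed for the example.

```python
"""Bounded ICAP response header parsing.

Added example, not F5 code. It shows the check the release note describes:
an ICAP response must begin with an "ICAP/1.0" status line, and a parser
that rejects anything else up front, and caps the header size, cannot be
driven into a wait-and-rescan loop. The header cap and the sample messages
are constructed for this example.
"""
import re

ICAP_PREFIX = b"ICAP/1.0 "
STATUS_LINE_RE = re.compile(rb"^ICAP/1\.0 (\d{3}) [^\r\n]*\r\n")
MAX_HEADER_BYTES = 8192   # assumed cap: an unterminated header block larger than this is rejected


def parse_icap_response_head(buf: bytes):
    """Classify the bytes received so far from an ICAP server.

    Returns (state, status_code, headers, consumed). state is "reject",
    "need_more" or "ok"; only "ok" carries a status code and headers, and
    consumed is the size of the header block so the caller knows where the
    encapsulated body begins.
    """
    # Decide early: if the bytes seen so far already diverge from "ICAP/1.0 ",
    # no further data can make this a valid response, so reject now instead
    # of buffering more and rescanning.
    if not ICAP_PREFIX.startswith(buf[:len(ICAP_PREFIX)]):
        return ("reject", None, {}, 0)

    end = buf.find(b"\r\n\r\n")
    if end < 0:
        # No end of headers yet; keep waiting only while the buffer is bounded.
        if len(buf) > MAX_HEADER_BYTES:
            return ("reject", None, {}, 0)
        return ("need_more", None, {}, 0)

    block = buf[:end + 2]                  # header block, including the CRLF ending its last line
    m = STATUS_LINE_RE.match(block)
    if m is None:
        return ("reject", None, {}, 0)     # "ICAP/1.0 " followed by something that is not a status

    headers = {}
    for raw in block[m.end():].split(b"\r\n"):
        if not raw:
            continue
        name, sep, value = raw.partition(b":")
        if not sep or not name.strip():
            return ("reject", None, {}, 0)  # header line without "name: value" shape
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return ("ok", int(m.group(1)), headers, end + 4)


def classify_stream(chunks):
    """Feed chunks as they arrive; return (decision, bytes buffered when it was reached)."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        state, _code, _headers, _consumed = parse_icap_response_head(buf)
        if state != "need_more":
            return state, len(buf)
    return "need_more", len(buf)


if __name__ == "__main__":
    good = b'ICAP/1.0 200 OK\r\nISTag: "W3E4R7U9"\r\nEncapsulated: res-hdr=0, res-body=120\r\n\r\n'
    print(parse_icap_response_head(good))
    # A server answering with HTTP instead of ICAP is rejected on the first chunk,
    # before the 5000 bytes that follow are ever buffered.
    print(classify_stream([b"HTTP/1.1 200 OK\r\n", b"x" * 5000]))
```

The two bounds matter together: the prefix check handles the case in this note (a message lacking the ICAP/1.0 start line), and the size cap handles a server that does start correctly but never terminates its headers, which would otherwise produce the same unbounded growth.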
561444-1 : LCD might display incorrect output.
Component: TMOS
Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.
Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.
Impact:
LCD may display incorrect data.
Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.
Fix:
The issue allowing garbled messages between the front panel display daemon (fpdd) and the LCD daemon (LCDd) is now prevented from happening.
561348-7 : krb5.conf file is not synchronized between blades and not backed up
Component: Access Policy Manager
Symptoms:
krb5.conf file is not in sync across all blades.
This may cause a feature (Kerberos SSO / Kerberos Auth) not to work as expected.
Conditions:
When an administrator makes changes to the krb5.conf file manually, the configuration file is not synchronized to all blades, or is lost upon upgrade.
Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.
Workaround:
None.
Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the Failover Device group. Any change made to this file on either the Active or the Standby device is automatically synced to the other device.
In a chassis, all Secondary blades mirror the file on the Primary blade. Any manual change made on a Secondary blade is lost. The admin must make the changes on the Primary blade only, and they are synchronized to all other blades.
Behavior Change:
When an admin modifies the /etc/krb5.conf file, the changes are automatically updated on the other devices in the same Failover Device group.
When an admin modifies the /etc/krb5.conf file on the primary blade of a chassis, the changes are automatically updated on all secondary blades.
560471-1 : Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
Component: Local Traffic Manager
Symptoms:
Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down.
Conditions:
Changing the monitor configuration of a pool. For example:
tmsh modify ltm pool http-pool monitor http and tcp
tmsh modify ltm pool http-pool monitor min 1 of { http tcp }
Impact:
Virtual server may be incorrectly marked down, when it should not be.
Fix:
Changing the monitor configuration of a pool no longer causes the virtual server to be marked as down.
560114-6 : Monpd is being affected by an I/O issue which makes some of its threads freeze
Component: Application Visibility and Reporting
Symptoms:
When Monpd is restarted, it starts printing non-stop error message to logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature - err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T
Conditions:
A system I/O issue (maybe caused by /var/log being full).
Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.
Workaround:
Run the following:
find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd
560109-7 : Client capabilities failure
Solution Article: K19430431
559980-1 : Change console baud rate requires reboot to take effect
Component: TMOS
Symptoms:
When you change the console baud rate, you will see garbage characters.
Conditions:
When you make modification to the console baud rate.
Impact:
The console display has garbage characters.
Workaround:
Reboot the system.
Fix:
Console baud rate change now works.
559953-1 : tmm core on long DIAMETER::host value
Component: Service Provider
Symptoms:
tmm crashes and restarts when an iRule is accessed that contains a large DIAMETER::host value.
Conditions:
This occurs with a DIAMETER::host iRule parameter set to a very large value (2000 characters).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Limit the length of the DIAMETER::host parameter to less than 1000 characters.
Fix:
BIG-IP now limits the DIAMETER::host parameter to 1000 characters.
559837-4 : Misleading error message in catalina.out when listing certificates.
Component: TMOS
Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.
java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].
Conditions:
This occurs when listing certificates, and exceptions are returned.
Impact:
1. Throws table creation exceptions when randomly generated table name contains invalid character ('-').
2. Misleading 'Table not found' message in catalina.out.
Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.
Fix:
The randomly generated temporary table name could contain an invalid character ('-'), which caused table-creation exceptions when listing certificates; the GUI then logged the misleading 'Table not found' message in catalina.out. This has been fixed.
559655 : Post RMA, system does not display correct platform name regardless of license
Component: TMOS
Symptoms:
The platform name a system reports reflects how the unit was manufactured and first licensed, not the license you apply to it afterwards. For example, if you are licensed for a 4000 and the RMA replacement unit was manufactured and licensed as a 4200, the replacement reports a different platform than the hardware it replaces, regardless of the license you install.
Conditions:
Take a 4000 from manufacturing, license it as a 4200, then wipe and rebuild the system and license it as a 4000: 'tmsh show sys hardware' and the device group still report it as a 4200.
Likewise, a 4200 from manufacturing that is licensed as a 4000 still reports itself as a 4200.
Affected platforms:
2000/2200, 4000/4200, 5000/5200, 7000/7200, 10000/10200
Impact:
Confusion as to what the actual platform is
559080-5 : High Speed Logging to specific destinations stops from individual TMMs
Component: TMOS
Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.
Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.
Impact:
Logs are silently lost.
Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.
Fix:
The system now resets the expire timer when it initiates the close. If the server fails to reset or complete the close, the flow is aborted on the next expiration event.
559030-1 : TMM may core during ILX RPC activity if a connflow closes before the RPC returns
Solution Article: K65244513
Component: Local Traffic Manager
Symptoms:
TMM core with plugin context refcount error.
Conditions:
-- Using ILX RPC calls.
-- Connflow closes before the RPC returns.
Note: Most likely to occur when using a low-end unit or virtual edition configuration.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
ILX plugin timeout no longer causes TMM core.
559001-1 : Unable to clear LCD messages and Alarm LED state on non-iSeries platforms
Component: TMOS
Symptoms:
You cannot clear alert messages shown on the LCD display from the TMOS console.
In addition, the Alarm LED may continue to reflect an elevated alert status (by displaying a steady or blinking Red or Amber state) after LCD alert messages are cleared.
Conditions:
-- This may occur when BIG-IP system is running on hardware platforms other than iSeries appliances.
-- Specifically, affected platforms include:
+ VIPRION B4200, B4300-series, B4400-series blades
+ VIPRION C4400, C4480, C4800 chassis
+ VIPRION B2100, B2150, B2250 blades
+ VIPRION C2400, C2200 chassis
+ BIG-IP 2000-series, 4000-series, 5000-series, 7000-series, 10000-series, 12000-series appliances
+ BIG-IP 800, 1600, 1600 LC, 3600, 3900, 6900-series, 8900-series, 11000-series appliances
+ EM 4000 appliances
-- Using the following commands to clear alerts from the LCD display or reset the Alarm LED:
tmsh reset-stats sys alert lcd
lcdwarn -c <level> [<blade>]
Impact:
The alarm state does not clear. The Alarm LED may indicate a previous alert state that has been acknowledged/cleared and is no longer accurate.
Workaround:
It may be possible to work around this issue using either of the following procedures:
-- Clear the LCD alert messages by pressing the appropriate buttons on the front panel LCD display itself.
-- Restart the fpdd daemon:
bigstart restart fpdd
Otherwise, rebooting the BIG-IP system restores the correct LED states.
Fix:
Clearing LCD alert messages from the TMOS console successfully clears alert messages from the LCD display and restores the Alarm LED to the correct status.
557680-4 : Fast successive MTU changes to IPsec tunnel interface crashes TMM
Component: TMOS
Symptoms:
When the MTU attribute of an IPsec tunnel interface is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.
Conditions:
The issue occurs when the attributes of an IPsec tunnel interface are modified quickly and repeatedly.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change IPsec tunnel interface attributes slowly enough that each configuration modification completes before the next one is made.
Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).
557471-3 : LTM Policy statistics showing zeros in GUI
Component: TMOS
Symptoms:
Statistics for LTM Policies, e.g., the total count of policy action invocations and number of successful policy action invocations, are not being updated in the GUI. The GUI shows zeros for both of these stats for every LTM Policy.
Conditions:
Occurs under all conditions.
Impact:
Through the GUI, Administrators cannot see invocation counts for general troubleshooting or to determine which policies are being used.
Workaround:
To work around this issue, you can use the tmsh utility to view BIG-IP LTM traffic policy statistics.
To retrieve stats for all policies, run the following command:
# tmsh show ltm policy
To retrieve stats for a specific policy, run the following command:
# tmsh show ltm policy <policy-name>
Fix:
LTM Policy statistics now show the correct values in the GUI.
557434-4 : After setting a Last Resort Pool on a Wide IP, cannot reset back to None
Component: Global Traffic Manager (DNS)
Symptoms:
After configuring a wide IP with a Last Resort Pool set to something other than None, you can no longer change the Last Resort Pool back to None.
Conditions:
Last Resort Pool is set to something other than None.
Impact:
There is no None option in TMSH or GUI.
Workaround:
Setting the pool name to an empty string via tmsh sets the Last Resort Pool to None.
For example (the pool name that follows the pool type 'a' is the empty string):
modify gtm wideip a wip.f5.com last-resort-pool a
Fix:
None options added to tmsh and GUI.
557411-1 : Full Webtop resources appear overlapping in IE11 compatibility mode
Component: Access Policy Manager
Symptoms:
Full Webtop resources appear overlapping each other in MSIE 11 in compatibility mode.
Conditions:
MSIE 11 in compatibility mode, with a Full Webtop in use.
Impact:
Everything is working but the icons overlap.
Workaround:
1. Modify the advanced customization of apm.css:
#webtop_favorites_inner_container span.favorite span.caption{
...
<? if( $_GET['ctype'] == 'IE' && $_GET['cversion'] < 9){ ?>
zoom: 1;
<? }elseif( $_GET['ctype'] == 'IE' && $_GET['cversion'] == 11){ ?>
zoom: 0;
<? } ?>
}
2. Alternatively, use an iRule that changes apm.css to:
#webtop_favorites_inner_container SPAN.favorite SPAN.caption {
...
zoom: 1; /* <--- set to 0 if MSIE 11 is in compatibility mode */
}
Fix:
Full Webtop resources no longer overlap in MSIE 11 compatibility mode.
557358-5 : TMM SIGSEGV and crash when memory allocation fails.
Component: Local Traffic Manager
Symptoms:
TMM SIGSEGV and crash when memory allocation fails.
Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.
Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.
Workaround:
None known at this time.
Fix:
TMM SIGSEGV and crash no longer occur when memory allocation fails due to a command attempting to remove the connection for removal from the SSL queue a second time.
557322-1 : Sensitive monitor parameters recorded in bigd and monitor logs
Component: Local Traffic Manager
Symptoms:
When bigd debug logging is enabled, the resulting bigd debug log may contain sensitive parameters from the monitor configuration.
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration.
In each case, the monitor parameters logged may include:
- user-account password
- radius/diameter secret
- snmp community string
Conditions:
This may occur under either of the following conditions:
1. bigd debug logging is enabled:
tmsh modify sys db bigd.debug value enabled
2. Monitor instance logging is enabled for one of the following LTM monitor types:
ftp
imap
pop3
smtp
Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the bigd debug log (/var/log/bigdlog) or in the monitor instance logs under /var/log/monitors.
Workaround:
1. Do not enable bigd debug logging.
2. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.
3. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
Fix:
The password, community and secret parameters will now be redacted by bigd and Tcl monitors when debugging is enabled.
Behavior Change:
The password, community and secret parameters will now be redacted by bigd and Tcl monitors when debugging is enabled.
bigd will no longer log all of the monitor parameters every time that a Tcl monitor is scheduled and bigd debugging is enabled unless logging is specifically enabled for the monitor instance (e.g. a pool member has "logging enabled").
The Tcl worker process will no longer log all of the parameters of a monitor when the monitor is run and bigd debugging is enabled. If parameters information is needed for debugging purposes, this should be handled specifically in the Tcl monitor script.
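The following is an added example, not part of this release note and not F5's code, of the check a practitioner can run on a system that does not yet have this fix: it scans a bigd or monitor log file for the three sensitive parameters listed above and prints any hits with the values masked, so the audit output itself does not repeat the secret. The log lines it uses are constructed for the example; the real bigd debug and monitor instance log formats are not shown on this page, and the script assumes the parameters appear as space-separated key=value pairs keyed password, secret or community.

```bash
#!/bin/bash
# Added example (not from the release note): audit BIG-IP monitor logs for
# the sensitive monitor parameters that bug 557322 could leave in clear text.
# Assumption (not stated on the page): parameters appear in the log lines as
# space-separated key=value pairs, keyed password, secret or community.
set -u

SENSITIVE_RE='(^|[[:space:]])(password|secret|community)=[^[:space:]]+'

# Print the number of lines in a log file that expose a sensitive parameter.
count_exposed() {
    grep -Ec "$SENSITIVE_RE" "$1" || true
}

# Print every exposing line with the secret value masked, so the audit
# output can be shared without repeating the secret. Always returns 0.
audit_monitor_log() {
    grep -E "$SENSITIVE_RE" "$1" \
        | sed -E 's/((password|secret|community)=)[^[:space:]]+/\1<redacted>/g'
    return 0
}

# Write a constructed sample log (not real BIG-IP output) and print its path.
make_sample_log() {
    local f
    f=$(mktemp)
    printf '%s\n' \
        'Jan 01 00:00:00 bigd[1234]: /Common/ftp_mon user=probe password=S3cret! host=10.0.0.5' \
        'Jan 01 00:00:01 bigd[1234]: /Common/snmp_mon community=public host=10.0.0.6' \
        'Jan 01 00:00:02 bigd[1234]: /Common/http_mon send=GET / recv=200 host=10.0.0.7' \
        > "$f"
    printf '%s\n' "$f"
}

# Demo on the constructed sample. On a BIG-IP you would instead run
# audit_monitor_log against /var/log/bigdlog and each file in /var/log/monitors.
sample=$(make_sample_log)
echo "exposed lines: $(count_exposed "$sample")"
audit_monitor_log "$sample"
rm -f "$sample"
```

Before scanning, confirm the logging that causes the exposure is off again ('tmsh list sys db bigd.debug' should show the default value), and treat any file the audit flags as a file to remove once troubleshooting is complete, as the workaround above advises.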
557190-3 : 'packet_free: double free!' tmm core
Solution Article: K65615624
557155-8 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
Solution Article: K33044393
Component: TMOS
Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
Conditions:
Sustained high packet rate with a very small payload.
Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue was reproduced during a test that over-provisions a 2-vCPU guest and is unlikely to happen in normal operation.
Workaround:
Try one of the following workarounds, in order of preference:
1. Increase guest memory.
2. Significantly reduce the value in '/sys/module/unic/rx_queue_size', for example with the following command. Note that this substantially decreases throughput:
echo 1048576 > /sys/module/unic/rx_queue_size
3. Set panic on OOM. Try this as the last option.
sysctl vm.panic_on_oom=1
Fix:
BIG-IP Virtual Edition becomes unresponsive under extreme load test due to kernel memory exhaustion from over-provisioning.
555039-4 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
Solution Article: K24458124
Component: TMOS
Symptoms:
There are high drop counts in the output of 'tmsh show net interface', and 'tmctl -a drop_reason' shows that a large number of drops are attributed to counters.rx_cosq_drop.
Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.
Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.
Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.
Workaround:
None.
Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.
554713-2 : Deployment failed: Failed submitting iControl REST transaction
Component: TMOS
Symptoms:
When deploying an access control policy to a sync group, you notice the following error: Deployment failed:
Failed submitting iControl REST transaction 1445978291443908: remoteSender:ip_address
Conditions:
This can happen on policy sync with a large number of ACLs.
Impact:
The system will function properly, but some transactions may take longer than expected. BIG-IQ deployment of APM access control lists is one known case to fail due to timeouts.
Workaround:
None.
Fix:
The audit log contains every database modification request message sent to mcpd. Certain messages once took an unexpectedly long time to render, which has been fixed.
553795-7 : Differing cert/key after successful config-sync
Component: TMOS
Symptoms:
1) If you change a client-ssl profile to a different cert/key, delete the original cert/key, create a new cert/key with the same name as the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip retains a copy of the original key.
2) If you change a client-ssl profile to a different cert/key, then create a new cert/key with a different name from the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the config-sync operation may fail and the peer's client-ssl profile will still use the original cert/key instead of the new one.
Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.
2) High Availability failover systems without FIPS configured with Manual Sync.
Impact:
1) An abandoned FIPS key is left behind.
2) The systems may be out-of-sync, and one system's client-ssl profile uses one cert/key pair, while the other systems' same client-ssl profile uses a different cert/key pair.
Workaround:
1) For the first scenario, you can use either of the following workarounds:
-- Run an extra config-sync before the second change of the client-ssl profile.
-- Delete the FIPS key by-handle on the peer systems.
2) For the second scenario, you can use the following workaround:
-- Perform another config-sync operation in the GUI with the 'Overwrite Configuration' checkbox checked.
Note: If you also deleted your original cert/key pair, perform the following procedure:
1. Go onto the peer systems.
2. Manually delete those cert/key files that were copied during the first config-sync operation.
3. Look for the corresponding cert/key files in these two directories: /config/filestore/files_d/Common_d/certificate_d and /config/filestore/files_d/Common_d/certificate_key_d
4. Delete the cert/key files in those directories.
Fix:
Systems now have the same cert/key after successful config-sync of High Availability configurations.
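As an added example (not part of this release note and not F5 tooling) of how to verify the outcome this fix describes, the following script inventories the certificate and key objects in a filestore directory by content hash, so that the output from each device in the device group can be diffed after a config-sync. It assumes, as the workaround above does, that the objects live under /config/filestore/files_d/Common_d/certificate_d and certificate_key_d, and additionally assumes that each filestore entry carries a numeric _<id>_<version> suffix that differs between devices and must be stripped before comparing. The two directories it builds are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the release note): compare cert/key filestore
# contents between config-sync peers by content hash.
# Assumption (not stated on the page): filestore entries are named
# <object>_<id>_<version>; the numeric suffix differs between devices and
# is stripped so that only the object name and content are compared.
set -u

# Print "sha256  object-name" for every file in a filestore directory,
# sorted by object name, so the output is stable across devices.
filestore_inventory() {
    local dir=$1 f name
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f" | sed -E 's/_[0-9]+_[0-9]+$//')
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$name"
    done | sort -k2
}

# Diff the inventories of two directories (e.g. a local copy and one fetched
# from a peer). Returns 0 when identical, 1 when they differ.
compare_inventories() {
    local a b rc=0
    a=$(mktemp)
    b=$(mktemp)
    filestore_inventory "$1" > "$a"
    filestore_inventory "$2" > "$b"
    diff "$a" "$b" || rc=1
    rm -f "$a" "$b"
    return $rc
}

# Build two constructed directories that mimic the filestore layout on two
# devices: same certificate, different key (the out-of-sync case from
# scenario 2 above). Prints the two directory paths separated by a space.
make_sample_filestores() {
    local d1 d2
    d1=$(mktemp -d)
    d2=$(mktemp -d)
    printf 'cert-A' > "$d1/:Common:app.crt_1000_1"
    printf 'key-A'  > "$d1/:Common:app.key_1001_1"
    printf 'cert-A' > "$d2/:Common:app.crt_2000_3"
    printf 'key-B'  > "$d2/:Common:app.key_2001_3"
    printf '%s %s\n' "$d1" "$d2"
}

# Demo on the constructed directories. On a BIG-IP, run filestore_inventory
# on each device for certificate_d and certificate_key_d and diff the outputs.
dirs=$(make_sample_filestores)
dev1=${dirs%% *}
dev2=${dirs#* }
if compare_inventories "$dev1" "$dev2"; then
    echo "filestores match"
else
    echo "filestores differ"
fi
rm -rf "$dev1" "$dev2"
```

A differing key line for the same object name is exactly the second scenario above: both devices believe they are in sync, yet the client-ssl profile on each serves a different key. For the FIPS scenario the filestore comparison does not help, because the abandoned key lives in the FIPS card rather than on disk.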
551925-3 : Misdirected UDP traffic with hardware acceleration
Component: TMOS
Symptoms:
UDP traffic might be forwarded to the wrong destination when using hardware acceleration.
Conditions:
If the UDP timeout is lower than the embedded Packet Velocity Acceleration (ePVA) aging timeout.
This occurs because UDP connections are accelerated until the ePVA aging timeout expires for the connection. If the ePVA aging timeout is greater than the UDP timeout, then TMM removes the connection from software, but the connection is still accelerated in the ePVA. Subsequent traffic then matches to the original connection, causing it to be sent to the wrong destination.
Impact:
Traffic can be sent to the wrong destination.
Workaround:
You can use either or both of the following workarounds:
-- Increase the UDP timeout (60s or more).
-- Disable UDP hardware acceleration.
551795-1 : Portal Access: corrections to CORS support for XMLHttpRequest
Component: Access Policy Manager
Symptoms:
An XMLHttpRequest to an external domain should fail if the server does not include an 'Access-Control-Allow-Origin' header in the response. The current implementation of CORS support in Portal Access does not enforce this failure.
If XMLHttpRequest to same-origin resource is redirected to external one, it has to be treated as cross-domain request. Current implementation of CORS support in Portal Access does not handle this case correctly.
Conditions:
XMLHttpRequest to external domain via Portal Access succeeds even when the server response does not include 'Access-Control-Allow-Origin' header.
XMLHttpRequest to same-origin resource succeeds via Portal Access in spite of response redirection.
Impact:
Web application may work incorrectly; some data access restrictions may not work.
Fix:
Now Portal Access supports CORS in case of response redirection for XMLHttpRequest.
CORS support enforces error in the case when 'Access-Control-Allow-Origin' header is absent in server response.
551349-5 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
Solution Article: K80203854
Component: TMOS
Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.
Conditions:
A monitor exists with a non-explicit address and explicit port on a BIG-IP system running 10.2.4. Then upgrade to 11.5.x (or install 10.2.4 ucs)
Impact:
Monitors appears to function normally but they will have the wrong format in the config file.
Workaround:
None.
Fix:
The parser now determines whether a non-explicit (*) address is IPv4 or IPv6 based on the next character to be parsed.
551208-6 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.
Component: Local Traffic Manager
Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.
Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435
Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.
Workaround:
None.
Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.
550547-2 : URL including a "token" query parameter results in a connection reset
Component: Access Policy Manager
Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"
Conditions:
An explicit SWG is configured with a per-request policy (PRP) that includes protocol lookup (HTTPS) followed by category lookup.
NTLM and Basic authentication are both affected.
This is triggered on sites that have "token" in the query parameters.
Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"
Workaround:
Workaround iRule (note that string map replaces every occurrence of the substring "token" in the query, not only a parameter named token):
when HTTP_REQUEST {
    # Hide the literal "token" from the per-request policy while it runs.
    if { [HTTP::query] contains "token" } {
        set fix 1
        HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}
when HTTP_REQUEST_SEND {
    # Restore the original query before the request is sent to the server.
    if { [info exists fix] && $fix equals 1 } {
        clientside {
            HTTP::query [string map "aabbcc token" [HTTP::query]]
            unset fix
        }
    }
}
Fix:
A customizable prefix for the subsession state value (default "000fffff", controlled by the db variable tmm.access.subsessionstateprefix) is now placed before the state/token query parameter, and the prefix is validated before the serialize/deserialize code runs, so a request that merely contains a "token" parameter no longer triggers a RST.
If a UCS is restored onto a hotfix build, the newly added DB variable may not be present in /config/Bigdb.dat. Add the following to /config/Bigdb.dat and then run "bigstart restart" to ensure proper operation.
#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32
550526 : Some time zones prevent configuring trust with a peer device using the GUI.
Solution Article: K84370515
Component: TMOS
Symptoms:
AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, and AWDT time zones prevent configuring trust with a peer device using the GUI.
Conditions:
-- Setting a BIG-IP system timezone to AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
-- Using the GUI to add a peer device to a trust configuration.
Impact:
Adding a peer device using the GUI fails.
Workaround:
You can use either of the following workarounds (you might find the first one easier):
-- Temporarily set the device time zone to a non-affected time zone (e.g., UTC), establish trust, and set it back:
1. Navigate to System :: Platform.
2. Under 'Time Zone', select 'UTC', and click 'Update'.
3. Repeat steps one and two to change all devices that are to be part of the trust domain.
4. Establish device trust by navigating to Device Management :: Device Trust :: Add all peers to be part of the trust domain.
5. Once trust is established, navigate to System :: Platform, and change Time Zone back to preferred time zone.
-- Use tmsh to add a peer device in these timezones: AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
Fix:
You can now add a peer device using the GUI when the system time zone is AEST, AEDT, ACDT, ACWST, ACWDT, AWST, Asia/Muscat, or AWDT.
550161-4 : Networking devices might block a packet that has a TTL value higher than 230.
Component: Local Traffic Manager
Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.
Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).
Impact:
No access to the resources.
Workaround:
None.
Fix:
The TTL value can now be changed from the hardcoded value of 255. This accommodates networking devices that block packets whose TTL value is higher than 230.
549329-3 : L7 mirrored ACK from standby to active box can cause tmm core on active
Solution Article: K02020031
Component: Local Traffic Manager
Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.
Conditions:
HA active-standby configuration setup for L7 packet mirroring.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
547479-5 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
Component: TMOS
Symptoms:
TMM crashes with a subkey that has master_record field set to true.
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
547053-1 : Bad actor quarantining
Component: Anomaly Detection Services
Symptoms:
An issue was found where bad actors could be released from quarantine due to a timing issue
Conditions:
This is a timing issue related to having an unusually high number of bad actors at the same time.
Impact:
Traffic can be removed from quarantine and passed to the web server.
Fix:
An issue was fixed related to bad actor quarantining
546489-1 : VMware View USB redirection stops working after client reconnect
Component: Access Policy Manager
Symptoms:
VMware View USB redirection stops working
Conditions:
VMware View client reconnects due to network interruptions
Impact:
VMware View USB redirection stops working
Fix:
VMware View USB redirection works after client reconnect
546145-1 : Creating local user for previously remote user results in incomplete user definition.
Component: TMOS
Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.
Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.
Impact:
User cannot authenticate. User name does not appear in User List.
Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.
545810-3 : TMM halts and restarts
Solution Article: K14304373
Component: Local Traffic Manager
Symptoms:
TMM halts and restarts.
Conditions:
This crash can happen when passing egress traffic on LTM virtual servers that meet the following two configuration criteria:
-- The virtual server is configured with a Fast HTTP profile.
Impact:
Halt and restart of TMM. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Now the system receives only packets that it owns and can be re-used, so this issue no longer occurs.
545796-5 : [iRule] [Stats] iRule is not generating any stats for executed iRules.
Component: Local Traffic Manager
Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.
Conditions:
This occurs when the following steps are taken:
1. Remove or edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.
Impact:
No iRule usage stats available.
Workaround:
None.
Fix:
iRule now generates stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.
545450-5 : Log activation/deactivation of TM.TCPMemoryPressure
Component: Local Traffic Manager
Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.
Conditions:
TM.TCPMemoryPressure set to "enable".
Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.
Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.
544906-2 : Issues when using remote authentication when users have different partition access on different devices
Solution Article: K07388310
Component: TMOS
Symptoms:
User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user.
For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].
Conditions:
Devices configured for remote authentication.
User A on device 1 with role on all-partitions.
User A on device 2 with role restricted to a single partition.
Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.
Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.
Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.
Fix:
User authentication completes successfully for operations on multiple devices on which a single user has different partition access configured.
544477 : New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.
Component: TMOS
Symptoms:
Phone support is not available for hourly billing customers in cloud marketplaces.
Conditions:
All hourly billing VE instances in AWS Marketplace.
Impact:
Phone support is not available for hourly billing VE instances.
Fix:
New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.
Behavior Change:
Changed licensing for hourly billing instances from pre-licensed image to template reg key which must be licensed through the license server.
544033-5 : ICMP fragmentation request is ignored by BIG-IP
Solution Article: K30404012
Component: Local Traffic Manager
Symptoms:
A client sends an ICMP Echo Request larger than the MTU of a network the reply must traverse, so the ICMP Echo Reply has to be fragmented. The BIG-IP system ignores the resulting ICMP fragmentation-needed message and continues sending ICMP Echo Replies that exceed the network MTU.
Conditions:
-- A large ICMP Echo Request (larger than the MTU of a network it traverses) is directed to a virtual address on the BIG-IP system.
-- The ICMP Echo Reply is larger than the upstream network's MTU, so an ICMP fragmentation-needed message is sent to the BIG-IP system.
Impact:
ICMP Echo Reply is not received by the requester.
Workaround:
None.
Fix:
The client now correctly receives the ICMP Echo Reply from the virtual address when the reply must be fragmented.
543344-3 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
Component: Access Policy Manager
Symptoms:
When a BIG-IP system is configured with explicit HTTP proxy, an ACCESS iRule does not work reliably in HTTP_PROXY_REQUEST. The issue happens when the current ACCESS iRule searches the associated session ID from the connection itself in either of these ways:
-- The session ID is embedded in the request.
-- The connection was processed by ACCESS previously.
When neither condition is satisfied, then the current ACCESS iRule cannot find the associated session ID.
Conditions:
This occurs when the following conditions are met:
-- ACCESS iRule such as ACCESS::session data get/set.
-- ACCESS::session exists.
-- Session ID is not provided by the caller.
-- Caller expects the session ID to be resolved internally.
Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, ACCESS iRule commands are processed as if the caller provided an empty session ID in its arguments. As a result, ACCESS::iRule commands return an empty result.
Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.
Fix:
Fixed to allow ACCESS iRule commands in commands such as HTTP_PROXY_REQUEST where previously there was not enough data for them to execute.
Note: This fix is only for IP address-based sessions where the access policy is not evaluated via iRules, but in the usual method (attached to virtual server). This fix does not address the issue for NTLM-based sessions and sessions that use 'ACCESS::policy evaluate'.
543208-1 : Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★
Component: TMOS
Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:
01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..
Conditions:
This occurs when the following sets of conditions are met:
Condition set 1
===============
-- Your BIG-IP high availability (HA) device group members are running BIG-IP 11.6.0 or 11.6.1.
-- You upgrade a peer HA device to BIG-IP 12.x or later.
-- After you upgrade that peer, a failover event occurs.
Condition set 2
===============
-- Your BIG-IP HA device group members are running BIG-IP 12.0.0, 12.1.0, 12.1.1, or 12.1.2.
-- You upgrade a peer HA device to BIG-IP 13.x or later.
-- After you upgrade that peer, a failover event occurs.
Note: This might be most evident with APM configurations.
Impact:
mcpd on the devices running the affected versions may become unresponsive, and the upgrade fails. This is fundamentally the result of device group members running different software versions.
Workaround:
None.
Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.
542817-1 : Specific numbers that are not credit card numbers are being masked as such
Solution Article: K11619228
Component: Application Security Manager
Symptoms:
ASM masks or blocks a response when it contains a number within a specific numeric range and of a specific length, even though the number is not a credit card number.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm, or Mask, and responses contain numbers in specific ranges that Data Guard treats as credit card numbers.
Impact:
Responses are masked or blocked before reaching the end client.
Workaround:
A partial workaround is to turn off the Data Guard feature; however, no credit card numbers will then be masked or blocked.
Fix:
The system now masks and/or blocks only actual credit card numbers; numbers that start with a specific digit and fall within a specific length range are no longer treated as credit card numbers.
542097-4 : Update to RHEL6 kernel
Component: TMOS
Symptoms:
A rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic.
Conditions:
Running the RHEL6 kernel under heavy disk load; more likely on a vCMP host.
Impact:
Unexpected machine reboot, causing loss of service.
Workaround:
None.
Fix:
Red Hat provided an update in RHEL 6.7, which F5 backported to the RHEL 6.4 and 6.5 kernels:
jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()
541550-3 : Defining more than 10 remote-role groups can result in authentication failure
Component: TMOS
Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:
notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false
Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.
Impact:
User cannot authenticate.
Workaround:
None.
541549-2 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
Component: TMOS
Symptoms:
By default, an AMI does not delete an instance's attached volumes when the instance is terminated. Volumes must therefore be deleted manually after termination; if this step is missed, the orphaned volume continues to incur charges.
Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.
Impact:
Volumes attached to BIG-IP VE instances are now deleted automatically when the instance is terminated; this is the new default. To keep a volume after terminating a BIG-IP VE instance, set it to not be deleted upon termination during instance launch in the AWS console.
Workaround:
None.
Fix:
BIG-IP VE AWS images now set the option so that instances launched from them have their volumes marked for deletion upon termination by default.
Behavior Change:
BIG-IP VE AWS images now set the option so that instances launched from them have their volumes marked for deletion upon termination by default.
541320-10 : Sync of tunnels might cause restore of deleted tunnels.
Solution Article: K50973424
Component: TMOS
Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.
Conditions:
Viewing tunnels after a full load sync.
Impact:
This might result in a deleted tunnel being restored to the configuration.
Workaround:
None.
Fix:
Sync of tunnels no longer causes restore of deleted tunnels.
540928-1 : Memory leak due to unnecessary logging profile configuration updates.
Component: Application Security Manager
Symptoms:
There is a memory leak in ASM control plane daemons after a long-lived process has handled many calls.
Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)
Impact:
Memory consumption by ASM control plane daemons increases.
Workaround:
Either restart ASM, which causes a failover and downtime, or kill only the asm_config_server process:
-----------------------
pkill -f asm_config_server
-----------------------
The ASM process watchdog restarts asm_config_server within about 15 seconds; this should cause neither failover nor downtime.
Fix:
An async worker lifecycle was introduced: long-lived processes now dispatch a fixed number of calls to their workers before retiring them.
540872-1 : Config sync fails after creating a partition.
Component: TMOS
Symptoms:
Config sync fails after creating a partition. A config sync error similar to the following occurs:
Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist
Conditions:
This error occurs when a folder is created in the same transaction that an object is also created in that folder.
This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created.
Impact:
A transaction will fail or incremental sync on APM will fail on a peer.
Workaround:
In the case of transactions, create partitions and folders in a separate transaction from any object creation.
For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.
539360 : Firmware update that includes might take over 15 minutes. Do not turn off device.
Component: TMOS
Symptoms:
On certain platforms, firmware updates might take over 15 minutes to complete. It is very important to wait until the update completes. Do not turn off the device until the operation is finished.
Conditions:
This occurs on the following iSeries platforms: i2000, i4000, i5000, i7000, and i10000.
Impact:
Reboot takes a long time. The GUI posts the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.
Workaround:
None.
Fix:
Although reboot still takes a long time on the iSeries platforms, the GUI now posts a message containing a time range, similar to the following: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.
539093-1 : VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
Solution Article: K26104530
Component: TMOS
Symptoms:
Virtual Edition (VE) deployed with 1 CPU only shows INOPERATIVE status until at least one VLAN is both configured and attached to an interface.
Conditions:
Install the BIG-IP Virtual Edition software on a VM with 1 CPU (1 CPU/2048 MB RAM option available in OVA) and license, but do not create any VLANs (or create VLANs, but do not attach them to an interface).
Impact:
In the CLI, device remains in INOPERATIVE state, but shows ACTIVE in the GUI. This might cause unneeded delay trying to rectify what appears to be a license issue when there is none.
Workaround:
To work around this, configure at least one VLAN and attach it to an interface.
537553-8 : tmm might crash after modifying virtual server SSL profiles in SNI configuration
Component: Local Traffic Manager
Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:
-- BIG-IP system sends an invalid memory access segmentation fault (SIGSEGV) or floating point error (SIGFPE), signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed
Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Making SSL profile configuration changes now completes successfully.
536563-7 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
Component: Local Traffic Manager
Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.
Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.
Impact:
Unexpected RSTs (Clientside).
Workaround:
None.
534520-1 : qkview may exclude certain log files from /var/log
Component: TMOS
Symptoms:
After generating a qkview, some log files are missing.
Conditions:
This can occur intermittently while generating a qkview.
Impact:
Certain key log files that might be needed for troubleshooting are missing from the qkview.
Workaround:
None.
Fix:
After generating a qkview, all log files are now present.
534457-4 : Dynamically discovered routes might fail to remirror connections.
Component: Local Traffic Manager
Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.
Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.
Impact:
Dynamically discovered routes might fail to remirror connections, resulting in one-way failover similar to L7 virtual servers: the initial failover works as expected, but subsequent failovers might drop connections.
Workaround:
Provide a static route instead of dynamic routes.
Fix:
Remirroring L4 connections over dynamic routes now works correctly. (Note that with dynamic routes it is not guaranteed that the active and standby systems use the same routes; if the routes differ between the active and standby systems, some connections might be dropped on failover.)
534247-1 : Issue a Body in Get sub violation for GET request with content type header
Component: Application Security Manager
Symptoms:
A GET request with no payload but with a header indicating a payload does not trigger the Body in GET violation.
Conditions:
A Get request without payload arrives.
The request has a content type header although there is no payload.
Impact:
A suspicious request goes undetected.
Workaround:
Add an iRule that removes this request from the ASM and issues a custom violation.
Fix:
A GET request without a payload but with a Content-Type header now issues the Body in GET sub-violation.
533956-3 : Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
Solution Article: K30515450
Component: Access Policy Manager
Symptoms:
Extended Unix Code (EUC) character sets include several white space characters which have no ASCII equivalents. These characters are not recognized as white spaces by Portal Access. This may lead to incorrect handling of HTML pages, XML files and/or JavaScript files in these character sets.
Conditions:
- HTML page, XML file or JavaScript file in any EUC encoding scheme (EUC-JP, for example).
Impact:
Page or file in EUC encoding scheme may not be parsed correctly.
Workaround:
Use an iRule to replace the non-ASCII white space characters with ordinary spaces.
Fix:
Now text content using EUC character encoding schemes is handled correctly by Portal Access.
531979-6 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.
Component: Local Traffic Manager
Symptoms:
In the ClientHello message, the system sets the SSL version in the record layer to the same value as the version field of the ClientHello message, which is the highest SSL version the system supports.
Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:
SSL Record:
Content Type: Handshake (22)
Version: $LOWEST_VERSION
Handshake Record:
Handshake Type: Client Hello (1)
Version: $HIGHEST_VERSION
The BIG-IP system implementation therefore tells the SSL peer that the system supports only versions from $HIGHEST_VERSION through $HIGHEST_VERSION, instead of from $LOWEST_VERSION through $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the peer.
Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.
For example, if the SSL peer supports only TLS1.0 and TLS1.1 and the BIG-IP system sets the highest SSL version to TLS1.2, the peer concludes that there is no version in common and the SSL handshake fails.
Impact:
SSL handshake fails.
Workaround:
There is no workaround for this issue.
Fix:
The SSL version in the record layer of the ClientHello is now set to the lowest supported version, which eliminates the failure that occurred when the highest SSL version the BIG-IP system supports did not fall within the range the SSL peer supports.
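The two version fields contrasted in the entry above can be checked on a captured ClientHello. The following is an added example, not F5 code: it builds a minimal ClientHello (placeholder cipher suite and random; the builder and its names are this example's own), parses back the record-layer version and the handshake client_version, and models a peer that reads those two fields as the client's supported range, as the entry describes. The peer-range check assumes contiguous version ranges on both sides.

```python
import struct

# Added example (not F5 code): build a minimal TLS ClientHello and read back the two version
# fields the 531979 entry contrasts: the record-layer version and the handshake client_version.
TLS_VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def build_client_hello(record_version, handshake_version, client_random=b"\x00" * 32):
    """Construct a minimal ClientHello record (one cipher suite, null compression, no
    extensions). The cipher suite and random are placeholders; only the version fields matter."""
    body = struct.pack("!H", handshake_version)        # client_version
    body += client_random                               # 32-byte random
    body += b"\x00"                                     # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"          # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                                 # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # ContentType handshake(22), record-layer version, record length
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello_versions(record):
    """Return (record_version, handshake_version) from a ClientHello record, validating lengths."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    if len(record) < 5 + record_len:
        raise ValueError("truncated record")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_len < 2 or 9 + hs_len > 5 + record_len:
        raise ValueError("bad handshake length")
    (handshake_version,) = struct.unpack("!H", record[9:11])
    return record_version, handshake_version


def peer_can_negotiate(record, peer_min, peer_max):
    """Model a peer that treats the record-layer version as the client's lowest supported version
    and client_version as its highest (the de facto convention the entry describes), and checks
    whether that range overlaps the peer's own [peer_min, peer_max]. Assumes contiguous ranges."""
    lowest, highest = parse_client_hello_versions(record)
    return max(lowest, peer_min) <= min(highest, peer_max)


def describe(record):
    lowest, highest = parse_client_hello_versions(record)
    name = lambda v: TLS_VERSION_NAMES.get(v, hex(v))
    return f"record={name(lowest)} handshake={name(highest)}"


if __name__ == "__main__":
    buggy = build_client_hello(0x0303, 0x0303)  # pre-fix behaviour: record version pinned to highest
    fixed = build_client_hello(0x0301, 0x0303)  # post-fix: record version set to lowest supported
    for label, hello in (("pre-fix", buggy), ("post-fix", fixed)):
        print(label, describe(hello),
              "peer limited to TLS1.0-1.1 negotiates:", peer_can_negotiate(hello, 0x0301, 0x0302))
```

A peer that follows RFC 5246 appendix E.1 ignores the record-layer version of the first ClientHello and would accept either form; the check models the stricter peers whose failure the entry describes. To inspect real traffic, feed the first record of a captured server-side handshake (for example, exported from a packet capture) to parse_client_hello_versions.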
530927-8 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
Component: TMOS
Symptoms:
If a trunk is created from interfaces forced to lower than their maximum speed (for example, 100 Mbps full duplex on 1GbE links), adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.
Conditions:
-- Interfaces are forced to a lower speed than their capacity.
-- A trunk is created in which the highest speed of any member is this reduced speed.
-- An interface, also set to the lower speed, is added to the trunk.
Impact:
Interface cannot be added to the trunk.
Workaround:
Remove all interfaces from the trunk, then re-add them all at the same time.
Fix:
The BIG-IP system now correctly adds interfaces to a trunk formed from interfaces running at a lowered speed.
530877-7 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.
Solution Article: K13887095
Component: Local Traffic Manager
Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.
If the iRule contains a suspending command, the system may eventually stop accepting connections to any TCP virtual server that has the Verified Accept option enabled.
Conditions:
This occurs when all of the following conditions are met:
- Standard Virtual Server is configured.
- Virtual Server is configured with a TCP profile in which Verified Accept is enabled.
- Client sends the initial data to be sent on the ACK of the three-way-handshake.
Impact:
Depending on the scenario, this might:
- Result in the specific connection being reset.
- Eventually result in TMM being unable to process any further connections to virtual servers with Verified Accept enabled.
Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking whether the variable has been set on subsequent runs.
Fix:
The BIG-IP system now correctly processes initial data on the ACK of a three-way handshake when used with Verified Accept so iRule processing does not run the CLIENT_ACCEPTED event twice.
530775-4 : Login page may generate unexpected HTML output
Solution Article: K23734425
530530-6 : tmsh sys log filter is displayed in UTC time
Solution Article: K07298903
Component: TMOS
Symptoms:
When using the time-based log filters hour, minute, and second, tmsh returns results based on UTC time.
Conditions:
Use range filter for 'tmsh show sys log' in either of the following ways:
Filter logs by hour.
Filter logs for less than 8 hours.
Impact:
tmsh does not filter the log correctly with 'range' filter.
Workaround:
Calculate the difference between the local BIG-IP system time and UTC, or change the system time to UTC.
530266-7 : Rate limit configured on a node can be exceeded
Component: Local Traffic Manager
Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.
Conditions:
The system runs more than one tmm, and a rate limit is configured on the node.
Impact:
Node rate limit feature does not work as intended.
Workaround:
Move the rate limit from the node to the pool member; pool member rate limits are honored.
530109-3 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
Component: Access Policy Manager
Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.
Impact:
OCSP authentication might fail because the wrong URL is used.
Workaround:
1. Clear the URL field.
2. Uncheck option 'Ignore AIA'.
Fix:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.
Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.
528499-3 : AFM address lists are not sorted while trying to create a new rule.
Component: Advanced Firewall Manager
Symptoms:
AFM address lists are not sorted while trying to create a new rule.
Conditions:
Seen only in the rule creation page.
Impact:
AFM address lists are not sorted in the rule creation page.
Workaround:
None.
Fix:
AFM address lists are now sorted in the rule creation page.
527720-1 : Rare 'No LopCmd reply match found' error in getLopReg
Component: TMOS
Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.
This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.
Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.
Workaround:
None.
527206-5 : Management interface may flap due to LOP sync error
Component: TMOS
Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.
Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.
Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.
Workaround:
None.
Fix:
Rare Management interface flap due to LOP sync error no longer occurs on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.
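The two entries above (527720 and 527206) describe the same chmand message sequence: getLopReg/GET_* read failures followed by a management interface DOWN/UP. The following is an added example, not F5 code, that pairs each DOWN with the next UP in /var/log/ltm-style lines, measures the outage and flags flaps preceded within a short window by a LOP read error, so a LOP-related flap can be told apart from a genuine link flap. The message bodies are the chmand messages quoted in the entries; the timestamps, hostname, second (non-LOP) flap and the year used to parse syslog timestamps are constructed assumptions.

```python
import re
from datetime import datetime

# Added example (not F5 code). Message bodies follow the chmand messages quoted in the 527720
# and 527206 entries; timestamps, hostname and the second, non-LOP flap are constructed.
SAMPLE_LTM_LOG = """\
Aug 24 11:35:40 bigip1 warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
Aug 24 11:35:40 bigip1 err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
Aug 24 11:35:41 bigip1 warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
Aug 24 11:35:42 bigip1 notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
Aug 24 11:35:57 bigip1 notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.
Aug 24 12:10:00 bigip1 notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
Aug 24 12:10:03 bigip1 notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.
"""

# Syslog-style prefix, then the chmand message code (e.g. 012a0004) and the message text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \w+ chmand\[\d+\]: "
    r"(?P<code>[0-9a-f]{8}):\d: (?P<msg>.*)$")
LINK_RE = re.compile(r"Interface: (?P<ifname>\S+) is (?P<state>UP|DOWN)\.")
# Message codes of the LOP register-read failures quoted in the entries above.
LOP_ERROR_CODES = {"012a0004", "012a0003"}


def parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_mgmt_flaps(log_text, year=2015, lop_window_s=10):
    """Pair each 'Interface: X is DOWN' with the next 'X is UP', report the outage length, and
    flag flaps preceded within lop_window_s seconds by a LOP read error (the 527206 signature)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"], year), m["code"], m["msg"]))
    lop_times = [ts for ts, code, _ in events if code in LOP_ERROR_CODES]
    flaps, pending = [], {}
    for ts, code, msg in events:
        lm = LINK_RE.search(msg)
        if not lm:
            continue
        ifname, state = lm["ifname"], lm["state"]
        if state == "DOWN":
            lop_related = any(0 <= (ts - t).total_seconds() <= lop_window_s for t in lop_times)
            pending[ifname] = (ts, lop_related)
        elif ifname in pending:
            down_ts, lop_related = pending.pop(ifname)
            flaps.append({"interface": ifname,
                          "down_seconds": (ts - down_ts).total_seconds(),
                          "lop_related": lop_related})
    return flaps


if __name__ == "__main__":
    for flap in find_mgmt_flaps(SAMPLE_LTM_LOG):
        print(flap)
```

Run it against the real file with find_mgmt_flaps(open("/var/log/ltm").read()); a flap marked lop_related with a down interval near the 15 seconds the entry quotes matches the behaviour described, whereas an unflagged flap points at the cable, switch port or a different fault.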
526708 : system_check shows fan=good on removed PSU of 4000 platform
Component: TMOS
Symptoms:
Running system_check on a 4000 platform with one PSU removed will still show status FAN=good; STATUS=good
Conditions:
This applies only to the BIG-IP 4000 platform.
Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.
Fix:
If a PSU has been removed, system_check now shows STATUS=not present.
525580-1 : tmsh load sys config merge file filename.scf base command does not work as expected
Solution Article: K51013874
Component: TMOS
Symptoms:
The presence of the base option indicates that only the base objects in the configuration should be considered for the operation; non-base objects should be ignored.
However, this is not true for the following command:
tmsh load sys config merge file filename.scf base
Conditions:
Running the command: tmsh load sys config merge file filename.scf base
Impact:
The base option is ignored when it is specified together with the merge option: the command merges the non-base configuration objects instead of loading only the base configuration objects as requested.
Workaround:
None.
Fix:
tmsh load sys config merge file filename.scf base command now loads only the base config objects as specified in the command.
525429-11 : DTLS renegotiation sequence number compatibility
Component: Access Policy Manager
Symptoms:
The OpenSSL library was modified to keep it compatible with the RFC 6347-compliant DTLS server renegotiation sequence number implementation.
Conditions:
The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library is.
The current APM client is compatible with the old OpenSSL library but not with the new one.
Impact:
The current APM client is not compatible with the new OpenSSL library.
Fix:
The APM client is now compatible with both the old and new OpenSSL library.
524277-2 : Missing power supplies issue warning message that should be just a notice message.
Component: TMOS
Symptoms:
Missing power supplies produce a warning-level message in /var/log/ltm when the message should be a notice.
Absent power supplies should be logged at notice level, not warning level, since running a system this way is normal and acceptable.
Conditions:
Running a chassis with absent power supplies, or with power not applied to a supply, causes warning messages to be logged in /var/log/ltm.
Impact:
Extra logging.
Workaround:
Ignore missing power supply warning messages.
Fix:
Missing power supplies now produce a notice-level message in /var/log/ltm instead of a warning.
523814-3 : When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
Component: Local Traffic Manager
Symptoms:
An HTTP virtual server with OneConnect and RAM Cache will not consistently keep server-side connections alive and idle (for reuse), depending on the HTTP version that the client uses.
Clients that use HTTP/1.1 will result in fewer serverside connections being reused.
Conditions:
HTTP virtual server with HTTP cache enabled (in RAM cache mode, not AAM mode) and OneConnect profile.
Alternatively, an iRule downgrades the HTTP request version to HTTP/1.0.
Impact:
Increased server utilization and number of ports in use / timewait / finwait as a result of OneConnect and RAM Cache closing serverside connections more frequently than expected.
Inconsistent behavior as a result of client HTTP version.
Workaround:
An iRule can work around this issue by inserting a Connection: Keep-Alive header.
523797-2 : Upgrade: file path failure for process name attribute in snmp.★
Component: TMOS
Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.
Conditions:
Upgrade from 10.x to 11.5.1 or later.
Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.
Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.
522302-2 : TCP Receive Window error messages are inconsistent on UI
Component: Local Traffic Manager
Symptoms:
Different invalid inputs for Receive Window resulted in inconsistent error messages in TMUI.
Conditions:
Input invalid values (e.g., -1 and 0) for TCP Receive Window in TMUI.
Impact:
User is presented with two different input ranges whereas for both invalid options one correct input range should have been present.
Workaround:
There is no workaround at this time.
Fix:
TMUI for TCP Receive Window is fixed for invalid inputs.
521370-1 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
Component: Application Security Manager
Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.
Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.
Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.
Fix:
Auto-Detect Language policy no longer contains disallowed high ASCII meta-characters.
521270-1 : Hypervisor might replace vCMP guest SYN-Cookie secrets
Component: TMOS
Symptoms:
Traffic suddenly stops passing on platforms in vCMP mode when SYN-cookie mode is triggered.
Occasionally, under HW-SYN-Cookie mode, hardware SYN-Cookie validation fails, which triggers the software SYN-Cookie procedure; the software procedure succeeds.
On a vCMP guest, you might notice hwalgo_accept increasing in the TMCTL table epva_hwvipstat. If the packet's destination is the local TCP stack, there is no functional impact; otherwise there might be a performance impact.
With vCMP mirroring, however, the packet that failed FPGA validation is sent to the remote TMM, which does not have the correct secret to validate it, causing the connection issue.
Conditions:
vCMP is provisioned.
Impact:
On a vCMP guest, you might notice hwalgo_accept increasing in the TMCTL table epva_hwvipstat; under HW-SYN-Cookie mode, these packets would otherwise be validated automatically by the FPGA.
You might also notice hwalgo_invalid increasing if the FPGA used the secret updated by the hypervisor for SYN-Cookie generation and the guest and hypervisor secret indexes overlap.
Even when the guest and hypervisor secret indexes differ, the hypervisor might update the history secret, which triggers additional hwalgo_accept.
With vCMP mirroring, however, the packet that failed FPGA validation is sent to the remote TMM, which does not have the correct secret to validate it, so the error rate could be higher.
Workaround:
On the vCMP hypervisor, run the following commands:
1. echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl
2. bigstart restart tmm
Note that the '>' redirection overwrites any existing contents of /config/tmm_init.tcl; if the file already contains settings, append the line instead.
On a multi-blade system, you must run these commands on all blades.
Fix:
Hypervisor no longer replaces vCMP guest SYN-Cookie secrets.
521204-2 : Include default values in XML Policy Export
Component: Application Security Manager
Symptoms:
XML Policy Export does not include some entities, unless their values are different from the system's default settings.
Conditions:
-- ASM provisioned.
-- Configuration contains some entities whose values match the defaults.
-- Export security policy in XML format.
Impact:
XML Policy Export does not include those entities; it includes entities only when their values differ from the system's default settings.
Workaround:
None.
Fix:
XML policy export operations now exclude defaults only when exporting a minimal XML configuration.
520877-1 : Alerts sent by the lcdwarn utility are not shown in tmsh
Component: TMOS
Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.
The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.
Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.
Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.
This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.
Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.
Workaround:
None. This is a cosmetic issue.
519612-1 : JavaScript challenge fails when coming within iframe with different domain than main page
Component: Application Security Manager
Symptoms:
The JavaScript Challenge fails when coming within an iframe that is on a different domain than the main page.
Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
c. Device-ID (fingerprint)
d. Web Scraping Bot Detection Challenge
e. Proactive Bot Defense (with/without "Block Suspicious Browsers")
Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.
Workaround:
It is possible to work around the problem using Proactive Bot Defense (DoS Profile) and iRules.
This works even if the problem is in Web Scraping and a DoS profile was not previously used.
The following steps must be done for the Virtual Server handling the iframe, as well as the one handling the main page.
1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/" } {
        BOTDEFENSE::cs_allowed true
    }
}
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.
Fix:
JavaScript challenges no longer fail when coming within an iframe on a different domain than the main page.
518201-4 : ASM policy creation fails after upgrading
Component: Application Security Manager
Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. The system posts the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------
It does not matter if the security policy was created at the command line or by the Configuration utility.
Conditions:
-- ASM provisioned
-- Upgrade to 11.6.x.
Impact:
ASM policies cannot be created.
Workaround:
As root user, from the command line of the affected BIG-IP system, run these exact commands (tip: you can copy and paste into the command line):
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
IMPORTANT: This operation permanently affects the mentioned database table. It is strongly advised that you first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------
Before applying the workaround, make sure that you need one. To determine that, run the following command:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
If this query returns no output, the workaround is not needed.
If it is needed, run the same "SELECT *" query again after applying the workaround to validate it: the query should then return no output.
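The check-then-fix-then-verify sequence above, as an added example that is not part of the release note or of F5's own tooling. It uses an in-memory sqlite3 database standing in for the MySQL PLC database, so the `PLC.` prefix is dropped; the table names and the `id`/`policy_id` columns come from the page, while the remaining columns and all row values are constructed. The UCS backup step is not modelled and must still be done on a real system.

```python
import sqlite3

# Constructed miniature of the two tables named in the workaround. Only the
# id / policy_id columns are taken from the page; the other columns and the
# row values are assumptions made for this illustration. sqlite3 has no
# "PLC." database prefix, so the tables are created unqualified.
SCHEMA = """
CREATE TABLE PL_POLICIES (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE PL_SESSION_AWARENESS_VIOLATIONS (
    id        INTEGER PRIMARY KEY,
    policy_id INTEGER NOT NULL,
    viol_name TEXT NOT NULL
);
"""

# Constructed sample data: policy 7 no longer exists, but a violation row
# still points at it. That dangling row is what blocks policy creation.
SAMPLE_POLICIES = [(1, "/Common/app1"), (2, "/Common/app2")]
SAMPLE_VIOLATIONS = [
    (10, 1, "VIOL_SESSION_AWARENESS"),
    (11, 7, "VIOL_SESSION_AWARENESS"),   # orphan: policy 7 was deleted
    (12, 2, "VIOL_SESSION_AWARENESS"),
]

# The predicate shared by the page's SELECT and DELETE statements, kept in one
# place so the diagnostic check and the fix can never drift apart.
ORPHAN_PREDICATE = "policy_id NOT IN (SELECT id FROM PL_POLICIES)"


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PL_POLICIES VALUES (?, ?)", SAMPLE_POLICIES)
    conn.executemany("INSERT INTO PL_SESSION_AWARENESS_VIOLATIONS VALUES (?, ?, ?)",
                     SAMPLE_VIOLATIONS)
    conn.commit()
    return conn


def find_orphans(conn):
    """The diagnostic SELECT: rows whose policy_id matches no existing policy."""
    sql = f"SELECT id, policy_id FROM PL_SESSION_AWARENESS_VIOLATIONS WHERE {ORPHAN_PREDICATE}"
    return conn.execute(sql).fetchall()


def delete_orphans(conn):
    """The corrective DELETE; returns how many rows it removed."""
    cur = conn.execute(f"DELETE FROM PL_SESSION_AWARENESS_VIOLATIONS WHERE {ORPHAN_PREDICATE}")
    conn.commit()
    return cur.rowcount


def repair(conn):
    """Check first, change only if needed, then re-run the check.

    Returns (orphans_before, rows_deleted, orphans_after). A healthy system
    returns (0, 0, 0) and is never written to.
    """
    before = find_orphans(conn)
    if not before:
        return (0, 0, 0)
    deleted = delete_orphans(conn)
    after = find_orphans(conn)
    return (len(before), deleted, len(after))


if __name__ == "__main__":
    db = build_sample_db()
    print("orphans before:", find_orphans(db))
    print("repair result (before, deleted, after):", repair(db))
```

Running `repair()` a second time on the same database returns `(0, 0, 0)`, which is the same property the note asks you to confirm by re-running the `SELECT *` query: the fix is idempotent and a clean system is never modified.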
Fix:
This version fixes ASM policy creation so that it does not fail after upgrade.
517756-6 : Existing connections can choose incorrect route when crossing non-strict route-domains
Component: Local Traffic Manager
Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.
Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.
Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.
Workaround:
None.
Fix:
Existing connections now choose the correct route when crossing non-strict route-domains.
516736-1 : URLs with backslashes in the path may not be handled correctly in Portal Access
Component: Access Policy Manager
Symptoms:
Safari, Chrome, Edge, and Internet Explorer support backslashes in the URL path and treat them as slashes, but Portal Access converts backslashes in URLs to slashes explicitly; this may cause unexpected results in some web applications. Note that Firefox has no such support.
Conditions:
HTML page with URL with backslashes in the path, for example:
<a href=http://some.com\some\path/file.ext>
Impact:
Web application may not work correctly.
Workaround:
In some cases it is possible to modify rewritten URLs by iRule.
Fix:
URLs with backslashes are now supported correctly by Portal Access for all browsers except Internet Explorer 7 through 9 and Firefox.
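The parser difference behind this note, shown as an added example that is not part of the release note or of APM's own rewriting code. It contrasts Python's strict RFC 3986 `urlsplit` with a WHATWG-style split that, for the special schemes, treats a backslash exactly like a forward slash, which is the behaviour the note attributes to Safari, Chrome, Edge, and Internet Explorer. The `SPECIAL_SCHEMES` set is taken from the WHATWG URL standard; the function names are this example's own.

```python
from urllib.parse import SplitResult, urlsplit

# Schemes for which the WHATWG URL standard treats "\" exactly like "/".
# For any other scheme a backslash is an ordinary character and is left alone.
SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp", "file"}


def browser_style_split(url: str) -> SplitResult:
    """Split a URL the way a WHATWG-conformant browser would.

    Python's urlsplit is strict: the authority ends only at '/', '?' or '#',
    so a backslash is swallowed into the host component. For special schemes
    we map backslashes to slashes first, then split normally.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in SPECIAL_SCHEMES:
        return urlsplit(url)
    normalized = rest.replace("\\", "/")
    return urlsplit(f"{scheme.lower()}:{normalized}")


def host_and_path(url: str) -> tuple:
    """(netloc, path) as the browsers named in the note would see them."""
    parts = browser_style_split(url)
    return parts.netloc, parts.path


def strict_host_and_path(url: str) -> tuple:
    """(netloc, path) as a strict RFC 3986 parser sees them, for comparison."""
    parts = urlsplit(url)
    return parts.netloc, parts.path


if __name__ == "__main__":
    # The href from the note's Conditions section.
    page_url = "http://some.com\\some\\path/file.ext"
    print("browser view :", host_and_path(page_url))
    print("strict view  :", strict_host_and_path(page_url))
```

Any component that sits between the browser and the origin (a rewriting proxy such as Portal Access, a WAF, or a logging pipeline) must pick the browser's interpretation, otherwise it normalizes one URL while the client requested another.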
516307-2 : Multiple Relay in DHCP relay is not working.
Solution Article: K35152864
Component: Local Traffic Manager
Symptoms:
If the BIG-IP system is behind another DHCP relay, the packets are dropped instead of being sent to the server.
Conditions:
This occurs when a DHCP virtual server is configured with a profile based on dhcpv4_fwd.
Impact:
This previously worked on v11.4.x, so if you are running on version 11.4.x and upgrade to 11.6.x, the virtual server may not function correctly.
Workaround:
To work around this, do the following:
1. Configure a unicast IP address for the BIG-IP DHCPv4 listener destination address field.
2. Configure the same IP address as the DHCP server IP address on DHCP relay agent.
This way the BIG-IP system can load balance DHCP load on to a pool of DHCP servers.
Fix:
Multiple Relay in DHCP relay is now working.
516167-2 : TMSH listing with wildcards prevents the child object from being displayed
Solution Article: K21382264
Component: TMOS
Symptoms:
When the tmsh list command is run with an identifier that uses the wildcard match character (*), the results may not include the nested objects contained within the parent object.
For example, the 'list ltm pool*' command prints all pools whose names begin with 'pool', but fails to list the profiles within each pool.
Conditions:
tmsh list with a wildcard character specified for parent object.
Impact:
Details of nested objects are missing when tmsh list is invoked with the wildcard character (*) in the object identifier.
Workaround:
None.
Fix:
The result of tmsh list with a wildcard character in the object identifier now contains all of the nested objects.
For the example specified, the results would now be as follows:
(tmos)# list ltm pool pool*
ltm pool pool-http-1 {
    members {
        10.1.3.1:http {
            address 10.1.3.1
            inherit-profile disabled
            profiles {
                nvgre { }
            }
        }
    }
}
The missing profile objects are now listed correctly, as expected.
513310-1 : TMM might core when a profile is changed.
Component: Local Traffic Manager
Symptoms:
TMM might core when a profile is changed.
Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active one.
Impact:
TMM might core. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now reinitializes the TCP proxy filter chain on profile change, so that tmm no longer cores.
513288-7 : Management traffic from nodes being health monitored might cause health monitors to fail.
Component: Local Traffic Manager
Symptoms:
Management traffic from nodes being health monitored might cause health monitors to fail.
Conditions:
A health monitor is checking node_ip:port where 1024 <= port < 65536, and the node periodically connects back to a management service on a self IP (e.g., iControl, GUI, SSH).
Impact:
Traffic is not sent to the node while the monitor is failing.
Workaround:
None.
Fix:
Management traffic from nodes being health monitored no longer causes health monitors to fail.
511324-12 : HTTP::disable does not work after the first request/response.
Solution Article: K23159242
Component: Local Traffic Manager
Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.
Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.
Impact:
The connection is reset.
Workaround:
None.
Fix:
HTTP::disable now works correctly after the first request or response.
510631-1 : B4450 L4 No ePVA or L7 throughput lower than expected
Component: Performance
Symptoms:
L4 (no ePVA) and L7 performance was limited to as little as 146 Gbps under some traffic conditions instead of the advertised capability of 160 Gbps.
Conditions:
This occurs on the B4450 blade.
Impact:
Performance lower than expected.
Fix:
Driver enhancements in 12.1.2 and 13.0 enable full 160 Gbps performance.
509980-1 : Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.
Component: TMOS
Symptoms:
When a DSC cluster is configured using HA Groups, spurious HA group configuration errors can be displayed when rebooting another member of the DSC cluster.
These messages can appear in the output of the "show cm traffic-group", or on the Device Management -> Traffic Groups page.
Conditions:
HA-DSC cluster with two or more members. HA Groups are configured on one or more traffic groups on all cluster members.
A cluster member is rebooted while an administrator is viewing the Device Management -> Traffic Groups page or issuing the "show cm traffic-group" command.
Impact:
A message stating that all traffic groups should have an HA Group configured may be incorrectly displayed. This has no effect on the operation of the system, and it clears once the cluster member has finished rebooting.
Workaround:
There is no workaround or mitigation other than upgrading to a release with the required fix.
Fix:
HA Daemon has been updated to correctly track the configuration of HA Groups on other devices during device reboots.
509858-5 : BIG-IP FastL4 profile vulnerability
Component: Local Traffic Manager
Symptoms:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Conditions:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Impact:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
Fix:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html
508302-2 : Auto-sync groups may revert to full sync
Component: TMOS
Symptoms:
If a large number of configuration changes in the same device group are being applied rapidly, device sync may start to generate full loads instead of incremental patches.
Conditions:
This only affects auto-sync device groups.
Impact:
The system may spuriously start to generate full loads instead of incremental changes.
Workaround:
You can use any of the following workarounds:
-- If a large series of syncs are expected, temporarily disable auto-sync for the device group in question.
-- Wrap all of the changes into a single transaction.
-- Add a short pause in between changes.
508113-3 : tmsh load sys config base merge file <filename> fails
Component: TMOS
Symptoms:
Save the sys config file:
(tmos)# save sys config file demo.scf no-passphrase
Saving running configuration...
/var/local/scf/demo.scf
/var/local/scf/demo.scf.tar
Try to load the base configuration from this file:
(tmos)# load sys config base merge file demo.scf
Loading configuration...
/var/local/scf/demo.scf
Syntax Error:(/var/local/scf/demo.scf at line: 6) "apm" unexpected argument
The error comes from system-generated configuration, not user-created configuration:
apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}
Basically, the configuration fails to load the components belonging to unprovisioned modules and features.
Conditions:
Running the command: load sys config base merge file <filename> when the system contains unprovisioned modules and features.
Impact:
tmsh load sys config base merge file <filename> fails.
Workaround:
None.
Fix:
The provisioning checks were modified to let this command succeed.
507240-4 : ICMP traffic cannot be disaggregated based on IP addresses
Solution Article: K13811263
Component: TMOS
Symptoms:
ICMP traffic might not be disaggregated evenly if there is not enough entropy from the ICMP header.
Conditions:
-- ICMP traffic has low entropy in ICMP header.
-- System is configured to disaggregate traffic.
Impact:
Traffic imbalance.
Workaround:
None.
Fix:
This release supports disaggregation of ICMP traffic based on IP addresses, in addition to ICMP headers. To enable the feature, use the following commands:
In v13.x:
tmsh modify net dag-globals icmp-hash ipicmp
In v12.x:
tmsh modify sys db dag.icmp_hash value ipicmp
Note: This feature cannot be used if the BIG-IP system translates IP addresses for ICMP traffic.
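Why header-only hashing spreads ICMP so badly, shown as an added simulation that is not F5 code and does not reproduce TMM's real hardware hash (a keyed blake2b digest stands in for it, which is an assumption; any well-mixed hash shows the same effect). The `"icmp"` and `"ipicmp"` mode names mirror the db variable values in the note; the packet records are constructed.

```python
import hashlib
from collections import Counter


def _hash_fields(*fields) -> int:
    """Toy stand-in for the disaggregation hash (assumption: the real TMM
    hardware hash differs, but the entropy argument is hash-independent)."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=4).digest(), "big")


def choose_tmm(pkt: dict, n_tmm: int, icmp_hash: str) -> int:
    """Pick the TMM index an ICMP packet is disaggregated to.

    icmp_hash == "icmp"   : hash ICMP header fields only (the old behaviour)
    icmp_hash == "ipicmp" : hash the IP addresses as well (dag.icmp_hash value ipicmp)
    """
    if icmp_hash == "icmp":
        key = _hash_fields(pkt["type"], pkt["code"], pkt["id"])
    elif icmp_hash == "ipicmp":
        key = _hash_fields(pkt["src"], pkt["dst"], pkt["type"], pkt["code"], pkt["id"])
    else:
        raise ValueError(f"unknown icmp_hash mode {icmp_hash!r}")
    return key % n_tmm


def distribute(packets, n_tmm: int, icmp_hash: str) -> Counter:
    """Count how many packets land on each TMM."""
    return Counter(choose_tmm(p, n_tmm, icmp_hash) for p in packets)


def max_share(counts: Counter, n_tmm: int) -> float:
    """Largest fraction of traffic that any single TMM receives (1.0 = all of it)."""
    total = sum(counts.values())
    return max(counts.get(i, 0) for i in range(n_tmm)) / total


def low_entropy_flood(n: int):
    """Constructed sample: n echo requests from n distinct sources, all with
    identical ICMP header fields (type 8, code 0, id 1), aimed at one virtual.
    This is the 'low entropy in ICMP header' condition from the note."""
    return [
        {"src": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
         "dst": "192.0.2.10", "type": 8, "code": 0, "id": 1}
        for i in range(n)
    ]


if __name__ == "__main__":
    pkts = low_entropy_flood(2000)
    for mode in ("icmp", "ipicmp"):
        share = max_share(distribute(pkts, 8, mode), 8)
        print(f"{mode:7s}: busiest TMM handles {share:.0%} of the flood")
```

With header-only hashing every packet of such a flood hashes to the same key and therefore to the same TMM, which is the imbalance the note describes; adding the source address to the hash input spreads the same packets roughly evenly across the eight TMMs. The note's caveat still applies: if the BIG-IP translates the IP addresses of ICMP traffic, the address contribution is no longer stable across the two directions, so `ipicmp` cannot be used.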
507206-1 : Multicast Out stats always zero for management interface.
Component: TMOS
Symptoms:
Multicast Out stats are always zero for the management interface.
Conditions:
Statistics information on the management interface.
Impact:
The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover.
Workaround:
Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.
506543-5 : Disabled ephemeral pool members continue to receive new connections
Component: Local Traffic Manager
Symptoms:
Disabled ephemeral pool members continue to be selected for new connections.
Conditions:
The FQDN parent node is disabled, causing its derived ephemeral pool members to be marked disabled.
Impact:
Unexpected traffic is load balanced to disabled pool members.
Workaround:
None.
Fix:
Traffic will no longer be load balanced to disabled ephemeral pool members.
504522-2 : Trailing space present after 'tmsh ltm pool members monitor' attribute value
Component: Local Traffic Manager
Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.
Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.
Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).
Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.
Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.
503842-4 : Microsoft WebService HTML component does not work after rewriting
Component: Access Policy Manager
Symptoms:
The Microsoft webservice.htc component provides a JavaScript interface to SOAP services for Microsoft Internet Explorer (IE). It stops working after being rewritten through the reverse proxy.
Conditions:
-- Using Microsoft webservice.htc component.
-- Rewriting through reverse proxy.
-- Running IE.
Impact:
Microsoft WebService component stops working.
Workaround:
You can use the following iRule to work around this issue:
---
when HTTP_REQUEST {
    # Downgrade IE compatibility mode
    set downgrade_ie_compat 0
    if { [HTTP::path] contains "PreviewQualitySheet.aspx" } {
        set UAString [string tolower [HTTP::header User-Agent]]
        if { ! ($UAString contains "msie 8.") and ! ($UAString contains "msie 7.")} {
            set downgrade_ie_compat 8
        }
    }
    # do not rewrite WebService HTML Component
    # because IE ignores it after rewriting.
    # patching a few things manually instead
    set ms_webservice_fix 0
    if { [HTTP::uri] ends_with "webservice.htc"} {
        set ms_webservice_fix 1
        HTTP::uri "[HTTP::uri]?F5CH=I"
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
}
when HTTP_RESPONSE {
    if { $downgrade_ie_compat > 0 && ! [HTTP::header exists X-UA-Compatible] } {
        HTTP::header replace "X-UA-Compatible" "IE=$downgrade_ie_compat"
    }
    if { $ms_webservice_fix == 1 } {
        if { [HTTP::header exists "Content-Length"] and \
             [HTTP::header "Content-Length"] > 0 and \
             [HTTP::header "Content-Length"] <= 1048576 } {
            HTTP::collect [HTTP::header Content-Length]
        } else {
            HTTP::collect 1048576
        }
    }
}
when HTTP_RESPONSE_DATA {
    if { $ms_webservice_fix == 1 } {
        set location [string first \
            {if (co.userName == null)} \
            [HTTP::payload]]
        if { $location > 0 } {
            HTTP::payload replace $location 0 {loc=F5_WrapURL(loc);}
        }
    }
    HTTP::release
}
Fix:
Microsoft WebService HTML component no longer stops working after rewriting.
503482-2 : BGP cannot redistribute IPv4 routes learned from OSPFv3.
Component: TMOS
Symptoms:
OSPFv3 route redistribution to BGP does not work.
Conditions:
-- A BIG-IP system with BGP and OSPFv3 configured.
-- Route redistribution enabled.
Impact:
OSPFv3 is capable of learning IPv4 routes from its neighbors. However, BGP is not redistributing IPv4 routes learned from OSPFv3.
Workaround:
None.
Fix:
IPv4 routes learned from OSPFv3 are now correctly redistributed by BGP.
501892-1 : Selenium is not detected by headless mechanism when using client version without server
Component: Application Security Manager
Symptoms:
DoSL7 Proactive Bot Defense (Block requests from suspicious browsers) detects Selenium when the Selenium server is running and a listener is open on one of the specific ports.
Conditions:
This occurs when ASM is provisioned with Proactive Bot Defense enabled, when the page is accessed for the first time.
Impact:
If a bot runs only the Selenium client package, it is not blocked by the DoSL7 Proactive Bot Defense mechanism.
Workaround:
N/A
Fix:
The Selenium detection mechanism has been improved: if a bot uses the Firefox or Chrome Selenium driver, PBD's JavaScript code detects it by checking for the required Chrome plugins and the Firefox WebDriver.
500452-8 : PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
Solution Article: K28520025
Component: TMOS
Symptoms:
The PB4300 blade tries to disaggregate ESP traffic in hardware based on the IPsec ESP Security Parameter Index (SPI) value. The blade does not have that capability, so ESP traffic is sent to one HSB, resulting in throughput degradation.
Conditions:
When PB4300 receives ESP traffic.
Impact:
Throughput degradation.
Workaround:
None.
Fix:
The PB4300 blade now uses IP addresses to disaggregate ESP traffic in hardware, so throughput is no longer impacted.
495443-10 : ECDH negotiation failures logged as critical errors.
Solution Article: K16621
Component: Local Traffic Manager
Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.
Conditions:
An SSL negotiation failure involving ECDH key agreement.
Impact:
Spurious critical error logs.
Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.
Fix:
These ECDH failures are now logged as non-critical errors.
495242-3 : mcpd log messages: Failed to unpublish LOIPC object
Component: Local Traffic Manager
Symptoms:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory).
Conditions:
This is an intermittent issue that occurs on standby systems in High Availability (HA) configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either the file has already been removed or it was not created.
Impact:
This is a benign error that can be safely ignored.
Workaround:
None.
Fix:
The system now suppresses logging when attempting to delete a non-existent file.
491560-1 : Using proxy for IP intelligence updates
Component: TMOS
Symptoms:
When connecting to the proxy server, the iprepd daemon sends its locally resolved IP address in the CONNECT request instead of the value of the DB variable iprep.server.
Conditions:
The following DB variables are configured to use proxy:
proxy.host
proxy.port
This presents a problem when the proxy server is configured to allow only IPs that have a reverse lookup.
Impact:
When the proxy sees the traffic, it denies it because there is no reverse lookup for that server IP.
Workaround:
Use one of the workarounds:
-- Do not use proxy.
-- Check the server IP address regularly and maintain the proxy whitelist manually.
Fix:
The iprepd daemon now sends the CONNECT request with the value of the DB variable iprep.server and lets the proxy server perform the DNS lookup.
489572-2 : Sync fails if file object is created and deleted before sync to peer BIG-IP
Solution Article: K60934489
Component: TMOS
Symptoms:
Sync fails if you create/import a file object and delete it before triggering a manual sync; the ltm logs contain messages similar to the following:
Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...
Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.
Impact:
Sync fails.
Workaround:
When you create/add a file object, make sure to sync before deleting it.
If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation (https://support.f5.com/csp/#/article/K13887).
487144-2 : tmm intermittently reports that it cannot find FIPS key
Component: Global Traffic Manager (DNS)
Symptoms:
You may see the following critical error message in /var/log/ltm: "FIPS acceleration device failure: cannot locate key"
Conditions:
A FIPS card is installed in the BIG-IP system and the key is retrieved. The exact conditions that cause this are not known, but it seems to be related to GTM being enabled.
Impact:
SSL cannot locate the key on the FIPS card, so SSL does not function properly.
Workaround:
None known, but restarting tmm or rebooting might correct the condition.
Fix:
There is now additional information in the error message that can help resolve the issue.
484542-1 : QinQ tag-mode can be set on unsupported platforms
Component: Local Traffic Manager
Symptoms:
tmsh does not validate QinQ tag-mode and allows invalid values to be set.
Conditions:
This occurs when trying to set QinQ tag-mode to values other than 'none' on unsupported platforms. Only platforms with ePVA support QinQ tagging.
Impact:
Although you can set QinQ tag-mode, the configuration has no effect. There is no negative impact on system functionality.
Workaround:
Only configure QinQ tag-mode on the following platforms: BIG-IP 5050s/5250v/7050s/7250v/10050s/10250v and VIPRION B2150 SSD-based models.
Fix:
QinQ tag-mode is now properly validated when configuring a VLAN via tmsh.
483953-1 : Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
Component: Local Traffic Manager
Symptoms:
ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size if the path MTU is lower than that value.
Conditions:
Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message advertising a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value is set to the TM.MinPathMTU value, even though packets of that size still cannot traverse the path.
This can affect multiple endpoints when a low MTU is advertised by an endpoint (misconfigured or malicious) behind a shared NAT address.
Impact:
TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU.
This metric will live for 10 minutes by default.
Workaround:
This issue has no workaround at this time.
The route metric lifetime can be lowered using route.metrics.timeout db key.
Fix:
Path MTUs lower than the value of TM.MinPathMTU will no longer be cached by TMM.
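The caching logic before and after this fix, as an added model that is not TMM code. It reproduces only the behaviour the note describes: the pre-fix path clamps a sub-minimum advertised MTU to the floor and caches it for the route metric lifetime; the fixed path refuses to cache it at all. `TM_MIN_PATH_MTU = 552` is an assumed value (the note names the variable but not its setting); the 600-second lifetime is the 10-minute default from the note, and the shared-NAT scenario and its addresses are constructed.

```python
# Assumed value: the note names TM.MinPathMTU but not its setting.
TM_MIN_PATH_MTU = 552
# The 10-minute default route metric lifetime from the note (route.metrics.timeout).
ROUTE_METRIC_TIMEOUT = 600
# Interface MTU used when no cached path MTU applies (assumption).
DEFAULT_MTU = 1500


class PmtuCache:
    """Per-destination path MTU cache modelled on the behaviour in the note.

    cache_below_min=True  reproduces the pre-fix logic: a needsfrag message that
                          advertises an MTU below the floor is clamped to
                          TM.MinPathMTU and cached anyway.
    cache_below_min=False reproduces the fix: such values are never cached.
    """

    def __init__(self, cache_below_min: bool, min_mtu: int = TM_MIN_PATH_MTU,
                 lifetime: int = ROUTE_METRIC_TIMEOUT):
        self.cache_below_min = cache_below_min
        self.min_mtu = min_mtu
        self.lifetime = lifetime
        self._routes = {}          # dst -> (mtu, expiry_time)

    def on_needs_frag(self, dst: str, advertised_mtu: int, now: float):
        """Process an ICMP type 3 code 4 for dst. Returns the cached MTU, or None
        when nothing was cached."""
        if advertised_mtu < self.min_mtu:
            if not self.cache_below_min:
                return None        # fixed: untrusted sub-minimum value, cache untouched
            mtu = self.min_mtu     # old: clamp to the floor and cache it regardless
        else:
            mtu = advertised_mtu
        self._routes[dst] = (mtu, now + self.lifetime)
        return mtu

    def mtu_for(self, dst: str, now: float) -> int:
        """MTU that would be used toward dst, honouring the metric lifetime."""
        entry = self._routes.get(dst)
        if entry is None or now >= entry[1]:
            self._routes.pop(dst, None)
            return DEFAULT_MTU
        return entry[0]


def nat_scenario(cache_below_min: bool):
    """Constructed scenario from the note's Conditions: one host behind a shared
    NAT address advertises an absurdly small MTU, and every other client behind
    that NAT shares the same route entry.

    Returns (mtu_used_for_the_nat_address, mtu_after_the_lifetime_expires)."""
    cache = PmtuCache(cache_below_min)
    shared_nat = "203.0.113.5"
    cache.on_needs_frag(shared_nat, advertised_mtu=200, now=0)   # the low-MTU host
    during = cache.mtu_for(shared_nat, now=10)                   # what its neighbours now get
    after = cache.mtu_for(shared_nat, now=ROUTE_METRIC_TIMEOUT + 1)
    return during, after


if __name__ == "__main__":
    print("pre-fix :", nat_scenario(cache_below_min=True))
    print("fixed   :", nat_scenario(cache_below_min=False))
```

In the pre-fix run every client behind the NAT is held to the clamped floor for ten minutes even though most of them could take a full-size datagram, while the one host that advertised 200 bytes still cannot be reached at the floor size, which is the double impact the note describes. The fixed run leaves the entry alone, so a single badly behaved or hostile endpoint can no longer poison the cached metric for its neighbours.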
480983-4 : tmrouted daemon may core due to daemon_heartbeat
Component: TMOS
Symptoms:
In rare instances, tmrouted for dynamic routing may core with a message similar to the following: warning sod[8953]: 01140029:4: HA daemon_heartbeat tmrouted fails action is restart.
Conditions:
This is a rare issue caused by timing-related interactions in dynamic routing operations.
Impact:
tmrouted cores and restarts.
Workaround:
None.
Fix:
tmrouted now operates normally under these conditions.
479471-1 : CPU statistics reported by the tmstat command may spike or go negative
Solution Article: K00342205
Component: TMOS
Symptoms:
On bladed systems, the results from the 'tmstat' and 'tmstat cpu' commands may spike high or go negative due to an issue with how per-blade statistics are collected.
Conditions:
An error in the timing of statistics collection causes the display to be incorrect.
Impact:
Incorrect display of CPU statistics.
Workaround:
There is no workaround.
Fix:
The CPU statistics display has been fixed.
478986 : Powered down DC PSU is treated as not-present
Component: TMOS
Symptoms:
When power is removed from the PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'.
Conditions:
This occurs when an installed DC powered PSU loses power, and the user runs the command 'tmsh show sys hardware'.
Impact:
Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so the system marks the PSU 'not present'. Once power is restored, all information is available.
Workaround:
Plug the power cable into the PSU. The system can now detect the power supply status and read the PSU info.
474797-7 : Nitrox crypto hardware may attempt soft reset while currently resetting
Component: Local Traffic Manager
Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.
Conditions:
A soft reset is needed to clear a stuck condition while another soft reset is already in progress.
Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.
Workaround:
Correct the condition that makes the soft reset necessary, or disable hardware-based crypto acceleration by setting the db variable 'tmm.ssl.cn.shunt' to disable.
To disable hardware-based crypto acceleration issue the following command:
tmsh modify sys db tmm.ssl.cn.shunt value disable
Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.
Fix:
A crypto soft reset attempt is now allowed to complete before another soft reset attempt can occur.
472860-5 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
Component: Policy Enforcement Manager
Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
Conditions:
Session created via iRule running on the RADIUS virtual server.
Impact:
RADIUS session statistics are not incremented.
Workaround:
None.
Fix:
The session statistics for sessions created by RADIUS are now incremented whenever an iRule running on the RADIUS virtual server creates a new session.
472571-7 : Memory leak with multiple client SSL profiles.
Component: Local Traffic Manager
Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.
Conditions:
Multiple client SSL profiles are attached to a virtual server.
Impact:
A small amount of memory leaks each time a profile is changed.
Workaround:
None.
Fix:
Multiple client SSL profiles attached to a virtual server no longer cause memory to be leaked.
471860-10 : Disabling interface keeps DISABLED state even after enabling
Solution Article: K16209
Component: TMOS
Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.
Conditions:
This occurs when using both tmsh and the GUI.
Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.
Workaround:
You can reboot to correct the indicator.
Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.
471237-2 : BIG-IP VE instances do not work with an encrypted disk in AWS.
Solution Article: K12155235
Component: TMOS
Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS because encryption/decryption introduces data corruption on the disk that causes some TMOS daemons to fail at run time.
Conditions:
Deploy a BIG-IP VE guest in AWS with an encrypted disk.
Impact:
TMM cores at startup, and does not start.
Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.
Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.
471029-2 : If the configuration contains a filename with the $ character, then saving the UCS fails.
Component: TMOS
Symptoms:
If the configuration contains a filename or username with the $ character, then saving the UCS fails. Examples of filenames include cm cert cache-path and cm key cache-path.
tmsh save sys ucs <ucs-id> fails for such configuration.
The error displayed appears similar to the following:
Fatal: executing: md5sum /var/tmp/filestore_temp/files_d/Common_d/certificate_d/:Common:?><.crt_53783_1
Operation aborted.
/var/tmp/configsync.spec: Error creating package.
Conditions:
Filenames or usernames in the configuration contain the $ character, for example in cm cert cache-path or cm key cache-path.
Impact:
Saving UCS fails.
Workaround:
Do not use the $ character as part of the filenames or usernames in the configuration.
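As an added illustration (not F5 code), the failure above is the classic hazard of assembling a command line from an object name: if a name containing '$' reaches a shell unquoted, the shell expands it before md5sum ever sees the argument, which is consistent with the mangled path in the error. The Python below uses a hypothetical name validator and constructed sample names; it shows what /bin/sh does to an unquoted name, and the two fixes a practitioner applies: quote the argument, or better, pass an argv list and never involve a shell.

```python
# Added example, not part of BIG-IP: how a '$' in a file name misbehaves when the
# name is interpolated into a shell command, and how to pass it safely.
import os
import re
import shlex
import subprocess

# Hypothetical allow-list for object names used in file paths: letters, digits,
# '.', '_', '-', plus '/' and ':' for partition paths. Shell metacharacters such
# as '$', '`', quotes, spaces and ';' are rejected up front.
OBJECT_NAME = re.compile(r"^[A-Za-z0-9._/:-]+$")


def validate_object_name(name: str) -> bool:
    """Return True only for names that contain no shell metacharacters."""
    return bool(OBJECT_NAME.match(name))


def unsafe_command(filename: str) -> str:
    """The fragile pattern: the name is pasted into a shell string unquoted."""
    return "md5sum " + filename


def safe_command(filename: str) -> str:
    """shlex.quote wraps the name in single quotes so the shell passes it literally."""
    return "md5sum " + shlex.quote(filename)


def argv_command(filename: str) -> list:
    """Preferred: an argv list handed to subprocess.run without shell=True.
    No shell is involved, so '$' is just a byte in the argument."""
    return ["md5sum", filename]


def sh_available() -> bool:
    return os.path.exists("/bin/sh")


def word_after_sh(word: str, quoted: bool = False) -> str:
    """Feed one word to /bin/sh and return what it becomes after expansion.
    Unquoted 'cert$1.crt': $1 is an unset positional parameter and expands to
    nothing, so md5sum would be asked for 'cert.crt'. Quoted, it survives."""
    if quoted:
        word = shlex.quote(word)
    result = subprocess.run(
        ["/bin/sh", "-c", "printf '%s' " + word],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample names; the second is the kind that breaks a UCS save.
    for name in ("cert.crt", "cert$1.crt"):
        print(name, "valid:", validate_object_name(name))
        if sh_available():
            print("  unquoted ->", word_after_sh(name))
            print("  quoted   ->", word_after_sh(name, quoted=True))
```

The validator is the cheap defence at configuration time; the argv form is the one that removes the whole class of problem for any tool that has to touch the file store.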
467709-1 : FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN
Component: Local Traffic Manager
Symptoms:
FQDN nodes and pool members show a status of Green (Available) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response.
Conditions:
This occurs when the DNS server returns an NXDOMAIN response for the configured FQDN name.
Impact:
FQDN nodes and pool members may appear to be Available when no ephemeral nodes/pool members have been created.
Workaround:
None.
Fix:
FQDN nodes and pool members show a status of Yellow (Unavailable) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.
Behavior Change:
FQDN ephemeral nodes are now deleted when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response. This change in behavior was introduced by the FQDNv2 feature re-implementation in this version of the software.
466068-1 : Allow setting of the AAA Radius server timeout value larger than 60 seconds
Component: Access Policy Manager
Symptoms:
Sometimes a 60-second timeout for the AAA Radius server is not enough, especially when users need to provide input. The following error message is displayed when a user tries to set a timeout value greater than 60:
"01090676:3: The requested timeout value (120) out of range for aaa radius server (/Common/test-radius-server). (1-60)"
Conditions:
This occurs only when all of the following conditions are met:
- APM is licensed and provisioned
- AAA Radius server is configured
- Radius Auth agent is included in the access policy
Impact:
Users cannot set a timeout value of more than 60 seconds for the AAA Radius server. If the response time from the AAA Radius server exceeds 60 seconds, users may not be able to log in and access resources if two-factor authentication is configured.
Workaround:
There is no workaround.
Fix:
Increased the AAA Radius Server timeout range from 0-60 to 0-180.
464801-3 : Intermittent tmm core
Component: Local Traffic Manager
Symptoms:
tmm intermittently cores. The stack trace signature indicates "packet is locked by a driver".
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed an intermittent tmm core.
464650-4 : Failure of mcpd with invalid authentication context.
Component: TMOS
Symptoms:
MCPd cores.
Conditions:
It is not known what triggers this core.
Impact:
Mcpd restarts.
Workaround:
None.
Fix:
Failure of mcpd with invalid authentication context no longer occurs.
463314-2 : Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail
Component: Application Security Manager
Symptoms:
When the AJAX blocking response page feature is enabled, ASM's pre-injected JavaScript adds a custom header to each outgoing AJAX request. Adding the header to a cross-domain AJAX request forces browsers to send an OPTIONS preflight request; if the back-end server does not handle the preflight request properly, the request fails, breaking functionality of the web application.
Conditions:
ASM is provisioned, an ASM policy is attached to a virtual server, and the Enable AJAX blocking response page feature is configured.
Impact:
Broken cross-domain AJAX requests.
Workaround:
Disable AJAX blocking response page feature in ASM policy.
Fix:
ASM's injected JavaScript no longer adds the custom header to cross-domain AJAX requests.
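The failure mode above is general CORS behaviour rather than anything ASM-specific: a browser sends a cross-origin request without a preflight only when the request is "simple" (a safelisted method and only safelisted headers with safelisted values), and any extra header, such as the one ASM's script injected, turns it into a preflighted request that the origin server must answer. The Python below is an added example, not ASM code; the header name "X-Custom-Marker" is a placeholder and the policy object is hypothetical. It decides whether a request will be preflighted and returns the minimal OPTIONS answer a back end must give for the real request to proceed.

```python
# Added example, not ASM code: when a cross-origin request needs a CORS preflight,
# and what the back end has to answer so the browser lets the real request through.
from dataclasses import dataclass

# CORS-safelisted methods and request headers. A request using only these, with a
# safelisted Content-Type, is "simple" and is sent without an OPTIONS preflight.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method: str, headers: dict) -> bool:
    """True when a browser would send an OPTIONS preflight for this cross-origin request."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True  # any custom header (e.g. an injected marker) triggers a preflight
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                return True
    return False


@dataclass
class CorsPolicy:
    """Hypothetical back-end CORS policy; header names are lower-case."""
    allowed_origins: set
    allowed_methods: set
    allowed_headers: set


def handle_preflight(policy: CorsPolicy, request_headers: dict) -> tuple:
    """Answer an OPTIONS preflight; returns (status, response_headers).
    A back end that ignores OPTIONS (404/405, or a 2xx without these headers)
    makes the browser abort the real request, which is the breakage described above."""
    origin = request_headers.get("Origin")
    method = request_headers.get("Access-Control-Request-Method", "").upper()
    requested = [h.strip().lower()
                 for h in request_headers.get("Access-Control-Request-Headers", "").split(",")
                 if h.strip()]
    if origin not in policy.allowed_origins:
        return 403, {}
    if method not in policy.allowed_methods:
        return 403, {}
    if not all(h in policy.allowed_headers or h in SAFELISTED_HEADERS for h in requested):
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,   # echo the single allowed origin, never "*" with credentials
        "Access-Control-Allow-Methods": ", ".join(sorted(policy.allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Max-Age": "600",         # let the browser cache the preflight result
        "Vary": "Origin",
    }
```

Echoing the requesting origin back only after checking it against an allow-list is the part most often done wrong; reflecting any Origin unconditionally turns the preflight into a cross-site data-read primitive.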
463097-3 : Clock advanced messages with large amount of data maintained in DNS Express zones
Component: Local Traffic Manager
Symptoms:
When a large amount of data is maintained in DNS Express (DNSX) zones, TMM can suffer clock advances while reloading the DNSX database, and 'Clock advanced' messages are logged.
Conditions:
Sufficiently large zones are loaded into DNSX (several hundred thousand to several million records, depending on hardware).
Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.
Workaround:
Prevent all updates to DNSX zones.
Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones have been significantly improved. The DNSX DB now resides in /shared to resolve DB size issues.
462043-2 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms
Component: Local Traffic Manager
Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', a packet's inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.
Conditions:
On 5000 and C2400 platforms.
Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.
Workaround:
None.
Fix:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', the packets are now handled as expected.
460833-5 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This symptom may occur under the following conditions:
1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.
Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.
459671-4 : iRules source different procs from different partitions and executes the incorrect proc.
Component: Local Traffic Manager
Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.
Conditions:
Multiple iRule procs defined in multiple admin partitions.
Impact:
The wrong proc may execute: the iRule proc lookup is not deterministic, or virtual servers improperly cache and share lookup results.
Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.
456376-4 : BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
Solution Article: K53153545
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. When trying to add '::ffff:0.0.0.0/96' to an address list or directly to a rule the system posts an error: Error parsing IP address: ::ffff:0.0.0.0/96.
Conditions:
-- IPv4-mapped-IPv6 notation in the configuration.
-- Adding prefix length greater than 32.
Impact:
Cannot successfully specify an IPv4-mapped-IPv6 block to be configured in AFM firewall rule (and possibly other AFM configurations as well).
Workaround:
To drop the IPv4-mapped-IPv6 block, enable the following DoS db variable: dos.dropv4mapped.
Fix:
You can now use tmsh for IPv4-mapped-IPv6 notation with prefix length greater than 32.
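For context on why the prefix length matters, an added Python example (not BIG-IP code; the rule and packet addresses are constructed): ::ffff:0.0.0.0/96 is the entire IPv4-mapped range, so a prefix capped at 32 could never express it. The helpers below parse such a rule with the standard ipaddress module, classify an address as native IPv4, native IPv6 or IPv4-mapped, and match literally by address family, which is why a native IPv4 packet does not hit an IPv6 rule while an IPv6 packet sourced from ::ffff:203.0.113.9 does. should_drop emulates the intent of the dos.dropv4mapped workaround, which discards every IPv4-mapped address regardless of rules.

```python
# Added example, not BIG-IP code: parsing and matching IPv4-mapped IPv6 blocks.
import ipaddress

V4_MAPPED_BLOCK = ipaddress.ip_network("::ffff:0.0.0.0/96")  # every ::ffff:a.b.c.d


def parse_rule_network(text: str):
    """Parse an address-list entry such as '::ffff:0.0.0.0/96' or '10.0.0.0/8'.
    strict=False tolerates host bits set, as an operator-typed rule might have."""
    return ipaddress.ip_network(text, strict=False)


def classify(addr: str) -> str:
    """'v4', 'v6' or 'v4-mapped' (an IPv6 address carrying ::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "v4"
    return "v4-mapped" if ip.ipv4_mapped is not None else "v6"


def embedded_ipv4(addr: str):
    """Return the IPv4 address inside a mapped address, or None."""
    ip = ipaddress.ip_address(addr)
    return ip.ipv4_mapped if ip.version == 6 else None


def rule_matches(rule: str, addr: str) -> bool:
    """Literal match by address family: an IPv6 rule only sees IPv6 packets, so a
    native IPv4 packet never matches ::ffff:0.0.0.0/96, but an IPv6 packet whose
    source is ::ffff:203.0.113.9 does. A /120 covers one mapped IPv4 /24."""
    net = parse_rule_network(rule)
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def should_drop(addr: str, drop_v4_mapped: bool) -> bool:
    """Emulates the intent of the dos.dropv4mapped workaround: when enabled,
    every IPv4-mapped address is discarded before any rule is consulted.
    Mapped addresses on the wire are anomalous on dual-stack networks and are a
    classic way to slip past filters written only in IPv4 terms."""
    return drop_v4_mapped and classify(addr) == "v4-mapped"
```

The literal-by-family comparison is the conservative choice: silently translating native IPv4 packets into their mapped form, or the reverse, is exactly how a rule set ends up permitting traffic the author never considered.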
455975-1 : Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
Component: Access Policy Manager
Symptoms:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.
Conditions:
Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns.
Impact:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.
Workaround:
This issue has no workaround at this time.
Fix:
Access Sessions and Connectivity Sessions are now exposed correctly in SNMP MIBS.
452283-2 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
Component: Local Traffic Manager
Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.
Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.
Impact:
A connection remains that never expires; its idle time periodically resets to 0.
Workaround:
There is no workaround at this time.
Fix:
Fixed MP_FASTCLOSE handling.
448409-1 : 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
Solution Article: K15491
Component: TMOS
Symptoms:
The commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' cause loss of sync configuration and initiate a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, without having it take effect.
Conditions:
This affects the ConfigSync communication channel if configured.
Impact:
The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted.
Workaround:
You can avoid this issue by adding the 'merge' option to the 'load sys config from-terminal verify' and 'load sys config file <filename> verify' commands, which keeps the current configuration during the validation step. Once affected by this issue, re-load the full configuration using the following command: tmsh load sys config partitions all.
Fix:
Previously, the commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' did some operations related to sync and provisioning, though they are supposed to check only the validity of the configuration (without changing it). This has been resolved.
447565-5 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Solution Article: K33692321
Component: Access Policy Manager
Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.
Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.
Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.
Impact:
End users will be unable to connect.
Workaround:
Correct the problem by running the following command:
bigstart restart eca.
442231-4 : Pendsect log entries have an unexpected severity
Component: TMOS
Symptoms:
Pendsect logs non-errors with a 'warning' severity.
Conditions:
This occurs when pendsect is executed.
Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.
Workaround:
None needed. This is cosmetic.
Fix:
Adjusted severity level of various logs generated by pendsect script, so that informational messages are not logged as warnings.
441079-2 : BIG-IP 2000/4000: Source port on NAT connections is modified when it should be preserved
Solution Article: K55242686
Component: Local Traffic Manager
Symptoms:
The BIG-IP system is modifying the source port on NAT connections.
Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.
Impact:
This impacts any applications where the source port is expected to be preserved.
Workaround:
None.
Fix:
The source port is always preserved for NAT connections.
Behavior Change:
The source port is always preserved for NAT connections.
440620-2 : New connections may be reset when a client reuses the same port as it used for a recently closed connection
Component: Local Traffic Manager
Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.
Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.
Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.
Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.
Fix:
Improved abort handling to better clean up hanging connections.
436116-1 : The tcpdump utility may fail to capture packets
Component: TMOS
Symptoms:
Although packets are flowing correctly through the BIG-IP system, the tcpdump utility may capture no packets when certain command options are used.
Conditions:
This issue occurs when all of the following conditions are met:
- You configure tcpdump to listen for packets on a physical interface (e.g., -i 1.1).
- You configure tcpdump to save the packets to a file in binary format (e.g., -w /var/tmp/example.pcap).
- You configure tcpdump to produce verbose output while capturing packets (e.g., -v, -vv or -vvv).
Impact:
The tcpdump utility does not capture any packets, which may create confusion for a BIG-IP Administrator performing troubleshooting on the system. This issue does not affect the traffic-passing abilities of the system, however.
Workaround:
You can work around this issue by starting the tcpdump utility without the -v, -vv or -vvv verbose output options.
434821-1 : Remote logging of staged signatures and staged sets
Component: Application Security Manager
Symptoms:
There is no option to see matched staged signatures in remote logging.
Conditions:
A remote logger is configured. There is no configuration option to include staged signatures in remote logs.
Impact:
Without a local logger, a user cannot make informed decisions about staged signatures.
Workaround:
Add a local logger.
Fix:
Added staged signature IDs, names, and sets to the remote logger.
434573-6 : Tmsh 'show sys hardware' displays Platform ID instead of platform name
Solution Article: K25051022
Component: TMOS
Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.
For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:
Platform
Name D113
instead of the official platform marketing name, such as:
Platform
Name BIG-IP 10000F
Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.
Note: The source of the platform information comes in a file: /etc/hal/MARKETING-NAMES. With each release, this file is updated to reflect the platforms available at time of release. The marketing-names package version serves as an identifier of the age of the marketing-names package.
Impact:
Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID.
Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.
Note: To get the newest marketing-names package, you must upgrade to a newer BIG-IP release, or specifically request an individual engineering hotfix to address the issue.
Fix:
The system now shows marketing names of platforms that were relatively current at the time of each release, but this issue might occur on any release. It is not possible to predict whether this issue will be present on a specific platform for a specific software version.
This is true because the system relies on a specific file to provide all marketing names for BIG-IP platforms. That file might not be updated for every release, and additional hardware might be released after a software version is shipped. Therefore, you might have to use the platform designation rather than the marketing name in your custom automation scripts.
Note: You can find marketing names of platforms here: K9476: The F5 hardware/software compatibility matrix :: https://support.f5.com/csp/article/K9476.
433678-2 : A monitor removed from GTM link cannot be deleted: 'monitor is in use'
Solution Article: K32401561
Component: Global Traffic Manager (DNS)
Symptoms:
A monitor removed from GTM link cannot be deleted. Attempting to delete the monitor results in an error message similar to the following: 01070083:3: Monitor /Common/custom_gtm_mon is in use.
Conditions:
Deleting a custom monitor that was formerly used by a GTM link.
1. Create a custom GTM monitor that can be used on a link.
2. Create a GTM link, and add the custom monitor to it.
3. Remove the monitor from the link.
4. Attempt to delete the monitor.
Impact:
Unable to delete monitor.
Workaround:
Reload the GTM config and delete the monitor.
Fix:
This release enables deletion of a monitor removed from GTM link, and no monitor-in-use error message is returned.
433357 : Management NIC speed reported as 'none'
Component: TMOS
Symptoms:
Sometimes, after mcpd restarts, mcpd does not receive the management port NIC speed from chmand, and 'tmsh show net interface' might show the speed of the mgmt interface as 'none'.
Conditions:
The management interface is up, and mcpd is then restarted.
Impact:
The 'tmsh show net interface' command does not show the correct management port speed.
Workaround:
You can resolve this issue by restarting the chmand process. On appliances (BIG-IP platforms), run the following command:
bigstart restart chmand.
On VIPRION systems, run the following command:
clsh "bigstart restart chmand".
Fix:
The tmsh utility now reliably displays the current media of the BIG-IP system's management port even if the mcpd daemon has restarted.
431840-3 : Cannot add vlans to whitelist if they contain a hyphen
Component: Advanced Firewall Manager
Symptoms:
When attempting to add a vlan to the DoS protection whitelist and the vlan contains a hyphen, the following validation error is returned:
01071792:3: Vlan should be numeric form as vlan number / mask
Conditions:
Adding a vlan containing a hyphen to the whitelist
Impact:
Unable to add vlans that contain a hyphen
Workaround:
Specify the VLAN tag number instead of the VLAN name, ignoring the drop-down menu that offers VLAN names.
424542-5 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
Component: TMOS
Symptoms:
tmsh modify net interface commands with either invalid interface names, or invalid attribute names will appear to create new interfaces.
An invalid interface shows up in "show net interface".
Conditions:
Only happens on clustered or virtual environments, not on appliances.
Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.
Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"
423629-3 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
Solution Article: K08454006
Component: Local Traffic Manager
Symptoms:
bigd restarts once, and afterwards subsequent pings from the monitor fail.
Conditions:
This can occur when assigning an ICMP monitor to a pool member, and specifying a route domain that does not exist.
Impact:
For bigd, a single restart is harmless. The invalid configuration, however, causes monitor failures: because the route domain no longer exists, the pool member is marked down.
Workaround:
None.
Fix:
bigd no longer cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted.
423392-6 : tcl_platform is no longer in the static:: namespace
Component: Local Traffic Manager
Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.
Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.
Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.
Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.
421797-3 : ePVA continues to accelerate hardware offloaded traffic in Standby.
Component: TMOS
Symptoms:
For several seconds after a failover of redundant BIG-IP units, some application traffic can still be seen egressing the newly standby unit.
Conditions:
This issue occurs when all of the following conditions are met:
-- BIG-IP units are deployed in a redundant configuration.
-- BIG-IP units are hardware models with the ePVA chip.
-- One or more virtual servers employ hardware acceleration.
-- A failover of the units occurs.
-- For some specific reason, the newly standby unit still receives some application traffic (matching hardware offloaded flows) from the network. It is this traffic which continues to be processed (and egressed back to the network) by the ePVA chip.
Impact:
The offloaded flows are eventually evicted from the ePVA after the failover switch period (16 seconds by default). However, traffic in some deployments may be impacted during this time. What determines whether any impact occurs or not is a combination of:
-- Whether MAC masquerading is used or not.
-- How many IP addresses need to be advertised after a failover.
-- The speed and efficiency with which surrounding network equipment learns the IP addresses have moved.
-- Whether hardware offloaded flows and regular software flows share a common virtual address. This matters because even though a hardware offloaded flow can continue to work despite being processed by the standby unit, egressing such packets may cause a MAC address change and/or port movement for a specific IP address on the surrounding network equipment. In turn, this may cause regular software flows for the virtual address to be directed to the standby unit, and these flows fail as TMM does not process them in standby mode.
Workaround:
There are three possible mitigation scenarios:
-- Reduce the likelihood of this issue by configuring MAC masquerading for your Traffic-Groups. This can improve the situation, as the surrounding network equipment no longer has to learn a MAC address change for a given IP address during a failover of the BIG-IP devices (the equipment only has to learn the port move for the MAC masquerade address).
-- Ensure the surrounding network equipment is not limiting GARPs (or broadcast ARP requests/responses in general).
-- Employ the 'link down time on failover' feature to keep links down after a failover for a few seconds (thus preventing the possibility of any traffic egressing the standby unit). This is not possible for vCMP guests, however.
Fix:
There is now a database variable 'pva.standby.flush' which can be enabled to flush accelerated flows after a failover. Setting 'pva.standby.flush' to 1 instructs the BIG-IP system to evict all accelerated flows from the ePVA hardware after it registers a failover event.
Note: If multiple Traffic-Groups are configured, a failover from any of them causes this flush, regardless of the state of any other Traffic-Groups.
-- To enable this functionality:
tmsh modify sys db pva.standby.flush value 1
-- To disable this functionality (the default setting):
tmsh modify sys db pva.standby.flush value 0
Note: The term 'flush' or 'eviction' does not mean flow 'deletion'; flow eviction occurs normally in other situations. The impact from the flush/eviction of flows on other, still active Traffic-Groups results in brief, increased resource consumption until the flows are returned to ePVA acceleration.
419741-3 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
Component: Local Traffic Manager
Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.
Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.
Impact:
In rare situations, the TMM crashes.
Workaround:
None. This occurs rarely, and the system recovers automatically. Although this mitigation has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
418349-2 : Update/overwrite of FIPS keys error
Component: TMOS
Symptoms:
After deleting and re-creating a FIPS key, sync to other devices fails and /var/log/ltm gives the following error:
crit tmm[10817]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 78 status: 0x40000116 : ERR_HSM_ERROR
Note that this error is logged for any FIPS-related error; it is likely this issue if you were attempting to replace FIPS keys with an identical name on devices in a device group.
Conditions:
This can occur on FIPS-enabled devices in a device group when a FIPS key is deleted and an identically-named FIPS key is added.
Impact:
Sync of the FIPS key fails.
Workaround:
If you are encountering this, you can do the following workaround.
Impact of workaround: this should have no negative impact to the system since your objective is to replace the FIPS keys.
- Detach all keys/certs from all SSL Profiles and delete all keys via script on the standby System
- Run "tmsh show sys crypto fips" and verify all keys have been deleted
- Run a configsync with override and verify the sync has been carried out successfully.
418009 : Hardware data display inaccuracies
Component: TMOS
Symptoms:
Sensor location fields are truncated. The Part Number and PCA titles are incorrect for some platforms because the titles were platform-specific.
Conditions:
When displaying hardware details with the command 'tmsh show sys hardware', you may see the problems in the sensor data and in the Hardware Version Information.
Impact:
Missing sensor location data, and incorrectly named hardware characteristic titles.
Fix:
Fixed the truncation problem for the sensor location increasing the size of the data used for retrieving it; and used Part Number and PCA to have generic titles that apply to all platforms.
412817-3 : BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
Component: TMOS
Symptoms:
The BIG-IP system is unreachable for IPv6 traffic via PCI pass-through interfaces, because current ixgbevf drivers do not support multicast receive.
Conditions:
When configured to see IPv6 traffic on a PCI pass-through interface, the BIG-IP guest is not able to see this traffic.
Impact:
PCI pass-through interfaces are unable to see IPv6 traffic.
Workaround:
None.
Fix:
The BIG-IP system is now reachable for IPv6 traffic via PCI pass-through interfaces.
409340-1 : https/ssl monitor closes immediately (rather than awaiting remote close-notify)
Solution Article: K63086108
Component: Local Traffic Manager
Symptoms:
SSL-based monitors (such as https) continue to maintain an open connection for up to ~15 seconds after the monitor probe is completed, when connecting to an SSL enabled web server that fails to send close-notify before FIN.
Conditions:
Configuration uses SSL-based monitors (such as https), where your SSL enabled web server fails to send close-notify before FIN.
Impact:
SSL-enabled monitors wait ~15 seconds before closing the connection and reclaiming resources. Although this behavior is correct according to the SSL protocol, it has the potential to introduce a limited amount of connection stacking on the monitored host.
Workaround:
Your SSL enabled web server should send close-notify before FIN for SSL-based monitors to close immediately.
Fix:
Previous behavior for an SSL-based monitor (such as https) sent a shutdown notification to the remote-server, and awaited a close-reply (shutdown acknowledgement) response for up to 15 seconds. When an SSL-enabled web server fails to send close-notify, the SSL-based monitor hangs in CLOSE_WAIT for ~15 seconds before sending FIN and closing the connection. This waiting consumes resources that are unavailable for other monitoring, which is observed to be significant on certain configurations with high https monitor loads.
New behavior is to close the connection immediately after sending shutdown notification to the remote server, and not await a shutdown acknowledgement.
401815-1 : BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
Component: Service Provider
Symptoms:
The BIG-IP system resets the egress IP ToS to zero (0). As a result of this issue, you may encounter the following symptoms:
-- A packet capture on the affected traffic shows the DSCP value in the DS field is set to zero for SIP packets egressing from the BIG-IP system.
-- Traffic priority failure for SIP traffic egressing from the BIG-IP system, which may also cause voice quality degradation.
Conditions:
This issue occurs when all of the following conditions are met:
-- A virtual server is configured with both a SIP and UDP profile.
-- The IP ToS setting in the UDP profile is set to Pass Through.
The IP ToS setting controls the Differentiated Services Code Point (DSCP) values of the Differentiated Services (DS) field in the IP header. This information is used in Quality of Service (QoS) configurations to give specific traffic priority on the network. By resetting the DSCP values to zero, the SIP traffic egressing from the BIG-IP system does not receive the expected priority while traversing through the network.
Impact:
SIP traffic egressing the BIG-IP system does not receive the expected priority. This issue may cause voice quality degradation.
Workaround:
To work around this issue, you can use the following iRule to preserve the DSCP values when passing through the BIG-IP system:
when CLIENT_ACCEPTED {
    set client_tos [IP::tos]
}
when SERVER_CONNECTED {
    IP::tos $client_tos
}
Fix:
The BIG-IP system now propagates the ToS bit from ingress flow to the egress flow.
400778 : Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
Component: TMOS
Symptoms:
On a VIPRION system, during a failover in which a blade transitions from secondary to primary, log messages make it appear that chmand is looking to delete logical disks on CF1 and HD1.
Conditions:
This occurs on VIPRION systems.
Impact:
The ltm log displays messages:
-- err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete
-- err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete
Workaround:
None. These messages are benign and you can safely ignore them.
400550 : LCD listener error during shutdown
Component: TMOS
Symptoms:
During shutdown you see this error message: 012a0004:4: LCD listener write to LCDd exception: Psuedo Terminal: File I/O Error [Bad file descriptor] at PseudoTermDev.cpp:93
Conditions:
This can occur when shutting down a blade on a VIPRION 4400 platform.
Impact:
This occurs on shutdown and is cosmetic, and can be ignored.
Workaround:
None.
Fix:
The system now detects and handles the interruption during shutdown, to exit cleanly without error messages.
393270-1 : Configuration utility may become non-responsive or fail to load.
Component: TMOS
Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Unable to log into the GUI, or the GUI shows a blank page.
Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.
Fix:
Configuration utility now responds as expected when deleting local users (Access Policy :: Local User DB : Manage Users), or under other conditions in which an internal timeout results in GUI non-responsiveness because of an incomplete transaction close.
392121-3 : TMSH Command to retrieve the memory consumption of the bd process
Component: Application Security Manager
Symptoms:
There are no tmsh commands to retrieve the memory consumption of the bd process.
Conditions:
tmsh commands don't show bd process memory usage.
Impact:
Difficult to diagnose memory consumption issues.
Workaround:
Review messages individually in /var/log/ts/bd.log.
### For ASM bd current memory consumption use the following grep command
cat /ts/log/bd.log | grep "UMU: total"
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0
### For XML memory consumption in the bd process, do the following on a BIG-IP system.
*WARNING*: The following steps enable debug prints in bd.log, which may cause excessive I/O; handle with care on production boxes.
1. Add the following 3 lines to /etc/ts/bd/logger.cfg:
MODULE=BD_XML;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;
2. Run the CLI tool:
/usr/share/ts/bin/set_active.pl --update_logger_cfg
To stop the debug prints, remove the 3 lines above from the logger.cfg file and run the CLI tool again.
Fix:
The following command now reports memory consumption of the bd process:
tmctl asm_memory_util_stats
To select specific fields, use the -s option, for example:
tmctl asm_memory_util_stats -s total_xml_mem_used,total_xml_max_mem
389484-6 : OAM reporting Access Server down with JDK version 1.6.0_27 or later
Component: Access Policy Manager
Symptoms:
Cannot connect to Access Server.
When running the eamtest tool to check that OAM and the Access Server are working together correctly, the following error is seen:
Preparing to connect to Access Server. Please wait.
Access Server you specified is currently down. Please check your Access Server.oamconfig[2368]: Could not configure OAM
Conditions:
The problem occurs only when the OAM server is installed with JDK version 1.6.0_27 or later.
Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.
Workaround:
Install an older version of the JDK than v1.6.0_27.
Fix:
Applied OAM ASDK patch given by Oracle, so OAM no longer reports Access Server down with JDK version 1.6.0_27 or later.
386517-1 : Multidomain SSO requires a default pool be configured
Component: Access Policy Manager
Symptoms:
When configuring multidomain SSO, a pool must be assigned to the virtual, even if one is not being used. A typical symptom of not assigning the pool is that after logon, the user will be redirected back to another logon page.
Conditions:
Any use case of multidomain SSO where there is no pool configured on the virtual servers, and there is not a webtop assigned.
Impact:
There are two known use cases where this is commonly encountered:
1) LTM + Secure Connectivity virtuals do not usually have a default pool configured.
2) The pool is being configured through an iRule.
Workaround:
When configuring multidomain SSO, always assign a default pool to the virtual server.
Fix:
Some of the logic in ACCESS was updated to take dynamic pool assignments (e.g., via iRules) into consideration in addition to the default pool. A default pool is no longer needed for multidomain SSO.
371164-1 : BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs.
Component: Local Traffic Manager
Symptoms:
Because traffic groups are not bound to any specific VLAN or interface, Neighbor Discovery (ND) for link-local addresses goes out on all VLANs. Since the MAC is bound to the traffic group, it is not bound to a particular VLAN either.
Conditions:
Using MAC masquerade addresses on VLANs. TMM creates a new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs.
For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.
Configuration
===========
net self 10.10.10.10%1 {
    address 10.10.10.10%1/23
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan Internal
}
Impact:
Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, some switches might not do so correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4.
Workaround:
Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN.
370131-4 : Loading UCS with low GTM Autoconf Delay drops pool Members from config
Component: Global Traffic Manager (DNS)
Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.
Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.
Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.
Workaround:
Run 'bigstart stop gtmd' during the UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.
Fix:
Loading UCS with low GTM Autoconf Delay now completes correctly.
367226-4 : Outgoing RIP advertisements may have incorrect source port
Component: Local Traffic Manager
Symptoms:
TMM may change the source port of RIP packets sent by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.
If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.
Conditions:
Multiple TMM instances, RIP routing configured.
Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.
Fix:
TMM no longer modifies the source port of RIP traffic.
366695-1 : Managers can attempt to create/modify/delete GTM datacenters, links, servers, prober-pools, and topology objects from TMSH, and receive a database error when they do so
Component: Global Traffic Manager (DNS)
Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.
Conditions:
A user with the "Manager" role attempts to create/modify/delete a GTM datacenter, link, server, prober-pool, or topology object.
Impact:
An error message is thrown.
Workaround:
The error thrown is correct, but users shouldn't be able to get this far in tmsh.
Fix:
Removed Manager's ability to create/modify/delete GTM data centers, links, servers, prober-pools, and topology objects. This was already prevented through validation code, but now TMSH users only have access to view these objects.
355806-7 : Starting mcpd manually at the command line interferes with running mcpd
Component: TMOS
Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.
Conditions:
Having a running mcpd and executing mcpd at the command line.
Impact:
Various issues on the system; for example, some utilities may no longer be able to interact with mcpd.
Workaround:
Do not run mcpd directly from the command line.
Fix:
The command now reports the PID of the running mcpd, and the executed command exits abnormally.
353229-2 : Buffer overflows in DIAMETER
Solution Article: K54130510
352957-4 : Route lookup after change in route table on established flow ignores pool members
Solution Article: K03005026
Component: Local Traffic Manager
Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.
Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.
Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.
Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.
Fix:
The nexthop for established flows, set using "nexthop vlan addr" in an iRule for CLIENT_ACCEPTED state, does not change when there are changes in the route table. This is correct behavior.
273104-2 : Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
Component: Local Traffic Manager
Symptoms:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.
Conditions:
Always.
Impact:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.
Fix:
Each TCP connection now starts with a random timestamp. This is disabled by default; the sys db variable tm.tcpsendrandomtimestamp can be used to enable or disable random TCP timestamps.
251162-3 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
Solution Article: K11564
Component: Local Traffic Manager
Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.
For example:
tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)
Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.
Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.
Workaround:
None.
248914-4 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
Solution Article: K00612197
Component: Local Traffic Manager
Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.
Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.
Impact:
This may cause destination lookup failures on the layer 2 network.
Workaround:
Use transparent mode instead of translucent mode on the vlangroup.
Fix:
ARP and NDP replies sent from the BIG-IP to a vlangroup use the vlangroup MAC address as the layer 2 source address.
246726-1 : System continues to process virtual server traffic after disabling virtual address
Solution Article: K8940
Component: Local Traffic Manager
Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.
Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.
Impact:
Traffic is still processed.
Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940
Fix:
When disabling a VIP in LTM the VIP no longer passes traffic. This is correct behavior.
Behavior Change:
When disabling a VIP in LTM the VIP no longer passes traffic.
238444-3 : An L4 ACL has no effect when a layered virtual server is used.
Solution Article: K14219
Component: Access Policy Manager
Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:
-- Unexpected network traffic may be allowed to pass.
-- Expected network traffic may be blocked.
Conditions:
This issue occurs when the following conditions are met:
-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.
Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.
Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.
Fix:
With this fix, an administrator needs to perform the following tasks:
1. Create an iRule similar to the following:
when CLIENT_ACCEPTED {
    ACL::eval
}
2. Attach this iRule to admin-defined layered virtual servers.
225634-1 : The rate class feature does not honor the Burst Size setting.
Component: Local Traffic Manager
Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).
The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.
Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.
Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.
Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:
Impact of workaround: None.
1. Log in to the Configuration utility.
2. Click Network.
3. Click Rate Shaping.
4. Click the appropriate rate class.
5. Change the Burst Size to 0.
6. Click Update.
Fix:
The fix for this issue results in disabling the burst feature temporarily.
Note: Neither the GUI nor tmsh prevent you from configuring the burst feature, but the settings have no effect.
Behavior Change:
The burst feature is now disabled for rate shaping. Although you can configure the burst size setting, it has no effect.
222034-4 : HTTP::respond in LB_FAILED with large header/body might result in truncated response
Component: Local Traffic Manager
Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.
Conditions:
This issue occurs when all of the following conditions are met:
-- HTTP::respond is used in the LB_FAILED event to return a large response.
-- No other TCP data has been sent to the client.
Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.
Workaround:
To work around this issue, modify the iRule. For example, instead of directly using HTTP::respond inside of an LB_FAILED event, perform a 302 Redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.
Known Issues in BIG-IP v12.1.x
TMOS Issues
ID Number | Severity | Solution Article(s) | Description |
694897-4 | 1-Blocking | Unsupported Copper SFP can trigger a crash on i4x00 platforms. | |
652223-1 | 1-Blocking | K50325308 | BWC: Non-TCP data going through Category can make policy active |
603093 | 1-Blocking | AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system | |
544980-5 | 1-Blocking | BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle. | |
990853-6 | 2-Critical | Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway. | |
980325-2 | 2-Critical | Chmand core due to memory leak from dossier requests | |
942549-5 | 2-Critical | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 | |
929133-5 | 2-Critical | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' | |
915305-1 | 2-Critical | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | |
888341-2 | 2-Critical | HA Group failover may fail to complete Active/Standby state transition | |
854493-1 | 2-Critical | Kernel page allocation failures messages in kern.log | |
831821-6 | 2-Critical | Corrupted DAG packets causes bcm56xxd core on VCMP host | |
817709-1 | 2-Critical | IPsec: TMM cored with SIGFPE in racoon2 | |
817085-1 | 2-Critical | Multicast Flood Can Cause the Host TMM to Restart | |
810593-5 | 2-Critical | K10963690 | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★ |
792285-4 | 2-Critical | TMM crashes if the queuing message to all HSL pool members fails | |
789973 | 2-Critical | Tmm crash while using IPsec | |
780437-5 | 2-Critical | Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration. | |
777993-4 | 2-Critical | Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same | |
770953-5 | 2-Critical | 'smbclient' executable does not work | |
770741 | 2-Critical | NIC Tx Engine hang causing ixgbevf interface (SR-IOV) flipping | |
758929-5 | 2-Critical | Bcm56xxd MIIM bus access failure after TMM crash | |
756830-3 | 2-Critical | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' | |
755549 | 2-Critical | TMM crash and core | |
746464-4 | 2-Critical | MCPD sync errors and restart after multiple modifications to file object in chassis | |
746122-5 | 2-Critical | 'load sys config verify' resets the active master key to the on-disk master key value | |
743271-2 | 2-Critical | Querying vCMP Health Status May Show Stale Statistics | |
711683-4 | 2-Critical | bcm56xxd crash with empty trunk in QinQ VLAN | |
708968-4 | 2-Critical | OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address | |
703669-3 | 2-Critical | Eventd restarts on NULL pointer access | |
698931-3 | 2-Critical | Corrupted SessionDB messages causes TMM to crash | |
693246-1 | 2-Critical | SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time. | |
680556-2 | 2-Critical | Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted | |
675431-1 | 2-Critical | Non-default value in db variable pvaSynCookies.enabled reverts to default value after reboot or mcpd restart | |
673147-1 | 2-Critical | K01350083 | Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles. |
667114-1 | 2-Critical | K32622880 | TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth. |
644135 | 2-Critical | K53342451 | 12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics |
625156 | 2-Critical | K50524736 | Bigd memory leak |
613542-2 | 2-Critical | K81463390 | tmm core while running the iRule STATS:: command |
608511-2 | 2-Critical | K22141268 | Message router profile is not inheriting the traffic-group from the parent folder |
593536-10 | 2-Critical | K64445052 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations |
481235-2 | 2-Critical | Rare Watchdog Restart of TMM and Datastor | |
477611-5 | 2-Critical | ICMP monitor does not work on DAG Round Robin enabled VLANs | |
382363-7 | 2-Critical | K30588577 | min-up-members and using gateway-failsafe-device on the same pool. |
987081-6 | 3-Major | Alarm LED remains active on Secondary blades even after LCD alerts are cleared | |
977609-6 | 3-Major | Request logging profile not logging server-side variables on a virtual-server with rate-limit or connection-limit applied | |
977113-2 | 3-Major | Unable to configure dependency for GTM virtual server if pool member dependency exists | |
976013-1 | 3-Major | If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards | |
972785-2 | 3-Major | Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP | |
970829-2 | 3-Major | iSeries LCD incorrectly displays secure mode after changing login password | |
967745-5 | 3-Major | Last resort pool error for the modify command for Wide IP | |
966949-5 | 3-Major | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node | |
965941-5 | 3-Major | Creating a net packet filter in the GUI does not work for ICMP for IPv6 | |
964125-5 | 3-Major | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | |
956589-5 | 3-Major | The tmrouted daemon restarts and produces a core file | |
947529-4 | 3-Major | Security tab in virtual server menu renders slowly | |
945265-1 | 3-Major | BGP may advertise default route with incorrect parameters | |
943669-6 | 3-Major | B4450 blade reboot | |
930825-1 | 3-Major | System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors | |
928697-5 | 3-Major | Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT | |
927941-1 | 3-Major | IPv6 static route BFD does not come up after OAMD restart | |
927909 | 3-Major | Upgrading a vCMP guest using a block device image may fail on older versions of host software | |
925797-5 | 3-Major | Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members | |
922613-5 | 3-Major | Tunnels using autolasthop might drop traffic with ICMP route unreachable | |
920761-5 | 3-Major | Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values | |
920517-5 | 3-Major | Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI | |
919317-1 | 3-Major | NSM consumes 100% CPU processing nexthops for recursive ECMP routes | |
918693-1 | 3-Major | Wide IP alias validation error during sync or config load | |
915557-6 | 3-Major | The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status. | |
915493-1 | 3-Major | imish command hangs when ospfd is enabled | |
914081-5 | 3-Major | Engineering Hotfixes missing bug titles | |
913829-1 | 3-Major | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | |
913433-5 | 3-Major | On blade failure, some trunked egress traffic is dropped. | |
909197-6 | 3-Major | The mcpd process may become unresponsive | |
908021-4 | 3-Major | Management and VLAN MAC addresses are identical | |
907549-5 | 3-Major | Memory leak in BWC::Measure | |
906505-6 | 3-Major | Display of LCD System Menu cannot be configured via GUI on iSeries platforms | |
905749-4 | 3-Major | imish crash while checking for CLI help string in BGP mode | |
901989-6 | 3-Major | Boot_marker writes to /var/log/btmp | |
900485-6 | 3-Major | Syslog-ng 'program' filter does not work | |
899933-6 | 3-Major | Listing property groups in TMSH without specifying properties lists the entire object | |
899085-1 | 3-Major | Configuration changes made by Certificate Manager role do not trigger saving config | |
898705-1 | 3-Major | IPv6 static BFD configuration is truncated or missing | |
898461-6 | 3-Major | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' | |
898389-5 | 3-Major | Traffic is not classified when adding port-list to virtual server from GUI | |
896553-1 | 3-Major | On blade failure, some trunked egress traffic is dropped. | |
895845-1 | 3-Major | Implement automatic conflict resolution for gossip-conflicts in REST | |
895781-1 | 3-Major | Round Robin disaggregation does not disaggregate globally | |
892445-6 | 3-Major | BWC policy names are limited to 128 characters | |
891337-5 | 3-Major | 'save_master_key(master): Not ready to save yet' errors in the logs | |
886689-2 | 3-Major | Generic Message profile cannot be used in SCTP virtual | |
884729-6 | 3-Major | The vCMP CPU usage stats are incorrect | |
883149-6 | 3-Major | The fix for ID 439539 can cause mcpd to core. | |
882609-4 | 3-Major | ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back | |
879969-1 | 3-Major | FQDN node resolution fails if DNS response latency >5 seconds | |
874857-1 | 3-Major | Hardware-accelerated connections might not be removed from ePVA on transition to standby | |
871705-2 | 3-Major | Restarting bigstart shuts down the system | |
871045-6 | 3-Major | IP fragments are disaggregated to separate TMMs with hardware syncookies enabled | |
867793-5 | 3-Major | BIG-IP sending the wrong trap code for BGP peer state | |
867249-5 | 3-Major | New SNMP authentication type and privacy protocol algorithms not available in UI | |
865241-5 | 3-Major | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | |
862693-5 | 3-Major | PAM_RHOST not set when authenticating BIG-IP using iControl REST | |
862525-5 | 3-Major | GUI Browser Cache Timeout option is not available via tmsh | |
858769-1 | 3-Major | Net-snmp library must be upgraded to 5.8 in order to support SHA-2 | |
853617-5 | 3-Major | Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles | |
842901-6 | 3-Major | Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair. | |
842125-1 | 3-Major | Unable to reconnect outgoing SCTP connections that have previously aborted | |
841721-6 | 3-Major | BWC::policy detach appears to run, but BWC control is still enabled | |
841277-2 | 3-Major | C4800 LCD fails to load after annunciator hot-swap | |
838337-6 | 3-Major | The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST. | |
838297-6 | 3-Major | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication | |
837481-2 | 3-Major | SNMPv3 pass phrases should not be synced between high availability (HA) devices, as they are based on each device's unique engineID | |
836237-1 | 3-Major | ZRD process restarts observed due to stale files in /var/zrd/zrd-undo/ when UCS file is loaded or any modifications in wide IP configurations. | |
836137 | 3-Major | When BGP recursive nexthop is down, network is down, logs show Type: 0 messages without nexthop. | |
829889 | 3-Major | Invalid opcode: kernel BUG at mm/shmem.c:556! | |
829821-5 | 3-Major | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | |
827021-5 | 3-Major | MCP update message may be lost when primary blade changes in chassis | |
826313-1 | 3-Major | Error: Media type is incompatible with other trunk members★ | |
826265-1 | 3-Major | The SNMPv3 engineBoots value restarts at 1 after an upgrade | |
819281 | 3-Major | HSB and switch interface pause frames | |
819261-1 | 3-Major | Log HSB registers when parts of the device become unresponsive | |
818505-6 | 3-Major | Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | |
814353-1 | 3-Major | Pool member silently changed to user-disabled from monitor-disabled | |
814053-1 | 3-Major | Under heavy load, bcm56xxd can be killed by the watchdog | |
812493-6 | 3-Major | When engineID is reconfigured, snmp and alert daemons must be restarted★ | |
811053-5 | 3-Major | REBOOT REQUIRED prompt appears after failover and clsh reboot | |
811041-2 | 3-Major | Out of shmem, increment amount in /etc/ha_table/ha_table.conf | |
810381-5 | 3-Major | The SNMP max message size check is being incorrectly applied. | |
809657-5 | 3-Major | HA Group score not computed correctly for an unmonitored pool when mcpd starts | |
809509-3 | 3-Major | Resource Admin User unable to download UCS using Rest API. | |
808277-1 | 3-Major | Root's crontab file may become empty | |
806881-4 | 3-Major | Loading the configuration may not set the virtual server enabled status correctly | |
806073-6 | 3-Major | MySQL monitor fails to connect to MySQL Server v8.0 | |
804477-1 | 3-Major | Log HSB registers when parts of the device become unresponsive | |
803833-1 | 3-Major | On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★ | |
803237-6 | 3-Major | PVA does not validate interface MTU when setting MSS | |
802493-1 | 3-Major | Hardware syncookies on some hardware platforms may retrieve the wrong mss | |
799001-6 | 3-Major | Sflow agent does not handle disconnect from SNMPD manager correctly | |
797829-2 | 3-Major | The BIG-IP system may fail to deploy new or reconfigure existing iApps | |
797221-4 | 3-Major | BCM daemon can be killed by watchdog timeout during blade-to-blade failover | |
795685-4 | 3-Major | Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer | |
791061-4 | 3-Major | Config load in /Common removes routing protocols from other partitions | |
788645 | 3-Major | BGP does not function on static interfaces with vlan names longer than 16 characters. | |
788557-2 | 3-Major | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior | |
783985 | 3-Major | Grub boot entries not updated on i2600 from iControl SOAP set_boot_location call★ | |
782613-2 | 3-Major | Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp | |
776081 | 3-Major | The F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed values are not meaningful on a VE | |
775845-4 | 3-Major | Httpd fails to start after restarting the service using the iControl REST API | |
773577-4 | 3-Major | SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted | |
772497-2 | 3-Major | When BIG-IP is configured to use a proxy server, updatecheck fails | |
772117-2 | 3-Major | Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card | |
769029-3 | 3-Major | Non-admin users fail to create tmp dir under /var/system/tmp/tmsh | |
767305-4 | 3-Major | If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried | |
765969-4 | 3-Major | HSB register dump missing from hsb_snapshot | |
764873-5 | 3-Major | An accelerated flow transmits packets to a dated, down pool member. | |
761833 | 3-Major | PostgreSQL database disk usage over 2 GB without AFM provisioned | |
760932-5 | 3-Major | Part of audit log messages are also in other logs when strings are long | |
760259-1 | 3-Major | Qkview silently fails to capture qkviews from other blades | |
760222-4 | 3-Major | SCP fails unexpectedly when FIPS mode is enabled | |
757709 | 3-Major | Routing daemon NSM cores if any of interface indexes of VLANs, Tunnels or VLAN Groups are identical to loopback and tmm interfaces of Route Domains where these VLANs, Tunnels or VLAN Groups are located | |
755976-7 | 3-Major | ZebOS might miss kernel routes after mcpd daemon restart | |
754132-1 | 3-Major | A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command | |
753860-2 | 3-Major | Virtual server config changes causing incorrect route injection. | |
753423-3 | 3-Major | Disabling and immediately re-enabling a slot results in the slot's interfaces being permanently removed from aggregation | |
753001-4 | 3-Major | mcpd can be killed if the configuration contains a very high number of nested references | |
752994-4 | 3-Major | Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod | |
752228-3 | 3-Major | GUI Network Map to account for objects in a Disabled By Parent state | |
751409-4 | 3-Major | MCP Validation does not detect when virtual servers differ only by overlapping VLANs | |
751024-1 | 3-Major | i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd | |
751021-4 | 3-Major | One or more TMM instances may be left without dynamic routes. | |
748608 | 3-Major | IPsec / ESP traffic pinned to TMM 0 for SP-Dag on 4000s/4200v, 2000s/2200v platforms | |
748323 | 3-Major | It is possible for the archive.tm2 file to not get cleaned up | |
747799-3 | 3-Major | 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile | |
746758-5 | 3-Major | Qkview produces core file if interrupted while exiting | |
746657-4 | 3-Major | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval | |
745309 | 3-Major | Self IP route is not updated in a routing table if there is more than one route with the same destination signature | |
744913 | 3-Major | Tmm may be killed during snapshot creation on VMware ESXi | |
744520-4 | 3-Major | virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface | |
744252-4 | 3-Major | BGP route map community value: either component cannot be set to 65535 | |
743895 | 3-Major | Upgrades from 10.2.x fail due to empty virtual address lines in the configuration★ | |
743234-1 | 3-Major | Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons | |
743132-3 | 3-Major | mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile | |
742877 | 3-Major | Tmm may fail a heartbeat on VE if unscheduled by busy hypervisor | |
742753-1 | 3-Major | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | |
740517-4 | 3-Major | Application Editor users are unable to edit HTTPS Monitors via the Web UI | |
740203 | 3-Major | Installing a certificate or key may fail for a remote user | |
740135-4 | 3-Major | Traffic Group ha-order list does not load correctly after reset to default configuration | |
739820-4 | 3-Major | Validation does not reject IPv6 address for TACACS auth configuration | |
739533-3 | 3-Major | In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config | |
739118-4 | 3-Major | Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration | |
738543-1 | 3-Major | Dynamic route with recursive nexthop might cause tmrouted restart | |
738359 | 3-Major | Log output does not reflect BIG-IP system timezone setting | |
737901-1 | 3-Major | Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode | |
737536-5 | 3-Major | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. | |
737346-4 | 3-Major | After the username is entered and before the password, the logging-in user's failure count is incremented. | |
733585-2 | 3-Major | Merged can use 100% of CPU if all stats snapshot files are in the future | |
727467-3 | 3-Major | Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later. | |
727297-4 | 3-Major | GUI TACACS+ remote server list should accept hostname | |
727191-4 | 3-Major | Invalid arguments to run sys failover do not return an error | |
726416-1 | 3-Major | Physical disk HD1 not found for logical disk create | |
725950-1 | 3-Major | Regcomp() leaks memory if passed an invalid regex. | |
725792-2 | 3-Major | BWC: Measure log-publisher if used might result in memory leak | |
725646-6 | 3-Major | The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly | |
725620 | 3-Major | Corrupted HSB RQM configuration causes HSB receive failures on 5000s/5200v, 5050s/5250v/5250v-F platforms | |
725427 | 3-Major | OPT-0036-01 does not report DDM tx power alarms or tx power warnings | |
724706 | 3-Major | iControl REST statistics request causes CPU spike | |
723579-3 | 3-Major | OSPF routes missing | |
721740-3 | 3-Major | CPU stats are not correctly recorded when snapshot files have timestamps in the future | |
721020-4 | 3-Major | Changes to the master key are reverted after full sync | |
719555-1 | 3-Major | Interface listed as 'disable' after SFP insertion and enable | |
718800-3 | 3-Major | Cannot set a password to the current value of its encrypted password | |
718230-5 | 3-Major | Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented | |
715061-1 | 3-Major | TMM may crash and produce a core file on a vCMP guest when the guest is being shut down from the host. | |
714626-1 | 3-Major | When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect. | |
714198 | 3-Major | Mcpd is blocked when executing the tmsh command 'tmsh -a show net arp all' | |
713708-3 | 3-Major | Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI | |
712266-2 | 3-Major | Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware | |
712033-1 | 3-Major | When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name | |
711879 | 3-Major | Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor. | |
711158-1 | 3-Major | Admin user roles automatically demoted to guest | |
710841 | 3-Major | 12.1.3.3 feature refinement might be lost after upgrade★ | |
710039 | 3-Major | Merging config may not report syslog configuration errors | |
709559-3 | 3-Major | LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name | |
707320-1 | 3-Major | Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs | |
702310-2 | 3-Major | The ':l' and ':h' options are not available on the tmm interface in tcpdump | |
701722-2 | 3-Major | Potential mcpd memory leak for signed iRules | |
701341-2 | 3-Major | K52941103 | If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts |
701289-2 | 3-Major | Static BFD with BIG-IP floating IP address | |
700897-3 | 3-Major | sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG | |
700794-2 | 3-Major | Cannot replace a FIPS key with another FIPS key via tmsh | |
700426-2 | 3-Major | K58033284 | Switching partitions while viewing objects in GUI can result in empty list |
700250-1 | 3-Major | K59327012 | qkviews for secondary blade appear to be corrupt |
698933-3 | 3-Major | Setting metric-type via ospf redistribute command may not work correctly | |
698844 | 3-Major | LCD splash screen may display incorrect platform name on iSeries appliance | |
698599 | 3-Major | K24479486 | Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems. |
698597 | 3-Major | K10300436 | BIG-IP fails to go active after cryptographic hardware has recovered from a failure |
698594 | 3-Major | K53752362 | Cave Creek Crypto hardware reports a false positive of a stuck queue state |
698462 | 3-Major | TCP timestamp rewrite mode not working on the client side of ePVA offloaded connections | |
698171-1 | 3-Major | STP interfaces remain in block state on 40G bundled interfaces after enabling STP | |
698034-2 | 3-Major | PKCS12 file imported via Configuration utility into folder is placed at partition root | |
698013-4 | 3-Major | K27216452 | TACACS+ system auth and file descriptors leak |
696731-1 | 3-Major | K94062594 | The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled |
695090 | 3-Major | In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled | |
693578-1 | 3-Major | switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0 | |
693563-3 | 3-Major | K22942093 | No warning when LDAP is configured with SSL but with a client certificate with no matching key★ |
692753-3 | 3-Major | shutting down trap not sent when shutdown -r or shutdown -h issued from shell | |
692218-5 | 3-Major | Audit log messages sent from the primary blade to the secondaries should not be logged. | |
691749-3 | 3-Major | Delete sys connection operations cannot be part of TMSH transactions | |
690890-3 | 3-Major | Running sod manually can cause issues/failover | |
689779 | 3-Major | VE HyperV packet drops under load due to interrupt distribution | |
689567-3 | 3-Major | Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned | |
688406-3 | 3-Major | K14513346 | HA-Group Score showing 0 |
687797-1 | 3-Major | iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once. | |
687617-3 | 3-Major | DHCP request-options when set to "none" are reset to defaults when loading the config. | |
687172 | 3-Major | Pools do not appear as expected after deploying iApp via iWorkflow | |
686816-3 | 3-Major | Link from iApps Components page to Policy Rules invalid | |
686626-2 | 3-Major | The BIG-IP system may connect to an OCSP server using an unexpected source IP address | |
684096-1 | 3-Major | stats self-link might include the oid twice | |
683135-4 | 3-Major | Hardware syncookies number for virtual server stats is unrealistically high | |
681782-4 | 3-Major | Unicast IP address can be configured in a failover multicast configuration | |
681009-2 | 3-Major | Large configurations can cause memory exhaustion during live-install★ | |
679605-1 | 3-Major | Device groups with no members will cause upgrade to fail | |
679027 | 3-Major | Rare memory corruption in tmrouted while license is being reset | |
677485-2 | 3-Major | Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error | |
676442-2 | 3-Major | K37113440 | Changes to RADIUS remote authentication may not fully sync |
675742 | 3-Major | Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores | |
675298-1 | 3-Major | F5 MIB value types changed to become RFC compliant | |
674997 | 3-Major | It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system. | |
674957-1 | 3-Major | If a certificate is stored in DER format, exporting it using the GUI corrupts the output. | |
674328-3 | 3-Major | Multicast UDP from BIG-IP may have incorrect checksums | |
673952 | 3-Major | 1NIC VE in HA device-group shows 'Changes Pending' after reboot | |
673640 | 3-Major | Log messages for virtual server status changes are not immediately logged. | |
673241 | 3-Major | Platform AC power supply faults when subjected to temperature above 50C (122F) at low input voltage. | |
671553-2 | 3-Major | iCall scripts may make statistics request before the system is ready | |
671372-2 | 3-Major | K01930721 | When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified. |
671261-2 | 3-Major | K32306231 | MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo |
671236-2 | 3-Major | K27343382 | BGP local-as command may not work when applied to peer-group |
671178 | 3-Major | K20274760 | Date/time change after configuring HA may impair configuration sync |
669585-3 | 3-Major | The tmsh sys log filter is unable to display information in uncompressed log files. | |
669241-1 | 3-Major | Cannot create stateless virtual servers with ip-protocol set to 'gre'. | |
667618-2 | 3-Major | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | |
667476 | 3-Major | Upgrade and config load can fail if a data group record of type string contains a tab character | |
667082-2 | 3-Major | Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail. | |
666117-4 | 3-Major | Network failover without a management address causes active-active after unit1 reboot | |
662301-6 | 3-Major | 'Unlicensed objects' error message appears despite there being no unlicensed config | |
660895-2 | 3-Major | TMM can crash if TMM count is greater than licensed throughput | |
658036-2 | 3-Major | K04651090 | Honoring negotiated MSS for TCP segmentation |
657834-2 | 3-Major | K45005512 | Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent |
657727-2 | 3-Major | K39694060 | Running tcpdump from TMSH cannot capture the local "tmm" interface |
653928 | 3-Major | On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed with Conflicting configuration error.★ | |
651136-2 | 3-Major | K36893451 | ReqLog profile on FTP virtual server with default profile can result in service disruption. |
648873-3 | 3-Major | K93513131 | Traffic-group failover-objects cannot be retrieved via iControl REST |
648316-3 | 3-Major | K10776106 | Flows using DEFLATE decompression can generate error message during flow tear-down. |
647834-4 | 3-Major | Failover DB variables do not correctly implement 'reset-to-default' | |
647151-1 | 3-Major | CPU overtemp condition threshold is 75C | |
645206-4 | 3-Major | K23105004 | Missing cipher suites in outgoing LDAP TLS ClientHello★ |
644979-2 | 3-Major | Errors not logged from hourly 1k key generation cron job | |
643799-1 | 3-Major | Deleting a partition may cause a sync validation error | |
642422-2 | 3-Major | BFD may not remove dependent static routes when peer sends BFD Admin-Down | |
641582-1 | 3-Major | Rarely, an HSB transmitter failure occurs | |
641543-1 | 3-Major | bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled. | |
641001 | 3-Major | BWC: dynamic policy category sees lower bandwidth than expected in Congested policies | |
640054-1 | 3-Major | Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled | |
639774-5 | 3-Major | K30598276 | mysqld.err rollover log files are not collected by qkview |
638089-1 | 3-Major | LACP and CMP state simultaneously fail on 2150 or 2250 blades | |
637979-1 | 3-Major | IPsec over isession not working | |
637279 | 3-Major | Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS. | |
633824-2 | 3-Major | K39319200 | Cannot add pool members containing a colon in the node name |
633172 | 3-Major | K12473201 | External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command |
632825-5 | 3-Major | bcm56xxd crash following 'silent' port-mirror configuration failure | |
632204-1 | 3-Major | K22568472 | Local Traffic Policies rule page is incorrectly showing all partition's objects in 'Forward traffic' actions |
631046 | 3-Major | Unable to generate a FIPS key using the GUI | |
629834-4 | 3-Major | istatsd high CPU utilization with large number of entries | |
627760-3 | 3-Major | gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card | |
626226-1 | 3-Major | Large SSL certificate bundle export by GUI silently fails | |
625215-1 | 3-Major | unic: flow redirects for non-default cmp-hash on untagged VLANs | |
624626-3 | 3-Major | Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility | |
624580-1 | 3-Major | K37147352 | BigDB.dat may become truncated |
623488-3 | 3-Major | Custom adaptive reaper settings may be lost at upgrade time★ | |
623371-1 | 3-Major | After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed | |
623367-1 | 3-Major | K57879554 | When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key. |
623265-4 | 3-Major | K15645547 | UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★ |
622378-1 | 3-Major | Inconsistent hardware syncookie protection mode on B2100/B4300 blades and 5000/7000/10000 appliances | |
620969-3 | 3-Major | iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards. | |
619419 | 3-Major | Workaround for Software Installation Failures in TMUI★ | |
618982-1 | 3-Major | IPSEC + chassis behavior for case secondary blades on-off switch. | |
618319-5 | 3-Major | K58255321 | HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked |
617875-1 | 3-Major | vCMP guest may fail to start due to not enough hugepages | |
617643-1 | 3-Major | iControl.ForceSessions enabled results in GUI error on certain pages | |
614648-1 | 3-Major | Unable to upload software image larger than 2GB using the GUI | |
614493-1 | 3-Major | BIG-IP reset on ePVA accelerated flow may contain stale TCP window information. | |
612086-3 | 3-Major | K32857340 | Virtual server CPU stats can be above 100% |
612083 | 3-Major | Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors. | |
609200-2 | 3-Major | Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★ | |
609186-5 | 3-Major | TMM or MCP might core while getting connections via iControl. | |
606330-5 | 3-Major | The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family. | |
606032 | 3-Major | Network Failover-based high availability (HA) in AWS may fail | |
605891-1 | 3-Major | Enable ASM option disappears from L7 policy actions | |
605840-5 | 3-Major | HSB receive failure lockup due to unreceived loopback packets | |
605800-3 | 3-Major | Web GUI submits changes to multiple pool members as separate transactions | |
603772-1 | 3-Major | Floating tunnels with names more than 15 characters may cause issues during config-sync. | |
602193-4 | 3-Major | iControl REST calls fail when payload contains non-UTF8 data | |
601414-1 | 3-Major | Combined use of session and table irule commands can result in intermittent session lookup failures | |
598650-1 | 3-Major | apache-ssl-cert objects do not support certificate bundles | |
597818-2 | 3-Major | Unable to configure IPsec NAT-T to "force" | |
597564-3 | 3-Major | 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items | |
596826-5 | 3-Major | Don't set the mirroring address to a floating self IP address | |
596020-3 | 3-Major | Devices in a device-group may report out-of-sync after one of the devices is rebooted | |
595868-1 | 3-Major | HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. | |
595617-1 | 3-Major | K40420553 | Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA. |
593845-3 | 3-Major | K24093205 | VE interface limit |
593361-1 | 3-Major | The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE. | |
591305-4 | 3-Major | Audit log messages with "user unknown" appear on install | |
589856-2 | 3-Major | IControl REST : possible to get duplicate transaction IDs when transactions are created by multiple clients | |
588646-1 | 3-Major | Use of Standard access list remarks in imish may cause later entries to fail on add | |
588028-1 | 3-Major | Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up | |
587821-5 | 3-Major | vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor. | |
580499-2 | 3-Major | K34082034 | Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled. |
579035-5 | 3-Major | K46145454 | Config sync error when a key with passphrase is converted into FIPS. |
575368-5 | 3-Major | Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card | |
571333-8 | 3-Major | K36155089 | FastL4 TCP handshake timeout not honored for offloaded flows |
570845-3 | 3-Major | K00334323 | Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy |
569968 | 3-Major | snmpd core during startup | |
569859-2 | 3-Major | Password policy enforcement for root user when mcpd is not available | |
569331-1 | 3-Major | Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP | |
569281-6 | 3-Major | K33242855 | L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot |
567490-2 | 3-Major | db.proxy.__iter__ value is overwritten if it's manually set | |
544568-5 | 3-Major | Flows for a FastL4 profile that are forwarded may now be accelerated. | |
542137 | 3-Major | TMM continually restarts due to HSB failure | |
538283-5 | 3-Major | iControl REST asynchronous tasks may block other tasks from running | |
535122-8 | 3-Major | [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects | |
528295-6 | 3-Major | K40735404 | Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later. |
524193-5 | 3-Major | Multiple Source addresses are not allowed on a TMSH SNMP community | |
524123-1 | 3-Major | iRule ISTATS::remove does not work | |
509497-1 | 3-Major | VCMP guests on a specific host may be restarted when that host system experiences large date/time changes | |
499348-5 | 3-Major | System statistics may fail to update, or report negative deltas due to delayed stats merging | |
489499-3 | 3-Major | chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd | |
486997-1 | 3-Major | The vCMP guest lost watchdog heartbeat, and the host restarted it. | |
486712-7 | 3-Major | GUI PVA connection maximum statistic is always zero | |
469366-3 | 3-Major | K16237 | ConfigSync might fail with modified system-supplied profiles |
455066-2 | 3-Major | Read-only account can save system config | |
438574-1 | 3-Major | Web UI: iSession Profile properties page displays incorrect parent profile name. | |
431503-5 | 3-Major | K14838 | TMSH crashes in rare initial tunnel configurations |
410549-1 | 3-Major | Changing the provision.tmmcount db variable value results in continuous tmm restarts | |
385013-6 | 3-Major | Certain user roles do not trigger a sync for a 'modify auth password' command | |
375434-6 | 3-Major | HSB lockup might occur when TMM tries unsuccessfully to reset HSB. | |
291256-5 | 3-Major | Changing 'Minimum Length' and 'Required Characters' might result in an error | |
247527-2 | 3-Major | K14890 | Mgmt interface cannot be disabled via tmsh |
224665-2 | 3-Major | K12711 | Proxy Exclusion List setting is not aware of administrative partitions |
955057-5 | 4-Minor | UCS archives containing a large number of DNS zone files may fail to restore.★ | |
947865-5 | 4-Minor | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read | |
939757-1 | 4-Minor | Deleting a virtual server might not trigger route-injection update. | |
939517-1 | 4-Minor | DB variable scheduler.minsleepduration.ltm changes to default value after reboot | |
931609 | 4-Minor | After installing a UCS file on a new BIG-IP, some configuration items may fail to load | |
924429-5 | 4-Minor | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values | |
918013-5 | 4-Minor | Log message with large wchan value | |
911713-5 | 4-Minor | Delay in Network Convergence with RSTP enabled | |
906449-6 | 4-Minor | Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load | |
901985-3 | 4-Minor | Extend logging for incomplete HTTP requests | |
893093-6 | 4-Minor | An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing. | |
892677-2 | 4-Minor | Loading config file with imish adds the newline character | |
869237-2 | 4-Minor | Management interface might become unreachable when alternating between DHCP/static address assignment. | |
858549-1 | 4-Minor | GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs | |
848681-2 | 4-Minor | Disabling the LCD on a VIPRION causes blade status lights to turn amber | |
846793-1 | 4-Minor | SCTP flow may be inappropriately aborted due to 'stream-id out of range' | |
846521-2 | 4-Minor | Config script does not refresh management address entry properly when alternating between dynamic and static | |
838925-2 | 4-Minor | Rewrite URI translation profile can cause connection reset while processing malformed CSS content | |
828625-5 | 4-Minor | User shouldn't be able to configure two identical traffic selectors | |
821745 | 4-Minor | Mcpd core when changing password for BIG-IP remote user | |
819421-5 | 4-Minor | Unable to scp/sftp to device after upgrade★ | |
813165 | 4-Minor | P2P failure on BIG-IP system while connecting with Cisco router | |
808481-2 | 4-Minor | Hertfordshire county missing from GTM Region list | |
805325-5 | 4-Minor | tmsh help text contains a reference to bigpipe, which is no longer supported | |
761981 | 4-Minor | Information in snmpd.conf files may be overwritten, causing SNMP v3 queries to receive 'Unsupported security level' errors | |
761084-2 | 4-Minor | Custom monitor fields appear editable for Auditor, Operator, or Guest | |
759852-3 | 4-Minor | SNMP configuration for trap destinations can cause a warning in the log | |
759590-2 | 4-Minor | Creation of RADIUS authentication fails with service types other than 'authenticate only' | |
758105 | 4-Minor | Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml | |
756714-4 | 4-Minor | UIDs on /home directory are scrambled after upgrade★ | |
750413 | 4-Minor | UTF-8 character in subject of a certificate used for iQuery cannot be removed | |
746152-4 | 4-Minor | Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column | |
740957 | 4-Minor | 'fips_get_key_attr(): mod_err = 0xa9' message seen in /var/log/ltm | |
740461 | 4-Minor | Certificate or key upload in the GUI may occasionally fail with 'General database error' | |
724994-1 | 4-Minor | API requests with 'expandSubcollections=true' are very slow | |
723111 | 4-Minor | mailx is blocked by SELinux Policy | |
722647-1 | 4-Minor | The configuration of some of the Nokia alerts is incorrect | |
719770-4 | 4-Minor | tmctl -H -V and -l options without values crashed | |
719241 | 4-Minor | Using custom DNS servers on the Azure VNet with the missing 168.63.129.16 causes Waagent provisioning failure. | |
713947-3 | 4-Minor | stpd repeatedly logs "hal sendMessage failed" | |
713138 | 4-Minor | TMUI ILX Editor inserts an unnecessary linefeed | |
713134-3 | 4-Minor | Small tmctl memory leak when viewing stats for snapshot files | |
712241-1 | 4-Minor | A vCMP guest may not provide guest health stats to the vCMP host | |
710410-1 | 4-Minor | TMM hardware accelerated compression not registering for all compression levels. | |
708415 | 4-Minor | Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled | |
706106-1 | 4-Minor | PUT request sent to ltm/virtual failed because of ip-protocol property value any | |
703509-1 | 4-Minor | Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled | |
702615-1 | 4-Minor | During reboot to another volume, the GUI login page becomes prematurely available★ | |
698991 | 4-Minor | K64258832 | CPU utilization on i850 is not a reliable indicator of system capacity |
697766-3 | 4-Minor | Cisco IOS XR ISIS routers may report 'Authentication TLV not found' | |
696363 | 4-Minor | Unable to create SNMP trap in the GUI | |
692172-2 | 4-Minor | rewrite profile causes "No available pool member" failures when connection limit reached | |
691491-3 | 4-Minor | K13841403 | 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces |
690781 | 4-Minor | VIPRION systems with B2100 or B2150 blades cannot run certain combinations of vCMP guest sizes | |
689147-1 | 4-Minor | Confusing log messages on certain user/role/partition misconfiguration when using remote role groups | |
687343-3 | 4-Minor | Running 'load sys config merge verify' will add new users to the Postgres database | |
685233-2 | 4-Minor | K13125441 | tmctl -d blade command does not work in an SNMP custom MIB |
683029-2 | 4-Minor | Sync of virtual address and self IP traffic groups only happens in one direction | |
678117-1 | 4-Minor | 'Can't create a home directory' logged for remote users on secondary blades after configsync | |
675368-2 | 4-Minor | Unable to reorder rules when one of the rule names contains % or / | |
673573-6 | 4-Minor | tmsh logs boost assertion when running child process and reaches idle-timeout | |
670691 | 4-Minor | K02331705 | Unable to list ntlm profile in different root folder or partition |
663911-2 | 4-Minor | When running out of memory, MCP can report an incorrect allocation size | |
659888-1 | 4-Minor | Profiles with names that contain percentage signs cannot be accessed in TMUI | |
655484-1 | 4-Minor | K69912019 | GUI LTM Pool Statistics Page running out of memory with large number of Pools |
655464 | 4-Minor | Incorrect information about number of cores/guests on i11000 platforms | |
650019-2 | 4-Minor | The commented-out sample functions in audit_forwarder.tcl are incorrect | |
647812-3 | 4-Minor | /tmp/wccp.log file grows unbounded | |
646768-4 | 4-Minor | K71255118 | VCMP Guest CM device name not set to hostname when deployed |
640863-2 | 4-Minor | K29231946 | Disabling partition selector in DNS Resolver's Forward Zones |
640489 | 4-Minor | K53571714 | iSeries LCD alerts screen returns to splash screen intermittently |
636823-3 | 4-Minor | Node name and node address | |
636164 | 4-Minor | Remote IP not working in IE 8 | |
636163 | 4-Minor | Certificate Key Chain not working in IE 8 | |
636031-4 | 4-Minor | K23313837 | GUI LTM Monitor Configuration String adding CR for type Oracle |
634014 | 4-Minor | Absolute timers may fire one second early during the leap second event | |
633495 | 4-Minor | Cannot switch between partitions in Local Traffic :: Policies | |
631083-2 | 4-Minor | Some files in home directory are overwritten on password change | |
630795-1 | 4-Minor | No guestagentd entry in merged.conf | |
627221-1 | 4-Minor | iControl SOAP doesn't support displaying all possible media options for interfaces | |
626480-1 | 4-Minor | Restjavad log messages: [ProcessManager] Maximum child processes of 3 has been reached | |
626279-1 | 4-Minor | After reboot LCD reports "unit going standby" even if it has gone active. | |
623313 | 4-Minor | After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.★ | |
618889-1 | 4-Minor | Clicking the policies list tab does not refresh the policies list on click. | |
611054-1 | 4-Minor | Network failover "enable" setting is sometimes ignored on chassis systems | |
606799-1 | 4-Minor | K16703796 | GUI total number of records not correctly initialized with search string on several pages. |
603693-5 | 4-Minor | K52239932 | Brace matching in switch statement of iRules can fail if literal strings use braces |
587804-1 | 4-Minor | Symmetric Unit Key decrypt failure on base load | |
586348-1 | 4-Minor | Network Map Pool Member Parent Node Name display and Pool Member hyperlink | |
584788-1 | 4-Minor | Directed failover of HA pair using only hardwire failover will fail | |
584504-2 | 4-Minor | K36912228 | Allowing non-English characters on login screen |
583777-5 | 4-Minor | K33230520 | [TMSH] sys crypto cert missing tab completion function |
583084-5 | 4-Minor | K15101680 | iControl produces 404 error while creating records successfully |
582595-2 | 4-Minor | K52029952 | default-node-monitor is reset to none for HA configuration. |
582127-1 | 4-Minor | K55138704 | VE OVA logrotate max-file-size too big for /var/log partition size |
581865-2 | 4-Minor | K11053914 | 6900, 8900, 8950, or 11050 platforms missing swap storage★ |
571727-1 | 4-Minor | K52707821 | 'force-full-load-push' is not tab expandable |
571017-1 | 4-Minor | Extra log messages seen on optics removal. | |
565755 | 4-Minor | Dashboard does not work when custom port is used for management port. | |
528894-9 | 4-Minor | Config sync after sub-partition config changes results in extra lines in the partition's conf file | |
514703-1 | 4-Minor | gtm listener cannot be listed across partitions | |
501258-2 | 4-Minor | Unable to modify 'gtm region region-members' via iControl REST | |
484683-4 | 4-Minor | Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. | |
479262-4 | 4-Minor | 'readPowerSupplyRegister error' in LTM log | |
476544-2 | 4-Minor | mcpd core during sync | |
463903-5 | 4-Minor | K68062382 | Behavior Change: HA Score calculation when minimum-threshold attribute is in use |
965457-1 | 5-Cosmetic | OSPF duplicate router detection might report false positives | |
964421-5 | 5-Cosmetic | Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' | |
769145-4 | 5-Cosmetic | Syncookie threshold warning is logged when the threshold is disabled | |
713519-3 | 5-Cosmetic | Enabling MCP Audit logging does not produce log entry for audit logging change | |
679431-3 | 5-Cosmetic | In routing module the 'sh ipv6 interface <interface> brief' command may not show header | |
676395-1 | 5-Cosmetic | Syslog messages seen with error code while viewing ssl certificate detail with debug turned on. | |
633568 | 5-Cosmetic | Pool statistics page doesn't show all pool members in IE8 with compatibility view | |
617578-2 | 5-Cosmetic | Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware | |
617161-1 | 5-Cosmetic | Cosmetic: duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers. | |
603092-5 | 5-Cosmetic | "displayservicenames" does not apply to show ltm pool members | |
602390-2 | 5-Cosmetic | K87506901 | Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI. |
594228-2 | 5-Cosmetic | Resetting mgmt interface statistics doesn't work on VE or VCMP | |
570013 | 5-Cosmetic | TCP Analytics Profile section in virtual server UI has erroneous caption | |
542347-2 | 5-Cosmetic | Denied message in audit log on first time boot | |
396273-2 | 5-Cosmetic | Error message in dmesg and kern.log: vpd r/w failed | |
Local Traffic Manager Issues
ID Number | Severity | Solution Article(s) | Description |
967249-5 | 2-Critical | TMM may leak memory early during its startup process, and may continue to do so indefinitely. | |
949137-6 | 2-Critical | Clusterd crash and vCMP guest failover | |
938545-6 | 2-Critical | Oversize plugin Tcl object results can result in 0-length messages and plugin crash | |
922317 | 2-Critical | Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections | |
912289-5 | 2-Critical | Cannot roll back after upgrading on certain platforms★ | |
910653-1 | 2-Critical | iRule parking in clientside/serverside command may cause tmm restart | |
910213-6 | 2-Critical | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | |
853329-6 | 2-Critical | HTTP explicit proxy can crash TMM when used with classification profile | |
851857-5 | 2-Critical | HTTP 100 Continue handling does not work when it arrives in multiple packets | |
851581-5 | 2-Critical | Server-side detach may crash TMM | |
851385-6 | 2-Critical | Failover takes too long when traffic blade failure occurs | |
841469-2 | 2-Critical | Application traffic may fail after an internal interface failure on a VIPRION system. | |
835505 | 2-Critical | Tmsh crash potentially related to NGFIPS SDK | |
824437-5 | 2-Critical | Chaining a standard virtual server and an ipother virtual server together can crash TMM. | |
807857-2 | 2-Critical | TMM can leak memory under specific traffic and iRule configurations. | |
757510-4 | 2-Critical | Class name mismatch is not caught | |
757441-1 | 2-Critical | Specific sequence of packets causes Fast Open to be effectively disabled | |
757407-3 | 2-Critical | Error reading RRD file may induce processes to mutually wait for each other forever | |
745589-3 | 2-Critical | In very rare situations, some filters may cause data-corruption. | |
726518-5 | 2-Critical | Tmsh show command terminated with CTRL-C can cause TMM to crash. | |
724906-2 | 2-Critical | sasp_gwm monitor leaks memory over time | |
721571-3 | 2-Critical | State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★ | |
706505-1 | 2-Critical | iRule table lookup command may crash tmm when used in FLOW_INIT | |
696908-2 | 2-Critical | Updating iRule causes TMM to crash | |
683454 | 2-Critical | K99294671 | HTTP::header command may crash TMM on an erroneous argument |
677975-2 | 2-Critical | K59237122 | SSL may cause the TMM to core when forging a certificate due to race condition |
676491-2 | 2-Critical | BIG-IP as a DHCP relay while in a DHCP relay chain will use its self-IP as the relay agent. | |
673095 | 2-Critical | Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid' | |
670893-1 | 2-Critical | Sensitive monitor parameters recorded in monitor logs | |
666889-1 | 2-Critical | K25769531 | Deleting virtual server may cause tmm to segfault |
663925-5 | 2-Critical | Virtual server state not updated with pool- or node-based connection limiting | |
662296-1 | 2-Critical | Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address | |
634369-2 | 2-Critical | Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes | |
625807-6 | 2-Critical | Tmm cores in bigproto_cookie_buffer_to_server | |
618463-2 | 2-Critical | Artificially low route MTU can cause SIGSEGV core from monitor traffic | |
609609-1 | 2-Critical | TMM crash, Invalid action | |
603690-2 | 2-Critical | K82210057 | CPU Saver option not working while the 'latency' compression provider selection algorithm is in use. |
598031-1 | 2-Critical | Slow memory growth leading to TMM core | |
586862-1 | 2-Critical | K30859144 | Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. |
577904-1 | 2-Critical | When a fips key is deleted, its corresponding public key is not deleted from fips card | |
985749-6 | 3-Major | TCP exponential backoff algorithm does not comply with RFC 6298 | |
984897-6 | 3-Major | Some connections performing SSL mirroring are not handled correctly by the Standby unit. | |
971217-5 | 3-Major | AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. | |
968949-2 | 3-Major | Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile | |
968509-2 | 3-Major | Response headers are not parsed correctly, causing subsequent requests to stall at BIG-IP | |
967353-6 | 3-Major | HTTP proxy should trim spaces between a header field-name and colon in its downstream responses. | |
963705-5 | 3-Major | Proxy ssl server response not forwarded | |
962913-6 | 3-Major | The number of native open connections in the SSL profile is higher than expected | |
958785-2 | 3-Major | FTP data transfer does not complete after QUIT signal | |
955617-4 | 3-Major | Cannot modify the destination address of a monitor | |
953845-6 | 3-Major | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | |
950005-5 | 3-Major | TCP connection is not closed when necessary after HTTP::respond iRule | |
947125-5 | 3-Major | Unable to delete monitors after certain operations | |
945601-1 | 3-Major | An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions. | |
942217-5 | 3-Major | Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available' | |
936593-1 | 3-Major | Invalid server-side SSL profile options can be configured in tmsh | |
936441-5 | 3-Major | Nitrox5 SDK driver logging messages | |
934017-2 | 3-Major | Problems may occur after creating a node named '_auto_<IP address>' | |
922413-6 | 3-Major | Excessive memory consumption with ntlmconnpool configured | |
921541 | 3-Major | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | |
920789-6 | 3-Major | UDP commands in iRules executed during FLOW_INIT event fail | |
920205-2 | 3-Major | Rate shaping might suppress TCP RST | |
918277-6 | 3-Major | Slow Ramp does not take into account pool members' ratio weights | |
915773-5 | 3-Major | Restart of TMM after stale interface reference | |
915605-3 | 3-Major | Image install fails if iRulesLX is provisioned and /usr mounted read-write★ | |
914061-5 | 3-Major | BIG-IP may reject a POST request if it comes first and exceeds the initial window size | |
912517-6 | 3-Major | MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | |
910473 | 3-Major | Tmm crash when applying config changes | |
906653-6 | 3-Major | Server side UDP immediate idle-timeout drops datagrams | |
904625-6 | 3-Major | Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices to go out of sync | |
904041-6 | 3-Major | Ephemeral pool members may be incorrect when modified via various actions | |
899905 | 3-Major | N3FIPS kernel driver crash | |
898681 | 3-Major | SafeNet install fails with the message 'path not allowed' | |
895205-6 | 3-Major | A circular reference in rewrite profiles causes MCP to crash | |
892385-4 | 3-Major | HTTP does not process WebSocket payload when received with server HTTP response | |
891145-1 | 3-Major | TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal | |
887045-6 | 3-Major | The session key does not get mirrored to standby. | |
885325-6 | 3-Major | Stats might be incorrect for iRules that get executed a large number of times | |
883049-7 | 3-Major | Statsd can deadlock with rrdshim if an rrd file is invalid | |
876569 | 3-Major | QAT compression codec produces gzip stream with CRC error | |
874317-5 | 3-Major | Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN | |
873677-2 | 3-Major | LTM policy matching does not work as expected | |
862597-2 | 3-Major | Improve MPTCP's SYN/ACK retransmission handling | |
862069-5 | 3-Major | Using non-standard HTTPS and SSH ports fails under certain conditions | |
862001-5 | 3-Major | Improperly configured NTP server can result in an undisciplined clock stanza | |
853613-6 | 3-Major | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp | |
852873-5 | 3-Major | Proprietary Multicast PVST+ packets are forwarded instead of dropped | |
852325-5 | 3-Major | HTTP2 does not support Global SNAT | |
851121-5 | 3-Major | Database monitor DBDaemon debug logging not enabled consistently | |
846977-5 | 3-Major | TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★ | |
846873-1 | 3-Major | Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure | |
845333-1 | 3-Major | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | |
842425-5 | 3-Major | Mirrored connections on standby are never removed in certain configurations | |
841369-6 | 3-Major | HTTP monitor GUI displays incorrect green status information | |
841341-1 | 3-Major | IP forwarding virtual server does not pick up any traffic if destination address is shared. | |
840785-5 | 3-Major | Update documented examples for REST::send to use valid REST endpoints | |
827441-4 | 3-Major | Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail | |
823825-2 | 3-Major | Renaming HA VLAN can disrupt state-mirror connection | |
820333-6 | 3-Major | LACP working member state may be inconsistent when blade is forced offline | |
819329 | 3-Major | Specific FIPS device errors will not trigger failover | |
818097-1 | 3-Major | Plane CPU stats too high after primary blade failover in multi-blade chassis | |
816205-1 | 3-Major | IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side | |
815405-2 | 3-Major | GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI) | |
815089-6 | 3-Major | On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations | |
813701-1 | 3-Major | Proxy ARP failure | |
810533-6 | 3-Major | SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile | |
806937 | 3-Major | CPM policy stops matching after adding rule | |
803629-5 | 3-Major | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | |
801549-5 | 3-Major | Persist records do not expire properly if mirroring is configured incorrectly | |
801541-4 | 3-Major | Persist records do not expire properly if HA peer is unavailable | |
801329 | 3-Major | When OneConnect profile is used, pool selection might be pinned to one pool | |
795933-5 | 3-Major | A pool member's cur_sessions stat may incorrectly not decrease for certain configurations | |
794505-1 | 3-Major | OSPFv3 IPv4 address family route-map filtering does not work | |
793669-3 | 3-Major | FQDN ephemeral pool members on a high availability (HA) pair do not get the new session value properly synced | |
786517-6 | 3-Major | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | |
785509 | 3-Major | Modifying fields such as chain, trusted certificate authorities in client SSL profile, and/or chain in cert-key-chain belonging to the same client SSL profile might not be reflected in TMM | |
783145-1 | 3-Major | Pool gets disabled when one of its pool members with a monitor session is disabled | |
781753-4 | 3-Major | WebSocket traffic is transmitted with unknown opcodes | |
781041-5 | 3-Major | SIP monitor in non default route domain is not working. | |
767341-6 | 3-Major | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | |
766593-3 | 3-Major | RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20 | |
761869-2 | 3-Major | WMI monitor may return negative values | |
761477-4 | 3-Major | Client authentication performance when large CRL is used | |
760406-6 | 3-Major | HA connection might stall on Active device when the SSL session cache becomes out-of-sync | |
760050-5 | 3-Major | cwnd warning message in log | |
758437-3 | 3-Major | SYN w/ data disrupts stat collection in Fast L4 | |
758436-5 | 3-Major | Optimistic ACKs degrade Fast L4 statistics | |
758041-5 | 3-Major | Pool Members may not be updated accurately when multiple identical database monitors configured | |
757827-4 | 3-Major | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution | |
757505-1 | 3-Major | peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket | |
757029-5 | 3-Major | Ephemeral pool members may not be created after config load or reboot | |
756812 | 3-Major | Nitrox 3 instruction/request logger may fail due to SELinux permission error | |
756647-4 | 3-Major | Global SNAT connections do not reset upon timeout. | |
756313-5 | 3-Major | SSL monitor continues to mark pool member down after restoring services | |
755791-5 | 3-Major | UDP monitor not behaving properly on different ICMP reject codes. | |
755631-4 | 3-Major | UDP / DNS monitor marking node down | |
755250 | 3-Major | Clock advanced messages when modifying a virtual server with 1000 SSL profiles | |
754604-1 | 3-Major | iRule : [string first] returns incorrect results when string2 contains null | |
753526-4 | 3-Major | IP::addr iRule command does not allow single digit mask | |
752530-4 | 3-Major | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. | |
752334-4 | 3-Major | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation | |
752078-3 | 3-Major | Header Field Value String Corruption | |
751427 | 3-Major | LTM policy rule condition does not match server-name in ssl-extension | |
750204-1 | 3-Major | Add support for P-521 curve in the X.509 chain to SSL LTM | |
750200-4 | 3-Major | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode | |
747077-2 | 3-Major | Potential crash in TMM when updating pool members | |
746355 | 3-Major | A client SSL handshake fails when client hello extension contains only unsupported groups | |
745663-1 | 3-Major | During traffic forwarding, nexthop data may be missed at large packet split | |
743900-4 | 3-Major | Custom DIAMETER monitor requests do not have their 'request' flag set | |
743896 | 3-Major | Gratuitous ARP not sent on interface up | |
742838-4 | 3-Major | A draft policy of an existing published policy cannot be modified if it is in /Common and is used by a virtual server in a different partition | |
741345 | 3-Major | Adaptive monitor gateway_icmp does not function correctly with two nodes | |
738450-4 | 3-Major | Parsing pool members as variables with IP tuple syntax | |
734692-1 | 3-Major | Incorrect prefix of ICMP error messages in NAT64 | |
727469-1 | 3-Major | ProxySSL leaks profile reference | |
726734-2 | 3-Major | DAGv2 port lookup stringent may fail | |
726319-3 | 3-Major | 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses | |
725592 | 3-Major | Outgoing RIP advertisements may have incorrect source port | |
723306-5 | 3-Major | Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition | |
723112 | 3-Major | LTM policies do not work if a condition has more than 127 matches | |
718867-3 | 3-Major | tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★ | |
718790-5 | 3-Major | Virtual Server reports unavailable and resets connection erroneously | |
717346-4 | 3-Major | K13040347 | [WebSocket] tmsh show /ltm profile WebSocket current and max numbers far larger than total |
716952-3 | 3-Major | With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process completes. | |
716492-1 | 3-Major | K59332523 | Rateshaper stalls when TSO packet length exceeds max ceiling. |
715756-3 | 3-Major | Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only | |
714642-5 | 3-Major | Ephemeral pool-member state on the standby is down | |
714503-3 | 3-Major | When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl | |
714495-3 | 3-Major | When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl" | |
714384-5 | 3-Major | DHCP traffic may not be forwarded when BWC is configured | |
713585-1 | 3-Major | K31544054 | When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long |
712489-3 | 3-Major | TMM crashes with message 'bad transition' | |
710996-1 | 3-Major | VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP | |
709963-4 | 3-Major | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. | |
709837-3 | 3-Major | Cookie persistence profile may be configured with invalid parameter combination. | |
707691-2 | 3-Major | BIG-IP handles some pathmtu messages incorrectly | |
704764-2 | 3-Major | SASP monitor marks members down with non-default route domains | |
702439-3 | 3-Major | K04964898 | Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset |
701690-3 | 3-Major | K53819652 | Fragmented ICMP forwarded with incorrect icmp checksum |
701033-1 | 3-Major | Tcl actions not run if conditions have overlapping IP ranges | |
700639 | 3-Major | The default value for the syncookie threshold is not set to the correct value | |
700080-1 | 3-Major | A db var compression.zlibinflateratio.threshold is added to force stopping inflating | |
696755-2 | 3-Major | HTTP/2 may truncate a response body when served from cache | |
695707-3 | 3-Major | BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection | |
695109-3 | 3-Major | K15047377 | Changes to fallback persistence profiles attached to a Virtual server are not effective |
691992 | 3-Major | MSTP: CIST bridge priority changes after adjusting the MSTI priority. | |
691785-3 | 3-Major | The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes | |
690778-3 | 3-Major | K53531153 | Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule |
690316 | 3-Major | Software syncookies are sent for FastL4 virtual server with software syncookies disabled | |
688570-3 | 3-Major | BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes | |
687807-3 | 3-Major | The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception | |
687044-2 | 3-Major | tcp-half-open monitors might mark a node up in error | |
686563-3 | 3-Major | WMI monitor on invalid node never transitions to DOWN | |
686547-3 | 3-Major | WMI monitor sends logging data for credentials when no credentials specified | |
686101-3 | 3-Major | K73346501 | Creating a pool with a new node always assigns the partition of the pool to that node. |
683706-1 | 3-Major | Pool member status remains 'checking' when manually forced down at creation | |
683061-2 | 3-Major | Rapid creation/update/deletion of the same external datagroup may cause core | |
681673-2 | 3-Major | tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results | |
679613-2 | 3-Major | K23531420 | i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1' |
678450-3 | 3-Major | No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve. | |
678066 | 3-Major | LTM Policy Tcl-enabled values require 'tcl:' prefix★ | |
677841-1 | 3-Major | Server SSL TLS session reuse with changed SNI uses incorrect session ID | |
677666-3 | 3-Major | /var/tmstat/blades/scripts segment grows in size. | |
677442 | 3-Major | During bulk crypto processing for SSL traffic, tmm might restart in rare cases. | |
676643 | 3-Major | FTP passive monitor uses IP address from PASV (not monitor destination) | |
674459 | 3-Major | Users are not expected to change security.commoncriteria DB variable through TMSH | |
670520-3 | 3-Major | FastL4 not sending keepalive at proper interval when other side gets response | |
670258-2 | 3-Major | Multicast pings not forwarded by TMM | |
666127-1 | 3-Major | Flows are incorrectly processed on a standby system. | |
664000 | 3-Major | TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing | |
660807 | 3-Major | Clientside command with parking command crashes TMM | |
660119-1 | 3-Major | K36005385 | When a monitor is configured with a timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down. |
655767-5 | 3-Major | MCPD does not prevent deleting an iRule that contains in-use procedures | |
654981-3 | 3-Major | Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action | |
653228-2 | 3-Major | K34312110 | SNAT does not work properly on FTP VIP2VIP |
653137-1 | 3-Major | K24159492 | Virtual flaps when FQDN node and pool configured with autopopulate |
652370-1 | 3-Major | The persist cookie insert iRule command may leak memory | |
649897 | 3-Major | Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown. | |
649275-2 | 3-Major | RSASSA-PSS client certificates support in Client SSL | |
646440-7 | 3-Major | TMSH allows mirror for persistence even when no mirroring configuration exists | |
645674-2 | 3-Major | 'bigd' message send to 'mcpd' failure is not logged | |
645635-2 | 3-Major | Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests | |
643860-4 | 3-Major | K41573401 | Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly |
642786-3 | 3-Major | K01833444 | TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'. |
640395-1 | 3-Major | K26144701 | When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly |
637613-3 | 3-Major | K24133500 | Cluster blade being disabled immediately returns to enabled/green |
633464-2 | 3-Major | Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual. | |
633110-2 | 3-Major | K09293022 | Literal tab character in monitor send/receive string causes config load failure, unknown property |
632604-1 | 3-Major | SSL::sessionid iRule command returns incorrect result | |
632553-2 | 3-Major | K14947100 | DHCP: OFFER packets from server are intermittently dropped |
630257-1 | 3-Major | Monitor send/receive strings cannot end with trailing single-backslash★ | |
628696-1 | 3-Major | Under rare circumstances, all blades in cluster claim not primary during start up | |
624917 | 3-Major | First few handshakes fail after chassis/appliance reboot when using HSM | |
624044-1 | 3-Major | K42806722 | LTM Monitor custom recv/send/recv-disable parameters that have a backslash at the end may fail to load★ |
623084-2 | 3-Major | mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★ | |
622870 | 3-Major | When using a Thales key, the SSL handshake fails after restarting pkcs11d | |
620556-1 | 3-Major | Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule | |
620053-1 | 3-Major | Gratuitous ARPs may be transmitted by an active unit being forced offline | |
618131-1 | 3-Major | Latency for Thales key population to the secondary slot after reboot | |
618104-1 | 3-Major | Connection Using TCP::collect iRule May Not Close | |
614410-3 | 3-Major | Unexpected handling of TCP timestamps in HA configuration | |
613483-2 | 3-Major | K18133264 | Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec. |
611652-3 | 3-Major | iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command. | |
610682-2 | 3-Major | LTM Policy action to reset connection only works for requests | |
607166-1 | 3-Major | Hidden directories and files are not synchronized to secondary blades | |
605175 | 3-Major | Backslashes in monitor send and receive strings | |
598204-3 | 3-Major | K54284420 | In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK. |
597369-1 | 3-Major | Reopen TCP's receive window based on initial receive window size after a zero window | |
597253-1 | 3-Major | HTTP::respond Tcl command may incorrectly identify parameters as iFiles | |
596278 | 3-Major | ILX workspace created by iApp made from template not deleted when iApp deleted | |
595921-1 | 3-Major | VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses. | |
590156-3 | 3-Major | Connections to an APM virtual server may be reset and fail on appliance and VE platforms. | |
586660-1 | 3-Major | HTTP/2 and RAM Cache are not compatible. | |
585248-1 | 3-Major | Resetting crypto client statistics can crash TMM and disrupt traffic handling. | |
584948-5 | 3-Major | Safenet HSM integration failing after it completes. | |
584414 | 3-Major | Deleting persistence-records via tmsh may result in persistence being created to different nodes | |
582331-1 | 3-Major | Maximum connections is not accurate when TMM load is uneven | |
582234-6 | 3-Major | When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again. | |
579252-3 | 3-Major | Traffic can be directed to a less specific virtual during virtual modification | |
572142-2 | 3-Major | Config sync peer may fail to monitor newly added pool member after it is added via sync | |
542104-2 | 3-Major | K33458192 | In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades. |
537209-5 | 3-Major | Fastl4 profile sends RST packet when idle timeout value set to 'immediate' | |
522241-3 | 3-Major | Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete | |
516280-4 | 3-Major | bigd process uses a large percentage of CPU | |
512490-14 | 3-Major | Increased latency during connection setup when using FastL4 profile and connection mirroring. | |
510395-5 | 3-Major | K17485 | Disabling some events while in the event, then running some commands can cause tmm to core. |
505037-2 | 3-Major | K01993279 | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop |
486735-5 | 3-Major | Maximum connections is not accurate when TMM load is uneven | |
451627-2 | 3-Major | If the key associated with a monitor is stored in an external HSM, the monitor fails. | |
433572-4 | 3-Major | DTLS does not work with rfcdtls cipher on the B2250 blade | |
431480-1 | 3-Major | K17297 | Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message |
405898-2 | 3-Major | If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected | |
374067-7 | 3-Major | K14098 | Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections |
369640-1 | 3-Major | K17195 | Folder path objects in iRules can have only a single context per script |
315765-5 | 3-Major | The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled. | |
987885-1 | 4-Minor | Half-open unclean SSL termination might not close the connection properly | |
982993-1 | 4-Minor | Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail | |
962433-1 | 4-Minor | HTTP::retry for a HEAD request fails to create new connection | |
962181-5 | 4-Minor | iRule POLICY command fails in server-side events | |
962177-5 | 4-Minor | Results of POLICY::names and POLICY::rules commands may be incorrect | |
935593-1 | 4-Minor | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | |
932553-1 | 4-Minor | An HTTP request is not served when a remote logging server is down | |
931469-3 | 4-Minor | Redundant socket close when half-open monitor pings | |
929429-6 | 4-Minor | Oracle database monitor uses excessive CPU when Platform FIPS is licensed | |
922005-7 | 4-Minor | Stats on a certain counter for web-acceleration profile may show excessive value | |
911853-2 | 4-Minor | Stream filter chunk-size limits filter to a single match per ingress buffer | |
898753-1 | 4-Minor | Multicast control-plane traffic requires handling with AFM policies | |
898201-6 | 4-Minor | FQDN nodes are not populated after a BIG-IP reboot when the DNS server is accessed through a local virtual server. | |
890881 | 4-Minor | ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address | |
880697-6 | 4-Minor | URI::query command returns the fragment part instead of the query part | |
865341 | 4-Minor | SSL::collect and SSL::release in an iRule cause a connection reset | |
838305-1 | 4-Minor | BIG-IP may create multiple connections for packets that should belong to a single flow. | |
834217-2 | 4-Minor | Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window. | |
832233-5 | 4-Minor | The iRule regexp command issues an incorrect warning | |
814037-3 | 4-Minor | No virtual server name in Hardware Syncookie activation logs. | |
812949 | 4-Minor | P2P failure while connecting with Cisco router when firewall is enabled. | |
801705-1 | 4-Minor | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | |
787905-1 | 4-Minor | Improve initializing TCP analytics for FastL4 | |
773253-1 | 4-Minor | The BIG-IP may send VLAN failsafe probes from a disabled blade | |
772297-4 | 4-Minor | LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade | |
763197-1 | 4-Minor | Flows not mirrored on wildcard Virtual Server with opaque VLAN group | |
761913-1 | 4-Minor | iRule checksum created in GUI might cause config load failure in tmsh | |
760683-3 | 4-Minor | RST from non-floating self-ip may use floating self-ip source mac-address | |
757777-1 | 4-Minor | bigtcp does not issue a RST in all circumstances | |
748333-3 | 4-Minor | DHCP Relay does not retain client source IP address for chained relay mode | |
747628-4 | 4-Minor | BIG-IP sends spurious ICMP PMTU message to server | |
743253-5 | 4-Minor | TSO in software re-segments L3 fragments. | |
743116-1 | 4-Minor | Chunked responses may be incorrectly handled by HTTP/2 | |
738045-2 | 4-Minor | HTTP filter complains about invalid action in the LTM log file. | |
724746-2 | 4-Minor | Incorrect RST message after 'reject' command | |
722534-4 | 4-Minor | load sys config merge not supported for iRulesLX | |
717806-5 | 4-Minor | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | |
702281-2 | 4-Minor | OneConnect header transformations may cause some Websocket connections to reset. | |
699076-3 | 4-Minor | URI::path iRules command warns when end and start values are equal | |
697988-2 | 4-Minor | K34554754 | During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100% |
697626 | 4-Minor | iRules LX: Cannot modify workspace imported by "Import From Workspace" | |
693966-2 | 4-Minor | TCP sndpack not reset along with other tcp profile stats | |
693901-3 | 4-Minor | Active FTP data connection may change source port on client-side | |
689231 | 4-Minor | MSSQL filter assumes 64-bit token done row count field | |
688557-3 | 4-Minor | K50462482 | Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull' |
688542-1 | 4-Minor | SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request | |
680680-2 | 4-Minor | The POP3 monitor used to send STAT command on v10.x, but now sends LIST command | |
677270-2 | 4-Minor | K76116244 | Trailing comments in iRules are removed from the config when entered/loaded in TMSH or Configuration Utility |
665777 | 4-Minor | TMM0 on the secondary blade sends out extra ARP replies | |
664596-1 | 4-Minor | One LTM policy causes a different policy to not execute | |
657118-1 | 4-Minor | Tmm crash | |
652577-2 | 4-Minor | Changes to MAC Masquerading may cause the Standby unit to be unable to reach the floating Self-IP address | |
651005-3 | 4-Minor | FTP data connection may use incorrect auto-lasthop settings. | |
646495-2 | 4-Minor | BIG-IP may send oversized TCP segments on traffic it originates | |
640704 | 4-Minor | K20418658 | A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses★ |
636348-3 | 4-Minor | BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset. | |
635871-1 | 4-Minor | tmsh validation of hash persistence timeout setting is incorrect | |
632901-1 | 4-Minor | K03112333 | JET documentation incorrect for RESOLV::lookup |
622876-1 | 4-Minor | Certificate serial number is not displayed properly in OCSP Stapling logs. | |
621843-1 | 4-Minor | The ipother proxy sends ICMP error messages to the wrong side | |
603380-6 | 4-Minor | Very large number of log messages in /var/log/ltm with ICMP unreachable packets. | |
599048-1 | 4-Minor | BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option | |
594547 | 4-Minor | LTM policy TCP address selector offers only the condition 'match any of' | |
593396-1 | 4-Minor | Stateless virtual servers may not work correctly with route pools or ECMP routes | |
592620-1 | 4-Minor | iRule validation does not catch incorrect 'after' syntax | |
586138-1 | 4-Minor | K84112154 | Inconsistent display of route-domain information in administrative partitions. |
584772 | 4-Minor | ssldump may crash when decrypting bad records | |
571622-1 | 4-Minor | 'Exceeding pool member limit' error with FQDN pool members and non-LTM license | |
564634-5 | 4-Minor | Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool | |
552988-2 | 4-Minor | Cannot enable MPTCP on some profiles in GUI. | |
544958-4 | 4-Minor | Monitor packets are sent even when the pool member is 'Forced Offline'. | |
539026-5 | 4-Minor | Stats refinements for reporting Unhandled Query Actions :: Drops | |
527004-4 | 4-Minor | Monitor delete-and-create within a transaction fails | |
499404-1 | 4-Minor | K15457342 | FastL4 does not honor the MSS override value in the FastL4 profile with syncookies |
477992-3 | 4-Minor | K07450534 | Instance-specific monitor logging fails for pool members created in iApps |
474901-1 | 4-Minor | Profiles with a large number of regexps can cause excessive memory usage. | |
470807-3 | 4-Minor | iRule data-groups are not checked for existence | |
370573-2 | 4-Minor | iRule STREAM command internal error causes connection drop | |
222409-6 | 4-Minor | K9952 | The HTTP::path iRule command may return more information than expected |
979213-5 | 5-Cosmetic | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | |
897437-1 | 5-Cosmetic | First retransmission might happen after syn-rto-base instead of minimum-rto. | |
873249-5 | 5-Cosmetic | Switching from fast_merge to slow_merge can result in incorrect tmm stats | |
859717-5 | 5-Cosmetic | ICMP-limit-related warning messages in /var/log/ltm | |
687579 | 5-Cosmetic | TMSH incorrectly allows setting snat-translation ip-idle-timeout to zero. | |
625156-2 | 2-Critical | K50524736 | Bigd memory leak |
Performance Issues
ID Number | Severity | Solution Article(s) | Description |
632838-1 | 3-Major | Deterministic NAT performance may be degraded | |
567513-4 | 3-Major | Erroneous syncookie flag in HSB return descriptor causes the BIG-IP system to pass through the ACK packets after the session is closed. | |
616021-1 | 4-Minor | K93089152 | Name Validation missing for some GTM objects |
Global Traffic Manager (DNS) Issues
ID Number | Severity | Solution Article(s) | Description |
933405-6 | 1-Blocking | K34257075 | Zonerunner GUI hangs when attempting to list Resource Records |
960437-5 | 2-Critical | The BIG-IP system may initially fail to resolve some DNS queries | |
918597-3 | 2-Critical | Under certain conditions, deleting a topology record can result in a crash. | |
913729-2 | 2-Critical | Support for DNSSEC Lookaside Validation (DLV) has been removed. | |
905557-4 | 2-Critical | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | |
837637-7 | 2-Critical | K02038650 | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ |
722741-4 | 2-Critical | Damaged tmm dns db file causes zxfrd/tmm core | |
685915-1 | 2-Critical | Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured | |
675731-2 | 2-Critical | Certain types of GTM Pools not displaying while listing WideIPs | |
264701-1 | 2-Critical | K10066 | GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608) |
990929-6 | 3-Major | Status of GTM monitor instance is constantly flapping | |
987709-2 | 3-Major | Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition | |
973341-6 | 3-Major | Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt | |
973261-6 | 3-Major | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | |
969553-5 | 3-Major | DNS cache returns SERVFAIL | |
967737-6 | 3-Major | DNS Express: SOA stops showing up in statistics from second zone transfer | |
966461-3 | 3-Major | Tmm leaks memory after each DNSSEC query when netHSM is not connected | |
958325-5 | 3-Major | Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB | |
936777-6 | 3-Major | Old local config is synced to other devices in the sync group. | |
926593-5 | 3-Major | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' | |
921625-6 | 3-Major | The certs extend function does not work for GTM/DNS sync group | |
921549-1 | 3-Major | The gtmd process does not receive updates from local big3d. | |
920817-2 | 3-Major | DNS Resource Records can be lost in certain circumstances | |
911241-2 | 3-Major | The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug | |
903521-6 | 3-Major | TMM fails to sign responses from BIND when BIND has 'dnssec-enable no' | |
899253-2 | 3-Major | [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist | |
890285-3 | 3-Major | DNS resolver cannot forward DNS query to local IPv6 virtual server | |
863917-5 | 3-Major | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | |
851341 | 3-Major | DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs | |
799657-1 | 3-Major | Name validation missing control characters for some GTM objects | |
781829-3 | 3-Major | GTM TCP monitor does not check the RECV string if the server response string does not end with \n | |
760615-5 | 3-Major | Virtual Server discovery may not work after a GTM device is removed from the sync group | |
758772-5 | 3-Major | DNS Cache RRSET Evictions Stat not increasing | |
757464-4 | 3-Major | DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record | |
756177-3 | 3-Major | GTM marks pool members down across datacenters | |
754901-4 | 3-Major | Frequent zone update notifications may cause TMM to restart | |
749222-4 | 3-Major | dname compression offset overflow causes bad compression pointer | |
744787-1 | 3-Major | K04201069 | Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias |
739553-4 | 3-Major | Setting large number for Wide IP Persistence TTL breaks Wide IP persistence | |
737529-1 | 3-Major | [GTM] load or save configs removes backslash \ from GTM pool member name | |
723095-1 | 3-Major | tmsh "modify gtm pool <type> all ... " commands fail | |
716701-2 | 3-Major | In iControl REST: Unable to create Topology when STATE name contains space | |
714507-4 | 3-Major | [tmsh] list gtm pool show does not list pool member depends-on if there is a virtual server dependency in the GTM server | |
712500-2 | 3-Major | Unhandled Query Action Drops Stat does not increment after transparent cache miss | |
704176-1 | 3-Major | K22540391 | Monitor instances may not get deleted during configuration merge load |
701232-1 | 3-Major | Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation | |
700118-2 | 3-Major | rrset statistics unavailable | |
699512-3 | 3-Major | UDP packet may be dropped when queued in parallel with another packet | |
698211-3 | 3-Major | K35504512 | DNS express response to non-existent record is NOERROR instead of NXDOMAIN. |
689583-3 | 3-Major | Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption. | |
689117-1 | 3-Major | Transfer Complete log message now includes the SOA Serial number | |
688335-3 | 3-Major | K00502202 | Big3d may restart in a loop on secondary blades of a chassis system |
679316-1 | 3-Major | iQuery connections reset during SSL renegotiation | |
677526-2 | 3-Major | Memory leak may occur during connflow failures. | |
659930-1 | 3-Major | Enterprise Manager may receive malformed data if there are multiple monitors on a pool | |
529896-2 | 3-Major | DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared | |
523198-1 | 3-Major | DNS resolver multiplexing might cause unexpected behaviors | |
517609-3 | 3-Major | K77005041 | GTM Monitor Needs Special Escape Character Treatment |
222220-1 | 3-Major | Distributed application statistics | |
959613-6 | 4-Minor | SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason | |
947217-1 | 4-Minor | Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★ | |
889801-5 | 4-Minor | Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE. | |
885201-5 | 4-Minor | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session' messages appearing in gtm log | |
853585-4 | 4-Minor | REST Wide IP object presents an inconsistent lastResortPool value | |
839361-1 | 4-Minor | iRule 'drop' command does not drop packets when used in DNS_RESPONSE | |
790113-5 | 4-Minor | Cannot remove all wide IPs from GTM distributed application via iControl REST | |
767989-1 | 4-Minor | DNSSEC RRSIG Inception Offset | |
752216-3 | 4-Minor | K33587043 | DNS queries without the RD bit set may generate responses with the RD bit set |
740284-3 | 4-Minor | Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM' | |
717113-1 | 4-Minor | It is possible to add the same GSLB Pool monitor multiple times | |
688266-3 | 4-Minor | big3d and big3d_install use different logic to determine which version of big3d is newer | |
674754-2 | 4-Minor | ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact | |
666258-2 | 4-Minor | GTM/DNS manual resume pool member not saved to config when disabled | |
665117-2 | 4-Minor | K33318158 | When DNS is configured with 2 Generic hosts for different data centers with the same monitors, server status flaps |
648806-1 | 4-Minor | Invalid "with the first highest ratio counter" logging for pool member ratio load balance | |
643455-2 | 4-Minor | Update TTL for equally trusted records only | |
480795 | 4-Minor | GTM: Moving an address from one high availability (HA) redundant LTM to another might cause BIG-IP monitor failure | |
588229-1 | 5-Cosmetic | DNS protocol default profiles can be deleted after being modified. | |
Application Security Manager Issues
ID Number | Severity | Solution Article(s) | Description |
940249-5 | 2-Critical | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | |
903453-1 | 2-Critical | TMM crash following redirect when Proactive Bot Defense is used | |
879841-1 | 2-Critical | Domain cookie same-site option is missing "None" as a value in GUI and REST | |
865461-5 | 2-Critical | BD crash on specific scenario | |
784337 | 2-Critical | False positive header related violation | |
725887-2 | 2-Critical | BD crash on specific scenario | |
612584-1 | 2-Critical | K34500121 | Server side blocking/asm cookie setting may not work under some circumstances |
591113-2 | 2-Critical | K45901635 | CSRF injection leading to blank page |
974513-5 | 3-Major | Dropped requests are reported as blocked in Reporting/charts | |
966613-1 | 3-Major | Cannot create XML profile based on WSDL when the WSDL contains an empty soap:address; the error 'Column 'object_uri' cannot be null' is returned | |
962497-6 | 3-Major | BD crash after ICAP response | |
962493-1 | 3-Major | Request is not logged | |
962489-1 | 3-Major | False positive enforcement of parameters with specific configuration | |
955017-6 | 3-Major | Excessive CPU consumption by asm_config_event_handler | |
940897-6 | 3-Major | Violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached | |
926845-2 | 3-Major | Inactive ASM policies are deleted upon upgrade | |
923221-6 | 3-Major | BD does not use all the CPU cores | |
920961-5 | 3-Major | Devices incorrectly report 'In Sync' after an incremental sync | |
907337-6 | 3-Major | BD crash on specific scenario | |
905681-2 | 3-Major | Incorrect enforcement of policy parameters | |
898825-6 | 3-Major | Attack signatures are enforced on excluded headers under some conditions | |
888289-5 | 3-Major | Add option to skip percent characters during normalization | |
868721-5 | 3-Major | Transactions are held for a long time on specific server related conditions | |
857633-5 | 3-Major | Attack Type (SSRF) appears incorrectly in REST result | |
853989-6 | 3-Major | DoSL7 logs break the CEF connector by populating strings into numeric fields | |
842257 | 3-Major | Unable to create 'Login Page' from 'Brute Force Protection' | |
829029-4 | 3-Major | Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error | |
797813-1 | 3-Major | TMM memory grows on custom bot signature with empty domain | |
785529-4 | 3-Major | ASM is unable to handle ICAP responses whose length is greater than 10K | |
781605-2 | 3-Major | Fix RFC issue with the multipart parser | |
781021-4 | 3-Major | ASM modifies cookie header causing it to be non-compliant with RFC6265 | |
764373-5 | 3-Major | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths | |
760949-1 | 3-Major | Empty hostname in remote log after modification | |
751710-1 | 3-Major | False positive cookie hijacking violation | |
746682 | 3-Major | ASM unable to display *any* event logs, unless they are searched for by support ID | |
739618-4 | 3-Major | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | |
718232-1 | 3-Major | Some FTP servers may cause false positive for ftp_security | |
711818-1 | 3-Major | Connection might be reset when arriving at a virtual server with an offload iRule | |
701025-1 | 3-Major | BD restart on a device where 'provision.tmmcountactual' is set to a non-default value | |
694934-3 | 3-Major | bd crashes on a very specific and rare scenario | |
694657-2 | 3-Major | ASM GUI displaying inconsistent policy sync version information | |
689987-2 | 3-Major | Requests are not logged on new virtual servers after UCS load while ASM is running | |
689982-1 | 3-Major | FTP Protocol Security breaks FTP connection | |
678322 | 3-Major | Missing Response Page for 'Login' is not populated upon upgrade | |
674256-3 | 3-Major | K60745057 | False positive cookie hijacking violation |
670501-5 | 3-Major | K85074430 | ASM policies are either not (fully) created or not (fully) deleted on the HA peer device |
660326-2 | 3-Major | Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.★ | |
657531-2 | 3-Major | K02310615 | High memory usage when using the ICAP server |
636412-1 | 3-Major | ASM start process fails with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities | |
633454-1 | 3-Major | Older versions of Chrome get blocked when Proactive Bot Defense is enabled. | |
631715-1 | 3-Major | ASM::disable does not disable client side challenges | |
625108-1 | 3-Major | Learn flags of subviolations are incorrectly updated when all violations are updated by REST | |
590851-4 | 3-Major | "never log" IPs are still reported to AVR | |
589606-2 | 3-Major | CSRF enabled within an iframe request causes unpredictable behavior on a website. | |
574113-2 | 3-Major | Block All - Session Tracking Status is not persisted across an auto-sync device group | |
841985-6 | 4-Minor | TSUI GUI stuck for the same session during long actions | |
824093-2 | 4-Minor | Parameters payload parser issue | |
761091 | 4-Minor | Missing charset specification in response page after upgrade | |
759008 | 4-Minor | DoSL7 site_severity always equals "1" in remote log | |
747905 | 4-Minor | 'Illegal Query String Length' violation displays wrong length | |
747760 | 4-Minor | Attack Signatures page: filter applied by another user may replace currently applied filter | |
746984-2 | 4-Minor | False positive evasion violation | |
734241 | 4-Minor | 'Detection Evasion' violations might not report violation details in their reports or in the GUI | |
720588 | 4-Minor | Pages not loading correctly when AJAX response page is enabled | |
720581-3 | 4-Minor | Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files | |
708576-1 | 4-Minor | Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour | |
706930 | 4-Minor | "Enforce Ready" button has no effect for Signatures for Inactive Policy | |
702350 | 4-Minor | FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS | |
700989-2 | 4-Minor | Better detection of browser extensions | |
699898-3 | 4-Minor | Wrong policy version time in policy created after synchronization between active and standby machines. | |
698917 | 4-Minor | Unexpected additional policy is created while creating a policy from a template via REST | |
688833-2 | 4-Minor | Inconsistent XFF field in ASM log depending on violation category | |
640751-2 | 4-Minor | No PCRE Validation Performed For Regular Expression Parameters | |
637686-2 | 4-Minor | relax_unicode_in_xml should become the default behavior | |
627144 | 4-Minor | Two users cannot create policies at the same time. | |
623779-2 | 4-Minor | Adding a client side challenge whitelist URL wildcard list | |
618693-3 | 4-Minor | Web Scraping session_opening_anomaly reports the wrong route domain for the source IP | |
618503-1 | 4-Minor | Irrelevant fields visible in Logging profile | |
547428-3 | 4-Minor | Unexpected storage-format string causes asm restart | |
513887-8 | 4-Minor | The audit logs report that there is an unsuccessful attempt to install a mysql user on the system | |
Application Visibility and Reporting Issues
ID Number | Severity | Solution Article(s) | Description |
828937-5 | 2-Critical | K45725467 | Some systems can experience periodic high IO wait due to AVR data aggregation |
932137-2 | 3-Major | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | |
869049-1 | 3-Major | Charts discrepancy in AVR reports | |
852577-4 | 3-Major | [AVR] Analytic goodput graph between different time period has big discrepancy | |
740086-2 | 3-Major | AVR reports ignore partitions for Admin users | |
713283-2 | 3-Major | Missing transaction count in application security report under view by IP Intelligence | |
707204 | 3-Major | If the system has more than 264 analytics profiles, the upgrade fails. | |
703196-3 | 3-Major | Reports for AVR are missing data | |
702933 | 3-Major | Loading UCS with different provisioning can cause a single TMM crash | |
700035-3 | 3-Major | /var/log/avr/monpd.disk.provision does not rotate | |
688826-1 | 3-Major | Charts discrepancy in AVR reports | |
688813-1 | 3-Major | K23345645 | Some ASM tables can massively grow in size. |
683177-2 | 3-Major | Can't drilldown or filter by 'Client Countries' | |
665425-4 | 3-Major | K24182390 | AVR Max metrics shows wrong values |
654915-3 | 3-Major | Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address | |
652222-1 | 3-Major | Sending scheduled-reports will fail due to lack of backend support | |
636104-2 | 3-Major | If pool member is defined with port 0, member may not be visible on the HTTP dimension pane. | |
605414-1 | 3-Major | K23230852 | Mysqld and bcm56xxd seem to run at 100% on vCMP host. |
600634-2 | 3-Major | Schedule-reports can break the upgrade process★ | |
588626 | 3-Major | Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member). | |
493524 | 3-Major | ASM attack appears ongoing forever if dosl7d is restarted during an attack | |
473755-1 | 3-Major | It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side | |
896641 | 4-Minor | Large /var/avr/.AVR_TMP_MERGE_STEP101 file continues to grow | |
754330 | 4-Minor | Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected | |
930217-6 | 5-Cosmetic | Zone colors in ASM swap usage graph are incorrect | |
Access Policy Manager Issues
ID Number | Severity | Solution Article(s) | Description |
926689-1 | 1-Blocking | K31523705 | [APM] ActiveX-based RDP AppTunnel fails on 12.1.2.5 for all users★ |
904441-6 | 2-Critical | APM vs_score for GTM-APM load balancing is not calculated correctly | |
889497 | 2-Critical | Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage | |
708005-3 | 2-Critical | K12423316 | Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources |
701944-2 | 2-Critical | K42284762 | machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6 |
670367-2 | 2-Critical | K39391280 | On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation. |
668849-1 | 2-Critical | Upgrade failure for apm-log-setting objects★ | |
660826-1 | 2-Critical | BIG-IQ Deployment fails with customization-templates | |
658103 | 2-Critical | K00652162 | TMM core while adding logging action to APM SWG |
647590-2 | 2-Critical | Apmd crashes with segmentation fault when trying to load access policy | |
633349-3 | 2-Critical | K86613330 | localdbmgr hangs and eventually crashes |
618637-1 | 2-Critical | Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error | |
614364-1 | 2-Critical | Linux client NA components cannot be installed using either the sudo password or the root password | |
582440-4 | 2-Critical | Linux client does not restore route to the default GW on Ubuntu 15.10 | |
574318-3 | 2-Critical | Unable to resume session when switching to Protected Workspace | |
969317-1 | 3-Major | "Restrict to Single Client IP" option is ignored for vmware VDI | |
942953-3 | 3-Major | Keyboard locks during Windows Edge client logon when just a control button is pressed. | |
932781-3 | 3-Major | K14154376 | VPN fails to establish on Windows systems where 'Secure Boot' is enabled. |
925573-5 | 3-Major | SIGSEGV: receiving a sessiondb callback response after the flow is aborted | |
915509-5 | 3-Major | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true | |
899781-1 | 3-Major | Custom dialup does not establish VPN | |
863453 | 3-Major | Internet Explorer restart is required after VPN plugin is upgraded to 12.1.5 | |
846425 | 3-Major | APM configsnapshots are not created when a blade transitions from secondary to primary | |
825813-2 | 3-Major | Notarize APM Clients to support macOS Catalina | |
815753-5 | 3-Major | TMM leaks memory when explicit SWG is configured with Kerberos authentication | |
760974-2 | 3-Major | TMM SIGABRT while evaluating access policy | |
754201-3 | 3-Major | Windows Logon Integration throws Invalid Handle error | |
750823-4 | 3-Major | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | |
750649-3 | 3-Major | K74214174 | Windows Logon Integration does not work |
750631-3 | 3-Major | There may be a latency between session termination and deletion of its associated IP address mapping | |
748632 | 3-Major | APM Endpoint inspection fails on macOS Mojave | |
747337 | 3-Major | AAA CRLDP configurations configured using the 'No Server' option may be rendered incorrectly while using IE v11 | |
746771-2 | 3-Major | APMD recreates config snapshots for all access profiles every minute | |
744316-3 | 3-Major | Config sync of APM policy fails with Cannot update_indexes validation error. | |
738865-5 | 3-Major | MCPD might enter into loop during APM config validation | |
724571-3 | 3-Major | Importing access profile takes a long time | |
711056-3 | 3-Major | License check VPE expression fails when access profile name contains dots | |
710044-1 | 3-Major | Portal Access: same-origin AJAX request may fail in some cases. | |
707953-1 | 3-Major | Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page | |
697590-5 | 3-Major | APM iRule ACCESS::session remove fails outside of Access events | |
695985-1 | 3-Major | Access HUD filter has URL length limit (4096 bytes) | |
687213-1 | 3-Major | When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED | |
686206-1 | 3-Major | Machine Info agent does not collect complete information on disconnected network adapters | |
682751-5 | 3-Major | Kerberos keytab file content may be visible. | |
679735-1 | 3-Major | Multidomain SSO infinite redirects from session ID parameters | |
677646-1 | 3-Major | K62171231 | System cannot boot up due to prior aborted installation★ |
676854-1 | 3-Major | CRL Authentication agent will hang waiting on unresponsive authentication server. | |
676300-5 | 3-Major | K04551025 | EPSEC binaries may fail to upgrade in some cases★ |
670456-3 | 3-Major | Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number | |
667518 | 3-Major | SSO Configurations update is failing from UI | |
666233-1 | 3-Major | Localdbmgr process cores | |
658278-3 | 3-Major | Network Access configuration with Layered-VS does not work with Edge Client | |
640924-1 | 3-Major | On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly | |
636866-3 | 3-Major | Access Policy with a secure attribute object can fail at runtime for users, if admins perform AP export/import at the same time | |
632958-2 | 3-Major | APM MIB gauges not reset on standby device | |
625165-3 | 3-Major | Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers. | |
621158-1 | 3-Major | F5vpn does not close upon closing session | |
619667-1 | 3-Major | K34751151 | Allow Local DNS Servers is not honored on Mac OS X |
617629-1 | 3-Major | Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab | |
614072-1 | 3-Major | Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session. | |
611485-1 | 3-Major | APM AAA RADIUS server address cannot be a multicast IPv6 address.★ | |
610077-2 | 3-Major | Access Policy Manager CRL cache is locked out for CRLDP authentication | |
609043-1 | 3-Major | When BIG-IP processes SAML Single logout request/response, tmm cores intermittently. | |
605018-2 | 3-Major | K47516511 | Citrix StoreFront integration mode with pass through authentication fails for browser access |
600985-4 | 3-Major | Network access tunnel data stalls | |
600872-1 | 3-Major | Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms. | |
592591-2 | 3-Major | Deleting/Modifying access profile prompts for apply access policy for other untouched access profiles | |
591060-1 | 3-Major | APMD high CPU utilization | |
584716-1 | 3-Major | SAML XML Canonicalization on BIG-IP as IdP may return invalid value if AuthnRequest is formed in a special way | |
582606-1 | 3-Major | IPv6 downloads stall when NA IPv4&IPv6 is used. | |
578989-5 | 3-Major | Maximum request body size is limited to 25 MB | |
572519-1 | 3-Major | More than one header name/value pair not accepted by ACCESS::respond | |
571503-1 | 3-Major | Windows Edge client cannot detect local LAN in some cases | |
560601-1 | 3-Major | HTML5 File API and MediaSource URLs are blocked in Portal Access | |
559402-4 | 3-Major | Client initiated form based SSO fails when username and password not replaced correctly while posting the form | |
559082-2 | 3-Major | Tunnel details are not shown for MAC Edge client | |
554504 | 3-Major | Client OS version not logged in Browser/OS Reports for iOS client devices | |
552444-1 | 3-Major | Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD | |
547692-3 | 3-Major | Firewall-blocked KPASSWD service does not cause domain join operation to fail | |
541622-2 | 3-Major | APD/APMD Crashes While Verifying CAPTCHA | |
535119-1 | 3-Major | APM log tables initial rotation in MySQL may be wrong | |
534187-2 | 3-Major | Passphrase protected signing keys are not supported by SAML IDP/SP | |
530092-2 | 3-Major | AD/LDAP groupmapping is overencoding group names with backslashes | |
527119-4 | 3-Major | An iframe document body might be null after iframe creation in rewritten document. | |
526519-1 | 3-Major | APM sessiondump command can produce binary data | |
525378 | 3-Major | iRule commands do not validate session scope | |
520500-4 | 3-Major | Connection inside Windows VPN tunnel may break if renegotiation is enabled in SSL profile | |
509596-1 | 3-Major | K44043455 | iFrames with 'javascript:' scheme in SRC may not work |
494135-1 | 3-Major | K43101043 | HTML Event handlers may not work if 'eval' is redefined |
482625-1 | 3-Major | Pages with utf-8 Content-Type and utf-16 META tag do not render | |
470346-5 | 3-Major | Some IPv6 client connections get RST when connecting to APM virtual | |
450136-3 | 3-Major | Occasionally customers see chunk boundaries as part of HTTP response | |
435419-4 | 3-Major | K10402225 | Install of partial EPSEC file causes mcpd to crash, followed by multiple cores. |
417819-2 | 3-Major | K69046914 | APM - with Edge Clients, some JS content differs, causing a warning |
414713-1 | 3-Major | K51880413 | Hosted Content connected object import issues |
369407-3 | 3-Major | Access policy objects are created inconsistently depending on whether created using wizard or manually. | |
362511 | 3-Major | K52162658 | HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs |
944093-5 | 4-Minor | Maximum remaining session's time on user's webtop can flip/flop | |
766761-5 | 4-Minor | Ant-server does not log requests that are excluded from scanning | |
747234-3 | 4-Minor | Macro policy does not find corresponding access-profile directly | |
734595-1 | 4-Minor | sp-connector is not being deleted together with profile | |
712542-1 | 4-Minor | Network Access client caches the response for /pre/config.php | |
712321 | 4-Minor | Missing reference to customization-group from connectivity profile if created via network access wizard | |
708176 | 4-Minor | SNMP OIDs (NA throughput) incorrect when compression is disabled | |
686722-2 | 4-Minor | When BIG-IP systems are deployed as SAML IdP, Single Logout Request processing fails if the optional field 'Name ID' is missing in the request. | |
686718 | 4-Minor | VPN tunnel adapter stays up in some cases | |
679751-4 | 4-Minor | Authorization header can cause a connection reset | |
666497-3 | 4-Minor | Some of the Korean translations in Windows Edge Client were incorrect | |
627384-1 | 4-Minor | eamtest tool fails with Segmentation fault after initialization. | |
619099 | 4-Minor | 'General Database Error' while changing the Admin UI authentication type | |
612758-1 | 4-Minor | K46453748 | Exception within function F5_Inflate_innerHTML. |
611327-1 | 4-Minor | K35559723 | Using an established app tunnel may display a Java exception error message. |
610436-3 | 4-Minor | K13222132 | DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10. |
608453-1 | 4-Minor | Shrink/Expand imgs of Webtop Section is customizable | |
607684 | 4-Minor | tmsh provides option to delete all URLs from a custom category, which is not possible | |
604050 | 4-Minor | Failed to get master key (ERR_NOT_FOUND) in apm log on first boot | |
589367-2 | 4-Minor | Some Edge Client's German translations are incorrect | |
579652-1 | 4-Minor | Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed. | |
567503-1 | 4-Minor | K03293396 | ACCESS::session remove can result in confusing ERR_NOT_FOUND logs |
563651-2 | 4-Minor | Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★ | |
523158-1 | 4-Minor | In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails | |
510034-2 | 4-Minor | Access Policy memory is not cleared between access policy executions | |
496621-1 | 4-Minor | Portal Access incorrectly rewrites expressions with the JavaScript typeof operator | |
478450-5 | 4-Minor | Improve log details when "Detection invalid host header ()" is logged |
WebAccelerator Issues
ID Number | Severity | Solution Article(s) | Description |
598908-2 | 2-Critical | K07353428 | Passing an empty URI to AAM might cause tmm to core. |
900825-4 | 3-Major | WAM image optimization can leak entity reference when demoting to unoptimized image | |
890573-4 | 3-Major | BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart | |
890401-4 | 3-Major | Restore correct handling of small objects when the conditions to change cache type are satisfied | |
792045-4 | 3-Major | Prevent WAM cache type change for small objects | |
701977-3 | 3-Major | Non-URL encoded links to CSS files are not stripped from the response during concatenation | |
596569-3 | 3-Major | Memory leak on Central device in Symmetric deployment | |
751383-3 | 4-Minor | Invalidation trigger parameter values are limited to 256 bytes | |
748031-4 | 4-Minor | Invalidation trigger parameter containing reserved XML characters does not create invalidation rule | |
686318 | 4-Minor | Inter TMM Caching Delay | |
674992-3 | 4-Minor | AAM traffic report's time period doesn't always apply | |
489960-2 | 4-Minor | Memory type stats is incorrect | |
467589-4 | 4-Minor | Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error. |
Service Provider Issues
ID Number | Severity | Solution Article(s) | Description |
814097-5 | 2-Critical | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. | |
745397-4 | 2-Critical | Virtual server configured with FIX profile can leak memory. | |
689343-3 | 2-Critical | Diameter persistence entries with bi-directional flag created with 10 sec timeout | |
898997-6 | 3-Major | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | |
891385-6 | 3-Major | Add support for URI protocol type "urn" in MRF SIP load balancing | |
882273-2 | 3-Major | MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow | |
815529-5 | 3-Major | MRF outbound messages are dropped in per-peer mode | |
811745-5 | 3-Major | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected | |
804313-5 | 3-Major | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. | |
790949-5 | 3-Major | MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior. | |
759077-6 | 3-Major | MRF SIP filter queue sizes not configurable | |
755630-3 | 3-Major | MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes | |
755311-4 | 3-Major | No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down | |
754617-3 | 3-Major | iRule 'DIAMETER::avp read' command does not work with 'source' option | |
753501-4 | 3-Major | iRule commands (such as relate_server) do not work with MRF SIP | |
751179-4 | 3-Major | MRF: Race condition may create too many outgoing connections to a peer | |
749603-4 | 3-Major | MRF SIP ALG: Potential to end wrong call when BYE received | |
749528-4 | 3-Major | IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap | |
748253-4 | 3-Major | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | |
747995-1 | 3-Major | MBLB SIP dropping packets with unknown methods | |
746731-4 | 3-Major | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | |
744275-4 | 3-Major | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | |
742829-4 | 3-Major | SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0 | |
738070-3 | 3-Major | Persist value for the RADIUS Framed-IP-Address attribute is not correct | |
727288-4 | 3-Major | Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC | |
698911 | 3-Major | Periodically SIP requests are not sent to the server | |
696348-1 | 3-Major | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | |
691048-3 | 3-Major | K34553736 | Support DIAMETER Experimental-Result AVP response |
676709-2 | 3-Major | K37604585 | Diameter virtual server has different behavior of connection-prime when persistence is on/off |
669978-4 | 3-Major | K15204204 | SIP monitor - Via header's branch parameter collision. |
647158-3 | 3-Major | K76581555 | Internal virtual server inherits CMP hash mode from parent virtual server |
612143-2 | 3-Major | Potential tmm core when two connections add the same persistence record simultaneously. | |
583101-2 | 3-Major | ADAPT::result bypass after continue causes bad state transition | |
913125-1 | 4-Minor | Ratio session based Load balancing does not work | |
600431-6 | 4-Minor | DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP |
Advanced Firewall Manager Issues
ID Number | Severity | Solution Article(s) | Description |
938165-5 | 2-Critical | TMM Core after attempted update of IP geolocation database file | |
717909-2 | 2-Critical | tmm can abort on sPVA flush if the HSB flush does not succeed | |
713629-1 | 2-Critical | Applying firewall policy to self-ip can cause tmm crash | |
697265 | 2-Critical | MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled. | |
685820-1 | 2-Critical | Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not | |
632839 | 2-Critical | UDP Flood does not get detected if the vector limits are infinite | |
622204-1 | 2-Critical | K14141640 | If a virtual server's name has a "." in it then a DoS profile cannot be attached to it |
620844-1 | 2-Critical | DoS: tmm core after delete packet type from Device Sweep vector | |
867321-1 | 3-Major | Error: Invalid self IP, the IP address already exists. | |
806905 | 3-Major | TMM may crash when using AFM with sPVA and DoS vectors enabled | |
703165 | 3-Major | shared memory leakage | |
693515 | 3-Major | A '+' character in a log profile name causes import to fail | |
686043-3 | 3-Major | dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets | |
679722-2 | 3-Major | Configuration sync failure involving self IP references | |
677302 | 3-Major | Unable to save descriptions for firewall objects | |
663946-2 | 3-Major | The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments | |
651169-3 | 3-Major | The Dashboard does not show an alert when a power supply is unplugged | |
632723-1 | 3-Major | K05079458 | tmm core with remote logging pool in non-zero route domain |
627447 | 3-Major | Sync fails after firewall policy deletion | |
613844 | 3-Major | iApp may fail to install if AFM is provisioned | |
592819-2 | 3-Major | Enabling of whitelists on a protected object requires disabling DoS protection support in hardware | |
592211-1 | 3-Major | CPU stress calculation on BIG-IP also takes into account packets dropped by hardware. | |
591505-1 | 3-Major | Policy may become unsyncable after changing contexts | |
581668 | 3-Major | DNS/SIP whitelisted packets not reported | |
935865-1 | 4-Minor | Rules that share the same name return invalid JSON via REST API | |
714704 | 4-Minor | ICMP unreachable messages sent only from active to standby | |
701555-3 | 4-Minor | DNS Security Logs report Drop action for unhandled rejected DNS queries | |
632246-1 | 4-Minor | Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades. | |
568458 | 5-Cosmetic | DoS vectors must be enabled in both DoS Profile and Device Configuration |
Policy Enforcement Manager Issues
ID Number | Severity | Solution Article(s) | Description |
829657 | 2-Critical | Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses | |
760518-2 | 2-Critical | PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement | |
750491-1 | 2-Critical | PEM Once-Every content insertion action may insert more than once during an interval | |
750490-1 | 2-Critical | PEM content insertion action may insert more than once with Once-Every method | |
726665-1 | 2-Critical | tmm core dump due to SEGFAULT | |
886653-1 | 3-Major | Flow lookup on subsequent packets fail during CMP state change. | |
875401-5 | 3-Major | PEM subscriber lookup can fail for internet-side new connections | |
842989-2 | 3-Major | PEM: tmm could core when running iRules on overloaded systems | |
814941-2 | 3-Major | PEM drops new subscriber creation if historical aggregate creation count reaches the max limit | |
797949-1 | 3-Major | PEM::subscriber delete can leak a connection | |
781485-1 | 3-Major | PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition | |
756311-2 | 3-Major | High CPU during erroneous deletion | |
753163-1 | 3-Major | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days | |
747065-1 | 3-Major | PEM iRule burst of session ADDs leads to missing sessions | |
726011-1 | 3-Major | PEM transaction-enabled policy action lookup optimization to be controlled by a sys db | |
670994-2 | 3-Major | There is no validation for IP address on the ip-address-list for static subscriber | |
640548-1 | 3-Major | In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked. | |
624187-1 | 3-Major | Relocate TUC AVP to group AVP USU | |
564431-3 | 4-Minor | Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail |
Carrier-Grade NAT Issues
ID Number | Severity | Solution Article(s) | Description |
723658 | 2-Critical | TMM core when processing an unexpected remote session DB response. | |
722919 | 3-Major | Memory leak when using SP-DAG and a small LSN pool. | |
751232 | 4-Minor | LSN pool real-time stats are not persisted over reboot | |
721579-1 | 4-Minor | LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing | |
667295-1 | 4-Minor | K51601122 | 'RTSP::header exists' iRule command always returns True |
Fraud Protection Services Issues
ID Number | Severity | Solution Article(s) | Description |
695401 | 3-Major | QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile | |
680298 | 3-Major | FPS may introduce latency even for unprotected pages | |
674297-1 | 3-Major | Custom headers are removed on cross-origin requests | |
660759-4 | 3-Major | Cookie hash persistence sends alerts to application server. | |
652530 | 4-Minor | Parameter names are case sensitive in Internet Explorer 9 only |
Anomaly Detection Services Issues
ID Number | Severity | Solution Article(s) | Description |
818465-1 | 3-Major | Unnecessary memory allocation in AVR module | |
767045-6 | 3-Major | TMM cores while applying policy | |
743464 | 3-Major | DoSL7 attack is not detected when using multiple profiles with Behavioral Detection | |
617324-2 | 3-Major | Service health calculation creates unjustified CPU utilization | |
653573 | 4-Minor | ADMd not cleaning up child rsync processes |
Traffic Classification Engine Issues
ID Number | Severity | Solution Article(s) | Description |
927185 | 2-Critical | TMM ENGHF-12.1.4.1.0.25.6 SIGFPE Assertion "maximum pages" failed | |
913453 | 2-Critical | URL Categorization: wr_urldbd cores while processing urlcat-query | |
887609-1 | 2-Critical | TMM crash when updating urldb blacklist | |
974205-6 | 3-Major | Unconstrained wr_urldbd size causing box to OOM | |
948573 | 3-Major | wr_urldbd list of valid TLDs needs to be updated | |
797277-1 | 3-Major | URL categorization fails when multiple segments present in URL path and belong to different categories. | |
785605-1 | 3-Major | Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group | |
745733-4 | 3-Major | TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup | |
649441-2 | 3-Major | Classification memory allocation |
Device Management Issues
ID Number | Severity | Solution Article(s) | Description |
710809-6 | 2-Critical | Restjavad hangs and causes GUI page timeouts | |
942521-2 | 3-Major | Certificate Managers are unable to move certificates to BIG-IP via REST | |
839597-1 | 3-Major | Restjavad fails to start if provision.extramb has a large value | |
767613-4 | 3-Major | Restjavad can keep partially downloaded files open indefinitely | |
667661-2 | 3-Major | K69015104 | Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath' |
688177-2 | 4-Minor | Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade | |
619397-5 | 4-Minor | K04055706 | LCD shows error screen on boot or after license expires |
iApp Technology Issues
ID Number | Severity | Solution Article(s) | Description |
758520 | 2-Critical | Deploying the f5_microsoft_exchange_2010_2013 template generates erroneous APM policy customization-group. | |
974193-5 | 3-Major | Error when trying to create a new f5.vmware_view.v1.5.9 iApp | |
842193-5 | 3-Major | Scriptd coring while running f5.automated_backup script | |
818069-1 | 3-Major | GUI hangs when iApp produces error message | |
768085-1 | 4-Minor | Error in python script /usr/libexec/iAppsLX_save_pre line 79 |
Known Issue details for BIG-IP v12.1.x
990929-6 : Status of GTM monitor instance is constantly flapping
Component: Global Traffic Manager (DNS)
Symptoms:
Status of GTM monitor instance is constantly flapping.
Conditions:
GTM devices in a GTM sync group configured with IP addresses that cannot communicate with each other.
Impact:
Resources are marked offline constantly.
Workaround:
Remove from the GTM server object definition the IP addresses that do not communicate with each other.
990853-6 : Mcpd restarts on Secondary VIPRION blades upon modifying a vCMP guest's management IP address or gateway.
Component: TMOS
Symptoms:
The mcpd daemon restarts on all secondary VIPRION blades after logging error messages similar to the following example to the /var/log/ltm file:
-- err mcpd[6250]: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition
-- err mcpd[6250]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.3%1) for a VCMP Mgmt IP in partition () references a route domain (1) in a different partition (part1). Objects may only reference objects in the same or the 'Common' partition... failed validation with error 17238410.
Conditions:
-- Multi-blade VIPRION system provisioned as vCMP host.
-- The system is configured with partitions using non-default route-domains.
-- Using the GUI, an Administrator attempts to modify the management IP address or management gateway of a vCMP guest.
-- A non-Common partition is selected in the GUI Partition drop-down menu when making the change.
Impact:
MCPD restarts, causing all other daemons on the blade to restart as well. The vCMP guests running on the affected blades suffer an outage and are unable to process traffic while the daemons restart.
Workaround:
Ensure that when you make management IP address or gateway changes to a vCMP guest, you do so while the Common partition is selected in the GUI.
987885-1 : Half-open unclean SSL termination might not close the connection properly
Component: Local Traffic Manager
Symptoms:
When the client sends a TCP FIN in the middle of an SSL record (mid Application Data), the BIG-IP system does not close the connection on either the client side or the server side (i.e., it does not 'forward' the FIN to the server as it normally does), so the connection goes stale until the idle timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
987709-2 : Static target string as CNAME pool member might cause config load failure if wide IP with same name exists in another partition
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load with errors similar to this:
01070726:3: Pool 5 /Common/cnamepool1 in partition Common cannot reference GTM wideip pool member 5 /Common/cnamepool1 gslb.mycompany.com /App2/gslb.mycompany.com 1 in partition App2
Unexpected Error: Loading configuration process failed
Conditions:
There is a wide IP with the same name in another partition as the static target CNAME pool member.
Impact:
GTM config fails to load.
Workaround:
Create the wide IP first and then add the static target CNAME pool member.
987081-6 : Alarm LED remains active on Secondary blades even after LCD alerts are cleared
Component: TMOS
Symptoms:
When a condition occurs which causes an alert message to be logged to the LCD display for a VIPRION chassis, the Alarm LED on the blade where the condition was reported may be set (to solid or flashing amber or red) according to the severity of the reported condition.
When the LCD alert messages are cleared, the Alarm LED on the Primary blade in the chassis will be cleared (or set according to remaining alert messages if only a subset of messages are cleared).
However, the Alarm LED on the Secondary blades in the chassis will not be cleared, and will continue to indicate the highest severity of the previously reported alert messages.
Conditions:
This occurs when:
-- A condition is reported by a Secondary blade in the chassis which causes its Alarm LED to be set (to solid or flashing amber or red) and a message logged to the chassis LCD display.
-- The LCD alert messages are cleared, such as by issuing the 'tmsh reset-stats sys alert lcd' command.
Impact:
The Alarm LED on one or more Secondary blades in the chassis continues to indicate an alert condition even after the previously reported alert messages have been cleared.
Workaround:
To restore the Secondary blade LEDs to their proper state, restart the fpdd daemon on each affected blade.
For example, if the Alarm LED is not reset on the blade in slot 4, issue one of the following commands from the console of the Primary blade in the chassis:
-- clsh --slot=4 "bigstart restart fpdd"
-- ssh slot4 "bigstart restart fpdd"
Alternately, you may log in to the console of the affected blade and issue the 'bigstart restart fpdd' command directly.
985749-6 : TCP exponential backoff algorithm does not comply with RFC 6298
Component: Local Traffic Manager
Symptoms:
The algorithms used for TCP exponential backoff are different for SYN and non-SYN packets.
Conditions:
Using TCP.
Impact:
Retransmission timeout interval depends on the inclusion/exclusion of SYN flag.
Workaround:
None
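For reference, the RFC 6298 timer rules that the entry above measures the BIG-IP TCP stack against, as an added example (not BIG-IP code and not part of the original release note). The block implements the RFC's RTT estimator (section 2) and its single exponential backoff rule (section 5.5), which the RFC applies identically whether or not the retransmitted segment carries SYN; the only SYN-specific step is the 3-second re-initialization after a retransmitted SYN (section 5.7). The 1 ms clock granularity G is an assumption.

```python
"""RFC 6298 retransmission timer, for reference beside known issue 985749-6.

Added example, not BIG-IP code. Implements the RTT estimator (section 2),
the single backoff rule RTO = RTO * 2 (section 5.5) that applies to SYN and
non-SYN segments alike, and the SYN re-initialization of section 5.7.
Clock granularity G is assumed to be 1 ms.
"""
from dataclasses import dataclass
from typing import List, Optional

ALPHA = 1 / 8         # SRTT smoothing gain (RFC 6298, section 2.3)
BETA = 1 / 4          # RTTVAR smoothing gain
K = 4                 # RTTVAR multiplier in the RTO formula
INITIAL_RTO = 1.0     # seconds, before any RTT sample (section 2.1)
MIN_RTO = 1.0         # RTO below 1 s SHOULD be rounded up (section 2.4)
MAX_RTO = 60.0        # an upper bound MAY be placed, but at least 60 s (section 2.4)
SYN_REINIT_RTO = 3.0  # re-initialization value after a retransmitted SYN (section 5.7)
CLOCK_G = 0.001       # assumed clock granularity, seconds


def clamp_rto(rto: float) -> float:
    """Apply the lower and upper bounds of section 2.4."""
    return min(max(rto, MIN_RTO), MAX_RTO)


@dataclass
class RtoEstimator:
    srtt: Optional[float] = None
    rttvar: Optional[float] = None
    rto: float = INITIAL_RTO
    syn_retransmitted: bool = False

    def sample(self, r: float) -> float:
        """Feed one RTT measurement R (seconds) taken from an unambiguous ACK.

        Karn's algorithm (section 3): do not call this for a segment that was
        retransmitted, because its ACK cannot be attributed to one transmission.
        """
        if self.srtt is None:
            # First measurement (section 2.2).
            self.srtt = r
            self.rttvar = r / 2
        else:
            # Subsequent measurements (section 2.3); RTTVAR is updated first
            # because its formula uses the previous SRTT.
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - r)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * r
        self.rto = clamp_rto(self.srtt + max(CLOCK_G, K * self.rttvar))
        return self.rto

    def timeout(self, syn: bool = False) -> float:
        """Retransmission timer expired: back off (section 5.5).

        The RFC gives one rule, RTO = RTO * 2, regardless of whether the
        retransmitted segment carried SYN; only the bookkeeping for 5.7 differs.
        """
        if syn:
            self.syn_retransmitted = True
        self.rto = clamp_rto(self.rto * 2)
        return self.rto

    def established(self) -> float:
        """Connection reached ESTABLISHED (section 5.7): if the SYN had to be
        retransmitted and RTO is still below 3 s, re-initialize it to 3 s."""
        if self.syn_retransmitted and self.rto < SYN_REINIT_RTO:
            self.rto = SYN_REINIT_RTO
        return self.rto

    def backoff_schedule(self, timeouts: int) -> List[float]:
        """Return the RTO after each of `timeouts` consecutive expiries, without
        mutating the estimator. The same schedule applies to SYN and data segments."""
        rto, out = self.rto, []
        for _ in range(timeouts):
            rto = clamp_rto(rto * 2)
            out.append(rto)
        return out


if __name__ == "__main__":
    est = RtoEstimator()
    print("backoff from initial RTO:", est.backoff_schedule(7))
    est.sample(0.5)
    est.sample(0.9)
    print("RTO after two samples:", round(est.rto, 3))
```

A compliant stack produces the same doubling sequence for a retransmitted SYN as for retransmitted data; the upper bound is the only place the sequence flattens out.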
984897-6 : Some connections performing SSL mirroring are not handled correctly by the Standby unit.
Component: Local Traffic Manager
Symptoms:
Some of the connections performing SSL mirroring do not advance through TCP states as they should on the Standby unit.
Additionally, these connections do not get removed from the connection table of the Standby unit when the connections close. Instead, they linger on until the idle timeout expires.
Conditions:
A virtual server configured to perform SSL connection mirroring.
Impact:
Should the units fail over, some connections may not survive as expected.
Additionally, given a sufficient load and a long idle timeout, this could cause unnecessary TMM memory utilization on the Standby unit.
Workaround:
None.
982993-1 : Gateway ICMP monitors with IPv6 destination and IPv6 transparent nexthop might fail
Component: Local Traffic Manager
Symptoms:
Gateway ICMP monitors configured with IPv6 destinations and IPv6 transparent nexthop do not work if the IPv6 destination address is not directly connected, but reachable via an intermediate hop.
Conditions:
An IPv6 monitor's destination address is not directly connected, but reachable via intermediate hop.
Impact:
Monitor status remains DOWN.
Workaround:
Consider monitoring the actual target.
980325-2 : Chmand core due to memory leak from dossier requests
Component: TMOS
Symptoms:
Chmand leaks memory and crashes.
Conditions:
Repeated/excessive dossier requests to chmand from the get_dossier program.
Impact:
Chmand crashes; potential traffic impact.
Workaround:
None.
979213-5 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
977609-6 : Request logging profile not logging server-side variables on a virtual-server with rate-limit or connection-limit applied
Component: TMOS
Symptoms:
Pool-name, server IP address, and port are missing in the syslog message.
Conditions:
A Request Logging profile whose template uses '$VIRTUAL_POOL_NAME', '$SERVER_IP' and '$SERVER_PORT' is applied to a virtual server that has a rate limit or connection limit configured. For example, an ltm profile request-log containing:
request-log-template "Virtual: $VIRTUAL_NAME Pool: $VIRTUAL_POOL_NAME Server IP: $SERVER_IP Server Port: $SERVER_PORT"
Impact:
The request logs are intermittently missing information for VIRTUAL_POOL_NAME, SERVER_IP, SERVER_PORT.
Workaround:
None.
977113-2 : Unable to configure dependency for GTM virtual server if pool member dependency exists
Component: TMOS
Symptoms:
The following error is displayed when configuring GTM virtual server dependency:
01020037:3: The requested GTM depends (/Common/Generic-Host GH-VS1 /Common/DC1-DNS1 /Common/VS1) already exists.
Conditions:
The pool member dependency exists for the same virtual server.
Impact:
Not able to configure GTM virtual server dependency at GTM server level.
Workaround:
First create the GTM virtual server dependency at the GTM server level, and then create the pool member dependency.
976013-1 : If bcm56xxd starts while an interface is disabled, the interface cannot be enabled afterwards
Component: TMOS
Symptoms:
A disabled interface is not getting enabled.
Conditions:
-- An interface is disabled
-- bcm56xxd is restarted
Impact:
The interface remains in the disabled state and no traffic passes through it.
Workaround:
Restart bcm56xxd again.
974513-5 : Dropped requests are reported as blocked in Reporting/charts
Component: Application Security Manager
Symptoms:
Dropped requests are reported as blocked in Reporting/charts.
Conditions:
A request is dropped, either because a client-side challenge or CAPTCHA was not answered during brute-force mitigation, or because slow POST attack mitigation drops it.
Impact:
Data reported might be incorrect. There is a filter for dropped requests which, when selected, does not show anything, even when there are drops.
Workaround:
None.
974205-6 : Unconstrained wr_urldbd size causing box to OOM
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd process's memory grows and can exceed 4 GB, which can cause an out-of-memory (OOM) condition while processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
tmsh restart sys service wr_urldbd
974193-5 : Error when trying to create a new f5.vmware_view.v1.5.9 iApp
Component: iApp Technology
Symptoms:
Error when trying to create a f5.vmware_view.v1.5.9 iApp
Configuration Warning: New virtual address (/Common/10.10.10.10) used by server with access profile attached has traffic group (/Common/traffic-group-1) that is different from existing one (/Common/traffic-group-exchange). Change it to the existing one
Conditions:
-- Create a new f5.vmware_view.v1.5.9 iApp
-- iApp uses a traffic group other than the default traffic-group-1
Impact:
Unable to create new f5.vmware_view.v1.5.9 iApp
Workaround:
None.
973341-6 : Customized device certs will break scripts relying on /config/httpd/conf/ssl.crt/server.crt
Component: Global Traffic Manager (DNS)
Symptoms:
Bigip_add, big3d_install, gtm_add will not work.
Conditions:
Device cert is customized.
Impact:
Bigip_add, big3d_install, and gtm_add do not work.
Workaround:
Copy the content of the new cert to default file "/etc/httpd/conf/ssl.crt/server.crt".
973261-6 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d does not try to open TCP connections if an HTTPS monitor contains a cert/key.
/var/log/gtm shows:
err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.
Conditions:
GTM HTTPS monitor with non-default cert/key.
Impact:
Unable to use the HTTPS monitor.
972785-2 : Unable to create virtual server with a non-zero Route Domain for custom partition via iControl SOAP
Component: TMOS
Symptoms:
While creating a virtual server using iControl SOAP you get an error:
error_string : 0107004d:3: Virtual address (/VPN_WEB_01/0.0.0.0%201) encodes IP address (0.0.0.0%201) which differs from supplied IP address field (1.1.1.5%201).'
Conditions:
-- Using iControl SOAP to create a virtual server
-- The virtual server is assigned to a partition that uses a non-default route domain.
Impact:
Unable to create the virtual server with the iControl SOAP command.
Workaround:
First create the virtual server with the default virtual address ("0.0.0.0"), and then update the virtual address to the desired address.
Example:
ltm.LocalLB.VirtualServer.create([{'name': 'vs_test_9095', 'address': '0.0.0.0', 'port': 9090, 'protocol': 'PROTOCOL_TCP'}], ['255.255.255.255'], [{'type': 'RESOURCE_TYPE_POOL'}], [[{'profile_context': 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name': 'fastL4'}]])
ltm.LocalLB.VirtualServer.set_destination_v2(['vs_test_9095'],[{'address': '10.10.10.50', 'port': 9090}])
971217-5 : AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations.
Component: Local Traffic Manager
Symptoms:
An HTTP Security profile can be created and enabled within Advanced Firewall Manager's Protocol Security options. The HTTP Security Profile contains various protocol checks that can be enabled and disabled to allow customization of security checks. When the "Unparsable request content" check is selected, BIG-IP will incorrectly indicate that HTTP POST requests with Content-Length:0 are not allowed assuming that these requests are unparsable. POST requests with Content-Length:0 can still be checked by enabling the "POST request with Content-Length: 0" option in the same profile.
Conditions:
-- HTTP Protocol Security Profile configured with the "Unparsable request content" check.
-- Client sends HTTP POST request with Content-Length:0
Impact:
With the "Unparsable request content" check enabled, POST requests with Content-Length: 0 are always flagged; they cannot be allowed or denied independently of that check, even though a dedicated "POST request with Content-Length: 0" option exists in the same profile.
Workaround:
None.
970829-2 : iSeries LCD incorrectly displays secure mode after changing login password
Component: TMOS
Symptoms:
In certain cases on iSeries platforms, changing the login password for admin can disrupt communication with the LCD, causing it to continuously display secure mode.
Conditions:
This can occur after changing the admin password to anything other than the default on iSeries platforms.
Impact:
LCD continuously displays secure mode.
/var/log/touchscreen_lcd will fill up with error messages like the following:
err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401
Workaround:
None.
969553-5 : DNS cache returns SERVFAIL
Component: Global Traffic Manager (DNS)
Symptoms:
- A DNS cache returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers.
- When this happens, the BIG-IP system can be seen rejecting the (late) responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).
- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:
debug tmm[13147]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
Conditions:
This issue occurs when the following conditions are met:
- A DNS cache is in use on the BIG-IP system.
- The DNS cache is configured with a forward-zone that uses multiple servers to perform resolutions.
- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.
- 'Randomize Query Character Case' is enabled in the DNS cache.
If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.
Impact:
Clients of the BIG-IP DNS cache are not returned an answer. As a result, application failures may occur.
Workaround:
You can work around this issue by disabling 'Randomize Query Character Case' in the DNS cache.
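What the 'Randomize Query Character Case' option does, and what disabling it gives up, is easiest to see in code. The following is an added example written for this page (not BIG-IP code): it applies 0x20 case randomization to a query name and shows the byte-exact match a resolver then requires on the reply, which is the spoofing defence the option provides.

```python
import random


def randomize_qname_case(qname, rng=random):
    """0x20 encoding: flip each ASCII letter of the query name to a random case.
    An upstream server copies the question section back verbatim, so a genuine
    reply echoes the pattern; a forger must guess it as well as the transaction
    ID and source port."""
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname)


def reply_accepted(sent_qname, reply_qname, randomize_case):
    """Match the reply's question name against what was sent. With the option on
    the comparison is byte-exact; with it off DNS names compare case-insensitively,
    so a reply with a different case pattern (guessed or case-folded) is accepted."""
    if randomize_case:
        return sent_qname == reply_qname
    return sent_qname.lower() == reply_qname.lower()


def case_bits(qname):
    """Letters in the name, i.e. the extra bits of entropy 0x20 adds to the
    16-bit transaction ID and the source port."""
    return sum(1 for ch in qname if ch.isalpha())
```

The trade-off of the workaround follows from reply_accepted: with the option off, a reply that carries the name in any case is taken, so resolution is more tolerant but a spoofed reply only has to match the transaction ID and port; with it on, any upstream or middlebox that case-folds the question name causes every reply to be rejected, which shows up to clients as timeouts or SERVFAIL.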
969317-1 : "Restrict to Single Client IP" option is ignored for vmware VDI
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch the VMware desktop on one client, and copy the launch URI.
- Try to launch the VMware desktop from another client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
968949-2 : Keepalives aren't sent in FIN_WAIT_2 when using a TCP profile
Component: Local Traffic Manager
Symptoms:
When a client-side connection goes into FIN_WAIT_2, BIG-IP doesn't send keepalives even if they are being sent on the server-side connection.
Conditions:
- Virtual server configured with a TCP profile and network listener.
Impact:
Client-side connections time out prematurely.
As a result, the server-side connections end up being open indefinitely.
Workaround:
No workaround currently known.
968509-2 : Response headers are not parsed correctly causing subsequent requests stall at BIG-IP
Component: Local Traffic Manager
Symptoms:
Web browsers can connect to a virtual server and send a POST request, but subsequent requests fail.
Conditions:
-- Standard virtual server with the default http profile
-- Client sends a POST request with Expect: 100-continue header, but does not send a POST body
-- Back-end web server returns 401 Unauthorized and a long response body
Impact:
Subsequent client requests stall at the BIG-IP.
967745-5 : Last resort pool error for the modify command for Wide IP
Component: TMOS
Symptoms:
System reports error for the modify command for Wide IP.
01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.
Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.
Impact:
The object is not modified, and the system reports an error.
Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.
Append the command with last-resort-pool a <pool_name>, for example:
modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test
967737-6 : DNS Express: SOA stops showing up in statistics from second zone transfer
Component: Global Traffic Manager (DNS)
Symptoms:
Start of Authority (SOA) record is not displayed in zone statistics.
Conditions:
The issue appears after the 2nd zone transfer.
Impact:
This is a cosmetic issue without any actual impact.
Workaround:
None
967353-6 : HTTP proxy should trim spaces between a header field-name and colon in its downstream responses.
Component: Local Traffic Manager
Symptoms:
Client receives no response along with a connection reset by the BIG-IP system.
Conditions:
-- HTTP Profile is enabled on the BIG-IP system.
-- Server sends an HTTP response in which one or more header field names are followed by a space before the colon (for example, "Content-Type : text/html").
Impact:
HTTP responses that should be delivered to the client by the proxy are not being sent out.
Workaround:
None
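Both 971217-5 (a POST with Content-Length: 0 treated as unparsable) and 967353-6 (a response header with whitespace before the colon causing a reset) come down to how a proxy's header parser classifies edge cases that RFC 7230 actually defines. The following added example, written for this page rather than taken from BIG-IP, shows the intended handling in Python: whitespace between a field-name and the colon is rejected on requests (RFC 7230 section 3.2.4 says a server must respond 400) but trimmed on responses before forwarding, as the RFC requires of a proxy, and a POST with Content-Length: 0 is classified as a well-formed empty-body request rather than as unparsable content. Sample messages are constructed.

```python
import re

# RFC 7230 section 3.2.6 "tchar": the characters allowed in a header field-name.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HttpMessageError(Exception):
    """Raised for messages that are genuinely unparsable."""


def parse_header_lines(lines, is_response):
    """Parse 'Name: value' lines into (name, value) pairs.

    RFC 7230 section 3.2.4: no whitespace is allowed between the field-name and
    the colon. A server MUST reject such a request (400); a proxy MUST remove
    the whitespace from a response before forwarding it downstream.
    """
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise HttpMessageError("header line without a colon: %r" % line)
        if name != name.rstrip(" \t"):
            if not is_response:
                raise HttpMessageError("whitespace before colon in request header: %r" % line)
            name = name.rstrip(" \t")  # proxy-side trim on the response path
        if not TCHAR.match(name):
            raise HttpMessageError("invalid field-name: %r" % name)
        headers.append((name, value.strip(" \t")))
    return headers


def normalize_response_headers(lines):
    """Response path: 'Name : value' becomes 'Name: value' and the response is
    forwarded, instead of being dropped with a reset to the client."""
    return parse_header_lines(lines, is_response=True)


def classify_request(raw):
    """Return 'ok', 'post_empty_body' or 'unparsable' for a raw request head.

    A POST with 'Content-Length: 0' is a well-formed request with an empty body.
    It is reported under its own label so a policy can allow or deny it on its
    own, separately from content that really cannot be parsed.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            raise HttpMessageError("bad request-line: %r" % lines[0])
        method = parts[0]
        headers = parse_header_lines(lines[1:], is_response=False)
        lengths = {v for n, v in headers if n.lower() == "content-length"}
        if len(lengths) > 1 or any(not v.isdigit() for v in lengths):
            # conflicting or non-numeric lengths are a smuggling vector, not an empty body
            raise HttpMessageError("conflicting or non-numeric Content-Length")
    except (HttpMessageError, UnicodeDecodeError):
        return "unparsable"
    if method == "POST" and lengths == {"0"}:
        return "post_empty_body"
    return "ok"
```

Note the asymmetry: the same "Host : x" line is a hard error on the request side (a lenient request parser in front of a strict origin is how desync attacks start) but is silently repaired on the response side, where the client is the only consumer and a reset buys no security.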
967249-5 : TMM may leak memory early during its startup process, and may continue to do so indefinitely.
Component: Local Traffic Manager
Symptoms:
TMM leaks memory in the packet and xdata components. The aggressiveness of the leak depends on how much traffic TMM receives from the Linux host subsystem.
Conditions:
- A BIG-IP system running more than 1 TMM instance.
- Early during its startup process, TMM begins receiving traffic from the Linux host subsystem destined to the network (e.g., remote syslog traffic routed to its destination through TMM).
- Depending on the system's configuration, TMM attempts to set up flow forwarding for the aforementioned traffic. This may happen, for instance, if the egress VLAN is configured for 'cmp-hash src-ip'.
- TMM hasn't fully completed its startup process yet.
Impact:
TMM leaks memory.
If the flow set up during early TMM startup continues to receive a constant stream of new packets, then the flow may live on indefinitely, and TMM may continue to leak memory indefinitely.
In the example of remote syslog traffic, this could happen, for instance, if the box keeps logging messages at a sustained rate.
Eventually, TMM may be unable to allocate any more memory and crash. Traffic disrupted while tmm restarts.
Workaround:
You can work around this issue by ensuring that TMM does not receive any traffic from the Linux host subsystem for forwarding during early startup.
In the example of remote syslog destinations, you could specify the management IP address of the system as the source IP address for the traffic, thus forcing the traffic out of the management port instead of TMM. This implies the management port has a suitable working route to the destination.
966949-5 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since it is not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, no FQDN ephemeral pool members can remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
966613-1 : Cannot create XML profile based on WSDL when wsdl contains empty soap:address – getting error ‘Column 'object_uri' cannot be null’
Component: Application Security Manager
Symptoms:
Perl error returned when saving new XML content profile using wsdl file with empty soap:address node "<soap:address/>".
Conditions:
Creating a new content profile using a wsdl file which contains a "<soap:address/>" node which does not have a "location" attribute value.
When this content profile is saved, ASM attempts to create an associated URL with no value, which fails validation.
Impact:
After trying to save the content profile, you see an error message: "Could not create XML Profile; Error: DBD::mysql::db do failed: Column 'object_uri' cannot be null"
Workaround:
Delete the node "<soap:address/>" from the wsdl file
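Checking a WSDL for this shape before uploading it is quicker than reading the Perl error afterwards. The following is an added example for this page (not ASM code): it uses the standard-library XML parser to list every service port whose soap:address has no usable location, and applies the workaround above by deleting those elements. The sample WSDL, the service and port names, and the URL in it are constructed; only the WSDL and SOAP binding namespace URIs are real.

```python
import io
import re
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = {"http://schemas.xmlsoap.org/wsdl/soap/",
           "http://schemas.xmlsoap.org/wsdl/soap12/"}

# Constructed sample WSDL: one good port and one port whose soap:address has
# no location, which is the shape that fails ASM's URL validation.
SAMPLE_WSDL = """<definitions name="Demo" targetNamespace="urn:demo"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="urn:demo"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="DemoService">
    <port name="GoodPort" binding="tns:DemoBinding">
      <soap:address location="https://app.example/soap"/>
    </port>
    <port name="BadPort" binding="tns:DemoBinding">
      <soap:address/>
    </port>
  </service>
</definitions>"""


def _is_soap_address(el):
    ns, _, local = el.tag[1:].partition("}")
    return ns in SOAP_NS and local == "address"


def _has_location(el):
    return bool((el.get("location") or "").strip())


def empty_soap_addresses(wsdl_text):
    """Return (service, port) pairs whose soap:address has no usable location
    attribute, i.e. the URL entries ASM cannot create."""
    root = ET.fromstring(wsdl_text)
    found = []
    for service in root.iter("{%s}service" % WSDL_NS):
        for port in service.findall("{%s}port" % WSDL_NS):
            if any(_is_soap_address(el) and not _has_location(el) for el in port):
                found.append((service.get("name"), port.get("name")))
    return found


def soap_prefixes(wsdl_text):
    """Prefixes the document itself binds to a SOAP binding namespace."""
    events = ET.iterparse(io.BytesIO(wsdl_text.encode("utf-8")), events=("start-ns",))
    return [prefix for _, (prefix, uri) in events if uri in SOAP_NS and prefix]


def strip_empty_soap_addresses(wsdl_text):
    """Apply the workaround: delete soap:address elements with no location.
    The edit is textual so the file's own prefixes and namespace declarations
    are left exactly as they were; empty_soap_addresses() verifies the result."""
    prefixes = soap_prefixes(wsdl_text)
    if not prefixes:
        return wsdl_text
    pat = re.compile(
        r"<(?P<p>%s):address(?:\s+location\s*=\s*(?P<q>[\"'])\s*(?P=q))?\s*"
        r"(?:/>|>\s*</(?P=p):address\s*>)" % "|".join(map(re.escape, prefixes)))
    return pat.sub("", wsdl_text)
```

Run empty_soap_addresses() on the cleaned text before uploading: an empty list means every remaining port has a location ASM can turn into a URL entry.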
966461-3 : Tmm leaks memory after each DNSSEC query when netHSM is not connected
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm memory increases per DNSSEC query.
Conditions:
NetHSM is configured but is disconnected
Impact:
Tmm high memory consumption.
Workaround:
Connect the netHSM.
965941-5 : Creating a net packet filter in the GUI does not work for ICMP for IPv6
Component: TMOS
Symptoms:
When using the GUI to create a 'net packet-filter' rule to block ICMP packets, the filter does not block IPv6 packets.
Conditions:
-- Using the GUI to create a packet filter rule to block incoming ICMP packets.
-- Attempting to block an IPv6 address.
Impact:
Packets get through the filter unexpectedly.
Workaround:
Modify the packet filter manually using tcpdump syntax. For example, the following syntax is used to block ICMP packets for both IPv4 and IPv6:
icmp or icmp6
965457-1 : OSPF duplicate router detection might report false positives
Component: TMOS
Symptoms:
OSPF duplicate router detection might report false positives
Conditions:
Router sends LSA that is looped in network and sent back to its origin.
Impact:
Cosmetic
964421-5 : Error '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously'
Component: TMOS
Symptoms:
The error message '01070734:3: Configuration error: Signing key and signing certificate must be set simultaneously' is unclear.
It fails to indicate which rewrite profile has failed validation, and it is not clear that the error has something to do with the validation of rewrite profiles.
Conditions:
A BIG-IP Administrator is attempting to configure an invalid rewrite profile (one where the 'signing certificate' and 'signing key' options are not simultaneously set).
Impact:
A confusing error message is logged, which makes it difficult to know what to do next.
964125-5 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more than one way in which node statistics can be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.
963705-5 : Proxy ssl server response not forwarded
Component: Local Traffic Manager
Symptoms:
A server response may not be forwarded after TLS renegotiation.
Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs
Impact:
The server response may not be forwarded.
962913-6 : The number of native open connections in the SSL profile is higher than expected
Component: Local Traffic Manager
Symptoms:
The number of native open connections in the SSL profile shows a value that is higher than expected.
Conditions:
SSL renegotiation is enabled. Other conditions are unknown.
Impact:
The SSL stats are incorrectly reading higher than expected.
Workaround:
Disable SSL renegotiation.
962497-6 : BD crash after ICAP response
Component: Application Security Manager
Symptoms:
BD crash when checking ICAP job after ICAP response
Conditions:
BD is used with ICAP feature
Impact:
Traffic disrupted while BD restarts.
Workaround:
N/A
962493-1 : Request is not logged
Component: Application Security Manager
Symptoms:
A request is not logged in the local and/or remote logs.
Conditions:
A request has evasions detected on very large parameters.
Impact:
A missing request in the log.
Workaround:
N/A
962489-1 : False positive enforcement of parameters with specific configuration
Component: Application Security Manager
Symptoms:
False positive parameters are being detected in the payload and enforced wrongly.
Conditions:
The URL is not defined (also not as wildcard - not defined at all) and the request has a payload.
Impact:
False positive enforcement - may lead to wrong violations and wrong blocking of requests.
Workaround:
None.
962433-1 : HTTP::retry for a HEAD request fails to create new connection
Component: Local Traffic Manager
Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.
Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version
Impact:
BIG-IP might send the retry HEAD request after the connection is closed, more specifically after the server has sent a FIN, the retry is leaked on the network.
962181-5 : iRule POLICY command fails in server-side events
Component: Local Traffic Manager
Symptoms:
BIG-IP provides an iRule command POLICY to retrieve information on or manipulate an LTM policy attached to a virtual. This command fails when it is used in server-side event like HTTP_RESPONSE.
Conditions:
-- Configure a virtual server with one or more LTM policies.
-- The virtual server has an iRule with a POLICY command executed on a server side (e.g. HTTP_RESPONSE).
Impact:
A command returns an incorrect value and may cause unexpected outcomes in an iRule execution.
962177-5 : Results of POLICY::names and POLICY::rules commands may be incorrect
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules return incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
960437-5 : The BIG-IP system may initially fail to resolve some DNS queries
Component: Global Traffic Manager (DNS)
Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.
Subsequent queries for the same domain name, however, work as expected.
Only some domain names are affected.
Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.
- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).
- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure cascades to the client.
In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.
For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.
1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'.
4. Select Update.
You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
959613-6 : SIP/HTTPS monitor attached to generic-host virtual server and pool shows 'blank' reason
Component: Global Traffic Manager (DNS)
Symptoms:
When you double-monitor a Generic Host Virtual Server (pool level + virtual server level) using the same SIP/HTTPS monitor, the 'Reason' is omitted from the output. 'tmsh show gtm server <server> virtual-servers' shows a "blank" reason for monitoring failure/success.
Conditions:
Double-monitor a Generic Host virtual server (pool level + virtual server level) using the same SIP/HTTPS monitor.
Impact:
Impedes your ability to identify the failure/success reason quickly.
Workaround:
Do not use the same monitor on both the virtual server and the pool level.
958785-2 : FTP data transfer does not complete after QUIT signal
Component: Local Traffic Manager
Symptoms:
When a QUIT signal is sent over an FTP connection to an FTP virtual server during a data transfer, the data connection is closed immediately instead of waiting until the transfer is complete.
Conditions:
- BIG-IP configured with an FTP virtual server
- A client connects to the FTP virtual server
- Client starts an FTP data transfer
- Client sends a QUIT signal before the data transfer completes.
Impact:
FTP data connections are closed prematurely, causing incomplete data transfers.
Workaround:
This does not occur if the FTP profile for the FTP virtual server has inherit-parent-profile set to enable.
958325-5 : Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB
Component: Global Traffic Manager (DNS)
Symptoms:
Dangling monitor rule after pool deletion.
# tmsh delete gtm monitor tcp tcp_test
01070083:3: Monitor /Common/tcp_test is in use
Conditions:
Using transaction to delete pool and create pool of same name with different monitor.
Impact:
Unable to delete the remaining monitor.
Workaround:
Run:
1. # bigstart restart mcpd
Or
2. Do not combine deletion and re-create pool in the same transaction.
956589-5 : The tmrouted daemon restarts and produces a core file
Component: TMOS
Symptoms:
The tmrouted daemon restarts and produces a core file.
Conditions:
The exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover.
Impact:
Traffic disrupted while tmrouted restarts.
Workaround:
None
955617-4 : Cannot modify the destination address of a monitor
Component: Local Traffic Manager
Symptoms:
Modifying a monitor's properties produces an error if the monitor is attached to a pool that has a node or pool member instance:
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties can't be modified if they are in use by a pool.
Workaround:
Remove monitor, modify it, and then add it back.
955057-5 : UCS archives containing a large number of DNS zone files may fail to restore.★
Component: TMOS
Symptoms:
This issue can manifest in the following ways:
- Failure to restore a UCS archive to the currently active boot location (i.e. restoring a backup).
- Failure to restore a UCS archive to a different boot location by means of the cpcfg utility (or the "Install Configuration" option when changing boot locations in the Web UI).
- Failure to restore a UCS archive as part of a software upgrade (if rolling forward the configuration was requested, which is the default BIG-IP behavior).
In all cases, error messages similar to the following example are returned to the user:
/bin/sh: /bin/rm: Argument list too long
Fatal: executing: /bin/sh -c rm -fr /var/named/config/namedb/*
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
Conditions:
This issue occurs when a large number of DNS zone files are already present in the /var/named/config/namedb directory of the boot location to which the UCS archive is being restored.
Impact:
The UCS archive fails to restore. Additionally:
- If the UCS archive was being restored on the currently active boot location, the named and zrd daemons may not be running after the failure, leading to traffic outages.
- If the UCS archive was being restored as part of an upgrade, the installation will fail and the destination boot location will be marked as failed (thus preventing a BIG-IP Administrator from activating it).
Workaround:
Depending on the failure mode, perform one of the following workarounds:
- If you were restoring a UCS archive on the currently active boot location, run the following command, and then attempt the UCS archive restore operation again:
find /var/named/config/namedb -mindepth 1 -delete
- If you encountered the failure during an upgrade, it should mean you were installing an Engineering Hotfix (otherwise the /var/named/config/namedb directory on the destination boot location would have been empty).
Installing an Engineering Hotfix will actually perform two separate installations - first the base version, and then the hotfix on top of that. Each installation restores the source location's UCS archive.
The UCS installation performed during the base installation will work, and the one performed during the hotfix installation will fail (because DNS zone files are already in place now, and they will fail to be deleted).
In this case, you can work around the issue by performing two distinct installations (to the same destination boot location). First the base version by itself, and then the hotfix installation by itself:
Perform the first installation with the liveinstall.moveconfig and liveinstall.saveconfig db keys disabled. Perform the second installation after enabling the liveinstall.moveconfig and liveinstall.saveconfig db keys again.
- If you encountered the failure while using the cpcfg utility (or equivalent WebUI functionality), take a UCS archive instead, download it off of the BIG-IP or save it in a shared directory (e.g. /var/tmp), boot the system into the destination boot location, run the below command, and then restore the UCS archive:
find /var/named/config/namedb -mindepth 1 -delete
955017-6 : Excessive CPU consumption by asm_config_event_handler
Component: Application Security Manager
Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync
Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.
Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.
Workaround:
Disable the signature staging action item for all policies.
953845-6 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart
Component: Local Traffic Manager
Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.
This can occur when using administrative commands such as:
-- tmsh run util fips-util init
-- fipsutil init
-- tmsh run util fips-util loginreset -r
-- fipsutil loginreset -r
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
+ vCMP guest on i5820-DF / i7820-DF
+ vCMP guest on 10350v-F
Impact:
BIG-IP is unable to communicate with the onboard HSM.
Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.
Immediately before doing this:
-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:
sys fipsuser f5cu {
password $M$Et$b3R0ZXJzCg==
}
951705-5 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986
Solution Article: https://support.f5.com/csp/article/K03009991
950005-5 : TCP connection is not closed when necessary after HTTP::respond iRule
Component: Local Traffic Manager
Symptoms:
HTTP does not close the client-side TCP connection if the response is sent via HTTP::respond.
Conditions:
- TCP profile is used.
- HTTP profile is used.
- HTTP::respond iRule is used (via HTTP_RESPONSE_RELEASE).
- HTTP sends "Connection: close" header.
Impact:
TCP connection lives longer than needed.
Workaround:
None
949137-6 : Clusterd crash and vCMP guest failover
Component: Local Traffic Manager
Symptoms:
Clusterd crashes and a vCMP guest fails over.
Conditions:
The exact conditions under which this occurs are unknown. It can occur during normal operation.
Impact:
Memory corruption occurs and clusterd can crash, causing failover.
Workaround:
None.
948573 : wr_urldbd list of valid TLDs needs to be updated
Component: Traffic Classification Engine
Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.
Conditions:
A new TLD is being queried.
Impact:
URL queries for new TLDs cannot be blocked with a custom feed list.
Custom, Webroot, and Cloud lookups return the Unknown category.
Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.
947865-5 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read
Component: TMOS
Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user/log:
err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer
Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.
Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.
947529-4 : Security tab in virtual server menu renders slowly
Component: TMOS
Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.
Conditions:
Large number of virtual servers using the same ASM policy
Impact:
Loading of Security tab of a virtual server takes a long time
Workaround:
NA
947217-1 : Fix of ID722682 prevents GTM config load when the virtual server name contains a colon★
Component: Global Traffic Manager (DNS)
Symptoms:
GTM is unable to load the configuration.
Conditions:
-- GTM has been upgraded to a version with fix for ID722682 from a version that does not have the fix for ID722682
-- A GTM server has a name with no colon
-- That GTM server has a virtual server with colon in the name
-- That virtual server is added to a pool
Impact:
GTM config file cannot be loaded successfully after upgrade.
Workaround:
Edit bigip_gtm.conf manually to delete the "\\" escape, or replace the colon ":" with another non-reserved character such as "-".
947125-5 : Unable to delete monitors after certain operations
Component: Local Traffic Manager
Symptoms:
Unable to delete monitor with an error similar to:
01070083:3: Monitor /Common/my-mon is in use.
Conditions:
-- HTTP monitors are attached directly to pool members, or node-level monitors exist.
-- Performing an operation that causes the configuration to get rebuilt implicitly, such as "reloadlic".
Impact:
Unable to delete object(s) no longer in use.
Workaround:
When the system gets into this state, save and reload the configuration:
tmsh save sys config && tmsh load sys config
945601-1 : An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions.
Component: Local Traffic Manager
Symptoms:
An incorrect LTM policy rule is selected; for example, a rule that should match first is skipped.
Conditions:
The policy contains multiple rules that use a TCP address matching condition.
Impact:
An incorrect LTM policy rule is applied.
945265-1 : BGP may advertise default route with incorrect parameters
Component: TMOS
Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.
Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.
Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.
Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>
944093-5 : Maximum remaining session's time on user's webtop can flip/flop
Component: Access Policy Manager
Symptoms:
When an Access Policy is configured with Maximum Session Timeout, the rendered value of the maximum remaining session time can flip/flop by seconds on a user's webtop.
Conditions:
Access Policy is configured with Maximum Session Timeout >= 60000 secs
Impact:
End users will see the remaining time being continually reset.
943669-6 : B4450 blade reboot
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
942953-3 : Keyboard locks during Windows Edge client logon when just a control button is pressed.
Component: Access Policy Manager
Symptoms:
Using APM Edge client version 7210.2020.827.422-5307.0, users on Microsoft Windows cannot type in the login window.
Conditions:
-- Edge Client for Windows.
-- The CTRL key is pressed in the login dialog.
Impact:
The Edge Client user is unable to type anything until they press the CTRL button one more time.
Workaround:
The APM end user must press the CTRL button a second time.
942549-5 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Component: TMOS
Symptoms:
During boot of an i15xxx system you see the message:
Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
Conditions:
There are no specific conditions that cause the failure.
This can occur on any i15xxx device, although some devices exhibit the failure consistently around 50% of boots and others never exhibit the issue.
Impact:
When this failure occurs in a system, the system is inoperable.
Workaround:
There is no workaround for systems that do not have software capable of resetting the hardware device during the HSB load process.
942521-2 : Certificate Managers are unable to move certificates to BIG-IP via REST
Component: Device Management
Symptoms:
You cannot upload a cert/key via the REST API if you are using a Certificate Manager account.
Conditions:
-- Using the REST API to upload a certificate and/or key
-- User is logged in as a Certificate Manager
Impact:
Unable to upload certificates as Certificate Manager
Workaround:
Use an admin account instead of a Certificate Manager account to upload certs and keys.
942217-5 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
Component: Local Traffic Manager
Symptoms:
With certain configurations, the virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.
Conditions:
Required Configuration:
-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.
-- The pool member has rate-limit enabled.
Required Conditions:
-- A monitor flaps, a monitor is added or removed, or a configuration change is made to service-down-immediate-action.
-- At the time one of the above events occurs, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Remove one of the required configuration conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
940897-6 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached
Component: Application Security Manager
Symptoms:
False-positive violations are reported against the wrong parameter when the "Maximum Array/Object Elements" limit is reached and "Parse Parameter" is enabled.
Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.
Impact:
False positives are detected, such as an "Illegal meta character in value" violation or an attack signature match in the wrong context.
Workaround:
N/A
940249-5 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached
Component: Application Security Manager
Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then sensitive data after the last allowed element is not masked.
Conditions:
Define a JSON profile, set "JSON data does not comply with format settings" to blocking, and set "Maximum Array/Object Elements" to the desired value.
Impact:
Data after the last allowed element is not masked.
939757-1 : Deleting a virtual server might not trigger route-injection update.
Component: TMOS
Symptoms:
When using multiple virtual-servers sharing the same destination address (virtual-address), deleting a single virtual-server that contributes to a virtual-address status might not trigger a route-injection update.
Conditions:
-- Multiple virtual-servers sharing the same destination address.
-- Virtual-server is deleted.
Impact:
The route remains in the routing table and is not removed.
Workaround:
Disable and re-enable the virtual-address after deleting a virtual-server.
939517-1 : DB variable scheduler.minsleepduration.ltm changes to default value after reboot
Component: TMOS
Symptoms:
Running the command 'tmsh list /sys db scheduler.minsleepduration.ltm' shows that the value is -1.
The db variable 'scheduler.minsleepduration.ltm' is set to -1 on mcpd startup, which overwrites a custom value.
Conditions:
-- The db variable 'scheduler.minsleepduration.ltm' has a non-default value set.
-- A reboot occurs.
Impact:
The db variable 'scheduler.minsleepduration.ltm' reverts to the default value. When the db variable reverts to the default value of unset -1, tmm uses more CPU cycles when idle.
Workaround:
None
938545-6 : Oversize plugin Tcl object results can result in 0-length messages and plugin crash
Component: Local Traffic Manager
Symptoms:
Bd crashes.
Conditions:
-- ASM enabled.
-- iRule used.
-- Command arguments are greater than maximum MPI message size.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None.
938165-5 : TMM Core after attempted update of IP geolocation database file
Component: Advanced Firewall Manager
Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.
Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Revert to using the previously working version of the IP-geolocation file.
For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.
937637-6 : BIG-IP APM VPN vulnerability CVE-2021-23002
Solution Article: https://support.f5.com/csp/article/K71891773
936777-6 : Old local config is synced to other devices in the sync group.
Component: Global Traffic Manager (DNS)
Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.
Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.
Impact:
Config on the other DNS/GTM devices in the sync group is lost.
Workaround:
You can use either of the following workarounds:
-- Make a small DNS/GTM configuration change before adding new devices to the sync group.
-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.
936593-1 : Invalid server-side SSL profile options can be configured in tmsh
Component: Local Traffic Manager
Symptoms:
TMSH allows you to configure the options 'msie-sslv2-rsa-padding', 'ssleay-080-client-dh-bug', and 'tls-d5-bug' on server-side SSL profiles, but these are client-side options only.
Conditions:
-- Using a server-side SSL profile.
-- Configuring one or more of the 'msie-sslv2-rsa-padding', 'ssleay-080-client-dh-bug', or 'tls-d5-bug' options on the server-side SSL profile.
Impact:
The options configuration does not take effect.
Workaround:
Do not use these options.
936441-5 : Nitrox5 SDK driver logging messages
Component: Local Traffic Manager
Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):
Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1
The above set of messages seems to be logged at about 2900-3000 times a second.
These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.
Conditions:
These messages are triggered by the Nitrox5 driver when EMU microcode cache errors are corrected by hardware.
Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
935865-1 : Rules that share the same name return invalid JSON via REST API
Component: Advanced Firewall Manager
Symptoms:
When retrieving rule stats on a firewall policy, if two rules share the same name but one is attached directly to the policy while the other is attached via a rule list, invalid JSON is returned. The JSON contains identical keys for each entry associated with the rule. This is an invalid JSON structure that cannot be parsed correctly (or the data for one of the rules is lost).
Conditions:
A firewall policy has one rule attached directly to the policy and another attached via a rule list, and both rules share the same name.
Impact:
An invalid JSON structure is returned by the stats REST API call.
Workaround:
Ensure that no rule shares its name with another rule.
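The failure mode described above (identical keys in one JSON object) is easy to miss, because most JSON parsers silently keep the last value and discard the earlier one. The following added example, which is not F5 code and uses a constructed stats-like response rather than real BIG-IP output, shows how to detect repeated keys in a REST response with the standard library before trusting the parsed data:

```python
import json

# Constructed sample resembling a per-rule stats response in which two rules
# named "allow-mgmt" (one attached directly, one via a rule list) collide.
SAMPLE = '''{
  "entries": {
    "allow-mgmt": {"hits": 10},
    "deny-all":   {"hits": 250},
    "allow-mgmt": {"hits": 3}
  }
}'''


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


class _RecordingDict(dict):
    """dict that remembers which keys were repeated in its JSON source.

    json.loads passes the raw (key, value) pairs of each object to the
    object_pairs_hook, which is the only point where duplicates are visible.
    """

    def __init__(self, pairs):
        super().__init__()
        self.duplicates = []
        for key, value in pairs:
            if key in self and key not in self.duplicates:
                self.duplicates.append(key)
            self[key] = value  # last value wins, mirroring json.loads' default


def _walk(node, prefix, out):
    """Collect JSON-pointer-like paths of every repeated key in the tree."""
    if isinstance(node, _RecordingDict):
        for key in node.duplicates:
            out.append(prefix + "/" + key)
        for key, value in node.items():
            _walk(value, prefix + "/" + key, out)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{prefix}[{index}]", out)


def find_duplicate_keys(text):
    """Return the paths of all repeated object keys in a JSON document."""
    tree = json.loads(text, object_pairs_hook=_RecordingDict)
    found = []
    _walk(tree, "", found)
    return found


def loads_strict(text):
    """Parse JSON, refusing documents whose objects repeat a key."""
    duplicates = find_duplicate_keys(text)
    if duplicates:
        raise DuplicateKeyError("duplicate keys: " + ", ".join(duplicates))
    return json.loads(text)


if __name__ == "__main__":
    # Default parsing keeps only one of the two "allow-mgmt" entries.
    lenient = json.loads(SAMPLE)
    print("entries seen by json.loads:", sorted(lenient["entries"]))
    print("duplicate key paths:", find_duplicate_keys(SAMPLE))
```

The strict loader is the one to use on monitoring or automation that consumes such stats: a silent last-wins merge would report 3 hits for a rule that actually recorded 13 across both attachments.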
935593-1 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
Component: Local Traffic Manager
Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled do not handle retransmitted SYNs correctly.
Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.
Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.
Workaround:
Do not use TCP timestamp rewrite.
934017-2 : Problems may occur after creating a node named '_auto_<IP address>'
Component: Local Traffic Manager
Symptoms:
If a node is created and named '_auto_<IP address>', various problems may occur, including but not limited to:
-- If the node is configured as an FQDN template node, no ephemeral nodes may be created based on the FQDN name.
-- If the node is configured as an FQDN template node, when the node is deleted, an ephemeral node may be created based on the FQDN name of the deleted node.
-- If the node is configured as an FQDN template node with autopopulate enabled, when the node is deleted, ephemeral nodes may be created based on the FQDN name of the deleted node, but with no FQDN template node.
-- If the node is configured as an FQDN template node and then deleted, any ephemeral nodes remaining must be deleted manually.
Conditions:
This may occur if:
-- A node is created with a name of the form '_auto_<IP address>', such as:
- _auto_10.10.10.10 (IPv4 address 10.10.10.10).
- _auto_fe80..f811.3eff.fe06.9ab9 (IPv6 address fe80::f811:3eff:fe06:9ab9)
-- FQDN template nodes are configured (including the node described above) with FQDN names that resolve to the IP address embedded in the node name.
Impact:
-- Ephemeral nodes (and pool members) may not be created based on resolution of the FQDN name in the configured node.
-- Ephemeral nodes may be created unexpectedly after the configured node is deleted.
-- Ephemeral nodes created unexpectedly after the configured node is deleted must be deleted manually.
Workaround:
Do not create any node with a name beginning with '_auto_'.
That is a reserved name used for creation of FQDN ephemeral nodes.
933405-6 : Zonerunner GUI hangs when attempting to list Resource Records
Solution Article: K34257075
Component: Global Traffic Manager (DNS)
Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.
Conditions:
Attempt to list Resource Records in Zonerunner GUI.
Impact:
Zonerunner hangs.
Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.
932781-3 : VPN fails to establish on Windows systems where 'Secure Boot' is enabled.
Solution Article: K14154376
Component: Access Policy Manager
Symptoms:
VPN fails to connect.
Conditions:
-- 'Secure Boot' is enabled on Microsoft Windows systems.
-- Running Windows 10.
-- IP Filtering Engine is enabled in the Network Access settings.
-- Connecting to VPN.
Impact:
End user clients cannot establish a VPN connection.
Workaround:
There are two workarounds for this issue:
-- Disable 'Secure Boot' on Windows systems.
Note: Some systems running Windows 10 have a feature called 'Secure Boot' enabled by default to ensure that client computers boot using only software trusted by the computer.
-- Disable IP Filtering Engine setting in the Network Access settings.
932553-1 : An HTTP request is not served when a remote logging server is down
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.
Conditions:
-- A BIG-IP system has an HTTP profile and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.
Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- POST request data is not delivered to the server.
Workaround:
None.
932137-2 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
-- BIG-IP system upgrade.
-- Leftover files remain in the /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
931609 : After installing a UCS file on a new BIG-IP, some configuration items may fail to load
Component: TMOS
Symptoms:
The FIPS card goes offline.
Conditions:
After switching to a new BIG-IP, load the UCS file containing the configuration from a previously working BIG-IP device.
Impact:
Config load errors occur:
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 12.1.5 Loading schema version: 12.1.5.2 01070712:3: FIPS 140 operations not available on this system Unexpected Error: Loading configuration process failed.
The FIPS card is offline.
Workaround:
Reboot the device and the errors should resolve themselves.
931469-3 : Redundant socket close when half-open monitor pings
Component: Local Traffic Manager
Symptoms:
Sockets and log files are closed and re-opened twice instead of once when the half-open TCP monitor pings successfully.
Conditions:
This occurs when the half-open monitor pings successfully.
Impact:
Minor performance impact.
Workaround:
None.
930825-1 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
Component: TMOS
Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from them. After XLMAC recovery attempts fail, the current behavior is to fail over to the peer unit, go offline, and down links.
This can be seen in the TMM logs:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice HA failover action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice HA failover action is cleared.
Followed by a failover event.
Conditions:
It is unknown under what conditions the XLMAC errors occur.
Impact:
The BIG-IP system fails over.
Workaround:
Modify the default high availability (HA) action for the switchboard-failsafe to reboot instead of go offline and down links.
930217-6 : Zone colors in ASM swap usage graph are incorrect
Component: Application Visibility and Reporting
Symptoms:
In the GUI ASM memory utilization chart, the 'BD swap size, Total swap size' graph shows inconsistent background colors. The colors appear to be assigned on the assumption that swap usage is shown as a percentage, but it is shown as an absolute value.
Conditions:
-- ASM is provisioned.
-- Viewing the ASM memory utilization chart.
Impact:
Potential confusion viewing colors in ASM memory utilization chart.
Workaround:
None. This is a cosmetic issue only.
929429-6 : Oracle database monitor uses excessive CPU when Platform FIPS is licensed
Component: Local Traffic Manager
Symptoms:
Whenever you create an Oracle monitor and add a member to it, high CPU usage occurs every time the OpenSSL libraries are loaded for a new connection.
Conditions:
-- Create an Oracle LTM monitor.
-- Add a pool member to the Oracle monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU usage due to the loading of libraries whenever a new connection is created.
Workaround:
None.
929133-5 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
Component: TMOS
Symptoms:
VLANs with a name that starts with "eth" cause tmm to fail and restart.
Conditions:
A VLAN name starts with "eth".
Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.
Workaround:
Rename all VLANs whose names start with "eth".
928697-5 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
Component: TMOS
Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.
Conditions:
The initiator sends more than one proposal.
Impact:
Diagnosing connection issues is more difficult.
Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.
927941-1 : IPv6 static route BFD does not come up after OAMD restart
Component: TMOS
Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"
Conditions:
-- BFD is configured for an IPv6 static route.
-- Restart the oamd process.
Impact:
BFD session is not shown in 'show bfd session'.
Workaround:
Restart tmrouted:
bigstart restart tmrouted
927909 : Upgrading a vCMP guest using a block device image may fail on older versions of host software
Component: TMOS
Symptoms:
Upgrading a vCMP guest fails with the block-device-image option (where the actual images reside on the host).
Attempts to upgrade vCMP guest volumes fail, showing a failed status:
tmsh show sys software
...
HD1.2 1 none none none no failed (archive read or checksum error).
Conditions:
Attempt to upgrade vCMP guest from image residing on the host, for example:
$ tmsh install sys software block-device-image BIGIP-15.1.0.3-0.0.12.iso volume HD1.2
Impact:
Unable to upgrade software on the vCMP guest.
Workaround:
Copy upgrade image to guest and upgrade directly, for example:
$ tmsh install sys software image BIGIP-15.1.0.3-0.0.12.iso volume HD1.2
927185 : TMM ENGHF-12.1.4.1.0.25.6 SIGFPE Assertion "maximum pages" failed
Component: Traffic Classification Engine
Symptoms:
TMM cores during page allocation.
Impact:
The TMM core causes a failover event and raises stability concerns.
Workaround:
No workaround
926845-2 : Inactive ASM policies are deleted upon upgrade
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
926689-1 : [APM] ActiveX-based RDP AppTunnel fails on 12.1.2.5 for all users★
Solution Article: K31523705
Component: Access Policy Manager
Symptoms:
After upgrading from 12.1.2.2.0.276 to 12.1.2.5, end users complain that they are unable to use RDP.
Conditions:
Connect to RDP via AppTunnel which loads the ActiveX control.
Impact:
You cannot connect via RDP.
Workaround:
None.
926593-5 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
Component: Global Traffic Manager (DNS)
Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.
Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.
Impact:
IPv6 virtual servers are marked down unexpectedly.
Workaround:
Use a different GTM monitor type than gateway_icmp for IPv6 targets.
925797-5 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members
Component: TMOS
Symptoms:
When there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.
The mcpd process might fail and restart or it might remain running but have its virtual memory so fragmented that queries to mcpd might fail to allocate memory.
One of the signs that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.
Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.
Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.
Workaround:
None.
925573-5 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted
Component: Access Policy Manager
Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that recurs inconsistently.
Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.
Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue.
Workaround:
None.
924429-5 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
Component: TMOS
Symptoms:
While restoring a UCS archive, you get an error similar to the following example:
/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.
As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.
The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.
This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.
Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.
Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.
Workaround:
None.
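The root cause above is a free-space check that matches the literal path /var/tmp against the mount table instead of first resolving the symlink to /shared/tmp. The following added example (not F5's script) models both the faulty and the corrected check on a constructed mount table; the /var free-space and required-bytes figures are taken from the error message in this entry, the /shared figure and the symlink table are assumptions so that the example runs offline:

```python
import os
import posixpath

# Constructed mount table: mount point -> free bytes. /var and the required
# size come from the error message above; /shared is an assumed value.
MOUNTS_FREE_BYTES = {
    "/": 1_000_000_000,
    "/var": 326_418_432,
    "/shared": 2_000_000_000,
}
REQUIRED_BYTES = 535_162_880

# Constructed symlink table standing in for the live filesystem; on BIG-IP
# /var/tmp is a symlink to /shared/tmp, as the entry above explains.
SYMLINKS = {"/var/tmp": "/shared/tmp"}


def canonicalize(path, symlinks=SYMLINKS):
    """Resolve a symlinked leading component, e.g. /var/tmp/x -> /shared/tmp/x.

    With symlinks=None the live filesystem is consulted via os.path.realpath().
    """
    if symlinks is None:
        return os.path.realpath(path)
    path = posixpath.normpath(path)
    # Longest link first so /var/tmp/foo beats /var if both were links.
    for link, target in sorted(symlinks.items(), key=lambda kv: -len(kv[0])):
        if path == link or path.startswith(link + "/"):
            return target + path[len(link):]
    return path


def mount_for(path, mounts=MOUNTS_FREE_BYTES):
    """Longest-prefix match of a path against the mount table."""
    best = "/"
    for mount_point in mounts:
        if mount_point == "/":
            continue
        if path == mount_point or path.startswith(mount_point + "/"):
            if len(mount_point) > len(best):
                best = mount_point
    return best


def free_space_check(staging_dir, required, resolve_symlinks,
                     mounts=MOUNTS_FREE_BYTES, symlinks=SYMLINKS):
    """Return (ok, filesystem, free_bytes) for a staging directory.

    resolve_symlinks=False reproduces the faulty behaviour (the literal path
    is matched against the mount table); True is the corrected check.
    """
    if resolve_symlinks:
        path = canonicalize(staging_dir, symlinks)
    else:
        path = posixpath.normpath(staging_dir)
    filesystem = mount_for(path, mounts)
    free = mounts[filesystem]
    return free >= required, filesystem, free


if __name__ == "__main__":
    for resolve in (False, True):
        ok, fs, free = free_space_check("/var/tmp", REQUIRED_BYTES, resolve)
        print(f"resolve_symlinks={resolve}: checked {fs} "
              f"({free} bytes free) -> {'ok' if ok else 'FAIL'}")
```

Run against the constructed table, the faulty check reports /var with 326418432 bytes free and fails, while the corrected check resolves to /shared and passes, which is exactly the "fails even if /var/tmp has sufficient disk space" situation described in the Impact.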
923221-6 : BD does not use all the CPU cores
Component: Application Security Manager
Symptoms:
Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.
Conditions:
BIG-IP is installed on a device with more than 32 cores.
Impact:
ASM does not use all of the available CPU cores.
Workaround:
1. Modify the following file on the BIG-IP system:
/usr/local/share/perl5/F5/ProcessHandler.pm
Change this:
ALL_CPUS_AFFINITY => '0xFFFFFFFF'
To this:
ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',
2. Restart the asm process:
bigstart restart asm
922613-5 : Tunnels using autolasthop might drop traffic with ICMP route unreachable
Component: TMOS
Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.
Conditions:
No route exists to the other end of the tunnel.
Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.
Workaround:
Create a route to the remote end of the tunnel.
922413-6 : Excessive memory consumption with ntlmconnpool configured
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server-side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client-side connections. It retains HTTP authentication headers that are no longer necessary once a client is authenticated, and that retained data consumes memory.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
922317 : Using the LSN::persistence_entry command in an iRule may cause crashes and/or stalled connections
Component: Local Traffic Manager
Symptoms:
-- Stalled serverside connections visible in connection table.
-- No traffic going out towards pool member.
-- Sometimes tmm crashes may occur.
Conditions:
The LSN::persistence_entry Tcl command is used inside of an iRule triggered by a serverside event, e.g., SERVER_CONNECTED.
Impact:
-- Traffic not reaching pool members.
-- System disruption while tmm restarts in case of crash.
Workaround:
Do not use the LSN::persistence_entry command in iRules triggered by serverside events.
922005-7 : Stats on a certain counter for web-acceleration profile may show excessive value
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system is configured to use the RAM Cache feature, a corresponding profile may report an excessively large value for the cache_misses_all counter under certain conditions.
Conditions:
-- The BIG-IP system has a virtual server with web-acceleration profile without an application (RAM Cache feature).
-- The virtual server receives uncacheable requests that are interrupted by a client or are not served by a server.
Impact:
The cache_misses_all counter incurs an arithmetic overflow and shows an excessive number on the order of 1.8e19. The issue has no functional impact; the system operates as normal.
Workaround:
None.
921625-6 : The certs extend function does not work for GTM/DNS sync group
Component: Global Traffic Manager (DNS)
Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged an SSL cert.
As part of normal functionality, when one GTM/DNS system tries to connect to a BIG-IP server and receives an 'unknown ca' SSL error, and its peer GTM/DNS system has already built a connection with that BIG-IP server, the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. Because of this issue, it cannot.
The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.
You might see messages similar to the following:
-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....
Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
1. GTMDNS1 and GTMDNS2 are in the same GTM/DNS sync group.
2. GTMDNS1 has a self-authorized CA cert.
3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.
Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.
Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.
921549-1 : The gtmd process does not receive updates from local big3d.
Component: Global Traffic Manager (DNS)
Symptoms:
An oversized server.crt file prevents gtmd (on the other devices in the same sync group) from receiving updates from the local big3d.
Conditions:
One GTM/DNS device in the sync group has an oversized server.crt file (approximately 4000 or larger) and sends a client cert direct message to peer GTM/DNS devices.
Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.
Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.
921541 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
The problem occurs when all of the following are true:
-- The platform is one of the following platforms with Intel QAT:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- The size of the file to be compressed is less than compression.qat.dispatchsize.
-- The size of the file to be compressed is one of the following specific values: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
920961-5 : Devices incorrectly report 'In Sync' after an incremental sync
Component: Application Security Manager
Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.
Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).
Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.
Workaround:
Modify the underlying LTM policy to be 'legacy':
# tmsh modify ltm policy <LTM Policy Name> legacy
920817-2 : DNS Resource Records can be lost in certain circumstances
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Zone syncing is missing Resource Records.
Conditions:
This occurs when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group.
Impact:
DNS Resource Records can be missing from the BIND DNS database.
The impact of this is that if GSLB Load Balancing falls back to BIND, the DNS Resource Records may not be present.
Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group.
Note: It is also possible to turn off Zone Syncing. The GTM/DNS configuration is still synced, but you lose the ability to sync non-Wide IP changes to the BIND DB. If you do not use ZoneRunner to add additional non-Wide IP records, this is a problem only when GSLB resorts to Fallback to BIND. This can be mitigated with DNSX and DNS (off device) for non-Wide IP Resource Records.
920789-6 : UDP commands in iRules executed during FLOW_INIT event fail
Component: Local Traffic Manager
Symptoms:
UDP commands in iRules executed during FLOW_INIT event fail.
Conditions:
An iRule that contains UDP commands is executed on the FLOW_INIT event.
Impact:
UDP commands in iRules executed during FLOW_INIT event fail.
Workaround:
None.
920761-5 : Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values
Component: TMOS
Symptoms:
In the GUI if you change a virtual server from one type to another, there may be changes automatically applied to some of the settings. If you change the type back to its original value, those changes remain, and are saved when you click Update.
Conditions:
-- Modifying a virtual server from one type to another, and then changing it back to the original type.
-- Clicking Update.
Impact:
Unexpected configuration changes, which can lead to unexpected behavior of the BIG-IP system.
Workaround:
To prevent unwanted changes, when you change a virtual server's type and then change it back within the same session, click Cancel instead of Update.
920517-5 : Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI
Component: TMOS
Symptoms:
When creating a Rate Shaping Rate Class in the GUI, the default values for 'Queue Method' and 'Drop Policy' are not correct.
Conditions:
-- Creating a Rate Shaping Rate Class in the GUI.
-- Leaving 'Queue Method' and 'Drop Policy' settings as their defaults.
Impact:
Unexpected values in the configuration: 'Queue Method' is 'sfq' and 'Drop Policy' is 'tail'.
Workaround:
You can use either of the following workarounds:
-- Manually set the 'Queue Method' and 'Drop Policy' when creating a Rate Shaping Rate Class object. These settings are available in the 'Advanced' view of the 'General Properties' section. 'Queue Method' should be 'pfifo' and 'Drop Policy' should be 'fred'.
-- Use TMSH to create Rate Shaping Rate Class objects.
920205-2 : Rate shaping might suppress TCP RST
Component: Local Traffic Manager
Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.
Conditions:
Rate shaping is configured.
Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.
Workaround:
Do not use rate-shaping.
919317-1 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes
Component: TMOS
Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.
Conditions:
ECMP routes reachable via recursive nexthops.
Impact:
NSM is stuck at 100% CPU usage.
Workaround:
Avoid using ECMP routes reachable via recursive nexthops.
918693-1 : Wide IP alias validation error during sync or config load
Component: TMOS
Symptoms:
DB validation exception occurs during sync or config load:
01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.
Conditions:
-- Wide IP has an alias associated with it.
-- Sync or load the config.
Impact:
You are unable to load the config or perform a full sync from the peer GTM/DNS device.
Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.
918597-3 : Under certain conditions, deleting a topology record can result in a crash.
Component: Global Traffic Manager (DNS)
Symptoms:
During a topology load balancing decision, TMM can crash.
Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.
Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
918277-6 : Slow Ramp does not take into account pool members' ratio weights
Component: Local Traffic Manager
Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.
Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.
Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.
Workaround:
None.
918013-5 : Log message with large wchan value
Component: TMOS
Symptoms:
A message is logged with a very large wchan (waiting channel, WCHAN :: Sleeping in Function) value that corresponds to -1 when read as signed instead of unsigned.
Conditions:
This happens in normal operation.
Impact:
The message does not accurately report the wchan value.
Workaround:
Look at the /proc/PID/stack file for the correct wchan value.
915773-5 : Restart of TMM after stale interface reference
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
915605-3 : Image install fails if iRulesLX is provisioned and /usr mounted read-write★
Component: Local Traffic Manager
Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.
tmsh show software status will report the status for the target volume:
Could not access configuration source.
Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.
Impact:
Unable to upgrade or more generally install an image on a new or existing volume.
Workaround:
Re-mount /usr as read-only:
mount -o remount,ro /usr
915557-6 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
Component: TMOS
Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:
General database error retrieving information.
Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.
Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.
Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.
915509-5 : RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true
Component: Access Policy Manager
Symptoms:
After enabling 'show-extended-error' on the RADIUS Auth agent, instead of seeing the expected message: 'The username or password is not correct. Please try again.', the system reports the message: (error: Access-Reject).
Conditions:
RADIUS Auth with 'show-extended-error' enabled.
Impact:
The content of the Reply Message is not reported. The actual reported error message is confusing and provides no assistance in resolving the condition causing the access error: username, password, passcode, or tokencode.
Workaround:
None.
915493-1 : imish command hangs when ospfd is enabled
Component: TMOS
Symptoms:
Running the imish command hangs when ospfd is enabled.
Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.
Impact:
The imish operation hangs.
Workaround:
Restart the ospfd daemon.
915305-1 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
Component: TMOS
Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries, causing tunneled traffic to be dropped/discarded.
Conditions:
The path to a remote tunnel endpoint is provided by dynamic routing.
Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.
Workaround:
Use static routing to provide a path to remote tunnel endpoint.
914081-5 : Engineering Hotfixes missing bug titles
Component: TMOS
Symptoms:
BIG-IP Engineering Hotfixes may not show the summary titles for fixed bugs (as appear for the affected bugs published via Bug Tracker).
-- The 'tmsh show sys version' command displays the bug numbers for fixes included in Engineering Hotfixes.
-- If a given bug has been published via Bug Tracker, the summary title of the bug is expected to be displayed as well.
-- Running BIG-IP Engineering Hotfixes built on or after March 18, 2019.
Conditions:
For affected BIG-IP Engineering Hotfixes, titles are not displayed for any bugs fixed in the Engineering Hotfix.
Impact:
Cannot see the summaries of the bugs fixed by running the 'tmsh show sys version' command.
Workaround:
For bugs that are published via Bug Tracker, you can query for the affected bug in Bug Tracker (https://support.f5.com/csp/bug-tracker).
Note: Not all bugs fixed in BIG-IP Engineering Hotfixes are published to Bug Tracker.
For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.
914061-5 : BIG-IP may reject a POST request if it comes first and exceeds the initial window size
Component: Local Traffic Manager
Symptoms:
The HTTP/2 protocol allows a negative flow-control window during the initial stage of communication, while the first 65,535 bytes of payload are delivered from a peer. BIG-IP may violate this requirement.
Conditions:
-- BIG-IP has a virtual server with http2 profile.
-- A configured receive window size in the http2 profile is below 64K (default 32K).
-- A peer sends POST request with payload exceeding initial receive window size over HTTP/2 connection.
Impact:
BIG-IP denies the POST request and sends RST_STREAM.
913829-1 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
Component: TMOS
Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic
Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.
For example, some client devices always use even source port numbers for the ephemeral connections they initiate. This means the 'stride' of the ports selected is '2': a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004, which is 'striding' over the odd ports, hence a port stride of 2.
Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However, the loads on the CPU cores will still appear imbalanced.
Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.
913729-2 : Support for DNSSEC Lookaside Validation (DLV) has been removed.
Component: Global Traffic Manager (DNS)
Symptoms:
Following the deprecation of DNSSEC lookaside validation (DLV) by the Internet Engineering Task Force (IETF), support for this feature has been removed from the product.
Conditions:
Attempting to use DLV.
Impact:
Cannot use DLV.
Workaround:
None. DLV is no longer supported.
913453 : URL Categorization: wr_urldbd cores while processing urlcat-query
Component: Traffic Classification Engine
Symptoms:
The webroot daemon (wr_urldbd) cores.
Conditions:
This can occur while passing traffic when webroot is enabled.
Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.
Workaround:
None.
913433-5 : On blade failure, some trunked egress traffic is dropped.
Component: TMOS
Symptoms:
When a blade fails, other blades may try to forward traffic using trunked interfaces on the down blade.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- A blade is pulled or powered off.
Impact:
Some traffic is dropped until the failed blade is detected by clusterd (10 seconds by default.)
Workaround:
None.
913125-1 : Ratio session based Load balancing does not work
Component: Service Provider
Symptoms:
Ratio session based load balancing does not work over the MRF framework with the Diameter or SIP protocols; all traffic is directed to a single pool member.
Conditions:
-- MRF virtual server configured with either a Diameter or SIP protocol profile.
-- The pool's load balancing method is set to Ratio-Session.
Impact:
All of the SIP traffic is directed to a single server, or the actual ratio is not maintained correctly, depending on the actual calls/configuration.
Workaround:
FIRST WORKAROUND:
Create duplicate pool members using the same server. For example, if you have two servers, A and B, and you want a ratio of 2:3, configure multiple pool members to achieve the desired ratio:
A:5060
A:5061
B:5060
B:5061
B:5062
Impact of workaround: You must also disable port translation for the virtual server, and you must configure round robin load balancing. Also, the ratio is not preserved if one of the pool members goes down.
SECOND WORKAROUND:
If you are unable to use multiple ports on the same server, you could also use multiple IP addresses. The following pool configuration also achieves a 2:3 ratio between server A and server B:
A1:5060
A2:5060
B1:5060
B2:5060
B3:5060
Impact of workaround: you must also configure round robin load balancing. Also, the ratio is not preserved if one of the pool members goes down.
THIRD WORKAROUND:
Implement a ratio algorithm in an iRule. After checking whether the message is of type INVITE, select a pool member based on an algorithm computed in the iRule.
For example, you can declare an array of pool member ip:port entries, then loop through them. A pool member can be selected via:
pool <pool name> member <ip> <port>
Impact of workaround: The iRule should also check the pool member status to ensure it is up.
The LB::status command can be used to check the status of a pool member.
912517-6 : MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool member is configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
912289-5 : Cannot roll back after upgrading on certain platforms★
Component: Local Traffic Manager
Symptoms:
On certain platforms, after upgrading to one of the following software versions, you will not be able to boot back into an earlier software version:
- BIG-IP v15.1.1 or later in the v15.x branch of code
- BIG-IP v16.0.0 or later
Contact F5 Support for the reversion process if this is required.
Conditions:
-- Using the following platforms:
+ i5820-DF / i7820-DF
+ 5250v-F / 7200v-F
+ 10200v-F
+ 10350v-F
-- Upgrade the software to one of the following software versions:
+ BIG-IP v15.1.1 or later in the v15.x branch of code
+ BIG-IP v16.0.0 or later
-- Attempt to roll back to a previous version.
Impact:
Cannot boot into a previous version. Contact F5 Support for the reversion process if this is required.
Workaround:
None.
911853-2 : Stream filter chunk-size limits filter to a single match per ingress buffer
Component: Local Traffic Manager
Symptoms:
The chunk-size profile setting of the stream filter limits memory by capping the match string allocated from an ingress buffer to <chunksize> bytes. This implicitly limits the maximum size of the match, potentially resulting in missed matches beyond chunk-size within the same ingress buffer. For more information, see:
https://support.f5.com/csp/article/K39394712
Conditions:
A stream filter is configured with the chunk-size parameter set and ingress data arrives which contains matches beyond the configured chunk-size in the buffer.
Impact:
Potential matches beyond the configured chunk-size will be sent unmodified by the stream filter, potentially resulting in missed matches.
Workaround:
None.
911713-5 : Delay in Network Convergence with RSTP enabled
Component: TMOS
Symptoms:
The BIG-IP system does not respond to Rapid Spanning Tree Protocol (RSTP) Bridge Protocol Data Units (BPDUs) with only the proposal flag ON (i.e., without the agreement flag ON).
Conditions:
-- Neighbor Switch sends RSTP BPDU with only proposal flag ON.
-- The agreement flag is not ON.
Impact:
Network convergence takes more time than expected.
Workaround:
None.
911241-2 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
Component: Global Traffic Manager (DNS)
Symptoms:
The iqsyncer utility leaks memory.
Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.
Impact:
The iqsyncer utility exhausts memory and is killed.
Workaround:
Do not set log.gtm.level equal to or higher than debug.
910653-1 : iRule parking in clientside/serverside command may cause tmm restart
Component: Local Traffic Manager
Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.
Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.
For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.
910473 : Tmm crash when applying config changes
Component: Local Traffic Manager
Symptoms:
Core observed after modifying the config to change the cipher lists.
Conditions:
Changing the LTM configuration at runtime. The exact conditions under which this occurs are unknown.
Impact:
Tmm crashes, and the BIG-IP system generates a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
910213-6 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect.
Specifically, the pool member is marked down within the tmm thread executing the iRule, but the status change is not updated to mcpd, or to other tmm threads.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
No direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
909197-6 : The mcpd process may become unresponsive
Component: TMOS
Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- The mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.
Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.
Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.
Workaround:
None.
908021-4 : Management and VLAN MAC addresses are identical
Component: TMOS
Symptoms:
The 'tmsh show sys mac-address' command indicates the management interface is using the same MAC address as a VLAN.
Conditions:
This can occur on chassis-based systems and on vCMP guests. The MAC address pool does not reserve specific MAC addresses for the management interfaces, so pool entries may be reused for VLANs.
Impact:
The management MAC address is the same as the VLAN MAC address, so traffic destined for the management port cannot be differentiated from traffic destined for the traffic ports.
Workaround:
None.
907549-5 : Memory leak in BWC::Measure
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
907337-6 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
A specific scenario that results in memory corruption.
Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.
Workaround:
None.
906653-6 : Server side UDP immediate idle-timeout drops datagrams
Component: Local Traffic Manager
Symptoms:
With immediate idle-timeout, flows may be closed before a datagram is forwarded.
Conditions:
-- Immediate idle-timeout is set on the server context of a UDP virtual server.
Impact:
Datagrams are dropped periodically depending on traffic load.
Workaround:
None.
906505-6 : Display of LCD System Menu cannot be configured via GUI on iSeries platforms
Component: TMOS
Symptoms:
In the BIG-IP Graphical User Interface (TMUI), display of the System Menu on the LCD front panel of most BIG-IP platforms can be enabled or disabled under System :: Configuration :: Device :: General.
However, on iSeries appliances, the 'Display LCD System Menu' option does not appear on this page.
Conditions:
This occurs on the following iSeries appliances:
-- i850
-- i2000-series (i2600/i2800)
-- i4000-series (i4600/i4800)
-- i5000-series (i5600/i5800/i5820-DF)
-- i7000-series (i7600/i7600-D/i7800/i7800-D/i7820-DF)
-- i10000-series (i10600/i10600-D/i10800/i10800-D)
-- i11000-series (i11600/i11800/i11400-DS/i11600-DS/i11800-DS)
-- i15000-series (i15600/i15800)
Impact:
The 'Display LCD System Menu' option cannot be configured via the GUI.
Workaround:
You can enable display of the LCD System Menu using the Command Line (CLI) by running the following commands, in sequence:
tmsh mod sys global-settings lcd-display [enabled|disabled]
tmsh mod sys db lcd.showmenu value [enabled|disabled]
906449-6 : Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
Component: TMOS
Symptoms:
The text that describes the monitor state of an LTM node, pool member, or monitor instance also contains a timestamp that initially indicates when the monitor set the affected node or pool member to the indicated state. This timestamp can be affected by other actions, such as incremental or full config sync and config load.
The monitor-state description and timestamp can be viewed in the CLI (CLI/TMSH) and GUI (TMUI) as follows:
-- From the CLI/TMSH:
tmsh show ltm monitor <monitor_type> <monitor_name>
This command shows the state of ltm nodes or pool members currently monitored by the specified ltm health monitor, as in the following example:
-------------------------------------
LTM::Monitor /Common/mysql_test
-------------------------------------
Destination: 10.10.200.28:3296
State time: down for 1hr:58mins:42sec
| Last error: No successful responses received before deadline. @2020.03.25 14:10:24
-- From the GUI:
+ Navigate to Local Traffic :: Nodes : Node List :: <node_name>. The 'Availability' field shows text describing the node's monitored state with a timestamp.
+ Navigate to Local Traffic :: Pools : Pool List :: <pool_name>, under the Members tab, click the pool member name. The 'Availability' field shows text describing the pool member's monitored state with a timestamp.
Conditions:
This may occur under the following conditions:
-- If an incremental config sync occurs from one high availability (HA) member to another member or to the device group:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
+ If a Node or Pool Member has been marked DOWN by a monitor, its timestamp may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.
-- If a full/forced config sync occurs from one HA member to another member or to the device group:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the full config sync.
+ The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the full config sync.
-- If a config load occurs:
+ The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on the HA member where the config load occurred.
+ The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on the HA member where the config load occurred.
Impact:
The timestamp indicated next to the monitored-state description for an LTM Node or Pool Member indicates when the Node or Pool Member was updated in ways other than by its configured monitor. Thus, this timestamp may not indicate the actual time of the monitor event suggested by the description text.
Workaround:
None.
905749-4 : imish crash while checking for CLI help string in BGP mode
Component: TMOS
Symptoms:
imish crashes while checking the help strings of '(no) neighbor x.x.x.x fall-over bfd ?' when Border Gateway Protocol (BGP) is configured.
Conditions:
-- Configure BGP.
-- Check for help strings in imish using the '?' (question mark) character.
Impact:
imish crash.
Although imish crashes, BGP functionality is not impacted.
Workaround:
Avoid using '?' while entering the commands.
905681-2 : Incorrect enforcement of policy parameters
Component: Application Security Manager
Symptoms:
A parameter is not enforced correctly (i.e., it shows as a false positive or a false negative).
Conditions:
-- The parameter is configured as a global wildcard parameter.
-- The parameter also appears as an explicit parameter on a different policy.
-- Other conditions related to the name of the parameter may apply (e.g., numerical suffix).
Impact:
Enforcement returns false-positive or false-negative results.
Workaround:
Change the parameters to either explicit parameters or URL-level parameters assigned to all the URLs.
905557-4 : Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure
Component: Global Traffic Manager (DNS)
Symptoms:
A TMM daemon logs a SIGSEGV error, halts, and is then restarted.
Conditions:
-- A BIG-IP system configured to perform DNS/GTM Global Server Load Balancing.
-- High Speed Logging (HSL) is configured.
-- Multiple HSL destinations are configured.
-- The enabled HSL settings include 'replication'.
-- At least one HSL destination is up.
-- At least one HSL destination is down.
-- A pool resource changes state from up to down.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure HSL with only a single log destination.
904625-6 : Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync
Component: Local Traffic Manager
Symptoms:
The GUI saves SSL certificate/CSR subject fields data into SSL.CertRequest.* DB variables to use them in pre-populating subject fields for subsequent modifications.
Conditions:
-- SSL certificate/CSR modification through GUI.
-- Changing the content of the SSL.CertRequest.* DB variables.
-- High availability (HA) configuration.
Impact:
HA devices go out of sync.
Workaround:
SSL.CertRequest.* DB variables are used only as GUI SSL certificate/CSR pre-populated suggestions.
You can still review and modify them before completing SSL certificate/CSR modification operation, so it is safe to sync them onto the high availability (HA) peer.
904441-6 : APM vs_score for GTM-APM load balancing is not calculated correctly
Component: Access Policy Manager
Symptoms:
Output from the 'show ltm virtual <vs> detail' command reports an incorrect value for the APM Module-Score.
Conditions:
-- Using GTM/DNS and APM.
-- Configure an access profile attached to a virtual server.
-- Configure a non-zero number for 'Max Concurrent Users' for the access profile.
-- Access the virtual server.
Impact:
GTM/DNS load balancing does not work as expected.
Workaround:
None.
904041-6 : Ephemeral pool members may be incorrect when modified via various actions
Component: Local Traffic Manager
Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.
For example:
A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.
B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.
Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"
Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.
Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.
Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.
For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.
903521-6 : TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'
Component: Global Traffic Manager (DNS)
Symptoms:
TMM fails to sign responses from BIND.
Conditions:
BIND has 'dnssec-enable no' in named.conf.
Impact:
TMM fails to sign responses from BIND.
Workaround:
Remove 'dnssec-enable no' from named.conf in options section.
903453-1 : TMM crash following redirect when Proactive Bot Defense is used
Component: Application Security Manager
Symptoms:
TMM may rarely crash when Proactive Bot Defense is enabled.
Conditions:
TMM may rarely crash under specific configurations when Proactive Bot Defense is used.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None.
901989-6 : Boot_marker writes to /var/log/btmp
Component: TMOS
Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.
A message similar to:
Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp
... may be logged to /var/log/secure.
Conditions:
-- Rebooting a BIG-IP.
Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.
Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
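Because /var/log/btmp is an array of fixed-size binary utmp records, a text boot marker written into it leaves the file misaligned, which is exactly what pam_lastlog reports as corruption. The following added example (not from the original page or from F5) shows how to verify the file's integrity before relying on its contents in an investigation. It assumes the glibc x86_64 utmp layout (384-byte records) and builds its own sample data, including a constructed marker line that stands in for whatever boot_marker actually writes.

```python
import struct
import sys
from typing import NamedTuple

# Layout of one struct utmp record as written by glibc on x86_64 Linux (384 bytes):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], unused[20]
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
UTMP_SIZE = UTMP.size  # 384
VALID_TYPES = range(0, 10)  # EMPTY(0) .. ACCOUNTING(9)


class Finding(NamedTuple):
    aligned: bool      # file length is a whole number of records
    good_records: int  # records parsed before the first bad one
    bad_offset: int    # byte offset of the first bad record, or -1 if none


def build_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Construct one utmp record; used here only to build sample data."""
    return UTMP.pack(ut_type, pid,
                     line.encode().ljust(32, b"\0"), b"\0" * 4,
                     user.encode().ljust(32, b"\0"), host.encode().ljust(256, b"\0"),
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"\0" * 20)


def check_btmp(data: bytes) -> Finding:
    """Walk the file record by record and stop at the first implausible ut_type."""
    aligned = len(data) % UTMP_SIZE == 0
    good = 0
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type = UTMP.unpack_from(data, off)[0]
        if ut_type not in VALID_TYPES:
            return Finding(aligned, good, off)
        good += 1
    if not aligned:
        return Finding(False, good, good * UTMP_SIZE)  # trailing partial record
    return Finding(True, good, -1)


# Constructed samples: two failed-login records (LOGIN_PROCESS = 6), then the
# same two followed by a text line, mimicking the boot marker described above.
CLEAN_SAMPLE = (build_record(6, 4242, "ssh:notty", "root", "203.0.113.9", 1587460792)
                + build_record(6, 4251, "ssh:notty", "admin", "203.0.113.9", 1587460801))
MARKER = b"boot marker text line (constructed sample, not the real BIG-IP marker)\n"
CORRUPT_SAMPLE = CLEAN_SAMPLE + MARKER + build_record(6, 4300, "ssh:notty", "root", "203.0.113.9", 1587460900)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/btmp"
    with open(path, "rb") as f:
        print(check_btmp(f.read()))
```

A result with `aligned == False` or `bad_offset != -1` means `lastb` output from that file cannot be trusted; everything from `bad_offset` onward is unparseable, and records written after the marker are not recoverable by tools that assume a fixed stride.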
901985-3 : Extend logging for incomplete HTTP requests
Component: TMOS
Symptoms:
Logging is not triggered for incomplete HTTP requests.
Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.
Impact:
Logging is missing for incomplete HTTP requests.
Workaround:
None.
900825-4 : WAM image optimization can leak entity reference when demoting to unoptimized image
Component: WebAccelerator
Symptoms:
WAM image optimization can leak entity reference when demoting to unoptimized image.
WAM allows PNG files to be optimized to WEBP and JPG files to be optimized to JPEG XR formats, based on capabilities inferred from the client's User-Agent value. Once the optimized version is in the cache, internal check failures might cause the entity/document to be reverted to the unoptimized version. If this unoptimized version is already present in the cache, a reference to the corresponding entity is leaked, thus causing the entity to be held in memory along with attached resource/document objects and associated storage (UCI).
Conditions:
-- WAM-optimized PNG files (to WEBP) and JPG files (to JPEG XR) on the system.
-- A policy change occurs that causes an internal check to fail.
Note: This can also occur in some cases without actual changes to the policy if the optimization step is skipped by wamd.
Impact:
WAM image optimization might leak entity reference.
Workaround:
None.
900485-6 : Syslog-ng 'program' filter does not work
Component: TMOS
Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.
Conditions:
-- Using the 'program' expression in a syslog-ng filter.
Impact:
Unable to filter messages as expected.
Workaround:
None.
899933-6 : Listing property groups in TMSH without specifying properties lists the entire object
Component: TMOS
Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.
Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.
Impact:
Unexpected output.
Workaround:
None.
899905 : N3FIPS kernel driver crash
Component: Local Traffic Manager
Symptoms:
The N3FIPS driver crashes and BIG-IP reboots.
Conditions:
Conditions are unknown. This occurs rarely.
Impact:
Traffic disruption due to BIG-IP system reboot
Workaround:
None.
899781-1 : Custom dialup does not establish VPN
Component: Access Policy Manager
Symptoms:
Attempting to establish a VPN using a custom dialup does not establish the connection, and reports an error:
...finished with code, -1073740512
Conditions:
-- Setup simple Network Access resource.
-- Download the client package onto the client system and install it.
-- Use WinLogon Integration/Custom dialup to establish VPN.
Impact:
WinLogon Integration/Custom dialup fails to establish VPN.
Workaround:
Use EdgeClient or F5 Helper Applications to establish VPN.
899253-2 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
Component: Global Traffic Manager (DNS)
Symptoms:
Making changes to wide IP pools through GUI management does not take effect.
Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.
Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.
Workaround:
Use TMSH.
899085-1 : Configuration changes made by Certificate Manager role do not trigger saving config
Component: TMOS
Symptoms:
Configuration changes made in the BIG-IP GUI by a user with role 'Certificate Manager' do not result in the configuration being saved.
If the system is rebooted (or MCPD restarted) without saving the configuration, those changes will be lost.
Conditions:
-- User with role 'Certificate Manager'.
-- Changes made in GUI.
-- System rebooted.
Impact:
Loss of configuration changes.
Workaround:
Users with a 'Certificate Manager' role can save the configuration from tmsh:
tmsh save /sys config
Alternately, another user can save the configuration.
898997-6 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
Component: Service Provider
Symptoms:
GTP message parsing fails, and log messages similar to the following may be observed:
GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).
Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes
Impact:
- Message parsing fails; traffic may be interrupted.
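To make the failure concrete, here is an added example (not F5's gtp_parser, and not code from the page) of a bounds-checked GTPv2-C parser. The IE length field is 16 bits, so a single information element can legitimately carry up to 65535 bytes; the optional `max_ie_len` cap reproduces the effect of a fixed internal limit such as the 2048-byte one this issue describes, so you can see a well-formed message with a 3000-byte IE parse correctly without the cap and be rejected with it. Message type 32 (Create Session Request) and IE type 255 (Private Extension) are standard values; the sample payload bytes are constructed.

```python
import struct
from typing import List, NamedTuple, Optional, Sequence, Tuple


class IE(NamedTuple):
    ie_type: int
    instance: int
    value: bytes


class GtpMessage(NamedTuple):
    msg_type: int
    teid: Optional[int]
    seq: int
    ies: List[IE]


def parse_gtpv2c(data: bytes, max_ie_len: Optional[int] = None) -> GtpMessage:
    """Parse a GTPv2-C message: 4-byte base header, optional TEID, 3-byte seq + spare, then TLV IEs.

    Every length is checked against the buffer; max_ie_len (if given) models an
    artificial per-IE cap like the one that causes the parsing failure above.
    """
    if len(data) < 8:
        raise ValueError("short GTPv2-C header")
    flags, msg_type, length = struct.unpack_from("!BBH", data, 0)
    if flags >> 5 != 2:
        raise ValueError("not a GTPv2 message")
    if len(data) != length + 4:  # length field counts everything after the first 4 bytes
        raise ValueError("length field disagrees with buffer size")
    pos = 4
    teid = None
    if flags & 0x08:  # T flag: TEID present
        teid = struct.unpack_from("!I", data, pos)[0]
        pos += 4
    seq = int.from_bytes(data[pos:pos + 3], "big")
    pos += 4  # 3-byte sequence number + 1 spare byte
    ies: List[IE] = []
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated IE header")
        ie_type, ie_len, inst = struct.unpack_from("!BHB", data, pos)
        pos += 4
        if max_ie_len is not None and ie_len > max_ie_len:
            raise ValueError(f"IE type {ie_type} length {ie_len} exceeds cap {max_ie_len}")
        if len(data) - pos < ie_len:
            raise ValueError("IE value runs past end of message")
        ies.append(IE(ie_type, inst & 0x0F, data[pos:pos + ie_len]))
        pos += ie_len
    return GtpMessage(msg_type, teid, seq, ies)


def build_gtpv2c(msg_type: int, teid: int, seq: int, ies: Sequence[Tuple[int, int, bytes]]) -> bytes:
    """Encode a GTPv2-C message with TEID; used here to construct sample input."""
    body = b"".join(struct.pack("!BHB", t, len(v), inst & 0x0F) + v for t, inst, v in ies)
    after_first4 = struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00" + body
    return struct.pack("!BBH", 0x48, msg_type, len(after_first4)) + after_first4  # 0x48: version 2, T=1


# Constructed sample: a Create Session Request carrying a small IMSI IE (type 1)
# and a 3000-byte Private Extension IE (type 255), larger than a 2048-byte cap.
SAMPLE_MSG = build_gtpv2c(32, 0, 0x0102AB, [
    (1, 0, bytes.fromhex("0123456789abcdef")),
    (255, 0, b"\xAA" * 3000),
])


def large_ie_accepted(cap: Optional[int]) -> bool:
    """Return True when SAMPLE_MSG parses fully under the given per-IE cap."""
    try:
        msg = parse_gtpv2c(SAMPLE_MSG, max_ie_len=cap)
    except ValueError:
        return False
    return len(msg.ies) == 2 and len(msg.ies[1].value) == 3000
```

The bounds checks against the message length are what keep the parser safe; the per-IE cap adds nothing for safety and only rejects valid traffic, which is the behaviour the fix removes.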
898825-6 : Attack signatures are enforced on excluded headers under some conditions
Component: Application Security Manager
Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).
Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.
Impact:
False positive enforcement for header signature.
Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.
898753-1 : Multicast control-plane traffic requires handling with AFM policies
Component: Local Traffic Manager
Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.
Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.
Impact:
OSPF neighborship is not formed.
Workaround:
Add an AFM route-domain policy.
898705-1 : IPv6 static BFD configuration is truncated or missing
Component: TMOS
Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.
-- IPv6 static BFD configuration entries go missing during a daemon restart.
Conditions:
IPv6 static BFD configuration.
Impact:
The IPv6 static BFD configuration does not persist during reloads.
-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.
Workaround:
None.
898681 : SafeNet install fails with the message 'path not allowed'
Component: Local Traffic Manager
Symptoms:
SafeNet Luna Client installation fails with the message 'path not allowed'.
Conditions:
-- Attempting to install SafeNet Luna Client with the shell script nethsm-safenet-install.sh.
Impact:
Cannot install SafeNet Luna Client.
Workaround:
1. Open the file "/config/ssh/scp.whitelist" in an editor.
2. Add the line "/usr/safenet/lunaclient".
3. Save the changes.
4. Try the install again.
898461-6 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
Component: TMOS
Symptoms:
The following SCTP iRule commands:
-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port
Are unavailable in the following MRF iRule events:
-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS
Attempts to use these commands in these events result in errors similar to:
01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].
Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.
Impact:
Unable to use these iRule commands within these iRule events.
Workaround:
None.
898389-5 : Traffic is not classified when adding port-list to virtual server from GUI
Component: TMOS
Symptoms:
Traffic is not matching to the virtual server.
Conditions:
Using the GUI to configure traffic-matching-criteria by adding port-list to the virtual server.
Impact:
Traffic loss.
Workaround:
Creating traffic-matching-criteria from the command line
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm traffic-matching-criteria tmc_name_here destination-address-inline <IP ADDR>%10 route-domain <Route domain name>
898201-6 : Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
Component: Local Traffic Manager
Symptoms:
After reboot, services hosted on FQDN nodes cannot be accessed:
-- fqdn nodes are not populated with IP addresses.
-- Unable to access virtual servers served by pools using fqdn nodes.
Conditions:
The issue happens after the BIG-IP is rebooted, when:
-- The DNS server is accessed through a local virtual server.
-- The BIG-IP is a single-arm cloud deployment with a virtual server listening for DNS requests to redirect.
Impact:
-- FQDN DNS requests bypassing the listening virtual server.
-- Unable to access the pools of those configured fqdn nodes.
Workaround:
-- Restart dynconfd.
-- Run a script that triggers off "Tmm ready" and either deletes the bad flow(s) or a specific connflow entry.
-- Change the dummy DNS server to an address in the same subnet as the single interface.
897437-1 : First retransmission might happen after syn-rto-base instead of minimum-rto.
Component: Local Traffic Manager
Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base.
This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning:
-- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number.
Conditions:
Configured value of syn-rto-base is lower than minimum-rto.
Impact:
Retransmission might happen sooner than expected.
Workaround:
There are two possible workarounds:
-- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto).
-- Consider enabling timestamps to allow faster RTT measurement.
896641 : Large /var/avr/.AVR_TMP_MERGE_STEP101 file continues to grow
Component: Application Visibility and Reporting
Symptoms:
A very large /var/avr/.AVR_TMP_MERGE_STEP101 file is present on one of the blades of a VIPRION system, and the file continues to grow until /var is full.
Conditions:
Using a multi-blade VIPRION platform. The exact conditions under which this occurs are unknown.
Impact:
Disk partition /var is becoming full.
Workaround:
Delete the /var/avr/.AVR_TMP_MERGE_STEP101 file.
896553-1 : On blade failure, some trunked egress traffic is dropped.
Component: TMOS
Symptoms:
When a blade fails (but not administratively disabled), other blades take 10 seconds (configured with db variable clusterd.peermembertimeout) to detect its absence. Until the blade failure is detected, egress traffic which used the failed blade's interfaces is dropped.
Conditions:
-- A multi-blade chassis.
-- Interfaces are trunked.
-- Some blades do not have directly attached interfaces.
-- A blade which does have directly attached interfaces fails.
Impact:
Some traffic is dropped until the failed blade is detected (10 seconds by default).
Workaround:
Attach interfaces to all blades.
895845-1 : Implement automatic conflict resolution for gossip-conflicts in REST
Component: TMOS
Symptoms:
The devices in a high availability (HA) environment are out of sync in strange ways; config sync status indicates 'In Sync', but iApps such as SSL Orchestrator are out of sync.
Conditions:
-- High availability (HA) environment with two or more devices.
-- Gossip used for config sync. (Note: Gossip sync is used by BIG-IQ for BIG-IP config sync by iAppLX.)
-- A gossip conflict occurs for some reason.
You can detect gossip conflicts at the following iControl REST endpoint:
/mgmt/shared/gossip-conflicts
You can check gossip sync status at the following iControl REST endpoint:
/mgmt/shared/gossip
Impact:
If there are gossip conflicts, the devices require manual intervention to get back in sync.
Workaround:
When two devices are out of sync with different generation numbers due to gossip conflict, you can use the following guidance to resolve the conflict:
1. Update devices info to use the same generation number.
2. This info is found on the REST Storage worker. The Storage worker uses the selflink plus a generation number as the key to a given set of data.
3. Add the data from the unit with the highest generation number to the other unit.
4. You must also increase the generation number on the new data to match that of the highest generation.
Commands used:
1. Look for GENERATION_MISSING and gossip-conflict objects:
tmsh list mgmt shared gossip-conflicts
2. Get the 'selflink in remoteState' attribute. This self link is the same across all devices; check it in a browser against each device to discover which device is on the highest generation number:
tmsh list mgmt shared gossip-conflicts <OBJECT_ID>
3. Now you know what device contains the most recent version of your data, run this command to get up-to-date data:
restcurl /shared/storage?key=<everything after 'https://localhost/mgmt/' on selflink>
4. Make a post to the out-of-date device that includes the info from the up-to-date device as the post body:
restcurl -X POST /shared/storage -d '{<data from above command>}'
895781-1 : Round Robin disaggregation does not disaggregate globally
Component: TMOS
Symptoms:
Traffic is not disaggregated uniformly as expected.
Conditions:
-- A multi-blade chassis with one HSB.
-- Traffic is received on blade one.
-- The imbalance is more pronounced when the IP variation is small.
Impact:
Some TMMs may use relatively more CPU.
Workaround:
None.
895205-6 : A circular reference in rewrite profiles causes MCP to crash
Component: Local Traffic Manager
Symptoms:
MCPD crash when modifying rewrite profile.
Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.
Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.
Workaround:
Do not create circular references with profiles.
893093-6 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
Component: TMOS
Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:
-- System :: Certificate Management :: Device Certificate Management->Device Trust Certificates
-- DNS :: GSLB :: Servers :: Trusted Server Certificates
The system returns the following error:
An error has occurred while trying to process your request.
Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.
Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.
-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.
-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.
Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.
Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).
You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.
For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.
892677-2 : Loading config file with imish adds the newline character
Component: TMOS
Symptoms:
While loading configuration from a file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line, which causes problems with commands containing regex expressions.
In particular, this affects the bigip_imish_config Ansible module.
Conditions:
Loading a config with 'imish -f <f_name>' commands.
Note: This command is used with the bigip_imish_config Ansible module.
Impact:
Regex expressions are not created properly.
Workaround:
You can use either of the following workarounds:
-- Delete and re-add the offending commands using the imish interactive shell.
-- Restart tmrouted:
bigstart restart tmrouted
892445-6 : BWC policy names are limited to 128 characters
Component: TMOS
Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:
01070088:3: The requested object name <name> is invalid.
Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.
Impact:
Unable to create BWC policy objects with names that have more than 128 characters.
Workaround:
Use fewer than 128 characters when creating a BWC policy.
892385-4 : HTTP does not process WebSocket payload when received with server HTTP response
Component: Local Traffic Manager
Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.
Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.
Impact:
-- WebSocket connection hangs.
Workaround:
None.
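The failure mode here is a buffer-boundary one: the bytes that follow the HTTP 101 response in the same TCP segment belong to the WebSocket layer and must be handed on rather than discarded. The following added example (not BIG-IP code, and not from the page) shows the split a proxy or client has to perform: it separates the upgrade response from whatever trails it, decodes any complete server-to-client frames (RFC 6455, unmasked), and returns the bytes of an incomplete frame for the next read. The handshake header values are the RFC 6455 sample values; the frame bytes are constructed.

```python
from typing import Dict, List, Optional, Tuple


def split_upgrade_response(buf: bytes) -> Tuple[Optional[dict], bytes]:
    """Split an HTTP response from the bytes that follow its header block.

    Returns (parsed response, trailing bytes), or (None, buf) if headers are incomplete.
    """
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None, buf
    head, rest = buf[:end].decode("latin-1"), buf[end + 4:]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}, rest


def is_websocket_upgrade(resp: dict) -> bool:
    h = resp["headers"]
    return (resp["status"] == 101
            and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower())


def parse_frames(data: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Decode complete server-to-client frames; return them plus any leftover partial frame."""
    frames: List[Tuple[int, bytes]] = []
    pos = 0
    while len(data) - pos >= 2:
        b0, b1 = data[pos], data[pos + 1]
        opcode = b0 & 0x0F
        masked = bool(b1 & 0x80)
        length = b1 & 0x7F
        hdr = 2
        if length == 126:
            if len(data) - pos < 4:
                break
            length, hdr = int.from_bytes(data[pos + 2:pos + 4], "big"), 4
        elif length == 127:
            if len(data) - pos < 10:
                break
            length, hdr = int.from_bytes(data[pos + 2:pos + 10], "big"), 10
        if masked:
            raise ValueError("server-to-client frames must not be masked")
        if len(data) - pos < hdr + length:
            break  # incomplete frame: wait for more bytes
        frames.append((opcode, data[pos + hdr:pos + hdr + length]))
        pos += hdr + length
    return frames, data[pos:]


def handle_server_packet(packet: bytes):
    """Process one server-side TCP segment that may hold the 101 response plus WebSocket data."""
    resp, rest = split_upgrade_response(packet)
    if resp is None or not is_websocket_upgrade(resp):
        return resp, [], rest
    frames, leftover = parse_frames(rest)
    return resp, frames, leftover


# Constructed sample: the handshake response and a small text frame in one segment,
# which is the condition described above.
HANDSHAKE = (b"HTTP/1.1 101 Switching Protocols\r\n"
             b"Upgrade: websocket\r\n"
             b"Connection: Upgrade\r\n"
             b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SMALL_FRAME = b"\x81\x05hello"  # FIN + text opcode (1), 5-byte unmasked payload
PACKET = HANDSHAKE + SMALL_FRAME
```

If the implementation instead treats everything up to the end of the segment as "HTTP response" and drops the remainder, the client waits forever for a frame the server already sent, which matches the hang reported in this issue.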
891385-6 : Add support for URI protocol type "urn" in MRF SIP load balancing
Component: Service Provider
Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.
Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.
Impact:
SIP messages with urn URIs are rejected.
891337-5 : 'save_master_key(master): Not ready to save yet' errors in the logs
Component: TMOS
Symptoms:
During config sync, you see error messages in the logs:
save_master_key(master): Not ready to save yet.
Conditions:
UCS load or configuration synchronization that includes encrypted objects.
Impact:
Many errors seen in the logs.
Workaround:
None.
891145-1 : TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
Component: Local Traffic Manager
Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.
Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.
Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.
Workaround:
There are two workarounds:
-- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner.
-- Disable TCP Timestamps.
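To see why silently dropping the SYN keeps the stale connection alive longer, the following added example (a simplified model, not BIG-IP's TCP stack and not code from the page) plays out both sides of the exchange. The local side sits in FIN-WAIT-2 and receives a SYN whose TSVal is not newer than TS.Recent; the remote side is in SYN-SENT and, per RFC 793, answers an ACK that does not acknowledge its SYN with a RST, which is what lets the local half-open connection close early. Sequence numbers and timestamps are constructed, and the RST acceptance check is simplified to an exact match on the expected sequence number.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Segment:
    flags: str            # "SYN", "ACK" or "RST"
    seq: int
    ack: int = 0
    tsval: int = 0


@dataclass
class FinWait2Conn:
    """Local connection: FIN sent and acknowledged, waiting for the peer's FIN."""
    ts_recent: int
    snd_nxt: int
    rcv_nxt: int
    ts_now: int
    state: str = "FIN-WAIT-2"

    def on_syn(self, syn: Segment, ack_old_tsval: bool) -> Optional[Segment]:
        """Handle a SYN on this 4-tuple; return the segment to send, if any."""
        if syn.tsval > self.ts_recent:
            return None  # newer timestamp: a genuine reuse attempt, outside this scenario
        if not ack_old_tsval:
            return None  # behaviour before the fix: drop the SYN without any reply
        # behaviour after the fix: answer with the ACK this connection expects,
        # so the peer learns that a connection still exists here
        return Segment("ACK", seq=self.snd_nxt, ack=self.rcv_nxt, tsval=self.ts_now)

    def on_rst(self, rst: Segment) -> None:
        if rst.seq == self.rcv_nxt:  # simplification of the receive-window check
            self.state = "CLOSED"


@dataclass
class SynSentPeer:
    """Remote side that just sent a SYN and knows nothing about the old connection."""
    iss: int

    def on_segment(self, seg: Segment) -> Optional[Segment]:
        # RFC 793, SYN-SENT: an ACK that is not for our SYN (ISS < SEG.ACK <= SND.NXT)
        # is answered with <SEQ=SEG.ACK><CTL=RST>
        if "ACK" in seg.flags and not (self.iss < seg.ack <= self.iss + 1):
            return Segment("RST", seq=seg.ack)
        return None


def simulate(ack_old_tsval: bool) -> List[str]:
    """Run the exchange and return a trace ending with the local connection's state."""
    local = FinWait2Conn(ts_recent=5000, snd_nxt=9000, rcv_nxt=7000, ts_now=5200)
    peer = SynSentPeer(iss=100)
    trace: List[str] = []
    syn = Segment("SYN", seq=100, tsval=4000)  # TSVal <= TS.Recent (older than 5000)
    trace.append(f"peer -> local: SYN seq={syn.seq} tsval={syn.tsval}")
    reply = local.on_syn(syn, ack_old_tsval)
    if reply is None:
        trace.append("local: SYN dropped silently")
    else:
        trace.append(f"local -> peer: ACK seq={reply.seq} ack={reply.ack}")
        rst = peer.on_segment(reply)
        if rst is not None:
            trace.append(f"peer -> local: RST seq={rst.seq}")
            local.on_rst(rst)
    trace.append(f"local state: {local.state}")
    return trace


def final_state(ack_old_tsval: bool) -> str:
    return simulate(ack_old_tsval)[-1].split(": ")[1]
```

With the drop behaviour the local side stays in FIN-WAIT-2 until the Fin Wait 2 timeout expires (300 seconds by default, as the workaround notes); with the ACK behaviour the peer's RST tears it down within one round trip.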
890881 : ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address
Component: Local Traffic Manager
Symptoms:
Traffic drop occurs.
Conditions:
Source MAC in the ARP header and the Ethernet header do not match.
Impact:
The BIG-IP system drops these packets.
Workaround:
None.
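The condition in this issue, an ARP sender hardware address that differs from the Ethernet source MAC, is also something worth being able to spot in a capture, since it is a classic inconsistency to look at when investigating ARP problems. The following added example (not BIG-IP code, and not from the page) parses raw Ethernet/ARP frames and flags that mismatch; the frames it checks are constructed inline.

```python
import struct
from typing import List, NamedTuple, Optional

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


class ArpCheck(NamedTuple):
    eth_src: str      # source MAC from the Ethernet header
    arp_sender: str   # sender hardware address from the ARP payload
    sender_ip: str
    mismatch: bool    # True when the two MACs differ


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))


def build_arp_reply(eth_src: str, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet/ARP reply; eth_src and sha may deliberately differ (sample data only)."""
    eth = ETH_HDR.pack(mac_bytes(tha), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def check_arp_frame(frame: bytes) -> Optional[ArpCheck]:
    """Return None for non-ARP or truncated frames, otherwise the MAC comparison."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, _ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled here
    return ArpCheck(mac_str(src), mac_str(sha), ".".join(str(b) for b in spa), src != sha)


def find_mismatches(frames: List[bytes]) -> List[ArpCheck]:
    """Filter a list of raw frames down to ARP frames whose MACs disagree."""
    results = (check_arp_frame(f) for f in frames)
    return [r for r in results if r is not None and r.mismatch]


# Constructed samples (documentation addresses): one consistent reply, one mismatched.
CONSISTENT = build_arp_reply("00:11:22:33:44:55", "00:11:22:33:44:55",
                             "192.0.2.10", "aa:bb:cc:dd:ee:ff", "192.0.2.1")
MISMATCHED = build_arp_reply("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                             "192.0.2.10", "aa:bb:cc:dd:ee:ff", "192.0.2.1")
```

A mismatch is a reason to look closer at the sending host or intermediate device, not a verdict on its own; the point of this issue is that the BIG-IP silently drops such frames, so a VLAN group that stops forwarding to one host is the symptom you would correlate with this check.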
890573-4 : BigDB variable wam.cache.smallobject.threshold may not pickup its value on restart
Component: WebAccelerator
Symptoms:
BIG-IP WAM/AAM provides a faster cache store called small object cache. To get into this cache, an object must have its size below a threshold defined in the BigDB variable wam.cache.smallobject.threshold. BIG-IP does not always pick up this value after a restart of TMM.
Conditions:
- WAM/AAM is provisioned;
- A virtual server is configured with a webacceleration profile having a web application.
Impact:
When wam.cache.smallobject.threshold has a non-default value, the system may incorrectly place an object into Small Object cache (faster cache store) or MetaStor (slower cache store), causing a performance impact.
Workaround:
Reset wam.cache.smallobject.threshold value.
890401-4 : Restore correct handling of small object when conditions to change cache type is satisfied
Component: WebAccelerator
Symptoms:
BIG-IP system software allows you to cache HTTP responses with WAM/AAM web applications. There is a special storage location for small-size objects. If a caching object is about to exceed a threshold limit, the BIG-IP system might change its caching storage to MetaStor. A fix for ID 792045 introduced an issue for instances in which it does not, which results in a cached object not being served.
Conditions:
-- WAM/AAM is provisioned.
-- Virtual server has a webacceleration profile with a web application.
-- The BIG-IP software contains a fix for ID 792045.
Impact:
The BIG-IP system resets a connection with an error, a cached object is not served, and the rendering of a client's webpage is not correct.
Workaround:
None.
890285-3 : DNS resolver cannot forward DNS query to local IPv6 virtual server
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS resolver does not send backend DNS requests to local IPv6 virtual servers.
Conditions:
DNS resolver referring to local IPV6 virtuals.
Impact:
Unable to resolve dns requests properly.
889801-5 : Total Responses in DNS Cache stats does not increment when an iRule suspending command is present under DNS_RESPONSE.
Component: Global Traffic Manager (DNS)
Symptoms:
Upon close inspection of the statistics of a particular DNS Cache, for example by running the command 'tmsh show ltm dns cache resolver <name>', you realize that the 'Total Responses' counter for the cache is not incrementing as much as it should be.
Specifically, by comparing the counter with packet captures or the stats of the DNS Profile, you realize the system is under-reporting 'Total Responses'.
Conditions:
The virtual server using the DNS Cache also uses an iRule which happens to include a suspending command (e.g., 'table') under the DNS_RESPONSE event.
Impact:
The incorrect DNS Cache statistics may confuse or mislead a BIG-IP Administrator.
No traffic impact exists as part of this issue. Responses are still being served from the cache even when the counter says they are not.
Workaround:
None.
889497 : Deleting a log profile results in urldb and urldbmgrd CPU utilization increase to over 90% usage
Component: Access Policy Manager
Symptoms:
The urldb and urldbmgrd process CPU utilization increases to over 90%.
Conditions:
-- SWG provisioned.
-- Creating an APM Event log profile and then deleting it.
Impact:
High CPU utilization by urldb and urldbmgrd.
Workaround:
Do not delete an APM Event log profile.
If an APM Event log profile has already been deleted, restart urldb and urldbmgrd to return CPU utilization to normal.
888341-2 : HA Group failover may fail to complete Active/Standby state transition
Component: TMOS
Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:
-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.
Note: You can confirm sod process uptime in tmsh:
# tmsh show /sys service sod
Conditions:
HA Group failover configured.
Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:
o VLAN failsafe failover.
o Gateway failsafe failover.
o Failover triggered by loss of network failover heartbeat packets.
o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).
Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.
Workaround:
There is no workaround.
The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
888289-5 : Add option to skip percent characters during normalization
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
887609-1 : TMM crash when updating urldb blacklist
Component: Traffic Classification Engine
Symptoms:
TMM crashes after updating the urldb blacklist.
Conditions:
-- The BIG-IP system is configured with URL blacklists.
-- Multiple database files are used.
Impact:
TMM restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
887045-6 : The session key does not get mirrored to standby.
Component: Local Traffic Manager
Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.
Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives.
Impact:
The session key does not get mirrored to standby.
Workaround:
None
886689-2 : Generic Message profile cannot be used in SCTP virtual
Component: TMOS
Symptoms:
When creating a virtual server or transport config containing both an SCTP and a Generic Message profile, the operation fails with an error:
01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)
Conditions:
Create a virtual server or transport config that contains both an SCTP and a Generic Message profile.
Impact:
You are unable to combine the Generic Message profile with the SCTP profile.
886653-1 : Flow lookup on subsequent packets fail during CMP state change.
Component: Policy Enforcement Manager
Symptoms:
When there is a failover event, there is a chance that some sessions will not move over to the new active blade.
Conditions:
-- High availability (HA) environment.
-- A CMP state change occurs.
Impact:
For certain IP addresses that have failed to move to the new active device, a new session create request does not create/replace the current session because it is in an inconsistent state.
Workaround:
None.
885325-6 : Stats might be incorrect for iRules that get executed a large number of times
Component: Local Traffic Manager
Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).
Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.
Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.
Workaround:
None.
885201-5 : BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session' messages appearing in gtm log
Component: Global Traffic Manager (DNS)
Symptoms:
Err (error) level messages appear in /var/log/gtm when DNS (GTM) SSL monitors such as https are used and are unable to connect to the monitored target IP address:
err big3d[4658]: 01330014:3: CSSLSocket:: Unable to get the session.
These messages do not indicate the IP address or port of the target that failed to connect, and this ambiguity may cause concern.
Conditions:
-- SSL-based DNS (GTM) monitor assigned to a target, for example https.
-- TCP fails to connect due to a layer 2-4 issue, for example:
- No route to host.
- Received a TCP RST.
- TCP handshake timeout.
Impact:
The system reports unnecessary messages; the fact that the monitor failed is already detailed by the pool/virtual status change message, and the target changing to a red/down status.
These messages can be safely ignored.
Workaround:
If you want to suppress these messages, you can configure a syslog filter.
For more information, see K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932.
884729-6 : The vCMP CPU usage stats are incorrect
Component: TMOS
Symptoms:
The vCMP CPU usage stats are incorrect when a process on a secondary blade has the same PID as the primary blade's qemu process.
Conditions:
A process on a secondary blade has the same PID as the primary blade's qemu process.
Impact:
The vCMP CPU usage stats are intermittently incorrect.
Workaround:
None.
883149-6 : The fix for ID 439539 can cause mcpd to core.
Component: TMOS
Symptoms:
Mcpd cores during config sync.
Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.
Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.
Workaround:
NA
883049-7 : Statsd can deadlock with rrdshim if an rrd file is invalid
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs 'tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
882609-4 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
Component: TMOS
Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.
MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.
Conditions:
-- BIG-IP system is in a trust domain with other BIG-IP systems.
-- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.
Impact:
Devices are unable to ConfigSync.
Workaround:
This workaround will disrupt traffic while TMM restarts:
1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm
This workaround should not disrupt traffic:
Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.
TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"
882273-2 : MRF Diameter: memory leak during server down and reconnect attempt, which leads to tmm crash and memory usage growth
Component: Service Provider
Symptoms:
A memory leak can cause tmm to crash and memory usage to grow.
Conditions:
-- The Diameter retransmission setting is enabled and the action is 'retrans'.
-- Auto-init is enabled.
-- The server is down.
Impact:
Over time, memory corruption leads to a tmm crash, and the memory leak causes memory usage to grow linearly. Traffic is disrupted while tmm restarts.
Workaround:
None.
880697-6 : URI::query command returning fragment part, instead of query part
Component: Local Traffic Manager
Symptoms:
The iRule URI commands are designed to parse a given URI string into its components, such as scheme (URI::protocol) or authority (URI::host). The URI::query command is designed to return the query part of a URI, but the returned string also contains the fragment part. For example, for the URI "foo://example.com:8042/over/there?name=ferret#nose" (an example from Section 3, RFC 3986), URI::query returns "name=ferret#nose". The "#nose" part should not be present in the return value.
Conditions:
Create a test iRule with a URI containing '#', like this:
when HTTP_REQUEST {
# from RFC 3986 Section 3
set url "foo://example.com:8042/over/there?name=ferret#nose"
log local0. "query: [URI::query $url]"
}
Impact:
URI operations that involve #fragments may fail.
Workaround:
NA
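As an added example (not part of this release note or of the BIG-IP code), the following Python splits a URI with the regular expression from RFC 3986 Appendix B, so the query component a corrected URI::query should return can be compared against the "name=ferret#nose" result described above; the helper names are hypothetical, and the only sample input is the RFC 3986 URI quoted on the page.

```python
import re

# RFC 3986 Appendix B regular expression for splitting a URI reference into
# its five components. The query component stops at the first '#'; whatever
# follows is the fragment, which is exactly the boundary the affected
# URI::query command fails to honour.
_URI_RE = re.compile(
    r'^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?'
)


def split_uri(uri):
    """Return the scheme, authority, path, query and fragment of a URI.

    Absent components are returned as None, so an empty query ("?") can be
    told apart from no query at all.
    """
    m = _URI_RE.match(uri)
    if m is None:  # the regex matches any string, but keep the guard explicit
        raise ValueError("unparseable URI: %r" % uri)
    return {
        "scheme": m.group(2),
        "authority": m.group(4),
        "path": m.group(5),
        "query": m.group(7),
        "fragment": m.group(9),
    }


def query_part(uri):
    """The query component as a corrected URI::query would return it.

    For the RFC 3986 example on the page this yields 'name=ferret', not
    'name=ferret#nose'; a URI without a query yields ''.
    """
    q = split_uri(uri)["query"]
    return "" if q is None else q


def strip_fragment_from_query(buggy_query):
    """Post-process a query string that wrongly carries a trailing fragment.

    Hypothetical defensive step: cut at the first '#', since an unencoded '#'
    cannot legally appear inside a query (RFC 3986 section 3.4), so anything
    after it can only be a fragment that leaked into the result.
    """
    head, _sep, _tail = buggy_query.partition("#")
    return head


if __name__ == "__main__":
    # Constructed sample: the example URI from RFC 3986 section 3 quoted on the page.
    sample = "foo://example.com:8042/over/there?name=ferret#nose"
    parts = split_uri(sample)
    print("query    :", parts["query"])     # name=ferret
    print("fragment :", parts["fragment"])  # nose
    print("repaired :", strip_fragment_from_query("name=ferret#nose"))
```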
879969-1 : FQDN node resolution fails if DNS response latency >5 seconds
Component: TMOS
Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.
Conditions:
- BIG-IP using FQDN nodes/pool members.
- Persistent latency of 5 seconds or greater in the DNS server responses.
Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.
Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.
879841-1 : Domain cookie same-site option is missing the "None" as value in GUI and rest
Component: Application Security Manager
Symptoms:
There is no option to add the attribute "SameSite=None" to a domain cookie. The value "None" that appears as an option, when used, does not add the attribute at all.
Conditions:
You want to have the SameSite=None attribute added to a domain cookie.
Impact:
You are unable to set SameSite=None.
Workaround:
Set the SameSite=None cookie value in the application. An iRule could also be added that inserts the cookie. For more information on the iRule, see the following DevCentral article: https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM
876569 : QAT compression codec produces gzip stream with CRC error
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for example:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
875401-5 : PEM subscriber lookup can fail for internet side new connections
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber lookup can fail for internet side new connections, as PEM might use the remote address to look up the session, which is not the subscriber.
Conditions:
-- PEM enabled and configured.
-- Subscriber session has multiple IPs.
-- Each IP lands on a different tmm.
Impact:
PEM subscriber lookup can fail on the internet side.
Workaround:
No workaround.
874857-1 : Hardware-accelerated connections might not be removed from ePVA on transition to standby
Component: TMOS
Symptoms:
This issue only affects certain platforms, such as the B4450. For affected platforms, when the active BIG-IP unit in a redundant configuration becomes the standby unit after a failover event, the traffic sent to the virtual servers with hardware acceleration enabled continues to be accelerated by the ePVA hardware on the original active unit (now the standby unit). These entries should be flushed on transition to standby if PVA standby flush is enabled.
Conditions:
When a failover event occurs on a device with hardware-accelerated virtual servers and PVA standby flush is enabled.
Impact:
Hardware-accelerated entries may stay active on the standby unit, processing network traffic.
Workaround:
Disable hardware-accelerated (ePVA) connections.
874317-5 : Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN
Component: Local Traffic Manager
Symptoms:
When BIG-IP is configured with at least two VLANs/interfaces, and a virtual server with auto-lasthop disabled, then when that virtual server receives a SYN from a client and sends the SYN/ACK directly back to the client on a different VLAN/interface, it currently expects the ACK to be received on the outgoing interface unless the client is not directly connected and the connection is using a default gateway.
Conditions:
-- The BIG-IP is configured with two VLANs/interfaces for a client (one for incoming packets, one for outgoing packets, i.e. asymmetric routing).
-- The client using asymmetric routing is connecting to a virtual server with auto-lasthop disabled.
-- The outgoing route to the client (from the BIG-IP) is directly connected to the client (i.e. on the same network; not going through a gateway).
-- The DB variable connection.vlankeyed has the value "enabled" (which is the default).
Impact:
The mismatch could lead to connections failing to establish.
Workaround:
Use only a single VLAN on the client side, or disable the DB variable "connection.vlankeyed".
873677-2 : LTM policy matching does not work as expected
Component: Local Traffic Manager
Symptoms:
Policy matching may fail to work as expected.
Conditions:
Having many conditions with the same operand may trigger an issue where the wrong transition is taken.
This may also be triggered by very complex policies with large numbers of rules.
Impact:
LTM policy matching does not work as expected.
Workaround:
None.
873249-5 : Switching from fast_merge to slow_merge can result in incorrect tmm stats
Component: Local Traffic Manager
Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.
Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.
Impact:
Incorrect reporting for TMM stats.
Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.
These files are roll-ups and will be re-created as necessary.
871705-2 : Restarting bigstart shuts down the system
Component: TMOS
Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.
Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.
Impact:
Different versions appear to have different behavior:
-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- v14.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.
Workaround:
None.
871045-6 : IP fragments are disaggregated to separate TMMs with hardware syncookies enabled
Component: TMOS
Symptoms:
With hardware syncookies enabled, HTTP POST requests that are fragmented into separate segments are processed by different TMMs.
Connection is subsequently reset with a TCP RST cause reported as: No flow found for ACK.
Conditions:
-- Hardware syncookies triggered.
-- IP fragmented HTTP POST request.
Impact:
Connection is subsequently reset with TCP RST, cause 'No flow found for ACK'.
Workaround:
None.
869237-2 : Management interface might become unreachable when alternating between DHCP/static address assignment.
Component: TMOS
Symptoms:
When the Management IP address assignment is changed and the IP address obtained from the DHCP lease is used for the static interface configuration, the management port might become unreachable after the DHCP lease expiration time, even though the interface has a static IP configured.
Conditions:
-- Management IP assignment is changed from dynamic (DHCP) to static.
-- The static IP address that is configured is identical to the DHCP address that was assigned.
Impact:
Remote management access is lost after the DHCP lease expires.
Workaround:
When changing the management interface configuration from DHCP to static, first delete the old configuration, then create the new configuration. This can be done with TMSH:
(tmos)# modify sys global-settings mgmt-dhcp disabled
(tmos)# del sys management-ip 10.14.30.111/24
(tmos)# create sys management-ip 10.14.30.111/24 { description configured-statically }
869049-1 : Charts discrepancy in AVR reports
Component: Application Visibility and Reporting
Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.
Conditions:
-- The number of records in the database exceeds the maximum amount of data that AVR can aggregate between different table resolutions.
-- There are metrics on the report other than the default one (hits-count).
Impact:
Stats in the DB become corrupted and incorrect.
Workaround:
None.
868721-5 : Transactions are held for a long time on specific server related conditions
Component: Application Security Manager
Symptoms:
Long request buffers are kept around for a long time in bd.
Conditions:
-- The answer_100_continue internal parameter is turned off (non-default), or the version is earlier than 15.1.
-- The server closes the connection while request packets are being accumulated.
Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.
Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.
867793-5 : BIG-IP sending the wrong trap code for BGP peer state
Component: TMOS
Symptoms:
When a BGP peer is going down, the BIG-IP system sends the wrong value, 'bgpPeerState: 6(established)', with its SNMP trap.
Conditions:
-- The BIG-IP system is connected with a Cisco router to verify the traps.
-- The BGP peer between the BIG-IP system and the Cisco router is going down.
-- Both devices send an SNMP trap.
Impact:
The BIG-IP system sends the wrong code with its SNMP trap. It should be 'bgpPeerState: idle(1)' when the peer is not connected.
Workaround:
None.
867321-1 : Error: Invalid self IP, the IP address already exists.
Component: Advanced Firewall Manager
Symptoms:
When loading a configuration, the config load fails with an error:
Invalid self IP, the IP address <ip_addr> already exists.
Conditions:
-- Config contains an IPv4 self IP.
-- Config contains an IPv4-mapped IPv6 address that is assigned to the same VLAN.
The BIG-IP system does not prevent you from creating this condition and allows you to save it.
Impact:
Configuration load fails:
0107176c:3: Invalid self IP, the IP address <ip_addr> already exists.
Unexpected Error: Loading configuration process failed.
Workaround:
Delete one of the self IP addresses and load the configuration.
867249-5 : New SNMP authentication type and privacy protocol algorithms not available in UI
Component: TMOS
Symptoms:
You are unable to configure the new SNMP authentication type and privacy protocol algorithms from the BIG-IP Configuration utility.
Conditions:
A BIG-IP system with net-snmp libraries v5.8.
Impact:
The new authentication type and privacy protocol algorithms cannot be configured via the GUI.
Workaround:
Specify the auth-protocol and privacy-protocol values using TMSH.
modify /sys snmp users add { <user> { access rw security-level auth-privacy auth-protocol sha256 auth-password defaultPassword privacy-protocol aes privacy-password defaultPassword username <user> } }
865461-5 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes in a specific scenario.
Conditions:
A brute force attack mitigation using captcha or client side challenge.
Impact:
BD crash, failover.
Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.
865341 : SSL::collect and SSL::release in an iRule causes connection reset
Component: Local Traffic Manager
Symptoms:
Using SSL::collect and SSL::release in an iRule alongside a policy with a 'Set Variable' action resets the connection, and reports an error:
01220001:3: TCL error: no connection established SSL::collect needs an established connection! (line 1) invoked from within "SSL::collect".
Conditions:
-- SSL::collect and SSL::release in an iRule.
-- Policy with a 'Set Variable' action.
Impact:
The system resets the connection.
Workaround:
None.
865241-5 : Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0"
Component: TMOS
Symptoms:
When BGP tries to print the address of the default route's peer but there is no matching IPv4 or IPv6 address, the system returns NULL, and attempting to print it results in a crash.
Conditions:
-- Running the show command: sh bgp ipv6 ::/0.
-- There is no matching IPv4 or IPv6 address for the peer.
The conditions that cause this to occur are unknown.
Impact:
Bgpd crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
863917-5 : The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval.
Component: Global Traffic Manager (DNS)
Symptoms:
Messages similar to the following may be seen in the DNS (GTM) logs:
The list processing time (32 seconds) exceeded the interval value. There may be too many monitor instances configured with a 30 second interval.
This message was introduced in 15.0.0 as an aid to help identify overloaded DNS (GTM) systems, but it triggers too easily and can be logged when the device is not overloaded.
Conditions:
-- DNS (GTM) servers are present.
-- Virtual servers are configured on those DNS (GTM) servers.
-- A monitor is applied to the DNS (GTM) server.
Impact:
Messages are logged that imply the system is overloaded when it is not.
Workaround:
Create a log filter to suppress the messages:
sys log-config filter gtm-warn {
level warn
message-id 011ae116
source gtmd
}
863453 : Internet Explorer restart is required after VPN plugin is upgraded to 12.1.5
Component: Access Policy Manager
Symptoms:
After the browser components are updated and the user tries to establish a VPN from Internet Explorer, the user sees an error message saying 'Failed to initialize local Tunnel Server'.
Conditions:
- The user previously established a VPN from Internet Explorer using the older F5 Internet Explorer browser plugin.
- The same instance of Internet Explorer is used to establish a VPN after the BIG-IP system was upgraded to 12.1.5.
Impact:
The VPN cannot be established until the user restarts the browser.
Workaround:
Restart the browser.
862693-5 : PAM_RHOST not set when authenticating BIG-IP using iControl REST
Component: TMOS
Symptoms:
The missing PAM_RHOST setting causes the RADIUS packet to go out without the Calling-Station-Id AVP.
Conditions:
1. Configure a RADIUS server and add it to the BIG-IP system:
tmsh create auth radius system-auth servers add { myrad }
2. Modify the auth source type to radius:
tmsh modify auth source { type radius }
3. Try to authenticate to the BIG-IP system using iControl REST.
Impact:
Remote authentication using iControl REST cannot be restricted based on Calling-Station-Id.
862597-2 : Improve MPTCP's SYN/ACK retransmission handling
Component: Local Traffic Manager
Symptoms:
- An MPTCP-enabled TCP connection is in the SYN_RECEIVED state.
- TMM cores.
Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the MPTCP option in the TCP profile.
862525-5 : GUI Browser Cache Timeout option is not available via tmsh
Component: TMOS
Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
bigpipe httpd browsercachetimeout
In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files".
However, there is no tmsh equivalent in any version.
Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.
Impact:
Unable to modify the browser cache timeout except from the GUI.
Workaround:
Use the GUI to configure this field: System :: Preferences :: Time To Cache Static Files.
862069-5 : Using non-standard HTTPS and SSH ports fails under certain conditions
Component: Local Traffic Manager
Symptoms:
On all versions 12.1.0 or later, if you change the HTTPS port (e.g., to 8443, as is required for '1NIC' BIG-IP Virtual Edition (VE) deployments) and then expose the management UI via a self IP in a non-zero route domain, you cannot access the system via the GUI or CLI, and the system does not pass traffic as expected.
In versions 14.1.0 and later on VE installations, attempting to manage a BIG-IP system over a self IP can fail if all these conditions are met:
-- Non-standard HTTPS port used.
-- No TMM default route configured.
-- No route to the client IP address configured.
Conditions:
-- Modify the default HTTPS and/or default SSH ports.
And either of the following:
On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.
On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP address configured.
Impact:
-- Unable to access BIG-IP GUI on non-standard HTTPS port.
-- Unable to access BIG-IP CLI on non-standard SSH port.
Workaround:
None.
862001-5 : Improperly configured NTP server can result in an undisciplined clock stanza
Component: Local Traffic Manager
Symptoms:
There can be an undisciplined clock stanza in /etc/ntp.conf, resulting in an undisciplined clock.
NTP documentation:
http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
Conditions:
This might occur in at least the following ways:
-- No server is specified in 'sys ntp servers {}'.
-- A server does exist, but an improper method was used to configure the NTP server.
Impact:
When the LOCAL undisciplined clock is left as a valid time source, it delays the system synchronizing time to a real NTP server. It can also result in time being adjusted incorrectly if the remote time source becomes unreachable.
Workaround:
Configure a dummy server via 'ntp servers {}' that does not respond.
While this removes the undisciplined local clock, it does result in ntpd having an unreachable time source, and could be flagged in diagnostics, misdirect other troubleshooting, generate unnecessary traffic, etc.
However, if the 'dummy' source starts responding, it could become a rogue time source.
859717-5 : ICMP-limit-related warning messages in /var/log/ltm
Component: Local Traffic Manager
Symptoms:
'ICMP error limit reached' warning messages in /var/log/ltm:
warning tmm3[23425]: 01200015:4: Warning, ICMP error limit reached.
Conditions:
Viewing /var/log/ltm.
Impact:
Potentially numerous error messages, depending on the traffic and the BIG-IP configuration. No clear indication of how to remedy the situation.
Workaround:
None.
858769-1 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2
Component: TMOS
Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.
Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2 or earlier, only SHA and AES are available for configuring trap sessions and users in SNMPv3.
Impact:
The longer key lengths for SNMPv3 cannot be used.
858549-1 : GUI does not allow IPv4-Mapped IPv6 Address to be assigned to self IPs
Component: TMOS
Symptoms:
When you try to use an IPv4-mapped IPv6 address as a self IP via the GUI, you get an error:
Some fields below contain errors. Correct them before continuing.
Invalid IP or Hostname
Conditions:
Assign an IPv4-mapped IPv6 address to a self IP via the GUI.
Impact:
Cannot add the self IP to the BIG-IP system.
Workaround:
None.
857633-5 : Attack Type (SSRF) appears incorrectly in REST result
Component: Application Security Manager
Symptoms:
After ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, a mistaken value for Attack Type (SSRF) appears incorrectly in REST query results.
Conditions:
ASM Signature update ASM-SignatureFile_20191117_112212.im is installed, even if another ASM Signature update is installed subsequently.
Impact:
A mistaken value for Attack Type (SSRF) appears incorrectly in REST query results. This impacts BIG-IQ usage and other REST clients.
Workaround:
1) Install a newer ASU to reassociate the affected signatures with the correct attack type.
2) Run the following SQL on the affected BIG-IP devices:
DELETE FROM PLC.NEGSIG_ATTACK_TYPES WHERE attack_type_name = "Server-Side Request Forgery (SSRF)";
854493-1 : Kernel page allocation failures messages in kern.log
Component: TMOS
Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:
swapper/16: page allocation failure: order:2, mode:0x104020
After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.
Conditions:
This issue is known to occur on the following VIPRION blade models:
- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)
Note that the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.
Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.
Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.
It is recommended to increase this as follows:
-- 64 MB (65536 KB) for B2250 blades
-- 48 MB (49152 KB) for B4300 blades
-- 128 MB (131072 KB) for B4450 blades
You must do this on each blade installed in the system.
When applying this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration, as you should stop using this workaround once this issue is fixed in a future version of BIG-IP software. Consider the pros and cons of each approach before choosing one.
-- If you want the workaround to survive reboots only, perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"
-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:
1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.
2) Run the following commands (with the desired amount in KB):
# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup
Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.
Once the issue is fixed in a future BIG-IP version, remove the workarounds:
-- To remove the first workaround:
1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
-- To remove the second workaround:
1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.
2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.
To verify the workaround is in place, run the following command (this should return the desired amount in KB):
# clsh "cat /proc/sys/vm/min_free_kbytes"
853989-6 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields
Component: Application Security Manager
Symptoms:
DoSL7 remote logger messages break the ArcSight CEF connector when the ArcSight destination format is used. CEF logs are dropped.
Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual server
Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.
Workaround:
A BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the string portion from ArcSight numeric-type fields.
853617-5 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
Component: TMOS
Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:
-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG
In older versions:
-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error
Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.
Impact:
Virtual server is defined and in configuration, but does not pass traffic.
On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.
Workaround:
None.
853613-6 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
Component: Local Traffic Manager
Symptoms:
A TCP connection hangs occasionally.
Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.
Impact:
TCP connections hang, and data transfer cannot be completed.
Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.
853585-4 : REST Wide IP object presents an inconsistent lastResortPool value
Component: Global Traffic Manager (DNS)
Symptoms:
The output of a REST call to tm/gtm/wideip/<wideip_kind> returns objects that contain inconsistent values for the property 'lastResortPool'. For instance, for the kind 'aaaa', the output might be:
...
"lastResortPool": "aaaa \"\""
...
Conditions:
The BIG-IP admin has modified a Wide IP object via tmsh and used the following command structure:
tmsh modify gtm wideip <wideip_kind> www.example.com last-resort-pool <pool_kind>
Impact:
The lastResortPool value in the REST response might be confusing for an external orchestrator that consumes the BIG-IP configuration via iControl REST, such as BIG-IQ, which might not work as expected with these values.
Workaround:
Change the Wide IP object via the GUI and set the Last Resort Pool to None, then save the changes.
853329-6 : HTTP explicit proxy can crash TMM when used with classification profile
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may serve HTTP traffic as a forward proxy and use DNS resolver objects to determine the server to connect to for request processing. When a classification profile is attached to the virtual server, some HTTP requests may result in a TMM crash.
Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile is attached to the virtual server.
Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.
Workaround:
None.
852873-5 : Proprietary Multicast PVST+ packets are forwarded instead of dropped
Component: Local Traffic Manager
Symptoms:
Because the BIG-IP system does not recognize proprietary multicast MAC addresses such as PVST+ (01:00:0c:cc:cc:cd) and STP (01:80:c2:00:00:00), when STP is disabled the system does not drop those frames. Instead, the system treats them as L2 multicast frames and forwards them between two interfaces.
Conditions:
-- STP disabled
-- All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850.
Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC is forwarded instead of discarded, even when STP is disabled.
Workaround:
None.
852577-4 : [AVR] Analytic goodput graph between different time period has big discrepancy
Component: Application Visibility and Reporting
Symptoms:
An incorrect goodput value is shown in the GUI under Analytics > TCP > Goodput.
Conditions:
-- AVR is provisioned.
-- TCP-related traffic is running in volumes that can exceed the MAX_INT value at any aggregation level.
Impact:
AVR statistics for TCP goodput may be incorrect.
Workaround:
There is no workaround at this time.
852325-5 : HTTP2 does not support Global SNAT
Component: Local Traffic Manager
Symptoms:
The Global SNAT feature does not work with HTTP2.
Conditions:
-- Global SNAT is used
-- HTTP2 is used.
Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.
Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.
851857-5 : HTTP 100 Continue handling does not work when it arrives in multiple packets
Component: Local Traffic Manager
Symptoms:
If a 100 Continue response from a server arrives in multiple packets, HTTP parsing may not work as expected. The subsequent server response payload may not be sent to the client.
Conditions:
The server responds with a 100 Continue response which has been broken into more than one packet.
Impact:
The response is not delivered to the client. Browsers may retry the request.
Workaround:
None.
851581-5 : Server-side detach may crash TMM
Component: Local Traffic Manager
Symptoms:
TMM crash with 'server drained' panic string.
Conditions:
-- Server-side flow is detached while the proxy is still buffering data for the pool member and the client continues to send data.
-- The detach may be triggered by the LB::detach iRule commands or internally.
Impact:
TMM crash, failover, brief traffic outage. Traffic disrupted while tmm restarts.
Workaround:
-- In cases in which the detach is triggered internally, there is no workaround.
-- In cases in which the detach is triggered by LB::detach, make sure the command is not executed while a request may still be in progress, by using it only in response events (for example HTTP_RESPONSE, USER_RESPONSE, etc.).
851385-6 : Failover takes too long when traffic blade failure occurs
Component: Local Traffic Manager
Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 and 4.7 seconds before the next-active device starts processing messages.
If the blades are physically pulled from the chassis, the failover occurs within 1 second.
Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI
Impact:
Significant delay before the BIG-IP system delivers a web page during between-cluster failover.
851341 : DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache responds with records exceeding cache-maximum-ttl.
Conditions:
1. Multiple TMMs compared with single TMM.
2. Reassembled DNS response from previous cached records.
Impact:
DNS cache responds with records exceeding cache-maximum-ttl for multiple TMMs, but not with single TMMs. Inconsistent behavior might lead to confusion.
Workaround:
None.
851121-5 : Database monitor DBDaemon debug logging not enabled consistently
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (mssql, mysql, postgresql, oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors that have debug logging enabled and disabled, debug logging in DBDaemon can be turned on and off at times that do not correspond to all actions related to a specific database monitor, or to the pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, etc. may not be logged consistently.
Conditions:
-- Using multiple database health monitors (mssql, mysql, postgresql, oracle)
-- Enabling debug logging on one or more database health monitors, but not all
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
848681-2 : Disabling the LCD on a VIPRION causes blade status lights to turn amber
Component: TMOS
Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.
Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable
Impact:
Blade status lights change to amber, even if nothing is wrong with the system.
Workaround:
None.
846977-5 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero★
Component: Local Traffic Manager
Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes') must be a non-negative integer.
Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:
/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].
Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.
Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.
Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.
846873-1 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
Component: Local Traffic Manager
Symptoms:
Traffic fails to pass through a virtual server.
Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.
For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction
Impact:
Traffic failure on the new virtual server.
Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:
tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config
846793-1 : SCTP flow may be inappropriately aborted due to 'stream-id out of range'
Component: TMOS
Symptoms:
An SCTP flow may be aborted due to 'stream-id out of range' even though both client and server send SCTP chunks with a correct stream-id.
The out-of-range stream-id happens because the BIG-IP system fails to store the stream-id during ingress, so it is incorrectly restored on egress.
When this occurs, a message similar to the following may be found in /var/log/ltm:
notice tmm[19016]: 01900032:5: SCTP serverside association (10.65.125.108:388 -> 10.65.135.103:563) aborted (stream-id out of range).
Conditions:
- Standard SCTP virtual deployment.
- SCTP client sends ordered data chunk.
- SCTP server responds with unordered data chunk.
- VLAN tagging is used.
Impact:
Traffic is interrupted because the SCTP connection is aborted unintentionally.
Workaround:
None.
846521-2 : Config script does not refresh management address entry properly when alternating between dynamic and static
Component: TMOS
Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.
Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- The same IP address that was previously received from the DHCP server is configured statically.
Impact:
Remote management access is lost after DHCP lease expires.
Workaround:
Restart BIG-IP after changing the management IP address.
846425 : APM config snapshots are not created when blade transitions from secondary to primary
Component: Access Policy Manager
Symptoms:
In a chassis, when a secondary blade transitions to the primary blade it is responsible for keeping APM configuration snapshots current. However, prior to 13.1.0, APM configuration snapshots are not maintained.
Conditions:
-- APM configured in a multi-bladed chassis.
-- Secondary blade transitions to primary blade.
Impact:
Cannot access any APM functionality.
Workaround:
Restart the apmd process using the following command on the new primary blade:
# bigstart restart apmd
845333-1 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
Component: Local Traffic Manager
Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]
Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.
Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.
Workaround:
Make the datagroup a Tcl variable to bypass validation.
842989-2 : PEM: tmm could core when running iRules on overloaded systems
Component: Policy Enforcement Manager
Symptoms:
When session-usage iRules are called on an already overloaded system, TMM might crash.
Conditions:
Session iRule calls on heavily overloaded BIG-IP systems.
Impact:
Tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Reduce the load on TMM, or optimize the iRule.
842901-6 : Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.
Component: TMOS
Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.
Conditions:
Fast failover of PIM-DM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.
Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.
Workaround:
None. This is an improvement request.
842425-5 : Mirrored connections on standby are never removed in certain configurations
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
842257 : Unable to create 'Login Page' from 'Brute Force Protection'
Component: Application Security Manager
Symptoms:
Not able to create a Login page from Brute Force Protection.
Conditions:
Clicking create after creating a 'Login page' from Security :: Application Security :: Anomaly Detection :: Brute Force Attack Prevention and entering all required values.
Impact:
The login page is not created.
Workaround:
None.
842193-5 : Scriptd coring while running f5.automated_backup script
Component: iApp Technology
Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:
-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING
-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.
-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY (/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED
Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.
Impact:
Scriptd core.
Workaround:
Increasing the sys scriptd max-script-run-time higher than the default of 300 seconds might help if the higher timeout allows the script to complete.
For example, if the script is saving a UCS and the save takes 400 seconds, then increasing the max-script-run-time to 430 seconds would allow the script to finish and would work around this issue.
842125-1 : Unable to reconnect outgoing SCTP connections that have previously aborted
Component: TMOS
Symptoms:
When an outgoing SCTP connection is created using an ephemeral port, the connection may appear to be open after an SCTP connection halt. This prevents new connections to the same endpoint, as the connection appears to already exist.
Conditions:
-- A virtual server configured with an SCTP profile.
-- An outgoing SCTP connection after an existing connection to the same endpoint has halted.
Impact:
New connections cannot be created, resulting in dropped messages.
Workaround:
None.
841985-6 : TSUI GUI stuck for the same session during long actions
Component: Application Security Manager
Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).
Conditions:
Long-running task is performed, such as export/import/update signatures.
Impact:
GUI is unresponsive for that session.
Workaround:
If you need to continue working while a long task is in progress, you can log in from another browser.
841721-6 : BWC::policy detach appears to run, but BWC control is still enabled
Component: TMOS
Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.
Conditions:
-- Dynamic BWC policy for an HTTP request URI during a session.
-- Running BWC::policy detach.
Impact:
The detached policy continues to work.
Workaround:
None.
841469-2 : Application traffic may fail after an internal interface failure on a VIPRION system.
Component: Local Traffic Manager
Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.
For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.
Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.
For example, if on a 4-slot chassis blades 2 and 3 become disconnected from one another, TMM on each slot computes the on-line slots as follows:
slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.
You can run the following command to inspect the CMP state of each slot:
clsh 'tmctl -d blade -s cmp_state tmm/cmp'
All slots should report the same state, for instance:
# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
15
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15
When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:
-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
And a CMP transition will be visible in the /var/log/tmm file similar to the following example:
-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb
For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.
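To check for this discrepancy automatically, the following added example (not from the release note or from F5) parses clsh output constructed in the format shown above and decodes each cmp_state bitmask into the slots it marks on-line (bit 0 = slot 1, so 0xb / 11 means slots 1, 2 and 4, as in the description above):

```shell
#!/bin/sh
# Added example, not part of the F5 release note: check the output of
#   clsh 'tmctl -d blade -s cmp_state tmm/cmp'
# for the CMP state discrepancy described in ID 841469.
# SAMPLE_CLSH_OUTPUT is constructed in the format shown above; slot 3
# reports 13 (0xd: slots 1, 3, 4) while the others report 15 (0xf: all four).

SAMPLE_CLSH_OUTPUT='=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
15
=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
13
=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
15
=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
15'

# Decode a decimal cmp_state bitmask into the slot numbers it marks on-line
# (bit 0 = slot 1, bit 1 = slot 2, ...), e.g. 11 -> "1 2 4".
cmp_state_slots() {
    state=$1
    slot=1
    out=""
    while [ "$state" -gt 0 ]; do
        if [ $((state & 1)) -eq 1 ]; then
            out="$out $slot"
        fi
        state=$((state >> 1))
        slot=$((slot + 1))
    done
    printf '%s\n' "${out# }"
}

# Read clsh output on stdin and print one "slot<N> <cmp_state>" pair per line.
# The slot number comes from the "=== slot N ..." banner; the state is the
# first all-digit line that follows it.
cmp_state_pairs() {
    awk '
        /^=== slot [0-9]+ / { slot = $3; next }
        /^[0-9]+$/ && slot != "" { print "slot" slot " " $1; slot = "" }
    '
}

# Return 0 when every slot reports the same cmp_state, 1 when they disagree
# (printing each slot's decoded view of the cluster so the odd one stands out).
check_cmp_states() {
    pairs=$(printf '%s\n' "$1" | cmp_state_pairs)
    distinct=$(printf '%s\n' "$pairs" | awk 'NF && !seen[$2]++ { n++ } END { print n + 0 }')
    if [ "$distinct" -eq 1 ]; then
        echo "OK: all slots report the same CMP state"
        return 0
    fi
    echo "MISMATCH: blades disagree on which slots are on-line:"
    printf '%s\n' "$pairs" | while read -r name state; do
        echo "  $name sees slots $(cmp_state_slots "$state") on-line (cmp_state $state)"
    done
    return 1
}

# Demo run on the constructed sample; a mismatch is the expected result here.
if ! check_cmp_states "$SAMPLE_CLSH_OUTPUT"; then
    echo "(mismatch expected for the constructed sample)"
fi
```

On a live system, replace the sample with `clsh 'tmctl -d blade -s cmp_state tmm/cmp'` output, e.g. `check_cmp_states "$(clsh 'tmctl -d blade -s cmp_state tmm/cmp')"`, and alert on a non-zero return.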
Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.
Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.
Workaround:
F5 recommends the following to minimize the impact of this potential issue:
1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).
The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.
To ensure this functionality will trigger, the following configuration requirements must be met:
a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).
Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.
2) For 'regular' standalone units.
If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.
3) For a standalone chassis which belongs to a pool on an upstream load-balancer.
If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.
An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.
The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.
Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.
When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:
-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.
-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.
841369-6 : HTTP monitor GUI displays incorrect green status information
Component: Local Traffic Manager
Symptoms:
The LTM HTTP monitor GUI displays an incorrect green status when the related pool is down.
TMSH shows the correct information.
Conditions:
The LTM HTTP monitor destination port does not match the pool member port.
Impact:
The LTM HTTP monitor marks the node down, but the Instances tab of the monitor in the GUI reports the status as green.
Workaround:
You can use either of the following workarounds:
-- Use TMSH to get the correct information.
-- Ensure that the LTM HTTP monitor destination port matches the pool member port.
841341-1 : IP forwarding virtual server does not pick up any traffic if destination address is shared.
Component: Local Traffic Manager
Symptoms:
Virtual servers do not forward any traffic but the SNAT does.
Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.
Impact:
IP forwarding virtual server does not pick up any traffic.
Workaround:
Delete and then re-create virtual servers.
841277-2 : C4800 LCD fails to load after annunciator hot-swap
Component: TMOS
Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.
Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.
Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.
Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable
2. Wait 10 seconds.
3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable
This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.
840785-5 : Update documented examples for REST::send to use valid REST endpoints
Component: Local Traffic Manager
Symptoms:
The documented examples for REST::send refer to REST endpoints that are not valid.
Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.
Impact:
Invalid examples lead to potential confusion.
Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.
839597-1 : Restjavad fails to start if provision.extramb has a large value
Component: Device Management
Symptoms:
Rolling restarts of restjavad occur every few seconds and the following messages are seen in the daemon log:
daemon.log: emerg logger: Re-starting restjavad
The system reports a similar message at the command line.
No obvious cause is logged in rest logs.
Conditions:
-- System DB variable provision.extramb has an unusually high value*:
+ above ~2700-2800 MB for v12.1.0 and earlier.
+ above ~2900-3000 MB for v13.0.0 and later.
-- On v13.0.0 and later, sys db variable restjavad.useextramb needs to have the value 'true'
*A range of values is shown. When the value is above the approximate range specified, constant restarts are extremely likely, and within tens of MB below that point may be less frequent.
To check the values of these system DB variables, use:
tmsh list sys db provision.extramb
tmsh list sys db restjavad.useextramb
Impact:
This impacts the ability to use the REST API to manage the system.
Workaround:
If you need sys db restjavad.useextramb to have the value 'true', keep sys db provision.extramb well below the values listed (e.g., 2000 MB works without issue).
To set that at command line:
tmsh modify sys db provision.extramb value 2000
If continual restarts of restjavad are causing difficulties managing the unit on the command line:
1. Stop restjavad (you can copy this string and paste it into the command line on the BIG-IP system):
tmsh stop sys service restjavad
2. Reduce the large value of provision.extramb if necessary.
3. Restart the restjavad service:
tmsh start sys service restjavad
839361-1 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE
Component: Global Traffic Manager (DNS)
Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.
Conditions:
iRule drop is used under DNS_RESPONSE event.
Impact:
DNS response may be improperly forwarded to the client.
Workaround:
Use DNS::drop instead.
838925-2 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content
Component: TMOS
Symptoms:
Malformed CSS in which one of the style rules is missing a closing brace can cause the LTM Rewrite profile to stop processing the file or to reset the connection.
Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.
Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.
Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.
838337-6 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
Component: TMOS
Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.
Conditions:
None.
Impact:
BIG-IP systems configured to use "America/Sao_Paulo" (or other applicable Brazilian localities) will still apply DST. Hence the time will spring forward and fall back on the previously designated dates.
This has no impact on application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use the incorrect time.
Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):
zdump -v <timezone>
For example:
zdump -v America/Sao_Paulo
Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country that has the same UTC offset and does not observe DST.
For example, instead of using "America/Sao_Paulo", you could use "America/Buenos_Aires" to obtain the same result.
838305-1 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both of the following conditions are true:
- Packets are arriving from the network at a very high rate.
- The flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
838297-6 : Remote ActiveDirectory users are unable to log in to the BIG-IP using remote LDAP authentication
Component: TMOS
Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.
Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.
Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).
Impact:
Remote AD BIG-IP users are unable to log in to the BIG-IP system using remote LDAP authentication.
Workaround:
Clear the value of shadowLastChange within AD.
837637-7 : Orphaned bigip_gtm.conf can cause config load failure after upgrading★
Solution Article: K02038650
Component: Global Traffic Manager (DNS)
Symptoms:
Configuration fails to load after upgrade with a message:
01420006:3: Can't find specified cli schema data for x.x.x.x
Where x.x.x.x indicates an older version of BIG-IP software than is currently running.
Conditions:
-- Orphaned bigip_gtm.conf from an older version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.
-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.
Impact:
Configuration fails to load after upgrade.
Workaround:
Before upgrading, if the configuration in bigip_gtm.conf is not needed, rename (or delete) it and reload the GTM configuration:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh load sys config gtm-only
After upgrading (i.e., with the system in the Offline state), rename the file and restart services to pick up the change:
mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
tmsh restart sys service all
837481-2 : SNMPv3 pass phrases should not be synced between high availability (HA) devices, as they are based on each device's unique engineID
Component: TMOS
Symptoms:
SNMPv3 authenticated or encrypted messages fail for all but one of the members of a Config Sync group.
Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.
Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device makes that device work, but the other members of the config sync group will then fail.
Workaround:
- Check that "Authoritative (security) engineID for SNMPv3" is not synced (mostly the case in code released since 2019). The engineID needs to be unique per device.
- Modify /defaults/config_base.conf to set sync to "no" for the following parameters, and check that they do not sync. These parameters must NOT be synced, as they need to match the individual device engineID:
display-name "Authoritative (security) engineID for SNMPv3"
display-name "Authentication pass phrase for SNMPv3 messages"
display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
display-name "User's passphrase"
display-name "Privacy passphrase"
# Mount /usr as rw (see K11302)
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit and save
# Restore /usr as ro
mount -o remount,ro /usr
tmsh load sys config
Once these parameters are no longer syncing, create the v3 user on each device using the same pass phrase that your SNMPv3 manager uses:
tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }
Each device should then respond OK to a query using that same pass phrase:
snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv
For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps
836237-1 : ZRD process restarts observed due to stale files in /var/zrd/zrd-undo/ when a UCS file is loaded or wide IP configurations are modified.
Component: TMOS
Symptoms:
Due to stale files in /var/zrd/zrd-undo, UCS loading fails. The stale files cause differences in zone information between named.conf and the /var/zrd/zrd-undo files, which leads to a restart of the zrd process (the ZoneRunner daemon).
Conditions:
-- Creating a wide IP with one or more aliases.
-- Deleting the configurations along with the ZoneRunner file.
-- Loading the UCS file.
Impact:
UCS configuration load fails, resulting in zrd restarts.
Workaround:
Note: Before loading the UCS file, remove stale files in /var/zrd/zrd-undo/:
1. Halt the zrd and named processes:
bigstart stop zrd named
2. Delete the GTM wide IP:
tmsh delete gtm wideip a all
3. Remove the stale zrd files:
\rm /var/zrd/zrd-undo/*
4. Edit named.conf (vi /var/named/config/named.conf) and remove all the zones.
5. Remove the stale named files:
\rm /var/named/config/namedb/db.* /var/named/config/dummy
6. Restart the zrd and named processes:
bigstart start zrd named
836137 : When BGP recursive nexthop is down, network is down, logs show Type: 0 messages without nexthop.
Component: TMOS
Symptoms:
While BGP is configured to use recursive routes and OSPF is used to provide a route to the recursive routes, you see repeated messages 'Type: 0'.
Conditions:
Because the network is unreachable, ZebOS logs only 'Type: 0' messages. This occurs when:
1. BGP recursive routes are configured.
2. OSPF is configured to provide routing to the recursive routes.
3. OSPF flaps, or the network connection to the next hop is lost somehow.
Impact:
BGP logs do not contain helpful diagnostic information.
Workaround:
None.
835505 : Tmsh crash potentially related to NGFIPS SDK
Component: Local Traffic Manager
Symptoms:
Tmsh crash occurs rarely. The NGFIPS SDK may generate a core as well.
Conditions:
The exact conditions that trigger this are unknown.
It can be encountered when running the following tmsh command:
tmsh -a show sys crypto fips key field-fmt include-public-keys all-properties
Impact:
Tmsh may crash. If you were using tmsh as a shell, you are dropped out of it.
Workaround:
None.
834217-2 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may advertise a sub-optimal window size.
Conditions:
The result of (init-rwnd * client-mss) is greater than the maximum window size (65,535).
Impact:
Degraded TCP performance.
Workaround:
Do not use init-rwnd values whose product with client-mss exceeds the maximum window size (65,535).
Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.
832233-5 : The iRule regexp command issues an incorrect warning
Component: Local Traffic Manager
Symptoms:
At validation time, mcpd issues a warning similar to the following:
warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]
Conditions:
Using arguments such as "\1", "\2", "\3", etc., in the regexp command.
Impact:
A warning is generated stating that "\1" has no meaning, even though it is valid.
Workaround:
Ignore the warning.
831821-6 : Corrupted DAG packets cause bcm56xxd core on vCMP host
Component: TMOS
Symptoms:
On a vCMP host, bcm56xxd crashes when it receives corrupted DAG packets.
Conditions:
Unknown.
Impact:
Device goes offline, traffic disruption.
829889 : Invalid opcode: kernel BUG at mm/shmem.c:556!
Component: TMOS
Symptoms:
A blade reboots due to a kernel panic with the following message:
crit kernel: kernel BUG at mm/shmem.c:556!
Conditions:
The exact conditions that trigger this are unknown.
Impact:
Kernel panic followed by blade reboot.
Workaround:
None.
829821-5 : Mcpd may miss its high availability (HA) heartbeat if a very large number of pool members is configured
Component: TMOS
Symptoms:
If a very large number of pool members is configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.
Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).
Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).
Workaround:
None.
829657 : Possible TMM crash with a multi-IP PEM subscriber configured with more than 16 IP addresses
Component: Policy Enforcement Manager
Symptoms:
TMM crash.
Conditions:
PEM configured with a multi-IP subscriber with more than 16 IP addresses.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not create a PEM subscriber with more than 16 IP addresses.
829029-4 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
Component: Application Security Manager
Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.
Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.
Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.
Workaround:
Retry the subsequent REST calls.
828937-5 : Some systems can experience periodic high IO wait due to AVR data aggregation
Solution Article: K45725467
Component: Application Visibility and Reporting
Symptoms:
Systems with a large amount of statistics data collected in the local database (i.e., systems not working with BIG-IQ) can have high IO Wait CPU usage, peaking at 10 minutes, 1 hour, and 24 hours. This is caused by the data aggregation process that runs on the local database. Note that a large memory footprint, particularly for avrd, might be a symptom of this issue.
Conditions:
-- The BIG-IP system is collecting statistics locally (i.e., not sending data to BIG-IQ or another external device).
-- There is a large amount of statistics data.
-- May occur even if AVR is not explicitly provisioned.
Impact:
High IO can impact various processes on BIG-IP systems. Some of them can experience timeouts and might restart.
Workaround:
The most effective workaround is to lower the amount of data collected by setting the 'avr.stats.internal.maxentitiespertable' DB variable to a lower value. The recommended values are 20000 (on larger, more powerful systems with more than 16 cores) or 2148 (on smaller systems).
Note: After you lower the database value, continue to monitor the BIG-IP system for long I/O wait times and high CPU usage. If symptoms persist and the system continues to experience resource issues, you may need to reset the BIG-IP AVR statistics. For information about resetting BIG-IP AVR statistics, refer to K14956: Resetting BIG-IP AVR statistics :: https://support.f5.com/csp/article/K14956.
828625-5 : User shouldn't be able to configure two identical traffic selectors
Component: TMOS
Symptoms:
Config load fails when issuing "tmsh load sys config verify":
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.
Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.
Impact:
Config load will fail after a reboot.
Workaround:
Delete duplicate traffic-selectors.
827441-4 : Changing a UDP virtual server with an immediate timeout to a TCP virtual server can cause connections to fail
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends a TCP SYN to the back-end server, but ignores the server's SYN-ACK response.
Conditions:
A virtual server that contains a UDP profile with idle-timeout immediate is modified to replace the UDP profiles with TCP profiles.
Impact:
Connections from the BIG-IP system to backend servers fail.
Workaround:
Delete and recreate the virtual server.
827021-5 : MCP update message may be lost when primary blade changes in chassis
Component: TMOS
Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.
Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resource (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.
Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.
For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.
Workaround:
None.
826313-1 : Error: Media type is incompatible with other trunk members★
Component: TMOS
Symptoms:
Loading the system configuration fails after upgrade with an error message:
01070619:3: Interface 5.0 media type is incompatible with other trunk members
Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g., 100Mb interfaces and 1Gb interfaces).
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.
Impact:
The system configuration fails to load.
Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.
826265-1 : The SNMPv3 engineBoots value restarts at 1 after an upgrade
Component: TMOS
Symptoms:
Many SNMPv3 clients pay attention to the engineBoots value as part of server authentication. When the BIG-IP system is upgraded, the engineBoots value is not retained, so it restarts at 1.
Conditions:
Upgrading a BIG-IP system whose engineBoots value is greater than 1.
Impact:
The engineBoots value is reset to 1. This may look like an error condition for the SNMPv3 client.
Workaround:
1. Run the following command (where n = the value at which you want to start the engineBoots):
tmsh modify sys snmp include 'engineBoots n'
2. Restart SNMPD.
825813-2 : Notarize APM Clients to support macOS Catalina
Component: Access Policy Manager
Symptoms:
macOS Catalina requires that an installation package be notarized.
Conditions:
Installing EdgeClient on macOS Catalina.
Impact:
EdgeClient cannot be installed on macOS Catalina without notarization.
Workaround:
None.
824437-5 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:
Assertion "xbuf_delete_until successful" failed.
Conditions:
This issue occurs when the following conditions are met:
-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.
-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.
824093-2 : Parameters payload parser issue
Component: Application Security Manager
Symptoms:
Incorrect parameter parsing occurs under some conditions. For example, in a signature violation, the 'Actual Parameter Name' value appears as 'attachment; filename'.
Conditions:
-- ASM in use.
-- Request contains multipart headers.
Impact:
Incorrect policy enforcement.
Workaround:
None.
823825-2 : Renaming HA VLAN can disrupt state-mirror connection
Component: Local Traffic Manager
Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.
Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in a high availability (HA) configuration.
Impact:
System might crash eventually.
Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an HA configuration.
821745 : Mcpd core when changing password for BIG-IP remote user
Component: TMOS
Symptoms:
While changing a BIG-IP remote password, mcpd hangs during the LDAP authentication process, and crashes.
Conditions:
The exact conditions that trigger this are unknown; it occurred while changing the password for a remote user on the BIG-IP system.
Impact:
Mcpd stops responding, then crashes. Traffic disrupted while mcpd restarts.
Workaround:
None.
820333-6 : LACP working member state may be inconsistent when blade is forced offline
Component: Local Traffic Manager
Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.
Conditions:
LACP updates while blade is going offline.
Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.
819421-5 : Unable to scp/sftp to device after upgrade★
Component: TMOS
Symptoms:
Users with numeric usernames are unable to log in via scp.
Conditions:
-- Logging in via scp/sftp.
-- User account with a numeric username.
Impact:
Unable to log in via scp.
Workaround:
Include alpha characters in username.
819329 : Specific FIPS device errors will not trigger failover
Component: Local Traffic Manager
Symptoms:
When the FIPS device experiences a hardware failure during idle-time, the device may not fail over.
Conditions:
-- FIPS hardware failure occurs while the device is idle.
Impact:
The device may not fail over on FIPS hardware failure.
819281 : HSB and switch interface pause frames
Component: TMOS
Symptoms:
The interface between the HSB and switch may experience a high number of pause frames, which can be observed in the switch interface stats counters.rx_pause value.
This may also be seen as impacted traffic in the ltm logs, such as lacpd errors:
-- info lacpd[8992]: 01160010:6: Link 2.3 removed from aggregation
-- info lacpd[8992]: 01160011:6: Link 2.3 Actor Out of Sync
-- info lacpd[8992]: 01160012:6: Link 2.3 Partner Out of Sync
Conditions:
This issue can occur if there are hardware-accelerated flows and IPv6 traffic.
Impact:
Network traffic is dropped.
Workaround:
Although there is no workaround, the fix for this issue has been added to HSB firmware images for BIG-IP v14.1.x. This includes the B4450N and iSeries platforms.
819261-1 : Log HSB registers when parts of the device become unresponsive
Component: TMOS
Symptoms:
Part of the HSB becomes unresponsive, and there is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
818505-6 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Component: TMOS
Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
Conditions:
Modifying a virtual address using an iControl PUT command.
Impact:
An unintentional change to the virtual address's netmask.
Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.
818465-1 : Unnecessary memory allocation in AVR module
Component: Anomaly Detection Services
Symptoms:
Internal Bados indicator is not updated correctly, creating unnecessary memory allocation in AVR module.
Conditions:
Using AVR.
Impact:
Unnecessary memory consumption.
Workaround:
None.
818097-1 : Plane CPU stats too high after primary blade failover in multi-blade chassis
Component: Local Traffic Manager
Symptoms:
The data, control, and analysis plane stats are too high as reported by tmsh show sys performance system detail.
Conditions:
The primary blade in a multi-blade chassis fails over to another blade.
Impact:
The plane CPU stats are too high.
Workaround:
Remove the /var/tmstat/blade/statsd file on the previous primary blade and restart merged on that blade.
818069-1 : GUI hangs when iApp produces error message
Component: iApp Technology
Symptoms:
If lengthy Tcl errors are displayed in the GUI while creating an iApp, the GUI can hang.
Conditions:
-- Creating an iApp that contains a syntax error.
-- A large error message is emitted.
Impact:
GUI hangs.
Workaround:
Restart the tomcat process:
tmsh restart sys service tomcat
817709-1 : IPsec: TMM cored with SIGFPE in racoon2
Component: TMOS
Symptoms:
TMM asserted and cored in racoon2 with this panic message:
panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.
Conditions:
An IKEv2 Phase 2 SA has no peer proposal associated with it.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
817085-1 : Multicast Flood Can Cause the Host TMM to Restart
Component: TMOS
Symptoms:
A vCMP host tmm is restarted.
Conditions:
The vCMP host is processing heavy multicast traffic.
Impact:
The host TMM restarts and traffic stops for the guests.
Workaround:
Adjust the scheduling with the following setting in the vCMP host configuration:
# echo "realtime yield 90" > /config/tmm_init.tcl
# bigstart restart tmm
The bigstart restart tmm must be performed individually on all blades on the vCMP host. These changes also must be done on all vCMP hosts with guests in a high availability (HA) setup.
816205-1 : IPsec passthrough scenario may not forward ICMP unreachable messages from the server-side
Component: Local Traffic Manager
Symptoms:
ICMP protocol 50 unreachable messages are not forwarded from the server-side to the client-side when a SNAT Virtual Server handles ESP flows that are not encapsulated in UDP port 4500 (RFC 3948). Other ICMP messages related to the server-side ESP flow may be similarly affected.
Conditions:
-- BIG-IP system is forwarding ESP (protocol 50) packets.
-- Virtual Server is configured with a SNAT pool or automap.
-- The server-side IPsec peer sends ICMP protocol errors in response to the ESP packets.
Impact:
ICMP packets arriving on the server-side are not forwarded to the client-side.
Workaround:
Option 1:
-- Enable NAT Detection (RFC 3947) on the IPsec peers.
NOTE: NAT Detection (RFC 3947) is the correct way to implement IPsec peers when network address translation occurs between the two IPsec peers.
Option 2:
-- Remove NAT from the Virtual Server.
-- Set the following sys db values:
# tmsh modify sys db ipsec.lookupip value "enable"
# tmsh modify sys db ipsec.lookupspi value "disable"
NOTE: The sys db settings in option 2 do not resolve the ICMP issue if NAT is configured on the Virtual Server.
815753-5 : TMM leaks memory when explicit SWG is configured with Kerberos authentication
Component: Access Policy Manager
Symptoms:
Memory usage of the filter keeps increasing over time and becomes one of the major consumers of TMM memory.
Conditions:
This issue happens if the following conditions are met:
1. Access profile type is SWG-explicit.
2. Access policy contains HTTP 407 Response policy item with HTTP Auth Level being Negotiate.
3. Kerberos is used to authenticate a user.
Impact:
TMM sweeper enters aggressive mode and reaps connections.
Workaround:
None.
815529-5 : MRF outbound messages are dropped in per-peer mode
Component: Service Provider
Symptoms:
When a Message Routing profile is configured with a peer consisting of an outbound virtual server, transport config, no pool, and per-peer mode, messages may be dropped when the outgoing connection is persisted to a different tmm than the message was received on.
Conditions:
-- Message Routing Profile.
-- A peer configured for outbound traffic with a virtual server and transport config in per-peer mode, no pool.
-- Persistence is enabled.
-- Multiple outbound messages with the same destination address.
Impact:
Outbound traffic with the same destination address may be dropped at random.
Workaround:
Change the peer connection mode to 'Per TMM'.
815405-2 : GUI update of Child FastL4 profile overwrites CLI-only customized settings (options that are not available in GUI)
Component: Local Traffic Manager
Symptoms:
The child FastL4 profile is reset after clicking Update in the GUI.
Conditions:
-- Create a child FastL4 profile inheriting settings from a parent FastL4 profile.
-- From the command line, change any of the CLI-only visible settings in the child FastL4 profile (e.g., pva-acceleration, explicit-flow-migration, etc.), and save the changes.
-- In the GUI, click the Update button in the child FastL4 profile without making any change.
Impact:
The operation overwrites the CLI changes made in the child profile, and inherits those values from the parent settings instead.
Workaround:
None.
815089-6 : On a system with no VLANs, you can create virtual servers or SNATs that have identical address/port combinations
Component: Local Traffic Manager
Symptoms:
If you have a system with no VLANs configured, and you attempt to create virtual servers or SNATs that have the same address/port combinations, you will be able to do so without validation errors.
Conditions:
-- A BIG-IP system with no VLANs configured.
-- Creating virtual servers or SNATs that have identical address/port combinations.
Impact:
An invalid configuration is allowed.
Workaround:
None.
814941-2 : PEM drops new subscriber creation if historical aggregate creation count reaches the max limit
Component: Policy Enforcement Manager
Symptoms:
PEM subscriber creation fails, usually seen across multiple high availability (HA) failover events.
Conditions:
The aggregate subscriber creation count reaches the maximum subscriber limit per tmm, which is configured using the sys db variable statemirror.mirrorsessions.
Impact:
Unable to bring up any more subscribers.
Workaround:
Restart tmm when the limit is reached.
814353-1 : Pool member silently changed to user-disabled from monitor-disabled
Component: TMOS
Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:
'Available (Disabled) pool members is available, monitor disabled'.
To:
'Available (Disabled), pool member is available, user disabled'.
Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.
Impact:
Pool member goes to 'user-disabled'.
Workaround:
To recover, re-enable the pool member.
814097-5 : Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event.
Component: Service Provider
Symptoms:
When using the Generic Message router to convert SIP messages from TCP to UDP, BIG-IP fails to raise the SERVER_CONNECTED iRule event.
Conditions:
Converting the transport of SIP messages with the Generic Message router.
Impact:
Any code that waits for the SERVER_CONNECTED event will not run.
814053-1 : Under heavy load, bcm56xxd can be killed by the watchdog
Component: TMOS
Symptoms:
bcm56xxd crashes, and the device fails over on heartbeat error:
warning sod[7244]: 01140029:4: HA daemon_heartbeat bcm56xxd fails action is restart.
notice sod[7244]: 010c006c:5: proc stat: [0] pid:12482 comm:(bcm56xxd) state:S utime:16612520 stime:879057 cutime:11 cstime:21 starttime:1601425044 vsize:2189299712 rss:527927 wchan:18446744073709551615 blkio_ticks:0 [-1] pid:12482 comm:(bcm56xxd) state:S
Conditions:
-- HA configured.
-- Programming the DAG while it is under heavy load (i.e., a large number of objects that have to be programmed into the switches).
Impact:
The bcm56xxd daemon may restart and produce a core file. It then continues trying to program the DAG.
This causes a system to go offline and stop processing traffic.
Workaround:
None.
814037-3 : No virtual server name in Hardware Syncookie activation logs.
Component: Local Traffic Manager
Symptoms:
The virtual server name is missing from Hardware Syncookie activation logs. The ltm log contains messages such as:
notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.
Conditions:
-- More than one virtual server with the same destination IP (e.g., 'x.x.x.x').
-- Port 'y' configured.
-- Hardware Syncookie activated.
Impact:
Difficult to determine which virtual server actually got the Syncookie activated.
Workaround:
None.
813701-1 : Proxy ARP failure
Component: Local Traffic Manager
Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.
Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.
Impact:
ARP replies are dropped, leading to connection failures.
Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.
813165 : P2P failure on BIG-IP system while connecting with Cisco router
Component: TMOS
Symptoms:
P2P connection is stuck when AFM basic firewall is enabled.
Conditions:
The db variable tm.fw.defaultaction is set to drop/reject. (The default is 'accept'.)
Impact:
The BIG-IP system cannot establish a connection with the Cisco router in P2P configurations.
Workaround:
Set the value of tm.fw.defaultaction to 'allow':
tmsh modify sys db tm.fw.defaultaction value allow
812949 : P2P failure while connecting with Cisco router when firewall is enabled.
Component: Local Traffic Manager
Symptoms:
When P2P is configured and a firewall policy is set, OSPF status is set to 'exstart' when AFM is provisioned and tm.fw.defaultaction is set to 'drop'/'reject'.
Conditions:
P2P is configured and a firewall policy is set.
Impact:
OSPFv3 does not work.
Workaround:
Set tm.fw.defaultaction to allow:
tmsh modify sys db tm.fw.defaultaction value allow
812493-6 : When engineID is reconfigured, snmp and alert daemons must be restarted★
Component: TMOS
Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.
Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.
Impact:
This may confuse the SNMP client receiving the trap.
Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time, and again the first time after a software upgrade:
tmsh restart sys service snmpd alertd
811745-5 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
Component: Service Provider
Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.
Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.
Impact:
Loss of mirroring between BIG-IP systems.
Workaround:
None.
811053-5 : REBOOT REQUIRED prompt appears after failover and clsh reboot
Component: TMOS
Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.
Conditions:
This issue can be created by doing the following:
- Use a VIPRION system with at least 2 blades running.
- AAM is not provisioned.
- Reset the primary blade.
- Immediately following the blade reset, run 'clsh reboot' on a secondary blade.
Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #
Any blade with this prompt must be rebooted again.
Workaround:
None currently known.
811041-2 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf
Component: TMOS
Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.
Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.
Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.
Workaround:
None.
810593-5 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★
Solution Article: K10963690
Component: TMOS
Symptoms:
The vCMP guests go to 'INOPERATIVE' after upgrade.
Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5.
Impact:
The vCMP guests go to the 'INOPERATIVE' state and do not pass traffic.
Workaround:
There is no workaround. You must upgrade the vCMP host to a fixed version, for example, 15.1.0.
810533-6 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
Component: Local Traffic Manager
Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.
Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.
Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.
Workaround:
Specify a valid server name in the server name field of the client SSL profile.
810381-5 : The SNMP max message size check is being incorrectly applied.
Component: TMOS
Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size, it applies that limit to all subsequent requests. This can cause SNMPv1 and SNMPv2c requests to time out if they are too long or if their responses are too long (for example, large get-bulk requests).
Conditions:
An SNMPv3 request with a small max message size is received while the system is processing large SNMPv1 and SNMPv2c requests.
Impact:
Responses time out.
Workaround:
Do not send SNMPv3 requests to the BIG-IP system.
809657-5 : HA Group score not computed correctly for an unmonitored pool when mcpd starts
Component: TMOS
Symptoms:
When mcpd starts up, unmonitored pools in a high availability (HA) group do not contribute to the HA group's score.
Conditions:
-- HA group configured with at least one pool.
-- At least one of the pools assigned to the HA group is not using monitoring.
-- mcpd is starting up (due to bigstart restart, or a reboot, etc.).
Impact:
Incorrect HA Group score.
Workaround:
Remove the unmonitored pools from the HA group and re-add them.
809509-3 : Resource Admin User unable to download UCS using Rest API.
Component: TMOS
Symptoms:
A user with the Resource Administrator role cannot download a UCS file using the REST API. The system returns a message:
Authorization failed
Conditions:
-- BIG-IP user with Resource Administrator role.
-- Attempting to download a UCS file using the REST API.
Impact:
Resource Administrator user cannot download UCS file using REST API.
Workaround:
The Resource Administrator user can use the GUI to download the file.
808481-2 : Hertfordshire county missing from GTM Region list
Component: TMOS
Symptoms:
Hertfordshire county is missing from Regions in the United Kingdom Country/State list.
Conditions:
-- Creating a GTM region record.
-- Attempting to select Hertfordshire county for the United Kingdom.
Impact:
Cannot select Hertfordshire county from United Kingdom Country/State list.
Workaround:
None.
808277-1 : Root's crontab file may become empty
Component: TMOS
Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.
Conditions:
Low disk space on the /var filesystem.
Impact:
System and user entries in root's crontab file stop executing.
Workaround:
None.
807857-2 : TMM can leak memory under specific traffic and iRule configurations.
Component: Local Traffic Manager
Symptoms:
-- TMM leaks memory in the 'bigip_connection' component.
-- Depending on the specific iRule configuration, other components, such as 'tcl' and 'tclrule_pcb', may also leak.
-- A 'double flow removal Oops' message may be visible in the tmm and ltm log files.
-- 'TCL error' messages may be visible in the ltm log file.
Conditions:
This issue is known to occur only under rare circumstances in conjunction with specific traffic and iRule configurations.
Impact:
After a prolonged amount of time spent leaking memory, TMM may not be able to fulfil new memory allocations and crash. This results in a traffic interruption, a core file, and a failover on redundant units. Traffic disrupted while TMM restarts.
Workaround:
None.
806937 : CPM policy stops matching after adding rule
Component: Local Traffic Manager
Symptoms:
LTM Centralized Policy Matching (CPM) policy conditions stop matching some traffic.
Conditions:
-- Very specific LTM policy configuration.
-- Adding a matching rule.
For this case, an example scenario might involve a rule with two conditions and two actions. The two conditions check for one of two HTTP hosts, and that the HTTP URI path starts with some substring. The two actions are typically disabling server SSL and forwarding to a specific pool. The last rule is called DropAll and matches all traffic.
Impact:
This might cause the policy to stop matching for nearly all rules, including the rule that checks for 'All Traffic'.
Workaround:
None.
806905 : TMM may crash when using AFM with sPVA and DoS vectors enabled
Component: Advanced Firewall Manager
Symptoms:
TMM may crash when using AFM/sPVA with Network and DNS Security vectors.
Conditions:
AFM is configured with hardware DoS (sPVA) enabled, along with Network and DNS security vectors.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
-- Use only DNS security vectors.
-- Disable hardware DoS (sPVA):
tmsh modify sys db dos.forceswdos value true
806881-4 : Loading the configuration may not set the virtual server enabled status correctly
Component: TMOS
Symptoms:
When loading the configuration, if the virtual address is disabled but the virtual server is enabled, the virtual server may still pass traffic.
Conditions:
-- Loading the configuration.
-- A virtual server's virtual address is disabled.
Impact:
Virtual servers unexpectedly process traffic.
Workaround:
Manually re-enable and disable the virtual address.
806073-6 : MySQL monitor fails to connect to MySQL Server v8.0
Component: TMOS
Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.
Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.
Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.
805325-5 : tmsh help text contains a reference to bigpipe, which is no longer supported
Component: TMOS
Symptoms:
The 'sys httpd ssl-certkeyfile' tmsh help text contains a reference to bigpipe, which is no longer supported.
Conditions:
Viewing tmsh help for 'sys httpd ssl-certkeyfile'.
Impact:
Incorrect reference to bigpipe.
Workaround:
You can use the following command sequence to change the key:
modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }
804477-1 : Log HSB registers when parts of the device become unresponsive
Component: TMOS
Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.
Conditions:
It is unknown under what conditions the HSB becomes unresponsive.
Impact:
Limited visibility into the HSB state when it becomes unresponsive.
Workaround:
None.
804313-5 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
Component: Service Provider
Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP system.
Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.
Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.
Workaround:
None.
803833-1 : On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host★
Component: TMOS
Symptoms:
An upgrade or UCS restore fails on the host with an error message:
err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.
Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.
Impact:
The upgrade or UCS restore fails with an MCPD error.
Workaround:
Comment out the sym-unit-key field and load the configuration.
803629-5 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
Component: Local Traffic Manager
Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.
Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure
The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.
Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.
The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.
Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.
Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.
803237-6 : PVA does not validate interface MTU when setting MSS
Component: TMOS
Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.
Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.
Impact:
TCP segments larger than the local interface MTU are sent towards the client. These TCP segments are transmitted as IP fragments.
Workaround:
Increase MTU size.
802493-1 : Hardware syncookies on some hardware platforms may retrieve the wrong mss
Component: TMOS
Symptoms:
When hardware syncookie is activated, the system may retrieve the wrong MSS (TCP maximum segment size) value for the flow. This impacts all BIG-IP hardware platforms except BIG-IP 2000/4000.
Conditions:
-- Using any BIG-IP platform except BIG-IP 2000/4000.
-- Hardware syncookies used.
Impact:
Connection failures and/or excessive TCP segment retransmissions.
Workaround:
Use software syncookies and disable hardware syncookie protection.
801705-1 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
Component: Local Traffic Manager
Symptoms:
The 'HTTP::cookie attribute' iRule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is required by RFC 6265. When such a header is formed with the iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.
Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.
Impact:
There is no space preceding the attribute. The RFC is violated.
Workaround:
When inserting a cookie attribute with the iRule command, add a leading space to the name of the attribute to be inserted.
801549-5 : Persist records do not expire properly if mirroring is configured incorrectly
Component: Local Traffic Manager
Symptoms:
-- TMM memory growth with improper high availability (HA) configuration.
-- New connections may be routed to the wrong pool member due to outdated persist records.
Conditions:
- The device mirror-ip is not configured properly, along with either of the following:
+ Persistence mirroring is configured.
+ Connection mirroring of a virtual server with a persistence profile is configured.
Impact:
-- Connection limits due to tmm memory pressure, or possible tmm out-of-memory failure.
-- New connections may be routed to the wrong pool member due to outdated persist records.
Workaround:
- Properly configure the cm device mirror-ip and/or mirror-secondary-ip. After doing this, the memory utilization should drop.
- Disable mirroring on the persistence profiles and/or virtual servers. After doing this, the memory utilization will not drop until tmm is restarted.
801541-4 : Persist records do not expire properly if HA peer is unavailable
Component: Local Traffic Manager
Symptoms:
-- TMM memory utilization growth due to persist records not expiring.
-- New connections may be routed to the wrong pool member due to outdated persist records.
Conditions:
The next-active device in the high availability (HA) configuration is down, and either of the following:
-- Persistence mirroring is configured.
-- Connection mirroring of a virtual server with a persistence profile is configured.
Impact:
-- Connection limits due to tmm memory pressure, or possible tmm out-of-memory failure.
-- New connections may be routed to the wrong pool member due to outdated persist records.
-- If tmm out-of-memory failure occurs, traffic disrupted while tmm restarts.
Workaround:
Disable persistence and/or connection mirroring if the standby device will be down for an extended period of time.
801329 : When OneConnect profile is used, pool selection might be pinned to one pool
Component: Local Traffic Manager
Symptoms:
Pool selection is pinned to one pool.
Conditions:
-- OneConnect profile is used on a virtual server that is passing traffic.
-- The pool for the virtual server is changed.
Impact:
Traffic is not distributed to the other pool.
Workaround:
None.
799657-1 : Name validation missing control characters for some GTM objects
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, big3d fails to mark the resource up due to XML parsing error.
The following GTM objects are susceptible to this control character issue:
- gtm datacenter
- gtm prober-pool
- gtm device
- gtm application
- gtm region entry
- gtm virtual server
- gtm server
- gtm link
- gtm pool
Conditions:
A GTM object with a control character in the name.
Impact:
The resource whose name contains those control characters is not marked up, and big3d logs error messages:
warning big3d[5729]: 012b2004:4: XML parsing error not well-formed (invalid token) at line 21.
Workaround:
Remove control characters prior to creating GTM objects.
799001-6 : Sflow agent does not handle disconnect from SNMPD manager correctly
Component: TMOS
Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.
Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.
Impact:
Snmpd service restarts repeatedly.
Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent, which results in a successful reconnection with snmpd.
797949-1 : PEM::subscriber delete can leak a connection
Component: Policy Enforcement Manager
Symptoms:
Using the PEM::subscriber delete iRule command can lead to a leaked connection.
Conditions:
PEM::subscriber delete is used.
Impact:
Connections which cannot be freed.
Workaround:
None.
797829-2 : The BIG-IP system may fail to deploy new or reconfigure existing iApps
Component: TMOS
Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:
script did not successfully complete: ('source-addr' unexpected argument while executing
The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.
The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.
Conditions:
This issue occurs when:
-- The BIG-IP system is configured with multiple users of varying roles.
-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.
-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.
Note: You can inspect the number of child processes already created by scriptd by running the following command:
pstree -a -p -l | grep scriptd | grep -v grep
However, it is not possible to determine their current 'security context'.
Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.
Workaround:
Restart scriptd. To restart scriptd, run:
bigstart restart scriptd
Running this command has no negative impact on the system.
The workaround is not permanent; the issue may occasionally recur depending on your system usage.
797813-1 : TMM memory grows on custom bot signature with empty domain
Component: Application Security Manager
Symptoms:
The TMM memory of type 'mco db' can grow to its maximum, which can reach over 1 GB of RAM, when creating a custom bot signature with an empty domain string.
Conditions:
Creating a custom DoS Bot Signature object with a domain name of an empty string ("").
Impact:
Unnecessary growth of TMM memory.
Workaround:
It is redundant and invalid to define a bot signature with an empty domain name. Removing the empty domain name from the signature and restarting tmm prevents this issue.
797277-1 : URL categorization fails when multiple segments present in URL path and belong to different categories.
Component: Traffic Classification Engine
Symptoms:
When a URL path contains multiple segments, where each segment belongs to a different URL category, the Webroot URL categorization engine does not store the results correctly and can return the wrong categories for these path segments.
Conditions:
-- URL path contains multiple segments (example: /abc/def/ghi).
-- Each segment belongs to a different URL category, for example:
+ abc: News
+ def: Search_Engine
-- URL categorization (Webroot) lookup results in cloud lookup (sending the query to Webroot remote server because of missing match in the local database).
Impact:
URL categorization does not categorize all of the segments in the path correctly when the query results in a cloud lookup to the Webroot BrightCloud server.
Workaround:
None.
797221-4 : BCM daemon can be killed by watchdog timeout during blade-to-blade failover
Component: TMOS
Symptoms:
The BCM daemon deletes entries from tables during blade-to-blade failover. If the tables are very large, the entry-by-entry deletion may take so long that the daemon is restarted by the watchdog timeout.
Conditions:
Very large L2 tables during blade-to-blade failover.
Impact:
There is a BCM core file on the primary blade after the failover.
Workaround:
None.
795933-5 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
Component: Local Traffic Manager
Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.
Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.
Impact:
Incorrect stats.
795685-4 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
Component: TMOS
Symptoms:
If the BIG-IP system receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, then displaying the peer information on the BIG-IP system causes bgpd to crash (running show ip bgp neighbor).
Conditions:
-- Receive a BGP notification for OUT_OF_RESOURCES from the BGP peer.
-- Run the 'show ip bgp neighbor' command to display the BGP peer information.
Impact:
bgpd crashes. Routing may be affected while bgpd restarts.
Workaround:
None.
794505-1 : OSPFv3 IPv4 address family route-map filtering does not work
Component: Local Traffic Manager
Symptoms:
Filtering IPv4 routes using route-map does not work. All the IPv4 redistributed routes fail to redistribute if the route-map is attached to the OSPFv3 IPv4 address-family.
Conditions:
1. Configure two OSPF sessions, one for the IPv4 address-family and the other for the IPv6 address family.
2. Redistribute kernel routes.
3. Check routes are propagated.
4. Add a route map to allow any IPv4 kernel route matching IP address.
Impact:
All routes fail to propagate, and the IPv6 OSPF external database shows as empty. All IPv4 routes are blocked from redistribution, rather than only the routes specified in the route-map/prefix-list.
Workaround:
None.
793669-3 : FQDN ephemeral pool members on a high availability (HA) pair do not get the new session value properly synced
Component: Local Traffic Manager
Symptoms:
On a high availability (HA) paired device group configuration with FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, config-sync does not fully update the peer device. The template node gets updated with the new value, but the ephemeral pool member retains the old value.
Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Log in to tmsh on either system.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover
Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.
Workaround:
None.
792285-4 : TMM crashes if queuing a message to all HSL pool members fails
Component: TMOS
Symptoms:
When a system uses a High Speed Logging (HSL) configuration with an HSL pool, TMM crashes if queuing a message to all HSL pool members fails.
Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-plane logging in use, for example (but not limited to) the iRule command HSL::send.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
792045-4 : Prevent WAM cache type change for small objects
Component: WebAccelerator
Symptoms:
Transfer stalls.
Conditions:
- AAM is provisioned.
- Small object cache is configured.
- Response is a few bytes less than the small object threshold.
Impact:
Transfer stalls.
Workaround:
None.
791061-4 : Config load in /Common removes routing protocols from other partitions
Component: TMOS
Symptoms:
While loading the /Common partition config alone, routing protocols configured on route-domains in other partitions are removed.
Conditions:
-- Configure route-domains on other partitions with routing-protocols.
-- Load the /Common partition config alone.
Impact:
Routing protocols config from other partitions are removed.
Workaround:
Reload the config with the command:
load sys config partitions all
790949-5 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
Component: Service Provider
Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.
For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535; values outside that range are silently truncated to 16 bits, and a resulting 0 is then treated according to the actual behavior described above.
Some documented and actual default values have changed across releases.
Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.
Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.
Impact:
Depending on the protocol, the limits might not take effect as configured.
Incorrect documentation and/or lack of validation could lead to configuring an invalid value.
Workaround:
None.
790113-5 : Cannot remove all wide IPs from GTM distributed application via iControl REST
Component: Global Traffic Manager (DNS)
Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:
modify gtm distributed-app da1 wideips delete { all }
There is no equivalent iControl REST operation to do this.
Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.
Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distributed application return an error, leaving you unable to complete the task via iControl REST.
Workaround:
You can use one of the following workarounds:
-- Use the WebUI.
-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }
-- Invoke tmsh from within the bash iControl REST endpoint, for example:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash
789973 : Tmm crash while using IPsec
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- Passing IPsec traffic.
-- One of the BIG-IP IKEv2 peers is running version 12.x.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
788645 : BGP does not function on static interfaces with vlan names longer than 16 characters.
Component: TMOS
Symptoms:
If a VLAN, VLAN group, or tunnel has a name with more than 15 characters, BGP does not function properly on that interface.
Conditions:
-- BGP Dynamic routing in use.
-- Interface name greater than 15 characters.
Impact:
BGP Dynamic Routing is not working.
Workaround:
1. Rename the interface using 15 or fewer characters.
2. Remove Static Binding and Bind to all interfaces.
788557-2 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
Component: TMOS
Symptoms:
GRST - BGP graceful reset.
The problem occurs when the routing daemon bgpd restarts or starts (e.g., after the bgpd daemon is terminated, which is not a supported operation). Another way to trigger it is to run the 'bigstart restart' command on a primary blade of a chassis with more than one blade.
After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.
Conditions:
-- BGP and BFD are configured.
-- The BGP router's 'graceful restart' option is configured and enabled (set to 120 by default).
-- The bgpd daemon is terminated.
Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.
Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
None.
787905-1 : Improve initializing TCP analytics for FastL4
Component: Local Traffic Manager
Symptoms:
TCP analytics for FastL4 might stay uninitialized under specific circumstances.
Conditions:
System clock advances while initializing TCP analytics for FastL4.
Impact:
TCP analytics for FastL4 might stay uninitialized for a while and miss some analytics data.
Workaround:
N/A
786517-6 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
Component: Local Traffic Manager
Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.
- Running the command 'tmsh load /sys config' reports an error:
01070038:3: Monitor /Common/a-tcp address type requires a port.
Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.
Impact:
Monitors are sent to an incorrect IP address.
tmsh load /sys config will fail to load the configuration.
Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.
-- Fix the monitor definition using tmsh.
785605-1 : Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group
Component: Traffic Classification Engine
Symptoms:
If a Feed List is created on a Standby unit, it is not synchronized to the other units in the Traffic Group and becomes unusable.
Conditions:
-- Create Feed List on a Standby unit.
-- Attempt to use URLCAT with Custom DB.
Impact:
URL Categorization based on Custom DB does not work.
Workaround:
Create the Feed List on the Active unit and synchronize it to the Standby unit.
785529-4 : ASM unable to handle ICAP responses whose length is greater than 10K
Component: Application Security Manager
Symptoms:
ASM drops ICAP and HTTP connections when a multipart request arrives at the ASM enforcer and is then forwarded to the ICAP server for virus inspection, and the ICAP server replies with a large (greater than 10 KB) response.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Antivirus service IP and port defined in the BIG-IP GUI under Options :: Integrated Services.
-- Antivirus protection enabled in the ASM policy.
Impact:
ASM drops ICAP and HTTP connections.
Workaround:
Configure the ICAP server to send back responses smaller than 10 KB.
785509 : Modifying fields such as chain, trusted certificate authorities in client SSL profile, and/or chain in cert-key-chain belonging to the same client SSL profile might not be reflected in TMM
Component: Local Traffic Manager
Symptoms:
Modifying fields such as chain, trusted certificate authorities, and others, in client SSL profile, or chain in cert-key-chain belonging to the same client SSL profile, might not be reflected in TMM.
Conditions:
Modifying fields such as chain, trusted certificate authorities in client SSL profile or chain in cert-key-chain belonging to the same client SSL profile.
Impact:
Even after modifying trusted certificate authorities, chain, or other fields, those changes might not be reflected in the actual configuration in TMM.
Workaround:
Any of the following workarounds may be applied:
1. Update the client SSL profile again.
2. Restart TMM.
3. Restart mcpd.
784337 : False positive header related violation
Component: Application Security Manager
Symptoms:
The system reports a false-positive, header-related violation.
Conditions:
-- A custom header is added to the system.
-- A header related violation is turned on.
Impact:
The system reports a false-positive violation.
Workaround:
None.
783985 : Grub boot entries not updated on i2600 from iControl SOAP set_boot_location call★
Component: TMOS
Symptoms:
After calling iControl SOAP System::SoftwareManagement::set_boot_location, the switchboot information correctly shows that the volume should be changed, but grub still shows the current active volume to be unchanged. Upon reboot, the system boots into the unchanged default volume.
The system records the following in /var/log/messages when the iControl call is made:
warning grub_default: unkeyed boot entry found (BIG-IP 12.1.2 Build 0.0.249 <HD1.1>); assigning st.u0
Conditions:
This occurs on BIG-IP iSeries platforms:
1. iControl SOAP system::SoftwareManagement::set_boot_location
2. Check grub_default -l
Impact:
Unable to upgrade systems via iControl SOAP due to the inability to reboot into the newly installed software.
Workaround:
The following iControl REST call works correctly:
curl -k -u<username>:<passwd> https://<IP-addr>/mgmt/tm/sys -X POST -H "Content-type: application/json" -d '{"command":"reboot", "volume":"<volume>"}'
{"kind":"tm:sys:rebootstate","command":"reboot","volume":"<volume>"}
783145-1 : Pool gets disabled when one of its pool member with monitor session is disabled
Component: Local Traffic Manager
Symptoms:
In a pool that has at least two pool members, when the one pool member that has a monitor associated with it is disabled, the entire pool gets marked disabled-by-parent.
Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.
Impact:
The pool status for the entire pool is marked disabled-by-parent.
Workaround:
None.
782613-2 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
Component: TMOS
Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.
Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.
Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.
Workaround:
None.
781829-3 : GTM TCP monitor does not check the RECV string if the server response string does not end with \n
Component: Global Traffic Manager (DNS)
Symptoms:
GTM TCP monitor marks resource down.
Conditions:
The TCP server's response string does not end with '\n'.
Impact:
Available resources are marked down.
Workaround:
If the TCP server is sending a text response, reconfigure the server to make sure it terminates the output with '\n'.
If the TCP server cannot be changed (for example, if it produces binary output), it may be possible to create an external gtm monitor instead.
781753-4 : WebSocket traffic is transmitted with unknown opcodes
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not preserve WebSocket frames. Frame headers and payload may be reordered such that a header for a second frame may be sent out in the middle of a first frame's payload. Frame boundaries get skewed and payload gets interpreted as headers.
Conditions:
A request logging profile is configured on a WebSocket virtual server.
Impact:
WebSocket frames are not preserved such that traffic appears to be garbage.
-- If request logging is enabled, client frames may not be preserved.
-- If response logging is enabled, server frames may not be preserved.
Workaround:
Remove the request logging profile.
781605-2 : Fix RFC issue with the multipart parser
Component: Application Security Manager
Symptoms:
False positive or false negative attack signature match on multipart payload.
Conditions:
Very specific parsing issue.
Impact:
A parameter specific excluded signature may be matched or un-matched.
Workaround:
N/A
781485-1 : PEM with traffic group can lead to local cache leaks on STANDBY if there is an ACTIVE-ACTIVE transition
Component: Policy Enforcement Manager
Symptoms:
PEM spm_local_cache could get leaked on the STANDBY chassis.
Conditions:
-- If the high availability (HA) cluster switches to ACTIVE-ACTIVE mode during its lifetime.
-- PEM running in a Traffic-group configuration.
Impact:
Memory on the STANDBY chassis get leaked.
Workaround:
None.
781041-5 : SIP monitor in non default route domain is not working.
Component: Local Traffic Manager
Symptoms:
SIP pool members in non-default route domain are being marked as unavailable even though they are available. This may be intermittent depending on which device is assigned to do the monitoring.
Conditions:
- SIP pool members in non default route domain.
- Probing device attempts to probe from anything other than route domain 0.
Impact:
SIP service unavailable.
781021-4 : ASM modifies cookie header causing it to be non-compliant with RFC6265
Component: Application Security Manager
Symptoms:
When ASM strips its own cookies from the Cookie header, it leaves the header in a form that is not compliant with RFC6265 in two respects:
-- No space after the semicolon
-- A cookie with no value is sent without the equals sign
Conditions:
-- ASM Security Policy is used.
-- Request includes an ASM cookie.
Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.
Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false
780437-5 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
Component: TMOS
Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.
As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.
The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.
Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.
Symptoms for this issue include:
-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.
-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.
-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):
qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img
qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img
-- The /var/log/ltm file includes entries similar to the following example, indicating that new virtual disks are being created for one or more vCMP guests:
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]
Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.
-- Large configuration with many guests.
-- The VIPRION chassis is rebooted.
-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
Impact:
-- Loss of entire configuration on previously working vCMP guests.
-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.
-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.
Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.
If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.
777993-4 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
Component: TMOS
Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.
Conditions:
This happens on BIG-IP hardware platforms with a Broadcom switch chip; the BIG-IP 2000/4000 and i2000/i4000 series are therefore not impacted.
Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.
Workaround:
None.
776081 : The F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed values are not meaningful on a VE
Component: TMOS
Symptoms:
The MIB variable sysInterfaceMediaActiveSpeed is reported correctly on the BIG-IP hardware systems. However, on BIG-IP Virtual Edition (VE) configurations, the values are incorrectly reported. It may be reported as a 10 or as a 0 (zero), both of which are incorrect.
Conditions:
Querying the F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed variable on a VE-based BIG-IP running 12.x, or earlier, software.
Impact:
This may be confusing when looking at the sysInterface information with SNMP.
Workaround:
None.
775845-4 : Httpd fails to start after restarting the service using the iControl REST API
Component: TMOS
Symptoms:
After restarting httpd using the iControl REST API, httpd fails to start, even with a subsequent restart of httpd at the command line.
Similar to the following example:
config # restcurl -u admin:admin /tm/sys/service -X POST -d '{"name":"httpd", "command":"restart"}'
{
"kind": "tm:sys:service:restartstate",
"name": "httpd",
"command": "restart",
"commandResult": "Stopping httpd: [ OK ]\r\nStarting httpd: [FAILED]\r\n(98)Address already in use: AH00072: make_sock: could not bind to address n.n.n.n:n\nno listening sockets available, shutting down\nAH00015: Unable to open logs\n"
}
config # tmsh restart sys service httpd
Stopping httpd: [ OK ]
Starting httpd: [FAILED]
Conditions:
Restarting httpd service using iControl REST API.
Impact:
Httpd fails to start.
Workaround:
To recover from the failed httpd state, you can kill all instances of the httpd daemon and start httpd:
killall -9 httpd
tmsh start sys service httpd
773577-4 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
Component: TMOS
Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.
Conditions:
security-name is the same as an SNMPv3 username.
Impact:
SNMP traps cannot be decoded.
Workaround:
Delete or rename user.
773253-1 : The BIG-IP may send VLAN failsafe probes from a disabled blade
Component: Local Traffic Manager
Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core
Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- The VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.
Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.
Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.
Impact of workaround: Traffic disrupted while tmm restarts.
772497-2 : When BIG-IP is configured to use a proxy server, updatecheck fails
Component: TMOS
Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.
Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.
Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.
Workaround:
You can use either of the following workarounds:
I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:
1. Locate the following section in the script:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
SSL_hostname => $service_name,
2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
@LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,
II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
# sed -e "s/PeerAddr => $service_ip,//" -i /usr/bin/updatecheck
772297-4 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
Component: Local Traffic Manager
Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interfaces are reset to default.
Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.
Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.
Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.
772117-2 : Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card
Component: TMOS
Symptoms:
A key being overwritten is not removed from the FIPS card, so it becomes an abandoned key in the FIPS card, which cannot be used and properly tracked by the BIG-IP system.
An abandoned key appears similar to the following:
[root@big8:Active:Standalone] config # tmsh show sys crypto fips
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (1)
ID MOD.LEN(bits)
d3d8ecc5a489c64b8dfd731945d59950 2048 <==== properly tracked and configured key in BIG-IP
/Common/fffff.key
e35e900af8b269d2f10b20c47e517fd1 2048 <==== no name, abandoned
Conditions:
The issue is seen when all the following conditions are met:
1. High availability (HA) setup formed by multiple BIG-IP systems with FIPS cards.
2. An Administrator of one of the BIG-IP systems deletes its FIPS key, and creates another FIPS key using the same name.
3. High availability (HA) sync occurs from another BIG-IP system (with the older config) back to the first BIG-IP system (i.e., the operation overwrites the newly created FIPS key with the old FIPS key).
Impact:
It leads to orphan keys on the FIPS card, meaning that the keys are not present in the BIG-IP configuration as a configured key, so the key cannot be used by the BIG-IP system.
Workaround:
Manually delete the abandoned key from the FIPS card using the following command.
tmsh delete sys crypto fips key <key-id>
For example, for the abandoned key specified earlier, use the following command:
tmsh delete sys crypto fips key "e35e900af8b269d2f10b20c47e517fd1"
770953-5 : 'smbclient' executable does not work
Component: TMOS
Symptoms:
The Server Message Block (SMB) monitor is not functional.
Conditions:
This occurs under all conditions.
Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.
Workaround:
None.
770741 : NIC Tx Engine hang causing ixgbevf interface (SR-IOV) flipping
Component: TMOS
Symptoms:
NIC Tx Engine hang is a rarely occurring issue for which there are no known reproduction scenarios. When it occurs, an adapter reset is required to recover the system without a reboot. The driver currently does not reset the adapter, so the issue persists until the system is rebooted.
Conditions:
-- Running BIG-IP Virtual Edition (VE).
-- No specific conditions. This is a rarely occurring issue.
Impact:
Traffic loss and overall system functionality are impacted, which sometimes leads to a kernel panic.
Workaround:
No known workaround. You must reboot the VE to recover the interface to normal functioning.
769145-4 : Syncookie threshold warning is logged when the threshold is disabled
Component: TMOS
Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:
warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0
Conditions:
Setting connection.syncookies.threshold to zero.
Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.
Workaround:
None.
769029-3 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
Component: TMOS
Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.
During that interval, if a non-admin user accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequent non-admin user logons.
Conditions:
A non-admin user accesses tmsh while /var/system/tmp/tmsh is deleted.
Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:
01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.
After some time this /var/system/tmp/tmsh permission is updated automatically.
Workaround:
To prevent this issue, run the following in one of two ways:
-- As root user in bash shell.
-- As a cronjob running in a per-case frequency.
root@bigip# export TARGET=/var/system/tmp/tmsh; [ ! -d $TARGET ] && mkdir -p $TARGET; chmod 1777 $TARGET; unset TARGET
768085-1 : Error in python script /usr/libexec/iAppsLX_save_pre line 79
Component: iApp Technology
Symptoms:
While creating a UCS file, you see a confusing error message, and the UCS file is not created:
Failed task: %s: %s"%(taskUri, taskResult['message']))"
Conditions:
This can be encountered while trying to create a UCS file.
Impact:
Certain failure messages are not interpreted correctly by the script, resulting in the actual error message not being displayed.
Workaround:
None.
767989-1 : DNSSEC RRSIG Inception Offset
Component: Global Traffic Manager (DNS)
Symptoms:
When a DNSSEC key is used to generate an RRSIG record for the first time, the inception time of the record is set to the current BIG-IP system time. If the system that validates that signed DNS response has a clock skew towards the past relative to the BIG-IP system, then that system will see the RRSIG as if it was generated for a future timestamp and is not yet valid.
Conditions:
-- DNSSEC is used to sign responses for a particular DNS zone.
-- The clock of the validating resolver is running behind the clock of the BIG-IP system.
Impact:
This may cause validation of a DNSSEC response to fail if the validator finds that there are no valid RRSIG records signing the response.
Workaround:
None.
767613-4 : Restjavad can keep partially downloaded files open indefinitely
Component: Device Management
Symptoms:
Files that restjavad makes available for download (such as UCS files in /var/local/ucs) can be held open indefinitely if a requesting client does not complete the download. Since these files remain open, the total number of available file handles for the process decreases, and the disk space for the files cannot be recovered. Symptoms may include errors like 'Too many open files', low disk space even after deleting the associated files, and items listed with '(deleted)' in lsof output.
Conditions:
-- Files restjavad makes available for download.
-- The requesting client does not complete the download.
Impact:
Various errors ('Too many open files.'), low disk space, items listed with '(deleted)' when listed using lsof.
Workaround:
To free the file handles, restart restjavad:
tmsh restart sys service restjavad
Files that were deleted now have their space reclaimed.
767341-6 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
Component: Local Traffic Manager
Symptoms:
Repeated TMM service crashes (SIGBUS) with a memory copy operation at the top of the stack trace.
Conditions:
TMM loads a filestore file whose size is smaller than the size reported by mcp, or the ifile store is not present at all.
This condition is possible due to:
- filesystem errors/corruption, or
- BIG-IP user intervention.
Filesystem errors might be due to power loss, a full disk, or other reasons.
Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.
Workaround:
Manually copy the "good" ifile store to the affected unit and force-load the configuration there. This is usually trivial, but error prone.
Another workaround is a clean install, if that is possible/acceptable.
767305-4 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
Component: TMOS
Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:
No Such Instance currently exists at this OID
The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.
Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.
Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.
Workaround:
Restart all services together, i.e., running the command: bigstart restart.
Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.
If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:
bigstart restart
767045-6 : TMM cores while applying policy
Component: Anomaly Detection Services
Symptoms:
TMM core and possible cores of other daemons.
Conditions:
The exact conditions are unknown.
Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
766761-5 : Ant-server does not log requests that are excluded from scanning
Component: Access Policy Manager
Symptoms:
Based on Request/Response Analytics agent 'Exclude Types' settings, the requests that are excluded from scanning should log a message that states, 'Response content is in excluded content list'.
Conditions:
Response or Request Analytics agent in the Per-Request Policy.
Impact:
These particular logs are not available.
Workaround:
None.
766593-3 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
Component: Local Traffic Manager
Symptoms:
RESOLV::lookup returns an empty string.
Conditions:
Input bytes array is at length of 4, 16, or 20.
For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]
Impact:
RESOLV::lookup returns an empty string.
Workaround:
Use lindex 0 to get the first element of the array.
For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]
765969-4 : HSB register dump missing from hsb_snapshot
Component: TMOS
Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table
This issue also occurs on iSeries i15xxx.
Conditions:
When vCMP is provisioned on VIPRION B4450 blades or on the iSeries i15xxx platforms.
Impact:
HSB register dump is not available in hsb_snapshot or qkview for diagnostic purpose.
Workaround:
None.
764873-5 : An accelerated flow transmits packets to a dated, down pool member.
Component: TMOS
Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.
Conditions:
A flow changes the pool member it goes to while the flow is accelerated.
Impact:
The traffic continues to target the dated pool member that is not available.
Workaround:
Disable HW acceleration.
Or, on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flows so that they are handled correctly by software:
tmsh modify sys conn flow-accel-type software-only
764373-5 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths
Component: Application Security Manager
Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.
Conditions:
Server sends enforced cookies with the same name but with different paths.
Impact:
A valid request might be rejected.
Workaround:
None.
763197-1 : Flows not mirrored on wildcard Virtual Server with opaque VLAN group
Component: Local Traffic Manager
Symptoms:
In a high availability (HA) configuration using an opaque VLAN group and a default (wildcard, 0.0.0.0/0) virtual server configured for connection mirroring, the standby device does not create the mirrored connection.
Conditions:
-- VLAN group configured and set to opaque.
-- db vlangroup.forwarding.override is set to 'disable'.
-- Default virtual server configured for all ports (destination 0.0.0.0/0 :0) with connection mirroring.
Impact:
In the event of a failover, connections that are expected to be mirrored will fail, which can cause traffic loss and client disruption.
Workaround:
None.
761981 : Information in snmpd.conf files may be overwritten causing SNMP v3 queries to receive 'Unsupported security level' errors
Component: TMOS
Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.
If you have 'zeroed out' data under /config/net-snmp/snmpd.conf, the system reports 'Unsupported security level' errors in response to SNMP v3 query, for example:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "testuser" -l authPriv localhost sysSystemUptime.0.
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).
Conditions:
Custom SNMP v3 users exist in /config/net-snmp/snmpd.conf with 'zeroed out' data.
Example from /config/net-snmp/snmpd.conf where user 'testuser' has data that is 'zeroed out' (0x 0x):
usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
Impact:
Daemons normally start in an orderly fashion and do not conflict with each other. However, they might fail to load correctly because of the zeroed-out data.
For example, this can cause SNMP v3 access errors for users with 'zeroed out' data under /config/net-snmp/snmpd.conf:
snmpget -v 3 -u testuser -a SHA -A "testuser" -x AES -X "f5testuser" -l authPriv localhost sysSystemUptime.0.
snmpget: Unsupported security level (Sub-id not found: (top) -> sysSystemUptime).
Workaround:
Use tmsh to configure SNMP users.
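A read-only check for the zeroed-out usmUser pattern shown above, as an added example that is not part of the F5 release note. It flags usmUser lines whose auth key and priv key fields are both the bare hex string "0x". The input is a constructed sample; on a BIG-IP the real file is /config/net-snmp/snmpd.conf, and the key material on the second sample line is a made-up placeholder.

```shell
# Added example (not from the F5 release note): flag usmUser entries in a
# net-snmp snmpd.conf whose auth key and priv key fields have been
# "zeroed out" to the empty hex string "0x". Nothing is modified.

# Constructed sample: 'testuser' mirrors the zeroed-out line from the
# release note; 'okuser' carries placeholder (made-up) key material.
SAMPLE_SNMPD_CONF='usmUser 1 3 0x80001f88808047605278d46d5b "testuser" "testuser" NULL .1.3.6.1.6.3.10.1.1.1 0x .1.3.6.1.6.3.10.1.2.1 0x 0x
usmUser 1 3 0x80001f88808047605278d46d5b "okuser" "okuser" NULL .1.3.6.1.6.3.10.1.1.3 0x0123456789abcdef .1.3.6.1.6.3.10.1.2.4 0xfedcba9876543210 0x'

# Print the security name (field 6) of each usmUser line where the auth
# key (field 9) and the priv key (field 11) are both the bare "0x".
# Reads the files given as arguments, or stdin when none are given.
find_zeroed_usmusers() {
    awk '$1 == "usmUser" && $9 == "0x" && $11 == "0x" { gsub(/"/, "", $6); print $6 }' "$@"
}

# Return 1 when at least one zeroed-out user is found, 0 otherwise, so
# the check can gate a monitoring job or a pre-upgrade health script.
check_snmpd_conf() {
    zeroed=$(find_zeroed_usmusers "$@")
    if [ -n "$zeroed" ]; then
        echo "zeroed-out SNMP v3 users: $zeroed" >&2
        return 1
    fi
    return 0
}

# Usage against the constructed sample; prints "testuser".
printf '%s\n' "$SAMPLE_SNMPD_CONF" | find_zeroed_usmusers
```

On a real system, run `check_snmpd_conf /config/net-snmp/snmpd.conf`; a non-zero exit means the affected users should be recreated through tmsh, as the workaround describes.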
761913-1 : iRule checksum created in GUI might cause config load failure in tmsh
Component: Local Traffic Manager
Symptoms:
tmsh config load may fail and issue the message indicating mismatching checksum, similar to the following:
01071493:3: iRule (/Common/pool_select_rule) content does not match the checksum.
Unexpected Error: Loading configuration process failed.
Conditions:
-- Select a new or existing iRule on the Local Traffic :: iRules :: iRules List page, and click 'Add Checksum'.
-- SSH into the BIG-IP system and run the following command:
tmsh load sys config
Impact:
tmsh config load fails.
Workaround:
Do not add checksums to iRules you create in the GUI.
761869-2 : WMI monitor may return negative values
Component: Local Traffic Manager
Symptoms:
Incorrect or unexpected load balancing results.
If you have enabled snmp.snmpdca.log, negative values are logged to /shared/tmp/WMIHttpAgent.log.
Conditions:
-- Load Balancing Method is set to either Dynamic Ratio (member) or Dynamic Ratio (node)
-- Metric monitored on server returns very large value
For example, when the monitored server has more than 4 GB of memory allocated.
Impact:
WMI monitor returns negative value and incorrect Dynamic Ratio score is calculated.
761833 : PostgreSQL database disk usage over 2 GB without AFM provisioned
Component: TMOS
Symptoms:
PostgreSQL uses a large amount of disk when AFM is licensed.
Conditions:
AFM being licensed but not in use.
Impact:
Increase in database file size.
Workaround:
Follow the procedure to dump and reload the database.
The dump/load procedure is as follows. Run all steps in the same shell session: step 1 records the dump file name in DUMP so that step 6 restores that same file instead of computing a new timestamp.
1. DUMP=/shared/tmp/pgdump$(date +%s).gz; pg_dumpall -U postgres | gzip -1v > "$DUMP"
2. bigstart stop pgadmind
3. rm -rf /var/local/pgsql/
4. bigstart start pgadmind
5. sleep 3; while pidof initdb; do sleep 1; done; sleep 3
6. zcat "$DUMP" | psql -U postgres template1
7. bigstart restart pgadmind
761477-4 : Client authentication performance when large CRL is used
Component: Local Traffic Manager
Symptoms:
The search for a revoked certificate is done serially on the BIG-IP system. This has a performance impact when a large CRL (e.g., one with ~60K entries) is used.
Conditions:
-- Client authentication configured with a CRL containing a large number of entries (~60K).
-- Associated with virtual server.
-- Client connection requests arrive to be authenticated.
Impact:
CRL checking spikes TMM CPU usage. Performance may be impacted.
Workaround:
None.
761091 : Missing charset specification in response page after upgrade
Component: Application Security Manager
Symptoms:
Blocking response pages are missing charset specification after upgrade, and appear garbled for non-UTF-8 policies.
Conditions:
-- A blocking response page is configured with non-UTF-8 characters.
-- ASM is upgraded.
Impact:
Blocking response pages appear garbled.
Workaround:
To work around this issue, follow this procedure:
1. Change the policy to transparent and save.
2. Change it back to blocking and save.
4. Apply the policy.
The response page now appears correctly.
761084-2 : Custom monitor fields appear editable for Auditor, Operator, or Guest
Component: TMOS
Symptoms:
Mozilla Firefox browser shows custom monitor fields editable for Auditor, Operator, or Guest role users.
Conditions:
You can experience this issue by following these steps:
1. Create a custom monitor (e.g., http, mysql, tcp).
2. Use the Firefox browser to log on to the BIG-IP system Configuration utility with a user role of Auditor, Operator, or Guest.
3. Access the custom monitor. Note that Send String, Receive String, and Receive Disable String are all grayed out.
4. Click the browser Back button.
5. Click the browser Forward button.
Impact:
Send String, Receive String, and Receive Disable String are now editable fields. Although the Auditor, Operator, or Guest user can edit the fields, the Update button is still grayed out, so any entry is not saved.
Workaround:
None.
760974-2 : TMM SIGABRT while evaluating access policy
Component: Access Policy Manager
Symptoms:
TMM cores while evaluating access policy.
Conditions:
-- Secure Web Gateway is configured and in use.
-- An access policy is being evaluated.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an iRule similar to the following:
when ACCESS_POLICY_COMPLETED {
    set res [ACCESS::session data get "session.policy.result"]
    if {[string compare $res "in_progress"] == 0} {
        log local0.notice "rejecting"
        reject
    }
    log local0.notice "result :$res"
}
760949-1 : Empty hostname in remote log after modification
Component: Application Security Manager
Symptoms:
The hostname is empty in ASM remote log after certain modifications to hostname.
Conditions:
Device hostname is modified such that the new value precedes the old value alphabetically.
Impact:
The hostname is empty in ASM remote log.
Workaround:
Restart ASM after modifying hostname.
760932-5 : Part of audit log messages are also in other logs when strings are long
Component: TMOS
Symptoms:
Parts of audit logs are found also in other logs like /var/log/user.log and /var/log/messages.
Conditions:
-- When audit log message strings are long.
Impact:
Log messages are duplicated. The duplicates do not indicate a problem with system functionality, and you can safely ignore them.
Workaround:
Modify the syslog-ng maximum length of incoming log messages from 8192 to 16384 bytes:
tmsh modify sys syslog include "options { log-msg-size(16384); };"
760683-3 : RST from non-floating self-ip may use floating self-ip source mac-address
Component: Local Traffic Manager
Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.
Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.
Impact:
An L2 switch may update its forwarding table incorrectly.
Workaround:
None.
760615-5 : Virtual Server discovery may not work after a GTM device is removed from the sync group
Component: Global Traffic Manager (DNS)
Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.
Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.
-- Those devices remain present in the GTM configuration as 'gtm server' objects.
-- iQuery is connected to those members.
Impact:
Virtual servers are not discovered or added automatically.
Workaround:
You can use either of the following workarounds:
-- Manually add the desired GTM server virtual servers.
-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.
760518-2 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
Component: Policy Enforcement Manager
Symptoms:
Some PEM action enforcement does not work with a flow filter that has the DSCP attribute set.
Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set.
Impact:
Some PEM actions such as http-redirect do not perform as expected.
Workaround:
Set the DSCP to the default value.
760406-6 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync
Component: Local Traffic Manager
Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.
Conditions:
This might occur in either of the following scenarios:
Scenario 1
-- Manual sync operations are performed while traffic is being passed.
-- SSL Connection mirroring is enabled.
Scenario 2
-- Configuration is saved on an HA Standby node while traffic is being passed.
-- SSL Connection mirroring is enabled.
Impact:
-- In Scenario 1, the sync operation causes the session cache to be out-of-sync between the active and standby nodes.
-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.
In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.
-- The HA system performance becomes degraded due to SSL connection timeout.
Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.
-- Set device management sync type to Automatic with incremental sync.
760259-1 : Qkview silently fails to capture qkviews from other blades
Component: TMOS
Symptoms:
When capturing a qkview on a chassis, no warning is provided if the qkview utility cannot gather a qkview from another blade.
Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.
-- Execute qkview on another blade, verify that no warnings or errors are produced.
Impact:
There is no warning that the qkview failed for a given blade.
Workaround:
There is no workaround other than running the qkview on the actual blade.
760222-4 : SCP fails unexpectedly when FIPS mode is enabled
Component: TMOS
Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.
Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.
Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.
Workaround:
None.
760050-5 : cwnd warning message in log
Component: Local Traffic Manager
Symptoms:
The following benign message appears in the log: cwnd too low.
Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.
Impact:
None. TCP resets the congestion window to 1 MSS.
Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.
759852-3 : SNMP configuration for trap destinations can cause a warning in the log
Component: TMOS
Symptoms:
The snmpd configuration parameters can cause net-snmp to issue a warning about deprecated syntax.
Conditions:
The use of a sys snmp command similar to the following to modify the snmpd.conf file:
sys snmp v2-traps { TRAP1 { host 1.2.3.4 community somestring } }
Impact:
net-snmp issues a warning that the syntax has been deprecated and reports a warning message in the log.
Workaround:
None.
759590-2 : Creation of RADIUS authentication fails with service types other than 'authenticate only'
Component: TMOS
Symptoms:
RADIUS authentication can only have an initial service type of 'authenticate only'.
Conditions:
This is encountered when configuring RADIUS authentication via the GUI.
Impact:
If you change the Service Type to anything except Authenticate Only (default), Authentication creation fails, and the following error appears in /var/log/webui.log:
01020066:3: The requested RADIUS Authentication Configuration (/Common/system-auth) already exists in partition Common.
Workaround:
After configuring RADIUS authentication with 'authenticate only' as the service type, go back and change the service type to the desired option.
759077-6 : MRF SIP filter queue sizes not configurable
Component: Service Provider
Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.
Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes is exceeded, the filter enables its flow control logic.
Impact:
Messages may be dropped.
Workaround:
None.
759008 : DoSL7 site_severity always equals "1" in remote log
Component: Application Security Manager
Symptoms:
Log always shows site_severity as '1'.
Conditions:
- Enable DoSL7.
- Configure remote logger.
- Send traffic.
Impact:
Logged DoSL7 attack severity shows as '1'.
Workaround:
None.
758929-5 : Bcm56xxd MIIM bus access failure after TMM crash
Component: TMOS
Symptoms:
Bcm56xxd daemon running on certain BIG-IP devices might experience MIIM bus access failure after a tmm crash. The system posts a message similar to the following in the ltm log:
info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)
Conditions:
-- Heavily stressed system
-- Using one of the following platforms:
+ VIPRION B2250 Blade (A112)
+ VIPRION B2150 Blade (A113)
+ VIPRION B4300 Blade (A108)
+ BIG-IP 5250v
+ BIG-IP i5820
+ BIG-IP i7800
Impact:
The affected BIG-IP system fails to pass traffic. If configured for high availability (HA), failover occurs.
Workaround:
Reboot the affected BIG-IP platform / VIPRION blade.
758772-5 : DNS Cache RRSET Evictions Stat not increasing
Component: Global Traffic Manager (DNS)
Symptoms:
In the DNS Cache stats, the 'Resource Record Cache' statistic of 'Evictions' does not increase.
Conditions:
This occurs when the cache is full enough for records to be evicted.
Impact:
The 'Evictions' statistics do not increase when those records are evicted. Incorrect statistics accounting.
Workaround:
None.
758520 : Deploying the f5_microsoft_exchange_2010_2013 template generates erroneous APM policy customization-group.
Component: iApp Technology
Symptoms:
There is an erroneously named APM policy customization-group after importing a BIG-IP system into BIG-IQ, where the BIG-IP system already has a deployed iApp based on the f5_microsoft_exchange_2010_2013 template:
[ERROR]... Missing cache path for Kind: tm:apm:policy:customization-group:templates:templatesstate, Object:
/Common/Exchange_2013_internal.APM.app/logon.inc.
Conditions:
-- The BIG-IP system has a deployed iApp based on the f5_microsoft_exchange_2010_2013 template (f5.microsoft_exchange_2010_2013_cas.v1.6.2).
-- Importing the BIG-IP system into the BIG-IQ for managing.
Impact:
The resulting configuration contains an incorrectly named APM policy customization-group.
For example, the group name is:
/Common/Exchange_2013_internal.APM.app/exch_custom_logon:logon.inc
The name should be:
/Common/Exchange_2013_internal.APM.app/exch_custom_logon_ag:logon.inc
Specifically, the '_ag' suffix on the first part of the filename is missing.
Workaround:
You have two options:
-- Modify the bigip.conf file by searching for 'app-service /Common/Exchange_2013_internal.APM.app/Exchange_2013_internal.APM' and changing 'app:exch_custom_logon' to 'app:exch_custom_logon_ag'.
-- Upgrade to the latest Exchange iApp, with the iApp deployed to BIG-IQ version 6.1.0-0.0.1224.0.
758437-3 : SYN w/ data disrupts stat collection in Fast L4
Component: Local Traffic Manager
Symptoms:
Fast L4 analytics reports very large integers for goodput.
Conditions:
BIG-IP receives SYNs with attached data.
Impact:
Goodput data is unreliable.
Workaround:
None.
758436-5 : Optimistic ACKs degrade Fast L4 statistics
Component: Local Traffic Manager
Symptoms:
Fast L4 Analytics reports very large integers for goodput.
Conditions:
Endpoints send ACKs for data that has not been sent.
Impact:
Goodput statistics are not usable in certain data sets.
Workaround:
None.
758105 : Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml
Component: TMOS
Symptoms:
The following messages are logged to /var/log/messages:
-- notice syslog-ng[15662]: Configuration reload request received, reloading configuration;
-- warning pendsect[31898]: skipping drive -- Model: WDC WD1005FBYZ-01YCBB2
-- warning pendsect[31898]: No known drives detected for pending sector check. Exiting
Conditions:
Using hardware containing drive model WDC WD1005FBYZ-01YCBB2.
Impact:
The system logs the messages because the drive model is not listed in /etc/pendsect/drives.xml.
Workaround:
Manually edit /etc/pendsect/drives.xml as follows:
1. Give write permissions to modify file:
chmod u+w /etc/pendsect/drives.xml
2. Open the file and add the following at the end of the file, before the DEFAULT entry:
<snip>
    <WD1005FBYZ>
        <offset firmware="RR07">0</offset>
        <offset firmware="default">0</offset>
        <family> "wd_Gold"</family>
        <wd_name>"Gold"</wd_name>
    </WD1005FBYZ>
    <DEFAULT>
        <firmware version="default">
            <offset>0</offset>
        </firmware>
        <name> "UNKNOWN"</name>
        <family> "UNKNOWN"</family>
        <wd_name>"UNKNOWN"</wd_name>
    </DEFAULT>
</model>
</drives>
3. Save and close the file.
4. Remove write permissions so that no one accidentally modifies this file:
chmod u-w /etc/pendsect/drives.xml
5. Run the following command and check /var/log/messages to verify no errors are seen:
/etc/cron.daily/pendsect
758041-5 : Pool Members may not be updated accurately when multiple identical database monitors configured
Component: Local Traffic Manager
Symptoms:
When two or more database monitors (MSSQL, MySQL, PostgreSQL, Oracle) with identical 'send' and 'recv' strings are configured and applied to different pools (with at least one pool member in each), the monitor status of some pool members may not be updated accurately.
Other parameters of the affected monitors that differ (such as 'recv row' or 'recv column' indicating where the specified 'recv' string should be found in the result set) may cause pool members using one of the affected monitors to connect to the same database to be marked UP, while pool members using another affected monitor may be marked DOWN.
As a result of this issue, pool members that should be marked UP or DOWN by the configured monitor may instead be marked according to another affected monitor's configuration, resulting in the affected pool members being intermittently marked with an incorrect state.
After the next monitor ping interval, affected pool members members may be marked with the correct state.
Conditions:
This may occur when multiple database monitors (MSSQL, MySQL, PostgreSQL, Oracle) are configured with identical 'send' and 'recv' parameters, and applied to different pools/members.
For example:
ltm monitor mysql mysql_monitor1 {
    ...
    recv none
    send "select version();"
    ...
}
ltm monitor mysql mysql_monitor2 {
    ...
    recv none
    send "select version();"
    ...
}
Impact:
Monitored pool members using a database monitor (MSSQL, MySQL, PostgreSQL, Oracle) randomly go offline/online.
Workaround:
To avoid this issue, configure each database monitor with values that make the combined parameters unique by changing either the 'send' or the 'recv' parameters, or both.
For example:
ltm monitor mysql mysql_monitor1 {
    ...
    recv none
    send "select version();"
    ...
}
ltm monitor mysql mysql_monitor2 {
    ...
    recv 5.7
    send "select version();"
    ...
}
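A configuration check for the collision described above, as an added example that is not part of the F5 release note. It scans a tmsh-style listing of database monitors and reports groups whose monitor type, 'send' and 'recv' values are all identical, which is the combination the workaround says must be made unique. The input is a constructed sample; on a BIG-IP you would feed it the output of `tmsh list ltm monitor mysql` (or mssql, postgresql, oracle).

```shell
# Added example (not from the F5 release note): find database monitors
# whose (type, send, recv) triple is shared with another monitor.

# Constructed sample in tmsh listing form; monitor1 and monitor2 collide,
# monitor3 has a distinct 'recv' and is therefore unique.
SAMPLE_MONITORS='ltm monitor mysql mysql_monitor1 {
    database mydb
    recv none
    send "select version();"
}
ltm monitor mysql mysql_monitor2 {
    database mydb
    recv none
    send "select version();"
}
ltm monitor mysql mysql_monitor3 {
    recv 5.7
    send "select version();"
}'

# Prints one line per colliding group in the form
#   type|send|recv<TAB>name1 name2 ...
# Monitors whose combination is unique produce no output.
# Reads the files given as arguments, or stdin when none are given.
find_duplicate_db_monitors() {
    awk '
        # A monitor block starts here: remember its type and name, reset fields.
        /^ltm monitor (mssql|mysql|postgresql|oracle) / { type = $3; name = $4; send = ""; recv = "" }
        # Capture the value after the send/recv keyword, keeping any quotes.
        name != "" && $1 == "send" { v = $0; sub(/^[ \t]*send[ \t]+/, "", v); send = v }
        name != "" && $1 == "recv" { v = $0; sub(/^[ \t]*recv[ \t]+/, "", v); recv = v }
        # Block ends: group this monitor under its (type, send, recv) key.
        /^}/ && name != "" {
            key = type "|" send "|" recv
            names[key] = names[key] " " name
            count[key]++
            name = ""
        }
        END { for (k in count) if (count[k] > 1) print k "\t" substr(names[k], 2) }
    ' "$@" | sort
}

# Usage against the constructed sample; prints the monitor1/monitor2 group.
printf '%s\n' "$SAMPLE_MONITORS" | find_duplicate_db_monitors
```

Any group the check prints should be split by changing 'send' or 'recv' on at least one monitor, as the workaround describes; an empty result means no two database monitors share a triple.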
757827-4 : Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
-- The BIG-IP version in use contains the fix for ID 726319 :: Bug ID 726319: 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses :: https://cdn.f5.com/product/bugtracker/ID726319.html.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected. As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes ('##' is the desired number of seconds between successive DNS queries to resolve the configured FQDN name):
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
757777-1 : bigtcp does not issue a RST in all circumstances
Component: Local Traffic Manager
Symptoms:
bigtcp does not issue a TCP reset, e.g., when using the iRule reject command on CLIENT_ACCEPTED.
Conditions:
bigtcp is in use, a TCP connection exists, and the connection is ungracefully shut down via a 'reject' command in an iRule.
Impact:
TCP RST is not sent, and the SYN is silently dropped.
Workaround:
None.
757709 : Routing daemon NSM cores if any of interface indexes of VLANs, Tunnels or VLAN Groups are identical to loopback and tmm interfaces of Route Domains where these VLANs, Tunnels or VLAN Groups are located
Component: TMOS
Symptoms:
Routing daemon NSM crashes and generates a core file; the watchdog daemon, tmrouted, notices that NSM is down and restarts it; NSM crashes and generates a core file again, and the cycle repeats.
Conditions:
This very rare situation occurs when there is a BIG-IP system with the following routing configuration:
-- At least one Route Domain on a BIG-IP has the tmm and loopback interfaces generated (when the Route Domain was created) in such a way that one of their internal interface indexes (ifindex) is the same as the ifindex of the suspected object, in this example, a VLAN.
-- The suspected Route Domain has a routing protocol enabled.
-- The suspected object, VLAN, is added to the suspected Route Domain.
In general, this rare issue is caused by the way route domains and VLANs are organized on the BIG-IP system, how they interact with each other in NSM, and how an ifindex collision occurs.
Impact:
Routing Daemon NSM crashes and generates a core file.
Workaround:
Reboot the BIG-IP system.
If this does not resolve the issue, you must re-create all VLANs.
757510-4 : Class name mismatch is not caught
Component: Local Traffic Manager
Symptoms:
The data group referenced in an iRule differs from the data group definition, and the error is not caught at validation. During config load, you see this error:
01070151:3: Rule [/Common/myrule] error: Unable to find value_list
Conditions:
The data group referenced in an iRule differs from the data group definition.
Impact:
The error is not caught at validation, and TMM errors out at run time.
Workaround:
Use the right name.
Note: The name is case sensitive.
757505-1 : peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
Component: Local Traffic Manager
Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.
Conditions:
-- Session tickets are enabled.
-- The peer-cert-mode in the client SSL profile is set to 'always'.
-- A session is restored using a ticket.
Impact:
The SSL client is validated only once, instead of each time.
Workaround:
Disable session ticket.
757464-4 : DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record
Component: Global Traffic Manager (DNS)
Symptoms:
An attempt to delete a DNS Validating Resolver cache record from the 'Key' cache does not remove the record, and a negative TTL is displayed for that record.
tmm crash
Conditions:
-- Populate the DNS Validating Resolver Cache.
-- Attempt to delete a record from the 'Key' cache.
Impact:
Undesired behavior due to records not being deleted as instructed. Also negative TTL.
Workaround:
The only workaround is to restart tmm to generate a completely empty DNS cache. Traffic disrupted while tmm restarts.
757441-1 : Specific sequence of packets causes Fast Open to be effectively disabled
Component: Local Traffic Manager
Symptoms:
You see this warning in the logs:
warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.
Conditions:
-- TCP Fast Open and ECN are both enabled.
-- Multiple RST segments within the receive window are received in the SYN_RECEIVED state.
Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).
Workaround:
Disable the TCP ECN option.
757407-3 : Error reading RRD file may induce processes to mutually wait for each other forever
Component: Local Traffic Manager
Symptoms:
If an error occurs while statsd is reading a file that contains performance data, certain control-plane processes may wait for each other indefinitely.
In some instances, error messages about files in the /var/rrd directory may appear in /var/log/ltm.
Conditions:
Errors occur when performance-monitoring processes attempt to read files in the BIG-IP's internal Round-Robin Database.
Impact:
Attempts to issue commands using "tmsh" may hang up.
No "qkview" datasets can be successfully generated.
Workaround:
If damaged data files in /var/rrd can be identified, delete them and run "bigstart restart statsd".
757029-5 : Ephemeral pool members may not be created after config load or reboot
Component: Local Traffic Manager
Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.
Conditions:
This may occur on affected BIG-IP versions when:
-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.
Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and do not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.
Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configured FQDN name.
756830-3 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has following settings:
- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
756812 : Nitrox 3 instruction/request logger may fail due to SELinux permission error
Component: Local Traffic Manager
Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.
The system posts messages in /var/log/ltm similar to the following:
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.
Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.
Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.
Workaround:
None.
756714-4 : UIDs on /home directory are scrambled after upgrade★
Component: TMOS
Symptoms:
UIDs of /home/$USER files and /home file are scrambled after upgrade.
Conditions:
Upgrade from 12.1.3.7 to 13.1.0.8.
Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.
Workaround:
None.
756647-4 : Global SNAT connections do not reset upon timeout.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system does not send reset packets when a connection times out.
Conditions:
BIG-IP configured with global SNAT.
Impact:
Client or server might unnecessarily keep the connection open.
Workaround:
You can use either of the following workarounds:
-- Use forwarding virtual server with snatpool instead of global SNAT.
-- Modify tmm_base.tcl as follows:
profile bigproto _bigproto {
    reset_on_timeout enable
}
756313-5 : SSL monitor continues to mark pool member down after restoring services
Component: Local Traffic Manager
Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.
Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.
Impact:
Services are not automatically restored by the health monitor.
Workaround:
-- To restore the state of the member, remove it and add it back to the pool.
-- Remove !TLSv1 and -TLSv1 from the cipher string, if possible.
756311-2 : High CPU during erroneous deletion
Component: Policy Enforcement Manager
Symptoms:
The utilization of some CPU cores increases and remains high for a long time. Rebooting just one blade can cause the high CPU usage to move to another blade in the chassis.
There might be messages similar to the following in tmm logs:
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.
-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557
Conditions:
The exact conditions under which this occurs are not fully understood, but one way it can be triggered is when a single TMM is crashing on a chassis system.
Impact:
The CPU usage is coming from an erroneous cleanup function, which is only running on a TMM when it's not busy; traffic is not expected to have a significant impact. However, recovering may result in a cluster-wide TMM restart, if the CPU usage does not subside. Traffic disrupted while tmm restarts.
Workaround:
Delete all subscribers from the CLI.
756177-3 : GTM marks pool members down across datacenters
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool members are marked down even though the monitored resource is available.
GTM debug logs indicate that each GTM is relying on the other GTM to conduct probing:
debug gtmd[13166]: 011ae039:7: Check probing of IP:Port in DC /Common/dc1.
debug gtmd[13166]: 011ae03a:7: Will not probe in DC /Common/dc1 because will be done by other GTM (/Common/gtm2).
---
debug gtmd[7991]: 011ae039:7: Check probing of IP:Port in DC /Common/dc2.
debug gtmd[7991]: 011ae03a:7: Will not probe in DC /Common/dc2 because will be done by other GTM (/Common/gtm1).
Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a single monitor, and the monitor uses an alias address that can be pinged from both data centers.
-- GTM pool members configured from different data centers.
Impact:
Pool members are marked down.
Workaround:
Instead of a single monitor, use a monitor created specifically for each data center.
755976-7 : ZebOS might miss kernel routes after mcpd deamon restart
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of the kernel routes (virtual addresses).
One of the most common scenarios is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- A virtual address is created and Route Advertisement is configured on it. The kernel routes that ZebOS has imported can be listed with:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
755791-5 : UDP monitor not behaving properly on different ICMP reject codes.
Component: Local Traffic Manager
Symptoms:
Unexpected or improper pool/node member status.
Conditions:
The BIG-IP system receives an ICMP rejection other than port unreachable, such as icmp-net-unreachable or icmp-host-unreachable.
Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.
Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.
755631-4 : UDP / DNS monitor marking node down
Component: Local Traffic Manager
Symptoms:
The UDP / DNS monitor marks nodes down.
Conditions:
-- UDP or DNS monitor configured.
-- The interval is a multiple of the timeout.
-- The response is delayed by over one interval.
Impact:
Pool member is marked down.
Workaround:
Increase the interval to be greater than the response time of the server.
755630-3 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
Component: Service Provider
Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.
Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.
Impact:
SIP calls fail to deliver media when high availability (HA) failover occurs.
Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.
755549 : TMM crash and core
Component: TMOS
Symptoms:
TMM crashes and generates a core file under unknown conditions.
Conditions:
The conditions required for this issue to occur are not well understood, but might be related to an MCP message handling failure (during virtual server creation) in an AAM with LTM configuration.
The issue might be related to an unsupported configuration, as follows:
The BIG-IP system does not prevent you from configuring a server-side iSession profile and a OneConnect profile on the same virtual server. This is not a valid configuration, however. Virtual server configuration should allow either a server-side iSession profile or a OneConnect profile, but not both.
Impact:
TMM crash and core. Traffic disrupted while tmm restarts.
Workaround:
Correct the misconfiguration (specifically, OneConnect and iSession being mutually exclusive features), and try the operation again.
755311-4 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
Component: Service Provider
Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.
Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.
Impact:
The remote server is not notified of the change in DIAMETER peer status.
Workaround:
None.
755250 : Clock advanced messages when modifying a virtual server with 1000 SSL profiles
Component: Local Traffic Manager
Symptoms:
The system posts clock advanced messages when modifying a virtual server. You might also experience an Active/Active situation because tmm might be too busy to send high availability (HA) packets. The messages appear similar to the following:
notice tmm1[12549]: 01010029:5: Clock advanced by 556 ticks
Conditions:
-- Virtual server has 1000 or more SSL profiles defined.
-- A client SSL profile gets its defaults from another profile.
-- You change the cipher settings in that other profile.
Impact:
The system logs clock advanced messages, and sod kills tmm when you run the following command: tmsh load sys config. Traffic is disrupted while tmm restarts.
Workaround:
To work around this, do the following:
-- Remove some of the SSL profiles from the virtual server.
-- Reset the cipher settings to default.
754901-4 : Frequent zone update notifications may cause TMM to restart
Component: Global Traffic Manager (DNS)
Symptoms:
When there are frequent zone update notifications, the TMM watchdog may trip and TMM crashes and restarts. There may also be 'clock advanced' messages in /var/log/ltm.
Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.
Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.
Workaround:
None.
754617-3 : iRule 'DIAMETER::avp read' command does not work with 'source' option
Component: Service Provider
Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.
The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".
Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.
Impact:
'DIAMETER::avp read' does not work with the 'source' option.
Workaround:
Use 'DIAMETER::avp data get' with the 'source' option, and re-create the header part when needed.
754604-1 : iRule : [string first] returns incorrect results when string2 contains null
Component: Local Traffic Manager
Symptoms:
In an iRule, 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. The same search in tclsh returns the expected -1 (not found) result.
Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.
Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.
Workaround:
None.
754330 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected
Component: Application Visibility and Reporting
Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.
Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets lower priority for CPU and cannot finish loading the CSV files within a specific timeframe.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.
Impact:
Stats for AVR might not be loaded to the database within an expected interval.
Workaround:
None.
754201-3 : Windows Logon Integration throws Invalid Handle error
Component: Access Policy Manager
Symptoms:
With Windows Logon Integration, the network logon using a dial-up connection fails with an invalid handle error:
Connecting Error 6: The handle is invalid.
Conditions:
Windows Logon Integration is used for dial-up / establish VPN.
Impact:
APM end user cannot establish VPN tunnel via Windows Logon Integration.
Workaround:
None.
754132-1 : An NLRI with default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
Component: TMOS
Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by the routing framework on the command 'clear ip bgp <neighbor router-id> soft out'.
-- Enter the imi (Integrated Management Interface) shell:
[root@hostname:Active:Standalone] config # imish
hostname[0]>
-- Issue the command inside imish; 10.0.0.4 is the neighbor's BGP router-id.
hostname[0]>clear ip bgp 10.0.0.4 soft out
Conditions:
-- There is a BIG-IP system with the following routing configuration:
imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
bgp router-id 10.17.0.3
bgp graceful-restart restart-time 120
neighbor 10.17.0.4 remote-as 1
!
-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:
hostname[0]#sh ip ospf database
... <skip less important info>
AS External Link States
Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0
When the 'clear ip bgp 10.17.0.4 soft out' command is issued, no NLRI with a default route is generated. You can confirm this by running tcpdump and reading the generated link-state advertisement (LSA) messages, or by watching the OSPF debug logs.
Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.
Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.
Workaround:
There is no specific workaround for the 'clear ip bgp <neighbor router-id> soft out' command, but if you want to make the routing protocol propagate an NLRI with a default route, you can do either of the following:
-- Remove the default route from the advertised routes and add it back. This workaround is configuration-specific, so there are no common steps.
+ If you have default-originate configured for your neighbor, then delete that part of the configuration and re-add it.
+ If you create a default route as a static route, recreate it.
+ And so on.
The idea is to remove a root of default route generation and then add it back.
-- Run a 'soft in' command from your neighbor. If the neighbor to which you want to propagate the NLRI is a BIG-IP device, or is otherwise capable of running this type of command, issue the following imish command on the neighbor:
# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in
Note: This time, the 'soft in' command requests the NLRIs.
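To confirm from a capture that the soft out produced no default-route NLRI, you need to decode the UPDATE message on the BGP session. The following Python code is an added example, not part of this release note or of ZebOS: it builds a constructed IPv4 unicast UPDATE (RFC 4271 layout, no MP_REACH_NLRI), decodes its NLRI field and reports whether 0.0.0.0/0 is present. To use it on real traffic, pass it the TCP payload of an UPDATE taken from tcpdump.

```python
"""Decode the NLRI of a BGP UPDATE (RFC 4271) and check for a default route.

Added example, not F5 or ZebOS code. The UPDATE bytes built here are
constructed for illustration: IPv4 unicast only, with ORIGIN, AS_PATH and
NEXT_HOP attributes, followed by the NLRI list.
"""
import struct

BGP_UPDATE = 2


def encode_prefix(prefix):
    """'10.17.0.0/16' -> NLRI bytes: length octet + minimal prefix octets."""
    addr, plen = prefix.split("/")
    plen = int(plen)
    octets = bytes(int(o) for o in addr.split("."))
    return bytes([plen]) + octets[: (plen + 7) // 8]


def build_update(prefixes, next_hop="10.17.0.3", local_as=1):
    """Constructed UPDATE: ORIGIN IGP, AS_PATH (one AS_SEQUENCE), NEXT_HOP, NLRI."""
    origin = bytes([0x40, 1, 1, 0])                      # well-known transitive, ORIGIN=IGP
    as_path = bytes([0x40, 2, 4, 2, 1]) + struct.pack("!H", local_as)  # AS_SEQUENCE, 1 ASN
    nh = bytes([0x40, 3, 4]) + bytes(int(o) for o in next_hop.split("."))
    attrs = origin + as_path + nh
    nlri = b"".join(encode_prefix(p) for p in prefixes)
    body = struct.pack("!H", 0) + struct.pack("!H", len(attrs)) + attrs + nlri
    header = b"\xff" * 16 + struct.pack("!HB", 19 + len(body), BGP_UPDATE)
    return header + body


def decode_nlri(update):
    """Return the list of 'a.b.c.d/len' prefixes advertised in an UPDATE."""
    if len(update) < 19 or update[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message")
    length, msg_type = struct.unpack("!HB", update[16:19])
    if msg_type != BGP_UPDATE or length != len(update):
        raise ValueError("not a well-formed UPDATE")
    pos = 19
    withdrawn_len = struct.unpack("!H", update[pos:pos + 2])[0]
    pos += 2 + withdrawn_len                              # skip withdrawn routes
    attr_len = struct.unpack("!H", update[pos:pos + 2])[0]
    pos += 2 + attr_len                                   # skip path attributes
    prefixes = []
    while pos < len(update):
        plen = update[pos]
        nbytes = (plen + 7) // 8
        if plen > 32 or pos + 1 + nbytes > len(update):
            raise ValueError("truncated or invalid NLRI at offset %d" % pos)
        octets = update[pos + 1:pos + 1 + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append("%d.%d.%d.%d/%d" % (octets[0], octets[1], octets[2], octets[3], plen))
        pos += 1 + nbytes
    return prefixes


def advertises_default(update):
    """True when the UPDATE's NLRI contains 0.0.0.0/0."""
    return "0.0.0.0/0" in decode_nlri(update)


if __name__ == "__main__":
    msg = build_update(["0.0.0.0/0", "10.17.0.0/16"])
    print(decode_nlri(msg), advertises_default(msg))
```

A default route that is advertised via default-originate or via MP_REACH_NLRI (4-octet AS numbers do not matter here, but multiprotocol encoding does) would not appear in the plain NLRI field; for IPv4 unicast on ZebOS the plain field is what you should expect.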
753860-2 : Virtual server config changes causing incorrect route injection.
Component: TMOS
Symptoms:
Updating a virtual server to use a different virtual address (VADDR) does not work as expected. The route for the old VADDR should be removed and a route for the new virtual address injected. Instead, incorrect routes are injected into the routing protocols.
Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.
Impact:
Incorrect routes are injected into routing protocols.
Workaround:
None.
753526-4 : IP::addr iRule command does not allow single digit mask
Component: Local Traffic Manager
Symptoms:
When a literal IP address and mask are used in the IP::addr command, validation fails if the mask is a single digit (for example, /8).
Conditions:
The address mask is single digit.
Impact:
Validation fails.
Workaround:
Assign address/mask to a variable and use the variable in the command.
753501-4 : iRule commands (such as relate_server) do not work with MRP SIP
Component: Service Provider
Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.
Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.
Impact:
iRule commands such as relate_server cannot be used with MRF SIP.
Workaround:
None.
753423-3 : Disabling and immediately re-enabling a slot can permanently remove its interfaces from an aggregation
Component: TMOS
Symptoms:
The working-mbr-count does not show the correct number of interfaces.
Conditions:
A slot is disabled and then re-enabled immediately.
Impact:
Interfaces may be removed from an aggregation permanently.
Workaround:
Disable and re-enable the slot with a gap of at least one second between the two operations.
753163-1 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
Component: Policy Enforcement Manager
Symptoms:
No connection request is sent to the PCRF/OCS if a high availability (HA) failover occurs after 26 days; tmm may also crash.
Conditions:
-- Using PEM.
-- high availability (HA) failover occurs after 26 days.
Impact:
PEM does not send the reconnect request within the configured reconnect interval, so no connection is initiated with the PCRF/OCS.
Workaround:
To restart the connection, restart tmm using the following command:
tmm restart
Note: Traffic disrupted while tmm restarts.
753001-4 : mcpd can be killed if the configuration contains a very high number of nested references
Component: TMOS
Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.
Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).
Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.
Workaround:
None.
752994-4 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
Component: TMOS
Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.
Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.
Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no high availability (HA) configured).
Workaround:
None.
752530-4 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
Component: Local Traffic Manager
Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when server sequence number and the TMM generated sequence number are different.
Conditions:
This occurs when either of the following conditions are met:
-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.
Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput page displays incorrect goodput values.
Workaround:
None.
752334-4 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
Component: Local Traffic Manager
Symptoms:
When Fast L4 receives out of order TCP packets, TCP analytics may compute wrong goodput value.
Conditions:
When FAST L4 receives out-of-order packets.
Impact:
Fast L4 reports an incorrect goodput value for the connection.
Workaround:
None.
752228-3 : GUI Network Map to account for objects in a Disabled By Parent state
Component: TMOS
Symptoms:
When an object has a Disabled By Parent state, it is counted in the Unknown status instead of evaluating its actual Availability status.
Conditions:
Viewing objects with Disabled By Parent state in Network Map.
Impact:
The status shown in the map and summary view does not reflect the correct status.
Workaround:
Use the object list views to filter by status to see the correct status.
752216-3 : DNS queries without the RD bit set may generate responses with the RD bit set
Solution Article: K33587043
Component: Global Traffic Manager (DNS)
Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.
Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.
Impact:
Some responses to DNS queries may include the RD bit, even though the RD bit is not set on the query. This is cosmetic, but some DNS tools may report it as an RFC violation.
Workaround:
None.
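The following Python code (an added example, not F5 code) shows the check a DNS tool performs here: it builds a constructed query with RD clear, a constructed response that mirrors the query section, and reports a mismatch when the response sets RD (0x0100 in the header flags word) although the query did not. dig shows the same flag as 'rd' in its ';; flags:' line, so 'dig +norecurse' against a name in the forward zone is a quick way to observe the behaviour on a real system.

```python
"""Check whether a DNS response sets RD when the query did not (RFC 1035 4.1.1).

Added example, not F5 code. A conforming server copies RD from the query into
the response; RD=1 in a response to an RD=0 query is the behaviour described
in the release note. The query and response bytes are constructed, not
captured from a BIG-IP.
"""
import struct

FLAG_QR, FLAG_RD = 0x8000, 0x0100


def build_query(qid, name, qtype=1, rd=True):
    """Minimal DNS query for `name` (class IN) with RD optionally set."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, rd):
    """Constructed answer-less response echoing the question section, with RD forced to `rd`."""
    qid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | (FLAG_RD if rd else 0)
    return struct.pack("!HHHHHH", qid, flags, qd, 0, 0, 0) + query[12:]


def header_flags(msg):
    """The 16-bit flags word of a DNS message header."""
    return struct.unpack("!H", msg[2:4])[0]


def rd_mismatch(query, response):
    """True when the response sets RD although the query did not."""
    qid_q = struct.unpack("!H", query[:2])[0]
    qid_r = struct.unpack("!H", response[:2])[0]
    if qid_q != qid_r or not (header_flags(response) & FLAG_QR):
        raise ValueError("response does not match query")
    return not (header_flags(query) & FLAG_RD) and bool(header_flags(response) & FLAG_RD)


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com.", rd=False)
    print("RD mismatch:", rd_mismatch(q, build_response(q, rd=True)))
```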
752078-3 : Header Field Value String Corruption
Component: Local Traffic Manager
Symptoms:
This is specific to HTTP/2.
In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.
Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.
Impact:
A header such as:
x-info: very_long_string that has whitespace characters
may be sent to the client as:
x-info: ery_long_string that has whitespace characters
Workaround:
None.
751710-1 : False positive cookie hijacking violation
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
N/A
751427 : LTM policy rule condition does not match server-name in ssl-extension
Component: Local Traffic Manager
Symptoms:
An LTM policy rule that attempts to match the server name in the SSL (SNI) extension is not executed, even though the server name in the client hello is a match for the condition.
Conditions:
Using an LTM policy with a rule whose condition matches on the server name of an SSL extension.
Impact:
The LTM policy is not executed.
Workaround:
An iRule may be used instead.
751409-4 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs
Component: TMOS
Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.
Errors like this may be seen in the ltm log:
err tmm1[29243]: 01010009:3: Failed to bind to address
Conditions:
Two (or more) virtual servers have the same address, port, and route domain, and their VLAN lists overlap.
Impact:
Traffic does not get routed properly.
Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.
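Because MCP does not perform this validation, the following Python script (an added example, not F5 code) performs it against the output of 'tmsh list ltm virtual': virtual servers are grouped by address, route domain and port, and every pair in a group is reported when their VLAN settings can both receive the same VLAN's traffic. It assumes IPv4 destinations written as /Partition/address[%rd]:port, route domain 0 when no %rd is present, and that vlans-enabled lists the allowed VLANs while vlans-disabled lists excluded VLANs (all others allowed). The configuration embedded in it is constructed.

```python
"""Find virtual servers that differ only in overlapping VLAN lists.

Added example, not F5 code: parses 'tmsh list ltm virtual' style output and
reports pairs that share address, port and route domain while their VLAN
settings overlap. The sample configuration is constructed.
"""
import re
from itertools import combinations

SAMPLE_TMSH = """\
ltm virtual /Common/vs_a {
    destination /Common/10.1.1.10%2:443
    vlans {
        /Common/dmz
        /Common/external
    }
    vlans-enabled
}
ltm virtual /Common/vs_b {
    destination /Common/10.1.1.10%2:443
    vlans {
        /Common/dmz
    }
    vlans-enabled
}
ltm virtual /Common/vs_c {
    destination /Common/10.1.1.10%2:443
    vlans {
        /Common/internal
    }
    vlans-enabled
}
ltm virtual /Common/vs_d {
    destination /Common/10.1.1.10:443
    vlans-disabled
}
ltm virtual /Common/vs_e {
    destination /Common/10.1.1.10%2:443
    vlans {
        /Common/internal
    }
    vlans-disabled
}
"""

VS_RE = re.compile(r"ltm virtual (\S+) \{\n(.*?)\n\}", re.S)
VLANS_RE = re.compile(r"^\s*vlans \{(.*?)\}", re.S | re.M)
MODE_RE = re.compile(r"^\s*vlans-(enabled|disabled)\s*$", re.M)
DEST_RE = re.compile(r"^\s*destination (\S+)", re.M)


def parse_destination(dest):
    """'/Common/10.1.1.10%2:443' -> ('10.1.1.10', '2', '443'); no %rd means rd 0."""
    hostport = dest.rsplit("/", 1)[-1]
    addr, _, port = hostport.rpartition(":")
    addr, _, rd = addr.partition("%")
    return addr, rd or "0", port


def parse_virtuals(text):
    """Return {name: (listen_key, mode, vlan_set)}."""
    result = {}
    for name, body in VS_RE.findall(text):
        dest = DEST_RE.search(body)
        if not dest:
            continue
        mode_m = MODE_RE.search(body)
        mode = mode_m.group(1) if mode_m else "disabled"   # tmsh default: all VLANs
        vl = VLANS_RE.search(body)
        vlans = frozenset(vl.group(1).split()) if vl else frozenset()
        result[name] = (parse_destination(dest.group(1)), mode, vlans)
    return result


def vlans_overlap(a, b):
    """Whether two (mode, vlan_set) listeners can both receive one VLAN's traffic."""
    (ma, va), (mb, vb) = a, b
    if ma == "enabled" and mb == "enabled":
        return bool(va & vb)
    if ma == "enabled":            # b is an exclusion list: a's VLANs not excluded by b
        return bool(va - vb)
    if mb == "enabled":
        return bool(vb - va)
    return True                    # two exclusion lists always share some VLAN (assumed)


def overlapping_pairs(text):
    """Sorted (name1, name2) pairs sharing address/rd/port with overlapping VLANs."""
    vs = parse_virtuals(text)
    pairs = []
    for n1, n2 in combinations(sorted(vs), 2):
        k1, m1, v1 = vs[n1]
        k2, m2, v2 = vs[n2]
        if k1 == k2 and vlans_overlap((m1, v1), (m2, v2)):
            pairs.append((n1, n2))
    return pairs


if __name__ == "__main__":
    for pair in overlapping_pairs(SAMPLE_TMSH):
        print("overlap:", *pair)
```

Exact duplicates (two listeners on all VLANs) are reported as well, although MCP already rejects those; the pairs that matter for this issue are the ones where at least one side restricts VLANs.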
751383-3 : Invalidation trigger parameter values are limited to 256 bytes
Component: WebAccelerator
Symptoms:
Invalidation trigger parameter values are limited to an internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.
Conditions:
-- AAM policy with invalidation trigger.
-- Invalidation trigger request with parameter value larger than 256 bytes.
Impact:
All content on target policy node is invalidated rather than the specific content targeted.
Workaround:
None.
751232 : LSN pool real-time stats are not persisted over reboot
Component: Carrier-Grade NAT
Symptoms:
After rebooting a VIPRION device or blade for which Port Block Allocation (PBA) is done, the PBA allocation is persisted, but the stats are not.
Conditions:
Reboot the VIPRION device or a blade
Impact:
LSN pool real-time stats are not persisted over reboot. The stats are not consistent with the connection DB.
Workaround:
There is no direct workaround, but you can make the stats consistent by deleting the PBA allocation or wait for it to age out of the LSN DB. Subsequent PBA allocations will be reflected correctly in the stats and will be consistent with the LSN DB.
751179-4 : MRF: Race condition may create too many outgoing connections to a peer
Component: Service Provider
Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.
Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.
Impact:
More than one connection to a peer is created.
Workaround:
None.
751024-1 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
Component: TMOS
Symptoms:
Messages similar to the following appear in /var/log/ltm:
info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:
Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.
Impact:
Changes in optic state may be ignored while I2C bus is unavailable.
Workaround:
For each SFP, perform the following procedure:
1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.
Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.
751021-4 : One or more TMM instances may be left without dynamic routes.
Component: TMOS
Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.
However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.
An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.
Conditions:
This issue is known to occur when all of the following conditions are met:
- The system is a multi-blade VIPRION or vCMP cluster.
- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.
Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.
Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:
# clsh "bigstart restart tmrouted"
However, there is no strict guarantee this will resolve the issue, given the nature of the issue.
Alternatively, you could temporarily replace the dynamic routes with static routes.
750823-4 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
Component: Access Policy Manager
Symptoms:
Memory usage in TMM keeps going up.
Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:
TCL error: ... - Failed to forward request to apmd.
Impact:
Memory leaks in TMM, which cause a TMM crash eventually.
Workaround:
Limit the amount of data that will be forwarded to APMD.
750649-3 : Windows Logon Integration does not work
Solution Article: K74214174
Component: Access Policy Manager
Symptoms:
With Windows Logon Integration, the network logon using a dial-up connection fails with the following error message, and the VPN cannot be established:
Connecting - Error 1471: Unable to finish the requested operation because the specified process is not a GUI process.
Conditions:
Windows Logon Integration is used for dial-up / establish VPN.
Impact:
APM end user cannot establish a VPN tunnel via Windows Logon Integration.
Workaround:
None.
750631-3 : There may be a latency between session termination and deletion of its associated IP address mapping
Component: Access Policy Manager
Symptoms:
In SWG, if a new request from a client executes the iRule command "ACCESS::session exists" after the session has expired, the command returns false. However, if "ACCESS::session create" is then executed following the "exists" command, the session ID of the previous session may be returned.
Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.
Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy
750491-1 : PEM Once-Every content insertion action may insert more than once during an interval
Component: Policy Enforcement Manager
Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.
Conditions:
During re-evaluation to update the existing flow.
Impact:
Content is inserted more often than expected with the Once-Every method of the insert content action.
Workaround:
None.
750490-1 : PEM content insertion action may insert more than once with Once-Every method
Component: Policy Enforcement Manager
Symptoms:
PEM content insertion action data is being reset even if there is no PEM policy update.
Conditions:
During re-evaluation to update the existing flow.
Impact:
Content is inserted more often than expected with the Once-Every method of the insert content action.
Workaround:
None.
750413 : UTF-8 character in subject of a certificate used for iQuery cannot be removed
Component: TMOS
Symptoms:
If the subject of a certificate added to 'Trusted Device Certificates' or 'Trusted Server Certificates' contains UTF-8 characters, the certificate cannot be removed via the GUI or edited via TMSH. When removing such a certificate, the GUI posts the following error:
Key management library returned bad status: -2, Not Found.
Conditions:
-- Using a certificate with UTF-8 character in its subject.
-- The cert is in 'Trusted Device Certificates' or 'Trusted Server Certificates'.
-- Try to remove this certificate.
Impact:
Certificates from 'Trusted Device Certificates' or 'Trusted Server Certificates' are not editable via TMSH. The only way of removing them is to edit /config/big3d/client.crt or /config/gtm/server.crt
Workaround:
Edit /config/big3d/client.crt or /config/gtm/server.crt to remove the certificates containing the UTF-8 character in subject of a certificate.
750204-1 : Add support for P-521 curve in the X.509 chain to SSL LTM
Component: Local Traffic Manager
Symptoms:
SSL is unable to verify a certificate signed with an EC P-521 key.
Conditions:
N/A
Impact:
Client/server authentication (X.509 signature verification) fails when using a certificate signed with an EC P-521 key.
Workaround:
The client/server has to use a certificate signed with a supported EC curve (P-256 or P-384).
750200-4 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
Component: Local Traffic Manager
Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.
Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.
Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.
Workaround:
None.
749603-4 : MRF SIP ALG: Potential to end wrong call when BYE received
Component: Service Provider
Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.
Conditions:
The hash of the call-id (masked to 12 bits) matches the hash of another call's call-id. A 12-bit mask leaves only 4096 possible values, so collisions become likely once a few dozen calls are active concurrently.
Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.
Workaround:
None.
749528-4 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
Component: Service Provider
Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.
Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.
Impact:
IVS traffic might not be routed properly.
Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.
749222-4 : dname compression offset overflow causes bad compression pointer
Component: Global Traffic Manager (DNS)
Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.
Conditions:
When the DNS response is large enough that a dname compression pointer would need to reference an offset larger than 0x3fff, the maximum a 14-bit compression pointer can express.
Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.
Workaround:
None.
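A DNS compression pointer is two octets whose top two bits are 11, leaving 14 bits for the offset, so 0x3fff is the last offset a pointer can reference. The following Python code (an added example, not F5 code) shows how an encoder has to fall back to writing the name in full once the only available back-reference lies beyond that limit, and a decoder that rejects the malformed pointers and label types a resolver reports as the errors listed above. The names and the zero filler that stands in for the rest of a large response are constructed.

```python
"""DNS name compression that respects the 14-bit pointer limit (RFC 1035 4.1.4).

Added example, not F5 code. encode_name() only emits a pointer when the
target offset fits in 14 bits; decode_name() raises on the malformed input
that a resolver reports as 'bad compression pointer' or 'bad label type'.
"""
MAX_POINTER_OFFSET = 0x3FFF   # a pointer is 0b11 followed by 14 bits of offset


def encode_name(name, offsets, msg_len):
    """Encode 'name' for appending to a message currently msg_len octets long.
    'offsets' maps suffixes already written to their offsets and is updated in
    place; a suffix is back-referenced only if its offset fits in 14 bits,
    otherwise its labels are written out in full."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    while labels:
        suffix = ".".join(labels)
        target = offsets.get(suffix)
        if target is not None and target <= MAX_POINTER_OFFSET:
            out += bytes([0xC0 | (target >> 8), target & 0xFF])
            return bytes(out)
        offsets.setdefault(suffix, msg_len + len(out))
        label = labels.pop(0).encode("ascii")
        out += bytes([len(label)]) + label
    out += b"\x00"
    return bytes(out)


def decode_name(msg, pos, _depth=0):
    """Return (name, next_pos). Raises ValueError for a forward pointer, a
    pointer loop, a truncated name, or a reserved label type (0x40/0x80)."""
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        b = msg[pos]
        if b == 0:
            return ".".join(labels) + ".", pos + 1
        kind = b & 0xC0
        if kind == 0xC0:
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((b & 0x3F) << 8) | msg[pos + 1]
            if target >= pos or _depth > 16:
                raise ValueError("bad compression pointer")
            tail, _ = decode_name(msg, target, _depth + 1)
            return ".".join(labels + [tail.rstrip(".")]).strip(".") + ".", pos + 2
        if kind != 0:
            raise ValueError("bad label type")
        if pos + 1 + b > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos + 1:pos + 1 + b].decode("ascii"))
        pos += 1 + b


def build_message(names, prefix_len=0):
    """Encode names back to back after prefix_len zero octets (standing in for
    the rest of a large response). Returns (message, start offset of each name)."""
    msg = bytearray(prefix_len)
    offsets, starts = {}, []
    for n in names:
        starts.append(len(msg))
        msg += encode_name(n, offsets, len(msg))
    return bytes(msg), starts


def uses_pointer(msg, pos):
    """True if the name at pos ends in a compression pointer rather than a root label."""
    while msg[pos] != 0 and (msg[pos] & 0xC0) == 0:
        pos += 1 + msg[pos]
    return (msg[pos] & 0xC0) == 0xC0


def decode_or_error(msg, pos):
    """Decode a name, returning the error text instead of raising (for triage)."""
    try:
        return decode_name(msg, pos)[0]
    except ValueError as e:
        return "error: " + str(e)


if __name__ == "__main__":
    names = ["www.example.com.", "mail.example.com."]
    small, s = build_message(names)
    big, b = build_message(names, prefix_len=0x4000)
    print(uses_pointer(small, s[1]), uses_pointer(big, b[1]))
```

The overflow is silent on the encoding side: 0xC0 | (0x4004 >> 8) is still 0xC0, so an encoder that does not check the limit emits a pointer to offset 4 instead of 0x4004, and the reader lands on arbitrary octets, which is where 'bad compression pointer' and 'bad label type' come from.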
748632 : APM Endpoint inspection fails on macOS Mojave
Component: Access Policy Manager
Symptoms:
When there are two or more endpoint checks that require OPSWAT libraries, the endpoint checks fail on macOS Mojave.
Conditions:
Access Policy profile with two or more endpoint checks such as Antivirus, Firewall, or System Patch.
Impact:
Network Access (VPN) is denied.
748608 : IPsec / ESP traffic pinned to TMM 0 for SP-Dag on 4000s/4200v, 2000s/2200v platforms
Component: TMOS
Symptoms:
Traffic pinned to TMM 0 using Source/Destination Disaggregation (SP-DAG) on 4000s/4200v, 2000s/2200v platforms.
Conditions:
-- IPsec / ESP packets.
-- SP-DAG configured.
-- Using 4000s/4200v, 2000s/2200v platforms.
Impact:
Traffic disaggregation does not operate as expected. Traffic pinned to TMM 0.
Workaround:
None.
748333-3 : DHCP Relay does not retain client source IP address for chained relay mode
Component: Local Traffic Manager
Symptoms:
The second relay in a DHCP relay chain modifies the src-address. This is not correct.
Conditions:
Using DHCP chained relay mode.
Impact:
The src-address is changed when it should not be.
Workaround:
None.
748323 : It is possible for the archive.tm2 file to not get cleaned up
Component: TMOS
Symptoms:
The istats daemon maintains a file (/var/tmstat2/blade/archive.tm2) that is used to track the addition and deletion of dynamic statistics. It is possible for this file to grow so large that it causes the istats daemon to use too much CPU.
Conditions:
This rarely happens, but it is due to loss of state, such that stale statistics are maintained when they should have been deleted.
Impact:
The istats daemon can use too much of the control plane CPU in this error condition.
Workaround:
Remove the /var/tmstat2/archive.tm2 file. The system recovers after one cycle of processing the archive file.
748253-4 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
Component: Service Provider
Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.
Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.
Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.
Workaround:
To mitigate this issue:
1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).
748031-4 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule
Component: WebAccelerator
Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.
Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters
Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.
Workaround:
No workaround exists.
747995-1 : MBLB SIP dropping packets with unknown methods
Component: Service Provider
Symptoms:
Traffic sent to a MBLB SIP LB is dropped if the SIP method is unknown.
Conditions:
Packets encountered SIP methods not already known to the BIG-IP system.
Impact:
Packet is dropped.
Workaround:
None.
747905 : 'Illegal Query String Length' violation displays wrong length
Component: Application Security Manager
Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.
Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.
Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.
Workaround:
None.
747799-3 : 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile
Component: TMOS
Symptoms:
During upgrade, the configuration fails to load due to an invalid client SSL profile cert/key configuration. The system posts an error: Unable to load the certificate file.
This occurs as a result of an invalid configuration that can be created as a result of a bug (614675) that exists in 11.5.4-HF2 (and only in 11.5.4-HF2). Because of the bug, it is possible to create a client SSL profile with an empty cert-key-chain, as shown in the following example:
ltm profile client-ssl /Common/cssl {
app-service none
cert none
cert-key-chain {
"" { } <=============== empty cert-key-chain
defualt_rsa_ckc { <==== typo: 'defualt'
cert /Common/default.crt
key /Common/default.key
}
}
key none
}
Note: This upgrade failure has a unique symptom: the typo 'defualt_rsa_ckc'. However, the name itself has no negative impact; the issue is the empty cert-key-chain.
After upgrading such a configuration from 11.5.4-HF2 to any later version of the software, the system posts a validation error, and the configuration fails to load.
Conditions:
The issue occurs when all the following conditions are met:
-- You are using 11.5.4-HF2.
-- The 11.5.4-HF2 configuration contains an invalid client SSL profile (i.e., a client SSL profile containing an empty cert-key-chain).
-- You upgrade to any software version later than 11.5.4-HF2.
Impact:
After upgrade, the configuration fails to load. The system posts an error message similar to the following:
-- "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 11.5.4 Loading schema version: 13.1.0.8 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.
Workaround:
You can fix the profile configuration in /config/bigip.conf either before the upgrade (in 11.5.4-HF2), or after the upgrade failure.
To do so:
1. Replace 'cert none' with a cert name, such as /Common/default.crt.
2. Replace 'key none' with a key name, such as /Common/default.key.
3. Remove the entire line containing the following: "" { }.
4. Correct the spelling of 'defualt' to 'default'. Although there are no negative consequences of this typo, it is still a good idea.
The new profile should appear similar to the following:
ltm profile client-ssl /Common/cssl {
app-service none
cert /Common/default.crt
chain none
cert-key-chain {
default_rsa_ckc {
cert /Common/default.crt
key /Common/default.key
}
}
key /Common/default.key
}
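A pre-upgrade check for the empty cert-key-chain condition described in this entry, added here as an example and not F5's own code: it scans bigip.conf text for client-ssl profiles containing a "" { } entry and applies the four workaround steps. The sample configuration is constructed to mirror the profile shown above, and /Common/default.crt and /Common/default.key are assumed as the substitute cert and key.

```python
"""Detect and repair client-ssl profiles with an empty cert-key-chain entry
(the 11.5.4-HF2 condition from bug 614675 that breaks config load on upgrade).
Added example, not F5 code; the sample configuration below is constructed."""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: one broken profile (as in the release note) and one good one.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/cssl {
    app-service none
    cert none
    cert-key-chain {
        "" { }
        defualt_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key none
}
ltm profile client-ssl /Common/good {
    app-service none
    cert /Common/default.crt
    cert-key-chain {
        default_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    key /Common/default.key
}
"""


def _block_end(text: str, start: int) -> int:
    """Index just past the '}' closing the block whose '{' precedes start."""
    depth, i = 1, start
    while i < len(text) and depth:
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
        i += 1
    return i


def iter_profiles(conf_text: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (profile name, body start, body end) for each client-ssl stanza."""
    for m in re.finditer(r'^ltm profile client-ssl (\S+) \{', conf_text, re.M):
        yield m.group(1), m.end(), _block_end(conf_text, m.end()) - 1


def chain_entries(profile_body: str) -> List[str]:
    """Names of the cert-key-chain entries in order; '' marks an empty name."""
    m = re.search(r'^[ \t]*cert-key-chain \{', profile_body, re.M)
    if not m:
        return []
    chain = profile_body[m.end():_block_end(profile_body, m.end()) - 1]
    # Only entry headers carry a '{'; the cert/key lines inside them do not.
    names = re.findall(r'^[ \t]*("[^"]*"|[^\s{]+)[ \t]*\{', chain, re.M)
    return [n.strip('"') for n in names]


def audit(conf_text: str) -> Dict[str, List[str]]:
    """Map each profile with an empty cert-key-chain entry to its problems."""
    report: Dict[str, List[str]] = {}
    for name, start, end in iter_profiles(conf_text):
        body = conf_text[start:end]
        if '' not in chain_entries(body):
            continue  # only the empty-name entry makes the config load fail
        problems = ['empty cert-key-chain entry']
        if re.search(r'^[ \t]*cert none[ \t]*$', body, re.M):
            problems.append('cert none')
        if re.search(r'^[ \t]*key none[ \t]*$', body, re.M):
            problems.append('key none')
        if 'defualt' in body:
            problems.append("typo 'defualt'")
        report[name] = problems
    return report


def repair_profile(body: str, cert: str = '/Common/default.crt',
                   key: str = '/Common/default.key') -> str:
    """Apply workaround steps 1-4 to one profile body (cert/key are assumed)."""
    fixed = re.sub(r'^([ \t]*)cert none[ \t]*$',
                   lambda m: m.group(1) + 'cert ' + cert, body, flags=re.M)
    fixed = re.sub(r'^([ \t]*)key none[ \t]*$',
                   lambda m: m.group(1) + 'key ' + key, fixed, flags=re.M)
    fixed = re.sub(r'^[ \t]*"" \{ \}[ \t]*\n', '', fixed, flags=re.M)  # step 3
    return fixed.replace('defualt', 'default')                        # step 4


def repair_conf(conf_text: str) -> str:
    """Return conf_text with every affected client-ssl profile repaired."""
    out = conf_text
    # Walk stanzas back to front so earlier offsets stay valid after edits.
    for name, start, end in reversed(list(iter_profiles(conf_text))):
        body = conf_text[start:end]
        if '' in chain_entries(body):
            out = out[:start] + repair_profile(body) + out[end:]
    return out


if __name__ == '__main__':
    for name, problems in audit(SAMPLE_CONF).items():
        print(f'{name}: {", ".join(problems)}')
    print(repair_conf(SAMPLE_CONF))
```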
747760 : Attack Signatures page: filter applied by another user may replace currently applied filter
Component: Application Security Manager
Symptoms:
If a user switches between different policies on the Policy Attack Signature page while another user changes Policy Attack Signature properties on the same page, then after the policy switch the filter applied by the second user is applied for the first user.
Conditions:
Two different users work on the Policy Attack Signature page simultaneously.
Impact:
An incorrect filter is applied in some scenarios, which may be confusing for the user.
747628-4 : BIG-IP sends spurious ICMP PMTU message to server
Component: Local Traffic Manager
Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.
Conditions:
-- The server side allows timestamps and the client side does not negotiate them.
-- The client-side MTU is lower than the server-side MTU.
-- There is no ICMP message on the client-side connection.
Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).
Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.
747337 : AAA CRLDP configurations configured using the 'No Server' option may be rendered incorrectly while using IE v11
Component: Access Policy Manager
Symptoms:
When a user views an AAA CRLDP server that has been configured with the 'No Server' option, the server connection shows up as Direct when it is in fact 'No Server'. This is not the case in other browsers, such as Google Chrome v69 or Mozilla Firefox v57, which correctly show the configured value for the AAA CRLDP Server, which is 'No Server'.
Conditions:
Using the Microsoft Internet Explorer (IE) browser v11.
Impact:
Inaccurate configuration information shown for the server connection.
Workaround:
Use Firefox version 57 or Chrome version 69.
Alternatively, view the correct value using the following tmsh command:
tmsh list apm aaa crldp all-properties
747234-3 : Macro policy does not find corresponding access-profile directly
Component: Access Policy Manager
Symptoms:
The discovery task runs but does not apply the access policy for which the Provider is configured.
Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.
Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.
Workaround:
Apply the Access Policy manually after auto-discovery.
747077-2 : Potential crash in TMM when updating pool members
Component: Local Traffic Manager
Symptoms:
In very rare cases, TMM can crash while updating pool members.
Conditions:
The conditions that lead to this are not known.
Impact:
TMM crashes, which can cause a failover or outage.
Workaround:
There is no workaround.
747065-1 : PEM iRule burst of session ADDs leads to missing sessions
Component: Policy Enforcement Manager
Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.
Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.
Impact:
Policies available in the missing session cannot be accessed.
Workaround:
Add a delay of at least a few milliseconds between adding multiple sessions with the same subscriber-id and IP address.
746984-2 : False positive evasion violation
Component: Application Security Manager
Symptoms:
When the Referer header contains a backslash character ('\') in the query string portion, an 'IIS backslashes' evasion technique violation is raised.
Conditions:
-- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
-- The Referer header contains a backslash character ('\') in the query string part.
Impact:
A false positive evasion technique violation is raised for the Referer header.
Workaround:
Turn off 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property on the HTTP Header Properties screen.
746771-2 : APMD recreates config snapshots for all access profiles every minute
Component: Access Policy Manager
Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers APMD to recreate the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...
-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...
-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync are unknown.
Impact:
TMM memory usage increases due to excessive config snapshots being created.
Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.
746758-5 : Qkview produces core file if interrupted while exiting
Component: TMOS
Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.
Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.
Impact:
A core file is produced.
Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.
746731-4 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
when DIAMETER_EGRESS {
if {[serverside] && [DIAMETER::command] == "257" } {
DIAMETER::avp flags set 267 0
}
}
}
746682 : ASM unable to display *any* event logs, unless they are searched for by support ID
Component: Application Security Manager
Symptoms:
After an upgrade, ASM is unable to display *any* event logs, unless they are searched for by support ID.
Conditions:
Either the numerical value returned from this query:
mysql> SELECT request_log_id FROM PRX.REQUEST_LOG_CLEARED;
Or the numerical value returned from this query:
mysql> SELECT MAX(request_log_id) FROM PRX.REQUEST_LOG_PROPERTIES WHERE flg_is_deleted = 1;
is larger than the numerical value returned from this query:
mysql> SELECT MAX(id) FROM PRX.REQUEST_LOG;
Impact:
ASM is unable to display *any* event logs, unless they are searched for by support ID.
Workaround:
mysql> UPDATE PRX.REQUEST_LOG_CLEARED SET PRX.REQUEST_LOG_CLEARED.request_log_id = (SELECT MAX(PRX.REQUEST_LOG.id) FROM PRX.REQUEST_LOG);
mysql> DELETE FROM PRX.REQUEST_LOG_PROPERTIES WHERE PRX.REQUEST_LOG_PROPERTIES.request_log_id NOT IN (SELECT PRX.REQUEST_LOG.id FROM PRX.REQUEST_LOG);
746657-4 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
Component: TMOS
Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the FQDN 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.
Conditions:
This occurs when viewing tmsh help text.
Impact:
FQDN nodes and pool members may be created with a different FQDN refresh interval than intended.
Workaround:
When creating an FQDN node or pool member, specify the desired FQDN 'interval' value (either TTL, or the desired number of seconds).
746464-4 : MCPD sync errors and restart after multiple modifications to file object in chassis
Component: TMOS
Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:
1. Errors are logged to /var/log/ltm similar to the following:
-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..
2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.
Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.
Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.
Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.
746355 : A client SSL handshake fails when client hello extension contains only unsupported groups
Component: Local Traffic Manager
Symptoms:
If the supported groups extension in the client hello contains only groups that are not supported by the BIG-IP system, the handshake fails.
Conditions:
-- (ec)dhe ciphers are used.
-- The supported groups extension does not contain any groups supported by the BIG-IP system.
Impact:
Client connections to the BIG-IP system fail.
Workaround:
There is no workaround other than not configuring (ec)dhe ciphers.
746152-4 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
Component: TMOS
Symptoms:
The DMA drop packet and bytes registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in the tmm/hsbe2_internal_pde_ring table) can have huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows a very small number:
from tmm/hsbe2_internal_pde_ring
name active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------
lbb0_pde1_ring2 1 2 17179869185 4398046511186
lbb0_pde1_ring3 1 2 8589934597 2199023256108
lbb0_pde2_ring0 1 2 0 0
lbb0_pde2_ring1 1 2 0 0
lbb0_pde2_ring2 1 2 8589934592 2199023255552
lbb0_pde2_ring3 1 2 0 0
lbb0_pde3_ring0 1 2 0 0
lbb0_pde3_ring1 1 2 0 0
lbb0_pde3_ring2 1 2 8589934592 2199023255552
lbb0_pde3_ring3 1 2 0 0
lbb0_pde4_ring0 1 2 0 0
lbb0_pde4_ring1 1 2 0 0
lbb0_pde4_ring2 1 2 8589934592 2199023255552
lbb0_pde4_ring3 1 2 0 0
lbb1_pde1_ring1 1 3 0 0
lbb1_pde1_ring2 1 3 4294967298 1099511627952
From hsb_snapshot for pde1's ring 0 to ring 3:
50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7
Conditions:
The register reads sometimes return a 0 value.
Impact:
The DMA drop stats are not accurate.
Workaround:
Restarting tmm resets the stats, but it disrupts traffic.
746122-5 : 'load sys config verify' resets the active master key to the on-disk master key value
Component: TMOS
Symptoms:
Master key is reset to an older value which may differ from the 'active' value.
Conditions:
Configuration is validated via 'tmsh load sys config verify'.
Impact:
Configuration elements may be encrypted with a different key leading to a corrupt configuration state. If the configuration is saved, future loads will fail.
Workaround:
None.
745733-4 : TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup
Component: Traffic Classification Engine
Symptoms:
The TMSH command "tmsh show ltm urlcat-query" does not perform a cloud lookup when there is no entry in the local database.
Conditions:
- TMSH command "show ltm urlcat-query abc.com" is executed.
- abc.com doesn't have an entry in the local webroot database.
Impact:
- Cloud lookup is not executed for unknown URL entries.
745663-1 : During traffic forwarding, nexthop data may be missed at large packet split
Component: Local Traffic Manager
Symptoms:
When splitting large packets, nexthop data is used for the first small packet but is missing from subsequent packets.
Conditions:
Forward of host LRO packet (e.g., FTP data-channel).
Impact:
Heavy packet loss, re-transmissions, and delays.
Workaround:
None.
745589-3 : In very rare situations, some filters may cause data-corruption.
Component: Local Traffic Manager
Symptoms:
In very rare situations, an internal data-moving function may cause data corruption or a tmm crash.
Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.
Conditions:
The affected filters are used, and some very rare situation occurs.
Impact:
This may cause silent data corruption, or a TMM crash. If there is a TMM crash, traffic is disrupted while tmm restarts.
Workaround:
None.
745397-4 : Virtual server configured with FIX profile can leak memory.
Component: Service Provider
Symptoms:
System memory increases with each transmitted FIX message, eventually resulting in a tmm crash.
Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.
Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.
Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.
745309 : Self IP route is not updated in a routing table if there is more than one route with the same destination signature
Component: TMOS
Symptoms:
When a Self IP address is added or updated via tmsh, the Configuration utility, or the "tmsh load sys config merge" command, the BIG-IP routing daemon updates the routing information in the routing table. If Dynamic Routing is configured on the BIG-IP system and the affected Self IP route has the same destination as a route learned from a routing protocol, the corresponding route in the routing table has to be updated when this Self IP address is added or changed. Normally this means that a new route is added to the routing table and the old one is removed; instead, the new route is added and then deleted from the routing table, and the old one is left in place.
Conditions:
1) There is a route in the routing table with the same destination signature as the Self IP route being added or updated. Usually this situation occurs when Dynamic Routing is configured on the BIG-IP system and a dynamic route has been added to the routing table.
2) The Self IP is added or updated.
Impact:
The routing information is not updated. The Self IP route is not involved in routing decisions, so traffic that should use the Self IP route is routed using out-of-date, incorrect routing information and is sent to the wrong destination.
Workaround:
There is no workaround at this time.
744913 : Tmm may be killed during snapshot creation on VMware ESXi
Component: TMOS
Symptoms:
tmm is sometimes killed by sod during snapshot creation when running on VMware ESXi.
Conditions:
An attempt to snapshot a running BIG-IP guest is made. This can cause the instance to be descheduled by the host upon which it is running which prevents tmm from touching its watchdog. Upon being scheduled to run, if sod runs before tmm can update the watchdog, it will kill tmm. A message indicating that tmm did not run for an extended period of time may be logged such as:
01010029:5: Clock advanced by 40124 ticks
This message indicates generally that tmm did not run and can indicate other types of issues as well.
Impact:
Traffic processing can be severely impacted while the snapshot operation is proceeding regardless of whether tmm restarts or not. If tmm is restarted, production traffic will not be processed until it is finished restarting.
Workaround:
There is no workaround at this time.
744787-1 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
Solution Article: K04201069
Component: Global Traffic Manager (DNS)
Symptoms:
WideIP alias will be replaced.
Conditions:
An alias already exists for one WideIP, and the same alias is added to another WideIP.
Impact:
The previous WideIP will be replaced.
Workaround:
Avoid adding an alias that already exists on one WideIP to another WideIP.
744520-4 : virtual server with PEM profile drops traffic received from Vxlan-GRE tunnel interface
Component: TMOS
Symptoms:
A virtual server with a PEM profile drops traffic received from a Vxlan-GRE tunnel interface.
Conditions:
Virtual server with a PEM profile and a Vxlan-GRE tunnel interface.
Impact:
Traffic drop.
Workaround:
There is no workaround.
744316-3 : Config sync of APM policy fails with Cannot update_indexes validation error.
Component: Access Policy Manager
Symptoms:
The config sync operation fails for an APM policy when a policy item of the same name points to different agents on the source and target.
The system posts errors similar to the following:
Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"
Conditions:
This occurs in the following scenario:
1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
+ Launch VPE for the policy.
+ Add a macro.
+ In macro add an agent, e.g., Message box.
+ Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.
Impact:
Unable to sync configuration in a failover device group.
Workaround:
You can work around this using the following procedure:
1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.
744275-4 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
Component: Service Provider
Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.
Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.
Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.
Workaround:
Configure an iRule in the MRF transport-config, for example:
ltm rule workaround {
when DIAMETER_EGRESS {
if {[serverside] && [DIAMETER::command] == "257" } {
DIAMETER::avp flags set 269 0
}
}
}
744252-4 : BGP route map community value: either component cannot be set to 65535
Component: TMOS
Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.
Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.
Impact:
Unable to use the full range of BGP route map community values.
Workaround:
There is no workaround at this time.
743900-4 : Custom DIAMETER monitor requests do not have their 'request' flag set
Component: Local Traffic Manager
Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.
Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.
Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server treats the request as a response.
Workaround:
None.
743896 : Gratuitous ARP not sent on interface up
Component: Local Traffic Manager
Symptoms:
Gratuitous ARP not seen when an interface comes up: different behavior depending on software version.
On BIG-IP software version 11.6.x and on BIG-IP Virtual Edition (VE) version 13.1.x, the BIG-IP system sends a GARP 3 seconds after the interface comes UP.
On version 12.1.2, the BIG-IP system does not send a GARP when the interface comes UP.
Conditions:
The interface transition from DOWN to UP state.
Impact:
No GARP for self-ip addresses on interfaces.
Workaround:
None.
743895 : Upgrades from 10.2.x fail due to empty virtual address lines in the configuration★
Component: TMOS
Symptoms:
In 10.2.x it is possible to have 'empty' virtual address lines in the configuration like this:
virtual address 10.10.10.10 {}
Lines such as these cause failures when upgrading to any version of BIG-IP software that includes the functionality to add 'arp disable' to virtual addresses that do not have an explicit configuration for their ARP setting. This functionality is present beginning with software version 11.5.0.
Conditions:
-- 'Empty' virtual address lines in the configuration.
-- Upgrading to a version of BIG-IP software that includes the functionality to add 'arp disable' to virtual addresses that do not have an explicit configuration for their ARP setting.
Impact:
The upgrade fails without a clear error message.
Workaround:
Upgrade to 11.5.0 first, and then upgrade to the desired version.
743464 : DoSL7 attack is not detected when using multiple profiles with Behavioral Detection
Component: Anomaly Detection Services
Symptoms:
Setting up multiple DoS Application Profiles on the same Virtual Server via either iRules or LTM Policies causes DoSL7 attacks to not be detected or mitigated, if one of the profiles has Behavioral Detection enabled.
Conditions:
-- Multiple DoS profiles are configured on a single Virtual Server, either using the iRule DOSL7::enable command, or LTM Policies controlling the DoS profile.
-- One of the DoS profiles on the Virtual Server has Behavioral Detection enabled, even if the Stress-Based Operation Mode is set to Off.
Impact:
DoSL7 attacks are not detected and not mitigated, with no indication that they are not.
Workaround:
Disable Behavioral Detection on all of the DoS profiles that are directly or indirectly associated with the Virtual Server. If Stress-Based Operation Mode is set to Off, then you might need to temporarily set Stress-Based to Transparent, disable the Behavioral checkboxes, and then set Stress-Based Operation mode back to Off.
743271-2 : Querying vCMP Health Status May Show Stale Statistics
Component: TMOS
Symptoms:
Stale statistics collected while the guest was running a pre-13.1.0 version may periodically be seen when querying vCMP health status in the Configuration Utility or via tmsh show vcmp health commands.
Conditions:
This issue may be seen when all of the following conditions are met:
- the vCMP guest is deployed on more than one blade
- the vCMP guest is upgraded from a pre-13.1.0 release to 13.1.0 or above
Impact:
Health status is not always accurately reported.
Workaround:
The issue may be resolved by setting the guest status temporarily to configured and then back to deployed.
743253-5 : TSO in software re-segments L3 fragments.
Component: Local Traffic Manager
Symptoms:
FastL4 does not re-assemble fragments by default, but on a system with software-enabled TSO (sys db tm.tcpsegmentationoffload value disable), those fragments are erroneously re-segmented.
Conditions:
The behavior is encountered on BIG-IP Virtual Edition when setting sys db tm.tcpsegmentationoffload value disable, but does not cause a tmm core on Virtual Edition.
Impact:
Already-fragmented traffic is fragmented again.
Workaround:
None
743234-1 : Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons
Component: TMOS
Symptoms:
Configuring EngineID for SNMPv3 does not take effect until the SNMP and Alert daemons are restarted.
Conditions:
Configure the EngineID for SNMPv3 using the tmsh command:
modify sys snmp include 'EngineType n'
Impact:
The SNMPv3 value does not take effect.
Workaround:
Restart the daemons after changing the EngineID:
restart /sys service snmpd
restart /sys service alertd
Note: The SNMP daemon should be restarted before the Alert daemon.
743132-3 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
Component: TMOS
Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.
Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.
Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.
Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.
743116-1 : Chunked responses may be incorrectly handled by HTTP/2
Component: Local Traffic Manager
Symptoms:
When a chunked HTTP response is serialized by HTTP/2, the chunking headers should be removed. This does not occur in some cases.
Conditions:
The HTTP/2 filter is used. Some other profiles are used on the same virtual. (In particular, the request logging profile triggers this issue.)
Impact:
The HTTP/2 payload will include chunking headers, corrupting it.
Workaround:
An iRule may be used to detect an HTTP/2 client and forcibly turn on unchunking in the HTTP_RESPONSE event.
Example:
ltm rule unchunk_http2 {
    when HTTP_REQUEST {
        # Remember whether this request arrived over HTTP/2
        set is_http2 [HTTP2::active]
    }
    when HTTP_RESPONSE {
        # Strip the chunk framing before the response is serialized to HTTP/2
        if { [info exists is_http2] && $is_http2 } {
            HTTP::payload unchunk
        }
    }
}
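What the unchunking step has to do before an HTTP/1.1 response is serialized to HTTP/2, as an added example in Python; this is not code from the release notes or from F5. HTTP/2 does not allow the Transfer-Encoding header (RFC 7540 section 8.1.2.2), so the chunk framing must be decoded and the header dropped, otherwise the chunk-size lines end up inside DATA frames, which is the corruption described above. The response bytes are constructed for the demonstration.

```python
# Added example (not F5 code): de-chunk an HTTP/1.1 response the way a proxy must
# before re-serializing it to HTTP/2, where chunk framing inside DATA frames
# corrupts the payload. SAMPLE_RESPONSE is constructed for this demonstration.


def parse_chunked(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body and return the concatenated chunk data.

    Chunk extensions (";name=value" after the size) are ignored and trailers after
    the last-chunk are discarded. Raises ValueError on truncated or malformed framing.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("bad chunk size %r" % size_field)
        pos = eol + 2
        if size == 0:
            return bytes(out)          # last-chunk reached
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def unchunk_response(raw: bytes) -> bytes:
    """Return `raw` with chunk framing removed and a Content-Length header instead.

    Responses that are not chunked are returned unchanged.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    status_line, *headers = head.split(b"\r\n")
    te = [h for h in headers if h.lower().startswith(b"transfer-encoding:")]
    if not te or b"chunked" not in te[-1].lower():
        return raw
    payload = parse_chunked(body)
    kept = [h for h in headers
            if not h.lower().startswith((b"transfer-encoding:", b"content-length:"))]
    kept.append(b"Content-Length: " + str(len(payload)).encode("ascii"))
    return b"\r\n".join([status_line, *kept]) + b"\r\n\r\n" + payload


# Constructed sample: a chunked HTTP/1.1 200 response carrying "hello world".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"6\r\n world\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print(unchunk_response(SAMPLE_RESPONSE).decode())
```

Feeding a capture of the corrupted HTTP/2 payload to parse_chunked is also a quick way to confirm the symptom: if the DATA frame body decodes cleanly as chunked framing, the chunk headers were never removed.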
742877 : Tmm may fail a heartbeat on VE if unscheduled by busy hypervisor
Component: TMOS
Symptoms:
Tmm is killed by sod and restarts after failing to send a heartbeat message.
Conditions:
BIG-IP Virtual Edition (VE) running on a busy host system.
Impact:
Tmm restarts and recovers. Traffic disrupted while tmm restarts.
Workaround:
None.
742838-4 : A draft policy of an existing published policy cannot be modified if it is in /Common and used by a virtual server in a different partition
Component: Local Traffic Manager
Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:
"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"
This happens in both the GUI and TMSH.
Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.
Impact:
Inability to edit the published policy.
Workaround:
None.
742829-4 : SIP ALG: Do not translate and create media channels if the RTP port defined in the SIP message is 0
Component: Service Provider
Symptoms:
The BIG-IP system incorrectly handles SDP media ports. The UAC sends an SDP message body advertising that it can handle voice, text, and video. The UAS answers that video is not wanted by setting the video port to '0'. The BIG-IP system does not honor this and translates port '0' to an ephemeral port, so the UAC believes it must open a video channel. When the UAC sends the video connection request, the BIG-IP system forwards it to the wrong port (the media port for text), and the connection fails.
Conditions:
RTP media port defined in the SIP message is set to 0.
Impact:
Improper media channel creation.
Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.
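The ingress rewrite the iRule workaround describes, as an added example in Python so it can be run against a captured message; it is not code from the release notes or from F5. Media sections whose m= port is 0 are removed together with their attribute lines, and Content-Length is recomputed for the new body. SAMPLE_ANSWER is a constructed SIP 200 OK carrying an SDP answer that rejects video.

```python
# Added example (not F5 code): strip SDP media sections whose m= port is 0 from a
# SIP message and rewrite Content-Length, the logic the iRule workaround performs
# at ingress. SAMPLE_ANSWER is constructed for this demonstration.


def strip_zero_port_media(sip: bytes) -> bytes:
    """Remove SDP media sections (an m= line plus its a=/c=/b= lines) whose port is 0
    and rewrite Content-Length to the new body size. Messages without a body are
    returned unchanged."""
    head, sep, body = sip.partition(b"\r\n\r\n")
    if not sep:
        return sip
    kept, skipping = [], False
    for line in body.splitlines(keepends=True):
        if line.startswith(b"m="):
            # m=<media> <port>[/<count>] <proto> <fmt ...>; port 0 rejects the stream
            port = line.split()[1].split(b"/", 1)[0]
            skipping = port == b"0"
        if not skipping:
            kept.append(line)
    new_body = b"".join(kept)
    headers = [h for h in head.split(b"\r\n")
               if not h.lower().startswith((b"content-length:", b"l:"))]
    headers.append(b"Content-Length: " + str(len(new_body)).encode("ascii"))
    return b"\r\n".join(headers) + b"\r\n\r\n" + new_body


def media_ports(sip: bytes) -> list:
    """Return the (media type, port) pairs of the message's SDP body, in order."""
    body = sip.partition(b"\r\n\r\n")[2]
    pairs = []
    for line in body.splitlines():
        if line.startswith(b"m="):
            fields = line.split()
            pairs.append((fields[0][2:].decode(), int(fields[1].split(b"/", 1)[0])))
    return pairs


def declared_length_matches(sip: bytes) -> bool:
    """True when the Content-Length (or compact l:) header equals the actual body size."""
    head, _, body = sip.partition(b"\r\n\r\n")
    for h in head.split(b"\r\n"):
        name, _, value = h.partition(b":")
        if name.strip().lower() in (b"content-length", b"l"):
            return int(value.strip()) == len(body)
    return False


# Constructed SDP answer: audio and text accepted, video rejected with port 0.
_SDP = (
    b"v=0\r\n"
    b"o=uas 2890844526 2890844526 IN IP4 198.51.100.20\r\n"
    b"s=-\r\n"
    b"c=IN IP4 198.51.100.20\r\n"
    b"t=0 0\r\n"
    b"m=audio 49170 RTP/AVP 0\r\n"
    b"a=rtpmap:0 PCMU/8000\r\n"
    b"m=text 49172 RTP/AVP 98\r\n"
    b"a=rtpmap:98 t140/1000\r\n"
    b"m=video 0 RTP/AVP 31\r\n"
    b"a=rtpmap:31 H261/90000\r\n"
)
SAMPLE_ANSWER = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: " + str(len(_SDP)).encode("ascii") + b"\r\n"
    + b"\r\n" + _SDP
)

if __name__ == "__main__":
    print(strip_zero_port_media(SAMPLE_ANSWER).decode())
```

One caveat before deploying this: an SDP answer is expected to carry the same number of m= lines as the offer, in the same order (RFC 3264), so deleting a rejected section changes what the UAC sees. Test with the user agents actually in use, since some match answer streams by position rather than tolerating a shorter answer.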
742753-1 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
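The Referer/Host agreement the WebUI login depends on, reduced to a check that can be run against the headers a proxy actually forwards, as an added example in Python; this is not F5's code, and the exact comparison the WebUI performs is not documented here. This version compares the Referer's authority (host and optional port) with the Host header, which is the agreement the three workarounds restore. The header sets are constructed for the demonstration.

```python
# Added example (not F5 code): a Referer-to-Host agreement check modelled on the
# login failure described above. DIRECT, STRIPPED and REWRITTEN are constructed
# header sets for a direct connection and two misbehaving proxies.
from urllib.parse import urlsplit


def referer_agrees_with_host(headers: dict) -> bool:
    """True when a Referer is present and its host[:port] equals the Host header."""
    lowered = {name.lower(): value for name, value in headers.items()}
    host, referer = lowered.get("host"), lowered.get("referer")
    if not host or not referer:
        return False            # a proxy that strips Referer fails here
    return urlsplit(referer).netloc.lower() == host.strip().lower()


def diagnose(headers: dict) -> str:
    """Name the proxy behaviour that would break the login, or return 'ok'."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if "referer" not in lowered:
        return "referer removed"
    if not referer_agrees_with_host(headers):
        return "referer and host disagree"
    return "ok"


# Constructed header sets: direct access, a proxy that strips Referer, and a
# proxy that rewrites Host to the backend address but leaves Referer untouched.
DIRECT = {"Host": "bigip.example.net",
          "Referer": "https://bigip.example.net/tmui/login.jsp"}
STRIPPED = {"Host": "bigip.example.net"}
REWRITTEN = {"Host": "192.0.2.10",
             "Referer": "https://portal.example.net/tmui/login.jsp"}

if __name__ == "__main__":
    for name, hdrs in (("direct", DIRECT), ("stripped", STRIPPED), ("rewritten", REWRITTEN)):
        print(name, "->", diagnose(hdrs))
```

Running diagnose over the headers captured on the BIG-IP side of the proxy (for example from a tcpdump of the management interface) tells you which of the two proxy behaviours you are dealing with, and therefore which workaround applies.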
741345 : Adaptive monitor gateway_icmp does not function correctly with two nodes
Component: Local Traffic Manager
Symptoms:
An adaptive gateway-icmp monitor attached to two nodes, and configured with an even interval value (such as '2' or '4' seconds) may cause the node to be marked 'down' even when that node is available.
Conditions:
-- An adaptive gateway-icmp monitor is applied to two nodes.
-- The value configured is an even interval number (such as '2' or '4' seconds).
-- The associated node is available.
Impact:
A node associated with the gateway-icmp monitor might be marked 'down', when it should be marked 'up'.
Workaround:
You can use either of the following workarounds:
-- Configure an interval with an odd number of seconds (such as '3' or '5' seconds).
-- Create a separate adaptive gateway-icmp monitor for each node.
740957 : 'fips_get_key_attr(): mod_err = 0xa9' message seen in /var/log/ltm
Component: TMOS
Symptoms:
When a newly created FIPS key with a long name (greater than 32 characters) gets synced over a FIPS high availability (HA) setup, the daemon.log shows that the name gets truncated:
key_label '/Common/testtmsh.with.long.name.and.config.sync.ran.with.TMSH.version1' exceed max len of 32, truncating to 'nfig.sync.ran.with.TMSH.version1).
And the ltm log shows the following message:
fips_get_key_attr(): mod_err = 0xa9.
Conditions:
The issue is intermittent.
-- HA setup with FIPS.
-- Perform a config sync operation after creating FIPS keys with names longer than 32 characters.
Impact:
The newly created FIPS key's name gets truncated to 32 characters. The truncated FIPS key is config-sync'd to the peer system, however, so there is no other impact.
Workaround:
There is no workaround; limit FIPS key names to 32 characters or fewer to prevent truncation.
740517-4 : Application Editor users are unable to edit HTTPS Monitors via the Web UI
Component: TMOS
Symptoms:
A user with the Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the following misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)
Conditions:
The logged in GUI user must be an Application Editor role for the partition containing the HTTPS Monitor
Impact:
The user must use TMSH to modify an HTTPS Monitor.
Workaround:
Run the following tmsh command: modify ltm monitor https
740461 : Certificate or key upload in the GUI may occasionally fail with 'General database error'
Component: TMOS
Symptoms:
When uploading an SSL certificate or key via the TMUI, the upload might occasionally fail with a 'General database error.'
The /var/log/webui.log shows an error similar to the following:
-- ERROR [TP-Processor2] ssl_certificate.SSLCertificateImportHandler:importCertificateToMcpd - /shared/tmp/upload__36aadee9_16539dee776__8000_00001003.tmp (No such file or directory).
This issue occurs rarely and is intermittent.
Conditions:
Uploading an SSL certificate or key via the GUI.
Impact:
Upload via the GUI fails.
Workaround:
Retry the upload.
740284-3 : Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'
Component: Global Traffic Manager (DNS)
Symptoms:
Virtual servers on generic-hosts may be marked as Yellow, with a message of 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'.
Conditions:
The conditions under which this occurs are not known.
Impact:
Virtual server is marked Yellow erroneously 'In Maintenance Mode'.
Workaround:
Use any of the following to reset the condition:
-- Restart gtmd by issuing the following command:
bigstart restart gtmd
-- Restart the system.
-- Remove any monitors from the affected server, save the configuration, and then add any required monitors.
-- Delete the affected server from the configuration and recreate it.
740203 : Installing a certificate or key may fail for a remote user
Component: TMOS
Symptoms:
iControl REST may return an error to a remote user attempting to install an SSL key or certificate. The same install process runs successfully for a local user.
Conditions:
-- Use a remotely authenticated user, such as via Active Directory (AD), with the admin role assigned to the user.
-- Using iControl REST, upload an SSL certificate (and/or key) to the BIG-IP system and attempt to install the certificate (and/or key).
Impact:
Inability to install a certificate.
Workaround:
If the request to install the certificate fails, change the permissions on the .key and .crt files to 640 (chmod 640).
740135-4 : Traffic Group ha-order list does not load correctly after reset to default configuration
Component: TMOS
Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group high availability (HA) Order lists.
Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.
Impact:
Incorrect high availability (HA) configuration.
Workaround:
Reload the configuration a second time.
740086-2 : AVR reports ignore partitions for Admin users
Component: Application Visibility and Reporting
Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.
Reports generated for specific partition include data from all partitions.
Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.
Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.
Workaround:
One workaround is to have non-Admin users generate reports.
For non-Admin users, the partition is honored.
739820-4 : Validation does not reject IPv6 address for TACACS auth configuration
Component: TMOS
Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like
Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)
Conditions:
Use the GUI or TMSH to create or modify a TACACS server
Impact:
Remote authentication will fail unless a second server is configured with an IPv4 address.
Workaround:
Do not configure an IPv6 address for the TACACS server.
739618-4 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
Component: Application Security Manager
Symptoms:
When using an AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set a rule that controls ASM in an LTM policy.
Conditions:
- AWAF or MSP license
Impact:
The Admin cannot use the BIG-IP Configuration Utility to create an LTM policy that controls ASM, and must use TMSH.
Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}
739553-4 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
Component: Global Traffic Manager (DNS)
Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.
Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.
Impact:
Wide IP persistence does not work.
Workaround:
There is no workaround other than keeping the Wide IP Persistence TTL small enough that the TTL plus the persist-record creation time (seconds since the epoch) stays at or below 4294967295.
739533-3 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
Component: TMOS
Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.
Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.
Impact:
When that happens, the temporary files that should have been deleted might remain. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space and reach 100% full. A full /config might cause config sync to fail, prevent configuration changes, and cause other issues.
Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.
739118-4 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
Component: TMOS
Symptoms:
Existing self IP addresses are changed directly in the bigip_base.conf file. After the changed configuration file is loaded, the BIG-IP routing service provides out-of-date self IP route information to dependent services.
Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.
Impact:
Different services have different route information:
-- tmsh table: has the old route.
-- Dynamic routing: has both the old and the new routes.
-- Kernel table: has the new route.
Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in the bigip_base.conf file; this is not a recommended way to add or change BIG-IP configuration. Use the GUI or tmsh instead.
Corrective:
If a changed configuration has already been loaded: in the GUI or tmsh, delete the changed self IP address, then create a self IP address with the old IP address and delete it as well. All affected routes are then removed.
738865-5 : MCPD might enter into loop during APM config validation
Component: Access Policy Manager
Symptoms:
Mcpd crashes after a config sync.
Conditions:
This can occur during configuration validation when APM is configured.
Impact:
Mcpd may take too long to validate the APM configuration and is killed by the watchdog, causing a core.
Workaround:
Use the Visual Policy Editor to configure access policy instead of tmsh commands.
The Visual Policy Editor does not allow policies to be created if they contain loops.
738543-1 : Dynamic route with recursive nexthop might cause tmrouted restart
Component: TMOS
Symptoms:
Tmrouted restart.
Conditions:
- Dynamic routing enabled.
- Routing update with recursive nexthop.
Impact:
Stability of the dynamic routing daemons. TMM cannot learn or advertise routes while the daemon restarts.
Workaround:
There is no workaround other than not exporting routes with recursive nexthop.
738450-4 : Parsing pool members as variables with IP tuple syntax
Component: Local Traffic Manager
Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.
Conditions:
Tcl variable is used for the IP tuple instead of a plain value.
Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.
Note: There is no warning in the GUI.
Workaround:
Use plain value instead of variable.
738359 : Log output does not reflect BIG-IP system timezone setting
Component: TMOS
Symptoms:
Running the command 'tmsh show sys log' for any module in a specified range displays results according to the UTC timezone, despite the setting on the BIG-IP system.
Conditions:
-- Run the following command:
tmsh show sys log <any_module> range <range options>
-- View the output.
Impact:
Log filtering may not return results because of the difference between timezone settings.
Workaround:
Set timezone to UTC setting.
738070-3 : Persist value for the RADIUS Framed-IP-Address attribute is not correct
Component: Service Provider
Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.
Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).
Impact:
RADIUS requests may not get persisted to the servers they should be.
Workaround:
Use an iRule to persist instead, e.g.:
ltm rule radius-persistence {
    when CLIENT_DATA {
        # Persist on the Framed-IP-Address attribute (RADIUS AVP 8) taken directly from the packet
        persist uie [RADIUS::avp 8]
    }
}
738045-2 : HTTP filter complains about invalid action in the LTM log file.
Component: Local Traffic Manager
Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)
Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.
Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):
when HTTP_REQUEST {
    # Hold the request payload until the name lookup completes
    HTTP::collect
    NAME::lookup @10.0.66.222 "f5.com"
}
when NAME_RESOLVED {
    # Release the collected request to the server side (this triggers HTTP_REQUEST_SEND)
    HTTP::release
}
when HTTP_REQUEST_SEND {
    log local0. "Entering HTTP_REQUEST_SEND"
}
-- Client sends two HTTP Post requests.
-- After the first request, the connection is kept alive (for example, by using the HTTP Connection header) so that the second request reuses the same connection.
Impact:
The second request gets reset, and the system logs errors in the LTM log file.
Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.
737901-1 : Management MAC address and host VLAN MAC address are the same on iSeries platforms when in vCMP mode
Component: TMOS
Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.
Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.
Impact:
The management MAC address is the same as the host VLAN MAC address, so the same MAC is used both for VLAN traffic originating from the vCMP host and for the host's management interface traffic. This can make it impossible to differentiate management-port traffic from traffic-port traffic.
Workaround:
There is no workaround at this time.
737536-5 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
Component: TMOS
Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|
The goal is to redistribute the default route received by OSPF process 1 (which peers with the Internet) into OSPF process 2, so that if that route is withdrawn (for example, an Internet link goes down), OSPF process 2 withdraws the associated route as well. The 'default-information originate' command is the ideal choice for this: as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2, and if that route is gone, OSPF process 2 immediately removes it from the routing table. However, enabling 'default-information originate' on OSPF process 2 does not have this effect, and a default route is not injected as it should be.
Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:
OSPF router config examples:
***
OSPF 1:
router ospf 1
ospf router-id 10.13.0.7
redistribute ospf
network 10.13.0.0/16 area 0.0.0.1
default-information originate
OSPF 2:
router ospf 1
ospf router-id 10.14.0.5
redistribute ospf
network 10.14.0.0/16 area 0.0.0.1
BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
***
-- Enabling 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive the advertised default route from BIG-IP OSPF process 1 if such a route exists.
# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
ospf router-id 10.13.0.2
network 10.13.0.0/16 area 0.0.0.1
router ospf 2
ospf router-id 10.14.0.9
network 10.14.0.0/16 area 0.0.0.1
default-information originate
Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.
Workaround:
None.
737529-1 : [GTM] load or save configs removes backslash \ from GTM pool member name
Component: Global Traffic Manager (DNS)
Symptoms:
GTM config fails to load, and posts an error similar to the following:
Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers
Conditions:
GTM server virtual server name contains a backslash (\) character.
Impact:
GTM config fails to load.
Workaround:
Edit bigip_gtm.conf manually and add the \ character.
Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.
737346-4 : After entering username and before password, the logging on user's failure count is incremented.
Component: TMOS
Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.
Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.
Note: This does not apply to GUI or iControl REST logins.
Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.
Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.
734692-1 : Incorrect prefix of ICMP error messages in NAT64
Component: Local Traffic Manager
Symptoms:
When ICMPv4 error messages are returned for NAT64 connections, the source address of the ICMPv6-translated error message uses ::ffff as the IPv6 prefix, creating an IPv4-mapped IPv6 address.
Conditions:
-- NAT64 enabled.
-- ICMPv4 error messages are returned from IPv4 hosts and routers.
Impact:
The ICMP error messages cannot be routed to the client and are dropped by intermediate routers. This can prevent clients from properly detecting errors such as unreachable hosts and networks. This causes failures in utilities such as ping and traceroute.
Workaround:
There is no workaround at this time.
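How the IPv4 source of a translated ICMP error should be embedded in a NAT64 prefix (RFC 6052 /96 encoding), next to the IPv4-mapped ::ffff:0:0/96 form the bug produces, as an added example in Python that is not code from the release notes or from F5. The prefix 64:ff9b::/96 used here is the RFC 6052 well-known prefix and is an assumption; a deployment may translate under a prefix of its own.

```python
# Added example (not F5 code): RFC 6052 embedding of an IPv4 address into a /96
# NAT64 prefix, and a classifier that spots the ::ffff:0:0/96 (IPv4-mapped) source
# addresses the bug emits. The 64:ff9b::/96 prefix is an assumption (RFC 6052 WKP).
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # assumed deployment prefix
V4MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")       # what the bug uses instead


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """Place an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052 encoding)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def classify_source(v6: str) -> str:
    """Classify the source of a translated ICMPv6 error.

    'ipv4-mapped' addresses are a host-software convention and are not meant to
    appear on the wire, so intermediate routers drop packets sourced from them.
    """
    addr = ipaddress.IPv6Address(v6)
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"
    if addr in NAT64_PREFIX:
        return "nat64"
    return "other"


if __name__ == "__main__":
    router = "203.0.113.9"     # constructed: the IPv4 router that sent the ICMPv4 error
    print("correct:", embed_ipv4(NAT64_PREFIX, router), classify_source(str(embed_ipv4(NAT64_PREFIX, router))))
    print("bug:    ", embed_ipv4(V4MAPPED, router), classify_source(str(embed_ipv4(V4MAPPED, router))))
```

Run against the source addresses of ICMPv6 errors captured on the IPv6 side of the translator: anything that classifies as 'ipv4-mapped' is the symptom above, and a traceroute through the affected path shows those hops as missing rather than as the IPv4 routers that actually answered.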
734595-1 : sp-connector is not being deleted together with profile
Component: Access Policy Manager
Symptoms:
If a profile is connected to an SSO SAML IdP configuration with an SP connector, the sp-connector is not available for delete when the profile is deleted.
Conditions:
-- Profile is connected to an SSO SAML IdP configuration with an SP connector.
-- Deleting the profile and attempting to delete the sp-connector.
Impact:
The SP connector is not listed for delete when the profile is deleted.
Workaround:
To delete the SP connector, run the following command:
tmsh delete apm sso saml-sp-connector NAME
734241 : 'Detection Evasion' violations might not report violation details in their reports or in the GUI
Component: Application Security Manager
Symptoms:
Evasion technique details are not presented in the request log.
Conditions:
This occurs in either of the following scenarios:
-- Many evasion techniques occur in a single request.
-- The evasion techniques that occur are not set as enabled in the policy configuration.
Impact:
'Detection Evasion' attacks are reported in the logs, but there are no violation details to help clarify what actually triggered them.
Workaround:
None.
733585-2 : Merged can use 100% of CPU if all stats snapshot files are in the future
Component: TMOS
Symptoms:
Merged uses 100% of CPU if it cannot remove the oldest snapshot file, because all snapshot files have timestamps in the future.
Conditions:
All stats snapshot files have timestamps in the future, on a release that includes the fix for issue 721740 but not the fix for this issue.
Impact:
Merged uses 100% of the CPU.
Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.
727469-1 : ProxySSL leaks profile reference
Component: Local Traffic Manager
Symptoms:
Proxy SSL leaks server SSL profile references whenever a virtual server is uninitialized or reinitialized.
Conditions:
-- One or more Client SSL profiles are in use
-- SSL profile has the 'Proxy SSL' (proxy-ssl) setting enabled.
-- The profile is re-initialized; this can occur when a profile is modified.
Impact:
Memory leaks. Tmm can crash. Traffic disrupted while tmm restarts.
Workaround:
None.
727467-3 : Some iSeries appliances can experience traffic disruption when the high availability (HA) peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
Component: TMOS
Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
+ In /var/log/ltm:
- err tmm4[21025]: 01340004:3: high availability (HA) Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
+ In /var/log/tmm:
- notice DAGLIB: Invalid table size 12
- notice DAG: Failed to consume DAG data
Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).
Important: This issue may also affect iSeries high availability (HA) peers on the same software version if the devices do not share the same model number.
Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.
Impact:
- High CPU usage.
- Traffic disruption.
Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.
For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up high availability (HA) group and make sure the 12.1.3 Active unit's high availability (HA) score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online
At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.
727297-4 : GUI TACACS+ remote server list should accept hostname
Component: TMOS
Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.
Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.
Impact:
Validation does not accept a hostname. Cannot add hostname as a server.
Workaround:
Use tmsh to add a hostname.
727288-4 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
Component: Service Provider
Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.
Conditions:
Diameter Message Routing Framework (MRF) in use
Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).
Workaround:
Use a DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end ID.
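The Diameter header layout of RFC 6733 section 3, with Hop-by-Hop and End-to-End identifiers generated the way the RFC describes (monotonic from a random start, and low 12 bits of the time plus 20 random bits, respectively), plus a check that flags the all-zero identifiers described above, as an added example in Python; it is not code from the release notes or from F5. No peer is involved; the CER and DWR are built and parsed in memory. Whether a given remote peer rejects zero identifiers is up to that peer; the check here only reports them.

```python
# Added example (not F5 code): build and parse Diameter request headers per
# RFC 6733 section 3 and flag zero Hop-by-Hop / End-to-End identifiers.
# Messages are built in memory; no Diameter peer is contacted.
import itertools
import secrets
import struct
import time

CER, DWR = 257, 280          # Capabilities-Exchange-Request, Device-Watchdog-Request
FLAG_REQUEST = 0x80
HEADER_LEN = 20

# Hop-by-Hop: monotonically increasing from a randomly chosen start value.
_hop_by_hop = itertools.count(secrets.randbits(32))


def next_hop_by_hop() -> int:
    return next(_hop_by_hop) & 0xFFFFFFFF


def new_end_to_end(now: float = None) -> int:
    """Upper 12 bits = low 12 bits of the current time, lower 20 bits random."""
    t = int(time.time() if now is None else now)
    return ((t & 0xFFF) << 20) | secrets.randbits(20)


def build_request(code: int, app_id: int = 0, h2h: int = None, e2e: int = None,
                  avps: bytes = b"") -> bytes:
    """Serialize a Diameter request header followed by already-encoded AVPs.

    Header: version(1) length(3) | flags(1) command-code(3) | application-id(4)
            | hop-by-hop(4) | end-to-end(4), all big-endian.
    """
    h2h = next_hop_by_hop() if h2h is None else h2h
    e2e = new_end_to_end() if e2e is None else e2e
    length = HEADER_LEN + len(avps)
    return struct.pack("!IIIII", (1 << 24) | length, (FLAG_REQUEST << 24) | code,
                       app_id, h2h, e2e) + avps


def parse_header(msg: bytes) -> dict:
    """Split the 20-byte Diameter header into its fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("short Diameter header")
    w0, w1, app_id, h2h, e2e = struct.unpack("!IIIII", msg[:HEADER_LEN])
    return {"version": w0 >> 24, "length": w0 & 0xFFFFFF, "flags": w1 >> 24,
            "code": w1 & 0xFFFFFF, "app_id": app_id, "h2h": h2h, "e2e": e2e}


def zero_id_problems(msg: bytes) -> list:
    """Flag request identifiers that are 0, which cannot be unique across requests."""
    h = parse_header(msg)
    problems = []
    if h["flags"] & FLAG_REQUEST:
        if h["h2h"] == 0:
            problems.append("hop-by-hop identifier is 0")
        if h["e2e"] == 0:
            problems.append("end-to-end identifier is 0")
    return problems


if __name__ == "__main__":
    buggy = build_request(CER, h2h=0, e2e=0)      # what the bug puts on the wire
    print("buggy CER:", parse_header(buggy), zero_id_problems(buggy))
    fixed = build_request(DWR)
    print("fixed DWR:", parse_header(fixed), zero_id_problems(fixed))
```

The same parse_header/zero_id_problems pair can be run over the first 20 bytes of each request in a packet capture from the BIG-IP to a peer to confirm whether the deployed iRule workaround is actually rewriting the identifiers.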
727191-4 : Invalid arguments to run sys failover do not return an error
Component: TMOS
Symptoms:
If an invalid device name is used in the sys failover command, the rejected device name is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.
Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.
Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name
Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.
Workaround:
There is no workaround.
726734-2 : DAGv2 port lookup stringent may fail
Component: Local Traffic Manager
Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.
Conditions:
Active FTP with mirroring enabled.
Impact:
Connection cannot get established.
Workaround:
There is no workaround other than to disable mirroring.
726665-1 : tmm core dump due to SEGFAULT
Component: Policy Enforcement Manager
Symptoms:
tmm core dump due to SEGFAULT.
Conditions:
System under network load. The other conditions required to reproduce this are unknown, but they indicate a potential memory-handling issue.
Impact:
The blade reboots resulting in failover. Traffic disrupted while tmm restarts.
Workaround:
None.
726518-5 : Tmsh show command terminated with CTRL-C can cause TMM to crash.
Component: Local Traffic Manager
Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]
Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
-- The command is terminated by the client with CTRL-C, aborting the connection.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not terminate tmsh show commands with CTRL-C.
726416-1 : Physical disk HD1 not found for logical disk create
Component: TMOS
Symptoms:
The blade error 'Physical disk HD1 not found for logical disk create' is observed when bigstart restart happens on primary blade of chassis-based systems using solid state drives (SSD).
/var/log/ltm shows messages similar to the following:
-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_logical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: logical_disk create received: name[HD1] media[general_use_ssd]
-- localhost.localdomain err chmand[25459]: 012a0003:3: Physical disk HD1 not found for logical disk create
-- localhost.localdomain debug chmand[25459]: 012a0007:7: mcp_physical_disk mcp_create received
-- localhost.localdomain debug chmand[25459]: 012a0007:7: physical_disk create received: serial number[S3F3NX0K810723] name[HD1]
and/or
err chmand[4712]: 012a0003:3: Physical disk HD1 not found for logical disk create
ltm log implies that logical disk create is requested before physical disk creation.
Conditions:
This occurs on chassis-based systems (more than one blade) using SSD, when bigstart restart happens on primary blade.
Impact:
The system posts the following error under ltm log:
err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create.
When the system posts this error, it skips two API calls that update DiskInfo and disk wearout information.
This message is benign and can be safely ignored.
Workaround:
There is no workaround.
726319-3 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
Component: Local Traffic Manager
Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:
err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.
Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.
This may occur intermittently depending on timing conditions.
Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.
Workaround:
None.
726011-1 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
Component: Policy Enforcement Manager
Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.
Conditions:
If the PEM classification tokens do not change.
Impact:
Time-based actions such as insert content may not get applied to such flows.
Workaround:
None.
725950-1 : Regcomp() leaks memory if passed an invalid regex.
Component: TMOS
Symptoms:
Because of a memory leak, big3d's memory usage increases over time.
Conditions:
An invalid expression is passed to regcomp().
Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory.
Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
725887-2 : BD crash on specific scenario
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- Specific traffic conditions.
-- A loaded system.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
725792-2 : BWC: Measure log-publisher if used might result in memory leak
Component: TMOS
Symptoms:
When Measure is used in BWC with log publisher defined, it might result in a memory leak in tmm.
Conditions:
-- BWC dynamic policy is configured.
-- Measure is enabled.
-- Log-publisher is defined.
Impact:
Memory leak in errdef.
Workaround:
There is no workaround other than not to enable Measure in the BWC dynamic policy.
725646-6 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
Component: TMOS
Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly.
/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...
system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...
/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...
Conditions:
This issue occurs intermittently in the following scenario:
1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing the terminal.
Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.
Workaround:
Restart tmsh if the problem occurs.
To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.
725620 : Corrupted HSB RQM configuration causes HSB receive failures on 5000s/5200v, 5050s/5250v/5250v-F platforms
Component: TMOS
Symptoms:
In rare cases, the HSB RQM queue configuration becomes corrupted, which leads to HSB receive failures. In some cases, all queues above 64 are disabled, although the lower queues are configured and enabled with no packet drops. In other cases, all queues are disabled.
Conditions:
-- Using 5000s/5200v, 5050s/5250v/5250v-F platforms.
-- Specific conditions under which this occurs have not been reproduced.
Impact:
The receive failure leads to HSB lockup, and will impact traffic.
Workaround:
Reboot to recover, or disable ePVA to avoid lockup at the cost of some performance degradation.
725592 : Outgoing RIP advertisements may have incorrect source port
Component: Local Traffic Manager
Symptoms:
TMM may change the source port of Routing Information Protocol (RIP) packets sent by ripd to something other than port 520. Neighbor routers will not accept these packets and RIP routing will not work.
If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.
Conditions:
-- Multiple TMM instances.
-- RIP routing configured.
-- After reboot.
Impact:
Dynamic routing using RIP does not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.
Workaround:
Delete the sys connection for RIP; the new connection is expected to use the correct port.
725427 : OPT-0036-01 does not report DDM tx power alarms or tx power warnings
Component: TMOS
Symptoms:
The OPT-0036 optic does not report Tx alarms or warnings. The optic does report transmit power readings, but does not generate warnings or alarms if the transmit readings are outside the threshold ranges. OPT-0036-01 does not support SFF-8636.
Conditions:
-- Hardware using this optic:
- vendor-oui 00176a
- vendor-partnum OPT-0036
- vendor-revision 01
-- DDM is enabled.
Impact:
OPT-0036-01 does not report DDM transmit alarms or warnings.
Workaround:
DDM Receive power alarms and warnings are correctly reported. You can view the transmit power readings and thresholds to manually determine if the power is outside the DDM transmit threshold values.
Note: When the OPT-0036 is disabled, the transmit laser is disabled and the transmit power is 0 mW.
724994-1 : API requests with 'expandSubcollections=true' are very slow
Component: TMOS
Symptoms:
Submitting an iControl REST query with the option 'expandSubcollections=true' takes significantly longer to return than one without that option. For example, the query 'https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true' takes significantly longer than the query 'https://localhost/mgmt/tm/ltm/virtual'.
Conditions:
Submitting a query using expandSubcollections=true.
Impact:
The response takes significantly longer to return.
Workaround:
The additional processing time occurs because the 'expandSubcollections' parameter fetches all the related associated elements. You can use the following alternative to retrieve the virtual server configuration:
1. Run the following query:
GET mgmt/tm/ltm/virtual
2. Obtain the list of virtual servers by:
2a. parsing either the selfLink or the fullPath properties in the response items array, where the response is from step 1.
2b. writing an iControlLX worker that does this.
Note: Writing a worker abstracts the parsing logic into a user-defined endpoint. It provides API access to the data.
3. Iterate over the virtual servers querying each with the option 'expandSubcollections=true'.
724906-2 : sasp_gwm monitor leaks memory over time
Component: Local Traffic Manager
Symptoms:
The memory usage of the Server/Application State Protocol (SASP) monitor process, sasp_gwm, slowly increases over time.
Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.
Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.
Workaround:
Periodic restarts of the sasp_gwm process prevent the growth from affecting the system.
724746-2 : Incorrect RST message after 'reject' command
Component: Local Traffic Manager
Symptoms:
BIG-IP sends RST containing "Internal error in tcpproxy invalid state for repick" instead of correct "iRule execution (reject command)".
Conditions:
Virtual server with an HTTP profile, and an iRule using the 'reject' command.
Impact:
Investigating RST causes may be confusing.
Workaround:
There is no workaround at this time.
724706 : iControl REST statistics request causes CPU spike
Component: TMOS
Symptoms:
BIG-IQ makes iControl REST requests to BIG-IP systems to get statistics. Regardless of the page size setting, the request causes the CPU to spike to 100% utilization.
Conditions:
An iControl REST API request from a BIG-IQ device for a few stats for an object on a BIG-IP system.
Note: A request for a single statistic usually does not cause a spike.
Impact:
Frequent requests by BIG-IQ for stats cause repeated spikes.
Workaround:
None.
724571-3 : Importing access profile takes a long time
Component: Access Policy Manager
Symptoms:
It takes a long time for the 'Apply Access Policy' link to show up on the admin UI after importing an access profile.
Conditions:
-- Access policy with many macros.
-- The exported profile is imported multiple times with Reuse Existing Objects checked.
-- As the number of imports increases, so does the latency.
Impact:
The imported access policy takes a long time to be imported and ready to use.
Workaround:
None.
723658 : TMM core when processing an unexpected remote session DB response.
Component: Carrier-Grade NAT
Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.
The system writes messages to /var/log/tmm* similar to the following:
notice CDP: exceeded 1/2 timeout for PG 1
notice CDP: PG 1 timed out
notice CDP: New pending state 0f -> 0d
notice Immediately transitioning dissaggregator to state 0xd
notice cmp state: 0xd
notice CDP: New pending state 0d -> 0f
...
notice cmp state: 0xf
notice CDP: exceeded 1/2 timeout for PG 1
Conditions:
-- An LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
723579-3 : OSPF routes missing
Component: TMOS
Symptoms:
When a newer link-state advertisement (LSA) (with a greater sequence number) comes in, Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertexes. If the discard happens during such a suspend, then after the calculation resumes, the discarded LSAs are ignored, which can cause routes to become unreachable and eventually be withdrawn.
Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.
Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.
Workaround:
There is no workaround.
723306-5 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
Component: Local Traffic Manager
Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:
01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.
Conditions:
Creating an internal virtual server when a 0.0.0.0 address exists on another partition.
Impact:
The configuration cannot be loaded once the internal virtual server has been created.
Workaround:
Create the internal virtual server first; then create the 0.0.0.0 address on the other partition.
723112 : LTM policies do not work if a condition has more than 127 matches
Component: Local Traffic Manager
Symptoms:
LTM policies do not work if the number of matches for a particular condition exceeds 127.
Conditions:
LTM policy that has a condition with more than 127 matches.
Impact:
LTM policy does not match the expected condition.
Workaround:
There is no workaround at this time.
723111 : mailx is blocked by SELinux Policy
Component: TMOS
Symptoms:
The mail command is not functional with the SELinux Policy.
Conditions:
Using mailx to send mail.
Impact:
Cannot use mailx to send mail. This is a function of the SELinux Policy, which does not allow execution of the mailx commands.
Workaround:
To work around this issue, you can configure the BIG-IP system to communicate with an SMTP mail server using the method appropriate for your BIG-IP version. For specific procedures, see K3667: Configuring alerts to send email notifications :: https://support.f5.com/csp/article/K3667.
723095-1 : tmsh "modify gtm pool <type> all ... " commands fail
Component: Global Traffic Manager (DNS)
Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)
or
01020036:3: The requested Pool (<type> /Common/poolname) was not found.
Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.
or
Attempting to use the command "tmsh modify gtm pool <type> all <attribute>", for example "tmsh modify gtm pool a all enabled"
Impact:
Unable to apply a single tmsh command to all pools of a given type.
Workaround:
There is no workaround at this time, other than to apply the command individually to each pool.
722919 : Memory leak when using SP-DAG and a small LSN pool.
Component: Carrier-Grade NAT
Symptoms:
High memory usage by objects of type cmp. Using SP-DAG and a small Large Scale NAT (LSN) pool, some TMMs may not have any local translation addresses. If connections are routed out a VLAN that has cmp-hash src-ip, a small amount of memory may be leaked.
Conditions:
-- Using SP-DAG.
-- Using small LSN pools.
-- Having TMMs that do not have any local translation addresses.
-- Connections are routed out a VLAN that has cmp-hash src-ip.
Impact:
A small amount of memory may be leaked. The aggressive sweeper might kill connections. TMM may crash. Traffic disrupted while tmm restarts.
Workaround:
Using the default DAG with small LSN Pools gives all TMMs local translation endpoints.
To prevent the leak, allow only VLANs with cmp-hash dst-ip in the LSN pool egress interface list.
722741-4 : Damaged tmm dns db file causes zxfrd/tmm core
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd/tmm cores on startup.
Conditions:
Damaged tmm dns db file.
Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.
Workaround:
Delete the damaged db files.
722647-1 : The configuration of some of the Nokia alerts is incorrect
Component: TMOS
Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.
Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.
Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.
Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.
722534-4 : load sys config merge not supported for iRulesLX
Component: Local Traffic Manager
Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:
# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"
Conditions:
The configuration being merged contains iRulesLX.
Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.
Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.
721740-3 : CPU stats are not correctly recorded when snapshot files have timestamps in the future
Component: TMOS
Symptoms:
One symptom is that a message similar to the following comes out in the log files frequently.
May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available. Merged CPU stats will be 0.
Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.
Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.
Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.
721579-1 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing
Component: Carrier-Grade NAT
Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.
Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.
Impact:
lsndb shows misleading stats.
Workaround:
There is no workaround at this time.
721571-3 : State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade★
Component: Local Traffic Manager
Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x or 14.x software versions in a high-availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.
Conditions:
-- The HA configuration is one of the following:
+ The active system is running v12.1.3.x, and the standby system is running v13.x or v14.x, as a result of an in-progress upgrade.
+ The active system is running v13.x or v14.x and the standby system is running v12.1.3.x.
-- State mirroring configured on two or more BIG-IP systems.
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
Impact:
TMM may crash on a standby system during upgrade.
This issue should not disrupt traffic, because the TMM is coring only on the standby unit.
Workaround:
To work around this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x or v14.x, or complete the upgrade of both devices to v13.x or v14.x.
1. You can disable mirroring using either the GUI or the command line.
1a. In the GUI: -- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.
1b. From the command-line: -- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config
Important: This action results in connection state loss on failover.
2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IP addresses removed previously.
Note: F5 recommends that BIG-IP systems in HA configurations run with the same software version on all devices.
721020-4 : Changes to the master key are reverted after full sync
Component: TMOS
Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when a full sync of any device group is performed. The master key is reset to its previous value.
Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.
Impact:
Subsequent configuration loads fail on the device.
Workaround:
There is no workaround.
720588 : Pages not loading correctly when AJAX response page is enabled
Component: Application Security Manager
Symptoms:
Enabling AJAX response page may prevent assets from loading properly due to a conflict with back-end JavaScript.
Browser console shows errors such as:
Uncaught TypeError: Cannot read property 'readyState' of undefined.
Conditions:
-- AJAX response page is enabled.
-- Back-end JavaScript conflicts with ASM JavaScript.
Impact:
Content within pages may fail to load.
Workaround:
None.
720581-3 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
Component: Application Security Manager
Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.
Conditions:
Policy Merge is used to add an XML Profile that contains a schema file from one policy to another.
Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.
Workaround:
None.
719770-4 : tmctl -H -V and -l options without values crashed
Component: TMOS
Symptoms:
When the -H, -V or -l options were passed to tmctl without a following value, then tmctl crashed.
Conditions:
Use one of these options without the required value.
Impact:
Core file. No other impact.
Workaround:
Be sure to pass the required value with these options.
719555-1 : Interface listed as 'disable' after SFP insertion and enable
Component: TMOS
Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.
Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.
Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.
Workaround:
This issue is cosmetic; the interface is functional so it may be used.
To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface
719241 : Using custom DNS servers on the Azure VNet with the missing 168.63.129.16 causes Waagent provisioning failure.
Component: TMOS
Symptoms:
During the BIG-IP or BIG-IQ system boot-up, waagent is unable to get a response from the intended wire server endpoint, which stops it from running custom script extensions. This happens because of the missing route to the Azure virtual public IP address of 168.63.129.16.
The /var/log/waagent.log file contains error messages similar to the following:
-- INFO Protocol endpoint not found: WireProtocol, [ProtocolError] [Wireserver Exception] [HttpError] [HTTP Failed] GET http://n.n.n.n,n.n.n.n/?comp=versions -- IOError [Errno -3] Temporary failure in name resolution -- 6 attempts made
Conditions:
-- BIG-IP or BIG-IQ system is deployed in Azure VNet with a custom DNS server.
-- The DHCP server has assigned a classless-static-route in its dhclient lease (/var/lib/dhclient/dhclient.leases) which contains a custom route to 168.63.129.16.
Impact:
Waagent custom script extensions do not complete, failing the BIG-IP or BIG-IQ provisioning that waagent intends to perform during startup.
Workaround:
Add 168.63.129.16 route on mgmt interface during BIG-IP or BIG-IQ system initialization to facilitate correct waagent custom script extension execution.
718867-3 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades★
Component: Local Traffic Manager
Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).
Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.
Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.
Workaround:
Reset the variable's custom value after upgrade.
718800-3 : Cannot set a password to the current value of its encrypted password
Component: TMOS
Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':
modify auth user <username> encrypted-password password
Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):
modify auth user <username> password password
Conditions:
Changing a password to the value of encrypted-password.
Impact:
It is difficult to recover from this situation, because simply changing the password to the correct value does not work.
(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)
Workaround:
First, change the password to something else. Then, change it back to the correct value.
718790-5 : Virtual Server reports unavailable and resets connection erroneously
Component: Local Traffic Manager
Symptoms:
A Virtual Server will respond to client SYN packets with RST and note an internal F5 reset cause of "VIP disabled (administrative)" despite having resources available or fallback functionality configured.
Conditions:
There are a number of different scenarios where this can occur:
1. All pool members are marked administratively down, and an HTTP profile and Fallback Host are configured.
2. All pool members are marked administratively down, and an iRule is configured to select a different, available pool.
3. Pool members are available, but the pool member status was modified by a ConfigSync operation.
Impact:
Client traffic is rejected by the virtual server despite its ability to successfully handle the traffic.
Workaround:
There are different workarounds based on the scenario:
1. If all pool members are marked administratively down, ensure that at least one pool member is in a different state (Available, Offline, etc.).
2. If one or more pool members are available and a ConfigSync operation caused the behavior, fail over to the Standby BIG-IP and reboot the affected BIG-IP.
718232-1 : Some FTP servers may cause false positive for ftp_security
Component: Application Security Manager
Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.
Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.
Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.
Workaround:
There is no workaround at this time.
718230-5 : Attaching a BIG-IP monitor type to a server with already defined virtual servers is not prevented
Component: TMOS
Symptoms:
In certain circumstances, attaching a BIG-IP monitor type to a non-BIG-IP server with already defined virtual servers is allowed by the system when it should not be allowed.
Conditions:
Attempting to attach a BIG-IP monitor type to a non-BIG-IP server.
Impact:
The BIG-IP monitor can be added to a non-BIG-IP server without error. This causes a configuration load error, such as after a reboot, tmm restart, or tmsh load sys config, and results in an error message such as:
-- localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all gtm-only" - failed. -- Loading schema version: 12.1.3 Loading schema version: 12.1.5.1 01071033:3: Server (/Common/generic_server_object) contains monitor (/Common/bigiptest) which is an invalid type. Unexpected Error: Loading configuration process failed.
Workaround:
None.
717909-2 : tmm can abort on sPVA flush if the HSB flush does not succeed
Component: Advanced Firewall Manager
Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm flushes the sPVA. If the operation does not succeed, the system can wait for 10 seconds, which might cause an abort due to heartbeat failure, and tmm crashes.
Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).
Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
717806-5 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.
Impact:
No performance impact.
Workaround:
None.
717346-4 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
Solution Article: K13040347
Component: Local Traffic Manager
Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.
Conditions:
This occurs rarely; an unstable network could be one of the causes.
Impact:
Cannot use stats for troubleshooting.
Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket
717113-1 : It is possible to add the same GSLB Pool monitor multiple times
Component: Global Traffic Manager (DNS)
Symptoms:
After adding a monitor in the Web GUI and updating, the monitor does not get removed from the Available list and can be added again.
Conditions:
This issue affects the GSLB Pool create and properties pages.
Impact:
The impact is only for those adding the monitor. No extra system resources are used when adding multiple identical monitors to a pool.
Workaround:
None.
716952-3 : With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.
Component: Local Traffic Manager
Symptoms:
When TCP Nagle is enabled, the data sent from the server is handled by the SSL filter to offload data processing. The SSL filter forwards the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message to the TCP4 filter. Because Nagle is enabled, this leaves the last offloaded packet 'stuck' in the TCP4 filter.
Conditions:
-- Nagle is enabled.
-- SSL filter is in the chain.
Impact:
The last data packet waits until all other packets have been ACKed.
Workaround:
None.
716701-2 : In iControl REST: Unable to create Topology when STATE name contains space
Component: Global Traffic Manager (DNS)
Symptoms:
Cannot use iControl REST to create topology records when whitespace exists in a STATE name.
Conditions:
STATE name contains a space (e.g., New Mexico).
Impact:
Unable to create a topology record using iControl REST.
Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.
716492-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.
Solution Article: K59332523
Component: Local Traffic Manager
Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.
Conditions:
TSO packet length exceeds the rateshaper's configured max ceiling.
Impact:
The flow stalls. Subsequent flows cannot go to the rateshaper from that particular tmm.
Workaround:
If you are running BIG-IP software v12.1.3.2 (or later) or v13.1.0(.x), you can use the following workaround:
There is a sys db variable called 'rateshaper.cmpdivide', which is enabled by default. When enabled, the system internally divides the bandwidth (rate/ceiling/burst) between the available tmm cores. If this issue occurs, set 'rateshaper.cmpdivide' to enabled.
There is no workaround for other versions.
715756-3 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
Component: Local Traffic Manager
Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.
Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.
Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.
Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.
715061-1 : TMM may crash and produce a core file on a vCMP guest when the guest is being shut down from the host.
Component: TMOS
Symptoms:
TMM on a vCMP guest may crash and produce a core file when the guest is being shut down from the host system.
Conditions:
The vCMP guest is being shut down by an Administrator from the host system.
Impact:
Because the vCMP guest is in the process of being shut down, there is no impact to application traffic. However, the core file may take up disk space on the vCMP guest.
Workaround:
To mitigate the disk space problem, manually delete the core file from the /var/core directory once the vCMP guest is brought back on-line.
714704 : ICMP unreachable messages sent only from active to standby
Component: Advanced Firewall Manager
Symptoms:
When the self IP has a firewall rule to reject ICMP unreachable messages, those messages are sent from active to standby but not from standby to active.
This is correct behavior, but v13.x might show ICMP unreachable messages sent from standby to active along with those from active to standby.
Conditions:
-- AFM firewall rule is applied to the self IP as reject ICMP unreachable messages.
-- Active/standby high availability (HA) cluster.
Impact:
No functional impact. ICMP unreachable messages not showing has no effect on BIG-IP system functionality.
Note: A configuration that blocks traffic on self IPs with a firewall rule but still expects ICMP unreachable messages is not valid, and HA will not work with it.
Workaround:
There is no workaround.
714642-5 : Ephemeral pool-member state on the standby is down
Component: Local Traffic Manager
Symptoms:
On a standby BIG-IP system, the ephemeral pool members' state remains user-down after re-enabling an FQDN node on the primary system.
Conditions:
Re-enabling a forced-down FQDN node on the primary system.
Impact:
On the standby system, the ephemeral pool members are in state user-down (forced-down in the GUI).
Workaround:
None.
714626-1 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
Component: TMOS
Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.
Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Licensing (or revoking the license of) the BIG-IP system through the GUI or tmsh is not possible, because communication with the license server fails.
Impact:
The --proxy option of SOAPLicenseClient is required in order to license, reactivate the license, or revoke the license of the BIG-IP system.
Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:
/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck
714507-4 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
Component: Global Traffic Manager (DNS)
Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool
Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.
Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
# tmsh save sys config gtm-only
Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1
714503-3 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
Component: Local Traffic Manager
Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the .tcl extension. The system will do that for you.
714495-3 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
Component: Local Traffic Manager
Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).
Conditions:
Creating a new iRulesLX iRule in TMSH.
Impact:
Cannot view or delete the iRule from the iRulesLX GUI.
Workaround:
Do not name rules with the '.tcl' extension.
714384-5 : DHCP traffic may not be forwarded when BWC is configured
Component: Local Traffic Manager
Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.
Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.
Impact:
DHCP traffic may not be forwarded.
Workaround:
There is no workaround other than to remove the BWC policy.
714198 : Mcpd is blocked when executing the tmsh command 'tmsh -a show net arp all'
Component: TMOS
Symptoms:
Mcpd/tmm stops responding to the query sent from tmsh for
'tmsh -a show net arp all'.
Conditions:
This can occur when executing the command 'tmsh -a show net arp all'.
Impact:
Mcpd becomes blocked and you are unable to run other commands, such as qkview.
Workaround:
None.
713947-3 : stpd repeatedly logs "hal sendMessage failed"
Component: TMOS
Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed"
Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.
Impact:
All BIG-IP blades
Workaround:
No workaround except to ignore log messages - they are spurious and have no ill effect on the system besides log spam.
713708-3 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
Component: TMOS
Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.
Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.
Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.
Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.
713629-1 : Applying firewall policy to self-ip can cause tmm crash
Component: Advanced Firewall Manager
Symptoms:
Applying a firewall policy to a self-ip can cause a tmm crash. This is due to an uninitialized local variable that causes memory corruption at a stat memory location.
Conditions:
No specific condition is required; this can happen in any config. However, it should be a very rare occurrence.
Impact:
Temporary traffic disruption while tmm restarts.
Workaround:
There is no workaround. Tmm should recover automatically and function normally.
713585-1 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
Solution Article: K31544054
Component: Local Traffic Manager
Symptoms:
Config load could be very long and CPU usage very high.
Conditions:
There are many iRules and they are installed on many virtual servers.
Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.
Workaround:
Run "tmsh modify sys db rule.validation value syntax". This causes iRule validation to check iRule syntax only; the semantic checks are not performed.
713519-3 : Enabling MCP Audit logging does not produce log entry for audit logging change
Component: TMOS
Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.
Conditions:
This occurs when enabling MCP audit logging.
Impact:
The audit logging change itself is not logged in the audit logs.
Workaround:
None.
713283-2 : Missing transaction count in application security report under view by IP Intelligence
Component: Application Visibility and Reporting
Symptoms:
Transactions without an IP reputation threat are not listed on application security reports when viewed by IP Intelligence.
Conditions:
-- All transactions without an IP reputation threat.
-- Application security reports.
Impact:
Transaction count statistics are missing.
Workaround:
None.
713138 : TMUI ILX Editor inserts an unnecessary linefeed
Component: TMOS
Symptoms:
If you use the TMUI editor for ILX, the system appends a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.
A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.
Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).
Impact:
File contents can change unexpectedly and have needless characters at the end.
Workaround:
Use TMSH or an editor other than TMUI to change those files.
713134-3 : Small tmctl memory leak when viewing stats for snapshot files
Component: TMOS
Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:
tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>
Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access
Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).
Workaround:
None.
712542-1 : Network Access client caches the response for /pre/config.php
Component: Access Policy Manager
Symptoms:
The Network Access client caches the response for /pre/config.php.
Conditions:
-- APM is provisioned.
-- Network Access is configured.
Impact:
Caching the response for /pre/config.php might reveal configuration information. However, a URL is public information by definition. The only sensitive information revealed are server names, which have to be revealed in order for the client to know where to connect.
Workaround:
None.
712500-2 : Unhandled Query Action Drops Stat does not increment after transparent cache miss
Component: Global Traffic Manager (DNS)
Symptoms:
After a transparent cache miss, if the LTM DNS profile has Unhandled Query Action set to Drop, the request is dropped without incrementing the Unhandled Query Action Drops stat.
Conditions:
LTM DNS profile with a Transparent Cache and Unhandled Query Action set to Drop.
Impact:
Inaccurate statistics for the Unhandled Query Action Drops
Workaround:
None.
712489-3 : TMM crashes with message 'bad transition'
Component: Local Traffic Manager
Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition
Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.
Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
712321 : Missing reference to customization-group from connectivity profile if created via network access wizard
Component: Access Policy Manager
Symptoms:
Connectivity profile generated from the use of network access wizard will not contain a reference to a customization-group.
Conditions:
Use the network access wizard to create configuration objects.
Impact:
There is no functional impact since customization is not actually used for connectivity group.
Workaround:
Configure the connectivity profile object manually from tmui (GUI) or tmsh (command line) rather than via the wizard. Then, on the virtual server, replace the wizard-created connectivity profile with the manually created one.
712266-2 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
Component: TMOS
Symptoms:
Messages like the following may show up in /var/log/ltm:
-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.
This occurs because the decompression of large compressed data failed.
Conditions:
This issue occurs when compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.
Impact:
Requests fail with a connection reset.
Workaround:
Use zlib software decompression.
712241-1 : A vCMP guest may not provide guest health stats to the vCMP host
Component: TMOS
Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision
These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.
These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest
Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.
Impact:
There is no functional impact to the guests or to the host, other than these lost tables.
-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
/var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.
Workaround:
There is no workaround at this time.
712033-1 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
Component: TMOS
Symptoms:
When you make a REST request to an association list in /stats, you get a duplicate name in the selfLink after 'members' in both the entries and the selfLink, e.g.:
# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
"kind": "tm:ltm:pool:members:membersstats",
"generation": 3,
"selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
"entries": {
"https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {
Conditions:
When making a REST request to an object in /stats that is an association list.
Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.
Workaround:
None.
711879 : Web GUI can sometimes display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.
Component: TMOS
Symptoms:
The web GUI displays an incorrect value for cert and key for a GTM monitor.
Conditions:
The GTM monitor has the same name as an LTM monitor.
Impact:
Incorrect data can be presented regarding the GTM monitor's cert and key.
Workaround:
Use TMSH to display the correct cert and key.
711818-1 : Connection might get reset when coming to virtual server with offload iRule
Component: Application Security Manager
Symptoms:
When the IN_DOSL7_ATTACK event is triggered, and the iRule has an async command in it, events might be released out of order, causing a connection RST.
Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.
Impact:
Connection receives a RST.
Workaround:
There is no workaround at this time.
711683-4 : bcm56xxd crash with empty trunk in QinQ VLAN
Component: TMOS
Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.
Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.
Impact:
bcm56xxd continuously crashes.
Workaround:
Use either of the following workarounds:
-- Add members to the trunk.
-- Remove the trunk from the QinQ VLAN.
711158-1 : Admin user roles automatically demoted to guest
Component: TMOS
Symptoms:
Newly created admin users are immediately demoted to guest.
Conditions:
-- A sync-failover device group exists.
-- The REST framework's 'gossip' mechanism is configured.
-- Create a new admin user using a command similar to the following examples:
tmsh
-----
tmsh create auth user test123 password **** partition-access add { all-partitions { role admin } }
GUI
-----
via WebUI System menu :: Users
User Name: test123
Password: **** Confirm: ****
Role: Administrator Partition: All
Click Finish button
Note: Correct REST framework 'gossip' mechanism configuration should occur automatically, but might not be ready. You can confirm whether this is the case by running the following command: restcurl shared/resolver/device-groups/tm-shared-all-big-ips/devices. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.
Impact:
In a few seconds, the newly created admin user account reverts to a guest role. User does not have the expected admin access.
Workaround:
On the primary BIG-IP system, do the following:
1. Disable failover by running the following command:
restcurl -X PATCH tm/shared/bigip-failover-state -d '{"isEnabled": false}'
2. Clear REST devices from the device group by running the following command:
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-big-ips/devices
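A small added check (example code, not F5's) for the readiness condition described in the note above: it parses the JSON that the restcurl device-group query returns and reports devices that are missing from the group or that disagree on 'version' or 'restFrameworkVersion'. The collection layout (an "items" list with a hostname, version and restFrameworkVersion per device) is assumed, and the sample document, hostnames and version strings are constructed.

```python
import json

# Constructed sample, assumed to follow the iControl REST collection layout
# (an "items" list of device records) that
# `restcurl shared/resolver/device-groups/tm-shared-all-big-ips/devices`
# returns. Hostnames and version strings are made up for this example.
SAMPLE_DEVICES_JSON = """
{
  "items": [
    {"hostname": "bigip-a.example.test", "version": "12.1.5.3",
     "restFrameworkVersion": "12.1.5.3-0.0.5", "state": "ACTIVE"},
    {"hostname": "bigip-b.example.test", "version": "12.1.5.3",
     "restFrameworkVersion": "12.1.5.2-0.0.6", "state": "ACTIVE"}
  ]
}
"""


def check_gossip_consistency(devices_json, expected_hostnames):
    """Return a list of problems; an empty list means the REST device group
    looks ready: every expected device is present, and all devices share one
    'version' and one 'restFrameworkVersion'."""
    data = json.loads(devices_json)
    items = data.get("items", [])
    problems = []

    # Every device of the sync-failover group must be listed.
    present = {d.get("hostname") for d in items}
    missing = sorted(set(expected_hostnames) - present)
    if missing:
        problems.append("devices missing from tm-shared-all-big-ips: "
                        + ", ".join(missing))

    # Both version fields must carry exactly one distinct value.
    for field in ("version", "restFrameworkVersion"):
        values = sorted({str(d.get(field)) for d in items})
        if len(values) != 1:
            problems.append("'%s' differs across devices: %s"
                            % (field, ", ".join(values)))

    return problems


if __name__ == "__main__":
    expected = ["bigip-a.example.test", "bigip-b.example.test"]
    for problem in check_gossip_consistency(SAMPLE_DEVICES_JSON, expected):
        print("NOT READY:", problem)
```

Feed the function the raw output of the restcurl command and the hostnames of all devices in the sync-failover device group; create the admin user only once it returns an empty list.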
711056-3 : License check VPE expression fails when access profile name contains dots
Component: Access Policy Manager
Symptoms:
License Check Agent always flows down fallback branch. Logs show the following pattern:
-- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.
-- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"
Conditions:
-- Access profile contains '.' (dot) characters in its name.
-- License Check agent is used in the VPE to check against profile license.
Impact:
License check always fails, resulting in denied logon.
Workaround:
Use a different policy name without '.' characters.
710996-1 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
Component: Local Traffic Manager
Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
-- IPv4 traffic is sourced from the cluster IP.
-- IPv6 traffic is sourced from the cluster member IP.
Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.
Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.
Workaround:
There is no workaround at this time.
710841 : 12.1.3.3 feature refinement might be lost after upgrade★
Component: TMOS
Symptoms:
If you upgrade from 12.1.3.3 (or later) to 13.1.0 or 13.1.0.1, you will lose the VE-specific 12.1.3.3 feature refinements you gained.
Conditions:
Upgrade from 12.1.3.3 (or later) to 13.0.x, 13.1.0, or 13.1.0.1.
Impact:
Feature refinement provided in 12.1.3.3 will be lost after upgrade. Other functionality is unaffected.
Workaround:
Only upgrade from 12.1.3.3 or later to 13.1.0.2 or later.
710809-6 : Restjavad hangs and causes GUI page timeouts
Component: Device Management
Symptoms:
Restjavad stops responding, causing GUI page timeouts.
Conditions:
The conditions behind this issue are not known.
Impact:
restjavad is active, but all endpoints are nonresponsive.
Workaround:
Restart restjavad.
710410-1 : TMM hardware accelerated compression not registering for all compression levels.
Component: TMOS
Symptoms:
DEFLATE/gzip compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.
Conditions:
-- Compression requests for DEFLATE/gzip levels other than level 1.
-- BIG-IP devices using Cave Creek SSL hardware acceleration.
Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.
Workaround:
None.
710044-1 : Portal Access: same-origin AJAX request may fail in some case.
Component: Access Policy Manager
Symptoms:
If the base URL of the current HTML page contains the default port number, a same-origin AJAX request from this page may fail via Portal Access.
Conditions:
- HTML page with an explicit default port in its base URL, for example:
    <base href='https://some.com:443/path/'>
- Same-origin AJAX request from this page, for example:
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'some.file');
Impact:
Web application may not work correctly.
Workaround:
It is possible to use an iRule to remove the default port number from the encoded back-end host definition in Portal Access requests, for example:
when RULE_INIT {
    # hex-encoded string for 'https://some.com'
    set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
    # '3a343433' is the hex-encoded form of ':443'
    set ::pattern "/f5-w-${::encoded_backend}3a343433\$"
    # indexes of the 8 hex characters that encode ':443' within the pattern
    set ::remove_end [expr { [string length $::pattern] - 2 }]
    set ::remove_start [expr { $::remove_end - 7 }]
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "$::pattern" } {
        set path [string replace [HTTP::path] $::remove_start $::remove_end ""]
        HTTP::path "$path"
    }
}
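To make the string arithmetic of the iRule workaround above easy to check offline, here is an added Python model of the same rewrite (example code, not F5's): it hex-encodes a back-end origin the way ::encoded_backend is built, reproduces the ::remove_start/::remove_end indexes, and strips an explicit default port from the encoded origin in a Portal Access path. It generalizes slightly beyond the page: it also handles http on port 80 and leaves non-default ports untouched. The path layout /f5-w-<hex origin>$/... is taken from the iRule's pattern; the sample paths are constructed.

```python
# Added example modelling the Portal Access path rewrite; not F5 code.
# Assumed layout (from the iRule's pattern): /f5-w-<hex(scheme://host[:port])>$/rest-of-path

DEFAULT_PORTS = {"https": 443, "http": 80}


def encode_backend(origin):
    """Hex-encode a back-end origin the way the iRule's ::encoded_backend is built."""
    return origin.encode("ascii").hex()


def irule_remove_indices(encoded_backend, port_hex="3a343433"):
    """Reproduce the ::remove_start/::remove_end values the iRule derives from
    its pattern: the inclusive index range of the hex-encoded ':443'."""
    pattern = "/f5-w-%s%s$" % (encoded_backend, port_hex)
    remove_end = len(pattern) - 2      # last hex char of the port, before '$'
    remove_start = remove_end - 7      # 8 hex chars encode ':443'
    return remove_start, remove_end


def strip_default_port(path):
    """Remove an explicit default port from the encoded back-end origin of a
    Portal Access path. Paths without the /f5-w- prefix, with undecodable hex,
    or whose port is not the scheme's default are returned unchanged."""
    prefix = "/f5-w-"
    if not path.startswith(prefix):
        return path
    end = path.find("$", len(prefix))
    if end < 0:
        return path
    try:
        origin = bytes.fromhex(path[len(prefix):end]).decode("ascii")
    except ValueError:          # odd length, non-hex, or non-ASCII payload
        return path
    scheme, sep, hostport = origin.partition("://")
    if not sep or ":" not in hostport:
        return path
    host, _, port = hostport.rpartition(":")
    if not port.isdigit() or int(port) != DEFAULT_PORTS.get(scheme):
        return path
    return prefix + encode_backend("%s://%s" % (scheme, host)) + path[end:]


if __name__ == "__main__":
    # Constructed request path for the page's example origin with ':443'.
    sample = "/f5-w-68747470733a2f2f736f6d652e636f6d3a343433$/path/some.file"
    start, end = irule_remove_indices(encode_backend("https://some.com"))
    print("iRule removes indexes %d..%d" % (start, end))
    print(strip_default_port(sample))
```

The iRule works with fixed indexes for one known origin, which is why it needs the pattern length arithmetic; the Python version decodes the origin instead, so the same function serves any back-end host. Tcl's `string replace` takes an inclusive index range, which is why the model slices `path[start:end + 1]` when comparing the two approaches.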
710039 : Merging config may not report syslog configuration errors
Component: TMOS
Symptoms:
A 'load sys config verify merge' may return successfully, but 'load sys config merge' without the 'verify' argument might fail.
Conditions:
Running the 'load sys config merge' without the 'verify' argument.
Impact:
A successful 'verify' might be a false positive: the syslog system is not actually configured during a 'verify', so syslog configuration errors are not reported.
Workaround:
None.
709963-4 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
Component: Local Traffic Manager
Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.
Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.
Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.
Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.
709837-3 : Cookie persistence profile may be configured with invalid parameter combination.
Component: Local Traffic Manager
Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.
Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.
Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.
Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.
709559-3 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
Component: TMOS
Symptoms:
Loading configuration fails on upgrade
Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2
Impact:
The system won't be functional
Workaround:
Delete or rename "/Common/ssh"
708968-4 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
Component: TMOS
Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.
Conditions:
- Route entry is for an IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.
Impact:
- The route entry is not created in TMM; packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- The connection between TMM and tmrouted is restarted, which is a small performance overhead.
Workaround:
- If possible, pass an IPv4 address or an IPv4-compatible IPv6 address instead of an IPv4-mapped IPv6 address; however, this depends on the other routers.
708576-1 : Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour
Component: Application Security Manager
Symptoms:
Errors may be sent in system emails once an hour due to a runtime error in the dosl7d_tcpdumps_cleaner script, which is run in an hourly cron job.
Here is an example of such an email:
From: root (Cron Daemon)
To: root
Subject: Cron <root@servername> run-parts /etc/cron.hourly
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
/etc/cron.hourly/dosl7d_tcpdumps_cleaner:
Use of uninitialized value $s in division (/) at /etc/cron.hourly/dosl7d_tcpdumps_cleaner line 111.
Conditions:
- The administrator configures the BIG-IP system to deliver locally generated email messages, or the administrator checks local emails to root, on the BIG-IP.
- The hardware supports RAID, even if RAID is not configured.
Impact:
- Email messages with errors being sent once an hour.
- DoSL7 tcpdump files may not be automatically cleaned if used in the DoS profile.
Workaround:
None
708415 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
Component: TMOS
Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.
Conditions:
-- BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.
For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:
# modify net interface 1.1 flow-control tx-rx
# show net interface 1.1 all-properties
Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.
Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.
Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.
708176 : SNMP OIDs (NA throughput) incorrect when compression is disabled
Component: Access Policy Manager
Symptoms:
SNMP OIDs related to Network Access VPN tunnel or connectivity traffic are not updated if compression is not enabled. However, the definitions for connectivity traffic make it seem like they should be updated.
Conditions:
1. Create an access policy with Network Access resource (no compression enabled). Also, connectivity profile with no compression.
2. Assign this to a virtual server.
3. Establish a VPN tunnel, and download a large file.
4. Compare the SNMP OID values before and after this large file download via VPN tunnel.
Impact:
Confusion and graphs that don't seem to show the expected traffic.
Workaround:
Turn on compression to see the stats updated.
708005-3 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
Solution Article: K12423316
Component: Access Policy Manager
Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.
Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.
Impact:
End user cannot launch VMware View resources with View HTML5 client.
Workaround:
You can use the following workarounds:
-- If you are already running Horizon 7.4, use native View clients instead.
-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.
-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:
when HTTP_REQUEST {
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata") } {
        HTTP::cookie remove "sessionDataServiceId"
    }
}
when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if { [string length $path] > 0 } {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}
Important:
-- After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the test operation may need to be executed before exhibiting successful behavior.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.
707953-1 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
Component: Access Policy Manager
Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.
Conditions:
Viewing APM and APM Lite licenses in the GUI.
Impact:
Cannot distinguish the difference in types of licenses.
Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).
707691-2 : BIG-IP handles some pathmtu messages incorrectly
Component: Local Traffic Manager
Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.
Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).
Impact:
The PMTU message is erroneously ignored.
Workaround:
There is no workaround at this time.
707320-1 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
Component: TMOS
Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and an IPv4 last-resort-pool only spawns an A-type WideIP after the upgrade.
Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.
Impact:
Loss of the AAAA-type WideIP configuration item.
Workaround:
There is no workaround at this time.
707204 : If the system has more than 264 analytics profiles, the upgrade fails.
Component: Application Visibility and Reporting
Symptoms:
If the system is upgraded from version 11.5.4-hf2 or 11.6.0-hf4 and has more than 264 analytics profiles, the upgrade fails.
Conditions:
1. The system has more than 264 different analytics profiles.
2. Upgrade from version 11.5.4-hf2, hf3, ... or from version 11.6.0-hf4, hf5, ...
Impact:
The upgrade will fail.
Workaround:
Delete analytics profiles to reduce their number before the upgrade.
706930 : "Enforce Ready" button has no effect for Signatures for Inactive Policy
Component: Application Security Manager
Symptoms:
The "Enforce Ready" button has no effect for Signatures on Inactive Policies.
Conditions:
The user accesses "Enforcement Readiness" page for an Inactive Policy.
Impact:
Pressing "Enforce Ready" button has no effect.
Workaround:
Signature Staging can be disabled from the "Application Security > Attack Signatures" page, or via REST.
706505-1 : iRule table lookup command may crash tmm when used in FLOW_INIT
Component: Local Traffic Manager
Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.
Conditions:
iRule table lookup command is used in FLOW_INIT.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use table lookup in the events after the flow is constructed.
706106-1 : PUT request sent to ltm/virtual failed because of ip-protocol property value any
Component: TMOS
Symptoms:
A PUT request to ltm/virtual fails unexpectedly because the ip-protocol property has the value any.
Conditions:
Sending a PUT request to ltm/virtual.
Impact:
The PUT request modifies the properties that the user includes in the request and resets the remaining properties to their default values.
Workaround:
Use a PATCH request instead.
704764-2 : SASP monitor marks members down with non-default route domains
Component: Local Traffic Manager
Symptoms:
The LTM SASP monitor marks down pool members whose addresses include non-default route domains.
Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:
ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}
Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.
Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.
The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.
Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must avoid configuring, for monitoring by the SASP monitor, multiple pool members whose addresses differ only in their route domain. In the case of such a configuration error, the status reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.
704176-1 : Monitor instances may not get deleted during configuration merge load
Solution Article: K22540391
Component: Global Traffic Manager (DNS)
Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.
-- err mcpd[8982]: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.
-- err mcpd[8982]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.... failed validation with error 16908342.
Conditions:
Merge a GTM config file to update a virtual server's monitor.
Impact:
There is a leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.
Workaround:
Remove the MCPD binary database on the Primary blade and restart services:
# touch /service/mcpd/forceload
# bigstart restart
Note: This might change the primary slot.
703669-3 : Eventd restarts on NULL pointer access
Component: TMOS
Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.
Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.
Impact:
Causes eventd to crash.
Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
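The read loop described above is a general pattern, not specific to eventd: a loader that treats only a short read as the end of the file hands the parser an empty buffer whenever the file length is an exact multiple of the chunk size. The following added example (not F5 code; the file contents and chunk size are constructed to match the 1024-byte description) reproduces both the faulty loop and the corrected one, and expresses the whitespace-padding workaround as a function so the boundary cases can be checked directly.

```python
import io

CHUNK_SIZE = 1024  # read size described for the /config/eventd.xml loader


def feed_until_short_read(stream, chunk_size=CHUNK_SIZE):
    """Faulty loop: a read only counts as final when it comes back shorter than
    chunk_size, so every buffer, including an empty one, is handed to the parser.
    Returns the length of each buffer the parser would receive."""
    handed_to_parser = []
    while True:
        buf = stream.read(chunk_size)
        handed_to_parser.append(len(buf))  # an empty buffer still reaches the parser
        if len(buf) < chunk_size:          # a full buffer never ends the loop
            break
    return handed_to_parser


def feed_until_eof(stream, chunk_size=CHUNK_SIZE):
    """Corrected loop: a zero-length read means EOF and is never passed on."""
    handed_to_parser = []
    while True:
        buf = stream.read(chunk_size)
        if not buf:
            break
        handed_to_parser.append(len(buf))
    return handed_to_parser


def chunk_lengths(file_size, guarded):
    """Run one of the loops over a constructed file of file_size bytes."""
    data = b"x" * file_size  # constructed stand-in for the eventd.xml contents
    loop = feed_until_eof if guarded else feed_until_short_read
    return loop(io.BytesIO(data))


def pad_if_chunk_aligned(contents: bytes, chunk_size=CHUNK_SIZE) -> bytes:
    """The page's workaround as a function: append one whitespace byte when the
    length is an exact multiple of chunk_size, so that the faulty loop's final
    read comes back short (1 byte) instead of empty."""
    if len(contents) % chunk_size == 0:
        return contents + b"\n"
    return contents


if __name__ == "__main__":
    for size in (2047, 2048):
        print(size, "faulty:", chunk_lengths(size, guarded=False),
              "corrected:", chunk_lengths(size, guarded=True))
```

Running the block shows that a 2048-byte file produces a trailing zero-length buffer with the faulty loop and none with the corrected one, while a 2047-byte file behaves the same under both; the padding helper moves an aligned file off the boundary without changing its XML content.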
703509-1 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
Component: TMOS
Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.
...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.
Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.
Impact:
User is unable to save the configuration.
Workaround:
A user with the administrator role can save the config.
The root user can save the config.
703196-3 : Reports for AVR are missing data
Component: Application Visibility and Reporting
Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.
Conditions:
Using AVR statistics.
Impact:
Expected AVR statistics may be missing.
Workaround:
Run the following shell command on BIG-IP:
sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql
703165 : shared memory leakage
Component: Advanced Firewall Manager
Symptoms:
Processes that require shared memory to operate are failing (e.g., pabnagd).
Conditions:
Many shmem segments allocated and used by tmm.
Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.
Workaround:
There is no workaround at this time.
702933 : Loading UCS with different provisioning can cause a single TMM crash
Component: Application Visibility and Reporting
Symptoms:
Saving a UCS file on one system and loading it on another that has different provisioning can lead to a TMM crash.
Note: The crash occurs only once; the TMM process that is automatically restarted afterward works without problems.
Conditions:
-- Save a UCS on a system that has AVR or ASM with DoS configured.
-- Load the UCS on a system that does not have AVR nor ASM provisioned.
Impact:
When the system restarts after loading the UCS, TMM can crash, but the restarted TMM process works fine.
There is no actual traffic impact, because the system is not operational during the UCS load anyway; it only takes more time to bring the system to the active state after loading the UCS.
Workaround:
When loading a UCS that was saved on a system that had AVR or ASM, make sure the same modules are provisioned first, and then load the UCS.
702615-1 : During reboot to another volume, the GUI login page becomes prematurely available★
Component: TMOS
Symptoms:
Less than a minute after a reboot to another volume is initiated from the GUI, the GUI reports that the reboot is complete and displays the login page. Normally, a reboot takes about 5 minutes.
Conditions:
User initiates a reboot to another volume from the GUI.
Impact:
Misleading information is shown in the GUI. The GUI reports that the reboot is complete and displays the login prompt. However, this is not correct; the reboot is still in progress.
Workaround:
Check the reboot status from the console, or simply wait about 5 minutes before attempting to log in to the system again.
702439-3 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
Solution Article: K04964898
Component: Local Traffic Manager
Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.
Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.
Impact:
HTTP/2 connections will be unusable.
Workaround:
Set the header table size argument back to its default.
702350 : FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS
Component: Application Security Manager
Symptoms:
Fingerprinting JavaScript is injected even though no ASM feature that uses it is enabled.
Conditions:
-- Web-scraping is configured in the policy history.
-- The policy is configured using REST.
Impact:
FingerPrint JS is injected for each request.
Workaround:
1. Turn on Bot detection and click Save.
2. Turn off Bot detection, FP flag, and suspicious clients detection, and click Save.
3. Apply Policy.
702310-2 : The ':l' and ':h' options are not available on the tmm interface in tcpdump
Component: TMOS
Symptoms:
The ':l' and ':h' options are not available on the tmm interface in tcpdump.
Conditions:
Running tcpdump.
Impact:
Packet capture on the tmm interface from the Linux side or the host side of tmm interface is not possible.
Workaround:
There is no workaround at this time.
702281-2 : OneConnect header transformations may cause some Websocket connections to reset.
Component: Local Traffic Manager
Symptoms:
During the WebSocket handshake, if OneConnect is enabled and the request carries the header "Connection: close", OneConnect transforms it to "X-Cnection: close". If the request carries both "Connection: upgrade" and "Connection: close", OneConnect transforms them to "X-Cnection: upgrade" and "X-Cnection: close", respectively. This causes some WebSocket handshakes to fail.
Conditions:
The virtual server has HTTP and OneConnect profiles, and the request carries both "Connection: close" and "Connection: upgrade" headers during the WebSocket handshake.
Impact:
WebSocket handshakes fail, resulting in a connection reset.
Workaround:
Remove OneConnect, or use an iRule to re-add "Connection: upgrade".
701977-3 : Non-URL encoded links to CSS files are not stripped from the response during concatenation
Component: WebAccelerator
Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.
Conditions:
White space in the URLs.
Impact:
The non-URL encoded CSS links remain in the response after concatenation.
Workaround:
No workaround at this time.
701944-2 : machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6
Solution Article: K42284762
Component: Access Policy Manager
Symptoms:
Machine certificate check crashes a Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.
Conditions:
- Machine certificate check configured with the 'match issuer' option.
- macOS Sierra 10.12.6 (16G29).
- BIG-IP Edge client.
- F5 EPI.
Impact:
Machine certificate check does not pass because Edge client crashes.
Workaround:
None.
701722-2 : Potential mcpd memory leak for signed iRules
Component: TMOS
Symptoms:
There is an MCP memory leak that occurs when the message "Signature encryption failed" is seen in /var/log/ltm.
Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.
Impact:
MCP leaks memory.
Workaround:
Resolve the signature encryption issue.
701690-3 : Fragmented ICMP forwarded with incorrect icmp checksum
Solution Article: K53819652
Component: Local Traffic Manager
Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.
Conditions:
A FastL4 virtual server that can forward ICMP (ip-protocol ICMP or any), or a SNAT/NAT, receives a fragmented ICMP packet that is expected to be passed through the virtual server (or SNAT or NAT).
Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.
Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.
701555-3 : DNS Security Logs report Drop action for unhandled rejected DNS queries
Component: Advanced Firewall Manager
Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.
Conditions:
DNS profile set unhandled-query-action reject.
Impact:
Incorrect event log. This is an incorrectly logged event and does not indicate an issue with the system.
Workaround:
None.
701341-2 : If /config/BigDB.dat is empty or the file is corrupt, mcpd continuously restarts
Solution Article: K52941103
Component: TMOS
Symptoms:
If an issue causes /config/BigDB.dat to be empty or its contents become corrupted, mcpd fails to start up.
System commands report errors about being unable to read DB keys. 'bigstart' outputs errors:
--dbval: Unable to find variable: [security.commoncriteria]
Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.
Impact:
The system fails to start up, and mcpd continually restarts. The BIG-IP system fails to process traffic while the mcpd process is restarting.
Workaround:
To work around this issue, you can remove the empty or corrupted BigDB.dat file. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to bash.
2. To remove the zero-byte or corrupted BigDB.dat file, type the following command:
rm /config/BigDB.dat
701289-2 : Static BFD with BIG-IP floating IP address
Component: TMOS
Symptoms:
In an HA configuration, the BFD session on both the Active and Standby nodes can be configured with the same floating self IP address as the source IP address. As a result, both the Active and Standby nodes actively send BFD Control packets to the BFD neighbor, but the neighbor's responses are delivered to the Active node only. Not only does the session state then differ between the Active and Standby nodes, but the two nodes' BFD Control packets also carry different information, which disturbs the session.
Conditions:
- BFD sessions on HA Active and Standby have the same floating Self IP as a source IP address.
Impact:
The BFD session is disturbed on both the HA Active node and the BFD neighbor, which might result in invalidation of the route to the BIG-IP.
Workaround:
One workaround is to manually disable the BFD session on the Standby node; however, after a failover the session must be manually restored.
Another workaround is to use a non-floating self IP address as the source IP address of BFD Control packets; this, however, might require additional logic on the BFD neighbor side.
701232-1 : Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation
Component: Global Traffic Manager (DNS)
Symptoms:
Two GTM devices that have the same local IP address are not able to establish an iQuery connection, even when a translated address is configured.
Conditions:
This condition may occur if two GTM servers have the same self IP address on separate networks that are attempting to use address translation to establish a connection.
Impact:
When one or more GTM devices attempt to establish an iQuery connection to another device, it actually establishes a connection with itself instead of the other device.
Workaround:
To resolve the issue:
1. Configure the devices to have different self IP addresses.
2. Change the addresses and translated addresses of the corresponding GTM servers to match the new configuration using the following example command:
tmsh modify gtm server <server_name> addresses ...
701033-1 : Tcl actions not run if conditions have overlapping IP ranges
Component: Local Traffic Manager
Symptoms:
Overlapping CIDR subnets in a rule's conditions cause an unexpected result.
Conditions:
-- LTM policy with more than one IP-address-based condition.
-- The IP address ranges overlap.
-- An associated action that invokes a Tcl command.
Impact:
Tcl action is not run.
Workaround:
None.
701025-1 : BD restart on a device where 'provision.tmmcountactual' is set to a non-default value
Component: Application Security Manager
Symptoms:
BD restarts with this error:
Plugin configuration load timeout. Exiting.
Conditions:
The db variable 'provision.tmmcountactual' is set to a number lower than the actual CPU count.
Impact:
BD restarts continuously.
Workaround:
You can use any of these workarounds:
-- In the GUI, set 'RWThreads' under Security :: Options : Application Security : Advanced Configuration : System Variables.
-- Use the 'add_del_internal' utility:
----------------------
# /usr/share/ts/bin/add_del_internal
USAGE:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal update <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal delete <param_name>
----------------------
-- Set the bd internal parameter num_rw_threads to the number of plugin channels that TMM expects.
-- Revert 'provision.tmmcountactual' sys db to the default value.
700989-2 : Better detecting browser extensions
Component: Application Security Manager
Symptoms:
Browser extensions are not always detected.
Conditions:
Enabling "Web Scraping -> Suspicious Clients -> Detect browsers with Scraping Extensions" and choosing disallowed extensions.
Impact:
Browsers with disallowed extensions are not blocked.
Workaround:
None.
700897-3 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
Component: TMOS
Symptoms:
sod consumes an excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.
Conditions:
The number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.
Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interferes with other control plane functions including the UI.
Workaround:
There is no workaround at this time.
700794-2 : Cannot replace a FIPS key with another FIPS key via tmsh
Component: TMOS
Symptoms:
If you try to replace an existing FIPS key using "tmsh install sys crypto key", the command fails with "is already FIPS". This can also occur when issuing the commands via the REST API.
Conditions:
If a FIPS key has already been created or installed via tmsh, it cannot be replaced or overwritten via the "tmsh install sys crypto" command.
Impact:
Failure to overwrite a FIPS key with another FIPS key via tmsh.
700639 : The default value for the syncookie threshold is not set to the correct value
Component: Local Traffic Manager
Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.
Conditions:
This issue may be encountered when a virtual server uses syncookies.
Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.
Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000
700426-2 : Switching partitions while viewing objects in GUI can result in empty list
Solution Article: K58033284
Component: TMOS
Symptoms:
In the LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in an empty list.
Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.
For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.
Impact:
The list of pools is empty despite the fact that there are pools available.
Workaround:
Return to the first page of objects before switching to any other partition.
700250-1 : qkviews for secondary blade appear to be corrupt
Solution Article: K59327012
Component: TMOS
Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.
Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.
Impact:
The system posts the following messages:
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
This confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.
Workaround:
None.
700118-2 : rrset statistics unavailable
Component: Global Traffic Manager (DNS)
Symptoms:
When cache entries of any kind are deleted, the rrset statistics for the cache may not be available.
Conditions:
This occurs when DNS cache entries are deleted.
Impact:
The rrset statistics may not be available.
700080-1 : A db var compression.zlibinflateratio.threshold is added to force stopping inflating
Component: Local Traffic Manager
Symptoms:
A zip bomb can be sent to a BIG-IP system. When it is unzipped, its content can consume too much space.
Conditions:
This happens when the inflation ratio is very high.
Impact:
It can cause a buffer overflow or an out-of-memory condition.
Workaround:
None.
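The db variable named in this entry bounds the inflate step by the ratio of inflated output to compressed input. The following added example (not F5 code, and not how BIG-IP implements the threshold) shows the defensive technique in Python's zlib: inflate in bounded output steps and stop as soon as output exceeds the configured ratio times the compressed bytes consumed so far, so an unbounded allocation never happens. The sample payloads are constructed inline: a highly compressible run of zero bytes standing in for a zip bomb, and ordinary text standing in for a normal body.

```python
import zlib


class InflationRatioExceeded(Exception):
    """Raised when inflated output grows past max_ratio times the compressed input consumed."""


def bounded_inflate(compressed: bytes, max_ratio: float, out_step: int = 64 * 1024) -> bytes:
    """Inflate a zlib stream in bounded steps, checking the output/input ratio after each.

    The decompressor is asked for at most out_step bytes per call. Input it did not
    need yet comes back in unconsumed_tail, so the compressed bytes actually consumed
    are known and the ratio is checked before any further output is produced."""
    inflater = zlib.decompressobj()
    output = bytearray()
    fed = 0                 # compressed bytes handed to the decompressor so far
    pending = compressed    # compressed bytes not yet handed over
    while pending or inflater.unconsumed_tail:
        if inflater.unconsumed_tail:
            data = inflater.unconsumed_tail
        else:
            data, pending = pending, b""
            fed += len(data)
        output += inflater.decompress(data, out_step)
        consumed = fed - len(inflater.unconsumed_tail)
        if consumed and len(output) > max_ratio * consumed:
            raise InflationRatioExceeded(
                f"{len(output)} bytes inflated from {consumed} compressed bytes "
                f"exceeds ratio {max_ratio}")
        if inflater.eof:
            break
    output += inflater.flush()
    return bytes(output)


def check_payload(compressed: bytes, max_ratio: float):
    """Return (accepted, inflated_size); accepted is False when the guard tripped."""
    try:
        return True, len(bounded_inflate(compressed, max_ratio))
    except InflationRatioExceeded:
        return False, None


def constructed_bomb(size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed sample: `size` zero bytes compress to a few kilobytes (ratio ~1000:1)."""
    return zlib.compress(b"\0" * size, 9)


def constructed_benign() -> bytes:
    """Constructed sample with a modest ratio: 2000 numbered text lines, 40890 bytes."""
    return zlib.compress(b"".join(b"event %d processed\n" % i for i in range(2000)))


if __name__ == "__main__":
    print("benign:", check_payload(constructed_benign(), max_ratio=100))
    print("bomb:  ", check_payload(constructed_bomb(), max_ratio=100))
```

The ratio is computed against bytes actually consumed rather than the total compressed length, so the guard also works on a body that is still streaming in; the denominator only ever grows, so a payload rejected at an intermediate step would also have been rejected at the end.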
700035-3 : /var/log/avr/monpd.disk.provision does not rotate
Component: Application Visibility and Reporting
Symptoms:
The log file may fill up the /var partition.
Conditions:
There is no special condition for this issue; if the log grows large, it does not rotate.
Impact:
The log file may fill up the /var partition.
Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision
699898-3 : Wrong policy version time in policy created after synchronization between active and standby machines.
Component: Application Security Manager
Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.
Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.
Impact:
Policy version timestamp on standby system is not synchronized properly.
Workaround:
Run full synchronization again from active system to the group.
699512-3 : UDP packet may be dropped when queued in parallel with another packet
Component: Global Traffic Manager (DNS)
Symptoms:
UDP packets may be dropped.
Conditions:
-- UDP packets are received in quick succession with matching IP/Port pairs.
-- The UDP virtual server does not use datagram LB mode.
-- One of the following:
+ A DNS profile is attached to a virtual server.
+ Rate limit is applied.
Impact:
UDP packets may be dropped.
Workaround:
Configure the virtual server with a UDP profile with datagram LB mode enabled.
699076-3 : URI::path iRules command warns end and start values equal
Component: Local Traffic Manager
Symptoms:
The URI::path iRules command issues a warning when the end and start values are equal.
Conditions:
The end and start values are equal.
Impact:
Warning message shows in console.
Workaround:
Ignore the warning.
698991 : CPU utilization on i850 is not a reliable indicator of system capacity
Solution Article: K64258832
Component: TMOS
Symptoms:
Unlike previous platforms, the i850 may report between 50-70% CPU utilization when at full capacity. The specific number is workload dependent, and therefore should not be used as an indicator of system headroom for sizing purposes.
Conditions:
Running BIG-IP software on an i850.
Impact:
Confusion about actual capacity usage.
Workaround:
Refer to the BIG-IP stats and published capabilities to determine utilized capacity under a specific workload.
698933-3 : Setting metric-type via ospf redistribute command may not work correctly
Component: TMOS
Symptoms:
In a dynamic routing configuration where one OSPF process redistributes routes from another OSPF process and sets a metric-type, the metric type is not changed.
Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>" command.
Impact:
Metric type is not changed.
Workaround:
Change metric-type using a route-map applied to the redistribute command.
698931-3 : Corrupted SessionDB messages cause TMM to crash
Component: TMOS
Symptoms:
TMM segfaults and restarts.
Conditions:
This was reported once during normal tmm operation.
Impact:
Traffic disrupted while tmm restarts.
698917 : Unexpected additional policy is created while creating a policy from a template via REST
Component: Application Security Manager
Symptoms:
An unexpected additional policy is created while creating a policy from a template via REST while modifying other attributes.
Conditions:
The user creates a policy from a template via REST while modifying other attributes.
Impact:
An unexpected additional policy is created.
Workaround:
Use the import-policy task to create a new policy from a template in REST. Alternatively, if using the /policies endpoint, create the policy with just the name and template, and make any other changes as a separate update afterwards.
698911 : Periodically SIP requests are not sent to the server
Component: Service Provider
Symptoms:
When rate-limiting is configured on the virtual server and/or pool using a SIP profile, SIP requests may periodically not be forwarded to the server despite the rate being under the limit.
Conditions:
A SIP profile is associated with the virtual server and a rate limit is configured.
Impact:
SIP requests may not be forwarded to the server.
Workaround:
There is no workaround other than disabling rate-limiting.
698844 : LCD splash screen may display incorrect platform name on iSeries appliance
Component: TMOS
Symptoms:
The LCD on an iSeries appliance may show the incorrect platform name after a license is applied.
Conditions:
The platform name may be incorrect on the LCD until the first reboot.
Impact:
Display only; no functional impact.
Workaround:
Use "tmsh show sys hardware" to see the correct platform name.
698599 : Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems.
Solution Article: K24479486
Component: TMOS
Symptoms:
Cave Creek Hardware-accelerated Secure Sockets Layer (SSL) traffic may encounter errors and performance problems.
The BIG-IP system may experience SSL connection failures or reduced performance.
The following entries in /var/log/ltm are examples of the errors seen:
-- crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
-- warning tmm3[11707]: 01260009:4: Connection error: ssl_basic_rx:1015: decrypt request error (20)
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP system uses Cave Creek SSL hardware acceleration.
-- You are experiencing a high SSL traffic load.
Impact:
The BIG-IP system may experience SSL connection failures or reduced performance.
Workaround:
To work around this issue, you can increase the crypto.queue.timeout database key. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system. This procedure will mitigate future occurrences. A reboot of the BIG-IP system is required to clear a currently occurring condition.
1. Log in to the Traffic Management Shell (tmsh) as an administrative user.
2. Run the following command: modify /sys db crypto.queue.timeout value 300
3. Reboot the BIG-IP system.
698597 : BIG-IP fails to go active after cryptographic hardware has recovered from a failure
Solution Article: K10300436
Component: TMOS
Symptoms:
A BIG-IP system might not become active after a crypto-failsafe condition even after it has recovered from a cryptographic hardware failure.
As a result of this issue, you might see output of the tmsh show sys ha-status command similar to the following example:
Feature Key Action Fail Feature Take Client Proc Timeout
crypto-failsafe qa-crypto3-3 failover yes yes yes 0 tmm3 0
The /var/log/ltm file contains messages similar to the following examples:
-- crit tmm[9184]: 01010025:2: Device error: crypto codec cn-crypto-0 queue is stuck.
-- notice sod[8874]: 01140029:5: HA crypto_failsafe_t cn-crypto-0 fails action is failover.
Conditions:
This issue occurs when all of the following conditions are met:
-- Using BIG-IP 2000/2200, 4000/4200, or i2600/i2800 platforms.
-- The crypto-failsafe action is set to failover.
-- The failsafe condition is triggered.
-- The cryptographic hardware has recovered from its failure.
Impact:
The BIG-IP system stays down, even after the cryptographic hardware has recovered. When the system is in this condition, traffic is not being processed.
Workaround:
When your BIG-IP system is in this state, you can recover by restarting the Traffic Management Microkernel (TMM) process. To do so, perform the following procedure:
Impact of workaround: Because no traffic is being passed, there is no traffic impact from performing this procedure.
1. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh
2. Restart TMM by running the following command:
restart /sys service tmm
Note: There is no way to easily determine whether the cryptographic hardware has recovered from the failure. Unfortunately, therefore, performing this mitigation step might not return the BIG-IP system to an active state. There are other issues with similar symptoms. If your system is experiencing one of those issues instead, this mitigation step will not produce successful results.
Here are three other Known Issues that produce almost exactly the same error messages but involve different configurations. You might find additional assistance here:
+ K53752362: The BIG-IP system may erroneously detect a stuck crypto queue in Cave Creek devices :: https://support.f5.com/csp/article/K53752362
+ K53220379: The BIG-IP system may erroneously detect a stuck crypto queue :: https://support.f5.com/csp/article/K53220379
+ K16632: A vCMP host may stop processing SSL and HTTP compressed traffic for a vCMP guest due to a worker-lite system timeout :: https://support.f5.com/csp/article/K16632
698594 : Cave Creek Crypto hardware reports a false positive of a stuck queue state
Solution Article: K53752362
Component: TMOS
Symptoms:
In some cases, a stuck crypto queue may be erroneously detected on Cave Creek-based systems. This includes BIG-IP 2x00, 4x00, i850, i2x00, i4x00, and HRC-i2800.
The system writes messages similar to the following example to the /var/log/ltm file:
crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
warning sod[4949]: 01140029:4: HA crypto_failsafe_t qa-crypto3-3 fails action is failover.
Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses the Cave Creek encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
To work around this issue, you can modify the crypto queue timeout value. To do so, perform the following procedure.
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the BIG-IP system as an administrative user.
2. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh
3. To change the crypto queue timeout value, run the following command:
modify /sys db crypto.queue.timeout value 300
4. Save the change by running the following command:
save sys config
Increasing the crypto queue timeout gives the hardware enough time to process all queued requests.
698462 : TCP timestamp rewrite mode not working on the client side of ePVA offloaded connections
Component: TMOS
Symptoms:
When the tcp-timestamp-mode is set to 'rewrite', not the default 'preserve', the client side TSecr is not set correctly for the FIN packets. When the flow is evicted due to FIN processing in ePVA, the process copies the timestamp from the server sending the FIN/ACK. This unexpected behavior causes the TCP client to halt at the FIN-WAIT-2 because the client thinks the FIN/ACK from the BIG-IP system includes illegitimate timestamp options, and drops it.
Conditions:
-- tcp-timestamp-mode is set to 'rewrite'.
-- FastL4 profile.
-- Systems with ePVA feature support.
Impact:
TCP client cannot handle the FIN packets properly, causing connection issues.
Workaround:
Use the default 'preserve' mode for FastL4 profiles.
698211-3 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
Solution Article: K35504512
Component: Global Traffic Manager (DNS)
Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.
Conditions:
Delete a wildcard resource record from the related DNS Express zone.
Impact:
DNS returns the incorrect response.
Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.
698171-1 : STP interfaces remain in block state on 40G bundled interfaces after enabling STP
Component: TMOS
Symptoms:
STP interfaces are in a blocked state.
Conditions:
40G bundled interface is enabled with STP.
Impact:
No STP BPDU gets sent out, and the STP state is blocked.
698034-2 : PKCS12 file imported via Configuration utility into folder is placed at partition root
Component: TMOS
Symptoms:
When importing a certificate (cert) using the GUI Configuration utility, you can specify a partition folder, and the system imports the cert into that partition folder. However, specifying a partition folder when importing a PKCS12 cert imports it to the root partition folder, Common.
Conditions:
Log in to the GUI and perform the following steps:
- Navigate to System :: Certificate Management : Traffic Certificate Management : SSL Certificate List.
- Click Import and select 'PKCS'.
- Give the cert a name that includes the partition folder, for example: sync_group/pk12gui
Impact:
PKCS12 files imported using the GUI Configuration utility are placed at root partition folder, Common, rather than the partition folder.
Workaround:
You can use either workaround:
-- Once the PKCS12 file has been imported, export the cert and key, and then re-import into the partition folder.
-- Import PKCS12 file using TMSH.
698013-4 : TACACS+ system auth and file descriptors leak
Solution Article: K27216452
Component: TMOS
Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.
This might eventually lead to lack of HTTP-based access to the BIG-IP system.
Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include the Web UI, iControl, and iControl REST.
-- Repeated automated access using iControl is the fastest route to exhausting the available file descriptors.
Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.
Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.
697988-2 : During config sync, if many client-ssl profiles are on a virtual server the CPU may briefly spike to 100%
Solution Article: K34554754
Component: Local Traffic Manager
Symptoms:
During config sync, if many (hundreds of) client-ssl profiles are attached to a virtual server, the CPU may spike to 100%.
Conditions:
-- Many (hundreds of) client-ssl profiles are attached to a virtual server.
-- Config sync is executed.
Impact:
If enough client-ssl profiles are attached, the watchdog could fire, crashing tmm and causing service disruption. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround other than not attaching hundreds of client-ssl profiles to a virtual server, or disabling config sync.
697766-3 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
Component: TMOS
Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen:
isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.
Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than version 11.6.1.
In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval or for max-lsp-lifetime. For example:
router isis isisrouter
 is-type level-2-only
 authentication mode md5
 authentication key-chain keychain-isis
 lsp-refresh-interval 5
 max-lsp-lifetime 65535
 net 49.8002.00c1.0000.0000.f523.00
Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.
Workaround:
None.
697626 : iRules LX: Cannot modify workspace imported by "Import From Workspace"
Component: Local Traffic Manager
Symptoms:
The permissions of an iRules LX workspace copy created using "Import..." > "From Workspace" are set to 775 (drwxr-xr-x) for directories and 444 (-r--r--r--) for files, including the Node.js and Tcl code files. This causes the "Could not save file: <file>" error upon modification of the code.
Conditions:
Attempting to modify imported workspace.
Impact:
Cannot save changes.
Workaround:
A. Create an "archive file" first and use it for importing.
B. After creating a copy using "From Workspace", run chmod command to add +w to the group and others: e.g., chmod -R g+w,o+w <Workspacename>.
697590-5 : APM iRule ACCESS::session remove fails outside of Access events
Component: Access Policy Manager
Symptoms:
ACCESS::session remove fails.
Conditions:
iRule calling ACCESS::session remove outside of Access events.
Impact:
The APM iRule command ACCESS::session remove fails to remove the session.
Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.
697265 : MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.
Component: Advanced Firewall Manager
Symptoms:
MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.
/var/log/ltm contains messages similar to the following:
-- err clusterd[7274]: 013a0004:3: IO error on recv from mcpd - connection lost
-- info sod[7953]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- notice chmand[7594]: 012a0005:5: resetting chmand services
-- err snmpd[7952]: 010e0001:3: Cannot communicate with MCPD server.
-- err mysqlhad[7596]: 014e0006:3: MCP Failure: 1.
-- err zxfrd[7962]: 0153e0f7:3: Lost connection to mcpd.
-- err tmrouted[6299]: 01910013:3: FATAL error: 6 irrecoverable MCP I/O error (Unknown error 16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: MCP msg receive (16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: Socket read (16908291).
Conditions:
-- AFM configuration.
-- Devices in a device group trust configuration.
-- Device group configured with Autosync enabled.
-- Importing a configuration with a very large number of nested address lists (for example, 12000 nested address lists).
Impact:
mcpd cores.
Workaround:
Split the configuration into smaller chunks (e.g., 1000 address lists each) and load them one at a time.
696908-2 : Updating iRule causes TMM to crash
Component: Local Traffic Manager
Symptoms:
A tmm core occurs when reloading an iRulesLX (iLX) plugin. You might see error messages similar to the following:
notice ** SIGFPE **
pgo_use x86_64 vadc TMM Version 13.1.3.2.0.0.4
panic: Tcl Object 5600092578f8 is currently on free list
Conditions:
An iRulesLX plugin was reloaded into the workspace.
Impact:
Crash in TMM caused by updating an iLX instance. Traffic disrupted while tmm restarts.
Workaround:
None.
696755-2 : HTTP/2 may truncate a response body when served from cache
Component: Local Traffic Manager
Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.
Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.
Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.
Workaround:
Adding the following iRule causes the full body to be displayed:
when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}
696731-1 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
Solution Article: K94062594
Component: TMOS
Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.
Conditions:
Administratively disabling an interface on the BIG-IP system.
Impact:
The system may issue only the F5 link change trap and not the additional standard MIB trap; that is, the standard LinkUp/LinkDown traps may not be issued.
Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.
696363 : Unable to create SNMP trap in the GUI
Component: TMOS
Symptoms:
Trying to create an SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.
Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.
Impact:
GUI parameter checking does not work as expected. The BIG-IP administrator is unable to create an SNMP trap session.
Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.
Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.
696348-1 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
Component: Service Provider
Symptoms:
When "GTP::ie insert" or "GTP::ie append" is used in an iRule without the "-message" option, the following warning message is displayed:
[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]
Conditions:
Using the "GTP::ie insert" or "GTP::ie append" command without the "-message" option.
Impact:
The commands are still executed at runtime, but the warning message may confuse users.
695985-1 : Access HUD filter has URL length limit (4096 bytes)
Component: Access Policy Manager
Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.
Conditions:
Any URL with a request consisting of more than 4096 bytes.
Impact:
The URL cannot be processed, and client gets a RST.
Workaround:
None.
695707-3 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
Component: Local Traffic Manager
Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.
Conditions:
Close an MPTCP connection.
Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.
Workaround:
There is no workaround at this time.
695401 : QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile
Component: Fraud Protection Services
Symptoms:
When an FPS signature update defines a URL with a query string and defines a custom alert for that URL, the alert will not be sent if there is no URL with a query string configured on the FPS profile.
Conditions:
1. A custom alert is defined for a URL with a query string.
2. There are no URLs with a query string configured on the FPS profile.
Impact:
System does not send alert.
Workaround:
Define a URL (potentially a placeholder URL) with query string on FPS profile.
695109-3 : Changes to fallback persistence profiles attached to a Virtual server are not effective
Solution Article: K15047377
Component: Local Traffic Manager
Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.
Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.
Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.
Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.
695090 : In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled
Component: TMOS
Symptoms:
In rare situations, hardware syncookies may be sent for the traffic received on a L7 virtual server even though hardware syncookie protection is disabled on the virtual server.
Conditions:
It is unknown what triggers this error condition at this point.
Impact:
Some of the TCP options are not supported under hardware syncookie protection mode.
Workaround:
There is no workaround at this time.
694934-3 : bd crashes on a very specific and rare scenario
Component: Application Security Manager
Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.
Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.
Impact:
bd crashes.
Workaround:
None.
694897-4 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.
Component: TMOS
Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.
Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1G interfaces.
-- On i4x00 platforms.
Impact:
PFMAND cores.
Workaround:
Use only F5-branded Copper SFPs.
694657-2 : ASM GUI displaying inconsistent policy sync version information
Component: Application Security Manager
Symptoms:
There is an inconsistency in how ASM-config derives the current policy revision, and in how it determines what is the 'latest' revision number for a policy.
When upgrading, the system attempts to restore the 'last active version' of each policy. It determines the latest version by the highest revision number, which is now wrong, so an older version of the policy is restored.
Conditions:
Deactivate a policy and then activate it again.
Impact:
The policy revision numbers start again, so the GUI appears to be displaying incorrect information, which can cause confusion.
Workaround:
None.
693966-2 : TCP sndpack not reset along with other tcp profile stats
Component: Local Traffic Manager
Symptoms:
The TCP sndpack stat is not properly reset when a tmsh reset-stats command is issued.
Conditions:
The tmsh reset-stats command is issued for a TCP profile:
-- tmsh reset-stats /ltm profile tcp <profile-name>
Impact:
The TCP sndpack stat does not reset when the tmsh reset-stats command is issued.
Workaround:
There is no workaround.
693901-3 : Active FTP data connection may change source port on client-side
Component: Local Traffic Manager
Symptoms:
The active FTP data connection on the client side may use a source port other than the one configured in the 'Data Port' parameter of the FTP profile.
Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.
Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.
Workaround:
None.
693578-1 : switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Component: TMOS
Symptoms:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Conditions:
None
Impact:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
Workaround:
None
693563-3 : No warning when LDAP is configured with SSL but with a client certificate with no matching key★
Solution Article: K22942093
Component: TMOS
Symptoms:
When LDAP auth is configured with SSL:
- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.
Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.
Impact:
LDAP auth fails. There is no warning that the auth failed.
Workaround:
Configure a key that matches the specified client certificate.
693515 : A '+' character in a log profile name causes import to fail
Component: Advanced Firewall Manager
Symptoms:
When there is a '+' character in log profile name, importing the module on BIG-IQ fails as '+' is treated as a reserved character.
Conditions:
A '+' character is configured in a log profile name.
Impact:
Import fails due to the reserved character.
Workaround:
Do not use '+' in the name.
693246-1 : SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time.
Component: TMOS
Symptoms:
This seems to happen very infrequently. Symptoms vary from a simple TMM restart up to a blade reset. LTM log will show a sod message complaining about TMM heartbeats, followed later by SIGABRT messages from TMM.
Conditions:
TMM has not reported its heartbeat for a long enough period of time. The specific circumstances are unknown, but the issue has been seen with moderate-to-heavy system loads.
Impact:
Interruptions in data path processing. The interruption can be short for a simple TMM restart, longer for a full blade restart. Though these events altogether are rare, when they happen, it appears the simple TMM restart is more common than the blade restart.
Workaround:
None.
692753-3 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell
Component: TMOS
Symptoms:
The shutting down trap is not sent when shutdown -r or shutdown -h is issued from the shell.
Conditions:
When a user accesses the Linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP system does not send the shutting down trap.
Impact:
None.
Since this is a user-triggered command, the user is aware of the shutdown event, so the lack of a trap is not critical.
Workaround:
None
692218-5 : Audit log messages sent from the primary blade to the secondaries should not be logged.
Component: TMOS
Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.
Conditions:
Multi-blade platform.
Impact:
Unnecessary messages in the log file.
Workaround:
None.
692172-2 : rewrite profile causes "No available pool member" failures when connection limit reached
Component: TMOS
Symptoms:
An ltm rewrite profile (with mode uri-translation) can cause connections on an ltm forwarding virtual server to be terminated with the reason "No available pool member".
Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.
Impact:
When the connection limit is reached, further connections are terminated with the "No available pool member" cause instead of being queued.
Workaround:
An iRule that selects the default pool on HTTP_REQUEST:
when HTTP_REQUEST priority 1000 {
    pool [LB::server pool]
}
691992 : MSTP: CIST bridge priority changes after adjusting the MSTI priority.
Component: Local Traffic Manager
Symptoms:
Changing the priority of a non-zero region MSTP instance results in BPDUs advertising a change to the CIST Bridge Priority, but not for the expected MSTID instance.
Conditions:
Issue an STP MSTID priority modify request.
Impact:
Changing the MSTID priority to force the BIG-IP system to become the root bridge does not work as expected.
Note: F5 Networks recommends against having the BIG-IP system become the root bridge.
Workaround:
After modifying the MSTID priority, also restart the STP daemon (stpd) so that the BPDUs advertise the expected CIST/MSTID priorities.
691785-3 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
Component: Local Traffic Manager
Symptoms:
The bcm570x driver will cause TMM to core with the log message:
panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.
Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.
Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.
Workaround:
None.
691749-3 : Delete sys connection operations cannot be part of TMSH transactions
Component: TMOS
Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.
Conditions:
Include delete sys connection operations in TMSH transactions.
Impact:
TMSH freezes up and transactions do not complete.
Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.
691491-3 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Solution Article: K13841403
Component: TMOS
Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.
Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.
Workaround:
Use OID sysInterfaceMediaActiveSpeed.
691048-3 : Support DIAMETER Experimental-Result AVP response
Solution Article: K34553736
Component: Service Provider
Symptoms:
When the Diameter server returns an answer message with an Experimental-Result AVP, but doesn't have Result-Code AVP inside, then the server side flow is aborted.
Conditions:
The Diameter answer message contains an Experimental-Result AVP but no Result-Code AVP.
Impact:
The server side flow is aborted.
Workaround:
Use an iRule to insert a Result-Code AVP in all Diameter answer messages.
690890-3 : Running sod manually can cause issues/failover
Component: TMOS
Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.
Conditions:
Accidentally or intentionally executing the command 'sod'.
Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.
Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly; it is managed by 'bigstart'.
690781 : VIPRION systems with B2100 or B2150 blades cannot run certain combinations of vCMP guest sizes
Component: TMOS
Symptoms:
VIPRION systems equipped with B2100 or B2150 blades cannot run any more vCMP guests in addition to three 1-slot 8-core guests.
So if a system has four blades, any additional guests created on the remaining blade will not be operational.
Although the system allows all guests to be created and started, the ones deployed last will not work correctly.
Specifically, the guests deployed last will fail to access TMM networks.
Additionally, the vCMP host logs messages similar to the following example to the /var/log/ltm file:
-- info bcm56xxd[13741]: 012c0016:6: FP(unit 0) Error: Group (6) no room.
-- err bcm56xxd[13741]: 012c0011:3: entry create failed: SDK error No resources for operation bs_field.cpp(447)
-- err bcm56xxd[13741]: 012c0011:3: geteid_qualify_egress failed: SDK error No resources for operation bs_field.cpp(2009)
-- err bcm56xxd[13741]: 012c0011:3: program dest mod/port rule failed: SDK error No resources for operation bs_vtrunk.cpp(5353)
-- err bcm56xxd[13741]: 012c0011:3: vdag class L4 redirect failed: SDK error No resources for operation bs_vtrunk.cpp(3261)
Conditions:
This issue occurs when the following conditions are met:
-- A C2400 VIPRION chassis is equipped with four B2100 or B2150 blades.
-- A vCMP configuration consisting of at least three 1-slot 8-core guests was put in place (in other words, three full-blade guests).
-- One or more vCMP guests are created on the remaining VIPRION blade in the chassis.
Impact:
One or more guests do not function properly as they cannot access TMM networks. All traffic fails to pass.
Workaround:
This issue is caused by a hardware limitation on B2100 and B2150 blades preventing this specific vCMP configuration from instantiating correctly.
As a workaround, you must specify different vCMP guest sizes.
For instance, you could use the following configuration:
-- Four 2-slot 4-core vCMP guests instead of four 1-slot 8-core vCMP guests
Although not the same, both configurations yield the same total number of TMM instances per guest.
690778-3 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
Solution Article: K53531153
Component: Local Traffic Manager
Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.
Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.
Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.
Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.
690316 : Software syncookies are sent for FastL4 virtual server with software syncookies disabled
Component: Local Traffic Manager
Symptoms:
If a virtual server using FastL4 is configured with software SYN cookies disabled and global hardware SYN cookies disabled using the pvasyncookies.enabled DB setting, then software SYN cookies may still be sent if a SYN flood occurs on the VIP.
This can be observed by seeing that the virtual server went into syncookie mode in the LTM logfile.
Conditions:
If the FastL4 profile has software-syn-cookie disabled, hardware-syn-cookie enabled, and the pvasyncookies.enabled db setting is set to false.
Impact:
The VIP enters SYN cookie mode.
Workaround:
Both hardware-syn-cookie and software-syn-cookie should be disabled in the FastL4 profile.
689987-2 : Requests are not logged on new virtual servers after UCS load while ASM is running
Component: Application Security Manager
Symptoms:
Requests are not logged on new virtual servers after UCS load while ASM is running.
Conditions:
UCS file is loaded with different virtual servers while ASM is running.
Impact:
Requests are not logged on newly added Virtual Servers.
Workaround:
You can use either of the following workarounds:
-- Restart ASM.
-- Disassociate the logging profile and re-associate it with all affected virtual servers.
Note: As a best practice, it is recommended that you always perform a full restart after UCS load. To do so, run the following command: bigstart restart.
689982-1 : FTP Protocol Security breaks FTP connection
Component: Application Security Manager
Symptoms:
FTP Protocol Security breaks FTP connection.
Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.
Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.
Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.
1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.
689779 : VE HyperV packet drops under load due to interrupt distribution
Component: TMOS
Symptoms:
A small number of dropped inbound packets to the BIG-IP system while under load.
Network captures on a virtual port mirror show that the packets are reaching the BIG-IP VE, but the packets are not seen by tmm or Linux when running tcpdump on 0.0, 1.1, or eth1.
Conditions:
HyperV Virtual Edition (VE) v12.1.x or earlier.
Impact:
Performance and network degradation due to packet loss.
Workaround:
None.
689583-3 : Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.
Component: Global Traffic Manager (DNS)
Symptoms:
Running big3d from the command line with arguments other than '-v' or '-version' might cause a GTM disruption. When viewing /var/log/gtm, you might see messages similar to the following:
notice big3d[4131]: 012b0020:5: Executable /shared/bin/big3d timestamp is newer than (or the same as) /usr/sbin/big3d.
notice big3d[4137]: 012b0018:5: Respawning to run /shared/bin/big3d.
err big3d[4026]: 012b1015:3: Error 'Address already in use' attempting to bind to socket.
Conditions:
This occurs when attempting to get the big3d version and accidentally typing an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit. Here are some examples (note the double-dash in the first example):
big3d --version
big3d
big3d -xyz
big3d -d
Impact:
GTM server goes red momentarily.
Workaround:
There is no workaround other than not specifying an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit.
689567-3 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
Component: TMOS
Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.
Conditions:
You have an iSeries platform with no AAM license.
Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.
Workaround:
No workaround at this time.
689343-3 : Diameter persistence entries with bi-directional flag created with 10 sec timeout
Component: Service Provider
Symptoms:
Diameter persistence entries have a timeout value of less than 10 seconds, although the configured persistence timeout is 120 seconds.
Conditions:
A Diameter custom persistence iRule ("DIAMETER::persist key 1") with the bi-directional flag is used.
Impact:
The persist timeout is less than 10 seconds, so subsequent requests are dispatched to other pool members.
Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.
689231 : MSSQL filter assumes 64-bit token done row count field
Component: Local Traffic Manager
Symptoms:
A virtual server with an MSSQL profile reports a 'tds internal error (Out of bounds)' message. This occurs when the row count field of the DONE token is not 64-bit, in which case the connection is closed with a reset.
Conditions:
-- This occurs using the MSSQL profile for the virtual server.
-- Pool member is running Microsoft SQL Server 2016 with TDS version 7.1 or earlier.
Impact:
The reset cause shown in a packet capture is: RST cause: [23db241:1807] tds internal error (Out of bounds).
Unable to use TDS 7.1 or earlier with MSSQL filter.
Workaround:
Use TDS 7.2 or later. TDS 7.2 and later use a 64-bit row count field for the DONE token.
689147-1 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
Component: TMOS
Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.
Errors similar to the following appear in /var/log/ltm:
-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition
Errors similar to the following appear in /var/log/secure:
tac_authen_pap_read: invalid reply content, incorrect key?
Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.
Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.
Workaround:
Check /var/log/ltm for more specific error messages.
689117-1 : Transfer Complete log message now includes the SOA Serial number
Component: Global Traffic Manager (DNS)
Symptoms:
It is hard to track the serial numbers of completed zone transfers.
Conditions:
When an AXFR or IXFR completes, the log message does not indicate what serial number was transferred.
Impact:
If there are many, frequent updates to the master zone, it can be difficult to track what serial number(s) have already been transferred from the master server to the DNS Express server.
Workaround:
None.
688833-2 : Inconsistent XFF field in ASM log depending on violation category
Component: Application Security Manager
Symptoms:
Depending on the violation category, the XFF IP field is sometimes reported as 'xff_ip' and sometimes as 'xff ip'.
Conditions:
Viewing the XFF results in ASM log.
Impact:
This might cause problems with the syslog filters configured on the remote loggers.
Workaround:
Configure the syslog filter rules on the remote logger to match both 'xff ip' and 'xff_ip'.
688826-1 : Charts discrepancy in AVR reports
Component: Application Visibility and Reporting
Symptoms:
When filtering on a specific virtual server on the 'last week' interval, the total requests are shown. Then, when you drill down by client IP address, a lower number is reported.
Conditions:
-- Number of records in the database exceeds the maximum amount of data that AVR can aggregate between different table-resolutions.
-- Filter AVR report by client IP address.
Impact:
Stats are incorrect.
Workaround:
None.
688813-1 : Some ASM tables can massively grow in size.
Solution Article: K23345645
Component: Application Visibility and Reporting
Symptoms:
/var/lib/mysql mount point gets full.
Conditions:
Traffic contains many combinations of IP addresses, Device IDs (and other ASM dimensions) over a very long period of time (potentially weeks/months).
Impact:
While other dimensions are collapsed correctly, the Device ID field is not collapsed, which causes the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.
Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.
688570-3 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
Component: Local Traffic Manager
Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.
Conditions:
An MPTCP connection is closed.
Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.
Workaround:
There is no workaround at this time.
688557-3 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
Solution Article: K50462482
Component: Local Traffic Manager
Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.
Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.
Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.
Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
688542-1 : SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request
Component: Local Traffic Manager
Symptoms:
The version of the SASP monitor requests updates only from the SASP GWM (Global Workload Manager) for members whose state has changed from what the GWM last reported. The previous version of the SASP monitor requested periodic updates for all members monitored by the GWM.
Conditions:
Running the version of the SASP (Server/Application State Protocol) monitor included in post-12.1.2 BIG-IP software.
Note: This behavior does not occur with previous versions of the SASP monitor, included in pre-12.1.2 versions of BIG-IP software.
Impact:
This change in behavior from the previous SASP monitor implementation has not been confirmed to cause any observable symptoms. If any symptoms are observed which are suspected to be the result of this change, a support request should be opened with F5 support for further investigation.
Workaround:
None.
688406-3 : HA-Group Score showing 0
Solution Article: K14513346
Component: TMOS
Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.
Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.
Impact:
The total score is not calculated. An incorrect score value is displayed.
Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.
688335-3 : Big3d may restart in a loop on secondary blades of a chassis system
Solution Article: K00502202
Component: Global Traffic Manager (DNS)
Symptoms:
After big3d_install is run against a target system that is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected; big3d continues to run normally there.
Conditions:
The following conditions are required to encounter this issue:
-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system (in other words, it can incorrectly overwrite big3d on the remote system with an older version of big3d).
Impact:
Big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.
However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.
Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
bigstart restart big3d
To prevent this issue from happening, run big3d_install with the SSH installation method by using the following command:
big3d_install -use_ssh <target IP>
688266-3 : big3d and big3d_install use different logic to determine which version of big3d is newer
Component: Global Traffic Manager (DNS)
Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.
This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.
Conditions:
A user runs the big3d_install utility.
Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.
If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.
Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.
If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.
688177-2 : Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade
Component: Device Management
Symptoms:
Following a BIG-IP software upgrade (for example, from version 11.5.4 to version 11.6.1), local users with Administrator role may be changed to Guest role.
Conditions:
The BIG-IP configuration includes one or more local accounts with Administrator role (other than the 'admin' user).
Please note that this issue does not occur on every upgrade, but has roughly a 10% probability of occurring.
Impact:
Administrator users other than 'admin' have no access after the upgrade.
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.
Workaround:
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.
687807-3 : The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception
Component: Local Traffic Manager
Symptoms:
When there is a file named *.crt.csr in folder /config/ssl/ssl.csr/, the GUI posts an error on page: System :: Device Certificates : Device Certificate :: Device Certificate: An error has occurred while trying to process your request.
Conditions:
The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/.
Impact:
-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
+ Manages those files inconsistently.
+ May return errors on System :: Device Certificates : Device Certificate :: Device Certificate (e.g., 'An error has occurred while trying to process your request.').
+ May confuse objects (e.g., 'web-server.crt' and 'web-server.crt.csr').
+ GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing these files, and reports an error.
Workaround:
Rename the csr file suffix from '.crt.csr' to '.csr'.
687797-1 : iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once.
Component: TMOS
Symptoms:
iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot return the details of all SSL certificates present in the configuration at once.
Requests to said endpoint may return a 400 HTTP status code and a stack trace indicating a timeout exception.
Conditions:
This issue is more likely to occur with configurations that include a large number of SSL certificates.
Impact:
The iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once.
Workaround:
You can request the details of one SSL certificate at a time from that particular endpoint (for instance, /mgmt/tm/sys/crypto/cert/~Common~my1.crt).
Or you can request the details of all SSL certificates present in the configuration at once by using the /mgmt/tm/sys/file/ssl-cert endpoint (which is not affected by this issue).
687617-3 : DHCP request-options when set to "none" are reset to defaults when loading the config.
Component: TMOS
Symptoms:
A config load resets the request-option in "tmsh sys management-dhcp" to its default value when it is set to "none" in the configuration.
Conditions:
-- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".
Impact:
User configuration is reverted as a side-effect of config load.
Workaround:
The request-option setting specifies the minimal set of configuration that the DHCP server must provide as part of the lease. Setting it to "none" defeats the whole purpose of DHCP. It is better to set it to a minimal value such as "routers, subnet-mask" in order to retain management connectivity.
687579 : TMSH incorrectly allows setting snat-translation ip-idle-timeout to zero.
Component: Local Traffic Manager
Symptoms:
The configuration setting 'ip-idle-timeout' on the snat-translation object allows zero as a possible value.
Conditions:
Entering the following tmsh command:
tmsh create ltm snat-translation <snat-address> ip-idle-timeout 0
Impact:
The configuration will be invalid. This may cause issues with upgrades and the BIG-IP may not pass traffic correctly or as expected.
Workaround:
Do not set the snat-translation ip-idle-timeout to 0 using tmsh.
687343-3 : Running 'load sys config merge verify' will add new users to the PostGres database
Component: TMOS
Symptoms:
Running 'load sys config merge verify' will add new users to the PostGres database. The system posts an error similar to the following:
010719a2:3: PostgreSQL database error: ERROR: duplicate key value violates unique constraint "auth_user_pkey"
DETAIL: Key (name)=(admin1) already exists.
Conditions:
Issue occurs only under the following conditions:
-- 'load config merge verify' of configurations including user definition.
-- Attempt to create user with same name using 'load config merge', 'create user', or GUI options.
Impact:
It is not possible to use the verify argument when using 'load sys config merge' with configurations containing user definitions.
The 'verify' argument to 'load sys config' does not prevent or roll back side effects.
Workaround:
Manually remove the user data from the PSQL database (in this example the affected user is admin1, as in the error message above); from a bash prompt:
psql -U postgres
\c tmdb
DELETE FROM auth_user WHERE name='admin1';
DROP OWNED BY admin1;
DROP ROLE admin1;
DROP SCHEMA admin1 CASCADE;
\q
687213-1 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
Component: Access Policy Manager
Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry to establish the VPN tunnel.
Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.
Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.
Workaround:
None.
687172 : Pools do not appear as expected after deploying iApp via iWorkflow
Component: TMOS
Symptoms:
Only two of three pools are visible in the iApp view on the BIG-IP system after deploying via iWorkflow 2.2, though the pool can be found as expected in the Pools view.
Conditions:
-- After deploying via iWorkflow 2.2.
-- Using iApp to view configured pools.
Impact:
Unreliable query response can result in unexpected behavior.
Workaround:
Do not rely on the iApps Component View, but inspect BIG-IP (management GUI) Local Traffic pages such as Local Traffic :: Pools : Pool List, or examine the /config/bigip.conf file, to ascertain whether a desired BIG-IP configuration has been created.
687044-2 : tcp-half-open monitors might mark a node up in error
Component: Local Traffic Manager
Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.
Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.
Impact:
The BIG-IP system might occasionally show an incorrect node or pool-member status, although future probes may correct the status.
Workaround:
You can use any of the following workarounds:
-- Configure bigd to run in single process mode by running the following command:
tmsh modify sys db bigd.numprocs value 1
-- Use a tcp monitor in place of the tcp-half-open monitor.
-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.
686816-3 : Link from iApps Components page to Policy Rules invalid
Component: TMOS
Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.
Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.
Impact:
Cannot navigate to the policy rule directly from the Components page.
Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.
686722-2 : When BIG-IP systems are deployed as SAML IdP, the Single Logout Request processing fails if the optional field 'NameID' is missing in the request.
Component: Access Policy Manager
Symptoms:
When the BIG-IP system is deployed as SAML Identity Provider (IdP), during the processing of the Single Logout Request, if NameID is empty in the request, the Single Logout Request fails.
Conditions:
This occurs when the SAML Single Logout Request has an empty NameID field.
Impact:
The processing of the SAML Single Logout request fails.
Workaround:
None.
686718 : VPN tunnel adapter stays up in some cases
Component: Access Policy Manager
Symptoms:
In some cases, the VPN tunnel adapter created by the VPN client stays up even when the tunnel is disconnected.
Conditions:
-- Application launch on VPN establishment is configured on APM.
-- Launched application is not closed.
Impact:
This is a cosmetic issue with no functionality impact. Subsequent launch of VPN creates a new tunnel adapter.
Workaround:
Close the launched application.
686626-2 : The BIG-IP system may connect to an OCSP server using an unexpected source IP address
Component: TMOS
Symptoms:
BIG-IP systems configured to perform OCSP Stapling may connect to an OCSP server using an unexpected source IP address.
The source IP address picked by the BIG-IP system may be something that doesn't exist at all in its configuration.
Additionally, the source IP address picked by the BIG-IP system may appear corrupted or invalid to an Administrator (for example: 0.0.0.112).
Conditions:
Required configuration:
1) The BIG-IP system is running a version prior to 13.0.0.
2) The BIG-IP system is deployed as an IPv4/IPv6 multihoming device.
3) The DNS Resolver used by the OCSP Stapling configuration belongs to a non-0 route domain.
4) The virtual servers performing OCSP Stapling belong to a non-0 route domain different than the one used by the DNS Resolver.
5) Virtual servers using OCSP Stapling include both IPv4 and IPv6 destinations.
6) The OCSP server FQDN resolves to an A record.
With these conditions in place, the issue occurs when a client attempts a connection to one of the OCSP Stapling-enabled IPv6 virtual servers, and this needs to connect to an IPv4 OCSP server.
The source IP address used by the BIG-IP system will be an IPv4 address containing the last 4 bytes of an IPv6 Self-IP address configured on the BIG-IP system.
Impact:
The BIG-IP system fails to perform OCSP Stapling, and the unusual traffic may trigger alarms on your network.
The actual impact is limited, as clients who request validation of the certificate status and do not get it should be able to perform it on their own.
Workaround:
Where possible, you can work around this issue by re-configuring the BIG-IP system so that some of the conditions required for this issue to occur no longer apply.
686563-3 : WMI monitor on invalid node never transitions to DOWN
Component: Local Traffic Manager
Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes time out or monitor responses indicate an error. However, a WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).
Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.
Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.
Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.
686547-3 : WMI monitor sends logging data for credentials when no credentials specified
Component: Local Traffic Manager
Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.
Conditions:
A WMI monitor is configured without including the required username/password credentials.
Impact:
The monitored object will be marked 'down'.
Workaround:
Configure the WMI monitor to include the username/password credentials.
686318 : Inter TMM Caching Delay
Component: WebAccelerator
Symptoms:
In some rare circumstances on VE instances, the transmission of updated cache information from TMM to TMM can be delayed.
Conditions:
VE instances.
Impact:
Different TMM hot content caches may serve different versions of the same document from cache.
Workaround:
None.
686206-1 : Machine Info agent does not collect complete information on disconnected network adapters
Component: Access Policy Manager
Symptoms:
On Mac OS X, the BIG-IP APM Machine Info agent does not collect information for disconnected network adapters.
On Microsoft Windows, the BIG-IP APM Machine Info agent does not collect the MAC address of disconnected network adapters.
Conditions:
Machine info agent is configured in the access policy.
Impact:
Access policy evaluation may yield incorrect results if an access policy node depends on this information.
Workaround:
There is no workaround at this time.
686101-3 : Creating a pool with a new node always assigns the partition of the pool to that node.
Solution Article: K73346501
Component: Local Traffic Manager
Symptoms:
When creating a node while creating a pool, the partition of the node is set to the one of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }
Conditions:
Creating a node while creating a pool in a partition different from the node.
Impact:
The node is displayed in the wrong partition.
Workaround:
Create a node separately and then add it to the pool.
686043-3 : dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets
Component: Advanced Firewall Manager
Symptoms:
ICMP/ICMPv6 fragmented packets with size larger than dos.maxicmpframesize are not counted in stats for the 'ICMP frame too large' DoS vector.
Conditions:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is received.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is received.
Impact:
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not dropped.
-- ICMP fragmented packet with size larger than dos.maxicmpframesize is not counted in stats for 'ICMP frame too large' DoS vector.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not dropped.
-- ICMPv6 fragmented packet with size larger than dos.maxicmp6framesize is not counted in stats for 'ICMP frame too large' DoS vector.
Workaround:
None.
685915-1 : Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured
Component: Global Traffic Manager (DNS)
Symptoms:
If a DNS Express zone that has Verify Notify TSIG checked gets a notify with no TSIG at all, unsigned notifies are not processed.
Conditions:
An unsigned notify is received when Verify Notify TSIG is checked.
Impact:
Unsigned notifies are not processed.
Workaround:
There is no workaround at this time.
685820-1 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
Component: Advanced Firewall Manager
Symptoms:
If ASM is licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.
In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections are always silently dropped after HA-failover.
Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.
Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.
Workaround:
None.
685233-2 : tmctl -d blade command does not work in an SNMP custom MIB
Solution Article: K13125441
Component: TMOS
Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.
Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.
Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.
Workaround:
Instead of tmctl -d blade, use the following command:
tmctl -d /var/tmstat/blade
684096-1 : stats self-link might include the oid twice
Component: TMOS
Symptoms:
The object ID might be erroneously embedded in the self-link twice.
Conditions:
Querying for stats, such as https://<host>/mgmt/tm/ltm/pool/p1/stats.
Impact:
An incorrect self-link is returned.
Workaround:
Be mindful of this when parsing the self-link.
683706-1 : Pool member status remains 'checking' when manually forced down at creation
Component: Local Traffic Manager
Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.
Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.
Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http
Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.
Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.
683454 : HTTP::header command may crash TMM on an erroneous argument
Solution Article: K99294671
Component: Local Traffic Manager
Symptoms:
An iRule command 'HTTP::header insert' or 'HTTP::header remove' allows manipulation of HTTP headers. The iRule accepts arguments that might result in an error if they have an invalid format. TMM generates an internal Tcl error for the argument but continues to process the command. This might cause TMM to crash.
Conditions:
-- iRule is associated with a virtual server.
-- The iRule contains either or both of the 'HTTP::header insert' and 'HTTP::header remove' commands.
-- An argument in the command generates a Tcl error.
Impact:
TMM crashes causing failover and possible disruption in processing traffic.
Workaround:
Sanitize the command's arguments to prevent a Tcl error.
683177-2 : Can't drilldown or filter by 'Client Countries'
Component: Application Visibility and Reporting
Symptoms:
When drilling down or filtering by 'Client Countries' (Security :: Reporting : Application : Charts) there is an error in the GUI.
Conditions:
-- ASM is provisioned.
-- Attempt to drill down or filter by 'Client Countries'.
Impact:
Internal Error is displayed in the GUI.
Workaround:
1. Edit file: /etc/avr/monpd/monp_asm_entities.cfg.
2. Delete line 171: (dim_authz_filter=vip_crc).
3. Issue the command: bigstart restart monpd.
683135-4 : Hardware syncookies number for virtual server stats is unrealistically high
Component: TMOS
Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.
These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.
Conditions:
Virtual server with hardware syncookie protection enabled.
Impact:
Stats issue. Can have impact to traffic if AFM TCP Synflood vector is enabled in mitigation mode.
Workaround:
Disable the TCP Synflood vector in mitigate mode.
Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.
683061-2 : Rapid creation/update/deletion of the same external datagroup may cause core
Component: Local Traffic Manager
Symptoms:
Notice and error messages, and a core, during rapid creation/update/deletion of the same external datagroup:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.
Conditions:
Using an external datagroup, rapidly creating and updating, and then deleting it.
Impact:
TMM crashes and generates a core. Traffic disrupted while tmm restarts.
Note: This is a timing-related crash that might not occur every time.
Workaround:
Allow the tmm process enough time to finish processing external datagroup changes before starting another operation.
Depending on the size of the datagroup, this might require from 1 second to 10 seconds or more. You can examine the LTM log for the create=finished message to help determine how much wait time is required.
683029-2 : Sync of virtual address and self IP traffic groups only happens in one direction
Component: TMOS
Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.
Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)
Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.
Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.
682751-5 : Kerberos keytab file content may be visible.
Component: Access Policy Manager
Symptoms:
Kerberos keytab file content may be visible.
Conditions:
Import a Kerberos keytab file.
From the command line, check the file permissions: the file is world-readable.
Impact:
A keytab is similar to a private key file and should not be world-readable.
Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.
681782-4 : Unicast IP address can be configured in a failover multicast configuration
Component: TMOS
Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.
Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.
Impact:
Failover multicast configuration does not work.
Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.
681673-2 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
Component: Local Traffic Manager
Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC address.
Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.
Impact:
There is not enough information to map the outgoing MAC address to a multicast group, so a default entry with no ports mapped is added. The result is that the frame will not go out the interface indicated in the tmsh command, yet no warning is provided.
Workaround:
None.
681009-2 : Large configurations can cause memory exhaustion during live-install★
Component: TMOS
Symptoms:
System memory can be exhausted, and the kernel kills processes as a result.
Conditions:
During live-install, if configuration roll-forward is enabled, and the compressed configuration size is of a similar order of magnitude as total system memory.
Impact:
The kernel will kill any number of processes; any/all critical applications could become non-functional.
Workaround:
Make sure there are no un-intended large files included in the configuration. Any file stored under /config is considered part of the configuration.
If the configuration is, as intended, on the same order of magnitude as total system memory, do not roll it forward as part of live install. Instead, save it manually and restore it after rebooting to the new software.
To turn off configuration roll-forward: setdb liveinstall.saveconfig disable
To save and restore the configuration manually, see:
https://support.f5.com/csp/article/K13132
680680-2 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
Component: Local Traffic Manager
Symptoms:
In BIG-IP version 10.x, the POP3 monitor sent the STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).
Conditions:
POP3 monitor set up on a mailbox.
Impact:
If the polled mailbox used in the monitoring has a huge number of messages, the STAT command might fail to return results in time.
Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).
680556-2 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
Component: TMOS
Symptoms:
TMM crashes with a subkey that has master_record field set to true.
Conditions:
The specific conditions under which this occurs are not known.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
680298 : FPS may introduce latency even for unprotected pages
Component: Fraud Protection Services
Symptoms:
Depending on TCP profile parameters, FPS may introduce latency even for unprotected pages due to re-chunking of response.
The latency may arise when re-chunking produces a small TCP segment that the BIG-IP system's TCP stack or an upstream device chooses to buffer (for example, due to Nagle's algorithm).
Conditions:
1. FPS attached to virtual server.
2. TCP profile parameters (Nagle's Algorithm, MSS, etc.).
3. Chunked response from server.
Impact:
FPS-unprotected pages may suffer tens to hundreds of milliseconds of latency.
Workaround:
Experience shows that disabling Nagle's Algorithm (for example) might overcome FPS latency, but it should be noted that this sort of mitigation should be carefully examined as it is influenced by many parameters (traffic patterns, other TCP profile parameters, SSL profile, etc.).
679751-4 : Authorization header can cause a connection reset
Component: Access Policy Manager
Symptoms:
APM resets connections and reports an ERR_ARG from a simple web request.
Conditions:
-- APM profile with User Identification Method as HTTP.
-- APM profile with User Identification Method as OauthToken.
-- HTTP traffic arrives with certain types of Authorization headers.
Impact:
Connections are reset and APM logs ERR_ARG, which is not helpful for understanding the cause.
Workaround:
iRule workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Authorization"] contains "Bearer" && [string tolower [HTTP::header "User-Agent"]] contains "onenote" } {
        HTTP::header replace Authorization [string map {"Bearer" ""} [HTTP::header Authorization]]
    }
}
679735-1 : Multidomain SSO infinite redirects from session ID parameters
Component: Access Policy Manager
Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.
In a packet capture, the policy completes on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server cannot find the session, and redirects back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.
Conditions:
Application with a URL parameter containing 'sid', 'sess', or 'S' while using multidomain SSO.
Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.
Workaround:
None.
679722-2 : Configuration sync failure involving self IP references
Component: Advanced Firewall Manager
Symptoms:
Configuration sync fails, generating an error similar to the following:
Caught configuration exception (0), Values (self-IP) specified for self IP (<name>): foreign key index (fw_enforced_policy_FK) do not point at an item that exists in the database..
Conditions:
-- There is another object, such as a firewall policy, that references a self IP address.
-- The self IP address is non-syncable; that is, its traffic group is set to 'traffic-group-local-only'.
Impact:
Sync operation fails.
Workaround:
Set the self IP address' traffic group to a value other than 'traffic-group-local-only', and then force a full load push from the first device.
679613-2 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
Solution Article: K23531420
Component: Local Traffic Manager
Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.
Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.
Impact:
Incorrect routing/switching of traffic.
Workaround:
Use VLANs with a tag value different from '1'.
679605-1 : Device groups with no members will cause upgrade to fail
Component: TMOS
Symptoms:
An empty device group will fail upgrade with this error message:
Syntax Error:(/config/bigip_base.conf at line: 37) "save-on-auto-sync" unexpected argument
Conditions:
This only affects systems with empty device groups.
Impact:
Configuration will fail to load after the upgrade.
Workaround:
Remove the empty device group before upgrading. An empty device group has no effect on the system, so this is a safe action to take.
679431-3 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header
Component: TMOS
Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show the header.
Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.
Impact:
The header is not shown.
Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief
679316-1 : iQuery connections reset during SSL renegotiation
Component: Global Traffic Manager (DNS)
Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.
Note: iQuery connections automatically perform SSL renegotiation every 24 hours.
Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 versus 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).
This issue occurs even in versions where ID 477240 is fixed. There is no fix for this specific trigger of the same message.
Note: The iQuery communication issue is fixed through Bug ID 760471: GTM iQuery connections may be reset during SSL key renegotiation :: https://cdn.f5.com/product/bugtracker/ID760471.html.
Workaround:
There is no workaround at this time, but the problem is fixed via changes made in ID 760471.
679027 : Rare memory corruption in tmrouted while license is being reset
Component: TMOS
Symptoms:
tmrouted core due to memory corruption while license is being reset.
Conditions:
Rarely, when license file is being reset, tmrouted could core.
Impact:
The tmrouted daemon restarts.
678450-3 : No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.
Component: Local Traffic Manager
Symptoms:
When 'Source Port: Preserve Strict' option is configured in performance L4 virtual servers, the 'F5RST port in use' packet is not sent, and connection hangs until timeout.
Conditions:
-- Connect to client and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Connect to client2 and launch:
# nc -p 8080 -v 10.10.10.40 80
-- Modify virtual server vs_web type on LTM and repeat.
When the virtual server type is Standard, 'F5RST port in use' is sent. When the type is Performance (Layer 4), it is not.
Impact:
Connection hangs. No increase for port-in-use stats when using the following commands:
tmsh show /net rst-cause.
Workaround:
None.
678322 : Missing Response Page for 'Login' is not populated upon upgrade
Component: Application Security Manager
Symptoms:
In a rare case, an error appears due to missing 'Login' Response Page when viewing Response Pages in ASM policy.
Conditions:
An ASM policy is missing a record for 'Login' Response Page. It's not clear how this condition was caused.
Impact:
An error appears:
Could not retrieve Login Page Response; Error: Could not get the ResponsePage 'Persistent Flow Response Page Properties', No matching record was found.
Workaround:
Missing Response Page can be added using this query:
mysql> INSERT IGNORE INTO PL_ALTERNATE_RESPONSES (policy_id, cause, response_type, alternate_response_header, alternate_response_content, redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rest_uuid) SELECT p.id as policy_id, cause, response_type, alternate_response_header, alternate_response_content, redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rp.rest_uuid
FROM PL_POLICIES p JOIN PL_ALTERNATE_RESPONSE_DEFAULTS rp where rp.flg_load_defaults = 1;
678117-1 : 'Can't create a home directory' logged for remote users on secondary blades after configsync
Component: TMOS
Symptoms:
When a remotely authenticated user logs in, a new entry is created in /config/bigip/auth/userrolepartitions. During config sync operations, the secondary blade of the device receiving the config logs the following errors:
-- err mcpd[7575]: 01070261:3: Can't create a home directory for username /home/<username> (Failed opening home directory: /home/<username> - No such file or directory)
There is no /home/<username> on the device used as the source of the config sync.
The error message is logged on the secondary blade (of the target system) but not the primary one.
Conditions:
1. Remote user username in /config/bigip/auth/userrolepartitions.
2. No home directory for the remote user in /home/.
Impact:
There is no apparent impact beyond the error message, which sounds quite serious, but has no functional impact.
Workaround:
Create local user account for remote authenticated users.
To do so using the GUI, navigate to System :: Users : User List, and click Create.
678066 : LTM Policy Tcl-enabled values require 'tcl:' prefix★
Component: Local Traffic Manager
Symptoms:
Prior to BIG-IP v12.1.0, LTM Policy implicitly allowed certain fields to contain Tcl expressions, which would be evaluated and used at runtime. Version 12.1.0 expanded the number of LTM Policy action fields that allow Tcl expressions, and also added the restriction that these fields must begin with the 4-character prefix tcl: to differentiate between a Tcl runtime expansion and a simple text string.
Conditions:
Pre-v12.1.0 LTM Policy containing an action that has a Tcl expression in one of the following fields, and does not begin with the 'tcl:' prefix:
- http-uri: value, path, or query string
- http-reply: location
Impact:
The migration process, which should find this situation and automatically correct it, can miss in certain cases, leaving a configuration that may fail validation and not load.
Workaround:
Edit configuration file, manually add the 'tcl:' (without the quotes) prefix for the following actions:
http-uri plus value/path/query
http-reply plus location
677975-2 : SSL may cause the TMM to core when forging a certificate due to race condition
Solution Article: K59237122
Component: Local Traffic Manager
Symptoms:
In an SSL-O environment, SSL may cause TMM to core due to a race condition.
Conditions:
-- After server side completes the SSL handshake.
-- Client side SSL starts to forge a server certificate.
Impact:
Some contexts may be changed due to race condition. TMM might crash. Traffic disrupted while tmm restarts.
Workaround:
None.
677841-1 : Server SSL TLS session reuse with changed SNI uses incorrect session ID
Component: Local Traffic Manager
Symptoms:
If an iRule changes the SNI then the wrong session ID will be retrieved (using the original SNI).
Conditions:
Occurs when SNI is being modified by an iRule to an SNI that is different from the one specified in the server SSL profile.
Impact:
Connection may be rejected by the client if checking at the client occurs (Apache commonly does this). If the client finds that the SNI does not match the SNI in the session information, the connection may be rejected.
Workaround:
Disable SSL session cache. This has the side effect of reducing performance.
677666-3 : /var/tmstat/blades/scripts segment grows in size.
Component: Local Traffic Manager
Symptoms:
Over time, the /var/tmstat/blades/scripts file size grows. This can eventually lead to the system no longer providing up-to-date statistics.
Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.
Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out-of-memory condition as well as out-of-date statistics.
Workaround:
No known workarounds.
677646-1 : System cannot boot up due to prior aborted installation★
Solution Article: K62171231
Component: Access Policy Manager
Symptoms:
System stuck at boot up and never comes up.
Conditions:
An rpm command was aborted while running.
Impact:
BIG-IP system not operational.
Workaround:
Run the following command to remove the extraneous files:
rm -f /shared/lib/rpm/__db.??? && shutdown -r now
677526-2 : Memory leak may occur during connflow failures.
Component: Global Traffic Manager (DNS)
Symptoms:
Memory leak may occur during connflow failures.
Conditions:
Connflow failures occur.
Impact:
TMM memory usage grows.
Workaround:
None.
677485-2 : Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error
Component: TMOS
Symptoms:
After initially configuring a DSC cluster, iControl-REST on BIG-IP systems might fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP system.
Conditions:
-- DSC cluster.
-- iControl REST.
-- BIG-IP system with stale BIG-IP master key in its cache.
-- BIG-IQ attempts to decrypt the secure values.
Impact:
Discovery fails due to secure value decryption error.
Workaround:
Restart iControl-REST server on the BIG-IP system.
On BIG-IP v12.0.0 and later:
-- In TMSH, run the following command:
restart sys service restjavad
-- On the console, run the following command:
bigstart restart restjavad
On BIG-IP v11.x.x:
-- In TMSH, run the following command:
restart sys service icrd
-- On the console, run the following command:
bigstart restart icrd
677442 : During bulk crypto processing for SSL traffic, tmm might restart in rare cases.
Component: Local Traffic Manager
Symptoms:
Processing bulk crypto traffic may cause tmm to crash and restart.
Conditions:
When processing bulk crypto requests handled by the Nitrox-based accelerators, a rare memory-corruption condition might occur. Specific circumstances that trigger the corruption are not known.
Impact:
Segmentation fault and core dump. Traffic disrupted while tmm restarts.
Workaround:
None.
677302 : Unable to save descriptions for firewall objects
Component: Advanced Firewall Manager
Symptoms:
System erases Description field of Address list/Port list objects when the object is modified.
Conditions:
-- Modifying an address/port definition for Address Lists or Port Lists.
-- Object contains a defined Description.
Impact:
Save operation erases Description.
Workaround:
Use tmsh to modify objects.
677270-2 : Trailing comments in iRules are removed from the config when entered/loaded in TMSH or Configuration Utility
Solution Article: K76116244
Component: Local Traffic Manager
Symptoms:
Comments at the bottom of an iRule (outside of any event stanza) end up missing from the config.
Conditions:
-- Merging an iRule from a config file in TMSH, entering the iRule manually in TMSH, or entering the iRule in the iRules Editor of the BIG-IP Configuration Utility.
-- iRule comments are outside of any event stanza.
Impact:
Trailing comments in iRules are lost.
Workaround:
Use one or both of the following workarounds:
-- Make sure comments are inside of an event stanza.
676854-1 : CRL Authentication agent will hang waiting on unresponsive authentication server.
Component: Access Policy Manager
Symptoms:
Some authentication requests never complete. APMD responsiveness degrades over time and eventually restarts.
Conditions:
The CRL Authentication server must be alive enough to accept connections but busy enough to drop requests without closing connections.
Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.
Workaround:
Restarting the CRL Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the CRL backend can detect the issue and allow recovery before the need for APMD to restart.
676709-2 : Diameter virtual server has different behavior of connection-prime when persistence is on/off
Solution Article: K37604585
Component: Service Provider
Symptoms:
When using a Diameter MBLB profile with per-AVP persistence enabled and connection priming enabled, not all pool members may have a connection established as part of priming.
Conditions:
-- Diameter MBLB profile.
-- Per-AVP persistence enabled.
-- Connection priming enabled.
Impact:
It is possible that not all pool members will have a connection established as part of priming.
Workaround:
None.
676643 : FTP passive monitor uses IP address from PASV (not monitor destination)
Component: Local Traffic Manager
Symptoms:
A curl-based Tcl monitor for an FTP passive monitor uses the IP address from the FTP PASV command, rather than the IP address from the monitor destination. This is different from legacy behavior, which ignored the IP address obtained in the PASV command (to always establish a data connection to the IP address defined in the monitor destination). FTP passive monitors reliant upon the legacy behavior may stop working (with the pool member always being marked 'down').
Conditions:
FTP monitor is configured for passive, where the FTP PASV command provides an IP address.
Impact:
This new behavior is correct (the FTP passive monitor should use the IP address from the PASV command). However, configurations assuming legacy behavior to ignore the IP address in the PASV command and instead rely upon the IP address in the monitor destination may stop working (with the pool member always being marked 'down').
Workaround:
This behavior is correct, but to avoid using the IP address in the PASV command, configure the FTP monitor for active mode.
676491-2 : BIG-IP as a DHCP relay while in a DHCP relay chain will use its self-IP as the relay agent.
Component: Local Traffic Manager
Symptoms:
DHCP request is relayed to backend DHCP servers with Self-IP as relay agent instead of DHCP Virtual IP in case of Relay Chaining.
DHCP server will not be able to use the giaddr field to make a subnet determination while providing an IP address to a client.
Conditions:
DHCP relay chain, BIG-IP should be the relay agent right before the pool of DHCP servers.
Impact:
In a DHCP relay chain, the BIG-IP system does not function correctly as the relay agent immediately before the pool of DHCP servers.
Workaround:
1. The relay chain should be used across a single subnet if the DHCP server uses the giaddr to determine subnets for the clients.
2. If the use case is to load balance across multiple DHCP servers and the third-party DHCP relay cannot do so, LTM load balancing can be used.
676442-2 : Changes to RADIUS remote authentication may not fully sync
Solution Article: K37113440
Component: TMOS
Symptoms:
With multiple devices in a sync group, changes to remote authentication (for example, changes made using commands such as: tmsh modify auth radius system-auth servers replace-all-with { AAA_a AAA_b } ) will be effective on the device where the change was made.
And although the changes are synced to tmsh config on the other devices in the group, the changes are not effective on those devices, as may be observed by checking that the changes do not appear in /config/bigip/auth/pam.d/system-auth and /config/bigip/auth/pam.d/radius/system-auth.conf.
Conditions:
Devices in a sync group that will sync system-auth config.
Impact:
Changes to RADIUS authentication will not be effective throughout the device group.
Workaround:
After syncing RADIUS changes, run the following command on all devices:
tmsh save sys config && tmsh load sys config.
676395-1 : Syslog messages seen with error code while viewing ssl certificate detail with debug turned on.
Component: TMOS
Symptoms:
Log message starting with 'Filemap returns Error 1 for file' gets logged into syslog while viewing certificate details.
Conditions:
1. Turn on debug using the following command:
tmsh modify sys syslog daemon-from debug
2. Go to Certificate Management and navigate to view certificate details.
Impact:
No known impact other than the logged message.
Workaround:
Turn off debug using the following command:
tmsh modify sys syslog daemon-from notice
676300-5 : EPSEC binaries may fail to upgrade in some cases★
Solution Article: K04551025
Component: Access Policy Manager
Symptoms:
Windows client may fail to upgrade endpoint security package in some cases. This happens due to a corrupted registration of old endpoint security components.
Conditions:
Corrupted registry entry related to endpoint security components.
Impact:
Client may not be able to upgrade to latest endpoint package hosted on APM.
Workaround:
Remove the following registry keys from the registry:
Note: Use extra care editing the registry. Only remove the following keys, and no others.
"HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_CLASSES_ROOT\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
675742 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores
Component: TMOS
Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:
01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.
The UCS loads successfully, other than the DB variable, but this error message is printed and the DB variables are not loaded.
Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.
-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.
Impact:
The DB variable file fails to load, generating the error message, but that does not stop the loading of the regular configuration files in BIG-IP*.conf.
Workaround:
The 'license.maxcores' value is ignored on hardware devices, so set it to 8 before saving the UCS.
675731-2 : Certain types of GTM Pools not displaying while listing WideIPs
Component: Global Traffic Manager (DNS)
Symptoms:
If you have a CNAME Pool and an AAAA, MX, NAPTR, or SRV pool in the same WideIP, running a 'list' command in TMSH shows only the CNAME pool.
Conditions:
-- A WideIP with a CNAME-type pool and an AAAA-, MX-, NAPTR-, or SRV-type pool.
-- Running a 'list' command in TMSH.
Impact:
-- Unable to properly view full configuration through TMSH.
-- Unable to save the configuration that is not displayed by the 'list' command.
Workaround:
None.
675431-1 : Non-default value in db variable pvaSynCookies.enabled reverts to default value after reboot or mcpd restart
Component: TMOS
Symptoms:
The db variable pvaSynCookies.enabled value changes to true on reboot or mcpd restart.
Conditions:
Db variable pvaSynCookies.enabled is set to false.
Impact:
Hardware syn-cookies are enabled after reboot or mcpd restart.
675368-2 : Unable to reorder rules when one of the rule names contains % or /
Component: TMOS
Symptoms:
Unable to reorder rules when one of the rule names contains % or /.
Conditions:
One of the rule names contains % or /.
Impact:
The rules cannot be reordered.
Workaround:
Rename rules to make sure they don't contain % or /.
675298-1 : F5 MIB value types changed to become RFC compliant
Component: TMOS
Symptoms:
In BIG-IP Version 12.1.2 several F5 MIB variables changed from 64-bit counter types to 32-bit gauge types. This change was made to make the MIBs RFC compliant. In a mixed environment, where some BIG-IPs are running 11.x and some running 12.x this can cause problems with the management station. If the management station cannot load MIBs dependent upon BIG-IP version then those variables can cause errors to be reported on the management station due to type mismatch.
Conditions:
An environment where a management station is managing BIG-IP systems with a mix of version 11.x and 12.x. The station may import a MIB version whose types do not match the MIBs on the BIG-IP system with regards to the type changes made in version 12.x.
Impact:
The management station reports errors due to type mismatch for some variables.
Workaround:
None.
674997 : It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system.
Component: TMOS
Symptoms:
With APM-based system authentication, using tmsh to make changes to the password for user 'admin' will apparently succeed, but the password will be unchanged.
Conditions:
-- APM-based system authentication configured.
-- Using tmsh to make changes to the password for user 'admin'.
Impact:
Unable to change password for default system account.
Workaround:
Switch to local system authentication, change the password for 'admin', then switch back to remote authentication.
674992-3 : AAM traffic report's time period doesn't always apply
Component: WebAccelerator
Symptoms:
AAM traffic report's time period doesn't always apply.
Conditions:
Select a time period on the AAM traffic report page other than last hour.
Impact:
The table and graph still display last hour data.
674957-1 : If a certificate is stored in DER format, exporting it using the GUI corrupts the output.
Component: TMOS
Symptoms:
When a certificate stored in DER format is exported, all bytes with values larger than 0x7E are replaced with 0x3F, and there is one more byte added (0x0a) at the end of the binary file.
Conditions:
Using the GUI to export a certificate stored in DER format.
Impact:
Corrupted certificate.
Workaround:
You will need to use openssl to create a copy of the certificate in .pem or .der format. For example, to export the der certificate myder.crt to a mycert.pem certificate in .pem format, run the following command:
openssl x509 -out mycert.pem -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:myder.crt_75978_1 -inform der
Note: This works for system users who can access the bash command, specifically, those with the administrator role.
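The corruption described above has a recognisable shape in the exported bytes, which makes it easy to verify an export before the certificate is installed anywhere else. The following check is an added example, not F5 code: it parses only the outer ASN.1 SEQUENCE header, flags a blob whose declared length disagrees with its size or that carries the bug's signature (no byte above 0x7E, trailing 0x0A), and includes a simulator of the damage so the check can be exercised on a constructed, non-certificate sample.

```python
"""Integrity check for DER exports affected by bug 674957 (added example, not F5 code).

A valid DER certificate is one outer SEQUENCE (tag 0x30) whose encoded length
covers the whole file exactly.  The GUI bug rewrites every byte above 0x7E to
0x3F and appends 0x0A, which breaks the long-form length prefix (0x81/0x82)
and leaves a trailing byte.  The sample below is constructed and is not a
real certificate; only the outer header matters for this check.
"""

from typing import Optional, Tuple


def der_outer_length(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (header_len, content_len) of the outer DER SEQUENCE.

    Returns None when the first byte is not a SEQUENCE tag or the length
    encoding is not a valid short form (< 0x80) or long form (0x81..0x84).
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: the length is this byte
        return 2, first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def matches_bug_signature(data: bytes) -> bool:
    """True when the blob looks like bug 674957 output: trailing 0x0A, no high bytes."""
    return data.endswith(b"\n") and not any(b > 0x7E for b in data)


def looks_corrupted(data: bytes) -> bool:
    """True when the export should not be trusted.

    Either the outer SEQUENCE header no longer parses, or its declared length
    does not cover the file exactly (DER has no trailing bytes), or the bytes
    carry the bug's signature.
    """
    header = der_outer_length(data)
    if header is None:
        return True
    header_len, content_len = header
    if header_len + content_len != len(data):
        return True
    return matches_bug_signature(data)


def simulate_bug_674957(data: bytes) -> bytes:
    """Reproduce the described damage on a known-good blob, for testing the check."""
    return bytes(0x3F if b > 0x7E else b for b in data) + b"\n"


# Constructed sample: SEQUENCE with a two-byte long-form length (0x82 0x01 0x00 = 256)
# followed by 256 bytes of filler that, like a real certificate, contains high bytes.
GOOD_SAMPLE = b"\x30\x82\x01\x00" + bytes(range(256))
DAMAGED_SAMPLE = simulate_bug_674957(GOOD_SAMPLE)


if __name__ == "__main__":
    import sys

    # Usage: python check_der.py exported.crt
    blob = open(sys.argv[1], "rb").read()
    print("corrupted" if looks_corrupted(blob) else "outer structure consistent")
```

The structural checks are deliberately minimal; a clean result means only that the outer SEQUENCE is intact, so still confirm the export with `openssl x509 -inform der -noout -in <file>` before relying on it.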
674754-2 : ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact
Component: Global Traffic Manager (DNS)
Symptoms:
Changing the email address in ZoneRunner and using a '@' character does not work. System validation catches that the '@' is invalid, but the operation fails silently, and the new email address is not stored.
Note: The '@' character is invalid for the email field because it has other uses in zone files. A dot should be used instead of '@'.
Conditions:
Zone already exists in ZoneRunner.
Trying to update it with a new email address.
Impact:
Confusion as to why the GUI is ignoring the new email address you entered.
Workaround:
The '@' (at sign) character is invalid for ZoneRunner email fields because it has other uses in zone files. Use a '.' (dot, or period) character instead of '@'.
674459 : Users are not expected to change security.commoncriteria DB variable through TMSH
Component: Local Traffic Manager
Symptoms:
Changing the security.commoncriteria db variable to true, and then attempting to change it back to false through TMSH causes validation errors related to SSHD configuration. Users are not expected to change this value without using the ccmode script.
Conditions:
Changing the security.commoncriteria db variable to true, and then back to false.
Impact:
Validation errors. The BIG-IP system remains stuck in Common Criteria mode when it is not desired.
Workaround:
None.
674328-3 : Multicast UDP from BIG-IP may have incorrect checksums
Component: TMOS
Symptoms:
BIG-IP may transmit UDP datagrams with a bad checksum.
Conditions:
Outgoing link-local multicast UDP traffic from the Linux host, such as RIP.
Impact:
Packets may be dropped by adjacent devices.
Workaround:
Disable checksum offloading on the virtual NIC for affected VLANS, e.g. "ethtool --offload vlan1274 rx on tx off"
674297-1 : Custom headers are removed on cross-origin requests
Component: Fraud Protection Services
Symptoms:
Custom headers are removed on cross-origin requests.
Conditions:
A cross domain FPS request uses the FPS custom header. For example: AJAX encryption from one domain to another.
Impact:
The request will be blocked, FPS functionality breaks.
Workaround:
For HOST <HOST NAME> and FPS custom header <HEADER NAME>, a variant of the following iRule can be used:
when HTTP_REQUEST {
    # Remember that this is a CORS preflight for the protected host.
    if { [HTTP::method] equals "OPTIONS" && [HTTP::host] equals "<HOST NAME>" } {
        set modify_allowed_headers 1
    }
}
when HTTP_RESPONSE {
    # Only touch the preflight response, and only if the server already sent the CORS header.
    if { [info exists modify_allowed_headers] && $modify_allowed_headers equals "1" } {
        if { [HTTP::header exists "Access-Control-Allow-Headers"] } {
            set hdr [HTTP::header value "Access-Control-Allow-Headers"]
            append hdr ", <HEADER NAME>"
            HTTP::header replace Access-Control-Allow-Headers $hdr
        }
    }
}
674256-3 : False positive cookie hijacking violation
Solution Article: K60745057
Component: Application Security Manager
Symptoms:
A false positive cookie hijacking violation.
Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.
Impact:
False positive violation / blocking.
Workaround:
When the device ID feature is turned off, the cookie hijacking violation is almost never relevant, because it can only detect cases where some of the TS cookies were taken. The suggestion is to turn off this violation.
673952 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot
Component: TMOS
Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:
notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all
Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.
Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.
Workaround:
None.
673640 : Log messages for virtual server status changes are not immediately logged.
Component: TMOS
Symptoms:
Log messages for virtual server status changes are not immediately logged.
Conditions:
-- Virtual server status due to lasthop-pool going down or coming back up.
-- Viewing associated logs.
Impact:
No status-change messages are present.
Workaround:
None.
673573-6 : tmsh logs boost assertion when running child process and reaches idle-timeout
Component: TMOS
Symptoms:
An idle-timeout occurs while a sub-process is running in interactive mode, resulting in a log message: tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches its idle timeout while a spawned sub-process is still running.
The errors in /var/log/ltm begin with the following text:
'boost assertion failed'
Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.
Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.
Workaround:
None.
673241 : Platform AC power supply faults when subjected to temperature above 50C (122F) at low input voltage.
Component: TMOS
Symptoms:
BIG-IP i15600, i15800 appliances utilizing a single 1500W AC power supply (PWR-0341-XX) shut down and trigger a fault.
Conditions:
This occurs when all of the following conditions are met:
-- PWR-0341-XX Single Supply.
-- input voltage is less than or equal to 100VAC.
-- System is drawing maximum power (greater than 1000W).
-- Inlet temperature of the power supply is greater than 50C (122F).
Impact:
The power supply shuts down to protect itself. This results in appliance shutdown.
Workaround:
You can avoid this issue by doing any of the following:
-- Installing two PSUs in the unit.
-- Ensuring that input voltage is above 100VAC.
-- Operating the system at a temperature lower than 50C (122F).
673147-1 : Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles.
Solution Article: K01350083
Component: TMOS
Symptoms:
The system does not prevent you from configuring a server-side iSession profile and a OneConnect profile on the same virtual server. This is not a valid configuration. Virtual server configuration should allow either a server-side iSession profile or a OneConnect profile, but not both. Although the virtual server configuration completes, three errors are logged to /var/log/tmm:
1) notice ISESSION: 172.27.114.10.443 ! 172.27.14.10.43321: connection error: isession_setup_ssl:1645: server-side SSL hudfilter replacement failed: ERR_NOT_FOUND
2) notice hudchain contains precluded serverside filter: CONNPOOL
3) notice MCP message handling failed in 0x898c80 (16977920): Jul 7 12:34:19 - MCP Message:
notice create {
notice virtual_server_profile {
notice virtual_server_profile_vs_name "/Common/http_optimize_client"
notice virtual_server_profile_profile_name "/Common/oneconnect"
notice virtual_server_profile_object_id 159423
notice virtual_server_profile_profile_class_id profile_connpool
notice virtual_server_profile_profile_type 13
notice virtual_server_profile_profile_context 0
notice virtual_server_profile_partition_id "Common"
notice virtual_server_profile_leaf_name "http_optimize_client"
notice virtual_server_profile_folder_name "/Common"
notice virtual_server_profile_transaction_id 62
notice }
notice }
Loading a configuration containing a virtual server with both a server-side iSession profile and a OneConnect profile succeeds, but logs a mutually exclusive profile error:
notice hudchain contains precluded serverside filter: CONNPOOL
Conditions:
Three conditions must be satisfied.
1) The BIG-IP has AAM licensed.
2) A server-side iSession profile is added to a virtual server.
3) A OneConnect profile is added to the same virtual server.
Conditions 2 and 3 can be done in either order.
Impact:
OneConnect and iSession are mutually exclusive features, because both implement connection pooling. Configuring a virtual server with both server-side iSession and OneConnect profiles will break connection pooling, causing connections associated with the virtual server to hang.
Workaround:
Avoid configuring a server-side iSession profile and a OneConnect profile on the same virtual server, as this is never a valid configuration.
673095 : Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'
Component: Local Traffic Manager
Symptoms:
Unable to load a UCS due to a VLAN validation error.
Conditions:
QinQ VLANs saved in a UCS file.
Impact:
Unable to reload the saved config.
Workaround:
Before loading the config, use tmsh to delete all VLANs. The config then loads successfully.
671553-2 : iCall scripts may make statistics request before the system is ready
Component: TMOS
Symptoms:
iCall scripts may make statistics requests before statsd (a necessary service for stats collection) is ready.
Conditions:
Early during startup.
Impact:
The Tcl script may generate an error and stop working.
Workaround:
Use Tcl's 'catch' command to detect and handle the error.
671372-2 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Solution Article: K01930721
Component: TMOS
Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.
Impact:
The pool will be created but the members will not be modified.
Workaround:
Create a pool in one transaction; followed by modifying members in another transaction.
671261-2 : MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo
Solution Article: K32306231
Component: TMOS
Symptoms:
When selecting 'Notify Status to Virtual Address' on a virtual server, and using the 'Selective' setting of ICMP Echo for a corresponding virtual address, MCP does not recognize that this setting has changed and does not modify the ICMP echo settings of the virtual address accordingly. The previous setting will continue to take effect until another (unrelated) change is made to the virtual address.
Conditions:
The 'Selective' setting of ICMP Echo is used for a virtual address, and the user selects 'Notify Status to Virtual Address' on a virtual server associated with that address.
Impact:
The previous setting will continue to take effect, until an (unrelated) change is made to the virtual address, at which point the new setting will take effect.
Workaround:
After changing the 'Notify Status to Virtual Address' on a virtual server (where 'Selective' setting of ICMP Echo is used for the corresponding virtual address), make another change to the virtual address to cause the new setting to take effect.
671236-2 : BGP local-as command may not work when applied to peer-group
Solution Article: K27343382
Component: TMOS
Symptoms:
Using the BGP level command neighbor <peer-group> local-as <AS> might fail to apply on peers in the peer group.
Conditions:
Applying the BGP local-as command to a peer group.
For instance:
neighbor <peer-group> local-as <AS>.
Impact:
The command fails to apply, and the actual local AS sent to the peer is that of the BGP process and not the one specified in the command.
Workaround:
Apply the BGP local-as directly to the peer, not the peer-group.
671178 : Date/time change after configuring HA may impair configuration sync
Solution Article: K20274760
Component: TMOS
Symptoms:
Configuration not syncing among units in high availability (HA) group.
Conditions:
Date/time is set to an earlier date/time after HA is already configured.
Note: Changes are synced as expected when changing date/time to a later value; only setting it to an earlier one results in this issue.
Impact:
-- Configuration changes are not recognized, and changes are not synced, however, system sync status incorrectly reports as 'in-sync'.
-- The 'Time Since Last Sync' displayed when running 'tmsh show /cm device-group' is negative. Note: This is only a cosmetic issue and has no effect on the system.
Workaround:
Note: Devices should be configured with NTP.
To restore consistency to the group, you can do one of the following:
-- Reset the time to be consistent with peers and make another config change.
-- Make a change on the peer device with the farthest future system time.
-- Force a sync to the device with the farthest future system time using a command similar to the following:
tmsh modify cm device-group <device group name> devices modify { <sync-to-device-name> { set-sync-leader } }
670994-2 : There is no validation for IP address on the ip-address-list for static subscriber
Component: Policy Enforcement Manager
Symptoms:
You can add an IP address for a static subscriber with a subnet mask, and the system creates the subscriber by discarding the subnet mask without any error message.
Conditions:
This occurs when you add an IP address with a subnet mask to the IP address list for a static subscriber.
Impact:
An invalid IP address is added without warning or error.
670893-1 : Sensitive monitor parameters recorded in monitor logs
Component: Local Traffic Manager
Symptoms:
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration, including:
- user-account password
- radius/diameter secret
- snmp community string
Conditions:
This may occur under the following conditions:
1. LTM monitor type is one of the following:
ldap
mssql
mysql
nntp
oracle
postgresql
radius
radius-accounting
smb
snmp-dca
snmp-dca-base
wap
On BIG-IP versions prior to v11.6.0, the LTM monitor type is one of the above, or one of the following:
ftp
imap
pop3
smtp
2. Monitor instance logging or monitor debug logging is enabled by one of the following methods:
a. Monitor instance logging is enabled by setting the 'logging' element to 'enabled' for an LTM node or pool member using the monitor.
b. Monitor debug logging is enabled by setting the 'debug' element to 'yes' for an applicable LTM monitor.
Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors.
Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
670691 : Unable to list ntlm profile in different root folder or partition
Solution Article: K02331705
Component: TMOS
Symptoms:
Unable to list NTLM profiles when they are in a different root folder or partition than the currently active folder or partition.
Conditions:
This occurs when attempting to list a profile that exists in another folder or partition.
For example:
-- The active folder or partition is /Common.
-- The NTLM profile 'my_ntlm' exists in the '/NTLM_Profile' folder or partition.
-- You run a command similar to the following to show details of an NTLM profile: list ltm profile ntlm /NTLM_Profile/my_ntlm.
Impact:
Unable to display NTLM profiles that reside outside of the active folder or partition. The system posts error messages similar to the following:
Error in ntlm: "/NTLM_Profile/my_ntlm" not found.
01020036:3: The requested Config Instance ( /NTLM_Profile/my_ntlm) was not found.
Workaround:
Change folders or partition before listing NTLM profiles.
670520-3 : FastL4 not sending keepalive at proper interval when other side gets response
Component: Local Traffic Manager
Symptoms:
FastL4 does not send keepalives at the proper interval when the other side receives a response. With FastL4, when a response to an LTM-initiated keepalive is received from a device on one side, it is forwarded to the other side.
This appears to cause a keepalive to not be sent on that other side. The keepalive interval is 20 seconds. If the LTM is scheduled to send a keepalive to the server but receives a keepalive response on the client side before it sends the server-side keepalive, the client-side keepalive response is forwarded, but the actual keepalive is not sent to the server.
Conditions:
FastL4 and keepalive.
Impact:
Potential for failure, because in FastL4 the timeout timer is not updated unless a response is returned. Since the LTM does not send the keepalive, there will be no response for that interval.
Workaround:
None.
670501-5 : ASM policies are either not (fully) created or not (fully) deleted on the HA peer device
Solution Article: K85074430
Component: Application Security Manager
Symptoms:
Policies are either not (fully) created or not (fully) deleted on the peer device
Conditions:
-- Device Service Clustering configured.
-- High availability (HA) configuration with Sync-Only (no failover) device group (Auto, incremental) with ASM sync enabled.
-- Create/delete active/inactive ASM policies via TMSH/GUI.
Impact:
Policies are either not created/deleted, or not fully created/deleted.
Note: 'Fully created' and 'fully deleted' mean that the output of the following commands agrees:
# tmsh list asm policy one-line all-properties
# tmsh list asm policy one-line
Workaround:
Issue a forced full sync from the originating device to the device group.
670456-3 : Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number
Component: Access Policy Manager
Symptoms:
The Flash AS3 mx.core::CrossDomainRSLItem() wrapper fails when called with a number of arguments other than 7.
Conditions:
Any Flash application that calls mx.core::CrossDomainRSLItem() with a number of arguments other than 7.
Impact:
Flash application malfunction.
670367-2 : On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.
Solution Article: K39391280
Component: Access Policy Manager
Symptoms:
On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.
The limit of customization group objects that the BIG-IP Virtual Edition (VE) can load is approximately 13 KB.
Conditions:
Large number of policies (thousands) and customization objects (tens of thousands).
Impact:
Unable to load configuration.
Workaround:
Turn off watchdog for mcpd via tmsh using the following command:
tmsh modify sys daemon-ha mcpd heartbeat disabled
Important! Remember to re-enable the mcpd watchdog after the config loads successfully. To do so, run the following command:
tmsh modify sys daemon-ha mcpd heartbeat enabled
670258-2 : Multicast pings not forwarded by TMM
Component: Local Traffic Manager
Symptoms:
When multicast routing is configured, ICMP or ICMP6 pings are not forwarded by TMM even though UDP and other protocol traffic to the same group addresses works.
Conditions:
Multicast routing configured, VIP configured to forward ICMP traffic.
Impact:
Multicast group addresses cannot be reached with ICMP or ICMP6 echo requests.
Workaround:
n/a
669978-4 : SIP monitor - Via header's branch parameter collision.
Solution Article: K15204204
Component: Service Provider
Symptoms:
When there is a failover in a high availability (HA) setup with SIP monitors, the SIP backend servers start flapping on both units. The reason this occurs is that after the failover, the two BIG-IP systems send SIP monitoring messages to the pool members with the same branch parameter on their Via headers. The backend server internal logic gets confused by the request coming from LB2 because it uses the same branch parameters of the request coming from LB1.
Conditions:
The SIP branch hash string is short enough that, when enough SIP monitor messages are sent, branch collisions become possible.
Impact:
This causes the backend server erroneously to send a response message to LB1 instead of LB2.
Workaround:
None.
669585-3 : The tmsh sys log filter is unable to display information in uncompressed log files.
Component: TMOS
Symptoms:
You notice missing log information when reviewing system logs using the tmsh show sys log command.
Conditions:
One or more of the BIG-IP system backup log files, designated with .1, .2, etc., are not compressed.
Note: Backup log files should end with the .gz extension. For example, ltm.1.gz.
You use the tmsh show sys log command to view log information for one or more days in the past.
Impact:
Unable to view the full range of backup log information.
Workaround:
Log in to the Advanced shell (bash).
To ensure all backup logs for a particular log type are compressed, use the following command syntax:
gzip /var/log/<log>.*
For example, to compress the full set of backup logs for the ltm log type, type the following command:
gzip /var/log/ltm.*
Note: The following message is expected if a log file is already compressed: gzip: /var/log/<log>.gz already has .gz suffix -- unchanged
669241-1 : Cannot create stateless virtual servers with ip-protocol set to 'gre'.
Component: TMOS
Symptoms:
Stateless virtual servers can be used only for UDP traffic.
Conditions:
Attempt to create a stateless virtual server with ip-protocol set to 'gre'.
Impact:
Operation does not succeed. Cannot create stateless virtual servers with ip-protocol set to 'gre'.
Workaround:
None.
668849-1 : Upgrade failure for apm-log-setting objects★
Component: Access Policy Manager
Symptoms:
After upgrade to 13.1.0, the configuration fails to load with the error: 01070734:3: Configuration error: In apm log-config (/p1/f1/sso-log-setting-Critical) there can only be one instance of access log configuration
Unexpected Error: Loading configuration process failed.
Conditions:
Before the upgrade, the configuration contains sso form-basedv2 objects or saml sso config objects.
Impact:
mcpd fails to start.
Workaround:
Manually edit bigip.conf, remove all the sso form-basedv2 objects and saml sso config objects, and then run tmsh load sys config.
667661-2 : Adding HA devices to Access Group in BIG-IQ fails with error: 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'
Solution Article: K69015104
Component: Device Management
Symptoms:
Adding a secondary HA device to Access Group fails with error 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'.
Conditions:
Fails when adding an HA device to an Access Group.
Impact:
Device cannot be added to Access Group.
Workaround:
None.
667618-2 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
Component: TMOS
Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The TCP options that are not supported under SYN Cookie protection continue to be unsupported until the machine exits hardware SYN cookies.
Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.
Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.
Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.
Note that if no good traffic hits the virtual server, syncookies will also fail to deactivate, but will do so once both good traffic has been seen, and the attack has ended.
Workaround:
Restarting TMM or rebooting the device clears the HSB issue.
667518 : SSO Configurations update is failing from UI
Component: Access Policy Manager
Symptoms:
SSO Configurations update is failing from the GUI.
Conditions:
Creating an SSO form together with an SSO configuration fails on Update with a UI JavaScript error.
Impact:
From the UI, the user cannot update the SSO configuration while creating an SSO form.
Workaround:
Create separate SSO form and assign to SSO configuration. Or use TMSH to create both.
667476 : Upgrade and config load can fail if a data group record of type string contains a tab character
Component: TMOS
Symptoms:
When a data group record is of type 'string' and contains a tab (\t), the record loads, but when the configuration is saved the record is not saved with enclosing quotes.
Conditions:
-- Data group whose type is string.
-- Record entry that contains a tab character along with other non-whitespace characters.
Note: If other whitespace characters are present the string will have enclosing quotes and this issue will occur.
Impact:
Saved config does not load when running the command: tmsh load /sys config.
Upgrade fails to load the configuration.
Workaround:
In order to either load the configuration or upgrade, you must manually edit the bigip.conf file and enclose the string in quotation marks, as shown in the following example:
Existing config:
==================
ltm data-group internal /Common/sample_dg {
    records {
        entry1 {
            data /BIG-IP BAD
            ...
Modified config:
==================
ltm data-group internal /Common/sample_dg {
    records {
        entry1 {
            data "/BIG-IP BAD"
            ...
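Because the failure only shows up at the next load or upgrade, it is worth scanning a saved bigip.conf for the offending records beforehand. The script below is an added example, not F5 tooling; it assumes the saved file contains the tab as a literal tab character on an unquoted 'data' line (as the release note describes), reports such records, and applies the same quoting fix shown above. The configuration text is constructed from the shape of the example.

```python
"""Pre-load check for bug 667476 (added example, not F5 tooling).

Finds 'data' values inside a saved bigip.conf that contain a tab character
but were written without enclosing double quotes, and rewrites them quoted,
which is the manual fix the release note describes.
"""

import re
from typing import List

# An unquoted 'data' value on its own line that contains at least one tab.
# Values already enclosed in quotes start with '"' and therefore never match.
_UNQUOTED_TAB_DATA = re.compile(
    r'^(?P<indent>[ \t]*)data (?P<value>[^"\n]*\t[^"\n]*)$',
    re.MULTILINE,
)


def find_unquoted_tab_records(conf: str) -> List[str]:
    """Return the raw 'data' values that would fail to load (bug 667476)."""
    return [m.group("value") for m in _UNQUOTED_TAB_DATA.finditer(conf)]


def quote_tab_records(conf: str) -> str:
    """Return the config text with each offending value enclosed in double quotes.

    Running it on already-fixed text is a no-op, so it is safe to apply twice.
    """
    return _UNQUOTED_TAB_DATA.sub(
        lambda m: f'{m.group("indent")}data "{m.group("value")}"', conf
    )


# Constructed sample: entry1 reproduces the broken save, entry2 is already
# quoted, entry3 has no tab.  The tab in entry1 is a real tab character.
SAMPLE_CONF = (
    "ltm data-group internal /Common/sample_dg {\n"
    "    records {\n"
    "        entry1 {\n"
    "            data /BIG-IP\tBAD\n"
    "        }\n"
    "        entry2 {\n"
    '            data "already quoted\tvalue"\n'
    "        }\n"
    "        entry3 {\n"
    "            data plain-value\n"
    "        }\n"
    "    }\n"
    "    type string\n"
    "}\n"
)


if __name__ == "__main__":
    import sys

    # Usage: python check_datagroups.py /config/bigip.conf > bigip.conf.fixed
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONF
    for value in find_unquoted_tab_records(text):
        sys.stderr.write(f"unquoted tab record: {value!r}\n")
    sys.stdout.write(quote_tab_records(text))
```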
667295-1 : 'RTSP::header exists' iRule command always returns True
Solution Article: K51601122
Component: Carrier-Grade NAT
Symptoms:
Using the 'RTSP::header exists' command in an iRule returns true even if the header is not present.
Conditions:
Using the 'RTSP::header exists' command in an iRule, e.g., [RTSP::header exists "Transmitting"].
Impact:
Returns 1 (TRUE) even if the header is not present. Should return 2 (ERR_NOT_FOUND) on failure.
Workaround:
None.
667114-1 : TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
Solution Article: K32622880
Component: TMOS
Symptoms:
TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
Conditions:
-- BWC policy applied.
-- TCP traffic passes through the IP forwarding or L2 forwarding virtual server.
Impact:
Lower throughput than expected.
Workaround:
When using BWC, use a proxy virtual server instead of IP forwarding or L2 forwarding virtual servers.
667082-2 : Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.
Component: TMOS
Symptoms:
Failure occurs when attempting to configure or load OSPF configurations in imish using an interface-level command similar to the following:
ip ospf <IP> message-digest-key <key index> md5 <password>.
Conditions:
This occurs when using the following command:
ip ospf <IP> message-digest-key.
Impact:
The command causes an error and cannot be used or loaded. This may cause OSPFv2 adjacencies to fail.
Workaround:
If possible, use the non-IP version of the interface-level command, similar to the following:
ip ospf message-digest-key <key index> md5 <password>.
666889-1 : Deleting virtual server may cause tmm to segfault
Solution Article: K25769531
Component: Local Traffic Manager
Symptoms:
Deleting virtual server may cause tmm to segfault.
Conditions:
-- Virtual server is rate-limited.
-- In-progress connections exist.
-- Virtual server is deleted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
666497-3 : Some of the Korean translations in Windows Edge Client were incorrect
Component: Access Policy Manager
Symptoms:
Some of the Korean translations in Microsoft Windows Edge Client's main windows are incorrect.
Conditions:
User uses Edge Client application on Windows.
Impact:
Confusion due to inaccurate translation.
Workaround:
None.
666258-2 : GTM/DNS manual resume pool member not saved to config when disabled
Component: Global Traffic Manager (DNS)
Symptoms:
A pool member disabled by manual-resume becomes available after a reboot.
Conditions:
GTM pool is configured with manual-resume enabled and its pool member was once unavailable.
Impact:
Unexpected available pool member which should be disabled.
Workaround:
After the pool member becomes disabled, manually run:
# tmsh save sys config gtm-only
666233-1 : Localdbmgr process cores
Component: Access Policy Manager
Symptoms:
You see continuous "emerg logger: Re-starting localdbmgr" messages and localdbmgr continually cores.
Conditions:
When localdbmgr process tries to persist local user information to the MySQL Database.
Impact:
localdbmgr cores, APM local user database does not initialize.
Workaround:
None.
666127-1 : Flows are incorrectly processed on a standby system.
Component: Local Traffic Manager
Symptoms:
Standby system incorrectly processes flows, even if there is no other traffic group active on that system.
Conditions:
-- Spanning is enabled for a virtual address.
-- No other traffic group active on a standby system.
Impact:
Flows are incorrectly processed.
Workaround:
None.
666117-4 : Network failover without a management address causes active-active after unit1 reboot
Component: TMOS
Symptoms:
An appliance in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.
Conditions:
Device Service Cluster with only self-ips configured for the failover network.
Impact:
Unexpected failover may cause traffic interruption.
Workaround:
Configuring multiple redundant network failover paths, including the management network will reduce the possibility of this problem.
665777 : TMM0 on the secondary blade sends out extra ARP replies
Component: Local Traffic Manager
Symptoms:
TMM0 on the secondary blade can send out more than one ARP reply when it receives an ARP request.
Conditions:
ARP request is received by TMM0 on the secondary blade.
Impact:
The BIG-IP system sends out extra ARP replies.
Workaround:
None.
665425-4 : AVR Max metrics shows wrong values
Solution Article: K24182390
Component: Application Visibility and Reporting
Symptoms:
In the AVR HTTP Page, metrics Max TPS and Max Throughput display incorrect values.
Conditions:
The root cause is a 32-bit overflow, so the incorrect values are displayed when there are high volumes of traffic.
Impact:
Displayed metrics do not correctly show activity.
Workaround:
There is no workaround at this time.
665117-2 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
Solution Article: K33318158
Component: Global Traffic Manager (DNS)
Symptoms:
DNS server status flaps from red to green and back to red.
Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.
Impact:
Server status flaps from red to green and back.
Workaround:
Enable the Transparent setting on these monitors.
664596-1 : One LTM policy causes a different policy to not execute
Component: Local Traffic Manager
Symptoms:
Under certain circumstances, the presence of one LTM policy will preclude another LTM policy from running.
Conditions:
Two policies are attached to a virtual server: a policy with a condition evaluated at HTTP_RESPONSE time prevents a policy that unconditionally acts at HTTP_REQUEST time from running.
Impact:
Expected LTM policy does not run.
Workaround:
None.
664000 : TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing
Component: Local Traffic Manager
Symptoms:
Dynamic configuration changes under live traffic can cause complicated issues or unpredictable behavior. TMM might restart and generate a core file when the key/cert on a profile is modified while ongoing SSL handshakes are using it. The system posts messages similar to the following:
-- crit tmm3[13499]: 01010260:2: Hardware Error(Co-Processor): cn3 request queue stuck
-- warning sod[6005]: 01140029:4: HA crypto_failsafe_t cn-crypto-3 fails action is failover.
Conditions:
The key/cert on a profile is modified while ongoing SSL handshakes are holding it.
In one case, OCSP was removed from all the SSL profiles at some point after the handshake started, so the handshake picked up the new profile without refreshing or invalidating the handshake's copy of the key_cert.
Impact:
Normal functionality might be disrupted. Traffic disrupted while tmm restarts.
Note: There is no support currently for dynamic profile configuration changes while there are ongoing connections using the profile.
Workaround:
Do not try to modify key/certs on a profile while there are a lot of ongoing connections using it.
663946-2 : The vCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
Component: Advanced Firewall Manager
Symptoms:
On a vCMP platform with host and guest using different BIG-IP versions, when DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.
Conditions:
-- vCMP platform with host and guest using different BIG-IP versions.
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).
Impact:
May result in lower than expected DNS load test results.
Workaround:
You can use any of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.
-- Disable hardware offload with sys db Dos.VcmpHWdos.
Note: AFM hardware DoS protection requires the host and vCMP guest to run the same version. When they differ, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.
663925-5 : Virtual server state not updated with pool- or node-based connection limiting
Component: Local Traffic Manager
Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.
Conditions:
The connection count reaches the configured connection limit.
Impact:
Virtual server is automatically disabled when connection limit is reached and returns from the unavailable state after connections decrease.
Connection limiting itself still occurs at the TMM level (the logs show connections being rejected after the maximum limit is reached). The system just does not update the status in mcpd, because update_status is not called automatically.
Workaround:
None.
663911-2 : When running out of memory, MCP can report an incorrect allocation size
Component: TMOS
Symptoms:
If MCP runs out of memory, it may attempt to log how much memory it was allocating when this happened, with a message similar to the following:
Failed to allocate memory for size 260 at clone_message:952.
The memory size indicated in the message may be incorrect.
Conditions:
MCP runs out of memory while attempting an allocation.
Impact:
Misleading logs that make it more difficult to troubleshoot mcpd memory issues.
Workaround:
None.
662301-6 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Component: TMOS
Symptoms:
An error message appears in the GUI reading 'This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.' Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
Restart mcpd by running the following command:
bigstart restart mcpd
662296-1 : Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address
Component: Local Traffic Manager
Symptoms:
Management connectivity loss over the management cluster IP address. This is caused by a secondary blade temporarily taking over the cluster primary due to starvation of clusterd on the blade running tcpdump.
Conditions:
-- A multi-bladed configuration with full traffic load.
-- Run tcpdump -i 0.0.
Impact:
Loss of connectivity to the cluster floating IP address. In /var/log/ltm, clusterd shows timeouts and a temporary change of primaryship.
Workaround:
Mitigation:
-- Use tcpdump -i 0.0 judiciously under heavy load.
Workaround:
-- Kill tcpdump from an SSH session to the slot IP address directly, or from the console.
-- Restart tmm to recover from the MPI stream connection loss.
660895-2 : TMM can crash if TMM count is greater than licensed throughput
Component: TMOS
Symptoms:
The rate shaper used for BIG-IP Virtual Edition (VE) divides the total licensed throughput among the running TMMs to determine a per-TMM throughput. If the TMM count is greater than the licensed throughput, the division yields a per-TMM throughput limit of 0, which is later used as a divisor in rate shaper operations and can result in a divide-by-zero error and a crash. This might repeat indefinitely.
Conditions:
Install a license on a VE with a bandwidth limit where the number of megabits per second (Mbps) is less than the number of TMM instances (typically, the number of CPU cores), for example, a 2 Mbps license on a VE system configured with 4 CPUs.
Note: This has been observed on evaluation licenses, but might be possible in other circumstances.
Impact:
Traffic is disrupted while TMM restarts, potentially repeatedly.
Workaround:
Change the number of vCPUs available to the BIG-IP guest to be less than the licensed throughput.
660826-1 : BIG-IQ Deployment fails with customization-templates
Component: Access Policy Manager
Symptoms:
A BIG-IQ deployment that uses multiple commands in a single transaction to modify a customization group fails.
Conditions:
Simulation in tmsh of what BIG-IQ does:
1) Add a log-on agent to your policy.
2) Edit the log-on agent customization (Advanced Customization: both logon.inc and view.inc). This should create two customization templates.
3) Make a backup of the customization template files in some folder (for example, /tmp). For example, to copy logon.inc and view.inc for the log-on agent in the sjc-access policy (sjc-access_act_logon_page_ag), the following cp commands worked:
cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc
4) tmsh
5) create /cli transaction
6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }
7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }
8) submit /cli transaction
Impact:
The BIG-IQ operation fails in any scenario that involves a change to a customization group.
Workaround:
There is no workaround.
660807 : Clientside command with parking command crashes TMM
Component: Local Traffic Manager
Symptoms:
iRule parking command 'table lookup' inside clientside crashes TMM.
Conditions:
iRule parking command 'table lookup' inside clientside.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
If possible, move the parking command outside clientside/serverside.
660759-4 : Cookie hash persistence sends alerts to application server.
Component: Fraud Protection Services
Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.
Conditions:
-- A persistence profile is attached to the virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.
(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)
Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.
Workaround:
Use an iRule similar to the following to skip the persistence cookie for requests to the alert path (replace <alert-path> with the path the alert handler uses):
ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
        # The virtual server's usual cookie persistence profile stays enabled.
        # Only requests to the alert path skip persistence, so handling an
        # alert cannot overwrite the application's persistence cookie.
        if { [HTTP::path] eq "/<alert-path>/" } {
            persist none
        }
    }
}
660326-2 : Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.★
Component: Application Security Manager
Symptoms:
Upgrade fails when a websecurity profile is assigned to a virtual server but ASM is not provisioned.
Conditions:
-- Websecurity profile assigned to a virtual server.
-- ASM not provisioned.
-- Upgrade to v12.1.0 or later.
Impact:
Upgrade fails.
Note: Although this is an invalid configuration, upgrade should not fail.
Workaround:
There are two workarounds.
-- Provision ASM.
-- Remove all websecurity profiles (and LTM policies that control ASM) from all virtual servers.
Note: The first workaround must be done before the upgrade. The second can be done before the upgrade, or by editing the config files and re-loading the config (first base, then all) using the following command:
tmsh -c 'load sys config partitions all base; load sys config partitions all'
660119-1 : When a monitor is configured with a timeout large enough that timeout plus interval exceeds 86400 seconds, the service may be incorrectly marked down.
Solution Article: K36005385
Component: Local Traffic Manager
Symptoms:
When a monitor is configured with a timeout large enough that timeout plus interval exceeds 86400 seconds, the service may be incorrectly marked down.
Conditions:
A monitor is configured with timeout plus interval larger than 86400 seconds.
Impact:
The service is periodically taken offline, which may result in persistence issues or impact service availability.
Workaround:
Reduce the monitor's timeout to less than (86400 - interval).
659930-1 : Enterprise Manager may receive malformed data if there are multiple monitors on a pool
Component: Global Traffic Manager (DNS)
Symptoms:
Enterprise Manager (EM) may receive malformed data if there are multiple monitors on a pool. big3d returns malformed xml. Messages similar to the following appear in /var/log/em:
Could not parse xml for device.
Conditions:
-- A flapping pool has more than two HTTP-type monitors assigned.
-- iControl data returned from big3d LTM is malformed xml.
Impact:
Malformed data causes EM to not be able to gather stats from big3d.
Workaround:
None.
659888-1 : Profiles with names that contain percentage signs cannot be accessed in TMUI
Component: TMOS
Symptoms:
Clicking profiles on the list page in the Configuration Utility (GUI) with names that contain a percentage sign does not take you to the profile page.
Conditions:
-- Clicking profile names with percentage signs.
-- The profiles list page in the GUI.
Impact:
The profile pages cannot be accessed from the profiles list page in the GUI.
Workaround:
Use tmsh or rename your profiles so their name does not include a percentage sign.
658278-3 : Network Access configuration with Layered-VS does not work with Edge Client
Component: Access Policy Manager
Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.
Conditions:
Network Access is configured as follows:
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.
Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.
Workaround:
None.
658103 : TMM core while adding logging action to APM SWG
Solution Article: K00652162
Component: Access Policy Manager
Symptoms:
TMM core while adding logging action to APM SWG.
Conditions:
-- Use of an application lookup perflow variable (perflow.application_lookup.result.*) in an SWG per-request Logging Agent.
-- No Application Lookup Agent found prior in the chain.
For example:
-- The following agent chain crashes:
start : logging : allow
-- The following agent chain succeeds:
start : application lookup : logging : allow
Impact:
TMM core. Traffic disrupted while tmm restarts.
Workaround:
There are two possible workarounds:
-- Remove the applicable perflow variables from the logging agent.
-- Add an application lookup before trying to log application lookup perflow variables.
658036-2 : Honoring negotiated MSS for TCP segmentation
Solution Article: K04651090
Component: TMOS
Symptoms:
Following are the symptoms:
1. When the BIG-IP system's MTUs are larger than the smallest MTU in the end-to-end path:
-- The BIG-IP system does not mark coalesced packets that are larger than the egress MSS but smaller than the egress MTU for segmentation. As a result, the BIG-IP system receives 'ICMP fragmentation needed' messages from an intermediate router, which drops the packets when the Don't Fragment (DF) bit is set in the IP header.
2. When the BIG-IP system's MTUs are less than 1500:
-- On ingress, the BIG-IP system rejects coalesced packets that are larger than the ingress MTU, less than 1500 bytes, and have the DF bit set in the IP header. The BIG-IP system sends an 'ICMP fragmentation needed' message to the sender.
Conditions:
* Generic Receive Offload (GRO) and Large Receive Offload (LRO) for data plane interfaces are supported and enabled (both in host and guest).
* Packets are sent with DF bit set.
* For #1:
-- FastL4 profile in use.
-- The BIG-IP system's VLAN MTUs are larger than the smallest MTU in the end-to-end path.
* For #2:
-- The BIG-IP system's MTUs are set to a value that is less than 1500.
-- The packets' DF bits are set.
Impact:
No traffic or very low throughput.
Workaround:
Disable LRO and GRO for data plane interfaces using the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
Note: For KVM virtio devices, LRO/GRO must also be turned off on the host NIC.
657834-2 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
Solution Article: K45005512
Component: TMOS
Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.
Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.
Note: The greater the number of routes flapping, the more likely the condition is to occur.
Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.
However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.
Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.
657727-2 : Running tcpdump from TMSH cannot capture the local "tmm" interface
Solution Article: K39694060
Component: TMOS
Symptoms:
Cannot run tcpdump against the "tmm" interface. System posts errors similar to the following:
tcpdump: pcap_loop: Device /Common/tmm not found
tcpdump: ioctl: No such device
This occurs because the 'tmm0' interface was renamed to 'tmm' beginning in v12.1.0, but the libbigpacket conditional logic to handle "special device names" still references 'tmm0'.
Conditions:
-- When running tmsh, an environment variable ("TMOS_PATH") is set.
-- The user logs in to the CLI with a default shell of tmsh (either as configured, or with a role assigned via remote-roles), or tries to run tcpdump via tmsh.
Impact:
Cannot run tcpdump on the 'tmm' internal interface.
Workaround:
Unset the 'TMOS_PATH' environment variable before running tcpdump.
657531-2 : High memory usage when using the ICAP server
Solution Article: K02310615
Component: Application Security Manager
Symptoms:
High UMU memory when using the ICAP server.
Conditions:
-- ICAP is in use.
-- Long requests (longer than 128 KB) are forwarded to the ICAP server.
Impact:
UMU memory goes up.
Workaround:
-- Decrease the maximum number of concurrent long requests.
-- Decrease the long-request buffer size.
-- Make sure the ICAP server is up, running, and responding quickly (the issue is more visible when the ICAP server is lagging).
657118-1 : Tmm crash
Component: Local Traffic Manager
Symptoms:
TMM crashes while passing traffic and generates core file.
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
655767-5 : MCPD does not prevent deleting an iRule that contains in-use procedures
Component: Local Traffic Manager
Symptoms:
MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:
01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).
However, if an iRule attached to a virtual server makes a procedure call into a different iRule, it is possible to delete that second iRule with no error. This results in a configuration that subsequently fails to load (MCPD validation catches the problem during a config load), or fails if a full configuration sync is performed.
Conditions:
iRules that call procedures in other iRules are in use.
Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.
Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.
655484-1 : GUI LTM Pool Statistics Page running out of memory with large number of Pools
Solution Article: K69912019
Component: TMOS
Symptoms:
When there is a large number of configured Pools, it can adversely affect Pool Statistics Page display, causing an Out of Memory error.
Conditions:
Configure 2200 or more pools, and go to the Pool Statistics page.
Impact:
The page does not display because it causes Tomcat to run out of memory and restart automatically.
Workaround:
You can increase the memory allocated to Tomcat. For more information, see K9719: Error Message: java.lang.OutOfMemoryError, available at https://support.f5.com/csp/article/K9719
655464 : Incorrect information about number of cores/guests on i11000 platforms
Component: TMOS
Symptoms:
-- Commands 'getconf _NPROCESSORS_CONF' and 'guishell -c 'select max_vcmp_guests from blade_info'' show different information.
-- Command 'tmsh create vcmp guest <guest_name>' fails and reports an error:
Could not allocate vCMP guest (<guest_name>) because fragmented resources.
Conditions:
-- i11000 hardware with 36 cores.
-- vCMP guests are utilizing 32 cores of the system (four 8-core guests are installed).
-- Try to install a new guest.
Impact:
-- vCMP guest GUI page shows 36 cores are available, but only 32 cores are actually available for vCMP guests.
-- After four 8-core guests are installed, the BIG-IP system should not allow new guest installations. If you try to install a new guest, the system reports an error that does not describe the real issue:
Could not allocate vCMP guest (<guest_name>) because fragmented resources.
Workaround:
Limit the number of vCMP guests to the number reported by the command:
guishell -c 'select max_vcmp_guests from blade_info'
654981-3 : Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action
Component: Local Traffic Manager
Symptoms:
Local Traffic Policies configured for First Match mode may not stop executing after the first matched rule.
Conditions:
This happens when the first matched rule has no action (i.e. is set to ignore).
Impact:
This may cause Local Traffic Policies to execute an unintended action.
Workaround:
Rework the rules in your affected Local Traffic Policies so that every rule has at least one associated action.
654915-3 : Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address
Component: Application Visibility and Reporting
Symptoms:
For traffic capturing, if a pool member is assigned a special name (e.g., 'for internal activity'), the external AVR log will report the internal IP address instead of the pool member name.
Conditions:
1. Assign name to internal pool member.
2. Enable HTTP traffic capturing.
3. Allow AVR to collect HTTP statistics.
4. View pool member name in external AVR log.
Impact:
External log reports internal IP address instead of pool member name.
Workaround:
There is no workaround at this time.
653928 : On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed with Conflicting configuration error.★
Component: TMOS
Symptoms:
On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed due to an incorrect configuration. The system posts a Conflicting configuration message in response to the error.
Conditions:
There are multiple ways to encounter this:
-- The BIG-IP system has a working configuration and is running normally. If the configuration becomes invalid, due to hardware configuration changes, a configuration mistake, or a typo in one of the configuration files, the MCPD never reaches the running state due to the configuration load error.
-- If the BIG-IP system is managed by a BIG-IQ device, and the BIG-IQ device revokes the BIG-IP system's license, the configuration load might start failing if the BIG-IP system's configuration contains advanced features that require an active license.
Impact:
If the misconfiguration occurs during an upgrade from 10.2.4 to 12.1.x, the operation fails with the DHCP error.
In these cases, when you try to load the default configuration through 'tmsh load sys config default', the configuration load fails with this error:
/Common/management-ip: Conflicting configuration. Management-ip can't be created manually while DHCP is enabled. Within tmsh run 'modify sys global-settings mgmt-dhcp disabled' before manually changing the management-ip.
MCPD never reaches the running state and the BIG-IP system does not function as expected.
Workaround:
Once this problem occurs, there is no way to force 'load sys config default' without first resolving the 'base config load failure' mcpd status, which requires repairing the configuration errors that caused the initial base configuration load failure.
To do so, review the log files to determine the specific misconfiguration and remove it from the corresponding configuration file. Then try the configuration load operation again.
653573 : ADMd not cleaning up child rsync processes
Component: Anomaly Detection Services
Symptoms:
ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, which can result in zombie processes.
Conditions:
The rsync process ends via exit (which might occur if there is an issue with the process).
Impact:
Although there is no technical impact, there are many zombie processes left behind.
Workaround:
Restart admd to remove all existing rsync zombies:
bigstart restart admd
653228-2 : SNAT does not work properly on FTP VIP2VIP
Solution Article: K34312110
Component: Local Traffic Manager
Symptoms:
SNAT does not work properly on FTP VIP2VIP.
Conditions:
-- FTP traffic is passed VIP2VIP to a second virtual server.
-- SNAT is configured on the second virtual server.
Impact:
SNAT does not work properly on FTP VIP2VIP on data channel.
Workaround:
Do not configure SNAT on the second virtual server.
653137-1 : Virtual flaps when FQDN node and pool configured with autopopulate
Solution Article: K24159492
Component: Local Traffic Manager
Symptoms:
Virtual address status flaps (RED :: BLUE :: DOWN :: UNCHECKED) when the FQDN node and pool are configured with autopopulate enabled, and the FQDN DNS response returns the same addresses.
Conditions:
-- FQDN node and pool are configured with autopopulate enabled.
-- FQDN DNS response returns the same addresses.
Impact:
The virtual server becomes unavailable, and later switches to unchecked.
Workaround:
None.
652577-2 : Changes to MAC Masquerading may leave the Standby unit unable to reach the floating Self-IP address
Component: Local Traffic Manager
Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.
Conditions:
- HA pair
- Traffic-group with a MAC set in the MAC Masquerading setting.
- Floating Self-IP using the above traffic-group
- Make a change to the MAC Masquerading MAC address on the Active unit.
- Run a config-sync from Active to Standby
Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.
Workaround:
Reboot or restart TMM.
652530 : Parameter names are case sensitive in Internet Explorer 9 only
Component: Fraud Protection Services
Symptoms:
Misconfigured parameter names with incorrect case work as if they were configured correctly in all browsers except Internet Explorer 9.
Conditions:
Parameter names are configured in the wrong case.
Impact:
Encryption and data integrity features will appear to work as expected in all browsers except Internet Explorer 9.
In Internet Explorer 9, encryption and data integrity will not be activated on the misconfigured parameter.
Workaround:
Reconfigure the parameter name to use the correct case.
652370-1 : The persist cookie insert iRule command may leak memory
Component: Local Traffic Manager
Symptoms:
In some situations, the persist cookie insert iRule command may leak memory for the cookie name.
Conditions:
The persist cookie insert iRule command is used.
Impact:
Eventually, the TMM will run out of memory due to the leak.
652223-1 : BWC: Non-TCP data going through Category can make policy active
Solution Article: K50325308
Component: TMOS
Symptoms:
When a category is set to a rate lower than 100% of the user rate, the traffic going through the category is non-TCP, and the amount of data is 150% of the instance rate, the policy can become active, lowering the overall bandwidth.
Conditions:
This occurs when all of the following conditions are met:
-- Category rate is less than max-user-rate.
-- Traffic is non-TCP data.
-- Amount of data passing is 150% of max-user-rate.
Impact:
BWC dynamic policy cannot achieve 100% of max-rate.
Workaround:
Increase the max-rate of any dynamic policy, and add an additional static policy set to the max-rate expected from the dynamic policy.
Note: There is no actual fix for this issue other than not using UDP traffic in categories where the traffic on that UDP category is expected to reach 150% or more of the maximum fair rate provided by the BWC instance. Note that a PEM subscriber and a BWC instance have a 1-to-1 relationship.
652222-1 : Sending scheduled-reports will fail due to lack of backend support
Component: Application Visibility and Reporting
Symptoms:
Using the scheduled report from the GUI fails and leaves orphaned file descriptors every time the scheduled report runs.
Conditions:
Using the scheduled report from the GUI.
Impact:
Scheduled reports do not work, and the system accumulates more orphaned open file descriptors every time it tries to send the report.
Workaround:
None.
651169-3 : The Dashboard does not show an alert when a power supply is unplugged
Component: Advanced Firewall Manager
Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.
Conditions:
One of the power supplies is unplugged.
Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.
Workaround:
None.
651136-2 : ReqLog profile on FTP virtual server with default profile can result in service disruption.
Solution Article: K36893451
Component: TMOS
Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.
Conditions:
A virtual server using the default (inherited) FTP profile is configured with a ReqLog profile.
Impact:
Service disruption, fail-over event.
Workaround:
Create a non-inheriting FTP profile for the FTP virtual server that has the ReqLog profile.
651005-3 : FTP data connection may use incorrect auto-lasthop settings.
Component: Local Traffic Manager
Symptoms:
Due to a known issue, the FTP data connection may fail to use the auto-lasthop setting configured on the virtual server and use the value configured at the VLAN level instead.
Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'
(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'
With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'
(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'
Impact:
FTP data connection may fail to be established.
Workaround:
Use routing instead of auto-lasthop.
Alternatively, enable auto-lasthop at the VLAN level.
650019-2 : The commented-out sample functions in audit_forwarder.tcl are incorrect
Component: TMOS
Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.
Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.
Impact:
The Transform function may not work if the examples are followed.
Workaround:
Use the default Transform function as a starting point instead of one of the examples.
649897 : Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown.
Component: Local Traffic Manager
Symptoms:
Using iControl REST, making a change to an FQDN pool member causes the pool member availability to become 'unknown'.
Conditions:
Using iControl REST, modify an existing pool member configured with an FQDN name.
Note: This issue does not affect pool members configured to point directly at an IP address.
Impact:
The pool member status will show 'unknown'.
Workaround:
None.
649441-2 : Classification memory allocation
Component: Traffic Classification Engine
Symptoms:
The Classification library ('CE') allocates an extra 2 KB of memory per flow and never uses it.
Conditions:
Classification and HTTP profile attached to Virtual Server.
Impact:
High memory footprint for heavily loaded systems.
Workaround:
Install latest Classification Update Package ('IM Package').
649275-2 : RSASSA-PSS client certificates support in Client SSL
Component: Local Traffic Manager
Symptoms:
Client certificate verification in BIG-IP v11.6.0 through 13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.
Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version from BIG-IP v11.6.0 through 13.1.0.
Impact:
SSL connections using client PSS certificates are rejected.
Workaround:
None.
648873-3 : Traffic-group failover-objects cannot be retrieved via iControl REST
Solution Article: K93513131
Component: TMOS
Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].
(The ... represents the data that was presented as a list property.)
Conditions:
Trying to use iControl REST to get the failover-objects associated with floating traffic-groups.
Impact:
No access to the list of failover-objects associated with a specific floating traffic-group via the iControl REST interface.
Workaround:
Use a different user interface (tmsh or GUI).
648806-1 : Invalid "with the first highest ratio counter" logging for pool member ratio load balance
Component: Global Traffic Manager (DNS)
Symptoms:
Invalid value for "with the first highest ratio counter" for wideip load balancing decision is logged.
Conditions:
Enabled logging for wideip load balancing decision.
Impact:
Invalid value is logged for "with the first highest ratio counter".
648316-3 : Flows using DEFLATE decompression can generate error message during flow tear-down.
Solution Article: K10776106
Component: TMOS
Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:
Zip engine ctx eviction (comp_code=4): ctx dropped.
Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.
Impact:
False errors can appear:
o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.
Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.
Workaround:
Disable hardware acceleration.
647834-4 : Failover DB variables do not correctly implement 'reset-to-default'
Component: TMOS
Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.
Conditions:
This is known to affect at least the following failover-related DB variables:
log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary
Impact:
The configuration change does not take effect.
Workaround:
Explicitly set the DB variable to the desired value.
647812-3 : /tmp/wccp.log file grows unbounded
Component: TMOS
Symptoms:
WCCP uses /tmp/wccp.log as output for diagnostic information, independent of log level or db key. This file can grow unbounded if there are never any WCCP packets sent. If packets are sent, the file is cleaned up automatically.
Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.
Impact:
/tmp/wccp.log grows unbounded, filling up the disk.
647590-2 : Apmd crashes with segmentation fault when trying to load access policy
Component: Access Policy Manager
Symptoms:
Rarely, apmd restarts when trying to re-load an access policy.
Conditions:
This occurs when some of the policy items are modified while apmd is trying to re-load the access policy.
Impact:
The apmd process restarts.
Workaround:
None.
647158-3 : Internal virtual server inherits CMP hash mode from parent virtual server
Solution Article: K76581555
Component: Service Provider
Symptoms:
An internal virtual server might behave in unexpected ways, such as abort a client connection before connecting to the server.
Conditions:
Virtual server with request-adapt or response-adapt profile and a VLAN with 'cmp-hash' mode 'src-ip'.
Internal virtual server without a VLAN or 'cmp-hash' setting.
Impact:
The internal virtual server might sometimes abort when attempting to make a connection to the server. This occurs after a successful load-balance pick indicated by the LB_SELECTED event, but before a TCP SYN packet is sent to the server. As a result the parent virtual performs the service-down-action configured in the request-adapt or response-adapt profile.
Workaround:
If possible, do not use the cmp-hash mode 'src-ip'.
647151-1 : CPU overtemp condition threshold is 75C
Component: TMOS
Symptoms:
A CPU overtemp condition is logged when a B4450 CPU reaches 75C.
Conditions:
CPU temperature is only 75C and ambient temperature in the blade is in the normal range.
Impact:
Since the temperature threshold is set too low, the warning does not indicate an actual problem.
Workaround:
None.
646768-4 : VCMP Guest CM device name not set to hostname when deployed
Solution Article: K71255118
Component: TMOS
Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.
Impact:
The vCMP guest does not use the configured hostname.
Workaround:
-- In tmsh, run the following commands, in sequence:
mv cm device bigip1 HOSTNAME
save sys config
-- Rename the device name in the GUI.
646495-2 : BIG-IP may send oversized TCP segments on traffic it originates
Component: Local Traffic Manager
Symptoms:
The Linux host on BIG-IP may send TCP segments larger than the TCP MSS advertised by a remote host.
Conditions:
Received TCP MSS (plus protocol overhead) smaller than configured MTU of interface.
Linux host sending large TCP segments, such as SNMP getbulk replies.
Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.
Workaround:
Disable segmentation offload for the vNIC.
646440-7 : TMSH allows mirror for persistence even when no mirroring configuration exists
Component: Local Traffic Manager
Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.
Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.
Impact:
A memory leak and degraded performance can occur when:
-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.
Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.
If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:
1. Access the BIG-IP Bash prompt.
2. List the Persistence profiles with the following command:
tmsh list ltm persistence
3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.
4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled
5. Save the changes to the Persistence profiles:
tmsh save sys config
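The five-step workaround above is easy to get wrong by hand when there are many profiles. The following is an added example, not F5's code or anything from the release notes: it parses the text output of 'tmsh list ltm persistence' for profiles that carry 'mirror enabled' and emits exactly the 'tmsh modify ... mirror disabled' and 'tmsh save sys config' commands the workaround prescribes. The profile names and types in the sample output are constructed for illustration; on a BIG-IP you would feed it the real command output instead.

```shell
#!/bin/sh
# Added example (not F5's code): find persistence profiles with
# 'mirror enabled' in 'tmsh list ltm persistence' output and emit
# the commands from the workaround. Runs offline on a sample.

# Constructed sample of 'tmsh list ltm persistence' output
# (profile names and settings are made up for illustration).
SAMPLE_LIST='ltm persistence cookie /Common/cookie_no_mirror {
    app-service none
    cookie-name BIGipServer
    mirror disabled
}
ltm persistence source-addr /Common/srcaddr_mirrored {
    app-service none
    mirror enabled
    timeout 180
}
ltm persistence ssl /Common/ssl_mirrored {
    mirror enabled
}
ltm persistence universal /Common/univ_default {
    rule /Common/my_persist_rule
}'

# Print "<type> <name>" for every profile whose block contains
# 'mirror enabled'. Each profile starts with an 'ltm persistence'
# header line; awk remembers the type and name until the next header.
find_mirrored() {
    printf '%s\n' "$1" | awk '
        /^ltm persistence / { type = $3; name = $4 }
        /^[[:space:]]*mirror[[:space:]]+enabled/ { print type, name }
    '
}

# Turn the list from find_mirrored into the modify commands the
# workaround prescribes, followed by the save step.
emit_fix_commands() {
    find_mirrored "$1" | while read -r type name; do
        printf 'tmsh modify ltm persistence %s %s mirror disabled\n' "$type" "$name"
    done
    printf 'tmsh save sys config\n'
}

# Stand-alone run: show the commands for the constructed sample.
emit_fix_commands "$SAMPLE_LIST"
```

One check worth doing before trusting the result: plain 'tmsh list' prints only settings that differ from the parent profile, so a profile inheriting 'mirror enabled' from a custom parent would not show the line. Run 'tmsh list ltm persistence all-properties' and feed that output to the script to see inherited values as well; the parser handles both forms.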
645674-2 : 'bigd' message send to 'mcpd' failure is not logged
Component: Local Traffic Manager
Symptoms:
A bigd message to mcpd notifying of monitor status change may fail to be sent, without log notification, when the message is too large.
Conditions:
A message sent from bigd to mcpd that is too large (e.g., because of the unbounded accumulation of HTTP/1.1 200 codes with unique values).
Impact:
Mcpd is not notified of the monitor status change, and the missing message is not logged. The monitor reflects an incorrect status until a future status change triggers a successful notification-message to be sent from bigd to mcpd.
Workaround:
Diagnosis of an incorrect monitor status may identify this issue, but no direct workaround is available.
The issue of the too-large bigd message is described in ID 645197, and involves the accumulation of unique HTTP/1.1 200 codes (indicating monitor success) without a monitor status-change for extended time (days or weeks). When a monitor status change finally occurs, bigd cannot notify mcpd because the message is too big. Thus, there is no indication of the monitor-status change. The secondary issue, here, is that there is no log message indicating the status-change-message-send failure.
645635-2 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
Component: Local Traffic Manager
Symptoms:
vCMP clusters without configured slot-specific management-ip addresses will report 0.0.0.0 for: sFlow (Agent Address), High Speed Logging (in certain log messages), and IPFIX (domain ID).
When creating vCMP guests, the cluster's floating IP address is configured on the host using a command of the form: 'tmsh modify vcmp guest guest0 management-ip 10.1.2.3/24'; however, this leaves the slot-specific management IP address unconfigured. In this case, the affected services (sFlow, HSL, and IPFIX) will report 0.0.0.0 as their management IP address.
Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sflow and/or HSL and/or IPFIX configured.
Impact:
sflow, HSL, and IPFIX may incorrectly use 0.0.0.0 when identifying the BIG-IP system by management IP address. For sFlow, this is the default Agent Address. For HSL, certain log messages which identify the origin BIG-IP system by its management IP address will use this default value. For IPFIX, the domain ID will use this default value.
Workaround:
Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a vCMP guest that runs on a single slot, use a command similar to the following:
tmsh modify sys cluster default members { 1 { address 10.1.2.3 } }
645206-4 : Missing cipher suites in outgoing LDAP TLS ClientHello★
Solution Article: K23105004
Component: TMOS
Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behavior is also seen for BIG-IP system auth via LDAP or AD when TLS is used.
Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.
Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.
Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.
644979-2 : Errors not logged from hourly 1k key generation cron job
Component: TMOS
Symptoms:
Errors from the hourly 1024-bit (1k) key generation cron job are not logged as intended.
Conditions:
This occurs during hourly generation of ephemeral keys.
Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.
Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.
644135 : 12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics
Solution Article: K53342451
Component: TMOS
Symptoms:
12.1.1-hf1 only supports module tuning for Source Photonics 100G LR4 optics. It does not support Finisar 100G LR4 optics via f5optics.
Conditions:
This is relevant only if you are running 12.1.1-hf1, and are using Finisar 100G optics.
Impact:
FCS errors may be observed on interfaces using Finisar 100G LR4 optics.
Workaround:
The only workaround is to update the software you are running with an engineering hotfix or software version that supports module tuning for Finisar 100G LR4 optics.
Note: This issue applies only to 12.1.1-hf1. This issue is addressed in other versions using a mechanism different from 12.1.1-hf1. For version 12.1.1-hf1, there is an engineering hotfix available to support Finisar 100G LR4 optics.
625156 : Bigd memory leak
Solution Article: K50524736
Component: LTM
Symptoms:
The bigd process grows in size until one of two things happens:
-- The Linux kernel runs out of memory and OOM kills the bigd process (or potentially some other large process) a few hours after the system starts up.
-- On high-end platforms, the bigd process grows to just under 4GB in virtual size (vsize) and starts failing in unexpected ways, for example marking targets down that are not actually down, or failing to detect targets that are down.
Conditions:
-- You are running BIG-IP 12.1.5.3.
-- You have HTTPS monitors configured.
Impact:
A memory leak occurs. Depending on the platform, process daemons might restart or fail. Monitored targets may be incorrectly marked down.
Although restarting bigd is not traffic-impacting, it is possible that other daemon processes restart due to low memory conditions, and could disrupt traffic while they restart.
Workaround:
None.
643860-4 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
Solution Article: K41573401
Component: Local Traffic Manager
Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:
-- In /var/log/tmm:
notice MCP connection expired early in startup; retrying.
-- In /var/log/ltm:
mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.
Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.
Impact:
The TMM processes will restart and fail to come up properly.
Workaround:
To recover, reboot the system.
Note: Do not perform file open operations on /dev/vnic. There is no need to.
643799-1 : Deleting a partition may cause a sync validation error
Component: TMOS
Symptoms:
Deleting a partition may cause the sync to peers to fail.
For example, on BIG-IP1:
tmsh delete auth partition P1
tmsh show cm sync-status
Sync Summary
Status Sync Failed
Summary A validation error occurred while syncing to a remote device
Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)
Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.
Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.
Impact:
The sync of this change may fail on peers.
Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.
643455-2 : Update TTL for equally trusted records only
Component: Global Traffic Manager (DNS)
Symptoms:
A child server's domain name may continue to be resolved by the child server even after the parent server revokes the NS record for the child server.
Conditions:
* Steady series of DNS queries for a domain name in the child server.
* The TTL for the domain name's A record is shorter than the TTL for the NS record for the child name server.
* The NS record is removed from the parent server.
Impact:
A client will still use the revoked child server after it is revoked.
Workaround:
Restart the TMM to clear out the cache.
642786-3 : TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.
Solution Article: K01833444
Component: Local Traffic Manager
Symptoms:
The BIG-IP system may drop tunneled traffic destined for it, even though the corresponding tunnel is created correctly.
Conditions:
The local-address of a tunnel resides in a non-default route-domain and the sys db variable 'connection.vlankeyed' is set to 'disable'. Note that the default setting of that sys db variable is 'enable'.
Impact:
The BIG-IP system may drop tunneled traffic.
Workaround:
None.
642422-2 : BFD may not remove dependent static routes when peer sends BFD Admin-Down
Component: TMOS
Symptoms:
As a result of a known issue, the BFD feature used in a dynamic routing configuration may not remove static routes that are configured to depend on the liveness of the BFD peer.
Conditions:
- BFD configured and up.
- Static route configured and dependent on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.
Impact:
The static route may not be removed when the peer sets the BFD session to admin-down, and traffic may still be routed over it.
641582-1 : Rarely, an HSB transmitter failure occurs
Component: TMOS
Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.
Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.
Impact:
Reboot of the unit.
Workaround:
None.
Note: Although there is no workaround, beginning in v13.0.0, there is an internal counter that tracks occurrences of these types of HSB transmitter failures, which enables better understanding of the issue and a more thorough investigation into its cause.
641543-1 : bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.
Component: TMOS
Symptoms:
If you have a custom bind-timeout value set for ldap system-auth, the custom value is honored for anonymous users but is ignored for explicit users.
Conditions:
ldap auth configured for remote authentication, and a custom bind timeout value is specified.
Impact:
The default timeout value of 10 seconds will be enforced for ldap auth.
Workaround:
None.
641001 : BWC: dynamic policy category sees lower bandwidth than expected in Congested policies
Component: TMOS
Symptoms:
When a BWC policy is configured with a category whose rate is lower than max-user-rate, the system might experience lower bandwidth than expected while congested and is not able to fill the pipe.
Conditions:
BWC dynamic policy configured with category.
The number of sessions created is greater than max-rate/max-user-rate, utilizing all the policies.
For example: max-rate=10mbps, max user rate=5mbps, cat rate=3mbps.
Impact:
Lower bandwidth is seen.
Workaround:
Configure categories at the same rate as that of max-user-rate.
640924-1 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
Component: Access Policy Manager
Symptoms:
On macOS Sierra (10.12), the LED icons on the Edge client's main UI buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.
Conditions:
macOS Sierra (10.12.x) and Edge client application.
Impact:
This is a display issue only. There is no functional impact to the system.
Workaround:
None.
640863-2 : Disabling partition selector in DNS Resolver's Forward Zones
Solution Article: K29231946
Component: TMOS
Symptoms:
The partition selector is enabled in DNS Resolver's Forward Zones.
Conditions:
Having Forward Zones in DNS Resolvers inside different partitions.
Impact:
Changing the partition in the Forward Zones page may error out.
Workaround:
Change the partition in the DNS Resolver List or use tmsh.
640751-2 : No PCRE Validation Performed For Regular Expression Parameters
Component: Application Security Manager
Symptoms:
If a Parameter is configured to match a specified regular expression, but the regular expression is misconfigured, there is no error presented to the user, and there is no regexp enforcement for the parameter.
The following log entry can be observed in bd.log:
"PCRE compilation failed at offset 12: PCRE does not support \L, \l, \N, \U, or \u"
Conditions:
A non-PCRE regular expression is configured for a Parameter.
Impact:
No Regular Expression enforcement is performed.
640704 : A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses★
Solution Article: K20418658
Component: Local Traffic Manager
Symptoms:
When upgrading a BIG-IP HA pair directly from version 10.2.x to version 12.1.x, the devices may fail to retain their primary and secondary mirror IP addresses after the upgrade.
Conditions:
This will only occur during a direct upgrade from 10.2.x to 12.1.x. This will not occur, for instance, when upgrading to 12.0.x.
Impact:
The devices will not be performing any mirroring after the upgrade to version 12.1.x as a result of this issue.
Workaround:
You can work around this issue by either:
A) Performing an intermediate upgrade to BIG-IP version 12.0.x first.
or
B) Manually reconfiguring the mirror IP addresses after the devices have been upgraded to 12.1.x (for more information on how to do so, refer to K13478: Overview of connection and persistence mirroring (11.x - 12.x) https://support.f5.com/csp/article/K13478).
640548-1 : In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.
Component: Policy Enforcement Manager
Symptoms:
In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked and PEM doesn't do re-try.
Conditions:
In Gy delayed binding mode, concurrent flows hit another rating group before the CCA-I for the first rating group comes back.
Impact:
Quota management service will not be active for those concurrent flows.
640489 : iSeries LCD alerts screen returns to splash screen intermittently
Solution Article: K53571714
Component: TMOS
Symptoms:
If there is a pending alert and the LCD remains on the alerts screen for an extended period of time, when you attempt to view the alerts for a particular severity (critical, error, warning, etc), the system re-directs to the splash screen instead of to the screen with a list of alerts.
Conditions:
-- An alert is pending.
-- The LCD remains on the alerts screen for a long time (e.g., 1-2 minutes).
-- Navigate to one of the alert levels to view the pending alerts.
-- The LCD displays the splash screen instead of a list of alerts.
Impact:
The system returns to the splash screen instead of a list of alerts.
Workaround:
Navigate back to the alerts screen and select an alert severity to get a list of alerts.
640395-1 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
Solution Article: K26144701
Component: Local Traffic Manager
Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.
Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.
Impact:
If you are not actually using the spanning feature, there is no impact.
If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.
Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.
Alternatively, you can manually set the spanning property on your virtual addresses as desired (after the upgrade).
640054-1 : Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled
Component: TMOS
Symptoms:
When a virtual address is using selective ICMP-echo and the virtual address is disabled, it will sometimes respond to ICMP echo requests, and sometimes not.
Conditions:
The difference appears to depend on where the virtual address is disabled.
1) If the virtual address is disabled in the virtual address settings page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List :: <address>] it stops responding to pings.
2) If the virtual address is disabled on the virtual address list page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List] it responds to pings.
3) If the virtual address is disabled with TMSH: 'modify ltm virtual-address <address> enabled no' it responds to pings.
In addition, on a BIG-IP Virtual Edition (VE), case #1 also responds to pings.
Impact:
The ICMP echo behavior is different depending on where the virtual address is disabled.
Workaround:
None.
639774-5 : mysqld.err rollover log files are not collected by qkview
Solution Article: K30598276
Component: TMOS
Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview, without the truncation rules normally used for log files. Also, the rollover files mysqld.err.1, mysqld.err.2.gz, etc., are not collected at all.
Conditions:
This occurs when generating a qkview.
Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.
Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.
638089-1 : LACP and CMP state simultaneously fail on 2150 or 2250 blades
Component: TMOS
Symptoms:
An internal traffic stoppage occurs and causes LACP ACTIVE trunk members to go down, and CMP state changes for the HOST and vCMP guests (if configured) on the impacted blade. The tmctl detailed statistics show sustained TX pause generated by HSB on one or more links and matching RX Pause received in interface_stat (on 4.1, 4.2, 4.3).
Conditions:
-- This happens when using 2150 or 2250 blades and an internal FPGA device gets into a bad state under heavy traffic load.
-- The root cause of that is still under investigation.
-- It happens extremely rarely.
Impact:
Traffic no longer functions on the blade where stoppage occurs.
Workaround:
Reboot blade.
637979-1 : IPsec over isession not working
Component: TMOS
Symptoms:
User cannot send IPsec encrypted application data traffic through a secured iSession connection, just by configuring symmetric optimization to use IPsec for IP encapsulation.
Conditions:
Configure IPSec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.
Impact:
User is unable to send encrypted traffic using IPsec over the tunnel without additional configuration required for a typical IPSec setup.
Workaround:
Configuration needed for a typical IPsec setup should be made explicitly.
isession encapsulation should be set to "none", and proper IKE-peer, IPsec policy, and traffic selectors should be configured to capture isession traffic between the isession endpoints.
BIG-IP1 GUI:
[Local Endpoint]
Acceleration > Symmetric Optimization : Local Endpoint > Properties
WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
IP Encapsulation Type: None
[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints > New Remote Endpoint...
IP Address: <BIG-IP2-local-endpoint-ipaddress>
[IKE peer]
Network > IPsec : IKE Peers > New IKE Peer...
Remote Address: <BIG-IP2-local-endpoint-ipaddress>
Version: Version1
Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>
[IPsec policy]
Network > IPsec : IPsec Policies > New IPsec Policy...
Name: <isession_policy_name>
Mode: Tunnel
Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>
[Traffic selector]
Network > IPsec : Traffic Selectors > New Traffic Selector...
IPsec Policy Name: <isession_policy_name>
Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>
BIG-IP2 GUI: Analogous; just swap the local and remote endpoint addresses where they appear above.
637686-2 : relax_unicode_in_xml should become the default behavior
Component: Application Security Manager
Symptoms:
You see "Malformed XML data - Malformed document, Input stream corrupt" violations on valid XML.
Conditions:
A character appears in the payload that is considered by the XML parser as illegal.
Impact:
A violation happens.
Workaround:
Use internal parameter relax_unicode_in_xml.
637613-3 : Cluster blade being disabled immediately returns to enabled/green
Solution Article: K24133500
Component: Local Traffic Manager
Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.
Conditions:
This can occur intermittently under these conditions:
- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.
Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.
Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.
637279 : Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.
Component: TMOS
Symptoms:
Pool member discovery does not work and produces the following error: as-describe-auto-scaling-groups: Refused: The security token included in the request is invalid.
Conditions:
This occurs in the eu-central-1 region only. Does not apply for failover. Note: This error might happen even when correct IAM credentials are specified.
Impact:
Pool member discovery cannot be run in eu-central-1 region.
Workaround:
Create autoscale configuration in regions other than eu-central-1.
636866-3 : Access Policy with a secure attribute object can fail at runtime for users, if admins perform AP export/import at the same time
Component: Access Policy Manager
Symptoms:
When an access profile with a secure attribute (for example: AAA AD Auth agent, LDAP Auth agent, RADIUS Auth agent, etc.) is exported and then imported, the secret attribute may not be imported properly.
During run-time authentication, error log messages similar to the following may be observed:
Nov 30 12:12:12 hostname err apmd[8478]: 01490236:3: /Common/access-policy-name:Common:xxxxxxxx: LDAP Module: Failed to bind with 'cn=yyyy,dc=zzz,dc=xxx'. Invalid credentials.
Conditions:
APM access policy agent with a secure attribute (for example: AAA AD Auth agent, LDAP Auth agent, RADIUS Auth agent, etc.) exported and then imported.
Impact:
The APM agent imported in the access profile may not run properly and may end up in the wrong branch.
Workaround:
After importing the access profile, manually re-configure agents with secure attributes.
636823-3 : Node name and node address
Component: TMOS
Symptoms:
If you create a node with a name that is an IP address but the IP address is different than the name, it can produce an error when adding the node to a pool.
Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1.
Impact:
When you attempt to add the node to a pool, an error will occur:
Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1
Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.
636412-1 : ASM start process fail with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities
Component: Application Security Manager
Symptoms:
ASM start process fails on machines with thousands of ASM configuration entities.
The log file contains error messages similar to the following:
Protobuf message exceeds max defined size. Table: CONFIG_TYPE_DYNAMIC_TABLES.
Conditions:
Issue is very rarely reproducible and requires thousands of ASM policy entities on the machine.
Impact:
ASM may report legitimate request traffic as a violation.
Workaround:
There is no workaround at this time.
636348-3 : BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.
Component: Local Traffic Manager
Symptoms:
In the /var/log/ltm file you may observe an error message similar to the following example:
01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.
Conditions:
This issue occurs when all the following conditions are met:
-- You have multiple BIG-IP systems in a High Availability (HA) configuration.
-- You have configured System Gateway Failsafe.
-- You reset device trust.
-- You attempt to reload the configuration or reboot the device before recreating the device trust.
Impact:
Configuration may fail to load.
Workaround:
Remove Gateway Failsafe before resetting device trust.
636164 : Remote IP not working in IE 8
Component: TMOS
Symptoms:
Adding a Remote IP in System :: Logs : Configuration : Remote Logging has no effect in Microsoft Internet Explorer (IE) version 8.
Conditions:
Using IE 8.
Impact:
Remote IP does not work.
Workaround:
BIG-IP version 12.x and later do not support IE 8. Use a later version of IE, or use another browser.
636163 : Certificate Key Chain not working in IE 8
Component: TMOS
Symptoms:
Certificate Key Chain not working in Microsoft Internet Explorer (IE) version 8.
Conditions:
Using IE 8.
Impact:
Certificate Key Chain does not work.
Workaround:
BIG-IP version 12.1.0 and later do not support IE 8. Use a later version of IE, or use another browser.
636104-2 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
Component: Application Visibility and Reporting
Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.
Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.
Impact:
Not seeing the pool member under the HTTP "pool" dimension.
Workaround:
You can define a temporary pool member with the port that is being used (e.g. 80) and delete it after that.
Once the pool member has been defined, it is stored in the DB and is shown from that point on.
This is a partial workaround since it needs to be done for every port that is being used in traffic.
636031-4 : GUI LTM Monitor Configuration String adding CR for type Oracle
Solution Article: K23313837
Component: TMOS
Symptoms:
If the value entered in the Configuration String text box wraps in the GUI, a CR character is added to the configuration file.
Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.
Impact:
The /config/bigip.conf file contains CR characters in the file.
Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.
635871-1 : tmsh validation of hash persistence timeout setting is incorrect
Component: Local Traffic Manager
Symptoms:
The permitted hash persistence timeout value is a range from 1 - 4294967295, but in tmsh you can set the value to 0 without error.
Conditions:
This occurs when running the following tmsh command:
tmsh modify ltm persistence hash <profile_name> timeout <number>
where <number> = 0
The GUI will report a validation error if you try to set it to 0 in the GUI.
Impact:
The value of 0 will be saved but the minimum value should be 1.
Workaround:
If you accidentally set a timeout to 0 you can set it back to the correct range using the following tmsh command:
tmsh modify ltm persistence hash <profile_name> timeout <1-4294967295>
634369-2 : Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes
Component: Local Traffic Manager
Symptoms:
Bigd crash (SIGABRT) while running iControl REST scripts against monitor configurations with FQDN nodes.
Conditions:
-- Bigd configured with FQDN nodes.
-- iControl REST calls are used to interact with system.
Impact:
Bigd crashes and restarts. Monitoring correctly resumes after the restart period.
Workaround:
None.
634014 : Absolute timers may fire one second early during the leap second event
Component: TMOS
Symptoms:
Absolute timers that expire at midnight UTC may fire one second early when the leap second is inserted.
Conditions:
This occurs if an absolute timer is used to trigger a task, and the leap second occurs during the timer window. For example if an absolute timer of 60 seconds is scheduled and the leap second event occurs midway through that interval, the event will appear to fire one second earlier than expected.
Impact:
Impact to applications unknown. The system stays stable, but a timer may be fired off earlier than expected.
Workaround:
None.
633824-2 : Cannot add pool members containing a colon in the node name
Solution Article: K39319200
Component: TMOS
Symptoms:
You are allowed to create nodes that contain a colon in the node name. If you later try to add the named node (e.g. 10.1.20.10:80), adding the node will fail and you will get an error similar to the following:
0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).
Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon.
Impact:
You are unable to add the node to the pool and will get a validation error.
Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.
633568 : Pool statistics page doesn't show all pool members in IE8 with compatibility view
Component: TMOS
Symptoms:
While accessing the pool statistics page with IE8 with compatibility view mode, pool member expand/collapse icons do not work properly. Specifically, one of the pool members is displayed as blank.
Conditions:
This occurs when accessing the BIG-IP GUI using IE8; navigate to Statistics :: Module Statistics : Local Traffic. Select "Pool" and press "collapse (plus)" icon to expand pool members.
Impact:
You will see that one pool member is displayed as a blank row.
633495 : Cannot switch between partitions in Local Traffic :: Policies
Component: TMOS
Symptoms:
When you are in the Local Traffic :: Policies page, you are unable to change partitions.
Conditions:
This occurs when multiple admin partitions exist and there are policies in each partition, and you wish to change partitions.
Impact:
You are unable to change partitions from the Local Traffic :: Policies page.
Workaround:
Change to another page in the GUI and change the partition, then visit the Policies page again.
633464-2 : Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
Component: Local Traffic Manager
Symptoms:
Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
Conditions:
HTTP/2 profile is attached to the virtual. Content-length header is sent by the server.
Impact:
If a client application requires the content length for HTTP/2, the application does not function as expected.
Workaround:
None.
633454-1 : Older versions of Chrome get blocked when Proactive Bot Defense is enabled.
Component: Application Security Manager
Symptoms:
Older versions of Chrome get blocked when Proactive Bot Defense is enabled.
Conditions:
-- Versions of Chrome older than version 53.
-- Proactive Bot Defense is enabled.
Impact:
Browser gets blocked.
Workaround:
Use one of the following workarounds:
-- Use a version of Chrome that is version 53 or later.
-- Use a different browser.
633349-3 : localdbmgr hangs and eventually crashes
Solution Article: K86613330
Component: Access Policy Manager
Symptoms:
localdbmgr hangs, consumes a lot of CPU and eventually crashes due to a rare condition where the program's execution halts, upon logging configuration changes.
Conditions:
Rare condition upon changing log settings configuration, or when localdbmgr process loads existing log config settings upon start / restart.
Impact:
localdbmgr hangs, consumes a lot of CPU and will eventually crash.
Workaround:
localdbmgr should restart and recover from this crash. If it doesn't, perform a "bigstart restart localdbmgr".
633172 : External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command
Solution Article: K12473201
Component: TMOS
Symptoms:
The REST call to install a key from a local file fails when the user is external (e.g., LDAP), even when its role is Administrator.
Conditions:
This issue occurs when all of the following conditions are met:
-- The BIG-IP system is configured to allow access to external LDAP users.
-- The external LDAP user is assigned an Administrator role.
-- The external LDAP user uses the tm/sys/crypto/key iControl REST command to import a key from a local file.
For example, you use the tm/sys/crypto/key iControl REST command with external LDAP user f5user that is assigned with the Administrator role, as follows:
restcurl -u f5user:f5user -X POST https://localhost/tm/sys/crypto/key -d '{"command":"install","name":"/Common/my-key.key","from-local-file":"/var/config/rest/downloads/my_key.key"}'
Impact:
Key install operation fails.
Workaround:
To work around this issue, you can use the sys/file/ssl-key iControl REST command to import a key file instead. To do so, perform the following procedure:
Impact of workaround: Performing the following procedure should not have a negative impact on your system.
1. Log in to the command line on the system from which you want to import the key file.
Note: The system must be able to support the command line version of the curl command.
2. Import the key file using the following command syntax:
curl -k -u <username:password> -H "Content-Type: application/json" -X POST https://<BIG-IP device>/tm/sys/file/ssl-key/ -d '{"name":"<key file name>","source-path":"<full path to key file>"}'
For example:
curl -k -u f5user:f5user -H "Content-Type: application/json" -X POST https://localhost/tm/sys/file/ssl-key/ -d '{"name":"f5user1.key","source-path":"file:///shared/my_key.key"}'
Note: Ensure that the key file name includes the file suffix, as the tm/sys/file/ssl-key iControl REST command does not automatically append .key in the key name.
633110-2 : Literal tab character in monitor send/receive string causes config load failure, unknown property
Solution Article: K09293022
Component: Local Traffic Manager
Symptoms:
BIG-IP allows you to paste in monitor send or receive strings that contain tabs, but the tabs do not get quoted when the strings are saved to the configuration. This will cause the configuration load to fail, with this error signature:
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property
Conditions:
This can occur if you copy/paste a monitor send or receive string and paste it into the send/recv string field in tmsh or the GUI.
Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.
Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.
632958-2 : APM MIB gauges not reset on standby device
Component: Access Policy Manager
Symptoms:
The following MIB gauges are not reset after the device transitions from active to standby:
F5-BIG-IP-APM-MIB::apmAccessStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmAccessStatCurrentEndedSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentPendingSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentCompletedSessions
Conditions:
After failover happens.
Impact:
Since these gauges represent current session counts, an administrator may not be able to identify the active device by looking at these gauges.
632901-1 : JET documentation incorrect for RESOLV::lookup
Solution Article: K03112333
Component: Local Traffic Manager
Symptoms:
JET documentation for the iRule command RESOLV::lookup contains a description of a bug where PTR records are not being cached. The documentation includes a workaround for this bug. However, the bug no longer exists.
Conditions:
tmsh help ltm rule command RESOLV::lookup | grep "Note: The results" -A6
Impact:
Jet documentation mentions a resolution to a bug that no longer exists.
Workaround:
None. This is a cosmetic issue that you can safely ignore.
632839 : UDP Flood does not get detected if the vector limits are infinite
Component: Advanced Firewall Manager
Symptoms:
If the UDP_flood AFM DoS vector is configured as 'infinite' for both detection-threshold-pps and default-internal-rate-limit then it will not get detected. Even per-virtual server and Sweep/Flood will not detect UDP_Flood. If they are not infinite, they should work as expected, and the default value for detection-threshold-pps is 400000.
Conditions:
-- Settings of 'infinite' for UDP_flood device-dos vector.
-- Running v12.1.1, 12.1.2, or 12.1.3.
Impact:
You might expect UDP_flood vector to be detected at the per-virtual server and Sweep/Flood level, but if it is configured at infinite at the global device level, then it will not be detected at any level at all.
Workaround:
To enable the system to detect UDP_Flood at the various levels, set the global device-dos level for UDP_flood to be 4294967294 (1 less than MAX_UINT32).
Note: With this workaround, the system still cannot detect the UDP_flood vector at the global device level, because the number is too high.
632838-1 : Deterministic NAT performance may be degraded
Component: Performance
Symptoms:
Deterministic NAT performance may be degraded compared to performance in 12.1.x.
Conditions:
Deterministic NAT configuration in use in version 13.0.
Impact:
CPU utilization will be higher, and the system may pass traffic with less speed.
Workaround:
Enable the db variable pva.fwdaccel to see DNAT performance improve with a fastL4 profile.
632825-5 : bcm56xxd crash following 'silent' port-mirror configuration failure
Component: TMOS
Symptoms:
A port-mirror configuration can fail 'silently', that is, no error from MCPD yet the following is logged in /var/log/ltm:
err bcm56xxd: 012c0011:3: Trunk port trouble with bcm_mirror_port_set() Entry exists bs_mirror.c(598).
err bcm56xxd: 012c0010:3: Trouble committing mirror settings to hardware: 0:21 bs_mirror.c(671).
err bcm56xxd: 012c0010:3: Trouble setting port mirror from 2.1 to 2.6 bsx.c(5173).
Once this happens, any subsequent port-mirror configuration will result in a deadlock condition and SOD will restart bcm56xxd.
If the port-mirror interfaces are part of a trunk, any trunk configuration will cause this condition. For example, adding a vCMP guest.
Conditions:
Prior 'silent' port-mirror configuration error followed by a subsequent port-mirror configuration command.
Impact:
bcm56xxd continuously restarts until the bad port-mirror configuration is removed.
Workaround:
None.
632723-1 : tmm core with remote logging pool in non-zero route domain
Solution Article: K05079458
Component: Advanced Firewall Manager
Symptoms:
tmm cores every minute with a security log profile set to send log messages to pool members in a different route domain.
Conditions:
Remote logging pool configured, and the pool members are in a non-zero route domain that is different than that of the forwarding virtual.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the logging pool members are in the zero route domain.
632604-1 : SSL::sessionid iRule command returns incorrect result
Component: Local Traffic Manager
Symptoms:
SSL::sessionid iRule command returns incorrect result
Conditions:
An iRule is used to retrieve the session ID.
Impact:
The session ID might not be reliable.
Workaround:
None.
632553-2 : DHCP: OFFER packets from server are intermittently dropped
Solution Article: K14947100
Component: Local Traffic Manager
Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP.
Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.
Impact:
Client machines joining the network do not receive DHCP OFFER messages.
Workaround:
Force deletion of the server-side flow. For example, if the DHCP server 10.0.66.222 is broken, issue the following tmsh command:
tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67
632246-1 : Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.
Component: Advanced Firewall Manager
Symptoms:
pvasyncookies db variable does not disable/enable HW syn-cookies on secondary blades, and does not persist across MCPD restart/reboot.
Conditions:
Non-default setting for the pvasyncookies db variable.
Impact:
Setting does not persist across MCPD restart/reboot.
Workaround:
None.
632204-1 : Local Traffic Policies rule page is incorrectly showing all partition's objects in 'Forward traffic' actions
Solution Article: K22568472
Component: TMOS
Symptoms:
When creating an LTM policy rule action 'Forward Traffic' and selecting from a list of pools or virtual servers, objects from partitions other than the current partition and the Common partition show up.
Conditions:
This occurs on the LTM policy rule creation page within a specific partition, and there are objects of the same type in other partitions.
Impact:
Users without access to the associated partition receive an error when selecting an object from that partition and clicking submit.
Workaround:
Do not select objects other than the ones in the current or Common partition from a dropdown.
631715-1 : ASM::disable does not disable client side challenges
Component: Application Security Manager
Symptoms:
ASM::disable command was run but a challenge was still sent.
Conditions:
An iRule with ASM::disable is in use, and a CS or DID challenge is configured.
Impact:
An unexpected JS challenge arrives.
Workaround:
N/A
631083-2 : Some files in home directory are overwritten on password change
Component: TMOS
Symptoms:
The files
.bash_logout
.bash_profile
.bashrc
in a user's home directory are overwritten when that user's password is changed.
Conditions:
Change a user's password.
Impact:
Customizations to these files would be lost on password change. This only applies to users with advanced shell access.
Workaround:
Back up the files to a different location before making a password change.
631046 : Unable to generate a FIPS key using the GUI
Component: TMOS
Symptoms:
While generating a FIPS key from the BIG-IP GUI, you get the following error:
Key management library returned bad status: -4, FIPS security is not licensed, FIPS key security type is not allowed.
Generating a FIPS key from tmsh works properly.
Conditions:
This occurs on FIPS-licensed 12.1.1 HF1 and HF2, when using the GUI to generate the FIPS key.
Impact:
Unable to generate a FIPS key using the GUI.
Workaround:
Use the following tmsh command to generate a FIPS key:
tmsh create sys crypto key <key_object_name> security-type fips.
630795-1 : No guestagentd entry in merged.conf
Component: TMOS
Symptoms:
There is no entry for guestagentd in merged.conf. This results in the following error in the ltm log whenever merged starts up:
"Process managed by runsv is not in /config/merged.conf: guestagentd"
Conditions:
This is encountered whenever merged starts.
Impact:
For stats purposes, the proc_stat and plane_proc_stat tables are also affected. If the pid changes (for whatever reason), BIG-IP will not have the assignments to the correct process information.
Workaround:
Add a guestagentd entry to merged.conf.
630257-1 : Monitor send/receive strings cannot end with trailing single-backslash★
Component: Local Traffic Manager
Symptoms:
A monitor with a 'send' or 'receive' string is not supported with a single trailing backslash, such as "GET /\r\n\" (note the single-trailing backslash that "escapes" the trailing double-quotes).
Conditions:
A monitor 'send' or 'receive' string ends with a single trailing backslash; and the configuration is saved, and then a load is attempted.
Impact:
When configuration is saved and then loaded, the single-trailing backslash will escape the trailing double-quotes and the configuration will fail to load.
Workaround:
A double-trailing backslash is supported, where the trailing double-quotes will not be escaped, for example:
"GET /\\r\\n"
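Entries 633110-2 and 630257-1 above both describe monitor send/receive strings that save without complaint but make the next configuration load fail: a literal tab that is not quoted, and a single trailing backslash that escapes the closing double quote. The following pre-save check is an added example, not F5 code; it flags both cases in a string as typed into tmsh or the GUI, rewrites tabs as \t (the workaround the notes give), and scans monitor stanzas in a constructed bigip.conf sample (SAMPLE_CONF is made up for this example and is not from a real system). The stanza layout it parses is an assumption based on the file names quoted above.

```python
"""Lint LTM monitor send/receive strings for values that break config load.

Added example (not F5 code). Covers two failure modes from the release notes:
  - a literal tab character in the string (633110-2)
  - an odd number of trailing backslashes, which escapes the closing quote (630257-1)
"""
import re

# Constructed sample of /config/bigip.conf monitor stanzas (not a real config).
# Python escapes: "\\r" is a literal backslash-r, "\t" is a real tab character.
SAMPLE_CONF = '''ltm monitor http /Common/good_mon {
    send "GET /\\r\\n"
    recv "200 OK"
}
ltm monitor http /Common/tab_mon {
    send "GET /index.html\tHTTP/1.0\\r\\n"
    recv "200 OK"
}
ltm monitor http /Common/bs_mon {
    send "GET /\\r\\n\\"
    recv "200 OK"
}
'''

# Assumed stanza layout: "ltm monitor <type> <name> {" ... "}" on its own line.
STANZA = re.compile(r'^ltm monitor \S+ (\S+) \{\n(.*?)\n\}', re.MULTILINE | re.DOTALL)
# send/recv lines: the value is whatever sits between the outer double quotes.
MON_LINE = re.compile(r'^\s*(send|recv)\s+"(.*)"\s*$', re.MULTILINE)


def trailing_backslashes(value: str) -> int:
    """Count consecutive backslashes at the end of value."""
    count = 0
    for ch in reversed(value):
        if ch != "\\":
            break
        count += 1
    return count


def check_monitor_string(value: str) -> list:
    """Return problem descriptions for one send/receive string (empty list if clean).

    value is the raw text as it would be pasted into tmsh or the GUI, i.e. the
    characters between the double quotes of the bigip.conf entry.
    """
    problems = []
    if "\t" in value:
        problems.append("literal tab character; use \\t instead")
    if trailing_backslashes(value) % 2 == 1:
        problems.append("odd number of trailing backslashes escapes the closing quote")
    return problems


def escape_tabs(value: str) -> str:
    """Apply the documented workaround: represent each tab as the two characters \\t."""
    return value.replace("\t", "\\t")


def lint_conf(text: str) -> dict:
    """Map monitor name -> list of 'field: problem' strings for monitors that would fail to load."""
    findings = {}
    for stanza in STANZA.finditer(text):
        name, body = stanza.group(1), stanza.group(2)
        for line in MON_LINE.finditer(body):
            field, value = line.group(1), line.group(2)
            for problem in check_monitor_string(value):
                findings.setdefault(name, []).append(f"{field}: {problem}")
    return findings


if __name__ == "__main__":
    for monitor, problems in lint_conf(SAMPLE_CONF).items():
        for problem in problems:
            print(f"{monitor}: {problem}")
```

Run it against a copy of bigip.conf before a planned config load or upgrade; any monitor it reports is one that the loader will reject with the "unknown property" or unterminated-string error described above, and escape_tabs gives the replacement value to set through the GUI.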
629834-4 : istatsd high CPU utilization with large number of entries
Component: TMOS
Symptoms:
With a large number of istats entries, statsd uses a large amount of CPU time to process istats.
Conditions:
This occurs when there is a large number of istats entries in iRules.
Impact:
istats processing is slow. CPU utilization by istatsd is high.
Workaround:
Reduce the number of istats entries. Periodically purge the istats entries if possible.
628696-1 : Under rare circumstances, all blades in cluster claim not primary during start up
Component: Local Traffic Manager
Symptoms:
All blades in the cluster claim not primary during startup.
Conditions:
During TMM startup.
Impact:
The cluster (even if standalone) appears Standby, and ready-for-world is never reached.
Workaround:
Restart tmm on the primary blade.
627760-3 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
Component: TMOS
Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.
Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.
Impact:
No DNSSEC key of that name is present on FIPS card.
Workaround:
None.
627447 : Sync fails after firewall policy deletion
Component: Advanced Firewall Manager
Symptoms:
When deleting a firewall policy and then creating a new one, sync to standby fails.
Conditions:
Delete firewall policy then create a new one. Sync to Standby.
Impact:
Sync fails.
Workaround:
None.
627384-1 : eamtest tool fails with Segmentation fault after initialization.
Component: Access Policy Manager
Symptoms:
Tests done with eamtest tool fail with Segmentation fault after initialization.
Conditions:
Run eamtest tool.
Impact:
eamtest tool fails, which affects troubleshooting using the tool.
Workaround:
Run eamtest with LD_PRELOAD=libeam_asdk_preload.so prefix.
627221-1 : iControl SOAP doesn't support displaying all possible media options for interfaces
Component: TMOS
Symptoms:
Newer media options would erroneously be displayed as MT_AUTO from iControl SOAP.
If the media option is considered internal, iControl SOAP will still display the specific type if it is available in its list. This has been changed to display MT_NONE for those options.
Conditions:
Platforms that support the interfaces missing from iControl SOAP will not get the right info via iControl SOAP.
Specifically those that support MEDIA_40000_FDX and MEDIA_40000_LR4_FDX.
Affected Platforms:
A108
A112
D112
D113
Impact:
Information mismatch.
627144 : Two users cannot create policies at the same time.
Component: Application Security Manager
Symptoms:
Two users cannot create policies at the same time.
Conditions:
-- Two users with admin authority are logged onto the GUI.
-- Both begin creating separate ASM policies with distinct options.
For instance:
- User 'wafadmin1' logs in first.
- User 'wafadmin2' logs in second.
- Both are creating policies.
- When wafadmin2 submits the policy, it's being overwritten by policy details given by wafadmin1.
- Only user wafadmin1 can de-activate a policy; for other users the option itself is grayed out.
Impact:
Policy from one user can overwrite another's. Can also affect who can de-activate a policy.
Workaround:
Have only one user at a time create/modify/delete policies.
626480-1 : Restjavad log messages: [ProcessManager] Maximum child processes of 3 has been reached
Component: TMOS
Symptoms:
Restjavad log file contains multiple messages similar to the following:
-- [I][479][02 Nov 2016 00:38:51 UTC][ProcessManager] Maximum child processes of 3 has been reached.
-- [I][480][02 Nov 2016 00:38:51 UTC][ProcessManager] Maximum child processes of 3 has been reached.
Conditions:
-- Restjavad startup.
-- 100 or more devices discovered/managed.
Impact:
Potentially alarming/unnecessary error log messages.
Workaround:
None. Although the messages might be problematic, they do not indicate a serious condition.
626279-1 : After reboot LCD reports "unit going standby" even if it has gone active.
Component: TMOS
Symptoms:
After a reboot, the LCD and the tmsh show sys alert command reports "unit going standby" even though the device has become active.
Conditions:
This can occur intermittently on system startup.
Impact:
LCD and tmsh show sys alert erroneously report "unit going standby". The /var/log/ltm log will have messages from sod indicating that it has become active.
626226-1 : Large SSL certificate bundle export by GUI silently fails
Component: TMOS
Symptoms:
GUI SSL certificate bundle export silently fails if the size of the certificate bundle is greater than approximately 1824 KB.
Conditions:
1. Import a certificate whose size is greater than 1823 KB.
2. Try to Export that certificate using the GUI.
Impact:
Unable to download large SSL certificate.
Workaround:
You can export the large SSL Certificate bundle as 'Archive' using the following procedure:
1. Navigate to System :: File Management : SSL Certificate List.
2. Click 'Archive'.
3. Download the large SSL Certificate bundle.
625807-6 : Tmm cores in bigproto_cookie_buffer_to_server
Component: Local Traffic Manager
Symptoms:
TMM cores on SIGSEGV during normal operation.
Although the exact triggering conditions are unknown, it might be that the crash occurs when a connection is aborted in a client-side iRule; the following log signature may indicate its occurrence:
tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>.
Conditions:
Specific conditions that trigger this issue are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
625215-1 : unic: flow redirects for non-default cmp-hash on untagged VLANs
Component: TMOS
Symptoms:
-- Low throughput.
-- Flow re-directs in tmstat.
Conditions:
-- Untagged VLAN is in use
-- A non-default cmp hash, such as src-ip or dst-ip, is in use.
Impact:
Performance degradation.
Workaround:
None.
625165-3 : Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.
Component: Access Policy Manager
Symptoms:
-- Routes to local DNS that get added due to the 'allow local DNS' option in the Network Access config do not get removed once the network changes after the VPN is established.
Conditions:
-- 'Allow local DNS' option is selected in the Network Access config.
-- BIG-IP administrator changes the network configuration after the VPN is connected.
Impact:
If the BIG-IP administrator changes the network after a VPN is connected, and if DNS servers have changed, then routes to old DNS servers (which may or may not be reachable) will be left in the routing table.
Workaround:
None.
625156-2 : Bigd memory leak
Solution Article: K50524736
Component: Local Traffic Manager
Symptoms:
The bigd process grows in size until one of two things happens:
-- The Linux kernel runs out of memory and OOM kills the bigd process (or potentially some other large process) a few hours after the system starts up.
-- On high-end platforms, the bigd process grows to just under 4GB in virtual size (vsize) and starts failing in unexpected ways, for example marking targets down that are not actually down, or failing to detect targets that are down.
Conditions:
-- You are running BIG-IP 12.1.5.3.
-- You have HTTPS monitors configured.
Impact:
A memory leak occurs. Depending on the platform, process daemons might restart or fail. Monitored targets may be incorrectly marked down.
Although restarting bigd is not traffic-impacting, it is possible that other daemon processes restart due to low memory conditions, and could disrupt traffic while they restart.
Workaround:
There is an engineering hotfix available HotFix-BIGIP-12.1.5.3.0.16.5-EHF16 :: https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=big-ip_v12.x&ver=12.1.5
To work around this, you can switch to non-HTTPS monitors until the engineering hotfix can be applied. Once you switch to non-HTTPS, restart bigd to release the leaked memory (restarting bigd should not be service impacting).
625108-1 : Learn flags of subviolations are incorrectly updated when all violations are updated by REST
Component: Application Security Manager
Symptoms:
When the learn flags of all violations are updated by REST PATCH, the learn flags of all subviolations are incorrectly updated as well.
Conditions:
The learn flags of all violations are updated in a single REST PATCH operation.
Impact:
The learn flags of all subviolations are incorrectly updated as well.
Workaround:
You can use either of the following workarounds:
-- Update violations in individual REST operations.
-- Update the subviolations after the violation update.
624917 : First few handshakes fail after chassis/appliance reboot when using HSM
Component: Local Traffic Manager
Symptoms:
After rebooting with an HSM configured, you notice the first few handshakes fail, with the following error signature in /var/log/ltm:
warning tmm3[13085]: 01260009:4: Connection error: info tmm3[13085]: 01260013:6: ssl_hs_vfy_sign_srvkeyxchg:9921: sign_srvkeyxchg (80)
1260013:6: SSL Handshake failed for TCP <src> -> <dest>
Conditions:
This occurs on the first few connections after reboot when an HSM is configured, and seems to occur if the device does not immediately pass traffic after reboot.
Impact:
The initial SSL connections will fail, then normal operation will resume.
Workaround:
None.
624626-3 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
Component: TMOS
Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:
01020036:3: The requested Certificate File (/Common/example.crt) was not found
Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.
Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.
Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:
tmsh delete sys crypto cert example
tmsh delete sys crypto key example
624580-1 : BigDB.dat may become truncated
Solution Article: K37147352
Component: TMOS
Symptoms:
BigDB.dat may become truncated.
Conditions:
The conditions under which this occurs are not well understood.
Impact:
Tomcat and possibly mcpd may restart due to having incorrectly generated configuration.
Workaround:
None.
624187-1 : Relocate TUC AVP to group AVP USU
Component: Policy Enforcement Manager
Symptoms:
Current implementation sends Traffic Change Usage (TCU) in MSCC at the same level as USU.
Conditions:
Any time a TCU is sent.
Impact:
Interoperability problems with ZTE OCS, which requires TCU as a child of the USU (Used-Service-Unit) AVP.
624044-1 : LTM Monitor custom recv/send/recv-disable parameters have backslash at the end may fail to load★
Solution Article: K42806722
Component: Local Traffic Manager
Symptoms:
If LTM monitor configuration parameters contain custom strings that end with a backslash, the saved configuration fails to load.
Conditions:
Any of the "recv", "send", or "recv-disable" parameters ends with a backslash, and the configuration is saved.
Impact:
The new configuration fails upon reload.
Workaround:
Do not end custom strings with backslashes. If the configuration already contains monitor definitions with custom strings that end with a backslash, it can be cleaned with the following process:
tmsh save sys ucs K42806722_before
find /config/ -type f -name "bigip.conf" -exec sed -i 's/\(\(send\|recv\).*\)\\"$/\1"/g' {} +
tmsh load /sys config
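The same cleanup the sed one-liner above performs, re-implemented in Python as an added example (not F5's tooling) so that the affected lines can be reported and reviewed before anything is rewritten. The bigip.conf fragment is constructed for the example; the regular expression is anchored to the start of the line and to the three parameter names, which is stricter than the sed expression (that one matches any line containing "send" or "recv" that ends in a backslash-quote).

```python
import re

# Constructed bigip.conf fragment (not a real configuration): mon_bad has custom
# strings that end with a backslash, mon_ok is well formed.
SAMPLE_CONF = (
    'ltm monitor http /Common/mon_bad {\n'
    '    defaults-from /Common/http\n'
    '    description "health check with bad custom strings"\n'
    '    recv "HTTP/1.1 200\\"\n'
    '    recv-disable "HTTP/1.1 503\\"\n'
    '    send "GET / HTTP/1.1\\r\\n\\r\\n\\"\n'
    '}\n'
    'ltm monitor http /Common/mon_ok {\n'
    '    defaults-from /Common/http\n'
    '    recv "HTTP/1.1 200"\n'
    '    send "GET / HTTP/1.1\\r\\n\\r\\n"\n'
    '}\n'
)

# Only a send/recv/recv-disable parameter line whose quoted value ends in a
# backslash right before the closing quote is matched.
TRAILING_BACKSLASH = re.compile(r'^(\s*(?:send|recv|recv-disable)\s+".*)\\"$')


def find_trailing_backslash_params(conf):
    """Return (line_number, line) for each parameter that would make the saved config fail to load."""
    return [(n, ln) for n, ln in enumerate(conf.split("\n"), start=1)
            if TRAILING_BACKSLASH.match(ln)]


def strip_trailing_backslash(conf):
    """Drop the single trailing backslash before the closing quote, like the sed command.
    A value that legitimately ends in an escaped backslash loses one backslash too,
    exactly as with the sed expression, so review the report first."""
    return "\n".join(TRAILING_BACKSLASH.sub(r'\1"', ln) for ln in conf.split("\n"))


if __name__ == "__main__":
    for n, ln in find_trailing_backslash_params(SAMPLE_CONF):
        print("line %d needs cleanup: %s" % (n, ln.strip()))
    print(strip_trailing_backslash(SAMPLE_CONF))
```

Run the report first, then apply the rewrite only to the lines it lists; as with the sed command, take a UCS before touching bigip.conf and reload with tmsh afterwards.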
623779-2 : Adding a client side challenge whitelist URL wildcard list
Component: Application Security Manager
Symptoms:
There is no way to mark a URL wildcard as always qualified for client-side challenges. As a result, a system with dynamic URLs cannot use client-side (CS) challenge mitigation for DoS attacks or Proactive Bot Defense.
Conditions:
Dynamic URLs are under a DoS attack and the system has CS mitigation enabled.
Impact:
The CS mitigation is not effective and the DoS mitigation falls back to rate limiting.
Workaround:
N/A
623488-3 : Custom adaptive reaper settings may be lost at upgrade time★
Component: TMOS
Symptoms:
Beginning in 11.6.0, the adaptive-reaper was changed to use the default-eviction policy. The configuration migration script does not migrate the adaptive-reaper settings, so after upgrade the reaper settings are reset to their default.
Conditions:
Upgrade from 10.x to 11.6.0 or later.
Impact:
Settings may be unexpectedly changed as part of upgrade.
Workaround:
Inspect the values after upgrade and reconfigure them.
623371-1 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
Component: TMOS
Symptoms:
When attempting to ssh in as a nonexistent user using SSH keypair, the connection closes.
Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.
Impact:
User does not see expected password prompt.
This can be used to check which usernames are valid on the BIG-IP system, but it requires SSH keys.
Workaround:
None known.
623367-1 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.
Solution Article: K57879554
Component: TMOS
Symptoms:
Able to login to BIG-IP using root's keypair as a user which does not exist on either the BIG-IP or the RADIUS server.
Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.
Impact:
With root's SSH keys, a nonexistent user can log in.
Workaround:
Set the default remote role to something other than admin.
623313 : After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.★
Component: TMOS
Symptoms:
After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default. For example, in response to the 'tmsh list sys snmp' command, output in 10.2.x contains the following strings:
community-name public
source default
In 12.1.x, the output does not contain the string 'source default', only the string 'community-name public'.
Conditions:
Upgrade from 10.2.x.
Impact:
Cannot determine the SNMP community name if it is the default.
Workaround:
None.
623265-4 : UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt★
Solution Article: K15645547
Component: TMOS
Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt.
Conditions:
A system is upgraded from v10.x to v11.x/v12.x, or a v10.x UCS is restored onto a v11.x/v12.x system.
Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd / non-deterministic behavior between devices, even an HA pair / cluster of devices. Non-determinism increases because ca-bundle.crt does not ConfigSync (and appears not to sync across blades in a chassis).
For example, on one device, the BIG-IP system might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.
Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:
1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
2. Reboot the system and clear the MCPD binary database. Refer to AskF5 article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030), but essentially:
touch /service/mcpd/forceload && reboot
3. After reboot, verify that the two files match (they should have the same checksum):
md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
623084-2 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★
Component: Local Traffic Manager
Symptoms:
mcpd fails to load the configuration if a pre-11.6.0 configuration has a DHCP virtual server configured using any profile that is not /Common/udp.
The following message appears in /var/log/ltm:
01070095:3: Virtual server /Common/dhcp_relay-p-rd101 lists incompatible profiles.
This is because the profile in this case is /Common/fastL4 and is not 'converted' to a DHCP profile.
Conditions:
-- A pre-11.6.0 configuration.
-- DHCP-type virtual server configured with a profile other than /Common/udp.
-- Upgrade to 11.6.0 or later.
Impact:
mcpd fails to load the configuration. The BIG-IP system will not be operational until the configuration is changed and loaded.
Workaround:
Before the upgrade, change the profile to /Common/udp.
If you have already upgraded, manually change the bigip.conf file and load the config using the following command: tmsh load /sys config
622876-1 : Certificate serial number is not displayed properly in OCSP Stapling logs.
Component: Local Traffic Manager
Symptoms:
The certificate serial number is not displayed properly in OCSP Stapling logs.
Conditions:
These logs are seen when there are any errors when fetching and validating an OCSP response, and/or when SSL debug logs are enabled.
Impact:
Certificate serial number is not displayed properly.
Workaround:
None.
622870 : When using a Thales key, SSL handshake failed after restarting pkcs11d
Component: Local Traffic Manager
Symptoms:
With a Thales key, SSL handshakes fail after the pkcs11d daemon is restarted.
Conditions:
Thales netHSM is used and pkcs11d daemon is restarted.
Impact:
SSL traffic fails.
Workaround:
After restarting pkcs11d, restart tmm:
bigstart restart pkcs11d
bigstart restart tmm
622378-1 : Inconsistent hardware syncookie protection mode on B2100/B4300 blades and 5000/7000/10000 appliances
Component: TMOS
Symptoms:
BIG-IP may enter a state where the software indicates it is not in syncookie protection mode for a virtual IP, but the FPGA is still in that mode.
Conditions:
This only occurs on the following platforms (B2100/B4300 blades, 5000/7000/10000 appliances) with Xilinx FPGA. It can be triggered if BIG-IP enters and exits syncookie protection frequently in a short interval as SYN traffic varies.
Impact:
This may lead to undesired behavior in processing traffic. For example, it could cause the VIP to remain in hardware syncookie protection mode while SYN traffic is nominal.
Workaround:
Usually "bigstart restart tmm" would clear this error condition.
622204-1 : If a virtual server's name has a "." in it then a DoS profile cannot be attached to it
Solution Article: K14141640
Component: Advanced Firewall Manager
Symptoms:
For virtual servers with a . (dot, or period) in the name and a DoS profile attached, a crash might occur when attacks are detected/stopped.
Conditions:
Virtual server with a name that includes a . and an attached DoS profile, and then a DoS attack is detected.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Remove the . in the virtual server name.
621843-1 : The ipother proxy is sending ICMP error messages to the wrong side
Component: Local Traffic Manager
Symptoms:
The ipother proxy error handling sends ICMP error messages down the wrong side of the proxy: when a client-side error occurs, the error message is sent to the server side.
Conditions:
Error handling of the ipother proxy.
Impact:
ICMP error messages show up on the wrong side.
Workaround:
None.
621158-1 : F5vpn does not close upon closing session
Component: Access Policy Manager
Symptoms:
F5vpn does not close upon closing session.
Conditions:
-- With Network Access started and connected to BIG-IP using browser.
-- Clicking 'Logout' button on webtop.
Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.
Workaround:
None.
620969-3 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
Component: TMOS
Symptoms:
Using get_valid_key_sizes() to query the valid key sizes returns 1024, which is not valid when the FIPS firmware is version 2.2 or above.
Conditions:
FIPS firmware is version 2.2 or above.
Impact:
Unsupported key-size is returned.
620844-1 : DoS: tmm core after delete packet type from Device Sweep vector
Component: Advanced Firewall Manager
Symptoms:
During the config change of Sweep vector, when all tmm threads delete the rate tracker, a race condition might occur that could prevent the tracker from being deleted. As a result, some tmm threads might see the new instance, which causes the tmm thread to abort.
Conditions:
This potential race condition occurs after deleting a packet type from the Device Sweep vector.
Impact:
tmm thread might abort if a race condition occurs. Traffic disrupted while tmm restarts.
Workaround:
None.
620556-1 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
Component: Local Traffic Manager
Symptoms:
Fragmented packets may be transmitted to clone pool members of a virtual server that is also forwarding its traffic to another virtual server.
Conditions:
One virtual server is configured to forward traffic to another one using an iRule, i.e.
when CLIENT_ACCEPTED {
virtual another_virtual
}
This forwarding virtual server also has a clone pool configured.
Impact:
Fragmented packets are transmitted to pool members, which affects performance and may trigger some intrusion detection systems.
620053-1 : Gratuitous ARPs may be transmitted by active unit being forced offline
Component: Local Traffic Manager
Symptoms:
When the cluster's active blade is forced offline, the non-primary blades may send gratuitous ARPs.
Conditions:
Cluster's active blade is forced offline.
Impact:
Potential impact to traffic if the gratuitous ARPs of the blade that goes offline are received before those of the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.
Workaround:
Fail over the cluster before forcing it offline, or configure MAC masquerading.
619667-1 : Allow Local DNS Servers is not honored on Mac OS X
Solution Article: K34751151
Component: Access Policy Manager
Symptoms:
In some split tunnel cases, local DNS resolution on the client does not work.
This is the "emulated" full tunnel mode, i.e. split tunnel with an IPv4 LAN address space of 0.0.0.0/0.0.0.0 and local subnet access not allowed.
Conditions:
Allow Local DNS Servers is configured on Mac OS X (where it is not honored).
Split tunnel is configured with an IPv4 LAN address space of 0.0.0.0/0.0.0.0.
Local subnet access is disabled.
The system has only one physical adapter (Ethernet or Wi-Fi) available for networking.
Impact:
DNS resolution fails for some split tunnel deployment cases.
Workaround:
Specify "*" in DNS included address space to forward all DNS traffic over the tunnel.
619419 : Workaround for Software Installation Failures in TMUI★
Component: TMOS
Symptoms:
A software installation fails for one of several reasons (unsupported software versions, lack of disk space, etc.). This failure leaves the software volume in a state where future installations cannot be completed.
Conditions:
Software installation fails.
Impact:
You cannot install software on the failed volume. You will see "Previous installation not complete" message if you attempt to install software on this failed volume.
Workaround:
1. Installation fails.
2. Navigate to System >> Disk Management. Click on HD1 (for example)
3. Under Contained Software Volumes, you can see the reason for failure on the failed volume.
4. Select the failed volume and click Delete. Confirm you want to delete the failed volume.
5. Once the volume is deleted successfully, return to System >> Software Management : Image List
6. Select a valid image and click the Install button.
7. Under Volume Set Name enter a valid name and click the Install button.
619397-5 : LCD shows error screen on boot or after license expires
Solution Article: K04055706
Component: Device Management
Symptoms:
The LCD on BIG-IP iSeries appliances may display an error screen.
Conditions:
This occurs if the appliance has just finished booting, or if the license has just expired.
Impact:
This may cause an unexpected error and subsequent navigation back to the LCD splash page.
Workaround:
Wait one minute and try to navigate the LCD screens again. If the system has already been licensed and is in the 'Active' state, subsequent attempts should work.
619099 : 'General Database Error' while changing the Admin UI authentication type
Component: Access Policy Manager
Symptoms:
Changing the Authentication type from Local to another BIG-IP-supported authentication type fails.
Conditions:
-- User Directory is Remote - APM Based.
-- Authentication Type is RADIUS, AD, LDAP or TACACS+.
-- All needed information about the AAA Server is specified.
Impact:
GUI error: 'General Database Error'.
Workaround:
None.
618982-1 : IPSEC + chassis behavior for case secondary blades on-off switch.
Component: TMOS
Symptoms:
After a cmp_state change (secondary blade restart), some flows fail.
Conditions:
Adding or removing blades causes DAG flow redistribution and redistribution of IKE/IPsec SAs and IPsec data flows between the remaining blades. This interrupts some flows and disconnects IPsec peers.
Impact:
Some users may lose their connections and have difficulty restoring them.
Workaround:
None.
618889-1 : Clicking the policies list tab does not refresh the policies list on click.
Component: TMOS
Symptoms:
Clicking the policies list tab does not refresh the policies list on click.
Conditions:
This occurs on the policy list page.
Impact:
If the policy list changed, the updates will not be displayed.
Workaround:
Refresh the browser, or click Local Traffic > Policy List in the menu to refresh the page.
618693-3 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
Component: Application Security Manager
Symptoms:
When generating a web scraping attack of the session opening anomaly type, an attack start/end event is shown in /var/log/asm and in the GUI at Security :: Event Logs : Application : Web Scraping Statistics. The event has a "source ip" field that should include the route domain. In the case of "session opening anomaly", the route domain is always zero (for example, 127.0.0.1%0), even though a non-zero route domain is configured.
Conditions:
Route domain is configured and a web scraping attack event triggers.
Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.
Workaround:
None. This is a cosmetic error; the system uses the correct route domain.
618637-1 : Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error
Component: Access Policy Manager
Symptoms:
Sometimes f5fpc cannot establish a Network Access connection. After a Network Access connection has been successfully established, subsequent login retries fail with a 'Session timed out' error.
Conditions:
This intermittent issue might occur after a Network Access connection has been successfully established and the user retries logging in one or more times.
Impact:
Network Access cannot be established and a 'Session timed out' error is presented to the user.
Workaround:
1) Find all processes matching f5std or svpn and kill them manually.
2) Restart host OS.
618503-1 : Irrelevant fields visible in Logging profile
Component: Application Security Manager
Symptoms:
When switching from logging format 'BIGIQ' to logging format 'Key-Value Pairs' in Application Security logging profiles, 'Maximum Request Size' and 'Maximum Query String Size' properties are not removed.
Conditions:
Switch from logging format 'BIGIQ' to logging format 'Key-Value Pairs' in Application Security logging profiles.
Impact:
Irrelevant fields visible.
Workaround:
None.
618463-2 : Artificially low route MTU can cause SIGSEGV core from monitor traffic
Component: Local Traffic Manager
Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low route MTU, tmm can crash repeatedly.
Conditions:
See Symptoms.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure the correct MTU on the route.
618319-5 : HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked
Solution Article: K58255321
Component: TMOS
Symptoms:
All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.
Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).
If this port is blocked, the devices cannot exchange failover status information.
Impact:
When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and each device becomes active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.
Workaround:
Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port.
Normally this is done with 'allow-service { default }' if using the default default-list, or an explicit entry can be used with 'allow-service { udp:1026 }'.
618131-1 : Latency for Thales key population to the secondary slot after reboot
Component: Local Traffic Manager
Symptoms:
It may take a significant amount of time for the Thales key to populate from the primary slot to the secondary slot after a reboot. The latency can be a few minutes.
Conditions:
This occurs with a Thales netHSM installed on a chassis.
Impact:
The key cannot be found at the secondary slot and SSL traffic may fail.
Workaround:
If SSL handshakes fail on secondary blades for newly created Thales keys, check the secondary blades with:
nfkminfo -l
to see whether the key file is present. If it is not, the file can be synchronized with:
rfs-sync --update
618104-1 : Connection Using TCP::collect iRule May Not Close
Component: Local Traffic Manager
Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.
Conditions:
A finite TCP::collect iRule is in progress.
This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.
Impact:
The connection does not close until the sweeper causes a RST.
Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.
617875-1 : vCMP guest may fail to start due to not enough hugepages
Component: TMOS
Symptoms:
In rare cases, when there are many vCMP guests, the last one may fail to start because there are not enough hugepages. The shortfall is between 5 and 20 hugepages. Occasionally, that lack is sufficient to prevent the last guest from starting.
Conditions:
The circumstances under which this occurs are not known, but it appears related to a race condition in memory handling.
Impact:
vCMP guest fails to start.
Workaround:
Once in this state, restarting the host system clears the condition.
Note: Restarting the vCMP guests does not clear the condition.
617643-1 : iControl.ForceSessions enabled results in GUI error on certain pages
Component: TMOS
Symptoms:
GUI pages display 'An error has occurred while trying to process your request.'
Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.
Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.
Workaround:
Use the shell for related administrative tasks, or, if the feature is not used, disable it with the following command:
tmsh# modify sys db icontrol.forcesessions value disable
617629-1 : Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab
Component: Access Policy Manager
Symptoms:
If you click the "export csv" button and then switch to another report, the same csv file is downloaded again when you click the tab of the other report.
Conditions:
Creating multiple reports in the Access Report page and clicking the "export csv" button in one report.
Impact:
The same file is downloaded repeatedly.
Workaround:
Refresh the page before switching to another report.
617578-2 : Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware
Component: TMOS
Symptoms:
On a BIG-IP system provisioned with LTM only, the RADIUS profile called radiusLB-subscriber-aware displays inconsistent information between tmsh and the Configuration utility.
Conditions:
This occurs when looking at the radiusLB-subscriber-aware profile in both tmsh and the GUI.
Impact:
On a device that does not have PEM licensed, tmsh shows:
root@(v12)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm profile radius radiusLB-subscriber-aware
ltm profile radius radiusLB-subscriber-aware {
app-service none
defaults-from radiusLB
}
However, viewing the profile in the Configuration utility at Local Traffic :: Profiles : Services : RADIUS : radiusLB-subscriber-aware shows:
Settings field                              Custom checkbox
Persist Attribute                           disabled
Subscriber Discovery                        enabled
Client Spec                                 disabled
Protocol Profile (_sys_radius_proto_imsi)   enabled
On a device that does not have PEM licensed, the Protocol Profile should be set to None, but it shows as enabled.
617324-2 : Service health calculation creates unjustified CPU utilization
Component: Anomaly Detection Services
Symptoms:
When ASM is provisioned, service health is calculated and published to all virtual servers with a security profile, even if stress-based detection is not configured.
Conditions:
AFM is provisioned and hundreds of virtual servers are configured with a security profile.
Impact:
High CPU utilization.
Workaround:
None.
617161-1 : Cosmetic: duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers.
Component: TMOS
Symptoms:
There is a cosmetic issue that results in duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers (in Local Traffic :: Virtual Servers : Virtual Server List :: Virtual_Server_name).
Conditions:
1) Go to Local Traffic :: Virtual Servers : Virtual Server List : Virtual_Server_name : Resources : Manage iRules.
2) Move any two available iRules (created in Common partition) left to the 'Enabled' column.
3) Select the bottom iRule from the 'Enabled' column and click the 'Up' button.
4) Add an additional iRule (created in Common partition) to the 'Enabled' column.
Impact:
Instead of showing all iRules under one partition name (Common), the system is duplicating the partition name.
Workaround:
None. This is cosmetic.
616021-1 : Name Validation missing for some GTM objects
Solution Article: K93089152
Component: Performance
Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, the BIG-IP system fails to load GTM configurations where objects containing control characters are referenced by other objects.
The following GTM objects are susceptible to this control character issue:
gtm datacenter
gtm prober-pool
gtm device
gtm application
gtm region entry
gtm virtual server
gtm server
gtm link
gtm pool
Conditions:
-- A GTM object with a control character in the name.
-- That object is referenced by another object.
Reproduction example:
create gtm datacenter "start^Mend"
create gtm server test datacenter "start^Mend" address add { 1.2.3.4 }
save sys config gtm-only
load sys config gtm-only
Impact:
Causes the config to fail to load.
Workaround:
Remove control characters prior to creating GTM objects.
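A pre-flight check for the condition described in this entry, added here as an example (not F5's code): it scans a GTM configuration fragment for names containing control characters and renders them in caret notation (0x0d shows as ^M, matching the "start^Mend" reproduction above), and it exposes the same test for use before a tmsh create. The bigip_gtm.conf fragment is constructed for the example.

```python
import re

# Constructed bigip_gtm.conf fragment (not from a real system): the datacenter name
# carries a carriage return, and a server object references that datacenter.
SAMPLE_GTM_CONF = (
    'gtm datacenter "start\rend" {\n'
    '    location "constructed"\n'
    '}\n'
    'gtm server test {\n'
    '    addresses { 192.0.2.10 { } }\n'
    '    datacenter "start\rend"\n'
    '}\n'
    'gtm pool a /Common/clean_pool {\n'
    '}\n'
)

# C0 control characters (0x00-0x1f) and DEL (0x7f).
CONTROL = re.compile(r'[\x00-\x1f\x7f]')


def caret_escape(s):
    """Render control characters in caret notation (0x0d -> ^M, 0x7f -> ^?) so they are visible."""
    return CONTROL.sub(
        lambda m: '^?' if m.group() == '\x7f' else '^' + chr(ord(m.group()) + 0x40), s)


def find_control_chars(conf):
    """Return (line_number, caret_escaped_line) for every line that contains a control character.
    The text is split on newline only: str.splitlines() would also split on the
    embedded carriage return and hide the very character being looked for."""
    hits = []
    for n, line in enumerate(conf.split("\n"), start=1):
        if CONTROL.search(line):
            hits.append((n, caret_escape(line)))
    return hits


def is_valid_gtm_name(name):
    """Check a name before 'tmsh create gtm ...': reject any control character."""
    return CONTROL.search(name) is None


if __name__ == "__main__":
    for n, line in find_control_chars(SAMPLE_GTM_CONF):
        print("line %d: %s" % (n, line))
```

The report points at both the defining object and every reference to it, which is what has to be fixed (or removed) before the configuration will load again.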
614648-1 : Unable to upload software image larger than 2GB using the GUI
Component: TMOS
Symptoms:
If you attempt to upload a software image at the System :: Software Management : Image List :: New Image screen, the following results may be observed:
-- The Progress bar in the GUI never moves from 0%.
-- A temporary file is created under /shared/images with a name in the form of: upload_###################.dat.
-- The temporary file is never renamed to the correct image file name (as uploaded).
Conditions:
This may occur when the size of the software image to be uploaded is larger than 2 GB in size.
Note: The BIG-IP v14.1.0 Upgrade ISO is 2.1 GB in size. Other BIG-IP v13.x and v14.x Recovery ISOs may also be larger than 2 GB in size.
Impact:
Unable to upload software image via the GUI.
Workaround:
1. Use another method, such as SCP, to copy the BIG-IP software image to the target BIG-IP system.
2. After sufficient time has elapsed to allow the software image upload to complete, manually rename the temporary file under /shared/images to the final file name.
Note: It is highly recommended to verify the md5sum of the temporary file to confirm that upload is complete, and that the temporary file is an accurate copy of the original software image uploaded.
614493-1 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
Component: TMOS
Symptoms:
Reset sent by BIG-IP system on ePVA accelerated active flows might contain stale sequence number and ACK number, which might be out of the receiver's valid RST window.
Conditions:
For example, a server-side pool member down event leads the BIG-IP system to reset all client flows on that pool member. If these flows are actively offloaded in ePVA under heavy traffic at the time the pool member goes down and the reset is sent, the SEQ/ACK numbers known to BIG-IP software might not be recent, so the RST is encoded with the most recent SEQ/ACK that software is aware of.
Impact:
These RSTs might be ignored by the receiver if they are outside its valid window; the receiver must then rely on its TCP idle or keepalive timeout to clean up these connections. This is standard TCP stack behavior.
Workaround:
None.
614410-3 : Unexpected handling of TCP timestamps in HA configuration
Component: Local Traffic Manager
Symptoms:
Despite TCP timestamps being configured, the BIG-IP system fails to present timestamp option during TCP negotiation.
The BIG-IP system calculates invalid round trip time, which might result in delayed retransmission.
Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- Virtual server configured with connection mirroring.
Impact:
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.
Workaround:
None.
614364-1 : Linux client NA components cannot be installed neither using sudo password nor root password
Component: Access Policy Manager
Symptoms:
Linux client Network Access components cannot be installed using either the sudo password or the root password in the Firefox browser. The issue occurs because the version reported is incorrect, and the post-installation version on the machine still does not match the version reported by the server.
Conditions:
Firefox web browser, NPAPI plugins, Network Access on Linux distributions.
Impact:
Installation and update of the web browser plugin for Network Access fails.
614072-1 : Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.
Component: Access Policy Manager
Symptoms:
All SWG sessions map to the SNAT pool IP and many requests get stuck.
Conditions:
SWG virtual server with Source Address Translation set to a SNAT pool; create a session and send traffic for an expired session.
Impact:
Requests get stuck in the ACCESS filter and the browser keeps looping.
Workaround:
Change source address translation to AUTOMAP instead of SNAT Pool.
613844 : iApp may fail to install if AFM is provisioned
Component: Advanced Firewall Manager
Symptoms:
When you try to deploy the f5.microsoft_sharepoint_2016.v1.0.0rc1 iApp from the GUI, the install may fail when AFM is provisioned. A similar error occurs when deploying f5.http iApp. The failure to deploy might not be related to a specific iApp.
Conditions:
-- AFM provisioned.
-- Using the GUI to deploy the iApp, f5.microsoft_sharepoint_2016.v1.0.0rc1, f5.http, and others.
Impact:
Deployment fails.
Workaround:
None.
613542-2 : tmm core while running the iRule STATS:: command
Solution Article: K81463390
Component: TMOS
Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.
Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED
613483-2 : Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.
Solution Article: K18133264
Component: Local Traffic Manager
Symptoms:
For PKCS#1, the SHA-256 DigestInfo header should be:
30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
However, there is also this alternate header (without the NULL parameters):
30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20
Some implementations use the alternate. According to PKCS#1, the first form is used when producing a signature, but both should be accepted when verifying signatures.
In BIG-IP, SSL uses the first header (30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20), whereas crypto uses the second header format for some certificate verification (30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20). This inconsistency causes signature verification to fail.
Conditions:
For some particular certificates, crypto uses alternative SHA prefix for verification.
Impact:
SSL handshake fails because of certificate verification failure.
Workaround:
None.
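An added example, not BIG-IP code, showing the verifier behaviour PKCS#1 asks for in the entry above: it accepts both SHA-256 DigestInfo encodings by recomputing the full encoded message for each prefix and comparing, as RFC 8017 section 8.2.2 does. The 256-byte encoded-message length (a 2048-bit modulus) and the sample messages are assumptions; the strict mode reproduces the mismatch the bug describes.

```python
"""EMSA-PKCS1-v1_5 encoding and verification for SHA-256 that tolerates both
DigestInfo prefixes.  Added example; not BIG-IP or F5 code."""
import hashlib
import hmac

# DigestInfo prefix with explicit NULL AlgorithmIdentifier parameters
# (the form RFC 8017 says signers must produce).
SHA256_PREFIX_NULL = bytes.fromhex("3031300d060960864801650304020105000420")
# Alternate prefix that omits the NULL parameters; emitted by some signers,
# and the form PKCS#1 says verifiers should also accept.
SHA256_PREFIX_NO_NULL = bytes.fromhex("302f300b06096086480165030402010420")


def _encode_from_hash(digest: bytes, em_len: int, prefix: bytes) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, where T = prefix || digest."""
    t = prefix + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)   # at least 8 bytes of 0xFF
    return b"\x00\x01" + ps + b"\x00" + t


def emsa_pkcs1_v15_encode(message: bytes, em_len: int,
                          prefix: bytes = SHA256_PREFIX_NULL) -> bytes:
    """Encode a message the way a signer does (before RSA private-key op)."""
    return _encode_from_hash(hashlib.sha256(message).digest(), em_len, prefix)


def emsa_pkcs1_v15_verify(message: bytes, em: bytes,
                          accept_alternate: bool = True) -> bool:
    """Check that em is a valid encoding of SHA-256(message).

    Rather than parsing the padding and DER out of em (a classic source of
    verifier bugs), rebuild the expected EM for each acceptable prefix and
    compare the whole thing in constant time.  accept_alternate=False only
    accepts the NULL-parameter form, which is the strict behaviour that makes
    signatures produced with the alternate prefix fail.
    """
    digest = hashlib.sha256(message).digest()
    prefixes = [SHA256_PREFIX_NULL]
    if accept_alternate:
        prefixes.append(SHA256_PREFIX_NO_NULL)
    for prefix in prefixes:
        try:
            expected = _encode_from_hash(digest, len(em), prefix)
        except ValueError:
            return False          # em is too short to be a valid encoding
        if hmac.compare_digest(expected, em):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a 2048-bit modulus gives a 256-byte encoded message.
    msg = b"tbs-certificate-bytes (constructed sample)"
    em_std = emsa_pkcs1_v15_encode(msg, 256)
    em_alt = emsa_pkcs1_v15_encode(msg, 256, SHA256_PREFIX_NO_NULL)
    print("standard prefix, tolerant verifier:", emsa_pkcs1_v15_verify(msg, em_std))
    print("alternate prefix, tolerant verifier:", emsa_pkcs1_v15_verify(msg, em_alt))
    print("alternate prefix, strict verifier:  ",
          emsa_pkcs1_v15_verify(msg, em_alt, accept_alternate=False))
    print("tampered message:                   ",
          emsa_pkcs1_v15_verify(msg + b"x", em_std))
```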
612758-1 : Exception within function F5_Inflate_innerHTML.
Solution Article: K46453748
Component: Access Policy Manager
Symptoms:
Using the Mozilla FireFox browser might cause portal access to keep reloading.
Conditions:
The web application contains an object, created by application code, with the following properties:
o = {tagName: true, setAttribute: true}
o.innerHTML = "any_value";
Impact:
Web-application does not work as expected.
Workaround:
Use the following iRule (customization required for /PATTERN_PATH):
# Updated workaround for SR 1-2326181581
when REWRITE_REQUEST_DONE {
    if { [HTTP::path] contains "/PATTERN_PATH" } {
        # log "URI=([HTTP::path])"
        # Found the file we wanted to modify
        REWRITE::post_process 1
    }
}
when REWRITE_RESPONSE_DONE {
    set strt [string first {<script>} [REWRITE::payload]]
    if {$strt > 0} {
        REWRITE::payload replace $strt 0 {
<script>
if (typeof F5_Inflate_index !== 'undefined' && typeof F5_old_Inflate_index === 'undefined') {
    var F5_old_Inflate_index = F5_Inflate_index;
    F5_Inflate_index = function(o, s, incr, v) {
        if (typeof v !== 'boolean') return F5_old_Inflate_index(o, s, incr, v);
        return (o[s] = incr ? o[s] + v : v);
    }
}
</script>
        }
    }
}
612584-1 : Server side blocking/asm cookie setting may not work under some circumstances
Solution Article: K34500121
Component: Application Security Manager
Symptoms:
ASM Cookies are not set, blocking doesn't happen due to server side violation (such as HTTP status or attack signature in response), or data guard masking/blocking doesn't happen.
Conditions:
CSRF or web scraping is configured.
Impact:
False negative - missing blocking.
False positives due to possible missing cookies.
Workaround:
Add the following iRule to the web server:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "TSbd" } {
        HTTP::header remove "Connection"
        HTTP::header insert "connection" "close"
    }
}
612143-2 : Potential tmm core when two connections add the same persistence record simultaneously.
Component: Service Provider
Symptoms:
If two messages processed on different connections with the same persistence key add a persistence record at the same time, one add operation is returned a non-fatal error stating that the record already exists. The error might cause the message to be sent to both the destination and the originator, which fails.
Conditions:
Two messages processed on different connections with the same persistence key add a persistence record at the same time.
Impact:
A potential core occurs. The error might cause the message to be sent to both the destination and the originator, which fails. Traffic disrupted while tmm restarts.
Workaround:
None.
612086-3 : Virtual server CPU stats can be above 100%
Solution Article: K32857340
Component: TMOS
Symptoms:
The CPU usage is reported as above 100%.
Conditions:
It is not known exactly what triggers this.
Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.
Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.
612083 : Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.
Component: TMOS
Symptoms:
One or more of the following messages appear in the system event log:
CPU0 HW Correctable Error
CPU 0 Corrected Error: Port 1a PCIe* logical port has detected an error.
CPU 0 PCI/DMI Error B:D:F 0x8: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x8: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: multiple_correctable_error_received
CPU 0 Corrected Error: DMI Error Status
CPU 0 PCI/DMI Error B:D:F 0x0: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x0: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: multiple_correctable_error_received
Conditions:
The error messages may appear following an AC power cycle of the BIG-IP i-Series platforms: i2000, i2800 and i4000.
Impact:
The system detected an error on an internal bus and was able to correct it. There is no data loss or functional impact.
Workaround:
There is no mitigation or workaround for this.
611652-3 : iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.
Component: Local Traffic Manager
Symptoms:
While saving an iRule containing HTTP::cookie without the value parameter, you get a validation warning: 'warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. 'unexpected end of arguments;expected argument spec:COOKIE_NAME"160 25][HTTP::cookie $cookie_name]'.
The offending iRule command looks similar to this:
[HTTP::cookie $cookie_name]
Conditions:
iRules containing HTTP::cookie, but missing the optional value parameter, e.g. [HTTP::cookie $cookie_name].
Impact:
Validation warning incorrectly occurs if the optional 'value' parameter is left off. Note that the iRule is still loaded into the configuration.
Workaround:
Use the 'value' parameter in the HTTP::cookie command:
[HTTP::cookie value $cookie_name].
611485-1 : APM AAA RADIUS server address cannot be a multicast IPv6 address.★
Component: Access Policy Manager
Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation will prevent using a multicast address for AAA radius IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.
Conditions:
The validation error occurs if APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and beyond.
Impact:
Support for AAA RADIUS direct IPv6 is added in BIG-IP version 13.0.0, and the new validation affects only IPv6 multicast addresses, so any working IPv4 configuration is not affected by this validation.
Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS; ensure you are using unicast addresses.
611327-1 : Using an established app tunnel may display a Java exception error message.
Solution Article: K35559723
Component: Access Policy Manager
Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:
When users attempt to use the established access session app tunnel, their Mac OS X device displays a Java exception error message similar to the following example:
An uncaught exception was raised. Choose "Continue" to continue running in an inconsistent state. Choose "Crash" to halt the application and file a bug with Crash Reporter. Choosing "Crash" will result in the loss of all unsaved data.
When the user selects Continue, the exception error message is immediately displayed again (loop).
When the user selects Crash, the established app tunnel is terminated.
Though the Java exception error message is displayed, the app tunnel functions as expected.
Conditions:
This issue occurs when all of the following conditions are met:
-- The local user device is running Mac OS X 10.12 (Sierra).
-- The BIG-IP APM system is configured with an app tunnel that is Java Tunnel-enabled.
-- The user established an access session using the Safari 10 web browser.
-- The user launches an app tunnel session.
-- The user attempts to use the established app tunnel.
Impact:
Cannot use Safari 10 web browser for an app tunnel that is Java Tunnel-enabled.
Workaround:
To work around this issue, you can use an alternate browser, or Apple Safari browser, or ignore the system generated error message while using the app tunnel.
611054-1 : Network failover "enable" setting is sometimes ignored on chassis systems
Component: TMOS
Symptoms:
The failover device group network-failover attribute has no effect on chassis systems. The high availability subsystem will continue to send network failover packets, and continue to operate normally, even if this is set to "disable".
Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.
Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.
Workaround:
Enable network-failover in the sync-failover device-group.
610682-2 : LTM Policy action to reset connection only works for requests
Component: Local Traffic Manager
Symptoms:
The LTM Policy forwarding action 'reset', which forcibly terminates the client connection, works for requests, but gives an error when used with a response event.
Conditions:
Issue occurs in an LTM Policy rule where one or more of the conditions is associated with HTTP response, for example, checking the HTTP status code in the response from a backend server.
Impact:
LTM Policy action does not work. System posts error message similar to the following: transaction failed:010716e2:3: Policy '/Common/Drafts/mypolicy', rule 'rule-1'; an action precedes its conditions.
Workaround:
None.
610436-3 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.
Solution Article: K13222132
Component: Access Policy Manager
Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service, when two adapters have the same DNS Server address on Microsoft Windows version 10.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP APM configuration uses a network access profile.
-- The user device is running Windows 10 and is connected to two networks through two network interfaces.
-- The Windows user has installed the BIG-IP Edge Client that includes the DNS Relay Proxy Service.
-- Prior to establishing an access session, the lower index network interface of the Windows device is disconnected.
-- The Windows user establishes an access session using BIG-IP Edge Client.
-- The Windows device's lower index network interface is reconnected.
-- The Windows user attempts a DNS resolution.
Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.
Workaround:
To work around this issue, add the following registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient with DWORD EnableMultiHomedRouteConflicts set to 0.
This reverts the Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy creates listeners on loopback for incoming requests, and the driver redirects DNS requests to the listener on the loopback.
Important: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.
For step-by-step instructions for adding this registry key, see K13222132: The DNS Relay Proxy Service may fail to resolve DNS requests :: https://support.f5.com/csp/article/K13222132.
610077-2 : Access Policy Manager CRL cache is locked out for CRLDP authentication
Component: Access Policy Manager
Symptoms:
A page protected by an Access Policy cannot be displayed after submitting credentials.
Internally, on the BIG-IP device, apmd CPU utilization becomes very high.
Conditions:
1. Access policy uses CRLDP authentication.
2. Cached CRL file(s) are expired.
Impact:
Unable to log on due to CRL cache lockout.
Workaround:
None.
609609-1 : TMM crash, Invalid action
Component: Local Traffic Manager
Symptoms:
TMM crashes and restarts. Before the crash, you may see this signature in /var/log/ltm: tmm1[21502]: 011f0007:3: http_process_state_prepend - Invalid action:0x109040.
Conditions:
This intermittent issue may be seen if you have an iRule that performs HTTP::disable, and there are network issues between the BIG-IP system and the pool members.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
609200-2 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.★
Component: TMOS
Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.
Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt to install a hotfix to the installation target.
Impact:
Cannot install hotfix.
Workaround:
Delete the target location, and perform the hotfix installation again.
Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.
609186-5 : TMM or MCP might core while getting connections via iControl.
Component: TMOS
Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.
Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.
Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.
Workaround:
None.
609043-1 : When BIG-IP processes SAML Single logout request/response, tmm cores intermittently.
Component: Access Policy Manager
Symptoms:
The tmm process crashes.
Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.
-- BIG-IP processes SAML Single Logout Request/Response
Impact:
Traffic disrupted while tmm restarts. All APM end users must log back in.
Workaround:
None.
608511-2 : Message router profile is not inheriting the traffic-group from the parent folder
Solution Article: K22141268
Component: TMOS
Symptoms:
The standby system sends gratuitous ARPs for virtual servers configured with a message router profile.
Conditions:
This symptom may occur if:
-- The message router profile traffic-group is set to default (inherit from folder).
-- The message router profile folder is also set to inherit from parent folder.
-- A configuration change is made to the virtual server on the non-active unit.
Impact:
Traffic is routed to the standby system instead of the active one, causing connections to stall/fail until the neighbor table is updated.
Workaround:
Set traffic-group on the message router profile.
608453-1 : Shrink/Expand images of Webtop Section are customizable
Component: Access Policy Manager
Symptoms:
Changing the Shrink/Expand images of the Webtop Section in Webtop Customization does not actually change the images on the client; users see the default images instead.
Conditions:
This is encountered when using Webtop Customization.
Impact:
The default image is displayed instead of the customized image.
Workaround:
None.
607684 : tmsh provides option to delete all URLs from a custom category, which is not possible
Component: Access Policy Manager
Symptoms:
tmsh provides a command option for admin to delete all URLs from a custom category. However, this is not a valid option, and an error will be displayed. The system presents the following error:
Configuration error: Cannot delete url (http://www.example.com*). This occurs because url-category (/Common/ex) is a custom category. A custom category must have at least one URL.
Conditions:
Running the following command:
tmsh modify sys url-db url-category pattern urls delete { all }
Impact:
No URLs are deleted. Each URL must be deleted individually.
Workaround:
Delete URLs individually.
607166-1 : Hidden directories and files are not synchronized to secondary blades
Component: Local Traffic Manager
Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.
Existing hidden files that are edited on the primary blade are not synced to secondaries.
Conditions:
Multi-bladed system.
Impact:
The most common uses of hidden files are per-user shell configuration and history.
Workaround:
Manually copy configuration files onto other blades.
606799-1 : GUI total number of records not correctly initialized with search string on several pages.
Solution Article: K16703796
Component: TMOS
Symptoms:
GUI total number of records not correctly initialized with search string on several pages.
Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.
Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.
Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.
606330-5 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
Component: TMOS
Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.
Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.
Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.
Workaround:
Clear the BGP neighbor after changing the configuration.
606032 : Network Failover-based high availability (HA) in AWS may fail
Component: TMOS
Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.
Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.
Impact:
Configuration of high availability (HA) in AWS cannot be completed.
Workaround:
The current workaround is to configure high availability (HA) in AWS with at least 2 network interfaces.
605891-1 : Enable ASM option disappears from L7 policy actions
Component: TMOS
Symptoms:
ASM cannot be enabled if 'Application Security Manager' is used in the license string instead of 'ASM'.
Conditions:
'Application Security Manager' is used in the license string instead of 'ASM'.
Impact:
The ASM module cannot be enabled using the GUI under certain licenses where ASM is licensed.
Workaround:
Enable ASM using tmsh instead of the GUI.
605840-5 : HSB receive failure lockup due to unreceived loopback packets
Component: TMOS
Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***
Conditions:
Unknown.
Impact:
The unit is rebooted.
Workaround:
None.
605800-3 : Web GUI submits changes to multiple pool members as separate transactions
Component: TMOS
Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.
Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.
Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.
Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.
605414-1 : Mysqld and bcm56xxd seem to run at 100% on vCMP host.
Solution Article: K23230852
Component: Application Visibility and Reporting
Symptoms:
Mysqld and bcm56xxd seem to run at 100% on vCMP host.
Conditions:
When the hypervisor collects statistical data from itself and all hosted guests, too many system resources are used, leading to constant updates of data to mysql.
Impact:
This results in the hypervisor not functioning properly.
Workaround:
Execute the following command:
bigstart stop monpd
Impact of this workaround: Although no statistical data will be collected, the hypervisor will perform all other functions.
605175 : Backslashes in monitor send and receive strings
Component: Local Traffic Manager
Symptoms:
After creating a monitor using the GUI containing a recv parameter with a backslash such as '\* OK', loading the configuration generates a validation error:
01070753:3: Monitor /Common/test recv parameter contains an invalid regular expression (Invalid preceding regular expression).
Unexpected Error: Loading configuration process failed.
Attempting to configure the same monitor via tmsh throws the validation error before creating the monitor, but the GUI allows the single backslash. Two backslashes are required in this case.
Conditions:
Using the GUI to configure a monitor, whose receive string needs to look for a backslash, and only a single backslash is entered in the GUI.
Impact:
Configuration fails to load after it is successfully created via the GUI. The GUI accepts this when it should throw a validation error: two backslashes are required.
Workaround:
When configuring the monitor via the GUI, use two backslashes instead of one.
605018-2 : Citrix StoreFront integration mode with pass through authentication fails for browser access
Solution Article: K47516511
Component: Access Policy Manager
Symptoms:
Citrix StoreFront integration mode with pass-through authentication fails for browser access. After the credentials are provided, browser access repeatedly displays 'Can not complete the request' and asks the user to press 'OK'.
Conditions:
This occurs when the following conditions are met:
- APM is configured in integration mode with StoreFront.
- External access virtual server IP is used in Citrix gateway configuration 'Subnet IP address' column.
- (Request Header Insert) :: [X-Citrix-Via-Vip:10.10.10.10], 10.10.10.10 is the virtual server IP address. Request Header Insert is configured on the HTTP profile of the same virtual server.
Impact:
No browser access to StoreFront.
Workaround:
StoreFront combines multiple headers of the same name and cannot use the resulting value. You can work around this issue by stripping duplicate X-Citrix-Via-Vip headers with an iRule such as the following.
In the iRule, replace 10.10.10.10 with the corresponding external access virtual server IP address.
when HTTP_REQUEST {
    if { [HTTP::header count "X-Citrix-Via-Vip"] >= 2 } {
        HTTP::header remove "X-Citrix-Via-Vip"
        HTTP::header insert "X-Citrix-Via-Vip" "10.10.10.10"
    }
}
604050 : Failed to get master key (ERR_NOT_FOUND) in apm log on first boot
Component: Access Policy Manager
Symptoms:
After booting a new platform for the first time, you may see the following log entry in /var/log/apm:
err tmm1[17340]: 01490563:3: (null):Common:00000000: Access stats encountered error: Failed to get master key (ERR_NOT_FOUND)
Conditions:
Viewing /var/log/ltm after first boot
Impact:
This is a residual log entry; it is benign and can be safely ignored.
603772-1 : Floating tunnels with names more than 15 characters may cause issues during config-sync.
Component: TMOS
Symptoms:
Floating tunnels with names more than 15 characters may cause issues in config-sync, because such a long name is truncated when creating a corresponding Linux tunnel interface.
Conditions:
The BIG-IP system consists of both floating and non-floating tunnels and their names are longer than 15 characters.
Impact:
When the config-sync happens, the following error may occur:
Caught configuration exception (0), Cannot create tunnel 'g123456789abc~1' in rd0 - ioctl failed: File exists.
Workaround:
Some workarounds are available:
- Make sure that tunnel names are less than 16 characters; or
- Make sure that the names of floating and non-floating tunnels do not share a common prefix in the first 15 characters; or
- Make sure that the BIG-IP system does not have a mixture of floating and non-floating tunnels.
603693-5 : Brace matching in switch statement of iRules can fail if literal strings use braces
Solution Article: K52239932
Component: TMOS
Symptoms:
In the TMUI on any iRule editing page, brace matching within a switch statement can fail if a literal string is surrounded with braces.
Conditions:
Use a literal string surrounded with curly braces for a case/pattern within a switch statement.
Impact:
Incorrect brace matching.
Workaround:
Instead of surrounding the literal string with braces, use double quotes.
603690-2 : CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.
Solution Article: K82210057
Component: Local Traffic Manager
Symptoms:
CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.
Conditions:
APM Edge Client over a VPN tunnel. The issue tends to occur when CPU Saver is configured on the Edge Client on devices where hardware compression cannot perform the specific type of compression/decompression being requested.
Impact:
Edge Client shows the VPN tunnel as 'Connected' but no traffic flow. This is an intermittent issue.
Workaround:
You can use either of the following workarounds:
-- Enable CPU Saver in the secure connectivity profile.
+ To do so in the GUI:
1. Navigate to GUI: Access Policy :: Secure Connectivity :: profile_name :: Compression Settings :: Network Access.
2. Check the CPU Saver checkbox.
+ To do so in tmsh, run the following command:
tmsh modify apm profile connectivity dummy compress-cpu-saver true
-- Configure compression strategy to 'speed' (from 'latency'). To do so, run the following command:
tmsh modify sys db compression.strategy value "speed"
603380-6 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
Component: Local Traffic Manager
Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.
Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.
Impact:
You will see messages similar to the following in /var/log/ltm.
err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort
Workaround:
None.
603093 : AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system
Component: TMOS
Symptoms:
The BIG-IP i-Series platform (i2600, i2800, i4600, i4800) 250W AC power supplies PWR-0334-01 and PWR-0334-02 show differences in their LED behavior during a hot swap or hot plug, or whenever power is removed from the supply. This applies to redundant systems and to systems with a single supply.
Conditions:
PWR-0334-01
- When the input ramps below 80 VAC, the input LED blinks green and the output LED blinks amber.
- When the input ramps below 72 VAC, the input LED is off and the output LED blinks amber.
- If the AC cord is removed with 1 or 2 supplies in the system, the input LED is off and the output LED is off.
PWR-0334-02
- When the input ramps below 75 VAC + 1 VAC, the input LED blinks green and the output LED blinks amber.
- When the input ramps below 70 VAC + 1 VAC, the input LED is off and the output LED turns off immediately.
Impact:
LED behavior may be inconsistent between revisions of the power supply on early platform shipments with PWR-0334-02.
Workaround:
N/A
603092-5 : "displayservicenames" does not apply to show ltm pool members
Component: TMOS
Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.
Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.
Impact:
The IP address is displayed, but not the service name.
602390-2 : Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Solution Article: K87506901
Component: TMOS
Symptoms:
Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Conditions:
Customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
Impact:
Can use only English language characters to customize these fields.
Workaround:
None.
602193-4 : iControl REST calls fail when payload contains non-UTF8 data
Component: TMOS
Symptoms:
While using the iControl REST API, calls to the BIG-IP, which result in non-UTF8 data being returned by the BIG-IP, will fail. This data can be intentional (for example, in a TLS certificate) or accidental (like an EEPROM-sourced component name experiencing bit corruption).
Conditions:
BIG-IP attempts to respond to iControl REST API query with data containing non-UTF8 characters.
Impact:
iControl REST API call will fail.
Workaround:
If the data intentionally has non-UTF8 characters, remove or change them to UTF8-compliant characters only. If the data unintentionally contains non-UTF8 characters, determine if a component should be replaced due to name bit corruption.
In some cases, a workaround script can be constructed using the "iconv" utility.
601414-1 : Combined use of session and table irule commands can result in intermittent session lookup failures
Component: TMOS
Symptoms:
[session lookup] commands do not return the expected result.
Conditions:
An iRule which combines use of [table] and [session lookup] commands.
Impact:
Intermittent session functionality.
Workaround:
If possible, use table commands in lieu of session commands.
600985-4 : Network access tunnel data stalls
Component: Access Policy Manager
Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.
Conditions:
The cause of this issue is not yet known.
Impact:
Data stalls on the tunnel, so the client cannot access any applications. However, the Edge Client shows the VPN tunnel as 'Connected'.
Workaround:
Manually re-establish the tunnel.
600872-1 : Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.
Component: Access Policy Manager
Symptoms:
APM end user sessions start successfully, but end within a few minutes and they are forced to logon again.
The default timeout is 900 seconds.
Conditions:
- An HTTP/2-capable browser is in use on a Microsoft Windows platform.
- APM and HTTP/2 are enabled on the same virtual server.
Impact:
APM sessions time out at the configured inactivity timeout (default is 900 seconds) regardless of activity, and APM end users must restart their sessions.
Workaround:
Remove HTTP/2 profile from the affected virtual server.
600634-2 : Schedule-reports can break the upgrade process★
Component: Application Visibility and Reporting
Symptoms:
A scheduled report (of predefined type) that is created using the GUI might result in a validation error on upgrade, which might cause the upgrade process to fail. You may see this error in /var/log/ltm:
Syntax Error:(/config/bigip.conf at line: 86) "predefined-report-name" may not be specified with "multi-leveled-report.time-diff".
Conditions:
Creating predefined-scheduled-report from the GUI.
Impact:
Upgrade process can fail.
Workaround:
If the config load fails, you can get the configuration to load by manually removing the scheduled reports.
Impact of mitigation: This removes scheduled reports from the configuration.
1. Edit bigip.conf.
2. Look for analytics objects that have the scheduled-report in the declaration:
analytics application-security scheduled-report /Common/... {
3. Remove the object and the configuration will load.
600431-6 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP
Component: Service Provider
Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'
Conditions:
iRule that extracts ip address from a diameter avp.
Impact:
The iRule ends with an error.
Workaround:
Instead of
set data [DIAMETER::avp data get 257 ip4]
use an iRule such as
if { [DIAMETER::avp count 257] > 0 } {
    set data [DIAMETER::avp data get 257]
    # First two octets of a Diameter Address are the big-endian AddressType
    binary scan $data S family
    switch $family {
        1 {
            # IPv4: 4 address bytes follow the 2-byte family
            set ip [IP::addr parse -ipv4 $data 2]
            log local0. "ip = $ip"
        }
        2 {
            # IPv6: 16 address bytes follow the 2-byte family
            set ip [IP::addr parse -ipv6 $data 2]
            log local0. "ip = $ip"
        }
        default {
            log local0.alert "address family $family is not supported"
        }
    }
}
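The same validation done off-box, as an added Python example that is not part of the release note or of any F5 code: it parses raw Diameter AVPs as laid out in RFC 6733 (code, flags, 24-bit length, optional Vendor-ID, 4-octet padding), checks the 2-octet AddressType and the address byte count before converting, and skips unsupported families the way the iRule's default branch does. The AVP bytes are constructed inline for the demonstration.

```python
"""Parse Diameter AVPs (RFC 6733) and decode the Address type handled by the iRule above."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

AVP_FLAG_VENDOR = 0x80      # V bit: a 4-octet Vendor-ID follows the length
AVP_FLAG_MANDATORY = 0x40   # M bit
HOST_IP_ADDRESS = 257       # AVP code used in the iRule above

# AddressType values (IANA Address Family Numbers) carried by the Diameter Address type
AF_IPV4 = 1
AF_IPV6 = 2

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Avp:
    code: int
    flags: int
    vendor_id: Optional[int]
    data: bytes


def parse_avp(buf: bytes, offset: int = 0) -> Tuple[Avp, int]:
    """Parse one AVP at offset; return it and the offset of the next AVP."""
    if len(buf) - offset < 8:
        raise ValueError("truncated AVP header")
    code, flags_len = struct.unpack_from("!II", buf, offset)
    flags, length = flags_len >> 24, flags_len & 0x00FFFFFF
    header = 8
    vendor_id = None
    if flags & AVP_FLAG_VENDOR:
        if len(buf) - offset < 12:
            raise ValueError("truncated vendor-specific AVP header")
        (vendor_id,) = struct.unpack_from("!I", buf, offset + 8)
        header = 12
    if length < header or offset + length > len(buf):
        raise ValueError(f"AVP length {length} does not fit the buffer")
    data = buf[offset + header:offset + length]
    padded = (length + 3) & ~3          # AVP data is padded to a 4-octet boundary
    return Avp(code, flags, vendor_id, data), offset + padded


def decode_address(data: bytes) -> IPAddress:
    """Decode a Diameter Address: 2-octet AddressType, then the raw address bytes.

    The family and the byte count are checked before converting; this is the
    validation that `DIAMETER::avp data get 257 ip4` does not perform.
    """
    if len(data) < 2:
        raise ValueError("Address shorter than its 2-octet AddressType")
    (family,) = struct.unpack_from("!H", data, 0)
    addr = data[2:]
    if family == AF_IPV4:
        if len(addr) != 4:
            raise ValueError(f"IPv4 Address must carry 4 octets, got {len(addr)}")
        return ipaddress.IPv4Address(addr)
    if family == AF_IPV6:
        if len(addr) != 16:
            raise ValueError(f"IPv6 Address must carry 16 octets, got {len(addr)}")
        return ipaddress.IPv6Address(addr)
    raise ValueError(f"address family {family} is not supported")


def host_ip_addresses(buf: bytes) -> List[str]:
    """Walk a run of AVPs and return every decodable Host-IP-Address (code 257).

    Unsupported families are skipped instead of aborting, like the iRule's default branch.
    """
    found: List[str] = []
    offset = 0
    while offset < len(buf):
        avp, offset = parse_avp(buf, offset)
        if avp.code != HOST_IP_ADDRESS:
            continue
        try:
            found.append(str(decode_address(avp.data)))
        except ValueError:
            continue
    return found


def build_avp(code: int, data: bytes, mandatory: bool = True) -> bytes:
    """Encode a non-vendor AVP with 4-octet padding (used here to build test input)."""
    length = 8 + len(data)
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)


def address_data(ip: str) -> bytes:
    """Encode an IP string as Diameter Address data (AddressType + packed address)."""
    parsed = ipaddress.ip_address(ip)
    family = AF_IPV4 if parsed.version == 4 else AF_IPV6
    return struct.pack("!H", family) + parsed.packed


# Constructed sample: Origin-Host (264), an IPv4 and an IPv6 Host-IP-Address, and a
# Host-IP-Address with an unregistered family (99) that must be skipped, not fatal.
SAMPLE_AVPS = (
    build_avp(264, b"bigip.example.com")
    + build_avp(HOST_IP_ADDRESS, address_data("192.0.2.10"))
    + build_avp(HOST_IP_ADDRESS, address_data("2001:db8::1"))
    + build_avp(HOST_IP_ADDRESS, struct.pack("!H", 99) + b"\x01\x02\x03\x04")
)

if __name__ == "__main__":
    print(host_ip_addresses(SAMPLE_AVPS))   # ['192.0.2.10', '2001:db8::1']
```

Feed a captured AVP run (for example the AVPs following a Capabilities-Exchange-Request header) to host_ip_addresses to see which Host-IP-Address values a peer actually sends; a family other than 1 or 2, or a length that does not match the family, is exactly the input that made the one-step ip4 form fail.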
599048-1 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
Component: Local Traffic Manager
Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.
Conditions:
Use of the OCSP Stapling feature.
Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.
Workaround:
None
598908-2 : Passing an empty URI to AAM might cause tmm to core.
Solution Article: K07353428
Component: WebAccelerator
Symptoms:
Passing an empty URI to AAM might cause tmm to core.
Conditions:
This occurs when the following conditions are met:
-- AAM/WAM is provisioned and a virtual server with web acceleration policy is configured.
-- The virtual server has an iRule that strips the URI in the request.
-- IBR is configured in the acceleration policy.
Impact:
When AAM/WAM processes the request, it does not check whether the string is empty, which results in tmm crash. Traffic disrupted while tmm restarts.
Workaround:
Apply an iRule that inspects the URI in the request and inserts forward slash ( / ) when the URI is missing.
598650-1 : apache-ssl-cert objects do not support certificate bundles
Component: TMOS
Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle results in an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.
Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.
Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.
598204-3 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
Solution Article: K54284420
Component: Local Traffic Manager
Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.
Impact:
A TCP virtual server might use bigger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.
Workaround:
None.
598031-1 : Slow memory growth leading to TMM core
Component: Local Traffic Manager
Symptoms:
Tmm cores when using SSL (client and server) with AVR, DoS, APM, ASM on a virtual server.
Conditions:
The exact conditions under which this occurs are unknown.
Impact:
Slow memory growth leading to TMM core. Traffic disrupted while tmm restarts.
Workaround:
None.
597818-2 : Unable to configure IPsec NAT-T to "force"
Component: TMOS
Symptoms:
When configuring IPsec NAT traversal to "Force", the behavior is as if the setting is "Off".
Conditions:
Configuring IPsec NAT Traversal to Force
Impact:
NAT-T does not work
Workaround:
Configure NAT-T to On instead.
597564-3 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
Component: TMOS
Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user is manually editing the bigip.conf file, and they remove the 'app-service' statement from a virtual server, 'tmsh load sys config' will not fail to load the config, which is incorrect.
Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.
Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:
May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.
Workaround:
Exercise caution when manually editing BIG-IP configuration files.
597369-1 : Reopen TCP's receive window based on initial receive window size after a zero window
Component: Local Traffic Manager
Symptoms:
TCP reopens its receive window with 3*MSS bytes after a zero window, which is inefficient when round-trip time (RTT) is high.
Conditions:
- TCP zero window is sent by BIG-IP.
- TCP reopens receive window after enough data is drained from proxy.
Impact:
Reopening receive window slowly on the receive side may impact the throughput performance of the sender on the other side.
Workaround:
None.
597253-1 : HTTP::respond Tcl command may incorrectly identify parameters as iFiles
Component: Local Traffic Manager
Symptoms:
The HTTP::respond iRule command may incorrectly identify parameters as an iFile parameter when attaching the iRule to a virtual server.
Conditions:
HTTP::respond command making use of a variable as a header name. For instance:
HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"
Configure a HTTP/TCP virtual server and attach the iRule.
Impact:
1070151:3: Rule [/Common/example_rule] error: Unable to find ifile (header_value_text) referenced at line 3: [HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"]
Workaround:
Ensure the offending header name and value are either both literal strings or both variables.
596826-5 : Don't set the mirroring address to a floating self IP address
Component: TMOS
Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address
It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.
Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.
Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".
Workaround:
Change the mirroring address to a non floating self IP address. The GUI will only present non floating self IP addresses.
For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478
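An added example (not from the release note or from F5) of auditing for this misconfiguration offline in Python: it parses text in the shape of `tmsh list cm device` and `tmsh list net self` output and flags any mirror-ip or mirror-secondary-ip that equals the address of a self IP with floating enabled. The sample output below is constructed, and the parser assumes tmsh's layout of one top-level object per block with the closing brace in column 0.

```python
"""Flag cm device mirror addresses that point at floating self IPs (tmsh-shaped text)."""
import ipaddress
import re
from typing import Dict, List

# Constructed samples in the shape of `tmsh list cm device` / `tmsh list net self`
# output; not captured from a real system.
SAMPLE_CM_DEVICE = """\
cm device /Common/bigip1.example.com {
    configsync-ip 10.1.1.11
    mirror-ip 10.1.1.11
    mirror-secondary-ip 10.1.1.100
    self-device true
}
"""

SAMPLE_NET_SELF = """\
net self /Common/internal-float {
    address 10.1.1.100/24
    floating enabled
    traffic-group traffic-group-1
    vlan internal
}
net self /Common/internal {
    address 10.1.1.11/24
    traffic-group traffic-group-local-only
    vlan internal
}
"""

# A top-level tmsh object: "<type> <name> {" ... "}" with the closing brace in column 0,
# so nested blocks (whose closing braces are indented) stay inside the body.
OBJECT_RE = re.compile(r"^(cm device|net self) (\S+) \{\n(.*?)^\}", re.M | re.S)


def _ip_only(value: str) -> str:
    """Strip prefix and route-domain suffixes: 10.1.1.100%1/24 -> 10.1.1.100."""
    return value.split("/")[0].split("%")[0]


def floating_self_ips(net_self_text: str) -> Dict[str, str]:
    """Map address -> self IP name for every self IP with `floating enabled`."""
    result: Dict[str, str] = {}
    for kind, name, body in OBJECT_RE.findall(net_self_text):
        if kind != "net self":
            continue
        addr = re.search(r"^\s*address (\S+)", body, re.M)
        if addr and re.search(r"^\s*floating enabled\s*$", body, re.M):
            result[_ip_only(addr.group(1))] = name
    return result


def mirror_addresses(cm_device_text: str) -> Dict[str, Dict[str, str]]:
    """Map device name -> {mirror-ip: ..., mirror-secondary-ip: ...}."""
    result: Dict[str, Dict[str, str]] = {}
    for kind, name, body in OBJECT_RE.findall(cm_device_text):
        if kind != "cm device":
            continue
        result[name] = {
            key: _ip_only(value)
            for key, value in re.findall(r"^\s*(mirror-ip|mirror-secondary-ip) (\S+)", body, re.M)
        }
    return result


def audit(cm_device_text: str, net_self_text: str) -> List[str]:
    """Return one finding per mirror address that is a floating self IP."""
    floating = floating_self_ips(net_self_text)
    findings: List[str] = []
    for device, mirrors in mirror_addresses(cm_device_text).items():
        for key, value in mirrors.items():
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue            # an unset mirror address prints as "any6"; skip it
            if value in floating:
                findings.append(f"{device} {key} {value} is the floating self IP {floating[value]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CM_DEVICE, SAMPLE_NET_SELF):
        print(finding)
```

Because tmsh accepts the floating address without complaint, this check belongs in whatever pre-change or post-change validation you already run against saved configuration, alongside a look at the GUI, which shows the mirroring addresses as "None" when this has happened.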
596569-3 : Memory leak on Central device in Symmetric deployment
Component: WebAccelerator
Symptoms:
When AAM is provisioned and symmetric configuration is deployed, a central unit will suffer a memory leak.
Conditions:
AAM is provisioned and a symmetric deployment is used.
Impact:
Due to memory leak BIG-IP will run out of memory and won't be able to properly serve new requests.
596278 : ILX workspace created by iApp made from template not deleted when iApp deleted
Component: Local Traffic Manager
Symptoms:
Any ILX workspace created by an iApp from a template (and possibly otherwise) remains even after the iApp is deleted.
You can check for them under tmsh's ltm/ilx/workspace, on the file system in /var/ilx/workspaces, or in the GUI at Local Traffic :: iRules : LX Workspace.
Conditions:
This occurs when using iApps which create ILX workspaces.
Impact:
Configuration which was supposed to be deleted stays on the box.
Workaround:
Delete the left over workspace manually.
596020-3 : Devices in a device-group may report out-of-sync after one of the devices is rebooted
Component: TMOS
Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.
As a result of this issue, you may encounter the following symptoms:
- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.
Conditions:
This issue occurs when all of the following conditions are met:
- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On one device (the config-sync originator), you modify the configuration, causing the devices to become out of sync.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.
Impact:
After the reboot, the devices report out-of-sync.
Note: This issue is purely cosmetic; no configuration is lost as result of this issue.
Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.
Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.
595921-1 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
Component: Local Traffic Manager
Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.
Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.
Workaround:
Use a Self IP address on the VLAN group.
595868-1 : HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.
Component: TMOS
Symptoms:
HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. Tmm cores with the following error message in /var/log/ltm: notice panic: hsb interface 2 DMA lockup on transmitter failure.
Conditions:
It is not known what triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
595617-1 : Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.
Solution Article: K40420553
Component: TMOS
Symptoms:
When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.
Conditions:
- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1.
- A user modifies ipsec-tunnel-profile. Namely found here:
-- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'.
-- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.
Impact:
A traffic outage on one tunnel when the remote IPsec peer generally plays the role of Initiator. The remote system will not attempt to establish a new tunnel because it believes that a valid SA still exists.
Workaround:
Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, then restarting tmipsecd can be employed, however this will cause all IPsec tunnels to restart.
594547 : LTM policy TCP address selector offers only the condition 'match any of'
Component: Local Traffic Manager
Symptoms:
In the GUI, you can create a condition on a TCP address where a list of specified addresses are considered for a match. But the negated condition (i.e., 'do not match any of') is not available.
Conditions:
Using the GUI, attempt to create an LTM policy condition that checks for addresses that do not match the specified list.
Impact:
Cannot use the GUI to specify conditions in a policy where the TCP address does-not-match a list of specified addresses.
Workaround:
Use tmsh to create or modify a policy to negate a condition on TCP addresses, for example, in tmsh construct a command similar to the following:
modify ltm policy my_policy rules modify { my_rule { conditions replace-all-with { 0 { tcp address not matches values { 10.10.4.0/0 } } } } }
594228-2 : Resetting mgmt interface statistics doesn't work on VE or VCMP
Component: TMOS
Symptoms:
$ tmsh reset-stats net interface mgmt
Doesn't reset mgmt interface statistics.
Conditions:
Only on VE or VCMP
Impact:
You cannot reset the management interface statistics, but this has no impact elsewhere in the system.
593845-3 : VE interface limit
Solution Article: K24093205
Component: TMOS
Symptoms:
TMM fails to bootup successfully.
Conditions:
More than 10 interfaces assigned to Virtual Edition (VE).
Impact:
BIG-IP fails to pass traffic as TMM fails to load successfully.
Workaround:
Make sure VE is assigned 10 or fewer interfaces.
593536-10 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
Solution Article: K64445052
Component: TMOS
Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.
Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.
Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.
Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.
Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.
593396-1 : Stateless virtual servers may not work correctly with route pools or ECMP routes
Component: Local Traffic Manager
Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.
Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.
Impact:
Traffic might be dropped.
Workaround:
Use other virtual server types to process this traffic.
593361-1 : Inner packet with a dummy MAC address is treated as malformed for NSH over VXLAN-GPE.
Component: TMOS
Symptoms:
The target platform's VXLAN-GPE/NSH implementation must be kept up to date with the draft specification and tested against other open-source and commercial implementations before it can be considered stable. If the sender is not running a stable, production implementation, as in this case, it can emit inner packets carrying a dummy MAC address that BIG-IP does not recognize.
Conditions:
Target platforms whose VXLAN-GPE implementation is unstable or untested.
Impact:
BIG-IP drops the packets because it does not recognize the inner packet's MAC address.
Workaround:
Ensure the target platform runs a stable, tested, production-quality implementation of VXLAN-GPE and NSH.
592819-2 : Enabling of whitelists on a protected object requires disabling DoS protection support in hardware
Component: Advanced Firewall Manager
Symptoms:
On certain platforms, DDoS protection support in hardware prevents configuration of a whitelist for a protected object.
Conditions:
-- Configuration of a whitelist on a protected object.
-- Hardware acceleration is configured on 5xxx/7xxx/10xxx/12xxx appliances, and all blades other than B2250/B4450.
Impact:
Cannot configure whitelist on a protected object.
Workaround:
Disable hardware support for DDoS protection from the command line using the following command:
modify sys db dos.forceswdos value true.
Note: Disabling DDoS hardware support might impact the performance of the device because then, all DDoS protection mechanisms are managed in software.
592620-1 : iRule validation does not catch incorrect 'after' syntax
Component: Local Traffic Manager
Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.
Conditions:
iRule with incorrect 'after' syntax. For example "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen)
Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.
Workaround:
Correct the syntax error.
592591-2 : Deleting/Modifying access profile prompts for apply access policy for other untouched access profiles
Component: Access Policy Manager
Symptoms:
After deleting/modifying an access profile, the 'Apply Access Policy' link appears, and the status flags for other, untouched access profiles turn yellow. Also, there are APM log messages indicating that the configurations for those untouched access profile have been changed.
Conditions:
1. In the Admin UI, make a copy of an access policy that contains macros.
2. Delete or modify the copied version of the access policy.
Impact:
The system posts the 'Apply Access Policy' link, and the status flag for the copy becomes yellow.
Note: There is no change to the access profiles that are affected by the deletion or modification. You can click 'Apply Access Policy' to make the link disappear.
Workaround:
None.
592211-1 : CPU stress on BIG-IP should also take into account the packets dropped by hardware.
Component: Advanced Firewall Manager
Symptoms:
The rate limit is directly proportional to the CPU stress seen by the BIG-IP system. When the system is under stress (CPU is high), DoS rate-limits traffic in hardware (HW). Once HW drops packets, the system's CPU load comes down, so DoS stops rate-limiting. This behavior can cause the DoS rate-limit state to toggle.
Conditions:
-- DoS in HW starts rate-limit in HW.
-- DoS has autodos enabled.
Impact:
The BIG-IP system may rate-limit packets one second, allow them the next, and start rate-limiting again the second after that, and so on, so the DoS vector mitigation state toggles.
Workaround:
Disable autodosd for that vector.
591505-1 : Policy may become unsyncable after changing contexts
Component: Advanced Firewall Manager
Symptoms:
This is a known issue caused by the internal framework in MCPD, which marks configurable objects as either synced or non-synced. If the user applies the policy to a non-syncing context (a non-floating self IP), that policy is no longer synced across HA devices.
Conditions:
A configuration with a standalone firewall policy applied to both synced and non-synced contexts.
Impact:
A policy that is assigned to an otherwise non-syncing context (for example, a non-floating self IP) is no longer synced, even if it is later attached to a syncing object.
Workaround:
Create a "local" policy for non-floating self IPs only.
591305-4 : Audit log messages with "user unknown" appear on install
Component: TMOS
Symptoms:
Multiple log entries in /var/log/audit similar to
May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]
Conditions:
This happens on initial install, it is not yet known what triggers it.
Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.
591113-2 : CSRF injection leading to blank page
Solution Article: K45901635
Component: Application Security Manager
Symptoms:
When CSRF JS is injected, a blank page is seen.
Conditions:
-- When CSRF JS is injected.
-- The page has many iframes whose sources carry query parameters.
Impact:
Viewing the site causes some pages to show up blank.
Workaround:
Bypass or disable ASM for the following URL: /apps/consumer/ITS/its_Lite/UpperFrame_Lite.jsp.
This can be done using LTM policy rules or an iRule such as the following (the original `$uri` variable was never set; the request URI is read with [HTTP::uri]):
when HTTP_REQUEST {
    ASM::enable
    if { [HTTP::uri] contains "<affected url>" } {
        ASM::disable
    }
}
591060-1 : APMD high CPU utilization
Component: Access Policy Manager
Symptoms:
APMD is running at unexpectedly high CPU.
Conditions:
This occurs when both of the following conditions are met:
-- The connection between APMD and MCPD is lost due to MCPD restart.
-- APMD keeps reading from the stale socket.
Impact:
-- High CPU utilization.
-- Configuration cannot be pushed to APMD after MCPD restarts.
Workaround:
None.
590851-4 : "never log" IPs are still reported to AVR
Component: Application Security Manager
Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag
Conditions:
Always
Impact:
Extra, unwanted logging for IP addresses flagged as "never log"
Workaround:
N/A
590156-3 : Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
Component: Local Traffic Manager
Symptoms:
APM connections failing when mac masquerade is in use and source-port preserve-strict is enabled on the APM virtual server.
Conditions:
The traffic-group has mac-masquerade configured and source-port preserve-strict is in use on the APM virtual server
Impact:
Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
Workaround:
Disable either mac-masquerade or source-port preserve-strict (or both)
589856-2 : IControl REST : possible to get duplicate transaction IDs when transactions are created by multiple clients
Component: TMOS
Symptoms:
When two iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction ID, which results in unexpected errors and transaction issues.
Conditions:
-- Two iControl REST clients using the same username.
-- Requests to create transactions, either simultaneously or in quick sequence.
Impact:
Transaction semantics are not followed, and unintended errors may occur.
Workaround:
None.
589606-2 : CSRF enabled within an iframe request causes unpredictable behavior on a website.
Component: Application Security Manager
Symptoms:
The CSRF script changes the frame/iframe source attribute. When it does, the browser issues another request, so two requests are sent for each frame on a page: the original request when the frame is loaded, and a second one when the CSRF script changes the frame's source attribute.
Conditions:
Enable ASM CSRF
Request a page with an iframe or frameset
Impact:
Viewing the site causes some pages to show up blank.
Workaround:
Bypassing or disabling ASM for the URL appears to fix the issue.
589367-2 : Some Edge Client's German translations are incorrect
Component: Access Policy Manager
Symptoms:
Some Edge Client's German translations are incorrect.
Conditions:
APM end-user's system using German locale.
Impact:
Conversion results in confusing text.
Workaround:
None.
588646-1 : Use of standard access list remarks in imish may cause later entries to fail on add
Component: TMOS
Symptoms:
The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load.
Conditions:
Create a standard access list with a remark.
Add another entry to the same list to permit or deny an IP address or range.
Impact:
The ACL does not load and error is returned.
Workaround:
Do not use remarks in standard access lists, or use an access list in the extended or named ranges.
588626 : Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).
Component: Application Visibility and Reporting
Symptoms:
While configuring an alert for Maximum TPS on an Analytics profile, you get an error: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member)
Conditions:
This occurs when attempting to add an Analytics alert that triggers on Max TPS, and the alert is configured to run against a pool member or an application (the default is Virtual Server, not pool member or application).
Impact:
You cannot configure Max TPS alerts at the pool member level. The GUI appears to allow you to do this, but validation rules will prevent you from adding the alert.
The full list of alerts that cannot be configured at the pool or application level include all rules with the word Maximum in them:
- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput
588229-1 : DNS protocol default profiles can be deleted after being modified.
Component: Global Traffic Manager (DNS)
Symptoms:
A protocol default profile can be deleted in some cases.
Conditions:
The protocol default profile is not a parent to any other profile and has been modified.
Impact:
Default protocol profile can be deleted. If a default profile has been deleted, the config might get into an invalid state, and a config reload might be necessary.
Workaround:
Do not attempt to delete a protocol default profile.
588028-1 : Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up
Component: TMOS
Symptoms:
If the LCD visible alerts are cleared using the LCD menu while the Host is down, then when the host is brought back up the LCD will re-display any alerts that were generated after the host went down.
Alerts generated after the Host goes down are persistent; when the host comes up, it harvests those alerts and re-displays them on the LCD. The alarm LED may also be re-initialized to an unexpected state.
Conditions:
Alerts generated while the host is down and alerts are cleared using the LCD menu interface.
Impact:
Alerts are re-displayed on the LCD when the host comes back up. And the alarm LED may indicate an alarm that was thought previously cleared.
Workaround:
Do not clear the alerts from the LCD interface while the host is down.
587821-5 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
Component: TMOS
Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.
In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.
Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.
Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.
Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.
Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
587804-1 : Symmetric Unit Key decrypt failure on base load
Component: TMOS
Symptoms:
On initial boot of VIPRION blade, before the blade is licensed, you may see the following error message in /var/log/ltm:
err mcpd[5015]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Conditions:
It is not yet known what the conditions are that trigger this error.
Impact:
This occurs on initial boot of the VIPRION blade, prior to licensing the device. After licensing, this error does not occur.
Workaround:
None. If this error is reported on first boot, but can otherwise be licensed, it can be safely ignored. If this occurred after loading a ucs file, see SOL13132: Backing up and restoring BIG-IP configuration files at https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13132.html for more information on this error.
586862-1 : Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.
Solution Article: K30859144
Component: Local Traffic Manager
Symptoms:
Tcl expression evaluations (outside of an iRule) can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. A couple of examples where Tcl expressions are evaluated outside the context of an iRule include the tcl-setvar action of LTM Policy and the Request Header Insert feature of the HTTP profile.
Conditions:
Issue has been found on a virtual server with both an attached iRule and LTM Policy. The iRule calls TCP::collect when connection is accepted, and calls TCP::release at the CLIENT_DATA event. The LTM Policy has a single action to set a tcl set-variable expression.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
586660-1 : HTTP/2 and RAM Cache are not compatible.
Component: Local Traffic Manager
Symptoms:
A virtual server fails some requests where the response is served from cache.
Conditions:
This might occur in any of the following circumstances:
1.
-- The virtual server has either SPDY or HTTP/2 enabled.
-- Requests would normally be served from RAM Cache.
2.
-- An HTTP virtual server has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event.
-- Tcl commands attempt to access the response headers.
3.
-- Certain filters and plugins require access to the response headers.
Impact:
Errors in certain Tcl commands or failed requests. These correlate to Conditions as follows:
1. If a virtual server has either SPDY or HTTP/2 enabled, it might fail requests that would normally be served from RAM cache.
2. An HTTP virtual server that has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event might give errors to Tcl commands that attempt to access the response headers.
3. Certain filters and plugins that require access to the response headers might also fail in unexpected ways.
Workaround:
Disable RAM Cache via an iRule whenever HTTP/2 is active on the connection:
when HTTP_REQUEST {
    if {[HTTP2::active]} {
        CACHE::disable
    }
}
586348-1 : Network Map Pool Member Parent Node Name display and Pool Member hyperlink
Component: TMOS
Symptoms:
The Network Map does not display the correct node name, and the pool member hyperlink opens an incorrect pool member.
Conditions:
Create a pool and pool member from an FQDN node. Add that pool to a virtual server. On the Network Map page, the pool member entry does not show the FQDN, making it hard to tell which pool member it is. Clicking the pool member hyperlink takes you to the incorrect pool member.
Impact:
This causes confusion because the pool members are difficult to identify without the FQDN and the link takes you to the incorrect pool member.
586138-1 : Inconsistent display of route-domain information in administrative partitions.
Solution Article: K84112154
Component: Local Traffic Manager
Symptoms:
When an IP address is displayed in the GUI and in tmsh, there are inconsistencies in how the route domain of the address is shown. This occurs for virtual servers and pool members.
Conditions:
IP addresses configured for virtual servers and pool members outside the default route domain of the administrative partition.
Impact:
Although this is only a cosmetic issue, there might be confusion associated with the display inconsistencies.
Workaround:
None.
585248-1 : Resetting crypto client statistics can crash TMM and disrupt traffic handling.
Component: Local Traffic Manager
Symptoms:
TMM crashes when the statistics of a crypto client are reset while the External Crypto Offload feature is not licensed and the client is configured with an unreachable crypto server. The command to reset the statistics of a crypto client is:
tmsh reset-stats sys crypto client [<client name>]
Conditions:
With a crypto client configured to target an invalid or unreachable crypto server, and the External Crypto Offload (ECO) feature not licensed, reset the statistics of the crypto client.
Impact:
Traffic is temporarily disrupted while TMM restarts.
Workaround:
Ensure the External Crypto Offload feature is licensed and/or target a valid crypto server when creating the crypto client.
584948-5 : Safenet HSM integration failing after it completes.
Component: Local Traffic Manager
Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:
denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.
Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.
The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly inserted secondary blade) and csyncd together set the wrong SELinux context on those symlinks when installing to the secondary blade (note the tcontext of default_t in the denial above), which causes the Safenet HSM integration to fail after it completes, until the user corrects the contexts.
Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.
Workaround:
Use chcon (and chcon -h for symlinks, so the link itself rather than its target is relabeled) to fix the SELinux file contexts. The --reference option can point at any correctly labeled file in the same directory to do this quickly.
For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so
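The single chcon command above fixes one symlink. The following added example (written for this page; it is not F5's safenet-sync.sh or any other F5 script) generalizes it to every symlink in the library directory: it picks a regular, non-symlink file in the same directory as the --reference label, prints the exact chcon -h command it would run for each symlink, and runs it unless a dry-run flag is set. The directory path is the one named in the Conditions; the sample files used in the test are constructed.

```sh
#!/bin/sh
# Added example, not an F5 script. Relabel every symlink in DIR with the
# SELinux context of a regular file in the same directory (the --reference
# file), mirroring the manual "chcon -h --reference=..." workaround.

# fix_symlink_contexts DIR [DRY_RUN]
# Prints "chcon -h --reference=<ref> <link>" for each symlink in DIR and
# executes it unless DRY_RUN is "1". Returns 1 if no reference file exists
# or a chcon call fails.
fix_symlink_contexts() {
    dir=$1
    dry_run=${2:-0}
    ref=
    # The reference must be a regular file that is NOT itself a symlink,
    # otherwise we would copy the very label we are trying to fix.
    for f in "$dir"/*; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            ref=$f
            break
        fi
    done
    if [ -z "$ref" ]; then
        echo "no regular file to use as --reference in $dir" >&2
        return 1
    fi
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        echo "chcon -h --reference=$ref $link"
        if [ "$dry_run" != "1" ]; then
            chcon -h --reference="$ref" "$link" || return 1
        fi
    done
    return 0
}

# count_symlinks DIR : number of symlinks directly inside DIR, a quick
# sanity check that the directory really matches the Conditions above.
count_symlinks() {
    n=0
    for f in "$1"/*; do
        [ -L "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage on the secondary blade (review with DRY_RUN=1 first):
#   fix_symlink_contexts /shared/safenet/lunasa/lib 1
#   fix_symlink_contexts /shared/safenet/lunasa/lib
```

Run it in dry-run mode first and compare the printed commands with the audit.log denial; then confirm with ls -Z that the symlinks now carry the same context as the reference library before failing over to the secondary blade.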
584788-1 : Directed failover of HA pair using only hardwire failover will fail
Component: TMOS
Symptoms:
Units configured in an HA pair using only hardwired failover are not able to use a targeted failover.
Conditions:
HA pair configured without network failover but with hardwired failover.
Failover is attempted using one of the following two methods:
Via the GUI:
  Device Management -> Traffic Groups
  check <traffic group>
  click "force to standby"
  again click "force to standby"
Via tmsh:
  tmsh run sys failover standby device <peer device> traffic-group <traffic group name>
Impact:
Failover may fail with the following logs in /var/log/ltm
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.
Workaround:
Use an alternative failover method:
- Device Management > Devices > Force to Standby
- Device Management > Traffic Groups > [traffic Group name] > Force to Standby
- tmsh run sys failover standby # without device
584772 : ssldump may crash when decrypting bad records
Component: Local Traffic Manager
Symptoms:
ssldump crashes while decrypting.
Conditions:
Using ssldump to decrypt SSL which contains bad records.
Impact:
ssldump crashes making it difficult to decrypt SSL data.
584716-1 : SAML XML Canonicalization on BIG-IP as IdP may return invalid value if AuthnRequest is formed in a special way
Component: Access Policy Manager
Symptoms:
Signature validation fails on BIG-IP as IdP when the AuthnRequest from an external SP is signed and contains a newline/linefeed character after the '</Signature>' element.
Conditions:
- BIG-IP is used as IdP
- External SP signs AuthnRequests
- Signed AuthnRequest contains newline/linefeed character after '</Signature>' element
Impact:
WebSSO will fail
Workaround:
None.
584504-2 : Allowing non-English characters on login screen
Solution Article: K36912228
Component: TMOS
Symptoms:
Passwords can be set to contain non-English characters, but logging in with such a password fails.
Conditions:
Passwords contain non-English characters.
Impact:
Users entering these characters on the login screen are unable to log in.
Workaround:
Make sure passwords contain only English characters.
584414 : Deleting persistence-records via tmsh may result in persistence being created to different nodes
Component: Local Traffic Manager
Symptoms:
After persistence records are deleted, a connection may end up with persistence records pointing to two different nodes, breaking persistence.
Conditions:
Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing).
Impact:
Client fails to persist to a particular node.
Workaround:
Avoid removing persistence records from tmsh; use an iRule to remove persistence records instead.
583777-5 : [TMSH] sys crypto cert missing tab completion function
Solution Article: K33230520
Component: TMOS
Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the name of the certificate you want to operate on.
Conditions:
This occurs in tmsh:
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
all | <------------ nothing shows up.
Impact:
Not possible to select a certificate using tab complete.
Workaround:
Manually type the certificate name.
583101-2 : ADAPT::result bypass after continue causes bad state transition
Component: Service Provider
Symptoms:
Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue.
Conditions:
An iRule on a virtual server with an adapt profile contains:
when ADAPT_REQUEST_RESULT {
    ADAPT::result bypass
}
or
when ADAPT_RESPONSE_RESULT {
    ADAPT::result bypass
}
Impact:
ADAPT logs an unexpected state transition and resets the connection, making it impossible for iRules to replace the ICAP response.
Workaround:
Avoid 'ADAPT::result bypass' commands in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).
583084-5 : iControl produces 404 error while creating records successfully
Solution Article: K15101680
Component: TMOS
Symptoms:
iControl produces an HTTP 404 - Not Found error message while creating the BIG-IP DNS topology record successfully.
Conditions:
Creating GTM topology record without using full path via iControl.
Impact:
Resulting code/information is not compatible with actual result.
For a POST request, the create command and the list command are formed and executed, and the name in the curl request is compared with the name in the list response to verify that it is the same object. When a create command is executed with a name that is not a fullPath (for example, via iControl), the object is still created with a fullPath. The list therefore returns the name with the fullPath, and the comparison with the non-fullPath name in the request fails because the names do not match.
Workaround:
Use the full path when creating BIG-IP DNS topology records using iControl.
582606-1 : IPv6 downloads stall when NA IPv4&IPv6 is used.
Component: Access Policy Manager
Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.
Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource.
Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.
Workaround:
Disabling large receive offload may work as a mitigation. To do so, run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable
582595-2 : default-node-monitor is reset to none for HA configuration.
Solution Article: K52029952
Component: TMOS
Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.
Conditions:
Scenario #1
Upgrading an HA active/standby configuration and rebooting the standby, where the configuration consists of the following:
* an ltm node with a monitor.
* an ltm default-node-monitor with a different monitor.
Scenario #2
Given an HA active/standby configuration with an ltm default-node-monitor configured, set the device-group sync-leader.
Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.
Workaround:
Reconfigure a default-node-monitor.
582440-4 : Linux client does not restore route to the default GW on Ubuntu 15.10
Component: Access Policy Manager
Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.
Conditions:
Ubuntu 15.10, network access tunnel connect and then disconnect
Impact:
User will not be able to reach internet after disconnecting from network access.
Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging the cable and plugging it in again should solve the problem.
582331-1 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
582234-6 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
Component: Local Traffic Manager
Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it
Impact:
Monitoring does not resume when pool member is re-enabled via config merge.
Workaround:
You can re-enable monitoring by running the following commands:
tmsh save sys config
tmsh load sys config
582127-1 : VE OVA logrotate max-file-size too big for /var/log partition size
Solution Article: K55138704
Component: TMOS
Symptoms:
Virtual Edition (VE) OVA logrotate max-file-size is too big for the /var/log partition size.
Conditions:
This occurs on 11.5.0 and later, where the /var/log partition size was reduced from 6 GB to 500 MB to better manage disk space.
This can also happen on a Micro instance running a version in which the issue is fixed.
Impact:
The BIG-IP VE system runs out of disk space due to increased logging. In this instance, logrotate should run and potentially free up space by rotating and compressing the actively written logs. With the current setting for max-file-size, however, that cannot happen, thus leading to increased likelihood of running out of space in /var/log.
Workaround:
You can extend the disk space for logs by performing the following procedure. (From K14952: Extending disk space on BIG-IP Virtual Edition, available here: https://support.f5.com/csp/article/K14952#proc3.)
Impact of procedure: You need to shut down the BIG-IP VE system during the disk provisioning steps, and the system will not be available for traffic processing. You should perform this procedure during a suitable maintenance window. Increasing the disk size on the VE system is irreversible, since F5 does not support disk shrinking.
1. Log in to the command line on the BIG-IP VE system.
2. Shut down the system by typing the following command:
shutdown -h now
3. Provision the desired disk space for the VE system on the hypervisor. For information about disk provisioning on the hypervisor, refer to the documentation from your hypervisor vendor.
4. Start up the BIG-IP VE guest instance on your hypervisor. For information about starting a guest instance on the hypervisor, refer to the documentation from your hypervisor vendor.
5. When the BIG-IP VE system is up, log in to the command line on the VE system.
6. Extend the /var/log directory by using the following command syntax:
tmsh modify /sys disk directory /var/log new-size <desired value in KB>
-- For example, to extend the /var/log directory to 10 GB (10 x 1048576 KB), type:
tmsh modify /sys disk directory /var/log new-size 10485760
7. Save the configuration by typing the following command:
tmsh save /sys config
8. Reboot the VE system by typing the following command:
reboot
9. When the BIG-IP VE system is up, log in to the command line on the VE system.
10. Verify that the /var/log directory is successfully extended to the size you specified in step 6 by typing the following command:
tmsh show /sys disk directory
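The following added example (written for this page; not part of F5's K14952 procedure) covers the arithmetic and the check in steps 6 and 10. It reads the output of tmsh show /sys disk directory, compares the current /var/log size against a target given in GB, and prints the exact tmsh modify command with the size already converted to KB. The column layout of SAMPLE_DISK_OUTPUT is constructed from the two columns the procedure refers to (Directory Name, Current Size) and the function names are this example's own; compare the sample against your system's real output before relying on the parser.

```sh
#!/bin/sh
# Added example, not an F5 script. Preflight and verification helper for
# extending /var/log on BIG-IP VE. All sizes are in KB, as tmsh expects.

# Constructed sample of 'tmsh show /sys disk directory' output (KB).
SAMPLE_DISK_OUTPUT='Directory Name                  Current Size    New Size
/config                         3321856         -
/shared                         20971520        -
/var                            3145728         -
/var/log                        3072000         -'

# gb_to_kb GB : integer GB -> KB (1 GB = 1048576 KB, so 10 GB = 10485760).
gb_to_kb() {
    echo $(( $1 * 1048576 ))
}

# dir_size_kb OUTPUT DIR : the Current Size column for DIR, empty if absent.
dir_size_kb() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# extend_cmd DIR GB : the step 6 command, with no trailing punctuation that
# could be pasted into tmsh by mistake.
extend_cmd() {
    echo "tmsh modify /sys disk directory $1 new-size $(gb_to_kb "$2")"
}

# needs_extend OUTPUT DIR GB : exit 0 when DIR is smaller than GB, 1 when it
# already meets the target, 2 when DIR is not listed at all (stop and look
# rather than resizing blindly).
needs_extend() {
    cur=$(dir_size_kb "$1" "$2")
    [ -n "$cur" ] || return 2
    [ "$cur" -lt "$(gb_to_kb "$3")" ]
}

# Usage: on a real system replace SAMPLE_DISK_OUTPUT with
#   "$(tmsh show /sys disk directory)"
# before step 6 (decide) and again after step 9 (verify).
if needs_extend "$SAMPLE_DISK_OUTPUT" /var/log 10; then
    echo "/var/log is $(dir_size_kb "$SAMPLE_DISK_OUTPUT" /var/log) KB; run:"
    extend_cmd /var/log 10
fi
```

After the reboot in step 8, running needs_extend with the live output should return 1 (target met); a return of 2 means the directory did not appear in the listing and the procedure should be re-checked rather than repeated.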
581865-2 : 6900, 8900, 8950, or 11050 platforms missing swap storage★
Solution Article: K11053914
Component: TMOS
Symptoms:
No swap is available; observable via 'cat /proc/swaps'.
Conditions:
A 6900, 8900, 8950, or 11050 platform with RAID LVM, directly upgraded from a pre-10.2.4 version to version 11.x/12.x.
Impact:
No swap space is created during upgrade. Multiple unexpected issues might occur because there is no swap space available.
Workaround:
Newer systems have the swap storage created during initial format. You might also be able to first upgrade to version 10.2.4. Then, when upgrading to version 11.x/12.x, the process creates the swap during upgrade.
581668 : DNS/SIP whitelisted packets not reported
Component: Advanced Firewall Manager
Symptoms:
If a DNS or SIP packet matches the DoS whitelist, the packet is not reported to AVR.
Conditions:
The packet must be a DNS or SIP packet and must match the whitelist.
Impact:
There is no functional impact, but AVR tables will not include the whitelisted packets in their counts.
580499-2 : Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.
Solution Article: K34082034
Component: TMOS
Symptoms:
Configuring an alternate admin user fails on a multi-blade VIPRION chassis and prevents newly added blades from becoming available to process traffic. This occurs when the default admin on the primary is disabled on a chassis with at least two blades. After disabling the default admin on the primary and configuring an alternate, mcpd on the secondary blades goes into a restart loop and posts error messages similar to the following in /var/log/ltm:
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-primary2.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary1.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary2.
err mcpd[26012]: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.
err mcpd[26012]: 01070734:3: Configuration error: Configuration from primary failed validation: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.... failed validation with error 17242343.
In this example, admin-primary1 is the default admin user set in the GUI under System :: Platform :: Admin Account, admin-primary2, admin-secondary1 and admin-secondary2 are other admin users on the device, but they are not configured as the default admin user.
Conditions:
Chassis with multiple blades; alternate primary admin is set on the primary blade.
Impact:
mcpd in a restart loop on secondaries.
Workaround:
There is no workaround that will allow you to use a different primary admin user on BIG-IP software versions affected by this issue. To stop secondary blades from restarting in a loop, issue the following commands on your primary blade, which should be stable at this time:
# tmsh modify sys db systemauth.primaryadminuser value admin
# tmsh save sys config
579652-1 : Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
Component: Access Policy Manager
Symptoms:
When URLs from multiple browser tabs start an access policy, the session is created with the landing URL from the first tab that started the session, not with URL the second tab that continued and finished establishing the access session.
For example, an end user opens browser and sends GET to /first_url resource. Access initiates session, and renders logon page. Then end user opens another tab, and sends GET to /second_url resource. Access returns an error message "Access policy evaluation is already in progress for your current session." with a link to start new session. If the end user selects the "click here", the new session will start with /first_url, and not with /second_url as would be expected.
Conditions:
Using Multidomain SSO, and accessing two different resources before the access policy has been created. This causes the access policy to run from two different landing URLs
Impact:
This may leave BIG-IP as SAML SP unable to establish a session with the IdP. In the case of LTM and APM, the user is always redirected to the URL from the first tab after policy execution finishes.
Workaround:
None.
579252-3 : Traffic can be directed to a less specific virtual during virtual modification
Component: Local Traffic Manager
Symptoms:
Traffic can be directed to a less specific virtual server while a virtual server is being modified. It can also be dropped if there is no less specific virtual server.
Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
}
ltm pool redirect-echo {
    members { 10.125.0.17:7 }
}
ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
}
Impact:
Traffic can be directed to less specific virtual server
Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.
579035-5 : Config sync error when a key with passphrase is converted into FIPS.
Solution Article: K46145454
Component: TMOS
Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.
Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.
Impact:
Config sync will fail.
Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720
578989-5 : Maximum request body size is limited to 25 MB
Component: Access Policy Manager
Symptoms:
When a POST request whose body exceeds 25 MB is sent to an APM virtual server, the request fails.
Conditions:
The POST request body size exceeds 25 MB.
Impact:
The POST request fails. The maximum request body size is limited to 25 MB.
Workaround:
There is no workaround at this time.
577904-1 : When a fips key is deleted, its corresponding public key is not deleted from fips card
Component: Local Traffic Manager
Symptoms:
BIG-IP does not delete the automatically created public key from the FIPS card when a FIPS key is deleted.
Conditions:
When the FIPS key is deleted, the corresponding public key is not deleted from the FIPS card.
Impact:
No functional impact.
Workaround:
None.
575368-5 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
Component: TMOS
Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted indicating that the FIPS keys in the configuration are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.
Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.
Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.
Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.
574318-3 : Unable to resume session when switching to Protected Workspace
Component: Access Policy Manager
Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error
Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace
Impact:
Client browser cannot render the protected workspace
574113-2 : Block All - Session Tracking Status is not persisted across an auto-sync device group
Component: Application Security Manager
Symptoms:
Users, IP addresses, and Sessions that are meant to be blocked due to their traffic patterns, are not being synchronized to the peer device in an auto-sync device group with ASM sync enabled.
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.
Conditions:
1) Devices are in an auto-sync device group with ASM sync enabled.
2) Session Tracking is enabled.
Impact:
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.
Workaround:
Force a full sync to propagate the session tracking information.
572519-1 : More than one header name/value pair not accepted by ACCESS::respond
Component: Access Policy Manager
Symptoms:
An error is seen when ACCESS::respond command is used, for example, in an iRule with multiple header name/value pairs. The error appears similar to the following:
warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected token(s):....
Conditions:
When ACCESS::respond command is used with multiple header name/value pairs.
Impact:
An error is generated when the command is used.
Workaround:
Pass only one header name/value pair per ACCESS::respond call.
572142-2 : Config sync peer may fail to monitor newly added pool member after it is added via sync
Component: Local Traffic Manager
Symptoms:
If a pool member in a sync group is removed and another member added and then synced to the peer, the monitor state on the peer may be erroneous.
Conditions:
2 or more devices in a device group
A pool member is deleted, and another is added, then a full config sync is performed
Impact:
Monitoring does not happen. If the pool member should be marked down by the monitor, it may indicate as being up. You may need to do a system restart to get monitoring to resume properly.
Workaround:
Suggested workaround:
Here’s a way that should avoid any possible downtime:
1. Do the node replacement on box A. Do not sync.
2. Do the node replacement on box B. Do not sync.
3. This will cause a sync conflict, and its resolution will require a full load. This is intentional. Force a sync.
The result of that final sync will be that mcpd sends no changes to the relevant nodes on the receiving device.
571727-1 : 'force-full-load-push' is not tab expandable
Solution Article: K52707821
Component: TMOS
Symptoms:
The 'force-full-load-push' option for 'run cm config-sync' is not tab expandable unless it's the first option given.
Conditions:
This is encountered when trying to use tab complete in tmsh for the 'run cm config-sync' command.
Impact:
The keyword 'force-full-load-push' has to be typed out in full or used as the first option.
Workaround:
Use 'force-full-load-push' as the first option, or type it out in full.
571622-1 : 'Exceeding pool member limit' error with FQDN pool members and non-LTM license
Component: Local Traffic Manager
Symptoms:
When configuring FQDN pool members on a BIG-IP system with a license that does not include the LTM module, an error similar to the following may be logged by mcpd:
01071732:3: Exceeding pool member limit (3). Cannot add pool member to pool:(/Common/pool_name).
Conditions:
This may occur if:
1. The active BIG-IP license does not include the LTM module. Specifically, the active license defines a pool member limit (ltm_lb_pool_member_limit) other than 'unlimited'. This applies to AFM, APM, and ASM licenses.
2. FQDN pool members are configured with 'autopopulate' set to 'enabled'.
Impact:
Under these conditions, the ephemeral FQDN pool members are counted against the pool member limit (ltm_lb_pool_member_limit) defined in the LTM license. Cannot configure FQDN pool members with autopopulate enabled on BIG-IP systems without an LTM license.
Workaround:
There are two workarounds for this issue:
Workaround 1
-----------
1. Configure FQDN pool members with autopopulate disabled.
2. Do not attempt to configure more pool members than are permitted by the active license.
Workaround 2
-----------
Add the LTM module to the license configuration.
571503-1 : Windows Edge client cannot detect local LAN in some cases
Component: Access Policy Manager
Symptoms:
If Edge client is configured in Always Connected mode with option to "Allow Traffic" without VPN, it will continue to establish VPN even when location awareness is configured.
Conditions:
1) Edge client was installed using a package that was created without setting DNS suffix list in connectivity profile
2) DNS suffix list to identify enterprise LAN was set in the connectivity profile after client package was created.
Impact:
Edge client will fail to detect Enterprise LAN and continue to establish VPN even when machine is connected to enterprise LAN.
571333-8 : FastL4 TCP handshake timeout not honored for offloaded flows
Solution Article: K36155089
Component: TMOS
Symptoms:
When a virtual server is configured with a FastL4 profile that enables full acceleration and offload state set to 'embryonic', and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the 'idle timeout' value of the FastL4 profile, but it should be set to the 'tcp handshake timeout' instead.
Conditions:
-- Virtual server is configured with a FastL4 profile that enables full acceleration and offload state of 'embryonic'.
-- A flow is offloaded for hardware acceleration.
Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.
Workaround:
Set the acceleration-offload state to establish. For example:
tmsh modify ltm profile fastl4 fastl4_xyzzy pva-offload-state establish
571017-1 : Extra log messages seen on optics removal.
Component: TMOS
Symptoms:
Following message may appear in /var/log/ltm when optics are removed:
soc_phy_i2c_read_devtype - eeprom soc_phy_i2c_read_bytes failed port(28)
Conditions:
Optics removal.
Impact:
This is a cosmetic message and does not indicate a problem with the system.
Workaround:
None needed.
570845-3 : Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy
Solution Article: K00334323
Component: TMOS
Symptoms:
The configuration infrastructure currently allows the invalid 'None' option to be configured on an IPsec IKE peer for phase 1 Perfect Forward Secrecy. Although the ability to offer the 'None' option is itself incorrect behavior that occurs only in specific browsers, the configuration infrastructure should check more strictly and reject an invalid 'None' option for configured IKE peers.
Conditions:
The ability to configure an IKE peer with an invalid 'None' option for Perfect Forward Secrecy occurs on Internet Explorer and Safari browsers, and the configuration infrastructure does not reject this invalid configuration for these cases.
Impact:
The racoon daemon will fail to start and all IPsec tunnels may fail to work. The racoon.log file may contain messages like:
INFO: Reading configuration from "/etc/racoon/racoon.conf"
ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
ERROR: fatal parse failure (1 errors)
ERROR: failed to parse configuration file.
Workaround:
Don't configure the 'None' option for Perfect Forward Secrecy in the IKE peer configuration section.
570013 : TCP Analytics Profile section in virtual server UI has erroneous caption
Component: TMOS
Symptoms:
In TMUI, under Local Traffic :: Virtual Servers :: Create (Advanced), the TCP Analytics profile section has an erroneous caption that refers to the HTTP Analytics profile.
Conditions:
This occurs when creating a TCP Analytics profile in the GUI when AVR is not provisioned.
Impact:
The screen posts a warning similar to the following: Warning: The Application Visibility and Reporting (AVR) module is not provisioned. Assigning an HTTP Analytics profile is not recommended.
However, it should be TCP Analytics profile.
Workaround:
None. The message is accurate in that AVR is not provisioned; it should, however, reference the TCP Analytics profile rather than the HTTP Analytics profile.
569968 : snmpd core during startup
Component: TMOS
Symptoms:
sod reanimates (with core dump) snmpd due to heartbeat timeout during BIG-IP system startup and configuration load.
Conditions:
During startup and configuration load, snmpd sometimes blocks while waiting for certain system resources to become available. If snmpd blocks longer than its configured heartbeat timeout, sod reanimates it (with a core dump).
Impact:
Only impact is the generation of a core file.
Workaround:
Increase the snmpd heartbeat timeout to 300 seconds or more.
The 11.5.1 default timeout of 60 seconds might be too short for certain platforms and configurations. The default timeout for later releases is 300 seconds.
569859-2 : Password policy enforcement for root user when mcpd is not available
Component: TMOS
Symptoms:
When the mcpd configuration database is not available, the password policy is not enforced when the root password is changed with the command-line 'passwd' utility.
Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.
Impact:
Root password may be set to a string that does not comply with the current password policy.
Workaround:
None.
569331-1 : Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP
Component: TMOS
Symptoms:
Traffic will not pass to virtual servers of a traffic group
Conditions:
BIG-IP AWS
High Availability
AWS network outage
Impact:
Some virtual addresses end up associated with the standby BIG-IP; traffic will not pass to their virtual servers.
Workaround:
If the desired BIG-IP is standby, failover to the BIG-IP.
If the desired BIG-IP is already active, failover from this BIG-IP and then failover back to this BIG-IP.
569281-6 : L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot
Solution Article: K33242855
Component: TMOS
Symptoms:
Several 'kernel: BUG: soft lockup' messages from the kernel, followed by an eventual blade reboot.
Conditions:
-- Using vCMP.
-- Network to which the BIG-IP management port is connected has a Layer 2 loop.
Impact:
The BIG-IP system is unusable and eventually reboots.
Workaround:
Avoid L2 loops in the network to which the BIG-IP management port is connected.
568458 : DoS vectors must be enabled in both DoS Profile and Device Configuration
Component: Advanced Firewall Manager
Symptoms:
For a DoS vector in a DoS Profile to detect an attack, you must also enable that same vector in the DoS Device Configuration.
Conditions:
DoS vector configured at the per-virtual server level, but not at the device level.
Impact:
Might result in false negatives.
Workaround:
You can use the following workaround:
1. Enable the vector in Security : DoS Protection : DoS Profiles.
To do so, click Network Protection, click Enabled, and enable the DoS Vector for the DoS Profile.
2. Enable the vector in the Device Configuration.
To do so, go to Security : DoS Protection : Device Configuration, select the vector, and then configure the vector either manually or with the auto-configuration option.
567513-4 : Erroneous syncookie flag in HSB return descriptor causes the BIG-IP system to pass through the ACK packets after the session is closed.
Component: Performance
Symptoms:
In rare situations, a packet with ACK flag arriving shortly after the FIN packet is received on a flow might be marked by FPGA to be a valid syncookie response. The BIG-IP system creates a new connection for the ACK packet and passes the packet to the server side, causing a double transaction on the server.
Conditions:
This occurs in the unlikely event of an ACK packet accidentally matching the hardware syncookie.
Impact:
Confusion on the client/server and a double transaction on the server side.
Workaround:
None.
567503-1 : ACCESS:session remove can result in confusing ERR_NOT_FOUND logs
Solution Article: K03293396
Component: Access Policy Manager
Symptoms:
When using the iRule command ACCESS::session remove, ERR_NOT_FOUND messages may appear in /var/log/apm. These are not real errors: ACCESS is trying to insert a session variable but cannot find the session, because the iRule has already deleted it.
The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.
Conditions:
An iRule using the command ACCESS:session remove, and the end-user does a POST.
Impact:
No functional impact, the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.
Workaround:
None.
567490-2 : db.proxy.__iter__ value is overwritten if it's manually set
Component: TMOS
Symptoms:
When setting the "BIND Forwarder Server List" on the "Configuration : Device : DNS" page, the system stores the values in the sysdb variable db.proxy.__iter__. When changing the value using tmsh or iControl, the db.proxy.__iter__ value is overwritten when subsequently viewing the value in the GUI.
Conditions:
When setting these values in sysdb via tmsh or REST, the values are set, but then upon re-visiting Configuration : Device : DNS in the GUI, the values in the sysdb variable are reset to their former values.
Impact:
BIND Forwarder Server List values do not persist.
Workaround:
Use the GUI to change the BIND Forwarder Server List values.
565755 : Dashboard does not work when custom port is used for management port.
Component: TMOS
Symptoms:
BIG-IP v12.0.0 introduced the ability to change the management port, but the dashboard was not changed to support that. Dashboard does not work when a port is used for management port other than the default port 443.
Conditions:
Using the dashboard when the management address is configured to use a port other than port 443.
Impact:
The dashboard reports a connection error and asks you to log back in.
Workaround:
None.
564634-5 : Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool
Component: Local Traffic Manager
Symptoms:
Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool.
Conditions:
Remove a monitor from a pool using tmsh edit commands.
Impact:
bigd still monitors the pool.
Workaround:
None.
564431-3 : Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail
Component: Policy Enforcement Manager
Symptoms:
Only the subscriber lines that are terminated with an EOL and occur before the unterminated line are loaded; the load then fails.
Conditions:
At least one line in the static subscriber file is not terminated with an EOL character.
Impact:
Support staff have difficulty diagnosing the root cause of the failure when importing a subscriber file.
Workaround:
Save the file in Unix format, which appends an EOL character to each line.
While editing the file, make sure every line is terminated with an EOL character.
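The following Python script is an added example, not F5 code, that pre-checks a static subscriber file before you import it: it reports every line whose terminator is not a bare Unix LF (DOS CRLF, a lone CR, or a final line with no terminator at all) and rewrites the file in Unix format. The record layout in the constructed sample is hypothetical; the check only relies on the EOL requirement stated above.

```python
import re

# Added example, not F5 code: a pre-import check for a PEM static subscriber
# file. The record layout in SAMPLE is constructed for illustration; the only
# property the check relies on is that every line must end in a Unix EOL.

EOL_RE = re.compile(rb"\r\n|\r|\n")


def unterminated_lines(data: bytes) -> list:
    """Return the 1-based numbers of lines that do not end in a bare LF.

    CRLF (DOS) and lone CR (old Mac) endings are reported, as is a final
    line with no terminator at all, since none of them is the Unix EOL the
    loader expects.
    """
    bad = []
    line_no = 0
    pos = 0
    for m in EOL_RE.finditer(data):
        line_no += 1
        if m.group(0) != b"\n":
            bad.append(line_no)
        pos = m.end()
    if pos < len(data):            # trailing record with no terminator
        bad.append(line_no + 1)
    return bad


def normalize_to_unix(data: bytes) -> bytes:
    """Rewrite every line ending as LF and terminate the last line."""
    out = EOL_RE.sub(b"\n", data)
    if out and not out.endswith(b"\n"):
        out += b"\n"
    return out


# Constructed sample: line 2 is DOS-terminated, line 3 has no EOL at all.
SAMPLE = (b"sub-0001,10.0.0.1,policy_a\n"
          b"sub-0002,10.0.0.2,policy_b\r\n"
          b"sub-0003,10.0.0.3,policy_c")

if __name__ == "__main__":
    print("unterminated lines:", unterminated_lines(SAMPLE))      # [2, 3]
    fixed = normalize_to_unix(SAMPLE)
    print("after normalize:", unterminated_lines(fixed))          # []
```

Run it against the real file by reading it in binary mode (text mode would silently translate CRLF and hide the problem) and write normalize_to_unix() output back only after reviewing the reported line numbers.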
563651-2 : Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.★
Component: Access Policy Manager
Symptoms:
Web application does not work/works intermittently via Portal Access after upgrading the BIG-IP system to any new software version.
Conditions:
-- Web application via Portal Access.
-- Using any modern browser, for example Google Chrome, Mozilla Firefox, Safari, Microsoft Internet Explorer 11 (IE11), or Microsoft Edge.
-- Upgrading BIG-IP software.
-- Web Application uses HTML5 features Local Storage or Session Storage.
Impact:
Various unexpected behaviors. For example, a custom intranet application link might experience intermittent failures through rewrite. This occurs because Portal Access does not support Storage areas (localStorage, sessionStorage). This might impact web-applications with content previously populated in Storage areas.
Workaround:
Possible workaround:
-- Clear browser 'cookies and website data' or 'offline data' manually after upgrading (options to use depend on which browser you are using).
560601-1 : HTML5 File API and MediaSource URLs are blocked in Portal Access
Component: Access Policy Manager
Symptoms:
Web Application is not working and a message similar to following is logged to the developer tools console in the browser:
"Refused to load media from 'blob:https://...' because it violates the following Content Security Policy directive: ..."
Conditions:
This occurs on web applications that are using the HTML5 file API
Impact:
Applications with usage of HTML5 File API could stop working when accessed via APM Portal Access.
Workaround:
when HTTP_RESPONSE_RELEASE {
    # Widen the CSP source list so blob:, mediasource: and mediastream: URLs
    # are allowed wherever the origin policy already allows data: URLs.
    # Note: string map only rewrites a policy that already contains "data:";
    # a policy without it is returned unchanged.
    if { [HTTP::header exists Content-Security-Policy] } {
        HTTP::header replace Content-Security-Policy \
            [string map {"data:" "data: blob: mediasource: mediastream:"} [HTTP::header Content-Security-Policy]]
    }
}
559402-4 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form
Component: Access Policy Manager
Symptoms:
Client-initiated form-based SSO fails when the username and password are not replaced correctly in the POST request. Client-initiated form-based SSO and the browser URL-encode special characters in the username/password differently, and the case-sensitive comparison fails to find a match between the two encoded values. The SSO module therefore adds the username and password to the token again, so the password attribute/value pair appears twice, once with the f5-sso-token and once with the real password, and the logon fails.
Conditions:
When the password contains special characters such as [ or ].
Impact:
SSO fails because the password attribute/value pair appears twice, with both the f5-sso-token and the real password.
Workaround:
No workaround
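The following Python script is an added example, not F5 code, that reproduces the comparison failure described above in isolation: the same password containing '[' and ']' is percent-encoded by two parties with different hex-digit case, a byte-for-byte comparison never matches, and a comparison on canonical (decoded, re-encoded) forms does. Which side emits uppercase and which lowercase is an assumption made for illustration; the page states only that the two encodings differ and that the comparison is case-sensitive.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Added example, not F5 code. Two sides percent-encode the same password with
# different hex case; a case-sensitive comparison of the raw encodings fails,
# a comparison of canonical forms succeeds. Which side uses which case is an
# assumption for illustration only.


def browser_encode(value: str) -> str:
    """Form-encode as a browser posts it: reserved bytes become %XX (uppercase
    hex), spaces become '+'."""
    return quote_plus(value)


def lowercase_encode(value: str) -> str:
    """The same encoding with lowercase hex digits, standing in for the other
    party in the comparison."""
    return re.sub(r"%([0-9A-F]{2})",
                  lambda m: "%" + m.group(1).lower(),
                  quote_plus(value))


def naive_match(submitted: str, expected: str) -> bool:
    """Case-sensitive comparison of the two encoded strings (the failing check)."""
    return submitted == expected


def canonical(encoded: str) -> str:
    """Decode, then re-encode with one fixed convention so hex case no longer
    matters; '+' and %20 also collapse to one form."""
    return quote_plus(unquote_plus(encoded))


def robust_match(submitted: str, expected: str) -> bool:
    """Compare canonical forms instead of raw encoded strings."""
    return canonical(submitted) == canonical(expected)


# Constructed sample password containing the '[' and ']' that trigger the bug.
PASSWORD = "p@ss[1]"

if __name__ == "__main__":
    posted = browser_encode(PASSWORD)        # p%40ss%5B1%5D
    computed = lowercase_encode(PASSWORD)    # p%40ss%5b1%5d
    print("naive:", naive_match(posted, computed))    # False
    print("robust:", robust_match(posted, computed))  # True
```

The practitioner's takeaway is that percent-encoded values should never be compared as opaque strings: decode (or at least normalise hex case) before comparing, or the check fails exactly for the passwords that contain reserved characters.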
559082-2 : Tunnel details are not shown for MAC Edge client
Component: Access Policy Manager
Symptoms:
Tunnel details are not shown for MAC Edge client.
Tunnel details are located in Edge client :: View details :: Connection :: Tunnel details
Conditions:
MAC Edge client and established network access connection.
Impact:
Minor. Only diagnostic information is missing, otherwise tunnel works fine.
Workaround:
None.
554504 : Client OS version not logged in Browser/OS Reports for iOS client devices
Component: Access Policy Manager
Symptoms:
When an iOS device is used to login with APM, the client OS version is not logged and is not correctly reported in the Browser/OS Report.
Conditions:
Client device must run iOS.
Impact:
Devices running different versions of iOS are not differentiated in the Browser/OS Report.
Workaround:
None.
552988-2 : Cannot enable MPTCP on some profiles in GUI.
Component: Local Traffic Manager
Symptoms:
In version 12.1, MPTCP cannot be enabled on some profiles in the GUI. The GUI reports: 01070734:3: Configuration error: In profile /Common/proxy-client to enable MPTCP, Hardware SYN Cookie must be disabled.
Conditions:
Enabling MPTCP on some profiles in the GUI on version 12.1.
Impact:
MPTCP cannot be enabled from the GUI on version 12.1.
Workaround:
Use tmsh to enable MPTCP on the affected profiles.
552444-1 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
Component: Access Policy Manager
Symptoms:
Dynamic drive mapping in network access may not work if the mapping is configured to use a session variable and that session variable is populated from LDAP/AD.
Conditions:
Drive mapping is received from LDAP/AD and contains double slash in the path, e.g. "\\server\path"
Impact:
Dynamic drive mapping may not function.
Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for the drive map, assign the variable and collapse the extra backslashes added by APM:
homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]
547692-3 : Firewall-blocked KPASSWD service does not cause domain join operation to fail
Component: Access Policy Manager
Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both ports are blocked, the BIG-IP system cannot set the password of the machine account it has just created. A BIG-IP bug compounds this: the failure is not reported back to the administrator.
Because the machine account itself is created successfully on the Active Directory side (without the correct password), and the BIG-IP system does not report the KPASSWD failure, the domain join operation appears to have worked.
However, because the password is never set on the Active Directory side, the machine account is effectively unusable: the BIG-IP system can never establish a working SCHANNEL with the Active Directory server due to the password mismatch.
Account creation uses LDAP (plus Kerberos GSS-API with SASL binding), so the machine account itself is generated. Furthermore, because setting the machine account password is not an operation the administrator can perform directly, the situation obscures the fact that KPASSWD was failing: the AD server never receives the request and so logs no failure, the BIG-IP system fails to detect the KPASSWD failure, and from the administrator's point of view the domain join appears to have worked perfectly.
Conditions:
Of the DNS, LDAP, Kerberos, and KPASSWD services required for the domain join operation, only KPASSWD is blocked.
Impact:
The created machine account is effectively unusable due to the password mismatch, and the BIG-IP system can never establish a working SCHANNEL, so the NTLM authentication feature does not work.
Workaround:
Allow KPASSWD traffic (tcp/464 and udp/464) to reach the Active Directory server.
547428-3 : Unexpected storage-format string causes asm restart
Component: Application Security Manager
Symptoms:
ASM restarts and bd generates a core.
Conditions:
Logging Format : Comma-Separated Values
Storage Format : User-Defined
And a format string like the one in the Splunk documentation (https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup) is used:
"f5_asm=Splunk-F5-ASM,attack_type=%attack_type%,blocking_exception_reason=%blocking_exception_reason%,client_type=%client_type%,credential_stuffing_lookup_result=%credential_stuffing_lookup_result%,date_time=%date_time%,dest_ip=%dest_ip%,dest_port=%dest_port%,device_id=%device_id%,enforced_by=%enforced_by%,enforcement_action=%enforcement_action%,epoch_time=%epoch_time%,geo_info=%geo_location%,headers=%headers%,http_class=%http_class_name%,ip_addr_intelli=%ip_address_intelligence%,ip_client=%ip_client%,ip_route_domain=%ip_with_route_domain%,is_trunct=%is_truncated%,login_result=%login_result%,manage_ip_addr=%management_ip_address%,method=%method%,mobile_application_name=%mobile_application_name%,mobile_application_version=%mobile_application_version%,policy_apply_date=%policy_apply_date%,policy_name=%policy_name%,protocol=%protocol%,protocol_info=%protocol_info%,query_str=%query_string%,req=%request%,req_status=%request_status% ...snip..."
Once the virtual server receives a request and bd tries to generate the remote log message, bd crashes.
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
Use only items from the "Available Items" list in the logging profile.
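The following Python script is an added example, not F5 code, that pre-checks a user-defined storage-format string before it is committed to a logging profile: it extracts every %name% placeholder, reports those that are not in an allow-list, and flags a lone '%' outside any placeholder. AVAILABLE_ITEMS is a constructed stand-in for the "Available Items" list in the ASM logging profile UI; the real list is not reproduced on this page, so copy it from your own BIG-IP before relying on the result. The sample format string is a shortened variant of the Splunk-style string quoted above.

```python
import re

# Added example, not F5 code: a pre-flight check for a user-defined ASM
# storage-format string. AVAILABLE_ITEMS is a constructed stand-in for the
# "Available Items" list in the logging profile UI; replace it with the list
# from your own BIG-IP before use.

PLACEHOLDER_RE = re.compile(r"%([A-Za-z0-9_]+)%")

AVAILABLE_ITEMS = {
    "attack_type", "date_time", "dest_ip", "dest_port", "geo_location",
    "headers", "ip_client", "method", "policy_name", "protocol",
    "query_string", "request", "request_status",
}


def placeholders(fmt: str) -> list:
    """All %name% tokens in the format string, in order of appearance."""
    return PLACEHOLDER_RE.findall(fmt)


def unknown_placeholders(fmt: str, available=AVAILABLE_ITEMS) -> list:
    """Tokens not in the allow-list, deduplicated, first occurrence first."""
    seen, out = set(), []
    for name in placeholders(fmt):
        if name not in available and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def stray_percent(fmt: str) -> bool:
    """True if a '%' is left over once every %name% token is removed, i.e.
    the string contains a lone percent sign outside any placeholder."""
    return "%" in PLACEHOLDER_RE.sub("", fmt)


# Constructed, shortened variant of the Splunk-style string quoted above.
SAMPLE_FORMAT = ("f5_asm=Splunk-F5-ASM,attack_type=%attack_type%,"
                 "client_type=%client_type%,date_time=%date_time%,"
                 "geo_info=%geo_location%,is_trunct=%is_truncated%")

if __name__ == "__main__":
    print("unknown placeholders:", unknown_placeholders(SAMPLE_FORMAT))
    print("stray percent sign:", stray_percent(SAMPLE_FORMAT))
```

With the constructed allow-list the sample reports client_type and is_truncated as unknown; whether those items are actually available depends on your BIG-IP version, which is exactly why the allow-list must come from the device rather than from a third-party document.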
544980-5 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
Component: TMOS
Symptoms:
The size of /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.
Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.
Impact:
Not enough space in /var.
Workaround:
In the current volume:
1. Modify the global_attributes file, which is located in /shared/.tmi_config (edit it with vi).
From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}
To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}
2. Install the new version.
3. Restore the original value in the global_attributes file.
4. Switchboot to the newly installed volume.
5. To change /var to 3 GB, run the following command from tmsh:
modify /sys disk directory /var new-size 3145728
6. Reboot.
544958-4 : Monitors packets are sent even when pool member is 'Forced Offline'.
Component: Local Traffic Manager
Symptoms:
If the same pool member exists in more than one pool (for example, pools attached to different virtual servers) and the pool member is marked Forced Offline, a monitor assigned to both pools continues to run against that member.
Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.
Impact:
Monitors packets are sent even when pool member is 'Forced Offline'.
Workaround:
None.
544568-5 : Flows for a FastL4 profile that are forwarded may now be accelerated.
Component: TMOS
Symptoms:
Forwarded FastL4 profiles are not accelerated.
Conditions:
This occurs when any of the following conditions is met:
-- Using a preserve-strict setting on a virtual server.
-- Using the "snat" command in an iRule.
-- Using CGNAT with few available endpoints.
Impact:
Forwarded FastL4 flows are not accelerated.
Workaround:
None.
542347-2 : Denied message in audit log on first time boot
Component: TMOS
Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:
type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.
Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.
Impact:
This error message is benign and can be ignored.
Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.
542137 : TMM continually restarts due to HSB failure
Component: TMOS
Symptoms:
The HSB device returns invalid data to TMM, resulting in a TMM core. This condition persists for each TMM start and can be observed in the TMM logs as a series of SIGSEGV or SIGFPE signals every time TMM attempts to start.
Conditions:
-- It is unknown under what conditions this error occurs.
-- This occurs only on BIG-IP 6900 (D104), 3900 (C106), and 8900 (D106) platforms.
Impact:
TMM continually restarts, requiring manual intervention to reboot the unit. Traffic disrupted.
Workaround:
None.
542104-2 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
Solution Article: K33458192
Component: Local Traffic Manager
Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
TCP monitors may fail because the server fails to respond to the initial TCP SYN.
TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.
Conditions:
A server with tcp_tw_recycle enabled.
A multi-blade BIG-IP chassis.
Impact:
Monitor failures or traffic disruption.
Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.
Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.
541622-2 : APD/APMD Crashes While Verifying CAPTCHA
Component: Access Policy Manager
Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in libcurl function when verifying CAPTCHA
Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.
Impact:
Authentication service will be disrupted until APD/APMD is up again.
539026-5 : Stats refinements for reporting Unhandled Query Actions :: Drops
Component: Local Traffic Manager
Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error
but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors
Drops refers to dropped packets for the whole system, not specifically to Unhandled Query Actions. It would be clearer to have one dropped-packets statistic for the system and another specifically for Unhandled Query Actions, and to add a statistic for Allow packets under Unhandled Query Actions.
Conditions:
Statistics pages for Unhandled Query Actions :: Drops.
Impact:
May be confusing to determine what the statistics mean.
Workaround:
None.
538283-5 : iControl REST asynchronous tasks may block other tasks from running
Component: TMOS
Symptoms:
If an iControl REST asynchronous task is running, other iControl REST queries (synchronous or asynchronous) will wait until the asynchronous task completes before executing. If the asynchronous task is long-running, subsequent requests will block for a long time.
Conditions:
-- Executing an iControl REST task asynchronously.
-- Performing further iControl REST tasks (synchronous or asynchronous) while the asynchronous task is still running.
Impact:
Potential (and unexpected) long wait times while running a task asynchronously.
Workaround:
None.
537209-5 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
Component: Local Traffic Manager
Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.
Conditions:
A virtual is processing traffic that contains a Fastl4 profile with idle timeout set to 'immediate'.
Impact:
Traffic is Reset on a virtual where it should properly handle the traffic.
Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.
535122-8 : [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects
Component: TMOS
Symptoms:
Using iControl REST (iCRD) with 'sys crypto' always fails, and the GUI does not work with SSL file objects that were created with tmsh (with 'sys file') without an extension.
Conditions:
-- Creating SSL certificates/keys/CRL/CSR objects using iControl (with 'sys crypto') or tmsh (with 'sys file').
-- Specifying the file extension associated with the object: .crt/.key/.crl/.csr.
Impact:
The system creates a file with two extensions, for example, specifying the filename csrname.crt creates a file named csrname.crt.csr in folder /config/ssl/ssl.csr/.
-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
+ Inconsistently manages those files improperly.
+ May return errors (e.g., 'An error has occurred while trying to process your request.' or 'No certificate.').
+ May confuse two objects (e.g., 'web-server' and 'web-server.crt').
+ GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing one of these files, and reports an error similar to the following: Key management library returned bad status: -2, Not Found.
Workaround:
The two interfaces treat extensions differently, so name the object accordingly. The system explicitly adds the appropriate file extension during the create operation for iCRD 'sys crypto', so do not include an extension in the object name there (otherwise the file gets two extensions, as in csrname.crt.csr). The system does not add an extension for tmsh 'sys file', so there you must include the .crt/.key/.crl/.csr extension in the object name.
535119-1 : APM log tables initial rotation in MySQL may be wrong
Component: Access Policy Manager
Symptoms:
APM uses local MySQL to store logs and automatically rotates the log tables when the log table size exceeds a limit, which removes the oldest log table and makes room for a new current log table.
However, right after the installation that initially creates those log tables, their initial timestamps may be very close or identical at the 1-second granularity of MySQL timestamps. Because of this granularity, APM may pick the wrong table as the oldest in the first round of rotation, removing log data that is not the oldest.
After the first rotation, the log table rotation should work as normal.
Conditions:
The first round of log table rotation after installation
Impact:
Log data that are not the oldest may be removed at the first round of log table rotation.
534187-2 : Passphrase protected signing keys are not supported by SAML IDP/SP
Component: Access Policy Manager
Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.
Conditions:
Private key used to perform digital signing operations is passphrase protected.
Impact:
SAML protocol will not function properly due to inability to sign messages.
Workaround:
To work around the problem, remove the passphrase from the signing key.
530092-2 : AD/LDAP groupmapping is overencoding group names with backslashes
Component: Access Policy Manager
Symptoms:
Adding a group value that contains space(s) manually in AD/LDAP Group Resource Assign actions will result in the space(s) being escaped and thus invalidating match attempts. For example, adding group 'Foo Bar' (without the quotes) will result in an expression found in bigip.conf as follows:
expression "expr { [mcget -decode {session.ldap.last.attr.memberOf}] contains \"CN=Foo\\\\ Bar\" }"
The value '\"CN=Foo\\\\ Bar\"' will not match a memberOf group returned that contains 'CN=Foo Bar,...'.
Conditions:
Spaces are encoded with backslashes.
Impact:
Matching for the memberOf group does not work.
Workaround:
N/A
529896-2 : DNS Cache can use cached data from ADDITIONAL sections in answers after RRset cache cleared
Component: Global Traffic Manager (DNS)
Symptoms:
On deleting the RRset cache, an incorrect answer could be served out of the message cache.
Conditions:
The RRset cache is cleared but the message cache is not.
Impact:
A deleted or cleared answer may be served
528894-9 : Config sync after sub-partition config changes results in extra lines in the partition's conf file
Component: TMOS
Symptoms:
Config sync after sub-partition config changes results in extra lines in the partition's conf file.
Conditions:
Make changes under any partition except /Common and then config sync without overwrite.
Impact:
/config/partitions/partition_name/bigip_base.conf in the partitions folder has trunk and ha-group configuration. /config/bigip_base.conf no longer has the trunk and ha-group configuration.
Workaround:
'Sync Device to Group' with 'Overwrite Configuration' enabled.
528295-6 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
Solution Article: K40735404
Component: TMOS
Symptoms:
A 10.x UCS contains LTM virtual servers with ARP disabled. Loading that UCS on an 11.4.x or later system flips the ARP and ICMP echo setting values each time the load occurs.
Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.
Impact:
The ARP and ICMP echo setting values are flipped each time the load occurs. Note that the ICMP echo virtual field is flipped even if ARP is enabled.
Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.
527119-4 : An iframe document body might be null after iframe creation in rewritten document.
Component: Access Policy Manager
Symptoms:
Certain page elements (such as the Portal Access menu) cannot be used in Google Chrome; JavaScript appears not to have initialized properly, and errors occur on code such as the following:
iframe.contentDocument.write(html)
iframe.contentDocument.close()
<any operation with iframe.contentDocument.body>
Conditions:
-- The body of a dynamically created iframe document might be initialized asynchronously after APM rewriting.
-- Using the Chrome browser.
Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access. For example, one of the applications known to contain such code and fail after APM rewriting is the TinyMCE editor.
Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.
527004-4 : Monitor delete-and-create within a transaction fails
Component: Local Traffic Manager
Symptoms:
A transaction fails when it attempts to delete a pool and associated monitor, and within that same transaction then attempts to create that same pool with a different monitor. The transaction fail message is:
'Monitor -old_monitor_name- is in use'
This behavior is due to transaction validation, where a delete-and-create of the pool within that same transaction causes validation to fail (and the transaction to be aborted). The monitor cannot be deleted as long as the pool uses that monitor, and the pool will not be deleted at the conclusion of the transaction because later in the same transaction that same pool will be (re-)created.
Conditions:
-- A pool exists with an associated monitor.
-- A transaction is attempted to delete that pool and monitor, and then recreate that pool with a different monitor.
Impact:
The transaction fails. The configuration is not changed, and the BIG-IP system continues to function as if the transaction had not been attempted.
Workaround:
Perform the desired steps outside a transaction to replace the monitor, and/or delete and recreate the pool.
526519-1 : APM sessiondump command can produce binary data
Component: Access Policy Manager
Symptoms:
The new session variable "session.access.scope" includes a null character after the value. As a result, piped grep commands such as:
sessiondump <args> | grep <search value>
returning the text:
Binary file (standard input) matches
instead of the expected output.
Note that this problem exists in APM version 12.
Conditions:
Using sessiondump command with pipe to grep.
Impact:
Administrator cannot use "grep" command with sessiondump.
Workaround:
Use "-a" option with grep. For example:
sessiondump <args> | grep -a <search value>
525378 : iRule commands do not validate session scope
Component: Access Policy Manager
Symptoms:
Assume that a user establishes a session on one virtual server. If the user learns his session ID, he may attempt to reuse that session ID to gain access to resources guarded by a different virtual server. When this happens, the iRule access session commands like [ACCESS::session sid] and [ACCESS::session exists] do not validate the scope of the session. The iRules consider sessions from other virtual servers to be valid, which can cause unintended results and potentially lead to end-users gaining higher privileges than administrators intended.
Conditions:
There may be multiple access profiles assigned to multiple virtual servers, but the iRule session commands will treat all sessions the same.
Impact:
If the administrator is not careful with how the iRule session commands are used, it can result in a user bypassing the access policy and receiving higher privileges than the administrator intended.
Workaround:
Care must be used to ensure that iRules using the session commands do not result in unintended behavior. An iRule similar to one below can be used to restrict a session to the virtual server on which it was created:
when ACCESS_ACL_ALLOWED {
    # The virtual server on which the session was created, as recorded by APM.
    set sessionlistener [ACCESS::session data get "session.server.listener.name"]
    # The virtual server handling this request.
    set virtualname [virtual name]
    if { [HTTP::cookie MRHSession] != "" } {
        if { not ($sessionlistener equals $virtualname) } {
            # enter whatever command you wish to use to prevent the connection
            reject
        }
    }
}
524193-5 : Multiple Source addresses are not allowed on a TMSH SNMP community
Component: TMOS
Symptoms:
If multiple source addresses are specified on a tmsh snmp community command (add, modify, delete, replace-all), only the first address is saved.
Conditions:
Specifying multiple source addresses on a tmsh snmp community command.
Impact:
The command is accepted, but only the first address will be allowed snmp access.
Workaround:
Add an additional source address to another snmp community object that has the same community string.
524123-1 : iRule ISTATS::remove does not work
Component: TMOS
Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.
Conditions:
Invoking the ISTATS::remove command from an iRule.
Impact:
The value of the iStat remains defined.
Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.
523198-1 : DNS resolver multiplexing might cause unexpected behaviors
Component: Global Traffic Manager (DNS)
Symptoms:
DNS resolver multiplexing might cause unexpected behaviors, resulting in repeated log messages of the form: notice hud_msg_queue is full.
Conditions:
This occurs with a DNS resolver configured.
Impact:
TMM cores or connflows not expiring. System posts messages similar to the following: notice hud_msg_queue is full.
Workaround:
None.
523158-1 : In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails
Component: Access Policy Manager
Symptoms:
In rare cases, when the DN is returned with 'cn=' in lower case, the Visual Policy Editor (VPE) fails to match group names.
Conditions:
LDAP server that returns 'cn' in lower case.
Impact:
Group mapping does not work.
Workaround:
No workaround.
522241-3 : Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete
Component: Local Traffic Manager
Symptoms:
After running the tmsh command "show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only" you may experience the following symptoms:
- One of the TMM instances on the system climbs to 100% CPU utilization for a prolonged amount of time.
- The odd-numbered hyperthread (i.e. 1) corresponding to the even-numbered hyperthread (i.e. 0) where the busy TMM instance is running is partially halted by the HT-Split feature (this will be observable in utilities such as "top" and by the presence of "Idle enforce starting" log messages in the /var/log/kern.log file).
- After waiting for a very long time, the tmsh command may not actually return and display a record count.
- The tmsh command does not respond to CTRL+C and continues running.
Conditions:
A DNS cache contains a large number of records and the BIG-IP Administrator runs the following tmsh command to determine the exact record count:
"show ltm dns cache records <key|msg|nameserver|rrset> cache <name> count-only"
Impact:
Due to the high CPU utilization, traffic handling is impaired. Control-plane processes can also become affected, leading to different issues (this depends on the size and load of the BIG-IP system). For example, the lacpd process can become descheduled causing trunks to flap.
Workaround:
Do not run the specified tmsh command.
If you have run the specified tmsh command and it has not returned after a very long time, and you want to restore normal system operation, perform the following steps:
1) Press CTRL+Z to background execution of the command.
2) Enter the "killall -9 tmsh" command (if you have multiple tmsh commands running and only want to kill the affected one, you will have to identify the correct tmsh process using utilities such as ps and top).
If your login shell is tmsh and not bash, simply close your SSH session to the BIG-IP system (as you won't be able to perform the aforementioned steps).
520500-4 : Connection inside Windows VPN tunnel may break if renegotiation is enabled in SSL profile
Component: Access Policy Manager
Symptoms:
A VPN connection on Microsoft Windows may temporarily stop passing traffic while performing secure TLS renegotiation. Although this lasts only a few seconds, for some applications it may result in a connection stall or loss.
Conditions:
- APM clients for Windows.
- Secure renegotiation (by time or by size) configured on the SSL profile on BIG-IP APM.
Impact:
VPN connection on Windows momentarily stops passing traffic.
Workaround:
None.
517609-3 : GTM Monitor Needs Special Escape Character Treatment
Solution Article: K77005041
Component: Global Traffic Manager (DNS)
Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.
Conditions:
Any running GTM monitor.
Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.
Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.
516280-4 : bigd process uses a large percentage of CPU
Component: Local Traffic Manager
Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.
Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.
Impact:
bigd process uses a large percentage of CPU.
Workaround:
None.
514703-1 : gtm listener cannot be listed across partitions
Component: TMOS
Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.
Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.
For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.
Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.
Workaround:
Change to the partition where the listener exists before performing any operations on it.
513887-8 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system
Component: Application Security Manager
Symptoms:
There are "/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'
Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.
Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'
No other impact.
Workaround:
None.
512490-14 : Increased latency during connection setup when using FastL4 profile and connection mirroring.
Component: Local Traffic Manager
Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.
Conditions:
FastL4 profile with connection mirroring.
Impact:
Slight delay during connection setup.
Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.
510395-5 : Disabling some events while in the event, then running some commands can cause tmm to core.
Solution Article: K17485
Component: Local Traffic Manager
Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.
Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
    if { $a == $b } {
        # The event is disabled while it is still executing...
        event disable HTTP_REQUEST
    }
    # ...and then a parking (asynchronous) command runs; this combination can core TMM.
    after 100
    log local0. "foo"
}
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable events as the last command before exiting the event. For example:
when HTTP_REQUEST {
    if { $a == $b } {
        # Disable the event and leave immediately; no parking command follows.
        event disable HTTP_REQUEST
        return
    }
}
510034-2 : Access Policy memory is not cleared between access policy executions
Component: Access Policy Manager
Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.
The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.
Conditions:
The access policy uses Tcl variables that may not have been initialized. For example, a Variable Assign expression such as:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured
Note that here the regex may or may not match, depending on the user input. If it does not match, Tcl's regexp leaves the capture variable untouched, so "captured" *may* still contain the result from a different user who logged in previously.
Impact:
Unexpected results from Access Policy execution.
Workaround:
To work around the problem, the return value of any command that sets a variable must be checked before the variable is used. For example, instead of the regex statement above, use the following (regexp returns 1 only when the pattern matched; "foo" receives the full match and "captured" the first group):
if { [regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }
This way, if the regex does NOT match, the result is "nomatch" instead of potentially containing a value from a previous session.
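The following Python model, added here as an illustration and not APM code, reproduces the failure mode above: a single interpreter whose variable namespace persists across two logons, a Tcl-style regexp that leaves its capture variable untouched on a non-match, and the original expression next to the workaround. PersistentInterp, unsafe_assign, safe_assign and the two sample user names are all constructed for the example.

```python
import re


class PersistentInterp:
    """Constructed model of the APD Tcl interpreter: its variable namespace
    survives from one access policy execution to the next."""

    def __init__(self):
        self.vars = {}  # shared across "executions", like the APD interpreter

    def regexp(self, pattern, subject, *var_names):
        """Tcl-style regexp: returns 1 on a match and stores the full match and
        capture groups into var_names; on no match returns 0 and leaves the
        named variables exactly as they were (this is the leak)."""
        m = re.search(pattern, subject)
        if m is None:
            return 0
        values = (m.group(0),) + m.groups()
        for name, value in zip(var_names, values):
            self.vars[name] = value
        return 1


# Pattern taken from the page's Variable Assign example; the '.' in
# 'example.com' is left unescaped exactly as the page has it.
PATTERN = r"(.+)@example.com"


def unsafe_assign(interp, username):
    """Mirrors the original expression: ignores regexp's return value and
    returns $captured whatever it currently holds. A never-set variable is
    modeled as an empty string (real Tcl would raise an error)."""
    interp.regexp(PATTERN, username, "foo", "captured")
    return interp.vars.get("captured", "")


def safe_assign(interp, username):
    """Mirrors the workaround: only trust $captured when regexp returned 1."""
    if interp.regexp(PATTERN, username, "foo", "captured") == 1:
        return interp.vars["captured"]
    return "nomatch"


def run_two_logons(assign):
    """Two consecutive logons through one interpreter (constructed sample
    input): the first matches the pattern, the second does not."""
    interp = PersistentInterp()
    first = assign(interp, "alice@example.com")
    second = assign(interp, "mallory")  # no '@example.com', so no match
    return first, second


if __name__ == "__main__":
    print("original :", run_two_logons(unsafe_assign))  # second logon sees 'alice'
    print("workaround:", run_two_logons(safe_assign))   # second logon sees 'nomatch'
```

With the original expression the second user's policy evaluation returns the first user's captured value; with the workaround it returns "nomatch". The same discipline applies to any Tcl command in an access policy that writes a variable conditionally: check the command's result before reading the variable.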
509596-1 : iFrames with 'javascript:' scheme in SRC may not work
Solution Article: K44043455
Component: Access Policy Manager
Symptoms:
Some applications do not work with Portal Access, resulting in an error 'F5_Invoke_write is not defined' on JavaScript Console.
Conditions:
Web application that uses IFrames with 'javascript:' scheme in SRC attribute runs through Portal Access.
Impact:
Web application does not work through Portal Access.
Workaround:
There is no workaround at this time.
509497-1 : VCMP guests on a specific host may be restarted when that host system experiences large date/time changes
Component: TMOS
Symptoms:
After a large (longer than 7 months) change in system date/time, either manually or via NTPD, vCMP guests may be terminated and restarted.
Conditions:
-- vCMP is provisioned.
-- There is a large change (longer than 7 months, for example), to the system date/time.
Impact:
Temporary loss of service of data path elements, until terminated guests are restarted.
Workaround:
Avoid large changes in system time during critical hours of operation.
It may be better to bring down guests administratively, make the date/time change, and then bring the guests back up rather than allowing them to be terminated/restarted automatically due to heartbeat timer expiration.
505037-2 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
Solution Article: K01993279
Component: Local Traffic Manager
Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.
Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.
Impact:
Secondary in a restart loop.
Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.
501258-2 : Unable to modify 'gtm region region-members' via iControl REST
Component: TMOS
Symptoms:
Unable to modify 'gtm region region-members' via iControl REST. The system returns an HTTP 400 error with the message 'Invalid region type'.
Conditions:
Attempt to modify gtm region region-members via iControl REST.
Impact:
Unable to use iControl REST to configure this portion of the GTM/DNS configuration.
Workaround:
Use tmsh to modify GTM Regions.
499404-1 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
Solution Article: K15457342
Component: Local Traffic Manager
Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.
Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.
Impact:
The wrong MSS value is advertised during 3WHS.
Workaround:
None.
499348-5 : System statistics may fail to update, or report negative deltas due to delayed stats merging
Component: TMOS
Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.
The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.
Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:
-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).
-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).
Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.
Workaround:
This issue has two workarounds:
1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:
-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.
2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
tmsh modify sys db merged.method value slow_merge
496621-1 : Portal Access incorrectly rewrites expressions with JavaScript typeof operator
Component: Access Policy Manager
Symptoms:
The Portal Access module transforms intranet web application code to make it accessible via an APM virtual server. One of these transformations might incorrectly rewrite expressions with 'typeof' operator, though you might not see any immediate visible effect.
Conditions:
The issue affects expressions like 'typeof something' where 'something' is expected to be transformed by Portal Access.
For example, with original code similar to 'var l = window.location; if (typeof l.href) {...}', the unrewritten typeof argument causes the condition to fail.
Impact:
When Portal Access accesses an intranet application containing such code, expressions with the typeof operator may evaluate to the wrong value, sending the application down incorrect code paths. As a result, the application might fail with very obscure, difficult-to-diagnose errors.
Workaround:
Use an iRule for each specific case. There is no global workaround.
494135-1 : HTML Event handlers may not work if 'eval' is redefined
Solution Article: K43101043
Component: Access Policy Manager
Symptoms:
If the JavaScript 'eval' function is redefined in an HTML page, event handlers may not work correctly.
Conditions:
There may be many ways to re-define 'eval'. For example:
<form>
<button name=eval onclick="someFunction();">Button</button>
</form>
In this case 'onclick' event handler will not work through Portal Access.
Impact:
Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash.
Workaround:
There is no workaround at this time.
493524 : ASM attack appears to be ongoing forever if dosl7d is restarted during an attack
Component: Application Visibility and Reporting
Symptoms:
If dosl7d is restarted during an attack it doesn't write the "end attack" event to logdb.
Conditions:
Restarting dosl7d in the middle of an ASM attack (including actions that implicitly cause dosl7d restart like tmm restart or reboot).
Impact:
Attack appears ongoing in Dos Overview page (even though it should be marked "ended").
Workaround:
No workaround.
489960-2 : Memory type stats are incorrect
Component: WebAccelerator
Symptoms:
When tmm allocates memory, it accumulates stats per memory type allocated. AAM does not properly mark the memory type for string objects, which skews the stats of other memory types depending on configuration and release.
Conditions:
AAM is provisioned and there are virtuals in BIG-IP configuration which have web acceleration profiles associated with one or more AAM policies.
Impact:
Stats for some types of memory can be skewed causing troubleshooting issues.
Workaround:
None.
489499-3 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
Component: TMOS
Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not be seen or reported by chmand. A message is seen in /var/log/ltm that contains the phrase "failed to register for LOP at <address>".
Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.
Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.
Workaround:
Re-start lopd:
# bigstart restart lopd
486997-1 : The vCMP guest lost watchdog heartbeat, and the host restarted it.
Component: TMOS
Symptoms:
The guest on one slot stops refreshing its watchdog heartbeat for 30 seconds, and the host vcmpd restarts the guest. The host logs messages:
-- 01510014:1: vCMP guest <guestname> heartbeat timeout at the halfway mark.
-- 01510013:1: vCMP guest <guestname> lost heartbeat.
In a multi-slot guest, /var/log/ltm on the other, unaffected guest slots can report 'clusterd FAILED' and show evidence of the faulty slot going down.
Conditions:
The conditions under which this occurs are unknown. This is a rarely encountered issue.
Impact:
Guest restart on one slot.
Workaround:
This issue has no workaround at this time.
To assist in capturing potential missed messages from the guest serial console, beginning in version 12.0.0, you can enable the db variables vcmp.guest.console and vcmp.guest.console.logging to log the output to a host-side file. To activate the logging, the guest must be re-deployed.
486735-5 : Maximum connections is not accurate when TMM load is uneven
Component: Local Traffic Manager
Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. The maximum connections statistic reports the sum of each TMM's own maximum, not the maximum number of concurrent connections the virtual server carried at any one instant.
Conditions:
This occurs when the load disaggregated to available TMMs is uneven.
Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.
Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
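The following Python illustration, added here and not F5 code, shows with a constructed per-TMM time series why summing each TMM's own peak overstates the virtual server's real peak whenever the TMMs reach their peaks at different instants. SAMPLE_PER_TMM and the function names are assumptions made for the example.

```python
# Constructed sample: concurrent connections on each TMM sampled at four
# instants. Each inner list is one TMM's time series (tmm0, tmm1, tmm2).
# Load is uneven: each TMM peaks at a different instant.
SAMPLE_PER_TMM = [
    [100, 40, 10, 5],   # tmm0 peaks at t=0
    [10, 90, 30, 5],    # tmm1 peaks at t=1
    [5, 10, 20, 80],    # tmm2 peaks at t=3
]

# Constructed sample with evenly distributed load: all TMMs peak together.
EVEN_PER_TMM = [
    [50, 80, 60],
    [50, 80, 60],
]


def reported_max(per_tmm):
    """What the statistic reports: each TMM's all-time maximum, summed,
    regardless of when each maximum occurred."""
    return sum(max(series) for series in per_tmm)


def true_max(per_tmm):
    """What an operator expects: the largest number of connections the
    virtual server carried at a single instant (sum across TMMs per instant,
    then take the maximum over instants)."""
    return max(sum(instant) for instant in zip(*per_tmm))


def overstatement(per_tmm):
    """How far the reported value exceeds the true peak. It is zero only when
    every TMM reaches its own maximum at the same instant."""
    return reported_max(per_tmm) - true_max(per_tmm)


if __name__ == "__main__":
    for label, data in (("uneven", SAMPLE_PER_TMM), ("even", EVEN_PER_TMM)):
        print(label, "reported:", reported_max(data),
              "true:", true_max(data), "overstated by:", overstatement(data))
```

For the uneven sample the statistic reports 270 while the virtual server never carried more than 140 concurrent connections; for the even sample both figures agree. This is why the workaround is to make connection distribution across TMMs as uniform as possible, and why the reported figure should be read as an upper bound when sizing connection limits.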
486712-7 : GUI PVA connection maximum statistic is always zero
Component: TMOS
Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.
Conditions:
This occurs when fastL4 connections are used.
Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.
484683-4 : Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer.
Component: TMOS
Symptoms:
-- After a configuration synchronization (ConfigSync) operation, the peer of a high-availability (HA) pair cannot show the summary of cert-chain using the command:
tmsh run sys crypto check-cert verbose enabled
-- After a ConfigSync operation, Certificate Subjects may be missing or empty when viewed in the Configuration Utility/GUI under System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: <certificate>.
Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, set up an high availability (HA) configuration.
2. Import Certificate chain to one BIG-IP system.
3. Perform a ConfigSync operation to sync the certificate chain to the high availability (HA) peer.
Impact:
After a ConfigSync operation, the certificate chain summary is not created on other high availability (HA) peers.
Workaround:
1. Copy the cert-chain file to a location on the system (e.g., /shared/tmp/).
2. Update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_5361_1.
Note: The step above causes the units to be out of sync, so an additional config-sync operation is required to bring the units 'In Sync' again.
482625-1 : Pages with utf-8 Content-Type and utf-16 META tag do not render
Component: Access Policy Manager
Symptoms:
Some pages cannot be displayed. A page has a Content-type header with charset utf-8. The payload has a META tag with charset utf-16. Actual data appears to be utf-8. Rewriting the page inserts a utf-16 BOM in the response, causing the page to not load.
Conditions:
Pages that contain utf-8 Content-Type headers but utf-16 META tags
Impact:
Web-application cannot display some pages.
Workaround:
An iRule can be used to fix the META charset and allow the page to load.
481235-2 : Rare Watchdog Restart of TMM and Datastor
Component: TMOS
Symptoms:
The TMM and Datastor get killed and restarted by the watchdog process.
Conditions:
If the server pool is inadequate, or responses are too slow, datastor can experience a resource starvation problem.
Impact:
TMM and Datastor will be killed by the watchdog process.
Workaround:
None. This usually occurs when your server pool is experiencing problems, delays, or simply has too few servers to handle the load.
480795 : GTM: Move address from one high availability (HA) redundant LTM to another might cause BIG-IP monitor failure
Component: Global Traffic Manager (DNS)
Symptoms:
Move address from one high availability (HA) redundant LTM to another might cause BIG-IP monitor failure.
Conditions:
-- LTM server high availability (HA) configuration with one address at 'Address List' and another at 'Peer Address List'.
-- One of the addresses is moved from one list to the other.
Impact:
Only one of the redundant LTM systems get probed. If the probed LTM is standby, it ignores the probe request. The available BIG-IP redundant LTM server is marked down, the monitor does not work, and all hosted virtual servers are marked down.
Workaround:
To work around this:
1. In the GUI, delete the address from either the 'Address List' or the 'Peer Address List' and click 'Update'.
2. Add the address to the other field and click 'Update'.
Note: Make sure to click 'Update' after step 1 before proceeding to step 2.
479262-4 : 'readPowerSupplyRegister error' in LTM log
Component: TMOS
Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.
Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.
Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.
Workaround:
None. You can safely ignore this error message in this case.
478450-5 : Improve log details when "Detection invalid host header ()" is logged
Component: Access Policy Manager
Symptoms:
There is no way for the APM admin to determine the source of the sessions for the log message "Detected invalid host header ()", even at debug level logging.
Conditions:
1- Create APM virtual with any access policy
2- On another BIG-IP, create a pool with an HTTPS monitor to that APM virtual server.
3- Notice the logging in APM.
Impact:
It is difficult for admin to determine the source of the error.
477992-3 : Instance-specific monitor logging fails for pool members created in iApps
Solution Article: K07450534
Component: Local Traffic Manager
Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.
Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.
Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.
Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.
477611-5 : ICMP monitor does not work on DAG Round Robin enabled VLANs
Component: TMOS
Symptoms:
ICMP monitor does not work on the VLANs with DAG Round Robin set to enabled.
Conditions:
For a VLAN, the DAG Round Robin option is enabled.
Impact:
ICMP monitor will be down.
Workaround:
Utilize another monitor or disable the DAG Round Robin option.
476544-2 : mcpd core during sync
Component: TMOS
Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.
Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.
Impact:
mcpd cores and restarts if it runs out of memory. This condition can be detected only by inspecting the core file.
Workaround:
None.
474901-1 : Profiles with a large number of regexps can cause excessive memory usage.
Component: Local Traffic Manager
Symptoms:
tmm crashes on out of memory.
Conditions:
This can occur if you are using a lot of profiles that rely on regular expressions, such as compression or deflate.
Impact:
Traffic disrupted while tmm restarts.
473755-1 : It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side
Component: Application Visibility and Reporting
Symptoms:
It's possible to open a connection to monpd's Thrift server and, if the client does not actively close it, the connection will persist indefinitely (even if it's idle). As a result of this issue, you might experience the following symptoms:
-- Cannot access event logs or reports.
-- Cannot run tmsh analytics commands.
Conditions:
Client system opens a connection to monpd's Thrift server (port 9090 or 9091), and does not close it.
Impact:
If the number of allowed connections to monpd's Thrift server is reached, monpd will not receive new connections. Since the idle connections can persist indefinitely this will deny service from monpd.
Workaround:
No workaround (except for manually killing open idle connections).
470807-3 : iRule data-groups are not checked for existence
Component: Local Traffic Manager
Symptoms:
When an iRule references a data-group that is not in /Common, or that is referenced without an explicit partition path, no error is reported when the iRule is saved or at runtime, even though the data-group cannot be resolved.
Conditions:
A user saves an iRule that references a data-group that is not in /Common, or that is referenced without an explicit path.
Impact:
When such an iRule is saved, it can cause all traffic on the affected virtual servers to fail.
Workaround:
None.
470346-5 : Some IPv6 client connections get RST when connecting to APM virtual
Component: Access Policy Manager
Symptoms:
IPv6 clients connecting to APM virtual server that renders some page, e.g., logon page, webtop, or message box, might get connection resets.
Conditions:
The last 4 bytes of the client's IPv6 address, read as an IPv4 address, fall within an IPv4 special-purpose range (e.g., multicast).
Impact:
Client connection is reset.
Workaround:
Change the last 4 bytes of the client IPv6 address so that they fall outside the IPv4 special-purpose ranges.
469366-3 : ConfigSync might fail with modified system-supplied profiles
Solution Article: K16237
Component: TMOS
Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.
Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.
Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'
Workaround:
One of the following:
1. Manually replicate the changes made to the base profile on the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation.
3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsynchronized changes on the other system.
467589-4 : Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.
Component: WebAccelerator
Symptoms:
The /usr/share/mysql/purge_mysql_logs.pl script that ships with the new install (and is run hourly via cron) throws an error. The script is meant to be exited if AAM, ASM and PSM are not provisioned, but the check is not done appropriately and it continues execution, failing later.
Conditions:
BIG-IP system with no AAM, ASM, and PSM provisioned, when running the script /etc/cron.hourly/purge_mysql_logs.pl (linked to /usr/share/mysql/purge_mysql_logs.pl)
Impact:
The script gives false output and attempts to execute invalid actions. The system posts the following error: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27.
Workaround:
Provision AAM, ASM, or PSM. Or modify the script using the following procedure:
Remount the /usr partition read-write:
# mount -o remount,rw /usr
Edit /usr/share/mysql/purge_mysql_logs.pl and change the original check:
unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) {
exit 0;
}
to:
unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) {
exit 0;
}
463903-5 : Behavior Change: HA Score calculation when minimum-threshold attribute is in use
Solution Article: K68062382
Component: TMOS
Symptoms:
HA Groups periodically compute an HA health score to determine which BIG-IP device is the 'best' device to host a Traffic Group. If another device has a better score than the current device then the Traffic Group fails over to the other device. The HA Group provides a set of thresholds that, if not met, will evoke failover regardless of HA scores.
Some problems with this are the following:
The HA score measured by two devices may vary slightly over time. The device with the 'best' score may vary thus triggering unnecessary failovers even though the difference in the scores is negligible.
The current method is not flexible. HA groups cannot easily incorporate other boolean inputs (e.g., VLAN failsafe) or other methods of picking the next active device (e.g., a load-aware algorithm).
For these reasons, the HA Group has been refactored into two separate objects, HA Monitor and HA Score, to decouple failure detection from failure remediation. An HA Monitor determines when a traffic group can no longer run on the current device. The HA Score failover method picks the highest scoring device as the next device to host the traffic group. An HA monitor may be combined with other Failover Methods to, for example, failover to the next device in round robin order.
If any component (trunk, pool, cluster member) of a high availability (HA) group violates its 'minimum' requirement (defined by the 'minimum-threshold'), the total HA group score is not forced to 0 (zero) if there is an active bonus set.
Conditions:
-- Configuration contains an HA group with associated components (trunks, pools, cluster members).
-- 'Minimum-threshold' setting of any of those members is non-zero.
-- Non-zero number of members.
Impact:
Because of how HA group score is calculated, the system might incorrectly report a viable traffic group or may fail over unnecessarily.
Workaround:
Use tmsh to configure the 'minimum-threshold' parameter for each of the HA group components (trunks, pools, and cluster members) to a value that specifies the minimum number of monitored objects required to consider this contributor valid.
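To make the behaviour change concrete, the following is an added, simplified model of HA group scoring; it is not F5's implementation and the scoring formula (weight scaled by the fraction of members up, plus an active bonus for the device currently hosting the traffic group) is an assumption for illustration. It shows why the score must be forced to 0 when any contributor falls below its minimum-threshold: with the pre-fix behaviour, the active bonus alone keeps a non-viable device ahead of a healthy peer, so no failover happens.

```python
"""Illustrative model of HA group scoring with minimum thresholds.

Constructed example, not F5's code. Assumptions: each contributor scores
weight * (up / total); an active bonus is added on the device currently
hosting the traffic group; the highest score hosts the traffic group.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Contributor:
    name: str
    weight: int                # points when every monitored object is up
    total: int                 # number of monitored objects (members, links, ...)
    up: int                    # monitored objects currently available
    minimum_threshold: int = 0 # 0 means the threshold is not in use

    def score(self) -> float:
        if self.total == 0:
            return 0.0
        return self.weight * self.up / self.total

    def below_minimum(self) -> bool:
        return self.minimum_threshold > 0 and self.up < self.minimum_threshold


def ha_score(contributors: List[Contributor], active_bonus: int = 0,
             is_active: bool = False, enforce_minimum: bool = True) -> float:
    """Total HA score for one device.

    enforce_minimum=True is the fixed behaviour: a contributor below its
    minimum-threshold makes the device non-viable (score 0) regardless of
    the active bonus. enforce_minimum=False reproduces the symptom in the
    release note, where an applied active bonus prevents the zeroing.
    """
    base = sum(c.score() for c in contributors)
    bonus_applied = is_active and active_bonus > 0
    if bonus_applied:
        base += active_bonus
    if any(c.below_minimum() for c in contributors):
        if enforce_minimum or not bonus_applied:
            return 0.0
    return base


def next_active(scores: Dict[str, float], current: str) -> str:
    """Device with the highest score; on a tie the current device keeps the traffic group."""
    return max(scores, key=lambda d: (scores[d], d == current))


def failover_decision(enforce_minimum: bool) -> str:
    """Constructed scenario: the active device has 1 of 4 pool members up
    (below its threshold of 2); the standby has all 4 up."""
    active = [Contributor("pool", weight=10, total=4, up=1, minimum_threshold=2)]
    standby = [Contributor("pool", weight=10, total=4, up=4, minimum_threshold=2)]
    scores = {
        "bigip-a": ha_score(active, active_bonus=10, is_active=True,
                            enforce_minimum=enforce_minimum),
        "bigip-b": ha_score(standby, active_bonus=10, is_active=False,
                            enforce_minimum=enforce_minimum),
    }
    return next_active(scores, current="bigip-a")
```

With the fixed rule `failover_decision(True)` returns "bigip-b" (the active device scores 0 and the healthy peer takes over); with the pre-fix rule `failover_decision(False)` returns "bigip-a" because 2.5 plus the bonus of 10 still beats the peer's 10, which is the incorrectly viable traffic group the release note describes.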
455066-2 : Read-only account can save system config
Component: TMOS
Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.
Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.
Impact:
Read-only users are able to run save sys config in tmsh.
Workaround:
None.
451627-2 : If key associated with monitor is stored in external hsm, monitor fails.
Component: Local Traffic Manager
Symptoms:
Monitor does not work with netHSM keys.
Conditions:
Configure netHSM keys and monitor.
Impact:
Monitor does not work.
450136-3 : Occasionally customers see chunk boundaries as part of HTTP response
Component: Access Policy Manager
Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.
Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.
Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.
Workaround:
To work around this problem, use an iRule that always rechunks the HTTP response.
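A double-chunked response is easy to spot on the wire once you know the signature: decoding the chunked body once yields bytes that are themselves a valid chunked stream, so the client renders chunk-size lines and the terminating 0-chunk as page content. The following is an added example, not code from the release note or from F5, that encodes a constructed sample body, decodes it, and flags the double-encoded case.

```python
"""Detect a double-chunked HTTP/1.1 response body.

Added example, not code from the release note or from F5. It decodes a
chunked body once and then checks whether the decoded bytes still parse
as a well-formed chunked stream, the signature of a body that was
chunk-encoded twice. The sample payload is constructed here.
"""
from typing import Tuple

# Constructed sample payload.
HTML = b"<html><body>hello</body></html>"


def encode_chunked(payload: bytes, chunk_size: int = 8) -> bytes:
    """Chunk-encode payload with fixed-size chunks and a terminating last-chunk."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def decode_chunked(body: bytes) -> Tuple[bytes, bool]:
    """Return (payload, well_formed).

    well_formed is False when body is not a complete, valid chunked stream.
    Chunk extensions are ignored; trailer fields are accepted but dropped.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return bytes(out), False
        size_field = body[pos:end].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return bytes(out), False
        if size < 0:
            return bytes(out), False
        pos = end + 2
        if size == 0:
            rest = body[pos:]
            # Either an empty trailer section or trailer lines ending in a blank line.
            return bytes(out), rest == b"\r\n" or rest.endswith(b"\r\n\r\n")
        piece = body[pos:pos + size]
        if len(piece) != size or body[pos + size:pos + size + 2] != b"\r\n":
            return bytes(out), False
        out += piece
        pos += size + 2


def is_double_chunked(body: bytes) -> bool:
    """Heuristic: the decoded payload must itself be a complete chunked stream."""
    payload, ok = decode_chunked(body)
    if not ok or not payload:
        return False
    _, inner_ok = decode_chunked(payload)
    return inner_ok


if __name__ == "__main__":
    once = encode_chunked(HTML)
    twice = encode_chunked(once)
    print("single encoding double-chunked?", is_double_chunked(once))
    print("double encoding double-chunked?", is_double_chunked(twice))
    # What the client ends up rendering in the double-chunked case:
    print(decode_chunked(twice)[0])
```

The check is a heuristic: a legitimate payload that happens to begin with a hexadecimal line followed by CRLF and end with a 0-chunk would also match, so treat a hit as a prompt to inspect the virtual server's profile stack (rewrite plus OneConnect or NTLM, per the conditions above) rather than as proof on its own.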
438574-1 : Web UI: iSession Profile properties page displays incorrect parent profile name.
Component: TMOS
Symptoms:
Local Traffic :: Profiles :: iSession Profile properties page displays incorrect parent profile name.
Conditions:
-- Viewing parent profile for an iSession profile.
-- 'iSession' is set as the parent profile.
-- Another profile exists whose name begins with a letter from 'a' to 'h'.
Impact:
Incorrect information is displayed on the GUI even though the database has the correct information.
Workaround:
View the properties of iSession profile from tmsh.
435419-4 : Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
Solution Article: K10402225
Component: Access Policy Manager
Symptoms:
Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
Conditions:
-- Attempt to upload a current EPSEC file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.
Impact:
mcpd crashes, followed by multiple cores.
Workaround:
Upload the EPSEC file completely, and try the installation again.
433572-4 : DTLS does not work with rfcdtls cipher on the B2250 blade
Component: Local Traffic Manager
Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.
Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using dtls on vCMP.
Impact:
DTLS does not work with rfcdtls cipher on the B2250 blade
Workaround:
None.
431503-5 : TMSH crashes in rare initial tunnel configurations
Solution Article: K14838
Component: TMOS
Symptoms:
In rare BIG-IP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.
Conditions:
During TMM startup, a tunnel is created and then immediately removed during the configuration load period, while TMM neighbor messages may be in flight via the tunnel. When the race condition occurs, the neighbor message may land on an invalid tunnel.
Impact:
TMM crash in rare race conditions.
Workaround:
None.
431480-1 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
Solution Article: K17297
Component: Local Traffic Manager
Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.
Conditions:
The exact conditions that result in this error are unknown.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
This issue has no workaround at this time, but the system recovers without any user action.
417819-2 : APM - with Edge Clients, some JS contents differ, causing a warning
Solution Article: K69046914
Component: Access Policy Manager
Symptoms:
Intermittent JS Error in sesstimeout.js during access to full webtop by Edge Clients.
Conditions:
-- At least two different Edge Clients with User Agent strings based on Internet Explorer version 11 (IE11).
-- A version of IE earlier than IE11 is used to access the full webtop resource.
Impact:
If 'Display notification about all script errors' is enabled in IE (Internet Options :: Advanced tab) IE displays JS error messages. One client might encounter a JS Syntax error, depending on TMM count and APM RAMCACHE content.
Note: There is no impact on product functionality, because Edge Clients do not call JS code from sesstimeout.js. The error is cosmetic only and can be ignored.
Workaround:
Special APM resource assignment branch for standalone Edge Clients can be configured in VPE to access 'webtop-type network', (NA_only_webtop resource does not include /vdesk/sesstimeout.js and /vdesk/hometab.js).
414713-1 : Hosted Content connected object import issues
Solution Article: K51880413
Component: Access Policy Manager
Symptoms:
If a policy object is linked to hosted content, the import fails unless a similarly named object already exists on the target box.
The import error looks similar to the following:
"Configuration error: Cannot find sandbox file (Common/hosted-content:loginNew.html_1361913754973) referred in resource webtop (/Common/Import-ChangeProperty) Unexpected Error: Validating configuration process failed."
Conditions:
This can occur if you are using Hosted Content and you are using Export/Import to copy an access policy from one APM to a new APM that does not have the Hosted Content files already on it.
Impact:
The import will fail on the new device.
Workaround:
Unlink objects from hosted content, or first replicate similar objects under similar names in hosted content on the target device.
410549-1 : Changing the provision.tmmcount db variable value results in continuous tmm restarts
Component: TMOS
Symptoms:
Changing the 'provision.tmmcount' db variable value results in continuous tmm restarts.
Conditions:
Changing 'provision.tmmcount' db variable value.
Impact:
Continuous tmm restarts.
Workaround:
After making a change to the number of TMMs (provision.tmmcount), save the configuration and reboot the system.
405898-2 : If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected
Component: Local Traffic Manager
Symptoms:
If the maximum transmission unit (MTU) for a network running OSPF differs from the interface MTU that ZebOS, or the neighbor router, has configured, OSPF adjacencies may not form, or some datagrams may be rejected.
Conditions:
TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface, and OSPF is running on that interface.
Impact:
OSPF adjacencies never fully form and routes are not exchanged.
Workaround:
Restarting TMM clears the cached maximum transmission unit (MTU). Leaving all interface MTUs at their default values should prevent a mismatch.
396273-2 : Error message in dmesg and kern.log: vpd r/w failed
Component: TMOS
Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.
Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.
Impact:
This is a benign firmware message, and you can safely ignore it.
Workaround:
There is no workaround, but this is not a functional issue.
385013-6 : Certain user roles do not trigger a sync for a 'modify auth password' command
Component: TMOS
Symptoms:
If users with certain roles change their password, the BIG-IP system does not detect that it is out of sync with its peer and does not trigger an automatic sync.
Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
+ guest
+ operator
+ application-editor
+ manager
+ certificate-manager
+ irule-manager
+ resource-admin
+ auditor
Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.
Workaround:
Force a full sync to the peer systems.
382363-7 : min-up-members and using gateway-failsafe-device on the same pool.
Solution Article: K30588577
Component: TMOS
Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.
Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.
Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.
Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.
375434-6 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
Component: TMOS
Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.
Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 89x0, and 110x0 platforms, and the VIPRION B4100, B4200, and B4200N blades.
Impact:
The HSB is non-functional and requires reinitialization. This occurs after the BIG-IP is rebooted, which is automatically triggered when this condition occurs.
Workaround:
None.
374067-7 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
Solution Article: K14098
Component: Local Traffic Manager
Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.
Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.
Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.
Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.
370573-2 : iRule STREAM command internal error causes connection drop
Component: Local Traffic Manager
Symptoms:
The connection might drop when STREAM::expression command is used.
Conditions:
The regular expression in STREAM::expression command has look-ahead pattern.
Impact:
The connection gets dropped.
Workaround:
There is no workaround other than not using the look-ahead pattern.
369640-1 : Folder path objects in iRules can have only a single context per script
Solution Article: K17195
Component: Local Traffic Manager
Symptoms:
If an iRule is assigned to two different virtual servers in different contexts, the first time the rule runs any internal object conversions/lookups will be performed in the first context. When the second virtual runs the same rule, it will assume that the objects that have been looked up are correct, and point to the wrong members.
Conditions:
Two virtual servers in different folder paths use short names for objects like pools, procs, nodes and virtual servers.
Impact:
iRule can point to objects outside the current folder path.
Workaround:
Give each virtual server its own copy of the iRule (it is not necessary to provide complete folder paths).
369407-3 : Access policy objects are created inconsistently depending on whether created using wizard or manually.
Component: Access Policy Manager
Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.
Conditions:
This is evident when viewing the label following completion of the NA wizard.
Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.
Workaround:
None.
362511 : HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs
Solution Article: K52162658
Component: Access Policy Manager
Symptoms:
Portal Access can incorrectly rewrite CSS in HTML style attributes if it contains HTML entities.
Conditions:
Inline CSS style attributes contain HTML entities.
For example,
<div style="background:url('image.jpg')">
becomes
<div style="background:url('?F5CH=I;image.jpg')">
which cannot be interpreted correctly by a browser. As a result, the image won't be displayed.
Impact:
Some images on the page accessed through Portal Access may fail to load.
Workaround:
Before rewriting, use an iRule to substitute HTML entities in positions significant for parser (i.e., keywords, attribute names, quotes, brackets, colons, etc.) with the corresponding characters.
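The root cause is a parsing-layer mismatch: the attribute value is HTML-encoded, so an entity such as &#39; is a quote to the browser but an ordinary run of characters to a CSS rewriter that works on the raw attribute text. The following added example (not F5's code) contrasts a naive url() rewriter that runs on the raw attribute with one that decodes entities first and re-escapes afterwards, which is the same order of operations the workaround above asks an iRule to establish. The /portal/rewrite/ prefix is a hypothetical stand-in for the portal's own URL encoding.

```python
"""Entity-aware rewriting of url() references in inline style attributes.

Added example, not F5's code. The rewrite prefix is a hypothetical
placeholder; the markup samples are constructed.
"""
import html
import re

STYLE_ATTR = re.compile(r'style="([^"]*)"', re.IGNORECASE)
CSS_URL = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""", re.IGNORECASE)
PREFIX = "/portal/rewrite/"  # hypothetical; stands in for the portal's URL encoding

# Constructed samples: entity-encoded quotes, and plain quotes for comparison.
SAMPLE_ENTITIES = '<div style="background:url(&#39;image.jpg&#39;)">'
SAMPLE_PLAIN = '<div style="background:url(\'image.jpg\')">'


def rewrite_css(css: str) -> str:
    """Prefix every relative url() target; leave absolute and data: URIs alone."""
    def repl(m: "re.Match") -> str:
        quote, target = m.group(1), m.group(2)
        if target.lower().startswith(("data:", "http:", "https:")):
            return m.group(0)
        return "url(%s%s%s%s)" % (quote, PREFIX, target, quote)
    return CSS_URL.sub(repl, css)


def rewrite_style_naive(markup: str) -> str:
    """Rewrites the raw attribute text: &#39; is not a quote to the regex,
    so it becomes part of the URL token and the prefix lands in front of it."""
    return STYLE_ATTR.sub(lambda m: 'style="%s"' % rewrite_css(m.group(1)), markup)


def rewrite_style_decoded(markup: str) -> str:
    """Decode entities, rewrite the CSS, then re-escape for the attribute."""
    def repl(m: "re.Match") -> str:
        css = html.unescape(m.group(1))
        return 'style="%s"' % html.escape(rewrite_css(css), quote=True)
    return STYLE_ATTR.sub(repl, markup)


def browser_view(markup: str) -> str:
    """The attribute value as the browser's CSS parser sees it, after entity decoding."""
    return STYLE_ATTR.sub(lambda m: 'style="%s"' % html.unescape(m.group(1)), markup)


if __name__ == "__main__":
    print("naive   :", browser_view(rewrite_style_naive(SAMPLE_ENTITIES)))
    print("decoded :", browser_view(rewrite_style_decoded(SAMPLE_ENTITIES)))
```

For the entity-encoded sample the naive path leaves the browser with url(/portal/rewrite/'image.jpg'), a reference with the quote inside the path, so the image does not load; the decode-first path yields url('/portal/rewrite/image.jpg'). For markup without entities both paths agree, which is why the defect only shows on pages that entity-encode quotes inside style attributes.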
315765-5 : The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system erroneously performs a SNAT translation after the SNAT translation address has been disabled. As a result of this issue, you may encounter the following symptom:
A network trace capturing the affected traffic on a BIG-IP system shows traffic continues to egress the BIG-IP system using the disabled SNAT translation address.
Conditions:
This issue occurs when the following condition is met: A SNAT translation address is configured, but disabled.
Impact:
Traffic egresses the BIG-IP system with the disabled SNAT translation address.
Workaround:
To work around this issue, you must delete the affected SNAT configuration instead of disabling it. To do so, perform the following procedure:
Impact of workaround: Deleting the affected SNAT configuration removes it entirely from the BIG-IP configuration. If you require the SNAT configuration later, you must recreate it manually.
BIG-IP 11.x/12.x
1. Log in to the tmsh utility.
2. Delete the affected SNAT configuration by entering the following command: delete /ltm snat <affected SNAT name>.
For example, to delete the test-315765 SNAT configuration, you would enter the following command: delete /ltm snat test-315765.
3. Save the modified configuration by entering the following command:
save /sys config
BIG-IP 9.x through 10.x
1. Log in to the command line.
2. Delete the affected SNAT configuration by entering the following command: bigpipe snat <affected SNAT name> delete.
For example, to delete the test-315765 SNAT configuration, you would enter the following command: bigpipe snat test-315765 delete.
3. Save the modified configuration by entering the following command: bigpipe save all.
291256-5 : Changing 'Minimum Length' and 'Required Characters' might result in an error
Component: TMOS
Symptoms:
When setting a value for the password policy attribute 'Minimum Length', and setting 'Required Characters' 'Numeric', 'Uppercase', 'Lowercase', and 'Other' to values whose sum is greater than 'Minimum Length' the system does not save changes, and instead reports an error:
err mcpd[1647]: 01070903:3: Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'
Conditions:
-- Change the value of 'Minimum Length'.
-- Change the values in 'Required Characters' ('Numeric', 'Uppercase', 'Lowercase', and 'Other').
-- The sum of the values from 'Required Characters' is greater than the 'Minimum Length' value before you changed it.
Here is an example:
1. From the default of '6', change 'Minimum Length' to 10.
2. At the same time, change each of the 'Required Characters' options ('Numeric', 'Uppercase', 'Lowercase', and 'Other') to '2', for a total of 8.
3. Click Update.
(These values should work, because the value in 'Minimum Length' (10) is greater than the sum of the values in 'Required Characters' (8).)
Impact:
The changes are not saved, and an error is posted:
Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'.
Workaround:
You can use either of the following workarounds:
-- To work around this using the GUI, set 'Minimum Length' and 'Required Characters' separately (i.e., specify 'Minimum Length' and click Update, and then specify 'Required Characters' and click Update).
-- Use tmsh instead of the GUI.
264701-1 : GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
Solution Article: K10066
Component: Global Traffic Manager (DNS)
Symptoms:
The zrd process exits and cannot be restarted.
Conditions:
This occurs when the journal is out-of-sync with the zone.
Impact:
The zrd process cannot be restarted.
Workaround:
Before beginning, ensure that no one else is making config changes (i.e., consider making changes during a maintenance window).
I) On a working system, perform the following:
1. # rndc freeze $z
(Do this for all nonworking zones. Do not perform the thaw until you finish copying all needed files to the nonworking system.)
2. # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones]
3. # rndc thaw $z
II) On each nonworking system, perform the following:
1. # bigstart stop zrd; bigstart stop named
2. Copy the /tmp/named.zone.files archive from the working GTM system to the nonworking system.
3. # bigstart start named; bigstart start zrd
(Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors.)
Repeat part II until all previously nonworking systems are working.
III) On a working GTM system, run the following command:
# touch /var/named/config/named.conf
247527-2 : Mgmt interface cannot be disabled via tmsh
Solution Article: K14890
Component: TMOS
Symptoms:
Issuing a tmsh command to disable the management interface of a blade or appliance appears to succeed, but the management interface is not actually disabled.
Conditions:
This problem occurs on the following hardware platforms:
BIG-IP 1500, 3400, 3410, 6400, 6800, 8400, and 8800 appliances.
This problem does not occur on the following hardware platforms:
BIG-IP 1600, 3600, 3900, 6900, 8900-series and 11000-series appliances.
Impact:
After using the tmsh utility to set the mgmt interface to a disabled state, the tmsh utility will show the mgmt interface as disabled. However, the mgmt interface still responds to network traffic, including ping and ssh.
Workaround:
There are three possible ways to work around this issue:
1) Unplug the management interface if it is not intended to be used.
2) Bring down the switch interface to which the management port connects.
3) Disable the management interface as described below.
Important: This workaround might cause unintended consequences. Only use this option as a last resort, as disabling the management interface may remove the ability for the Linux host to communicate with several of the BIG-IP subsystems. As a result of this loss of communication, certain BIG-IP features may not function as expected or at all.
For platforms that expose a 'mgmt' interface via ifconfig, run the command: ifconfig mgmt down. To bring the 'mgmt' interface back up, run the command ifconfig mgmt up.
For platforms that do not expose a 'mgmt' interface via ifconfig, run the command: ifconfig eth0 down. To bring 'eth0' interface back up, run the command ifconfig eth0 up.
224665-2 : Proxy Exclusion List setting is not aware of administrative partitions
Solution Article: K12711
Component: TMOS
Symptoms:
The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group.
Conditions:
Using VLAN groups and proxy exclusion.
Impact:
Results in issues for the VLAN group.
Workaround:
None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions, available at http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.
222409-6 : The HTTP::path iRule command may return more information than expected
Solution Article: K9952
Component: Local Traffic Manager
Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.
The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:
GET /dir1/dir2/file.ext HTTP/1.1
In this example, the method token is GET, the request URI is /dir1/dir2/file.ext, and the protocol version is HTTP/1.1.
Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:
GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1
In this example, the method token is GET, the request URI is http://www.example.org:80/dir1/dir2/file.ext, and the protocol version is HTTP/1.1.
Impact:
The HTTP::path iRule command should return the following path value for both requests:
/dir1/dir2/file.ext
However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:
www.example.org:80/dir1/dir2/file.ext
Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.
Note: For more information about the HTTP::path iRule command, refer to HTTP:path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.
Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:
when HTTP_REQUEST {
log local0. "Path: [URI::path [HTTP::uri]][URI::basename [HTTP::uri]]"
}
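Because a request-target can arrive in origin-form or absolute-form (and as a bare asterisk for OPTIONS), any path-based decision that reads the raw request URI is inconsistent across clients and proxies. The following added example, not code from F5 or the release note, extracts only the path from a request line in either form, strips the query string, and models the directory/basename split that the iRule workaround above reassembles; the uri_dirpath and uri_basename helpers are this example's own names, written to mirror how the iRule concatenates URI::path and URI::basename.

```python
"""Path extraction from HTTP/1.1 request lines in origin- and absolute-form.

Added example, not F5's code. uri_dirpath/uri_basename are this example's
own helpers, modelled on the URI::path + URI::basename concatenation in
the iRule workaround; sample request lines are constructed.
"""
from urllib.parse import urlsplit


def request_target_path(request_line: str) -> str:
    """Return only the path component of a request line.

    Handles origin-form (/dir/file), absolute-form (scheme://host[:port]/dir/file)
    and asterisk-form (*). The query string is never part of the returned path.
    """
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    _method, target, _version = parts
    if target == "*":
        return "*"
    if target.startswith("/"):
        return target.split("?", 1)[0]
    parsed = urlsplit(target)
    if not parsed.scheme or not parsed.netloc:
        raise ValueError("unsupported request-target: %r" % target)
    return parsed.path or "/"


def uri_dirpath(path: str) -> str:
    """Directory part of a path including its trailing slash."""
    return path[: path.rfind("/") + 1]


def uri_basename(path: str) -> str:
    """Final segment of a path (empty for a path ending in a slash)."""
    return path[path.rfind("/") + 1:]


if __name__ == "__main__":
    # Constructed request lines; both should yield the same path.
    for line in ("GET /dir1/dir2/file.ext HTTP/1.1",
                 "GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1"):
        p = request_target_path(line)
        print(line, "->", uri_dirpath(p) + uri_basename(p))
```

Normalising at this point, before any comparison against allow-lists or routing rules, keeps the policy from depending on whether the client chose origin-form or absolute-form, which is what HTTP::path was expected to do in the first place.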
222220-1 : Distributed application statistics
Component: Global Traffic Manager (DNS)
Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.
Conditions:
Using Distributed application statistics and multiple wide-IP-members.
Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.
Workaround:
None.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/